diff --git a/contrib/sdk/api.json b/contrib/sdk/api.json index a9a57145..8ba46ef3 100755 --- a/contrib/sdk/api.json +++ b/contrib/sdk/api.json @@ -2,37 +2,7 @@ "components": { "responses": { "emptyResponse": { - "description": "Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is\ntypically 201." - }, - "errorOAuth2BadRequest": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "Bad Request Error Response" - }, - "errorOAuth2Default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "Default Error Response" - }, - "errorOAuth2NotFound": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "Not Found Error Response" + "description": "Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is typically 201." }, "identitySchemas": { "content": { @@ -96,19 +66,6 @@ }, "description": "List My Session Response" }, - "listOAuth2Clients": { - "content": { - "application/json": { - "schema": { - "items": { - "$ref": "#/components/schemas/oAuth2Client" - }, - "type": "array" - } - } - }, - "description": "Paginated OAuth2 Client List Response" - }, "listSessions": { "content": { "application/json": { @@ -124,8 +81,7 @@ } }, "schemas": { - "CustomHostnameStatus": { - "title": "CustomHostnameStatus is the enumeration of valid state values in the CustomHostnameSSL.", + "CodeAddressType": { "type": "string" }, "DefaultError": {}, @@ -134,26 +90,6 @@ "format": "int64", "type": "integer" }, - "GenericUsage": { - "properties": { - "additional_price": { - "description": "AdditionalPrice is the price per-unit exceeding IncludedUsage. A price of 0 means that no other items can be consumed.", - "format": "int64", - "type": "integer" - }, - "included_usage": { - "description": "IncludedUsage is the number of included items.", - "format": "int64", - "type": "integer" - } - }, - "required": [ - "included_usage", - "additional_price" - ], - "title": "GenericUsage is the generic usage type that can be used for any feature.", - "type": "object" - }, "ID": { "format": "int64", "type": "integer" @@ -162,33 +98,10 @@ "title": "JSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger.", "type": "object" }, - "KetoNamespace": { - "properties": { - "id": { - "format": "int64", - "type": "integer" - }, - "name": { - "type": "string" - } - }, - "type": "object" - }, - "KetoNamespaces": { - "items": { - "$ref": "#/components/schemas/KetoNamespace" - }, - "type": "array" - }, "NullBool": { "nullable": true, "type": "boolean" }, - "NullDuration": { - "nullable": true, - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - }, "NullInt": { "nullable": true, "type": "integer" @@ -207,315 +120,365 @@ "nullable": true, "type": "string" }, - "ParseError": { + "OAuth2Client": { "properties": { - "end": { - "$ref": "#/components/schemas/SourcePosition" + "AdditionalProperties": { + "additionalProperties": {}, + "type": "object" }, - "message": { + "access_token_strategy": { + "description": "OAuth 2.0 Access Token Strategy AccessTokenStrategy is the strategy used to generate access tokens. Valid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens Setting the stragegy here overrides the global setting in `strategies.access_token`.", "type": "string" }, - "start": { - "$ref": "#/components/schemas/SourcePosition" - } - }, - "type": "object" - }, - "Plan": { - "properties": { - "name": { - "description": "Name is the name of the plan.", + "allowed_cors_origins": { + "items": { + "type": "string" + }, + "type": "array" + }, + "audience": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_code_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": "string" }, - "version": { - "description": "Version is the version of the plan. The combination of `name@version` must be unique.", - "format": "int64", - "type": "integer" - } - }, - "required": [ - "name", - "version" - ], - "type": "object" - }, - "PlanDetails": { - "properties": { - "base_fee_monthly": { - "description": "BaseFeeMonthly is the monthly base fee for the plan.", - "format": "int64", - "type": "integer" + "authorization_code_grant_id_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": "string" }, - "base_fee_yearly": { - "description": "BaseFeeYearly is the yearly base fee for the plan.", - "format": "int64", - "type": "integer" + "authorization_code_grant_refresh_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": "string" }, - "custom": { - "description": "Custom is true if the plan is custom. This means it will be hidden from the pricing page.", + "backchannel_logout_session_required": { + "description": "OpenID Connect Back-Channel Logout Session Required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.", "type": "boolean" }, - "description": { - "description": "Description is the description of the plan.", + "backchannel_logout_uri": { + "description": "OpenID Connect Back-Channel Logout URI RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.", "type": "string" }, - "features": { - "additionalProperties": { - "$ref": "#/components/schemas/GenericUsage" - }, - "description": "Features are the feature definitions included in the plan.", - "type": "object" + "client_credentials_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": "string" }, - "name": { - "description": "Name is the name of the plan.", + "client_id": { + "description": "OAuth 2.0 Client ID The ID is autogenerated and immutable.", "type": "string" }, - "version": { - "description": "Version is the version of the plan. The combination of `name@version` must be unique.", - "format": "int64", - "type": "integer" - } - }, - "required": [ - "name", - "version", - "description", - "custom", - "base_fee_monthly", - "base_fee_yearly", - "features" - ], - "type": "object" - }, - "Pricing": { - "items": { - "$ref": "#/components/schemas/PlanDetails" - }, - "type": "array" - }, - "RecoveryAddressType": { - "title": "RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema.", - "type": "string" - }, - "SourcePosition": { - "properties": { - "Line": { - "format": "int64", - "type": "integer" + "client_name": { + "description": "OAuth 2.0 Client Name The human-readable name of the client to be presented to the end-user during authorization.", + "type": "string" }, - "column": { - "format": "int64", - "type": "integer" - } - }, - "type": "object" - }, - "String": { - "$ref": "#/components/schemas/NullString" - }, - "StringSliceJSONFormat": { - "items": { - "type": "string" - }, - "title": "StringSliceJSONFormat represents []string{} which is encoded to/from JSON for SQL storage.", - "type": "array" - }, - "SubscriptionStatus": { - "description": "For `collection_method=charge_automatically` a subscription moves into `incomplete` if the initial payment attempt fails. A subscription in this state can only have metadata and default_source updated. Once the first invoice is paid, the subscription moves into an `active` state. If the first invoice is not paid within 23 hours, the subscription transitions to `incomplete_expired`. This is a terminal state, the open invoice will be voided and no further invoices will be generated.\n\nA subscription that is currently in a trial period is `trialing` and moves to `active` when the trial period is over.\n\nIf subscription `collection_method=charge_automatically` it becomes `past_due` when payment to renew it fails and `canceled` or `unpaid` (depending on your subscriptions settings) when Stripe has exhausted all payment retry attempts.\n\nIf subscription `collection_method=send_invoice` it becomes `past_due` when its invoice is not paid by the due date, and `canceled` or `unpaid` if it is still not paid by an additional deadline after that. Note that when a subscription has a status of `unpaid`, no subsequent invoices will be attempted (invoices will be created, but then immediately automatically closed). After receiving updated payment information from a customer, you may choose to reopen and pay their closed invoices.", - "title": "Possible values are `incomplete`, `incomplete_expired`, `trialing`, `active`, `past_due`, `canceled`, or `unpaid`.", - "type": "string" - }, - "Time": { - "format": "date-time", - "type": "string" - }, - "UUID": { - "format": "uuid4", - "type": "string" - }, - "Usage": { - "properties": { - "GenericUsage": { - "$ref": "#/components/schemas/GenericUsage" - } - }, - "type": "object" - }, - "Warning": { - "properties": { - "code": { + "client_secret": { + "description": "OAuth 2.0 Client Secret The secret will be included in the create request as cleartext, and then never again. The secret is kept in hashed format and is not recoverable once lost.", + "type": "string" + }, + "client_secret_expires_at": { + "description": "OAuth 2.0 Client Secret Expires At The field is currently not supported and its value is always 0.", "format": "int64", "type": "integer" }, - "message": { + "client_uri": { + "description": "OAuth 2.0 Client URI ClientURI is a URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion.", "type": "string" - } - }, - "type": "object" - }, - "acceptOAuth2ConsentRequest": { - "properties": { - "grant_access_token_audience": { - "$ref": "#/components/schemas/StringSliceJSONFormat" }, - "grant_scope": { - "$ref": "#/components/schemas/StringSliceJSONFormat" + "contacts": { + "items": { + "type": "string" + }, + "type": "array" }, - "handled_at": { - "$ref": "#/components/schemas/nullTime" + "created_at": { + "description": "OAuth 2.0 Client Creation Date CreatedAt returns the timestamp of the client's creation.", + "format": "date-time", + "type": "string" }, - "remember": { - "description": "Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.", + "frontchannel_logout_session_required": { + "description": "OpenID Connect Front-Channel Logout Session Required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false.", "type": "boolean" }, - "remember_for": { - "description": "RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered indefinitely.", - "format": "int64", - "type": "integer" + "frontchannel_logout_uri": { + "description": "OpenID Connect Front-Channel Logout URI RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be.", + "type": "string" }, - "session": { - "$ref": "#/components/schemas/acceptOAuth2ConsentRequestSession" - } - }, - "title": "The request payload used to accept a consent request.", - "type": "object" - }, - "acceptOAuth2ConsentRequestSession": { - "properties": { - "access_token": { - "description": "AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the\nrefresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.\nIf only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties\ncan access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!" + "grant_types": { + "items": { + "type": "string" + }, + "type": "array" }, - "id_token": { - "description": "IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable\nby anyone that has access to the ID Challenge. Use with care!" - } - }, - "title": "Pass session data to a consent request.", - "type": "object" - }, - "acceptOAuth2LoginRequest": { - "properties": { - "acr": { - "description": "ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", + "implicit_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": "string" }, - "amr": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "context": { - "$ref": "#/components/schemas/JSONRawMessage" + "implicit_grant_id_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": "string" }, - "extend_session_lifespan": { - "description": "Extend OAuth2 authentication session lifespan\n\nIf set to `true`, the OAuth2 authentication cookie lifespan is extended. This is for example useful if you want the user to be able to use `prompt=none` continuously.\n\nThis value can only be set to `true` if the user has an authentication, which is the case if the `skip` value is `true`.", - "type": "boolean" + "jwks": { + "description": "OAuth 2.0 Client JSON Web Key Set Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation (which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used together." }, - "force_subject_identifier": { - "description": "ForceSubjectIdentifier forces the \"pairwise\" user ID of the end-user that authenticated. The \"pairwise\" user ID refers to the\n(Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID\nConnect specification. It allows you to set an obfuscated subject (\"user\") identifier that is unique to the client.\n\nPlease note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the\nsub claim in the OAuth 2.0 Introspection.\n\nPer default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself\nyou can use this field. Please note that setting this field has no effect if `pairwise` is not configured in\nORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's\nconfiguration).\n\nPlease also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies\nthat you have to compute this value on every authentication process (probably depending on the client ID or some\nother unique value).\n\nIf you fail to compute the proper value, then authentication processes which have id_token_hint set might fail.", + "jwks_uri": { + "description": "OAuth 2.0 Client JSON Web Key Set URL URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.", "type": "string" }, - "remember": { - "description": "Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store\na cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she\nwill not be asked to log in again.", - "type": "boolean" + "jwt_bearer_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": "string" }, - "remember_for": { - "description": "RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered for the duration of the browser session (using a session cookie).", - "format": "int64", - "type": "integer" + "logo_uri": { + "description": "OAuth 2.0 Client Logo URI A URL string referencing the client's logo.", + "type": "string" }, - "subject": { - "description": "Subject is the user ID of the end-user that authenticated.", + "metadata": {}, + "owner": { + "description": "OAuth 2.0 Client Owner Owner is a string identifying the owner of the OAuth 2.0 Client.", "type": "string" - } - }, - "required": [ - "subject" - ], - "title": "HandledLoginRequest is the request payload used to accept a login request.", - "type": "object" - }, - "activeProjectInConsole": { - "description": "The Active Project ID", - "properties": { - "project_id": { - "description": "The Active Project ID\n\nformat: uuid", + }, + "policy_uri": { + "description": "OAuth 2.0 Client Policy URI PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data.", "type": "string" - } - }, - "type": "object" - }, - "authenticatorAssuranceLevel": { - "description": "The authenticator assurance level can be one of \"aal1\", \"aal2\", or \"aal3\". A higher number means that it is harder\nfor an attacker to compromise the account.\n\nGenerally, \"aal1\" implies that one authentication factor was used while AAL2 implies that two factors (e.g.\npassword + TOTP) have been used.\n\nTo learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials", - "enum": [ - "aal0", - "aal1", - "aal2", - "aal3" - ], - "title": "Authenticator Assurance Level (AAL)", - "type": "string" - }, - "batchPatchIdentitiesResponse": { - "description": "Patch identities response", - "properties": { - "identities": { - "description": "The patch responses for the individual identities.", + }, + "post_logout_redirect_uris": { "items": { - "$ref": "#/components/schemas/identityPatchResponse" + "type": "string" + }, + "type": "array" + }, + "redirect_uris": { + "items": { + "type": "string" + }, + "type": "array" + }, + "refresh_token_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": "string" + }, + "refresh_token_grant_id_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": "string" + }, + "refresh_token_grant_refresh_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": "string" + }, + "registration_access_token": { + "description": "OpenID Connect Dynamic Client Registration Access Token RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client using Dynamic Client Registration.", + "type": "string" + }, + "registration_client_uri": { + "description": "OpenID Connect Dynamic Client Registration URL RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.", + "type": "string" + }, + "request_object_signing_alg": { + "description": "OpenID Connect Request Object Signing Algorithm JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm.", + "type": "string" + }, + "request_uris": { + "items": { + "type": "string" + }, + "type": "array" + }, + "response_types": { + "items": { + "type": "string" }, "type": "array" + }, + "scope": { + "description": "OAuth 2.0 Client Scope Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens.", + "type": "string" + }, + "sector_identifier_uri": { + "description": "OpenID Connect Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.", + "type": "string" + }, + "skip_consent": { + "description": "SkipConsent skips the consent screen for this client. This field can only be set from the admin API.", + "type": "boolean" + }, + "subject_type": { + "description": "OpenID Connect Subject Type The `subject_types_supported` Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "OAuth 2.0 Token Endpoint Authentication Method Requested Client Authentication method for the Token Endpoint. The options are: `client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header. `client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body. `private_key_jwt`: Use JSON Web Tokens to authenticate the client. `none`: Used for public clients (native apps, mobile apps) which can not have secrets.", + "type": "string" + }, + "token_endpoint_auth_signing_alg": { + "description": "OAuth 2.0 Token Endpoint Signing Algorithm Requested Client Authentication signing algorithm for the Token Endpoint.", + "type": "string" + }, + "tos_uri": { + "description": "OAuth 2.0 Client Terms of Service URI A URL string pointing to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client.", + "type": "string" + }, + "updated_at": { + "description": "OAuth 2.0 Client Last Update Date UpdatedAt returns the timestamp of the last update.", + "format": "date-time", + "type": "string" + }, + "userinfo_signed_response_alg": { + "description": "OpenID Connect Request Userinfo Signed Response Algorithm JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.", + "type": "string" } }, + "title": "OAuth2Client OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "type": "object" }, - "checkOplSyntaxBody": { - "description": "Ory Permission Language Document", - "type": "string" - }, - "checkOplSyntaxResult": { + "OAuth2ConsentRequestOpenIDConnectContext": { + "description": "OAuth2ConsentRequestOpenIDConnectContext struct for OAuth2ConsentRequestOpenIDConnectContext", "properties": { - "errors": { - "description": "The list of syntax errors", + "AdditionalProperties": { + "additionalProperties": {}, + "type": "object" + }, + "acr_values": { + "description": "ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request. It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required. OpenID Connect defines it as follows: \u003e Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.", + "items": { + "type": "string" + }, + "type": "array" + }, + "display": { + "description": "Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode. popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over. touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface. wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a \\\"feature phone\\\" type display. The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.", + "type": "string" + }, + "id_token_hint_claims": { + "additionalProperties": {}, + "description": "IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client.", + "type": "object" + }, + "login_hint": { + "description": "LoginHint hints about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is optional.", + "type": "string" + }, + "ui_locales": { + "description": "UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value \\\"fr-CA fr en\\\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.", "items": { - "$ref": "#/components/schemas/ParseError" + "type": "string" }, "type": "array" } }, - "title": "CheckOPLSyntaxResponse represents the response for an OPL syntax check request.", "type": "object" }, - "checkPermissionResult": { - "description": "The content of the allowed field is mirrored in the HTTP status code.", - "properties": { - "allowed": { - "description": "whether the relation tuple is allowed", - "type": "boolean" - } - }, - "required": [ - "allowed" - ], - "title": "Check Permission Result", + "OAuth2LoginChallengeParams": { "type": "object" }, - "cloudAccount": { + "OAuth2LoginRequest": { + "description": "OAuth2LoginRequest struct for OAuth2LoginRequest", "properties": { - "email": { + "AdditionalProperties": { + "additionalProperties": {}, + "type": "object" + }, + "challenge": { + "description": "ID is the identifier (\\\"login challenge\\\") of the login request. It is used to identify the session.", "type": "string" }, - "id": { - "format": "uuid", + "client": { + "$ref": "#/components/schemas/OAuth2Client" + }, + "oidc_context": { + "$ref": "#/components/schemas/OAuth2ConsentRequestOpenIDConnectContext" + }, + "request_url": { + "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters.", "type": "string" }, - "name": { + "requested_access_token_audience": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requested_scope": { + "items": { + "type": "string" + }, + "type": "array" + }, + "session_id": { + "description": "SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the \\\"sid\\\" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user.", + "type": "string" + }, + "skip": { + "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information.", + "type": "boolean" + }, + "subject": { + "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail.", "type": "string" } }, "type": "object" }, + "RecoveryAddressType": { + "title": "RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema.", + "type": "string" + }, + "Time": { + "format": "date-time", + "type": "string" + }, + "UUID": { + "format": "uuid4", + "type": "string" + }, + "authenticatorAssuranceLevel": { + "description": "The authenticator assurance level can be one of \"aal1\", \"aal2\", or \"aal3\". A higher number means that it is harder\nfor an attacker to compromise the account.\n\nGenerally, \"aal1\" implies that one authentication factor was used while AAL2 implies that two factors (e.g.\npassword + TOTP) have been used.\n\nTo learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials", + "enum": [ + "aal0", + "aal1", + "aal2", + "aal3" + ], + "title": "Authenticator Assurance Level (AAL)", + "type": "string" + }, + "batchPatchIdentitiesResponse": { + "description": "Patch identities response", + "properties": { + "identities": { + "description": "The patch responses for the individual identities.", + "items": { + "$ref": "#/components/schemas/identityPatchResponse" + }, + "type": "array" + } + }, + "type": "object" + }, + "consistencyRequestParameters": { + "description": "Control API consistency guarantees", + "properties": { + "consistency": { + "description": "Read Consistency Level (preview)\n\nThe read consistency level determines the consistency guarantee for reads:\n\nstrong (slow): The read is guaranteed to return the most recent data committed at the start of the read.\neventual (very fast): The result will return data that is about 4.8 seconds old.\n\nThe default consistency guarantee can be changed in the Ory Network Console or using the Ory CLI with\n`ory patch project --replace '/previews/default_read_consistency_level=\"strong\"'`.\n\nSetting the default consistency level to `eventual` may cause regressions in the future as we add consistency\ncontrols to more APIs. Currently, the following APIs will be affected by this setting:\n\n`GET /admin/identities`\n\nThis feature is in preview and only available in Ory Network.\n ConsistencyLevelUnset ConsistencyLevelUnset is the unset / default consistency level.\nstrong ConsistencyLevelStrong ConsistencyLevelStrong is the strong consistency level.\neventual ConsistencyLevelEventual ConsistencyLevelEventual is the eventual consistency level using follower read timestamps.", + "enum": [ + "", + "strong", + "eventual" + ], + "type": "string", + "x-go-enum-desc": " ConsistencyLevelUnset ConsistencyLevelUnset is the unset / default consistency level.\nstrong ConsistencyLevelStrong ConsistencyLevelStrong is the strong consistency level.\neventual ConsistencyLevelEventual ConsistencyLevelEventual is the eventual consistency level using follower read timestamps." + } + }, + "type": "object" + }, "continueWith": { "discriminator": { "mapping": { "set_ory_session_token": "#/components/schemas/continueWithSetOrySessionToken", + "show_recovery_ui": "#/components/schemas/continueWithRecoveryUi", + "show_settings_ui": "#/components/schemas/continueWithSettingsUi", "show_verification_ui": "#/components/schemas/continueWithVerificationUi" }, "propertyName": "action" @@ -526,20 +489,63 @@ }, { "$ref": "#/components/schemas/continueWithSetOrySessionToken" + }, + { + "$ref": "#/components/schemas/continueWithSettingsUi" + }, + { + "$ref": "#/components/schemas/continueWithRecoveryUi" } ] }, + "continueWithRecoveryUi": { + "description": "Indicates, that the UI flow could be continued by showing a recovery ui", + "properties": { + "action": { + "description": "Action will always be `show_recovery_ui`\nshow_recovery_ui ContinueWithActionShowRecoveryUIString", + "enum": [ + "show_recovery_ui" + ], + "type": "string", + "x-go-enum-desc": "show_recovery_ui ContinueWithActionShowRecoveryUIString" + }, + "flow": { + "$ref": "#/components/schemas/continueWithRecoveryUiFlow" + } + }, + "required": [ + "action", + "flow" + ], + "type": "object" + }, + "continueWithRecoveryUiFlow": { + "properties": { + "id": { + "description": "The ID of the recovery flow", + "format": "uuid", + "type": "string" + }, + "url": { + "description": "The URL of the recovery flow", + "type": "string" + } + }, + "required": [ + "id" + ], + "type": "object" + }, "continueWithSetOrySessionToken": { "description": "Indicates that a session was issued, and the application should use this token for authenticated requests", "properties": { "action": { - "description": "Action will always be `set_ory_session_token`\nset_ory_session_token ContinueWithActionSetOrySessionToken\nshow_verification_ui ContinueWithActionShowVerificationUI", + "description": "Action will always be `set_ory_session_token`\nset_ory_session_token ContinueWithActionSetOrySessionTokenString", "enum": [ - "set_ory_session_token", - "show_verification_ui" + "set_ory_session_token" ], "type": "string", - "x-go-enum-desc": "set_ory_session_token ContinueWithActionSetOrySessionToken\nshow_verification_ui ContinueWithActionShowVerificationUI" + "x-go-enum-desc": "set_ory_session_token ContinueWithActionSetOrySessionTokenString" }, "ory_session_token": { "description": "Token is the token of the session", @@ -552,17 +558,50 @@ ], "type": "object" }, + "continueWithSettingsUi": { + "description": "Indicates, that the UI flow could be continued by showing a settings ui", + "properties": { + "action": { + "description": "Action will always be `show_settings_ui`\nshow_settings_ui ContinueWithActionShowSettingsUIString", + "enum": [ + "show_settings_ui" + ], + "type": "string", + "x-go-enum-desc": "show_settings_ui ContinueWithActionShowSettingsUIString" + }, + "flow": { + "$ref": "#/components/schemas/continueWithSettingsUiFlow" + } + }, + "required": [ + "action", + "flow" + ], + "type": "object" + }, + "continueWithSettingsUiFlow": { + "properties": { + "id": { + "description": "The ID of the settings flow", + "format": "uuid", + "type": "string" + } + }, + "required": [ + "id" + ], + "type": "object" + }, "continueWithVerificationUi": { "description": "Indicates, that the UI flow could be continued by showing a verification ui", "properties": { "action": { - "description": "Action will always be `show_verification_ui`\nset_ory_session_token ContinueWithActionSetOrySessionToken\nshow_verification_ui ContinueWithActionShowVerificationUI", + "description": "Action will always be `show_verification_ui`\nshow_verification_ui ContinueWithActionShowVerificationUIString", "enum": [ - "set_ory_session_token", "show_verification_ui" ], "type": "string", - "x-go-enum-desc": "set_ory_session_token ContinueWithActionSetOrySessionToken\nshow_verification_ui ContinueWithActionShowVerificationUI" + "x-go-enum-desc": "show_verification_ui ContinueWithActionShowVerificationUIString" }, "flow": { "$ref": "#/components/schemas/continueWithVerificationUiFlow" @@ -615,35 +654,6 @@ "title": "A Message's Type", "type": "string" }, - "createCustomDomainBody": { - "description": "Create Custom Hostname Request Body", - "properties": { - "cookie_domain": { - "description": "The domain where cookies will be set. Has to be a parent domain of the custom hostname to work.", - "type": "string" - }, - "cors_allowed_origins": { - "description": "CORS Allowed origins for the custom hostname.", - "items": { - "type": "string" - }, - "type": "array" - }, - "cors_enabled": { - "description": "CORS Enabled for the custom hostname.", - "type": "boolean" - }, - "custom_ui_base_url": { - "description": "The base URL where the custom user interface will be exposed.", - "type": "string" - }, - "hostname": { - "description": "The custom hostname where the API will be exposed.", - "type": "string" - } - }, - "type": "object" - }, "createIdentityBody": { "description": "Create Identity Body", "properties": { @@ -688,100 +698,17 @@ ], "type": "object" }, - "createJsonWebKeySet": { - "description": "Create JSON Web Key Set Request Body", + "createRecoveryCodeForIdentityBody": { + "description": "Create Recovery Code for Identity Request Body", "properties": { - "alg": { - "description": "JSON Web Key Algorithm\n\nThe algorithm to be used for creating the key. Supports `RS256`, `ES256`, `ES512`, `HS512`, and `HS256`.", + "expires_in": { + "description": "Code Expires In\n\nThe recovery code will expire after that amount of time has passed. Defaults to the configuration value of\n`selfservice.methods.code.config.lifespan`.", + "pattern": "^([0-9]+(ns|us|ms|s|m|h))*$", "type": "string" }, - "kid": { - "description": "JSON Web Key ID\n\nThe Key ID of the key to be created.", - "type": "string" - }, - "use": { - "description": "JSON Web Key Use\n\nThe \"use\" (public key use) parameter identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Valid values are \"enc\" and \"sig\".", - "type": "string" - } - }, - "required": [ - "alg", - "use", - "kid" - ], - "type": "object" - }, - "createProjectBody": { - "description": "Create Project Request Body", - "properties": { - "name": { - "description": "The name of the project to be created", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "createProjectBranding": { - "description": "Create a Project Branding", - "properties": { - "logo_type": { - "type": "string" - }, - "logo_url": { - "type": "string" - }, - "name": { - "type": "string" - }, - "theme": { - "$ref": "#/components/schemas/projectBrandingColors" - } - }, - "type": "object" - }, - "createProjectInvite": { - "description": "Create Project Invite Request Body", - "properties": { - "invitee_emails": { - "description": "A list of emails to invite", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, - "createProjectInvitesResponse": { - "description": "Response to the create project invite request", - "properties": { - "all_invites": { - "$ref": "#/components/schemas/projectInvites" - }, - "created_invites": { - "$ref": "#/components/schemas/projectInvites" - } - }, - "required": [ - "created_invites", - "all_invites" - ], - "type": "object" - }, - "createRecoveryCodeForIdentityBody": { - "description": "Create Recovery Code for Identity Request Body", - "properties": { - "expires_in": { - "description": "Code Expires In\n\nThe recovery code will expire after that amount of time has passed. Defaults to the configuration value of\n`selfservice.methods.code.config.lifespan`.", - "pattern": "^([0-9]+(ns|us|ms|s|m|h))*$", - "type": "string" - }, - "identity_id": { - "description": "Identity to Recover\n\nThe identity's ID you wish to recover.", - "format": "uuid", + "identity_id": { + "description": "Identity to Recover\n\nThe identity's ID you wish to recover.", + "format": "uuid", "type": "string" } }, @@ -809,140 +736,6 @@ ], "type": "object" }, - "createRelationshipBody": { - "description": "Create Relationship Request Body", - "properties": { - "namespace": { - "description": "Namespace to query", - "type": "string" - }, - "object": { - "description": "Object to query", - "type": "string" - }, - "relation": { - "description": "Relation to query", - "type": "string" - }, - "subject_id": { - "description": "SubjectID to query\n\nEither SubjectSet or SubjectID can be provided.", - "type": "string" - }, - "subject_set": { - "$ref": "#/components/schemas/subjectSet" - } - }, - "type": "object" - }, - "createSubscriptionBody": { - "description": "Create Subscription Request Body", - "properties": { - "currency": { - "description": "\nusd USD\neur Euro", - "enum": [ - "usd", - "eur" - ], - "type": "string", - "x-go-enum-desc": "usd USD\neur Euro" - }, - "interval": { - "description": "\nmonthly Monthly\nyearly Yearly", - "enum": [ - "monthly", - "yearly" - ], - "type": "string", - "x-go-enum-desc": "monthly Monthly\nyearly Yearly" - }, - "plan": { - "type": "string" - }, - "provision_first_project": { - "format": "uuid", - "type": "string" - }, - "return_to": { - "type": "string" - } - }, - "required": [ - "plan", - "interval", - "provision_first_project" - ], - "type": "object" - }, - "customDomain": { - "description": "Custom Hostname", - "properties": { - "cookie_domain": { - "type": "string" - }, - "cors_allowed_origins": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "cors_enabled": { - "type": "boolean" - }, - "created_at": { - "format": "date-time", - "type": "string" - }, - "custom_ui_base_url": { - "type": "string" - }, - "hostname": { - "type": "string" - }, - "id": { - "format": "uuid", - "type": "string" - }, - "ssl_status": { - "enum": [ - "initializing", - "pending_validation", - "deleted", - "pending_issuance", - "pending_deployment", - "pending_deletion", - "pending_expiration", - "expired", - "active", - "initializing_timed_out", - "validation_timed_out", - "issuance_timed_out", - "deployment_timed_out", - "deletion_timed_out", - "pending_cleanup", - "staging_deployment", - "staging_active", - "deactivating", - "inactive", - "backup_issued", - "holding_deployment", - "" - ], - "type": "string", - "x-go-enum-desc": "initializing initializing\npending_validation pending_validation\ndeleted deleted\npending_issuance pending_issuance\npending_deployment pending_deployment\npending_deletion pending_deletion\npending_expiration pending_expiration\nexpired expired\nactive active\ninitializing_timed_out initializing_timed_out\nvalidation_timed_out validation_timed_out\nissuance_timed_out issuance_timed_out\ndeployment_timed_out deployment_timed_out\ndeletion_timed_out deletion_timed_out\npending_cleanup pending_cleanup\nstaging_deployment staging_deployment\nstaging_active staging_active\ndeactivating deactivating\ninactive inactive\nbackup_issued backup_issued\nholding_deployment holding_deployment\n unknown Cloudflare sometimes returns an empty string." - }, - "updated_at": { - "format": "date-time", - "type": "string" - }, - "verification_errors": { - "items": { - "type": "string" - }, - "type": "array" - }, - "verification_status": { - "$ref": "#/components/schemas/CustomHostnameStatus" - } - }, - "type": "object" - }, "deleteMySessionsCount": { "description": "Deleted Session Count", "properties": { @@ -998,7 +791,7 @@ "description": "The standard Ory JSON API error format.", "properties": { "error": { - "$ref": "#/components/schemas/genericErrorContent" + "$ref": "#/components/schemas/genericError" } }, "required": [ @@ -1007,68 +800,6 @@ "title": "JSON API Error Response", "type": "object" }, - "errorOAuth2": { - "description": "Error", - "properties": { - "error": { - "description": "Error", - "type": "string" - }, - "error_debug": { - "description": "Error Debug Information\n\nOnly available in dev mode.", - "type": "string" - }, - "error_description": { - "description": "Error Description", - "type": "string" - }, - "error_hint": { - "description": "Error Hint\n\nHelps the user identify the error cause.", - "example": "The redirect URL is not allowed.", - "type": "string" - }, - "status_code": { - "description": "HTTP Status Code", - "example": 401, - "format": "int64", - "type": "integer" - } - }, - "type": "object" - }, - "expandedPermissionTree": { - "properties": { - "children": { - "description": "The children of the node, possibly none.", - "items": { - "$ref": "#/components/schemas/expandedPermissionTree" - }, - "type": "array" - }, - "tuple": { - "$ref": "#/components/schemas/relationship" - }, - "type": { - "description": "The type of the node.\nunion TreeNodeUnion\nexclusion TreeNodeExclusion\nintersection TreeNodeIntersection\nleaf TreeNodeLeaf\ntuple_to_subject_set TreeNodeTupleToSubjectSet\ncomputed_subject_set TreeNodeComputedSubjectSet\nnot TreeNodeNot\nunspecified TreeNodeUnspecified", - "enum": [ - "union", - "exclusion", - "intersection", - "leaf", - "tuple_to_subject_set", - "computed_subject_set", - "not", - "unspecified" - ], - "type": "string", - "x-go-enum-desc": "union TreeNodeUnion\nexclusion TreeNodeExclusion\nintersection TreeNodeIntersection\nleaf TreeNodeLeaf\ntuple_to_subject_set TreeNodeTupleToSubjectSet\ncomputed_subject_set TreeNodeComputedSubjectSet\nnot TreeNodeNot\nunspecified TreeNodeUnspecified" - } - }, - "required": [ - "type" - ], - "type": "object" - }, "flowError": { "properties": { "created_at": { @@ -1096,7 +827,6 @@ "type": "object" }, "genericError": { - "description": "Error responses are sent when an error (e.g. unauthorized, bad request, ...) occurred.", "properties": { "code": { "description": "The status code", @@ -1110,10 +840,9 @@ "type": "string" }, "details": { - "description": "Further error details" - }, - "error": { - "$ref": "#/components/schemas/genericErrorContent" + "additionalProperties": false, + "description": "Further error details", + "type": "object" }, "id": { "description": "The error ID\n\nUseful when trying to identify various errors in application logic.", @@ -1143,64 +872,6 @@ "required": [ "message" ], - "title": "Error response", - "type": "object" - }, - "genericErrorContent": { - "description": "Error response", - "properties": { - "debug": { - "description": "Debug contains debug information. This is usually not available and has to be enabled.", - "example": "The database adapter was unable to find the element", - "type": "string" - }, - "error": { - "description": "Name is the error name.", - "example": "The requested resource could not be found", - "type": "string" - }, - "error_description": { - "description": "Description contains further information on the nature of the error.", - "example": "Object with ID 12345 does not exist", - "type": "string" - }, - "message": { - "description": "Message contains the error message.", - "type": "string" - }, - "status_code": { - "description": "Code represents the error status code (404, 403, 401, ...).", - "example": 404, - "format": "int64", - "type": "integer" - } - }, - "type": "object" - }, - "getManagedIdentitySchemaLocation": { - "description": "Ory Identity Schema Location", - "properties": { - "location": { - "type": "string" - } - }, - "type": "object" - }, - "getProjectMetricsResponse": { - "description": "Response of the getMetrics endpoint", - "properties": { - "data": { - "description": "The list of data points.", - "items": { - "$ref": "#/components/schemas/metricsDatapoint" - }, - "readOnly": true, - "type": "array" - } - }, - "required": [ - "data" - ], "type": "object" }, "healthNotReadyStatus": { @@ -1250,6 +921,9 @@ "metadata_public": { "$ref": "#/components/schemas/nullJsonRawMessage" }, + "organization_id": { + "$ref": "#/components/schemas/NullUUID" + }, "recovery_addresses": { "description": "RecoveryAddresses contains all the addresses that can be used to recover an identity.", "items": { @@ -1332,6 +1006,18 @@ }, "type": "object" }, + "identityCredentialsCode": { + "description": "CredentialsCode represents a one time login/registration code", + "properties": { + "address_type": { + "$ref": "#/components/schemas/CodeAddressType" + }, + "used_at": { + "$ref": "#/components/schemas/NullTime" + } + }, + "type": "object" + }, "identityCredentialsOidc": { "properties": { "providers": { @@ -1355,6 +1041,9 @@ "initial_refresh_token": { "type": "string" }, + "organization": { + "type": "string" + }, "provider": { "type": "string" }, @@ -1382,15 +1071,12 @@ "totp", "oidc", "webauthn", - "lookup_secret" + "lookup_secret", + "code" ], "title": "CredentialsType represents several different credential types, like password credentials, passwordless credentials,", "type": "string" }, - "identityMetaSchema": { - "description": "Identity Meta Schema", - "type": "object" - }, "identityPatch": { "description": "Payload for patching an identity", "properties": { @@ -1447,29 +1133,6 @@ }, "type": "object" }, - "identitySchemaPreset": { - "properties": { - "schema": { - "description": "Schema is the Identity JSON Schema", - "type": "object" - }, - "url": { - "description": "URL is the preset identifier", - "type": "string" - } - }, - "required": [ - "url", - "schema" - ], - "type": "object" - }, - "identitySchemaPresets": { - "items": { - "$ref": "#/components/schemas/identitySchemaPreset" - }, - "type": "array" - }, "identitySchemas": { "description": "List of Identity JSON Schemas", "items": { @@ -1493,10 +1156,6 @@ "description": "VerifiableAddressStatus must not exceed 16 characters as that is the limitation in the SQL Schema", "type": "string" }, - "identityVerifiableAddressType": { - "description": "VerifiableAddressType must not exceed 16 characters as that is the limitation in the SQL Schema", - "type": "string" - }, "identityWithCredentials": { "description": "Create Identity and Import Credentials", "properties": { @@ -1564,7 +1223,7 @@ "description": "Create Identity and Import Password Credentials Configuration", "properties": { "hashed_password": { - "description": "The hashed password in [PHC format]( https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password#hashed-password-format)", + "description": "The hashed password in [PHC format](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#hashed-passwords)", "type": "string" }, "password": { @@ -1574,215 +1233,27 @@ }, "type": "object" }, - "internalGetProjectBrandingBody": { - "description": "Get Project Branding Request Body", - "properties": { - "hostname": { - "type": "string" - } - }, - "type": "object" - }, - "internalIsOwnerForProjectBySlugBody": { - "description": "Is Owner For Project By Slug Request Body", + "jsonPatch": { + "description": "A JSONPatch document as defined by RFC 6902", "properties": { - "namespace": { - "description": "Namespace is the namespace of the subject.", - "enum": [ - "User", - " ApiKey" - ], + "from": { + "description": "This field is used together with operation \"move\" and uses JSON Pointer notation.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", + "example": "/name", "type": "string" }, - "project_scope": { - "description": "ProjectScope is the project_id resolved from the\nAPI Token.", + "op": { + "description": "The operation to be performed. One of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\".", + "example": "replace", "type": "string" }, - "project_slug": { - "description": "ProjectSlug is the project's slug.", + "path": { + "description": "The path to the target path. Uses JSON pointer notation.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", + "example": "/name", "type": "string" }, - "subject": { - "description": "Subject is the subject acting (user or API key).", - "type": "string" - } - }, - "required": [ - "subject", - "namespace", - "project_slug" - ], - "type": "object" - }, - "internalIsOwnerForProjectBySlugResponse": { - "properties": { - "project_id": { - "description": "ProjectID is the project's ID.", - "type": "string" - } - }, - "required": [ - "project_id" - ], - "type": "object" - }, - "internalProvisionMockSubscription": { - "description": "Internal Provision Mock Subscription Request Body", - "properties": { - "currency": { - "description": "Currency\nusd USD\neur Euro", - "enum": [ - "usd", - "eur" - ], - "type": "string", - "x-go-enum-desc": "usd USD\neur Euro" - }, - "identity_id": { - "description": "Identity ID", - "format": "uuid", - "type": "string" - }, - "interval": { - "description": "Billing Interval\nmonthly Monthly\nyearly Yearly", - "enum": [ - "monthly", - "yearly" - ], - "type": "string", - "x-go-enum-desc": "monthly Monthly\nyearly Yearly" - }, - "plan": { - "description": "Plan ID", - "type": "string" - } - }, - "required": [ - "plan", - "interval", - "identity_id", - "currency" - ], - "type": "object" - }, - "introspectedOAuth2Token": { - "description": "Introspection contains an access token's session data as specified by\n[IETF RFC 7662](https://tools.ietf.org/html/rfc7662)", - "properties": { - "active": { - "description": "Active is a boolean indicator of whether or not the presented token\nis currently active. The specifics of a token's \"active\" state\nwill vary depending on the implementation of the authorization\nserver and the information it keeps about its tokens, but a \"true\"\nvalue return for the \"active\" property will generally indicate\nthat a given token has been issued by this authorization server,\nhas not been revoked by the resource owner, and is within its\ngiven time window of validity (e.g., after its issuance time and\nbefore its expiration time).", - "type": "boolean" - }, - "aud": { - "description": "Audience contains a list of the token's intended audiences.", - "items": { - "type": "string" - }, - "type": "array" - }, - "client_id": { - "description": "ID is aclient identifier for the OAuth 2.0 client that\nrequested this token.", - "type": "string" - }, - "exp": { - "description": "Expires at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token will expire.", - "format": "int64", - "type": "integer" - }, - "ext": { - "additionalProperties": {}, - "description": "Extra is arbitrary data set by the session.", - "type": "object" - }, - "iat": { - "description": "Issued at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token was\noriginally issued.", - "format": "int64", - "type": "integer" - }, - "iss": { - "description": "IssuerURL is a string representing the issuer of this token", - "type": "string" - }, - "nbf": { - "description": "NotBefore is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token is not to be\nused before.", - "format": "int64", - "type": "integer" - }, - "obfuscated_subject": { - "description": "ObfuscatedSubject is set when the subject identifier algorithm was set to \"pairwise\" during authorization.\nIt is the `sub` value of the ID Token that was issued.", - "type": "string" - }, - "scope": { - "description": "Scope is a JSON string containing a space-separated list of\nscopes associated with this token.", - "type": "string" - }, - "sub": { - "description": "Subject of the token, as defined in JWT [RFC7519].\nUsually a machine-readable identifier of the resource owner who\nauthorized this token.", - "type": "string" - }, - "token_type": { - "description": "TokenType is the introspected token's type, typically `Bearer`.", - "type": "string" - }, - "token_use": { - "description": "TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.", - "type": "string" - }, - "username": { - "description": "Username is a human-readable identifier for the resource owner who\nauthorized this token.", - "type": "string" - } - }, - "required": [ - "active" - ], - "type": "object" - }, - "isOwnerForProjectBySlug": { - "properties": { - "ProjectSlug": { - "description": "ProjectSlug is the project's slug.", - "type": "string" - }, - "Subject": { - "description": "Subject is the subject from the API Token.", - "type": "string" - } - }, - "required": [ - "Subject", - "ProjectSlug" - ], - "type": "object" - }, - "jsonPatch": { - "description": "A JSONPatch document as defined by RFC 6902", - "properties": { - "from": { - "description": "This field is used together with operation \"move\" and uses JSON Pointer notation.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", - "example": "/name", - "type": "string" - }, - "op": { - "description": "The operation to be performed. One of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\".", - "enum": [ - "add", - "remove", - "replace", - "move", - "copy", - "test" - ], - "example": "replace", - "type": "string" - }, - "path": { - "description": "The path to the target path. Uses JSON pointer notation.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", - "example": "/name", - "type": "string" - }, - "value": { - "description": "The value to be used within the operations.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", - "example": "foobar" + "value": { + "description": "The value to be used within the operations.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", + "example": "foobar" } }, "required": [ @@ -1798,112 +1269,6 @@ }, "type": "array" }, - "jsonWebKey": { - "properties": { - "alg": { - "description": "The \"alg\" (algorithm) parameter identifies the algorithm intended for\nuse with the key. The values used should either be registered in the\nIANA \"JSON Web Signature and Encryption Algorithms\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name.", - "example": "RS256", - "type": "string" - }, - "crv": { - "example": "P-256", - "type": "string" - }, - "d": { - "example": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE", - "type": "string" - }, - "dp": { - "example": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0", - "type": "string" - }, - "dq": { - "example": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk", - "type": "string" - }, - "e": { - "example": "AQAB", - "type": "string" - }, - "k": { - "example": "GawgguFyGrWKav7AX4VKUg", - "type": "string" - }, - "kid": { - "description": "The \"kid\" (key ID) parameter is used to match a specific key. This\nis used, for instance, to choose among a set of keys within a JWK Set\nduring key rollover. The structure of the \"kid\" value is\nunspecified. When \"kid\" values are used within a JWK Set, different\nkeys within the JWK Set SHOULD use distinct \"kid\" values. (One\nexample in which different keys might use the same \"kid\" value is if\nthey have different \"kty\" (key type) values but are considered to be\nequivalent alternatives by the application using them.) The \"kid\"\nvalue is a case-sensitive string.", - "example": "1603dfe0af8f4596", - "type": "string" - }, - "kty": { - "description": "The \"kty\" (key type) parameter identifies the cryptographic algorithm\nfamily used with the key, such as \"RSA\" or \"EC\". \"kty\" values should\neither be registered in the IANA \"JSON Web Key Types\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name. The \"kty\" value is a case-sensitive string.", - "example": "RSA", - "type": "string" - }, - "n": { - "example": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0", - "type": "string" - }, - "p": { - "example": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ", - "type": "string" - }, - "q": { - "example": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ", - "type": "string" - }, - "qi": { - "example": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU", - "type": "string" - }, - "use": { - "description": "Use (\"public key use\") identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Values are commonly \"sig\" (signature) or \"enc\" (encryption).", - "example": "sig", - "type": "string" - }, - "x": { - "example": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", - "type": "string" - }, - "x5c": { - "description": "The \"x5c\" (X.509 certificate chain) parameter contains a chain of one\nor more PKIX certificates [RFC5280]. The certificate chain is\nrepresented as a JSON array of certificate value strings. Each\nstring in the array is a base64-encoded (Section 4 of [RFC4648] --\nnot base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.\nThe PKIX certificate containing the key value MUST be the first\ncertificate.", - "items": { - "type": "string" - }, - "type": "array" - }, - "y": { - "example": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", - "type": "string" - } - }, - "required": [ - "use", - "kty", - "kid", - "alg" - ], - "type": "object" - }, - "jsonWebKeySet": { - "description": "JSON Web Key Set", - "properties": { - "keys": { - "description": "List of JSON Web Keys\n\nThe value of the \"keys\" parameter is an array of JSON Web Key (JWK)\nvalues. By default, the order of the JWK values within the array does\nnot imply an order of preference among them, although applications\nof JWK Sets can choose to assign a meaning to the order for their\npurposes, if desired.", - "items": { - "$ref": "#/components/schemas/jsonWebKey" - }, - "type": "array" - } - }, - "type": "object" - }, - "listCustomDomains": { - "description": "Custom Hostname List", - "items": { - "$ref": "#/components/schemas/customDomain" - }, - "type": "array" - }, "loginFlow": { "description": "This object represents a login flow. A login flow is initiated at the \"Initiate Login API / Browser Flow\"\nendpoint by a client.\n\nOnce a login flow is completed successfully, a session cookie or session token will be issued.", "properties": { @@ -1935,7 +1300,10 @@ "type": "string" }, "oauth2_login_request": { - "$ref": "#/components/schemas/oAuth2LoginRequest" + "$ref": "#/components/schemas/OAuth2LoginRequest" + }, + "organization_id": { + "$ref": "#/components/schemas/NullUUID" }, "refresh": { "description": "Refresh stores whether this login flow should enforce re-authentication.", @@ -1956,6 +1324,9 @@ "description": "SessionTokenExchangeCode holds the secret code that the client can use to retrieve a session token after the login flow has been completed.\nThis is only set if the client has requested a session token exchange code, and if the flow is of type \"api\",\nand only on creating the login flow.", "type": "string" }, + "state": { + "description": "State represents the state of this request:\n\nchoose_method: ask the user to choose a method to sign in with\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the login challenge was passed." + }, "type": { "$ref": "#/components/schemas/selfServiceFlowType" }, @@ -1974,11 +1345,21 @@ "expires_at", "issued_at", "request_url", - "ui" + "ui", + "state" ], "title": "Login Flow", "type": "object" }, + "loginFlowState": { + "description": "The state represents the state of the login flow.\n\nchoose_method: ask the user to choose a method (e.g. login account via email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the login challenge was passed.", + "enum": [ + "choose_method", + "sent_email", + "passed_challenge" + ], + "title": "Login Flow State" + }, "logoutFlow": { "description": "Logout Flow", "properties": { @@ -1997,79 +1378,14 @@ ], "type": "object" }, - "managedIdentitySchema": { - "description": "Together the name and identity uuid are a unique index constraint.\nThis prevents a user from having schemas with the same name.\nThis also allows schemas to have the same name across the system.", - "properties": { - "blob_name": { - "description": "The gcs file name\n\nThis is a randomly generated name which is used to uniquely identify the file on the blob storage", - "type": "string" - }, - "blob_url": { - "description": "The publicly accessible url of the schema", - "type": "string" - }, - "content_hash": { - "description": "The Content Hash\n\nContains a hash of the schema's content.", - "type": "string" - }, - "created_at": { - "description": "The Schema's Creation Date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "id": { - "description": "The schema's ID.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "The schema name\n\nThis is set by the user and is for them to easily recognise their schema", - "example": "CustomerIdentity", - "type": "string" - }, - "updated_at": { - "description": "Last Time Schema was Updated", - "format": "date-time", - "readOnly": true, - "type": "string" - } - }, - "required": [ - "id", - "name", - "blob_name", - "blob_url", - "created_at", - "updated_at" - ], - "title": "Schema represents an Ory Kratos Identity Schema", - "type": "object" - }, - "managedIdentitySchemaValidationResult": { - "description": "Ory Identity Schema Validation Result", - "properties": { - "message": { - "type": "string" - }, - "valid": { - "type": "boolean" - } - }, - "type": "object" - }, - "managedIdentitySchemas": { - "items": { - "$ref": "#/components/schemas/managedIdentitySchema" - }, - "type": "array" - }, "message": { "properties": { "body": { "type": "string" }, + "channel": { + "type": "string" + }, "created_at": { "description": "CreatedAt is a helper struct field for gobuffalo.pop.", "format": "date-time", @@ -2100,7 +1416,7 @@ "type": "string" }, "template_type": { - "description": "\nrecovery_invalid TypeRecoveryInvalid\nrecovery_valid TypeRecoveryValid\nrecovery_code_invalid TypeRecoveryCodeInvalid\nrecovery_code_valid TypeRecoveryCodeValid\nverification_invalid TypeVerificationInvalid\nverification_valid TypeVerificationValid\nverification_code_invalid TypeVerificationCodeInvalid\nverification_code_valid TypeVerificationCodeValid\notp TypeOTP\nstub TypeTestStub", + "description": "\nrecovery_invalid TypeRecoveryInvalid\nrecovery_valid TypeRecoveryValid\nrecovery_code_invalid TypeRecoveryCodeInvalid\nrecovery_code_valid TypeRecoveryCodeValid\nverification_invalid TypeVerificationInvalid\nverification_valid TypeVerificationValid\nverification_code_invalid TypeVerificationCodeInvalid\nverification_code_valid TypeVerificationCodeValid\nstub TypeTestStub\nlogin_code_valid TypeLoginCodeValid\nregistration_code_valid TypeRegistrationCodeValid", "enum": [ "recovery_invalid", "recovery_valid", @@ -2110,11 +1426,12 @@ "verification_valid", "verification_code_invalid", "verification_code_valid", - "otp", - "stub" + "stub", + "login_code_valid", + "registration_code_valid" ], "type": "string", - "x-go-enum-desc": "recovery_invalid TypeRecoveryInvalid\nrecovery_valid TypeRecoveryValid\nrecovery_code_invalid TypeRecoveryCodeInvalid\nrecovery_code_valid TypeRecoveryCodeValid\nverification_invalid TypeVerificationInvalid\nverification_valid TypeVerificationValid\nverification_code_invalid TypeVerificationCodeInvalid\nverification_code_valid TypeVerificationCodeValid\notp TypeOTP\nstub TypeTestStub" + "x-go-enum-desc": "recovery_invalid TypeRecoveryInvalid\nrecovery_valid TypeRecoveryValid\nrecovery_code_invalid TypeRecoveryCodeInvalid\nrecovery_code_valid TypeRecoveryCodeValid\nverification_invalid TypeVerificationInvalid\nverification_valid TypeVerificationValid\nverification_code_invalid TypeVerificationCodeInvalid\nverification_code_valid TypeVerificationCodeValid\nstub TypeTestStub\nlogin_code_valid TypeLoginCodeValid\nregistration_code_valid TypeRegistrationCodeValid" }, "type": { "$ref": "#/components/schemas/courierMessageType" @@ -2184,35 +1501,6 @@ ], "type": "object" }, - "metricsDatapoint": { - "description": "Represents a single datapoint/bucket of a time series", - "properties": { - "count": { - "description": "The count of events that occured in this time", - "format": "int64", - "type": "integer" - }, - "time": { - "description": "The time of the bucket", - "format": "date-time", - "type": "string" - } - }, - "required": [ - "time", - "count" - ], - "type": "object" - }, - "namespace": { - "properties": { - "name": { - "description": "Name of the namespace.", - "type": "string" - } - }, - "type": "object" - }, "needsPrivilegedSessionError": { "properties": { "error": { @@ -2229,8992 +1517,1936 @@ "title": "Is sent when a privileged session is required to perform the settings update.", "type": "object" }, - "normalizedProject": { - "properties": { - "created_at": { - "description": "The Project's Creation Date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "current_revision": { - "$ref": "#/components/schemas/normalizedProjectRevision" - }, - "hosts": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "id": { - "description": "The project's ID.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "slug": { - "description": "The project's slug", - "readOnly": true, - "type": "string" - }, - "state": { - "description": "The state of the project.\nrunning Running\nhalted Halted\ndeleted Deleted", - "enum": [ - "running", - "halted", - "deleted" - ], - "readOnly": true, - "type": "string", - "x-go-enum-desc": "running Running\nhalted Halted\ndeleted Deleted" - }, - "subscription_id": { - "$ref": "#/components/schemas/NullUUID" - }, - "subscription_plan": { - "$ref": "#/components/schemas/String" - }, - "updated_at": { - "description": "Last Time Project was Updated", - "format": "date-time", - "readOnly": true, + "nullDuration": { + "nullable": true, + "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", + "type": "string" + }, + "nullInt64": { + "nullable": true, + "type": "integer" + }, + "nullJsonRawMessage": { + "description": "NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-", + "nullable": true + }, + "nullTime": { + "format": "date-time", + "title": "NullTime implements sql.NullTime functionality.", + "type": "string" + }, + "patchIdentitiesBody": { + "description": "Patch Identities Body", + "properties": { + "identities": { + "description": "Identities holds the list of patches to apply\n\nrequired", + "items": { + "$ref": "#/components/schemas/identityPatch" + }, + "type": "array" + } + }, + "type": "object" + }, + "performNativeLogoutBody": { + "description": "Perform Native Logout Request Body", + "properties": { + "session_token": { + "description": "The Session Token\n\nInvalidate this session token.", "type": "string" } }, "required": [ - "id", - "hosts", - "slug", - "current_revision", - "state", - "created_at", - "updated_at" + "session_token" ], "type": "object" }, - "normalizedProjectRevision": { + "recoveryCodeForIdentity": { + "description": "Used when an administrator creates a recovery code for an identity.", "properties": { - "created_at": { - "description": "The Project's Revision Creation Date", + "expires_at": { + "description": "Expires At is the timestamp of when the recovery flow expires\n\nThe timestamp when the recovery code expires.", "format": "date-time", - "readOnly": true, - "type": "string" - }, - "hydra_oauth2_allowed_top_level_claims": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_oauth2_client_credentials_default_grant_allowed_scope": { - "description": "Automatically grant authorized OAuth2 Scope in OAuth2 Client Credentials Flow.\n\nEach OAuth2 Client is allowed to request a predefined OAuth2 Scope (for example `read write`). If this option is enabled, the full\nscope is automatically granted when performing the OAuth2 Client Credentials flow.\n\nIf disabled, the OAuth2 Client has to request the scope in the OAuth2 request by providing the `scope` query parameter.\n\nSetting this option to true is common if you need compatibility with MITREid.\n\nThis governs the \"oauth2.client_credentials.default_grant_allowed_scope\" setting.", - "type": "boolean" - }, - "hydra_oauth2_exclude_not_before_claim": { - "description": "Set to true if you want to exclude claim `nbf (not before)` part of access token.\n\nThis governs the \"oauth2.exclude_not_before_claim\" setting.", - "type": "boolean" - }, - "hydra_oauth2_grant_jwt_iat_optional": { - "description": "Configures if the issued at (`iat`) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523).\n\nIf set to `false`, the `iat` claim is required. Set this value to `true` only after careful consideration.\n\nThis governs the \"oauth2.grant.jwt.iat_optional\" setting.", - "type": "boolean" - }, - "hydra_oauth2_grant_jwt_jti_optional": { - "description": "Configures if the JSON Web Token ID (`jti`) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523).\n\nIf set to `false`, the `jti` claim is required. Set this value to `true` only after careful consideration.\n\nThis governs the \"oauth2.grant.jwt.jti_optional\" setting.", - "type": "boolean" - }, - "hydra_oauth2_grant_jwt_max_ttl": { - "default": "720h", - "description": "Configures what the maximum age of a JWT assertion used in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523) can be.\n\nThis feature uses the `exp` claim and `iat` claim to calculate assertion age. Assertions exceeding the max age will be denied.\n\nUseful as a safety measure and recommended to keep below 720h.\n\nThis governs the \"oauth2.grant.jwt.max_ttl\" setting.", - "example": "30m", - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - }, - "hydra_oauth2_pkce_enforced": { - "description": "Configures whether PKCE should be enforced for all OAuth2 Clients.\n\nThis governs the \"oauth2.pkce.enforced\" setting.", - "type": "boolean" - }, - "hydra_oauth2_pkce_enforced_for_public_clients": { - "description": "Configures whether PKCE should be enforced for OAuth2 Clients without a client secret (public clients).\n\nThis governs the \"oauth2.pkce.enforced_for_public_clients\" setting.", - "type": "boolean" - }, - "hydra_oauth2_refresh_token_hook": { - "description": "Sets the Refresh Token Hook Endpoint. If set this endpoint will be called during the OAuth2 Token Refresh grant update the OAuth2 Access Token claims.\n\nThis governs the \"oauth2.refresh_token_hook\" setting.", - "type": "string" - }, - "hydra_oidc_dynamic_client_registration_default_scope": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_oidc_dynamic_client_registration_enabled": { - "description": "Configures OpenID Connect Dynamic Client Registration.\n\nThis governs the \"oidc.dynamic_client_registration.enabled\" setting.", - "type": "boolean" - }, - "hydra_oidc_subject_identifiers_pairwise_salt": { - "description": "Configures OpenID Connect Discovery and overwrites the pairwise algorithm\n\nThis governs the \"oidc.subject_identifiers.pairwise_salt\" setting.", - "type": "string" - }, - "hydra_oidc_subject_identifiers_supported_types": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_secrets_cookie": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_secrets_system": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_serve_admin_cors_allowed_origins": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_serve_admin_cors_enabled": { - "description": "Configures the Ory Hydra CORS Settings\n\nThis governs the \"serve.admin.cors.enabled\" setting.", - "type": "boolean" - }, - "hydra_serve_cookies_same_site_legacy_workaround": { - "description": "Configures the Ory Hydra Cookie Same Site Legacy Workaround\n\nThis governs the \"serve.cookies.same_site_legacy_workaround\" setting.", - "type": "boolean" - }, - "hydra_serve_cookies_same_site_mode": { - "description": "Configures the Ory Hydra Cookie Same Site Mode\n\nThis governs the \"serve.cookies.same_site_mode\" setting.", - "type": "string" - }, - "hydra_serve_public_cors_allowed_origins": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_serve_public_cors_enabled": { - "description": "Configures the Ory Hydra CORS Settings\n\nThis governs the \"serve.public.cors.enabled\" setting.", - "type": "boolean" - }, - "hydra_strategies_access_token": { - "default": "opaque", - "description": "Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens\n\nThis governs the \"strategies.access_token\" setting.\nopaque Oauth2AccessTokenStrategyOpaque\njwt Oauth2AccessTokenStrategyJwt", - "enum": [ - "opaque", - "jwt" - ], - "type": "string", - "x-go-enum-desc": "opaque Oauth2AccessTokenStrategyOpaque\njwt Oauth2AccessTokenStrategyJwt" - }, - "hydra_strategies_scope": { - "default": "wildcard", - "description": "Defines how scopes are matched. For more details have a look at https://github.com/ory/fosite#scopes\n\nThis governs the \"strategies.scope\" setting.\nexact Oauth2ScopeStrategyExact\nwildcard Oauth2ScopeStrategyWildcard", - "enum": [ - "exact", - "wildcard" - ], - "type": "string", - "x-go-enum-desc": "exact Oauth2ScopeStrategyExact\nwildcard Oauth2ScopeStrategyWildcard" - }, - "hydra_ttl_access_token": { - "default": "30m", - "description": "This governs the \"ttl.access_token\" setting.", - "example": "1h", - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - }, - "hydra_ttl_auth_code": { - "default": "720h", - "description": "Configures how long refresh tokens are valid.\n\nSet to -1 for refresh tokens to never expire. This is not recommended!\n\nThis governs the \"ttl.auth_code\" setting.", - "example": "30m", - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - }, - "hydra_ttl_id_token": { - "default": "30m", - "description": "This governs the \"ttl.id_token\" setting.", - "example": "1h", - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - }, - "hydra_ttl_login_consent_request": { - "default": "30m", - "description": "Configures how long a user login and consent flow may take.\n\nThis governs the \"ttl.login_consent_request\" setting.", - "example": "1h", - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - }, - "hydra_ttl_refresh_token": { - "default": "720h", - "description": "Configures how long refresh tokens are valid.\n\nSet to -1 for refresh tokens to never expire. This is not recommended!\n\nThis governs the \"ttl.refresh_token\" setting.", - "example": "30m", - "pattern": "^([0-9]+(ns|us|ms|s|m|h)|-1)$", "type": "string" }, - "hydra_urls_consent": { - "description": "Sets the OAuth2 Consent Endpoint URL of the OAuth2 User Login \u0026 Consent flow.\n\nDefaults to the Ory Account Experience if left empty.\n\nThis governs the \"urls.consent\" setting.", + "recovery_code": { + "description": "RecoveryCode is the code that can be used to recover the account", "type": "string" }, - "hydra_urls_error": { - "description": "Sets the OAuth2 Error URL of the OAuth2 User Login \u0026 Consent flow.\n\nDefaults to the Ory Account Experience if left empty.\n\nThis governs the \"urls.error\" setting.", + "recovery_link": { + "description": "RecoveryLink with flow\n\nThis link opens the recovery UI with an empty `code` field.", "type": "string" - }, - "hydra_urls_login": { - "description": "Sets the OAuth2 Login Endpoint URL of the OAuth2 User Login \u0026 Consent flow.\n\nDefaults to the Ory Account Experience if left empty.\n\nThis governs the \"urls.login\" setting.", + } + }, + "required": [ + "recovery_link", + "recovery_code" + ], + "title": "Recovery Code for Identity", + "type": "object" + }, + "recoveryFlow": { + "description": "This request is used when an identity wants to recover their account.\n\nWe recommend reading the [Account Recovery Documentation](../self-service/flows/password-reset-account-recovery)", + "properties": { + "active": { + "description": "Active, if set, contains the recovery method that is being used. It is initially\nnot set.", "type": "string" }, - "hydra_urls_logout": { - "description": "Sets the logout endpoint.\n\nDefaults to the Ory Account Experience if left empty.\n\nThis governs the \"urls.logout\" setting.", - "type": "string" + "continue_with": { + "description": "Contains possible actions that could follow this flow", + "items": { + "$ref": "#/components/schemas/continueWith" + }, + "type": "array" }, - "hydra_urls_post_logout_redirect": { - "description": "When an OAuth2-related user agent requests to log out, they will be redirected to this url afterwards per default.\n\nDefaults to the Ory Account Experience in development and your application in production mode when a custom domain is connected.\n\nThis governs the \"urls.post_logout_redirect\" setting.", + "expires_at": { + "description": "ExpiresAt is the time (UTC) when the request expires. If the user still wishes to update the setting,\na new request has to be initiated.", + "format": "date-time", "type": "string" }, - "hydra_urls_self_issuer": { - "description": "This value will be used as the issuer in access and ID tokens. It must be specified and using HTTPS protocol, unless the development mode is enabled.\n\nOn the Ory Network it will be very rare that you want to modify this value. If left empty, it will default to the correct value for the Ory Network.\n\nThis governs the \"urls.self.issuer\" setting.", + "id": { + "description": "ID represents the request's unique ID. When performing the recovery flow, this\nrepresents the id in the recovery ui's query parameter: http://\u003cselfservice.flows.recovery.ui_url\u003e?request=\u003cid\u003e", + "format": "uuid", "type": "string" }, - "hydra_webfinger_jwks_broadcast_keys": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_webfinger_oidc_discovery_auth_url": { - "description": "Configures OpenID Connect Discovery and overwrites the OAuth2 Authorization URL.\n\nThis governs the \"webfinger.oidc.discovery.auth_url\" setting.", + "issued_at": { + "description": "IssuedAt is the time (UTC) when the request occurred.", + "format": "date-time", "type": "string" }, - "hydra_webfinger_oidc_discovery_client_registration_url": { - "description": "Configures OpenID Connect Discovery and overwrites the OpenID Connect Dynamic Client Registration Endpoint.\n\nThis governs the \"webfinger.oidc.discovery.client_registration_url\" setting.", + "request_url": { + "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", "type": "string" }, - "hydra_webfinger_oidc_discovery_jwks_url": { - "description": "Configures OpenID Connect Discovery and overwrites the JWKS URL.\n\nThis governs the \"webfinger.oidc.discovery.jwks_url\" setting.", + "return_to": { + "description": "ReturnTo contains the requested return_to URL.", "type": "string" }, - "hydra_webfinger_oidc_discovery_supported_claims": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "hydra_webfinger_oidc_discovery_supported_scope": { - "$ref": "#/components/schemas/StringSliceJSONFormat" + "state": { + "description": "State represents the state of this request:\n\nchoose_method: ask the user to choose a method (e.g. recover account via email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the recovery challenge was passed." }, - "hydra_webfinger_oidc_discovery_token_url": { - "description": "Configures OpenID Connect Discovery and overwrites the OAuth2 Token URL.\n\nThis governs the \"webfinger.oidc.discovery.token_url\" setting.", - "type": "string" + "type": { + "$ref": "#/components/schemas/selfServiceFlowType" }, - "hydra_webfinger_oidc_discovery_userinfo_url": { - "description": "Configures OpenID Connect Discovery and overwrites userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint /.well-known/openid-configuration. Defaults to Ory Hydra's userinfo endpoint at /userinfo. Set this value if you want to handle this endpoint yourself.\n\nThis governs the \"webfinger.oidc.discovery.userinfo_url\" setting.", + "ui": { + "$ref": "#/components/schemas/uiContainer" + } + }, + "required": [ + "id", + "type", + "expires_at", + "issued_at", + "request_url", + "ui", + "state" + ], + "title": "A Recovery Flow", + "type": "object" + }, + "recoveryFlowState": { + "description": "The state represents the state of the recovery flow.\n\nchoose_method: ask the user to choose a method (e.g. recover account via email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the recovery challenge was passed.", + "enum": [ + "choose_method", + "sent_email", + "passed_challenge" + ], + "title": "Recovery Flow State" + }, + "recoveryIdentityAddress": { + "properties": { + "created_at": { + "description": "CreatedAt is a helper struct field for gobuffalo.pop.", + "format": "date-time", "type": "string" }, "id": { - "description": "The revision ID.", "format": "uuid", - "readOnly": true, "type": "string" }, - "keto_namespace_configuration": { - "description": "The Revisions' Keto Namespace Configuration\n\nThe string is a URL pointing to an OPL file with the configuration.", + "updated_at": { + "description": "UpdatedAt is a helper struct field for gobuffalo.pop.", + "format": "date-time", "type": "string" }, - "keto_namespaces": { - "$ref": "#/components/schemas/KetoNamespaces" - }, - "keto_read_max_depth": { - "$ref": "#/components/schemas/NullInt" - }, - "kratos_cookies_same_site": { - "description": "Configures the Ory Kratos Cookie SameSite Attribute\n\nThis governs the \"cookies.same_site\" setting.", + "value": { "type": "string" }, - "kratos_courier_smtp_connection_uri": { - "description": "Configures the Ory Kratos SMTP Connection URI\n\nThis governs the \"courier.smtp.connection_uri\" setting.", + "via": { + "$ref": "#/components/schemas/RecoveryAddressType" + } + }, + "required": [ + "id", + "value", + "via" + ], + "type": "object" + }, + "recoveryLinkForIdentity": { + "description": "Used when an administrator creates a recovery link for an identity.", + "properties": { + "expires_at": { + "description": "Recovery Link Expires At\n\nThe timestamp when the recovery link expires.", + "format": "date-time", "type": "string" }, - "kratos_courier_smtp_from_address": { - "description": "Configures the Ory Kratos SMTP From Address\n\nThis governs the \"courier.smtp.from_address\" setting.", + "recovery_link": { + "description": "Recovery Link\n\nThis link can be used to recover the account.", "type": "string" + } + }, + "required": [ + "recovery_link" + ], + "title": "Identity Recovery Link", + "type": "object" + }, + "registrationFlow": { + "properties": { + "active": { + "$ref": "#/components/schemas/identityCredentialsType" }, - "kratos_courier_smtp_from_name": { - "description": "Configures the Ory Kratos SMTP From Name\n\nThis governs the \"courier.smtp.from_name\" setting.", + "expires_at": { + "description": "ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,\na new flow has to be initiated.", + "format": "date-time", "type": "string" }, - "kratos_courier_smtp_headers": { - "$ref": "#/components/schemas/nullJsonRawMessage" - }, - "kratos_courier_templates_recovery_code_invalid_email_body_html": { - "description": "Configures the Ory Kratos Invalid Recovery via Code Email Body HTML Template\n\nThis governs the \"courier.smtp.templates.recovery_code.invalid.email.body.html\" setting.", + "id": { + "description": "ID represents the flow's unique ID. When performing the registration flow, this\nrepresents the id in the registration ui's query parameter: http://\u003cselfservice.flows.registration.ui_url\u003e/?flow=\u003cid\u003e", + "format": "uuid", "type": "string" }, - "kratos_courier_templates_recovery_code_invalid_email_body_plaintext": { - "description": "Configures the Ory Kratos Invalid Recovery via Code Email Body Plaintext Template\n\nThis governs the \"courier.smtp.templates.recovery_code.invalid.email.body.plaintext\" setting.", + "issued_at": { + "description": "IssuedAt is the time (UTC) when the flow occurred.", + "format": "date-time", "type": "string" }, - "kratos_courier_templates_recovery_code_invalid_email_subject": { - "description": "Configures the Ory Kratos Invalid Recovery via Code Email Subject Template\n\nThis governs the \"courier.smtp.templates.recovery_code.invalid.email.body.html\" setting.", + "oauth2_login_challenge": { + "description": "Ory OAuth 2.0 Login Challenge.\n\nThis value is set using the `login_challenge` query parameter of the registration and login endpoints.\nIf set will cooperate with Ory OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.", "type": "string" }, - "kratos_courier_templates_recovery_code_valid_email_body_html": { - "description": "Configures the Ory Kratos Valid Recovery via Code Email Body HTML Template\n\nThis governs the \"courier.smtp.templates.recovery_code.valid.email.body.html\" setting.", - "type": "string" + "oauth2_login_request": { + "$ref": "#/components/schemas/OAuth2LoginRequest" }, - "kratos_courier_templates_recovery_code_valid_email_body_plaintext": { - "description": "Configures the Ory Kratos Valid Recovery via Code Email Body Plaintext Template\n\nThis governs the \"courier.smtp.templates.recovery_code.valid.email.body.plaintext\" setting.", - "type": "string" + "organization_id": { + "$ref": "#/components/schemas/NullUUID" }, - "kratos_courier_templates_recovery_code_valid_email_subject": { - "description": "Configures the Ory Kratos Valid Recovery via Code Email Subject Template\n\nThis governs the \"courier.smtp.templates.recovery_code.valid.email.subject\" setting.", + "request_url": { + "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", "type": "string" }, - "kratos_courier_templates_recovery_invalid_email_body_html": { - "description": "Configures the Ory Kratos Invalid Recovery Email Body HTML Template\n\nThis governs the \"courier.smtp.templates.recovery.invalid.email.body.html\" setting.", + "return_to": { + "description": "ReturnTo contains the requested return_to URL.", "type": "string" }, - "kratos_courier_templates_recovery_invalid_email_body_plaintext": { - "description": "Configures the Ory Kratos Invalid Recovery Email Body Plaintext Template\n\nThis governs the \"courier.smtp.templates.recovery.invalid.email.body.plaintext\" setting.", + "session_token_exchange_code": { + "description": "SessionTokenExchangeCode holds the secret code that the client can use to retrieve a session token after the flow has been completed.\nThis is only set if the client has requested a session token exchange code, and if the flow is of type \"api\",\nand only on creating the flow.", "type": "string" }, - "kratos_courier_templates_recovery_invalid_email_subject": { - "description": "Configures the Ory Kratos Invalid Recovery Email Subject Template\n\nThis governs the \"courier.smtp.templates.recovery.invalid.email.body.html\" setting.", - "type": "string" + "state": { + "description": "State represents the state of this request:\n\nchoose_method: ask the user to choose a method (e.g. registration with email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the registration challenge was passed." }, - "kratos_courier_templates_recovery_valid_email_body_html": { - "description": "Configures the Ory Kratos Valid Recovery Email Body HTML Template\n\nThis governs the \"courier.smtp.templates.recovery.valid.email.body.html\" setting.", - "type": "string" + "transient_payload": { + "description": "TransientPayload is used to pass data from the registration to a webhook", + "type": "object" }, - "kratos_courier_templates_recovery_valid_email_body_plaintext": { - "description": "Configures the Ory Kratos Valid Recovery Email Body Plaintext Template\n\nThis governs the \"courier.smtp.templates.recovery.valid.email.body.plaintext\" setting.", - "type": "string" + "type": { + "$ref": "#/components/schemas/selfServiceFlowType" }, - "kratos_courier_templates_recovery_valid_email_subject": { - "description": "Configures the Ory Kratos Valid Recovery Email Subject Template\n\nThis governs the \"courier.smtp.templates.recovery.valid.email.subject\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_code_invalid_email_body_html": { - "description": "Configures the Ory Kratos Invalid Verification via Code Email Body HTML Template\n\nThis governs the \"courier.smtp.templates.verification_code.invalid.email.body.html\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_code_invalid_email_body_plaintext": { - "description": "Configures the Ory Kratos Invalid Verification via Code Email Body Plaintext Template\n\nThis governs the \"courier.smtp.templates.verification_code.invalid.email.body.plaintext\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_code_invalid_email_subject": { - "description": "Configures the Ory Kratos Invalid Verification via Code Email Subject Template\n\nThis governs the \"courier.smtp.templates.verification_code.invalid.email.subject\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_code_valid_email_body_html": { - "description": "Configures the Ory Kratos Valid Verification via Code Email Body HTML Template\n\nThis governs the \"courier.smtp.templates.verification_code.valid.email.body.html\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_code_valid_email_body_plaintext": { - "description": "Configures the Ory Kratos Valid Verification via Code Email Body Plaintext Template\n\nThis governs the \"courier.smtp.templates.verification_code.valid.email.body.plaintext\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_code_valid_email_subject": { - "description": "Configures the Ory Kratos Valid Verification via Code Email Subject Template\n\nThis governs the \"courier.smtp.templates.verification_code.valid.email.subject\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_invalid_email_body_html": { - "description": "Configures the Ory Kratos Invalid Verification Email Body HTML Template\n\nThis governs the \"courier.smtp.templates.verification.invalid.email.body.html\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_invalid_email_body_plaintext": { - "description": "Configures the Ory Kratos Invalid Verification Email Body Plaintext Template\n\nThis governs the \"courier.smtp.templates.verification.invalid.email.body.plaintext\" setting.", - "type": "string" - }, - "kratos_courier_templates_verification_invalid_email_subject": { - "description": "Configures the Ory Kratos Invalid Verification Email Subject Template\n\nThis governs the \"courier.smtp.templates.verification.invalid.email.subject\" setting.", - "type": "string" + "ui": { + "$ref": "#/components/schemas/uiContainer" + } + }, + "required": [ + "id", + "type", + "expires_at", + "issued_at", + "request_url", + "ui", + "state" + ], + "type": "object" + }, + "registrationFlowState": { + "description": "choose_method: ask the user to choose a method (e.g. registration with email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the registration challenge was passed.", + "enum": [ + "choose_method", + "sent_email", + "passed_challenge" + ], + "title": "State represents the state of this request:" + }, + "selfServiceFlowExpiredError": { + "description": "Is sent when a flow is expired", + "properties": { + "error": { + "$ref": "#/components/schemas/genericError" }, - "kratos_courier_templates_verification_valid_email_body_html": { - "description": "Configures the Ory Kratos Valid Verification Email Body HTML Template\n\nThis governs the \"courier.smtp.templates.verification.valid.email.body.html\" setting.", + "expired_at": { + "description": "When the flow has expired", + "format": "date-time", "type": "string" }, - "kratos_courier_templates_verification_valid_email_body_plaintext": { - "description": "Configures the Ory Kratos Valid Verification Email Body Plaintext Template\n\nThis governs the \"courier.smtp.templates.verification.valid.email.body.plaintext\" setting.", - "type": "string" + "since": { + "$ref": "#/components/schemas/Duration" }, - "kratos_courier_templates_verification_valid_email_subject": { - "description": "Configures the Ory Kratos Valid Verification Email Subject Template\n\nThis governs the \"courier.smtp.templates.verification.valid.email.subject\" setting.", + "use_flow_id": { + "description": "The flow ID that should be used for the new flow as it contains the correct messages.", + "format": "uuid", "type": "string" - }, - "kratos_feature_flags_cacheable_sessions": { - "description": "Configures the Ory Kratos Session caching feature flag\n\nThis governs the \"feature_flags.cacheable_sessions\" setting.", - "type": "boolean" - }, - "kratos_identity_schemas": { - "$ref": "#/components/schemas/projectRevisionIdentitySchemas" - }, - "kratos_oauth2_provider_headers": { - "$ref": "#/components/schemas/nullJsonRawMessage" - }, - "kratos_oauth2_provider_override_return_to": { - "description": "Kratos OAuth2 Provider Override Return To\n\nEnabling this allows Kratos to set the return_to parameter automatically to the OAuth2 request URL on the login flow, allowing complex flows such as recovery to continue to the initial OAuth2 flow.", + } + }, + "type": "object" + }, + "selfServiceFlowType": { + "description": "The flow type can either be `api` or `browser`.", + "title": "Type is the flow type.", + "type": "string" + }, + "session": { + "description": "A Session", + "properties": { + "active": { + "description": "Active state. If false the session is no longer active.", "type": "boolean" }, - "kratos_oauth2_provider_url": { - "description": "The Revisions' OAuth2 Provider Integration URL\n\nThis governs the \"oauth2_provider.url\" setting.", - "type": "string" - }, - "kratos_secrets_cipher": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "kratos_secrets_cookie": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "kratos_secrets_default": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "kratos_selfservice_allowed_return_urls": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "kratos_selfservice_default_browser_return_url": { - "description": "Configures the Ory Kratos Default Return URL\n\nThis governs the \"selfservice.allowed_return_urls\" setting.", - "type": "string" - }, - "kratos_selfservice_flows_error_ui_url": { - "description": "Configures the Ory Kratos Error UI URL\n\nThis governs the \"selfservice.flows.error.ui_url\" setting.", - "type": "string" - }, - "kratos_selfservice_flows_hooks": { - "$ref": "#/components/schemas/projectRevisionHooks" - }, - "kratos_selfservice_flows_login_after_default_browser_return_url": { - "description": "Configures the Ory Kratos Login Default Return URL\n\nThis governs the \"selfservice.flows.login.after.default_browser_return_url\" setting.", + "authenticated_at": { + "description": "The Session Authentication Timestamp\n\nWhen this session was authenticated at. If multi-factor authentication was used this\nis the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).", + "format": "date-time", "type": "string" }, - "kratos_selfservice_flows_login_after_oidc_default_browser_return_url": { - "description": "Configures the Ory Kratos Login After OIDC Default Return URL\n\nThis governs the \"selfservice.flows.login.after.oidc.default_browser_return_url\" setting.", - "type": "string" + "authentication_methods": { + "$ref": "#/components/schemas/sessionAuthenticationMethods" }, - "kratos_selfservice_flows_login_after_password_default_browser_return_url": { - "description": "Configures the Ory Kratos Login After Password Default Return URL\n\nThis governs the \"selfservice.flows.login.after.password.default_browser_return_url\" setting.", - "type": "string" + "authenticator_assurance_level": { + "$ref": "#/components/schemas/authenticatorAssuranceLevel" }, - "kratos_selfservice_flows_login_after_webauthn_default_browser_return_url": { - "description": "Configures the Ory Kratos Login After WebAuthn Default Return URL\n\nThis governs the \"selfservice.flows.login.after.webauthn.default_browser_return_url\" setting.", - "type": "string" + "devices": { + "description": "Devices has history of all endpoints where the session was used", + "items": { + "$ref": "#/components/schemas/sessionDevice" + }, + "type": "array" }, - "kratos_selfservice_flows_login_lifespan": { - "description": "Configures the Ory Kratos Login Lifespan\n\nThis governs the \"selfservice.flows.login.lifespan\" setting.", + "expires_at": { + "description": "The Session Expiry\n\nWhen this session expires at.", + "format": "date-time", "type": "string" }, - "kratos_selfservice_flows_login_ui_url": { - "description": "Configures the Ory Kratos Login UI URL\n\nThis governs the \"selfservice.flows.login.ui_url\" setting.", + "id": { + "description": "Session ID", + "format": "uuid", "type": "string" }, - "kratos_selfservice_flows_logout_after_default_browser_return_url": { - "description": "Configures the Ory Kratos Logout Default Return URL\n\nThis governs the \"selfservice.flows.logout.after.default_browser_return_url\" setting.", - "type": "string" + "identity": { + "$ref": "#/components/schemas/identity" }, - "kratos_selfservice_flows_recovery_after_default_browser_return_url": { - "description": "Configures the Ory Kratos Recovery Default Return URL\n\nThis governs the \"selfservice.flows.recovery.after.default_browser_return_url\" setting.", + "issued_at": { + "description": "The Session Issuance Timestamp\n\nWhen this session was issued at. Usually equal or close to `authenticated_at`.", + "format": "date-time", "type": "string" }, - "kratos_selfservice_flows_recovery_enabled": { - "description": "Configures the Ory Kratos Recovery Enabled Setting\n\nThis governs the \"selfservice.flows.recovery.enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_flows_recovery_lifespan": { - "description": "Configures the Ory Kratos Recovery Lifespan\n\nThis governs the \"selfservice.flows.recovery.lifespan\" setting.", + "tokenized": { + "description": "Tokenized is the tokenized (e.g. JWT) version of the session.\n\nIt is only set when the `tokenize` query parameter was set to a valid tokenize template during calls to `/session/whoami`.", "type": "string" + } + }, + "required": [ + "id" + ], + "type": "object" + }, + "sessionAuthenticationMethod": { + "description": "A singular authenticator used during authentication / login.", + "properties": { + "aal": { + "$ref": "#/components/schemas/authenticatorAssuranceLevel" }, - "kratos_selfservice_flows_recovery_notify_unknown_recipients": { - "description": "Configures whether to notify unknown recipients of a Ory Kratos recovery flow\n\nThis governs the \"selfservice.flows.recovery.notify_unknown_recipients\" setting.", - "type": "boolean" - }, - "kratos_selfservice_flows_recovery_ui_url": { - "description": "Configures the Ory Kratos Recovery UI URL\n\nThis governs the \"selfservice.flows.recovery.ui_url\" setting.", + "completed_at": { + "description": "When the authentication challenge was completed.", + "format": "date-time", "type": "string" }, - "kratos_selfservice_flows_recovery_use": { - "description": "Configures the Ory Kratos Recovery strategy to use (\"link\" or \"code\")\n\nThis governs the \"selfservice.flows.recovery.use\" setting.\nlink SelfServiceMessageVerificationStrategyLink\ncode SelfServiceMessageVerificationStrategyCode", + "method": { "enum": [ - "link", - "code" + "link_recovery", + "code_recovery", + "password", + "code", + "totp", + "oidc", + "webauthn", + "lookup_secret", + "v0.6_legacy_session" ], - "type": "string", - "x-go-enum-desc": "link SelfServiceMessageVerificationStrategyLink\ncode SelfServiceMessageVerificationStrategyCode" - }, - "kratos_selfservice_flows_registration_after_default_browser_return_url": { - "description": "Configures the Ory Kratos Registration Default Return URL\n\nThis governs the \"selfservice.flows.registration.after.default_browser_return_url\" setting.", + "title": "The method used", "type": "string" }, - "kratos_selfservice_flows_registration_after_oidc_default_browser_return_url": { - "description": "Configures the Ory Kratos Registration After OIDC Default Return URL\n\nThis governs the \"selfservice.flows.registration.after.oidc.default_browser_return_url\" setting.", + "organization": { + "description": "The Organization id used for authentication", "type": "string" }, - "kratos_selfservice_flows_registration_after_password_default_browser_return_url": { - "description": "Configures the Ory Kratos Registration After Password Default Return URL\n\nThis governs the \"selfservice.flows.registration.after.password.default_browser_return_url\" setting.", + "provider": { + "description": "OIDC or SAML provider id used for authentication", "type": "string" - }, - "kratos_selfservice_flows_registration_after_webauthn_default_browser_return_url": { - "description": "Configures the Ory Kratos Registration After Password Default Return URL\n\nThis governs the \"selfservice.flows.registration.after.password.default_browser_return_url\" setting.", + } + }, + "title": "AuthenticationMethod identifies an authentication method", + "type": "object" + }, + "sessionAuthenticationMethods": { + "description": "A list of authenticators which were used to authenticate the session.", + "items": { + "$ref": "#/components/schemas/sessionAuthenticationMethod" + }, + "title": "List of (Used) AuthenticationMethods", + "type": "array" + }, + "sessionDevice": { + "description": "Device corresponding to a Session", + "properties": { + "id": { + "description": "Device record ID", + "format": "uuid", "type": "string" }, - "kratos_selfservice_flows_registration_enabled": { - "description": "Configures the Whether Ory Kratos Registration is Enabled\n\nThis governs the \"selfservice.flows.registration.enabled\" setting.0", - "type": "boolean" - }, - "kratos_selfservice_flows_registration_lifespan": { - "description": "Configures the Ory Kratos Registration Lifespan\n\nThis governs the \"selfservice.flows.registration.lifespan\" setting.", + "ip_address": { + "description": "IPAddress of the client", "type": "string" }, - "kratos_selfservice_flows_registration_ui_url": { - "description": "Configures the Ory Kratos Registration UI URL\n\nThis governs the \"selfservice.flows.registration.ui_url\" setting.", + "location": { + "description": "Geo Location corresponding to the IP Address", "type": "string" }, - "kratos_selfservice_flows_settings_after_default_browser_return_url": { - "description": "Configures the Ory Kratos Settings Default Return URL\n\nThis governs the \"selfservice.flows.settings.after.default_browser_return_url\" setting.", + "user_agent": { + "description": "UserAgent of the client", "type": "string" - }, - "kratos_selfservice_flows_settings_after_password_default_browser_return_url": { - "description": "Configures the Ory Kratos Settings Default Return URL After Updating Passwords\n\nThis governs the \"selfservice.flows.settings.after.password.default_browser_return_url\" setting.", + } + }, + "required": [ + "id" + ], + "type": "object" + }, + "settingsFlow": { + "description": "This flow is used when an identity wants to update settings\n(e.g. profile data, passwords, ...) in a selfservice manner.\n\nWe recommend reading the [User Settings Documentation](../self-service/flows/user-settings)", + "properties": { + "active": { + "description": "Active, if set, contains the registration method that is being used. It is initially\nnot set.", "type": "string" }, - "kratos_selfservice_flows_settings_after_profile_default_browser_return_url": { - "description": "Configures the Ory Kratos Settings Default Return URL After Updating Profiles\n\nThis governs the \"selfservice.flows.settings.after.profile.default_browser_return_url\" setting.", - "type": "string" + "continue_with": { + "description": "Contains a list of actions, that could follow this flow\n\nIt can, for example, contain a reference to the verification flow, created as part of the user's\nregistration.", + "items": { + "$ref": "#/components/schemas/continueWith" + }, + "type": "array" }, - "kratos_selfservice_flows_settings_lifespan": { - "description": "Configures the Ory Kratos Settings Lifespan\n\nThis governs the \"selfservice.flows.settings.lifespan\" setting.", + "expires_at": { + "description": "ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to update the setting,\na new flow has to be initiated.", + "format": "date-time", "type": "string" }, - "kratos_selfservice_flows_settings_privileged_session_max_age": { - "description": "Configures the Ory Kratos Settings Privileged Session Max Age\n\nThis governs the \"selfservice.flows.settings.privileged_session_max_age\" setting.", + "id": { + "description": "ID represents the flow's unique ID. When performing the settings flow, this\nrepresents the id in the settings ui's query parameter: http://\u003cselfservice.flows.settings.ui_url\u003e?flow=\u003cid\u003e", + "format": "uuid", "type": "string" }, - "kratos_selfservice_flows_settings_required_aal": { - "description": "Configures the Ory Kratos Settings Required AAL\n\nThis governs the \"selfservice.flows.settings.required_aal\" setting.", - "type": "string" + "identity": { + "$ref": "#/components/schemas/identity" }, - "kratos_selfservice_flows_settings_ui_url": { - "description": "Configures the Ory Kratos Settings UI URL\n\nThis governs the \"selfservice.flows.settings.ui_url\" setting.", + "issued_at": { + "description": "IssuedAt is the time (UTC) when the flow occurred.", + "format": "date-time", "type": "string" }, - "kratos_selfservice_flows_verification_after_default_browser_return_url": { - "description": "Configures the Ory Kratos Verification Default Return URL\n\nThis governs the \"selfservice.flows.verification.after.default_browser_return_url\" setting.", + "request_url": { + "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", "type": "string" }, - "kratos_selfservice_flows_verification_enabled": { - "description": "Configures the Ory Kratos Verification Enabled Setting\n\nThis governs the \"selfservice.flows.verification.enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_flows_verification_lifespan": { - "description": "Configures the Ory Kratos Verification Lifespan\n\nThis governs the \"selfservice.flows.verification.lifespan\" setting.", + "return_to": { + "description": "ReturnTo contains the requested return_to URL.", "type": "string" }, - "kratos_selfservice_flows_verification_notify_unknown_recipients": { - "description": "Configures whether to notify unknown recipients of a Ory Kratos verification flow\n\nThis governs the \"selfservice.flows.verification.notify_unknown_recipients\" setting.", - "type": "boolean" + "state": { + "description": "State represents the state of this flow. It knows two states:\n\nshow_form: No user data has been collected, or it is invalid, and thus the form should be shown.\nsuccess: Indicates that the settings flow has been updated successfully with the provided data.\nDone will stay true when repeatedly checking. If set to true, done will revert back to false only\nwhen a flow with invalid (e.g. \"please use a valid phone number\") data was sent." }, - "kratos_selfservice_flows_verification_ui_url": { - "description": "Configures the Ory Kratos Verification UI URL\n\nThis governs the \"selfservice.flows.verification.ui_url\" setting.", - "type": "string" + "type": { + "$ref": "#/components/schemas/selfServiceFlowType" }, - "kratos_selfservice_flows_verification_use": { - "description": "Configures the Ory Kratos Strategy to use for Verification\n\nThis governs the \"selfservice.flows.verification.use\" setting.\nlink SelfServiceMessageVerificationStrategyLink\ncode SelfServiceMessageVerificationStrategyCode", - "enum": [ - "link", - "code" - ], - "type": "string", - "x-go-enum-desc": "link SelfServiceMessageVerificationStrategyLink\ncode SelfServiceMessageVerificationStrategyCode" + "ui": { + "$ref": "#/components/schemas/uiContainer" + } + }, + "required": [ + "id", + "type", + "expires_at", + "issued_at", + "request_url", + "ui", + "identity", + "state" + ], + "title": "Flow represents a Settings Flow", + "type": "object" + }, + "settingsFlowState": { + "description": "show_form: No user data has been collected, or it is invalid, and thus the form should be shown.\nsuccess: Indicates that the settings flow has been updated successfully with the provided data.\nDone will stay true when repeatedly checking. If set to true, done will revert back to false only\nwhen a flow with invalid (e.g. \"please use a valid phone number\") data was sent.", + "enum": [ + "show_form", + "success" + ], + "title": "State represents the state of this flow. It knows two states:" + }, + "successfulCodeExchangeResponse": { + "description": "The Response for Registration Flows via API", + "properties": { + "session": { + "$ref": "#/components/schemas/session" }, - "kratos_selfservice_methods_code_config_lifespan": { - "description": "Configures the Ory Kratos Code Method's lifespan\n\nThis governs the \"selfservice.methods.code.config.lifespan\" setting.", - "type": "string" - }, - "kratos_selfservice_methods_code_enabled": { - "description": "Configures whether Ory Kratos Code Method is enabled\n\nThis governs the \"selfservice.methods.code.enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_link_config_base_url": { - "description": "Configures the Base URL which Recovery, Verification, and Login Links Point to\n\nIt is recommended to leave this value empty. It will be appropriately configured to the best matching domain\n(e.g. when using custom domains) automatically.\n\nThis governs the \"selfservice.methods.link.config.base_url\" setting.", + "session_token": { + "description": "The Session Token\n\nA session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization\nHeader:\n\nAuthorization: bearer ${session-token}\n\nThe session token is only issued for API flows, not for Browser flows!", "type": "string" + } + }, + "required": [ + "session" + ], + "type": "object" + }, + "successfulNativeLogin": { + "description": "The Response for Login Flows via API", + "properties": { + "session": { + "$ref": "#/components/schemas/session" }, - "kratos_selfservice_methods_link_config_lifespan": { - "description": "Configures the Ory Kratos Link Method's lifespan\n\nThis governs the \"selfservice.methods.link.config.lifespan\" setting.", + "session_token": { + "description": "The Session Token\n\nA session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization\nHeader:\n\nAuthorization: bearer ${session-token}\n\nThe session token is only issued for API flows, not for Browser flows!", "type": "string" + } + }, + "required": [ + "session" + ], + "type": "object" + }, + "successfulNativeRegistration": { + "description": "The Response for Registration Flows via API", + "properties": { + "continue_with": { + "description": "Contains a list of actions, that could follow this flow\n\nIt can, for example, this will contain a reference to the verification flow, created as part of the user's\nregistration or the token of the session.", + "items": { + "$ref": "#/components/schemas/continueWith" + }, + "type": "array" }, - "kratos_selfservice_methods_link_enabled": { - "description": "Configures whether Ory Kratos Link Method is enabled\n\nThis governs the \"selfservice.methods.link.enabled\" setting.", - "type": "boolean" + "identity": { + "$ref": "#/components/schemas/identity" }, - "kratos_selfservice_methods_lookup_secret_enabled": { - "description": "Configures whether Ory Kratos TOTP Lookup Secret is enabled\n\nThis governs the \"selfservice.methods.lookup_secret.enabled\" setting.", - "type": "boolean" + "session": { + "$ref": "#/components/schemas/session" }, - "kratos_selfservice_methods_oidc_config_base_redirect_uri": { - "description": "Configures the Ory Kratos Third Party / OpenID Connect base redirect URI\n\nThis governs the \"selfservice.methods.oidc.config.base_redirect_uri\" setting.", + "session_token": { + "description": "The Session Token\n\nThis field is only set when the session hook is configured as a post-registration hook.\n\nA session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization\nHeader:\n\nAuthorization: bearer ${session-token}\n\nThe session token is only issued for API flows, not for Browser flows!", "type": "string" - }, - "kratos_selfservice_methods_oidc_config_providers": { - "$ref": "#/components/schemas/projectRevisionThirdPartyLoginProviders" - }, - "kratos_selfservice_methods_oidc_enabled": { - "description": "Configures whether Ory Kratos Third Party / OpenID Connect Login is enabled\n\nThis governs the \"selfservice.methods.oidc.enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_password_config_haveibeenpwned_enabled": { - "description": "Configures whether Ory Kratos Password HIBP Checks is enabled\n\nThis governs the \"selfservice.methods.password.config.haveibeenpwned_enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_password_config_identifier_similarity_check_enabled": { - "description": "Configures whether Ory Kratos Password should disable the similarity policy.\n\nThis governs the \"selfservice.methods.password.config.identifier_similarity_check_enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_password_config_ignore_network_errors": { - "description": "Configures whether Ory Kratos Password Should ignore HIBPWND Network Errors\n\nThis governs the \"selfservice.methods.password.config.ignore_network_errors\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_password_config_max_breaches": { - "description": "Configures Ory Kratos Password Max Breaches Detection\n\nThis governs the \"selfservice.methods.password.config.max_breaches\" setting.", - "format": "int64", - "type": "integer" - }, - "kratos_selfservice_methods_password_config_min_password_length": { - "description": "Configures the minimum length of passwords.\n\nThis governs the \"selfservice.methods.password.config.min_password_length\" setting.", + } + }, + "required": [ + "identity" + ], + "type": "object" + }, + "tokenPagination": { + "properties": { + "page_size": { + "default": 250, + "description": "Items per page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", "format": "int64", + "maximum": 1000, + "minimum": 1, "type": "integer" }, - "kratos_selfservice_methods_password_enabled": { - "description": "Configures whether Ory Kratos Password Method is enabled\n\nThis governs the \"selfservice.methods.password.enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_profile_enabled": { - "description": "Configures whether Ory Kratos Profile Method is enabled\n\nThis governs the \"selfservice.methods.profile.enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_totp_config_issuer": { - "description": "Configures Ory Kratos TOTP Issuer\n\nThis governs the \"selfservice.methods.totp.config.issuer\" setting.", - "type": "string" - }, - "kratos_selfservice_methods_totp_enabled": { - "description": "Configures whether Ory Kratos TOTP Method is enabled\n\nThis governs the \"selfservice.methods.totp.enabled\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_webauthn_config_passwordless": { - "description": "Configures whether Ory Kratos Webauthn is used for passwordless flows\n\nThis governs the \"selfservice.methods.webauthn.config.passwordless\" setting.", - "type": "boolean" - }, - "kratos_selfservice_methods_webauthn_config_rp_display_name": { - "description": "Configures the Ory Kratos Webauthn RP Display Name\n\nThis governs the \"selfservice.methods.webauthn.config.rp.display_name\" setting.", + "page_token": { + "default": "1", + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "minimum": 1, "type": "string" - }, - "kratos_selfservice_methods_webauthn_config_rp_icon": { - "description": "Configures the Ory Kratos Webauthn RP Icon\n\nThis governs the \"selfservice.methods.webauthn.config.rp.icon\" setting.", + } + }, + "type": "object" + }, + "tokenPaginationHeaders": { + "properties": { + "link": { + "description": "The link header contains pagination links.\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).\n\nin: header", "type": "string" }, - "kratos_selfservice_methods_webauthn_config_rp_id": { - "description": "Configures the Ory Kratos Webauthn RP ID\n\nThis governs the \"selfservice.methods.webauthn.config.rp.id\" setting.", + "x-total-count": { + "description": "The total number of clients.\n\nin: header", "type": "string" - }, - "kratos_selfservice_methods_webauthn_config_rp_origin": { - "description": "Configures the Ory Kratos Webauthn RP Origin\n\nThis governs the \"selfservice.methods.webauthn.config.rp.origin\" setting.", + } + }, + "type": "object" + }, + "uiContainer": { + "description": "Container represents a HTML Form. The container can work with both HTTP Form and JSON requests", + "properties": { + "action": { + "description": "Action should be used as the form action URL `\u003cform action=\"{{ .Action }}\" method=\"post\"\u003e`.", "type": "string" }, - "kratos_selfservice_methods_webauthn_enabled": { - "description": "Configures whether Ory Kratos Webauthn is enabled\n\nThis governs the \"selfservice.methods.webauthn.enabled\" setting.", - "type": "boolean" - }, - "kratos_session_cookie_persistent": { - "description": "Configures the Ory Kratos Session Cookie Persistent Attribute\n\nThis governs the \"session.cookie.persistent\" setting.", - "type": "boolean" - }, - "kratos_session_cookie_same_site": { - "description": "Configures the Ory Kratos Session Cookie SameSite Attribute\n\nThis governs the \"session.cookie.same_site\" setting.", - "type": "string" + "messages": { + "$ref": "#/components/schemas/uiTexts" }, - "kratos_session_lifespan": { - "description": "Configures the Ory Kratos Session Lifespan\n\nThis governs the \"session.lifespan\" setting.", + "method": { + "description": "Method is the form method (e.g. POST)", "type": "string" }, - "kratos_session_whoami_required_aal": { - "description": "Configures the Ory Kratos Session Whoami AAL requirement\n\nThis governs the \"session.whoami.required_aal\" setting.", - "type": "string" + "nodes": { + "$ref": "#/components/schemas/uiNodes" + } + }, + "required": [ + "action", + "method", + "nodes" + ], + "type": "object" + }, + "uiNode": { + "description": "Nodes are represented as HTML elements or their native UI equivalents. For example,\na node can be an `\u003cimg\u003e` tag, or an `\u003cinput element\u003e` but also `some plain text`.", + "properties": { + "attributes": { + "$ref": "#/components/schemas/uiNodeAttributes" }, - "name": { - "description": "The project's name.", - "type": "string" + "group": { + "description": "Group specifies which group (e.g. password authenticator) this node belongs to.\ndefault DefaultGroup\npassword PasswordGroup\noidc OpenIDConnectGroup\nprofile ProfileGroup\nlink LinkGroup\ncode CodeGroup\ntotp TOTPGroup\nlookup_secret LookupGroup\nwebauthn WebAuthnGroup", + "enum": [ + "default", + "password", + "oidc", + "profile", + "link", + "code", + "totp", + "lookup_secret", + "webauthn" + ], + "type": "string", + "x-go-enum-desc": "default DefaultGroup\npassword PasswordGroup\noidc OpenIDConnectGroup\nprofile ProfileGroup\nlink LinkGroup\ncode CodeGroup\ntotp TOTPGroup\nlookup_secret LookupGroup\nwebauthn WebAuthnGroup" }, - "production": { - "description": "Whether this project is in production mode or not.\n\nIn development mode, a low-security profile is used making it easier to develop against your, for example, local environment.", - "type": "boolean" + "messages": { + "$ref": "#/components/schemas/uiTexts" }, - "project_id": { - "description": "The Revision's Project ID", - "format": "uuid", - "type": "string" + "meta": { + "$ref": "#/components/schemas/uiNodeMeta" }, - "updated_at": { - "description": "Last Time Project's Revision was Updated", - "format": "date-time", - "readOnly": true, - "type": "string" + "type": { + "description": "The node's type\ntext Text\ninput Input\nimg Image\na Anchor\nscript Script", + "enum": [ + "text", + "input", + "img", + "a", + "script" + ], + "type": "string", + "x-go-enum-desc": "text Text\ninput Input\nimg Image\na Anchor\nscript Script" } }, "required": [ - "name" + "type", + "group", + "attributes", + "messages", + "meta" ], + "title": "Node represents a flow's nodes", "type": "object" }, - "normalizedProjectRevisionHook": { + "uiNodeAnchorAttributes": { "properties": { - "config_key": { - "description": "The Hooks Config Key", - "type": "string" - }, - "created_at": { - "description": "The Project's Revision Creation Date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "hook": { - "description": "The Hook Type", + "href": { + "description": "The link's href (destination) URL.\n\nformat: uri", "type": "string" }, "id": { - "description": "ID of the entry", - "format": "uuid", + "description": "A unique identifier", "type": "string" }, - "project_revision_id": { - "description": "The Revision's ID this schema belongs to", - "format": "uuid", + "node_type": { + "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"a\".", "type": "string" }, - "updated_at": { - "description": "Last Time Project's Revision was Updated", - "format": "date-time", - "readOnly": true, - "type": "string" + "title": { + "$ref": "#/components/schemas/uiText" + } + }, + "required": [ + "href", + "title", + "id", + "node_type" + ], + "title": "AnchorAttributes represents the attributes of an anchor node.", + "type": "object" + }, + "uiNodeAttributes": { + "discriminator": { + "mapping": { + "a": "#/components/schemas/uiNodeAnchorAttributes", + "img": "#/components/schemas/uiNodeImageAttributes", + "input": "#/components/schemas/uiNodeInputAttributes", + "script": "#/components/schemas/uiNodeScriptAttributes", + "text": "#/components/schemas/uiNodeTextAttributes" }, - "web_hook_config_auth_api_key_in": { - "description": "Whether to send the API Key in the HTTP Header or as a HTTP Cookie", - "example": "header", - "type": "string" + "propertyName": "node_type" + }, + "oneOf": [ + { + "$ref": "#/components/schemas/uiNodeInputAttributes" }, - "web_hook_config_auth_api_key_name": { - "description": "The name of the api key", - "example": "X-API-Key", - "type": "string" + { + "$ref": "#/components/schemas/uiNodeTextAttributes" }, - "web_hook_config_auth_api_key_value": { - "description": "The value of the api key", - "example": "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ", - "type": "string" + { + "$ref": "#/components/schemas/uiNodeImageAttributes" }, - "web_hook_config_auth_basic_auth_password": { - "description": "The password to be sent in the HTTP Basic Auth Header", - "type": "string" + { + "$ref": "#/components/schemas/uiNodeAnchorAttributes" }, - "web_hook_config_auth_basic_auth_user": { - "description": "The username to be sent in the HTTP Basic Auth Header", - "type": "string" + { + "$ref": "#/components/schemas/uiNodeScriptAttributes" + } + ], + "title": "Attributes represents a list of attributes (e.g. `href=\"foo\"` for links)." + }, + "uiNodeImageAttributes": { + "properties": { + "height": { + "description": "Height of the image", + "format": "int64", + "type": "integer" }, - "web_hook_config_auth_type": { - "description": "HTTP Auth Method to use for the Web-Hook", + "id": { + "description": "A unique identifier", "type": "string" }, - "web_hook_config_body": { - "description": "URI pointing to the JsonNet template used for Web-Hook payload generation. Only used for those HTTP methods, which support HTTP body payloads.", - "example": "base64://ZnVuY3Rpb24oY3R4KSB7CiAgaWRlbnRpdHlfaWQ6IGlmIGN0eFsiaWRlbnRpdHkiXSAhPSBudWxsIHRoZW4gY3R4LmlkZW50aXR5LmlkLAp9=", + "node_type": { + "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"img\".", "type": "string" }, - "web_hook_config_can_interrupt": { - "description": "If enabled allows the web hook to interrupt / abort the self-service flow. It only applies to certain flows (registration/verification/login/settings) and requires a valid response format.", - "type": "boolean" - }, - "web_hook_config_method": { - "description": "The HTTP method to use (GET, POST, etc) for the Web-Hook", - "example": "POST", + "src": { + "description": "The image's source URL.\n\nformat: uri", "type": "string" }, - "web_hook_config_response_ignore": { - "description": "Whether to ignore the Web Hook response", - "type": "boolean" - }, - "web_hook_config_response_parse": { - "description": "Whether to parse the Web Hook response", - "type": "boolean" - }, - "web_hook_config_url": { - "description": "The URL the Web-Hook should call", - "example": "https://www.example.org/web-hook-listener", - "type": "string" + "width": { + "description": "Width of the image", + "format": "int64", + "type": "integer" } }, "required": [ - "config_key", - "hook" + "src", + "id", + "width", + "height", + "node_type" ], + "title": "ImageAttributes represents the attributes of an image node.", "type": "object" }, - "normalizedProjectRevisionIdentitySchema": { + "uiNodeInputAttributes": { + "description": "InputAttributes represents the attributes of an input node", "properties": { - "created_at": { - "description": "The Project's Revision Creation Date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "id": { - "description": "The unique ID of this entry.", - "format": "uuid", - "type": "string" + "autocomplete": { + "description": "The autocomplete attribute for the input.\nemail InputAttributeAutocompleteEmail\ntel InputAttributeAutocompleteTel\nurl InputAttributeAutocompleteUrl\ncurrent-password InputAttributeAutocompleteCurrentPassword\nnew-password InputAttributeAutocompleteNewPassword\none-time-code InputAttributeAutocompleteOneTimeCode", + "enum": [ + "email", + "tel", + "url", + "current-password", + "new-password", + "one-time-code" + ], + "type": "string", + "x-go-enum-desc": "email InputAttributeAutocompleteEmail\ntel InputAttributeAutocompleteTel\nurl InputAttributeAutocompleteUrl\ncurrent-password InputAttributeAutocompleteCurrentPassword\nnew-password InputAttributeAutocompleteNewPassword\none-time-code InputAttributeAutocompleteOneTimeCode" }, - "identity_schema": { - "$ref": "#/components/schemas/managedIdentitySchema" + "disabled": { + "description": "Sets the input's disabled field to true or false.", + "type": "boolean" }, - "identity_schema_id": { - "$ref": "#/components/schemas/NullUUID" + "label": { + "$ref": "#/components/schemas/uiText" }, - "import_id": { - "description": "The imported (named) ID of the Identity Schema referenced in the Ory Kratos config.", + "name": { + "description": "The input's element name.", "type": "string" }, - "import_url": { - "description": "The ImportURL can be used to import an Identity Schema from a bse64 encoded string.\nIn the future, this key also support HTTPS and other sources!\n\nIf you import an Ory Kratos configuration, this would be akin to the `identity.schemas.#.url` key.\n\nThe configuration will always return the import URL when you fetch it from the API.", - "example": "base64://ey...", + "node_type": { + "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"input\".", "type": "string" }, - "is_default": { - "description": "If true sets the default schema for identities\n\nOnly one schema can ever be the default schema. If you\ntry to add two schemas with default to true, the\nrequest will fail.", - "type": "boolean" - }, - "preset": { - "description": "Use a preset instead of a custom identity schema.", + "onclick": { + "description": "OnClick may contain javascript which should be executed on click. This is primarily\nused for WebAuthn.", "type": "string" }, - "project_revision_id": { - "description": "The Revision's ID this schema belongs to", - "format": "uuid", + "pattern": { + "description": "The input's pattern.", "type": "string" }, - "updated_at": { - "description": "Last Time Project's Revision was Updated", - "format": "date-time", - "readOnly": true, - "type": "string" + "required": { + "description": "Mark this input field as required.", + "type": "boolean" + }, + "type": { + "description": "The input's element type.\ntext InputAttributeTypeText\npassword InputAttributeTypePassword\nnumber InputAttributeTypeNumber\ncheckbox InputAttributeTypeCheckbox\nhidden InputAttributeTypeHidden\nemail InputAttributeTypeEmail\ntel InputAttributeTypeTel\nsubmit InputAttributeTypeSubmit\nbutton InputAttributeTypeButton\ndatetime-local InputAttributeTypeDateTimeLocal\ndate InputAttributeTypeDate\nurl InputAttributeTypeURI", + "enum": [ + "text", + "password", + "number", + "checkbox", + "hidden", + "email", + "tel", + "submit", + "button", + "datetime-local", + "date", + "url" + ], + "type": "string", + "x-go-enum-desc": "text InputAttributeTypeText\npassword InputAttributeTypePassword\nnumber InputAttributeTypeNumber\ncheckbox InputAttributeTypeCheckbox\nhidden InputAttributeTypeHidden\nemail InputAttributeTypeEmail\ntel InputAttributeTypeTel\nsubmit InputAttributeTypeSubmit\nbutton InputAttributeTypeButton\ndatetime-local InputAttributeTypeDateTimeLocal\ndate InputAttributeTypeDate\nurl InputAttributeTypeURI" + }, + "value": { + "description": "The input's value.", + "nullable": true } }, + "required": [ + "name", + "type", + "disabled", + "node_type" + ], "type": "object" }, - "normalizedProjectRevisionIdentitySchemas": { - "items": { - "$ref": "#/components/schemas/normalizedProjectRevisionIdentitySchema" + "uiNodeMeta": { + "description": "This might include a label and other information that can optionally\nbe used to render UIs.", + "properties": { + "label": { + "$ref": "#/components/schemas/uiText" + } }, - "type": "array" + "title": "A Node's Meta Information", + "type": "object" }, - "normalizedProjectRevisionThirdPartyProvider": { + "uiNodeScriptAttributes": { "properties": { - "apple_private_key": { - "$ref": "#/components/schemas/String" + "async": { + "description": "The script async type", + "type": "boolean" }, - "apple_private_key_id": { - "description": "Apple Private Key Identifier\n\nSign In with Apple Private Key Identifier needed for generating a JWT token for client secret", - "example": "UX56C66723", + "crossorigin": { + "description": "The script cross origin policy", "type": "string" }, - "apple_team_id": { - "description": "Apple Developer Team ID\n\nApple Developer Team ID needed for generating a JWT token for client secret", - "example": "KP76DQS54M", + "id": { + "description": "A unique identifier", "type": "string" }, - "auth_url": { - "description": "AuthURL is the authorize url, typically something like: https://example.org/oauth2/auth\nShould only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when\n`provider` is set to `generic`.", - "example": "https://www.googleapis.com/oauth2/v2/auth", + "integrity": { + "description": "The script's integrity hash", "type": "string" }, - "azure_tenant": { - "description": "Tenant is the Azure AD Tenant to use for authentication, and must be set when `provider` is set to `microsoft`.\n\nCan be either `common`, `organizations`, `consumers` for a multitenant application or a specific tenant like\n`8eaef023-2b34-4da1-9baa-8bc8c9d6a490` or `contoso.onmicrosoft.com`.", - "example": "contoso.onmicrosoft.com", + "node_type": { + "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"script\".", "type": "string" }, - "client_id": { - "description": "ClientID is the application's Client ID.", + "nonce": { + "description": "Nonce for CSP\n\nA nonce you may want to use to improve your Content Security Policy.\nYou do not have to use this value but if you want to improve your CSP\npolicies you may use it. You can also choose to use your own nonce value!", "type": "string" }, - "client_secret": { - "$ref": "#/components/schemas/String" - }, - "created_at": { - "description": "The Project's Revision Creation Date", - "format": "date-time", - "readOnly": true, + "referrerpolicy": { + "description": "The script referrer policy", "type": "string" }, - "id": { - "format": "uuid", + "src": { + "description": "The script source", "type": "string" }, - "issuer_url": { - "description": "IssuerURL is the OpenID Connect Server URL. You can leave this empty if `provider` is not set to `generic`.\nIf set, neither `auth_url` nor `token_url` are required.", - "example": "https://accounts.google.com", + "type": { + "description": "The script MIME type", "type": "string" - }, - "label": { - "description": "Label represents an optional label which can be used in the UI generation.", + } + }, + "required": [ + "src", + "async", + "referrerpolicy", + "crossorigin", + "integrity", + "type", + "id", + "nonce", + "node_type" + ], + "title": "ScriptAttributes represent script nodes which load javascript.", + "type": "object" + }, + "uiNodeTextAttributes": { + "properties": { + "id": { + "description": "A unique identifier", "type": "string" }, - "mapper_url": { - "description": "Mapper specifies the JSONNet code snippet which uses the OpenID Connect Provider's data (e.g. GitHub or Google\nprofile information) to hydrate the identity's data.\n\nIt can be either a URL (file://, http(s)://, base64://) or an inline JSONNet code snippet.", + "node_type": { + "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"text\".", "type": "string" }, - "project_revision_id": { - "description": "The Revision's ID this schema belongs to", - "format": "uuid", - "type": "string" + "text": { + "$ref": "#/components/schemas/uiText" + } + }, + "required": [ + "text", + "id", + "node_type" + ], + "title": "TextAttributes represents the attributes of a text node.", + "type": "object" + }, + "uiNodes": { + "items": { + "$ref": "#/components/schemas/uiNode" + }, + "type": "array" + }, + "uiText": { + "properties": { + "context": { + "description": "The message's context. Useful when customizing messages.", + "type": "object" }, - "provider": { - "description": "Provider is either \"generic\" for a generic OAuth 2.0 / OpenID Connect Provider or one of:\ngeneric\ngoogle\ngithub\ngitlab\nmicrosoft\ndiscord\nslack\nfacebook\nvk\nyandex\napple", - "example": "google", - "type": "string" + "id": { + "$ref": "#/components/schemas/ID" }, - "provider_id": { - "description": "ID is the provider's ID", + "text": { + "description": "The message text. Written in american english.", "type": "string" }, - "requested_claims": { - "$ref": "#/components/schemas/JSONRawMessage" - }, - "scope": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "state": { - "description": "State indicates the state of the provider\n\nOnly providers with state `enabled` will be used for authentication\nenabled ThirdPartyProviderStateEnabled\ndisabled ThirdPartyProviderStateDisabled", + "type": { + "description": "The message type.\ninfo Info\nerror Error\nsuccess Success", "enum": [ - "enabled", - "disabled" + "info", + "error", + "success" ], "type": "string", - "x-go-enum-desc": "enabled ThirdPartyProviderStateEnabled\ndisabled ThirdPartyProviderStateDisabled" - }, - "subject_source": { - "$ref": "#/components/schemas/String" - }, - "token_url": { - "description": "TokenURL is the token url, typically something like: https://example.org/oauth2/token\n\nShould only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when\n`provider` is set to `generic`.", - "example": "https://www.googleapis.com/oauth2/v4/token", - "type": "string" - }, - "updated_at": { - "description": "Last Time Project's Revision was Updated", - "format": "date-time", - "readOnly": true, - "type": "string" + "x-go-enum-desc": "info Info\nerror Error\nsuccess Success" } }, + "required": [ + "id", + "text", + "type" + ], "type": "object" }, - "normalizedProjects": { + "uiTexts": { "items": { - "$ref": "#/components/schemas/normalizedProject" + "$ref": "#/components/schemas/uiText" }, "type": "array" }, - "nullBool": { - "nullable": true, - "type": "boolean" - }, - "nullDuration": { - "nullable": true, - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - }, - "nullInt64": { - "nullable": true, - "type": "integer" - }, - "nullJsonRawMessage": { - "description": "NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-", - "nullable": true, - "type": "object" - }, - "nullString": { - "type": "string" - }, - "nullTime": { - "format": "date-time", - "title": "NullTime implements sql.NullTime functionality.", + "unexpectedError": { "type": "string" }, - "oAuth2Client": { - "description": "OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "updateIdentityBody": { + "description": "Update Identity Body", "properties": { - "access_token_strategy": { - "description": "OAuth 2.0 Access Token Strategy\n\nAccessTokenStrategy is the strategy used to generate access tokens.\nValid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens\nSetting the stragegy here overrides the global setting in `strategies.access_token`.", - "type": "string" - }, - "allowed_cors_origins": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "audience": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "authorization_code_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "authorization_code_grant_id_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "authorization_code_grant_refresh_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "backchannel_logout_session_required": { - "description": "OpenID Connect Back-Channel Logout Session Required\n\nBoolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout\nToken to identify the RP session with the OP when the backchannel_logout_uri is used.\nIf omitted, the default value is false.", - "type": "boolean" - }, - "backchannel_logout_uri": { - "description": "OpenID Connect Back-Channel Logout URI\n\nRP URL that will cause the RP to log itself out when sent a Logout Token by the OP.", - "type": "string" + "credentials": { + "$ref": "#/components/schemas/identityWithCredentials" }, - "client_credentials_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" + "metadata_admin": { + "description": "Store metadata about the user which is only accessible through admin APIs such as `GET /admin/identities/\u003cid\u003e`." }, - "client_id": { - "description": "OAuth 2.0 Client ID\n\nThe ID is autogenerated and immutable.", - "type": "string" + "metadata_public": { + "description": "Store metadata about the identity which the identity itself can see when calling for example the\nsession endpoint. Do not store sensitive information (e.g. credit score) about the identity in this field." }, - "client_name": { - "description": "OAuth 2.0 Client Name\n\nThe human-readable name of the client to be presented to the\nend-user during authorization.", + "schema_id": { + "description": "SchemaID is the ID of the JSON Schema to be used for validating the identity's traits. If set\nwill update the Identity's SchemaID.", "type": "string" }, - "client_secret": { - "description": "OAuth 2.0 Client Secret\n\nThe secret will be included in the create request as cleartext, and then\nnever again. The secret is kept in hashed format and is not recoverable once lost.", - "type": "string" + "state": { + "$ref": "#/components/schemas/identityState" }, - "client_secret_expires_at": { - "description": "OAuth 2.0 Client Secret Expires At\n\nThe field is currently not supported and its value is always 0.", - "format": "int64", - "type": "integer" - }, - "client_uri": { - "description": "OAuth 2.0 Client URI\n\nClientURI is a URL string of a web page providing information about the client.\nIf present, the server SHOULD display this URL to the end-user in\na clickable fashion.", - "type": "string" - }, - "contacts": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "created_at": { - "description": "OAuth 2.0 Client Creation Date\n\nCreatedAt returns the timestamp of the client's creation.", - "format": "date-time", - "type": "string" - }, - "frontchannel_logout_session_required": { - "description": "OpenID Connect Front-Channel Logout Session Required\n\nBoolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be\nincluded to identify the RP session with the OP when the frontchannel_logout_uri is used.\nIf omitted, the default value is false.", - "type": "boolean" + "traits": { + "description": "Traits represent an identity's traits. The identity is able to create, modify, and delete traits\nin a self-service manner. The input will always be validated against the JSON Schema defined\nin `schema_id`.", + "type": "object" + } + }, + "required": [ + "schema_id", + "traits", + "state" + ], + "type": "object" + }, + "updateLoginFlowBody": { + "discriminator": { + "mapping": { + "code": "#/components/schemas/updateLoginFlowWithCodeMethod", + "lookup_secret": "#/components/schemas/updateLoginFlowWithLookupSecretMethod", + "oidc": "#/components/schemas/updateLoginFlowWithOidcMethod", + "password": "#/components/schemas/updateLoginFlowWithPasswordMethod", + "totp": "#/components/schemas/updateLoginFlowWithTotpMethod", + "webauthn": "#/components/schemas/updateLoginFlowWithWebAuthnMethod" }, - "frontchannel_logout_uri": { - "description": "OpenID Connect Front-Channel Logout URI\n\nRP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query\nparameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the\nrequest and to determine which of the potentially multiple sessions is to be logged out; if either is\nincluded, both MUST be.", - "type": "string" + "propertyName": "method" + }, + "oneOf": [ + { + "$ref": "#/components/schemas/updateLoginFlowWithPasswordMethod" }, - "grant_types": { - "$ref": "#/components/schemas/StringSliceJSONFormat" + { + "$ref": "#/components/schemas/updateLoginFlowWithOidcMethod" }, - "implicit_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" + { + "$ref": "#/components/schemas/updateLoginFlowWithTotpMethod" }, - "implicit_grant_id_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" + { + "$ref": "#/components/schemas/updateLoginFlowWithWebAuthnMethod" }, - "jwks": { - "description": "OAuth 2.0 Client JSON Web Key Set\n\nClient's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as\nthe jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter\nis intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for\ninstance, by native applications that might not have a location to host the contents of the JWK Set. If a Client\ncan use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation\n(which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks\nparameters MUST NOT be used together." + { + "$ref": "#/components/schemas/updateLoginFlowWithLookupSecretMethod" }, - "jwks_uri": { - "description": "OAuth 2.0 Client JSON Web Key Set URL\n\nURL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains\nthe signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the\nClient's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing\nand encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced\nJWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used\nto provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST\nmatch those in the certificate.", + { + "$ref": "#/components/schemas/updateLoginFlowWithCodeMethod" + } + ] + }, + "updateLoginFlowWithCodeMethod": { + "description": "Update Login flow using the code method", + "properties": { + "code": { + "description": "Code is the 6 digits code sent to the user", "type": "string" }, - "jwt_bearer_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "logo_uri": { - "description": "OAuth 2.0 Client Logo URI\n\nA URL string referencing the client's logo.", + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token", "type": "string" }, - "metadata": { - "$ref": "#/components/schemas/JSONRawMessage" - }, - "owner": { - "description": "OAuth 2.0 Client Owner\n\nOwner is a string identifying the owner of the OAuth 2.0 Client.", + "identifier": { + "description": "Identifier is the code identifier\nThe identifier requires that the user has already completed the registration or settings with code flow.", "type": "string" }, - "policy_uri": { - "description": "OAuth 2.0 Client Policy URI\n\nPolicyURI is a URL string that points to a human-readable privacy policy document\nthat describes how the deployment organization collects, uses,\nretains, and discloses personal data.", + "method": { + "description": "Method should be set to \"code\" when logging in using the code strategy.", "type": "string" }, - "post_logout_redirect_uris": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "redirect_uris": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "refresh_token_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "refresh_token_grant_id_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "refresh_token_grant_refresh_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "registration_access_token": { - "description": "OpenID Connect Dynamic Client Registration Access Token\n\nRegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client\nusing Dynamic Client Registration.", + "resend": { + "description": "Resend is set when the user wants to resend the code", "type": "string" - }, - "registration_client_uri": { - "description": "OpenID Connect Dynamic Client Registration URL\n\nRegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.", + } + }, + "required": [ + "method", + "csrf_token" + ], + "type": "object" + }, + "updateLoginFlowWithLookupSecretMethod": { + "description": "Update Login Flow with Lookup Secret Method", + "properties": { + "csrf_token": { + "description": "Sending the anti-csrf token is only required for browser login flows.", "type": "string" }, - "request_object_signing_alg": { - "description": "OpenID Connect Request Object Signing Algorithm\n\nJWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects\nfrom this Client MUST be rejected, if not signed with this algorithm.", + "lookup_secret": { + "description": "The lookup secret.", "type": "string" }, - "request_uris": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "response_types": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "scope": { - "description": "OAuth 2.0 Client Scope\n\nScope is a string containing a space-separated list of scope values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the client\ncan use when requesting access tokens.", - "example": "scope1 scope-2 scope.3 scope:4", + "method": { + "description": "Method should be set to \"lookup_secret\" when logging in using the lookup_secret strategy.", "type": "string" - }, - "sector_identifier_uri": { - "description": "OpenID Connect Sector Identifier URI\n\nURL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a\nfile with a single JSON array of redirect_uri values.", + } + }, + "required": [ + "method", + "lookup_secret" + ], + "type": "object" + }, + "updateLoginFlowWithOidcMethod": { + "description": "Update Login Flow with OpenID Connect Method", + "properties": { + "csrf_token": { + "description": "The CSRF Token", "type": "string" }, - "skip_consent": { - "description": "SkipConsent skips the consent screen for this client. This field can only\nbe set from the admin API.", - "type": "boolean" - }, - "subject_type": { - "description": "OpenID Connect Subject Type\n\nThe `subject_types_supported` Discovery parameter contains a\nlist of the supported subject_type values for this server. Valid types include `pairwise` and `public`.", + "id_token": { + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple", "type": "string" }, - "token_endpoint_auth_method": { - "default": "client_secret_basic", - "description": "OAuth 2.0 Token Endpoint Authentication Method\n\nRequested Client Authentication method for the Token Endpoint. The options are:\n\n`client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header.\n`client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body.\n`private_key_jwt`: Use JSON Web Tokens to authenticate the client.\n`none`: Used for public clients (native apps, mobile apps) which can not have secrets.", + "id_token_nonce": { + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.", "type": "string" }, - "token_endpoint_auth_signing_alg": { - "description": "OAuth 2.0 Token Endpoint Signing Algorithm\n\nRequested Client Authentication signing algorithm for the Token Endpoint.", + "method": { + "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "tos_uri": { - "description": "OAuth 2.0 Client Terms of Service URI\n\nA URL string pointing to a human-readable terms of service\ndocument for the client that describes a contractual relationship\nbetween the end-user and the client that the end-user accepts when\nauthorizing the client.", + "provider": { + "description": "The provider to register with", "type": "string" }, - "updated_at": { - "description": "OAuth 2.0 Client Last Update Date\n\nUpdatedAt returns the timestamp of the last update.", - "format": "date-time", - "type": "string" + "traits": { + "description": "The identity traits. This is a placeholder for the registration flow.", + "type": "object" }, - "userinfo_signed_response_alg": { - "description": "OpenID Connect Request Userinfo Signed Response Algorithm\n\nJWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT\n[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims\nas a UTF-8 encoded JSON object using the application/json content-type.", - "type": "string" + "upstream_parameters": { + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "type": "object" } }, - "title": "OAuth 2.0 Client", + "required": [ + "provider", + "method" + ], "type": "object" }, - "oAuth2ClientTokenLifespans": { - "description": "Lifespans of different token types issued for this OAuth 2.0 Client.", + "updateLoginFlowWithPasswordMethod": { + "description": "Update Login Flow with Password Method", "properties": { - "authorization_code_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "authorization_code_grant_id_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "authorization_code_grant_refresh_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "client_credentials_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "implicit_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" - }, - "implicit_grant_id_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" + "csrf_token": { + "description": "Sending the anti-csrf token is only required for browser login flows.", + "type": "string" }, - "jwt_bearer_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" + "identifier": { + "description": "Identifier is the email or username of the user trying to log in.", + "type": "string" }, - "refresh_token_grant_access_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" + "method": { + "description": "Method should be set to \"password\" when logging in using the identifier and password strategy.", + "type": "string" }, - "refresh_token_grant_id_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" + "password": { + "description": "The user's password.", + "type": "string" }, - "refresh_token_grant_refresh_token_lifespan": { - "$ref": "#/components/schemas/NullDuration" + "password_identifier": { + "description": "Identifier is the email or username of the user trying to log in.\nThis field is deprecated!", + "type": "string" } }, - "title": "OAuth 2.0 Client Token Lifespans", + "required": [ + "method", + "password", + "identifier" + ], "type": "object" }, - "oAuth2ConsentRequest": { + "updateLoginFlowWithTotpMethod": { + "description": "Update Login Flow with TOTP Method", "properties": { - "acr": { - "description": "ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", - "type": "string" - }, - "amr": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "challenge": { - "description": "ID is the identifier (\"authorization challenge\") of the consent authorization request. It is used to\nidentify the session.", - "type": "string" - }, - "client": { - "$ref": "#/components/schemas/oAuth2Client" - }, - "context": { - "$ref": "#/components/schemas/JSONRawMessage" - }, - "login_challenge": { - "description": "LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate\na login and consent request in the login \u0026 consent app.", - "type": "string" - }, - "login_session_id": { - "description": "LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", + "csrf_token": { + "description": "Sending the anti-csrf token is only required for browser login flows.", "type": "string" }, - "oidc_context": { - "$ref": "#/components/schemas/oAuth2ConsentRequestOpenIDConnectContext" - }, - "request_url": { - "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", + "method": { + "description": "Method should be set to \"totp\" when logging in using the TOTP strategy.", "type": "string" }, - "requested_access_token_audience": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "requested_scope": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "skip": { - "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you must not ask the user to grant the requested scopes. You must however either allow or deny the\nconsent request using the usual API call.", - "type": "boolean" - }, - "subject": { - "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client.", + "totp_code": { + "description": "The TOTP code.", "type": "string" } }, "required": [ - "challenge" + "method", + "totp_code" ], - "title": "Contains information on an ongoing consent request.", "type": "object" }, - "oAuth2ConsentRequestOpenIDConnectContext": { + "updateLoginFlowWithWebAuthnMethod": { + "description": "Update Login Flow with WebAuthn Method", "properties": { - "acr_values": { - "description": "ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.\nIt is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.\n\nOpenID Connect defines it as follows:\n\u003e Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values\nthat the Authorization Server is being requested to use for processing this Authentication Request, with the\nvalues appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication\nperformed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a\nVoluntary Claim by this parameter.", - "items": { - "type": "string" - }, - "type": "array" - }, - "display": { - "description": "Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.\nThe defined values are:\npage: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.\npopup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.\ntouch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.\nwap: The Authorization Server SHOULD display the authentication and consent UI consistent with a \"feature phone\" type display.\n\nThe Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.", + "csrf_token": { + "description": "Sending the anti-csrf token is only required for browser login flows.", "type": "string" }, - "id_token_hint_claims": { - "additionalProperties": {}, - "description": "IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the\nEnd-User's current or past authenticated session with the Client.", - "type": "object" + "identifier": { + "description": "Identifier is the email or username of the user trying to log in.", + "type": "string" }, - "login_hint": { - "description": "LoginHint hints about the login identifier the End-User might use to log in (if necessary).\nThis hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier)\nand then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a\nphone number in the format specified for the phone_number Claim. The use of this parameter is optional.", + "method": { + "description": "Method should be set to \"webAuthn\" when logging in using the WebAuthn strategy.", "type": "string" }, - "ui_locales": { - "description": "UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a\nspace-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value\n\"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation),\nfollowed by English (without a region designation). An error SHOULD NOT result if some or all of the requested\nlocales are not supported by the OpenID Provider.", - "items": { - "type": "string" - }, - "type": "array" + "webauthn_login": { + "description": "Login a WebAuthn Security Key\n\nThis must contain the ID of the WebAuthN connection.", + "type": "string" } }, - "title": "Contains optional information about the OpenID Connect request.", + "required": [ + "identifier", + "method" + ], "type": "object" }, - "oAuth2ConsentSession": { - "description": "A completed OAuth 2.0 Consent Session.", - "properties": { - "consent_request": { - "$ref": "#/components/schemas/oAuth2ConsentRequest" - }, - "expires_at": { - "properties": { - "access_token": { - "format": "date-time", - "type": "string" - }, - "authorize_code": { - "format": "date-time", - "type": "string" - }, - "id_token": { - "format": "date-time", - "type": "string" - }, - "par_context": { - "format": "date-time", - "type": "string" - }, - "refresh_token": { - "format": "date-time", - "type": "string" - } - }, - "type": "object" - }, - "grant_access_token_audience": { - "$ref": "#/components/schemas/StringSliceJSONFormat" + "updateRecoveryFlowBody": { + "description": "Update Recovery Flow Request Body", + "discriminator": { + "mapping": { + "code": "#/components/schemas/updateRecoveryFlowWithCodeMethod", + "link": "#/components/schemas/updateRecoveryFlowWithLinkMethod" }, - "grant_scope": { - "$ref": "#/components/schemas/StringSliceJSONFormat" + "propertyName": "method" + }, + "oneOf": [ + { + "$ref": "#/components/schemas/updateRecoveryFlowWithLinkMethod" }, - "handled_at": { - "$ref": "#/components/schemas/nullTime" + { + "$ref": "#/components/schemas/updateRecoveryFlowWithCodeMethod" + } + ] + }, + "updateRecoveryFlowWithCodeMethod": { + "description": "Update Recovery Flow with Code Method", + "properties": { + "code": { + "description": "Code from the recovery email\n\nIf you want to submit a code, use this field, but make sure to _not_ include the email field, as well.", + "type": "string" }, - "remember": { - "description": "Remember Consent\n\nRemember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.", - "type": "boolean" + "csrf_token": { + "description": "Sending the anti-csrf token is only required for browser login flows.", + "type": "string" }, - "remember_for": { - "description": "Remember Consent For\n\nRememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered indefinitely.", - "format": "int64", - "type": "integer" + "email": { + "description": "The email address of the account to recover\n\nIf the email belongs to a valid account, a recovery email will be sent.\n\nIf you want to notify the email address if the account does not exist, see\nthe [notify_unknown_recipients flag](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#attempted-recovery-notifications)\n\nIf a code was already sent, including this field in the payload will invalidate the sent code and re-send a new code.\n\nformat: email", + "type": "string" }, - "session": { - "$ref": "#/components/schemas/acceptOAuth2ConsentRequestSession" + "method": { + "description": "Method is the method that should be used for this recovery flow\n\nAllowed values are `link` and `code`.\nlink RecoveryStrategyLink\ncode RecoveryStrategyCode", + "enum": [ + "link", + "code" + ], + "type": "string", + "x-go-enum-desc": "link RecoveryStrategyLink\ncode RecoveryStrategyCode" } }, - "title": "OAuth 2.0 Consent Session", + "required": [ + "method" + ], "type": "object" }, - "oAuth2ConsentSessions": { - "description": "List of OAuth 2.0 Consent Sessions", - "items": { - "$ref": "#/components/schemas/oAuth2ConsentSession" - }, - "type": "array" - }, - "oAuth2LoginRequest": { + "updateRecoveryFlowWithLinkMethod": { + "description": "Update Recovery Flow with Link Method", "properties": { - "challenge": { - "description": "ID is the identifier (\"login challenge\") of the login request. It is used to\nidentify the session.", + "csrf_token": { + "description": "Sending the anti-csrf token is only required for browser login flows.", "type": "string" }, - "client": { - "$ref": "#/components/schemas/oAuth2Client" + "email": { + "description": "Email to Recover\n\nNeeds to be set when initiating the flow. If the email is a registered\nrecovery email, a recovery link will be sent. If the email is not known,\na email with details on what happened will be sent instead.\n\nformat: email", + "type": "string" }, - "oidc_context": { - "$ref": "#/components/schemas/oAuth2ConsentRequestOpenIDConnectContext" + "method": { + "description": "Method is the method that should be used for this recovery flow\n\nAllowed values are `link` and `code`\nlink RecoveryStrategyLink\ncode RecoveryStrategyCode", + "enum": [ + "link", + "code" + ], + "type": "string", + "x-go-enum-desc": "link RecoveryStrategyLink\ncode RecoveryStrategyCode" + } + }, + "required": [ + "email", + "method" + ], + "type": "object" + }, + "updateRegistrationFlowBody": { + "description": "Update Registration Request Body", + "discriminator": { + "mapping": { + "code": "#/components/schemas/updateRegistrationFlowWithCodeMethod", + "oidc": "#/components/schemas/updateRegistrationFlowWithOidcMethod", + "password": "#/components/schemas/updateRegistrationFlowWithPasswordMethod", + "webauthn": "#/components/schemas/updateRegistrationFlowWithWebAuthnMethod" }, - "request_url": { - "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", - "type": "string" + "propertyName": "method" + }, + "oneOf": [ + { + "$ref": "#/components/schemas/updateRegistrationFlowWithPasswordMethod" }, - "requested_access_token_audience": { - "$ref": "#/components/schemas/StringSliceJSONFormat" + { + "$ref": "#/components/schemas/updateRegistrationFlowWithOidcMethod" }, - "requested_scope": { - "$ref": "#/components/schemas/StringSliceJSONFormat" + { + "$ref": "#/components/schemas/updateRegistrationFlowWithWebAuthnMethod" }, - "session_id": { - "description": "SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", + { + "$ref": "#/components/schemas/updateRegistrationFlowWithCodeMethod" + } + ] + }, + "updateRegistrationFlowWithCodeMethod": { + "description": "Update Registration Flow with Code Method", + "properties": { + "code": { + "description": "The OTP Code sent to the user", "type": "string" }, - "skip": { - "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.\n\nThis feature allows you to update / set session information.", - "type": "boolean" + "csrf_token": { + "description": "The CSRF Token", + "type": "string" }, - "subject": { - "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type\nwhen accepting the login request, or the request will fail.", + "method": { + "description": "Method to use\n\nThis field must be set to `code` when using the code method.", + "type": "string" + }, + "resend": { + "description": "Resend restarts the flow with a new code", "type": "string" + }, + "traits": { + "description": "The identity's traits", + "type": "object" + }, + "transient_payload": { + "description": "Transient data to pass along to any webhooks", + "type": "object" } }, "required": [ - "challenge", - "requested_scope", - "requested_access_token_audience", - "skip", - "subject", - "client", - "request_url" + "traits", + "method" ], - "title": "Contains information on an ongoing login request.", "type": "object" }, - "oAuth2LogoutRequest": { + "updateRegistrationFlowWithOidcMethod": { + "description": "Update Registration Flow with OpenID Connect Method", "properties": { - "challenge": { - "description": "Challenge is the identifier (\"logout challenge\") of the logout authentication request. It is used to\nidentify the session.", + "csrf_token": { + "description": "The CSRF Token", "type": "string" }, - "client": { - "$ref": "#/components/schemas/oAuth2Client" - }, - "request_url": { - "description": "RequestURL is the original Logout URL requested.", + "id_token": { + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple", "type": "string" }, - "rp_initiated": { - "description": "RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.", - "type": "boolean" + "id_token_nonce": { + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", + "type": "string" }, - "sid": { - "description": "SessionID is the login session ID that was requested to log out.", + "method": { + "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "subject": { - "description": "Subject is the user for whom the logout was request.", + "provider": { + "description": "The provider to register with", "type": "string" + }, + "traits": { + "description": "The identity traits", + "type": "object" + }, + "transient_payload": { + "description": "Transient data to pass along to any webhooks", + "type": "object" + }, + "upstream_parameters": { + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "type": "object" } }, - "title": "Contains information about an ongoing logout request.", + "required": [ + "provider", + "method" + ], "type": "object" }, - "oAuth2RedirectTo": { - "description": "Contains a redirect URL used to complete a login, consent, or logout request.", + "updateRegistrationFlowWithPasswordMethod": { + "description": "Update Registration Flow with Password Method", "properties": { - "redirect_to": { - "description": "RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed.", + "csrf_token": { + "description": "The CSRF Token", + "type": "string" + }, + "method": { + "description": "Method to use\n\nThis field must be set to `password` when using the password method.", + "type": "string" + }, + "password": { + "description": "Password to sign the user up with", "type": "string" + }, + "traits": { + "description": "The identity's traits", + "type": "object" + }, + "transient_payload": { + "description": "Transient data to pass along to any webhooks", + "type": "object" } }, "required": [ - "redirect_to" + "password", + "traits", + "method" ], - "title": "OAuth 2.0 Redirect Browser To", "type": "object" }, - "oAuth2TokenExchange": { - "description": "OAuth2 Token Exchange Result", + "updateRegistrationFlowWithWebAuthnMethod": { + "description": "Update Registration Flow with WebAuthn Method", "properties": { - "access_token": { - "description": "The access token issued by the authorization server.", + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token", "type": "string" }, - "expires_in": { - "description": "The lifetime in seconds of the access token. For\nexample, the value \"3600\" denotes that the access token will\nexpire in one hour from the time the response was generated.", - "format": "int64", - "type": "integer" + "method": { + "description": "Method\n\nShould be set to \"webauthn\" when trying to add, update, or remove a webAuthn pairing.", + "type": "string" }, - "id_token": { - "description": "To retrieve a refresh token request the id_token scope.", - "format": "int64", - "type": "integer" + "traits": { + "description": "The identity's traits", + "type": "object" }, - "refresh_token": { - "description": "The refresh token, which can be used to obtain new\naccess tokens. To retrieve it add the scope \"offline\" to your access token request.", - "type": "string" + "transient_payload": { + "description": "Transient data to pass along to any webhooks", + "type": "object" }, - "scope": { - "description": "The scope of the access token", + "webauthn_register": { + "description": "Register a WebAuthn Security Key\n\nIt is expected that the JSON returned by the WebAuthn registration process\nis included here.", "type": "string" }, - "token_type": { - "description": "The type of the token issued", + "webauthn_register_displayname": { + "description": "Name of the WebAuthn Security Key to be Added\n\nA human-readable name for the security key which will be added.", "type": "string" } }, + "required": [ + "traits", + "method" + ], "type": "object" }, - "oidcConfiguration": { - "description": "Includes links to several endpoints (for example `/oauth2/token`) and exposes information on supported signature algorithms\namong others.", - "properties": { - "authorization_endpoint": { - "description": "OAuth 2.0 Authorization Endpoint URL", - "example": "https://playground.ory.sh/ory-hydra/public/oauth2/auth", - "type": "string" + "updateSettingsFlowBody": { + "description": "Update Settings Flow Request Body", + "discriminator": { + "mapping": { + "lookup_secret": "#/components/schemas/updateSettingsFlowWithLookupMethod", + "oidc": "#/components/schemas/updateSettingsFlowWithOidcMethod", + "password": "#/components/schemas/updateSettingsFlowWithPasswordMethod", + "profile": "#/components/schemas/updateSettingsFlowWithProfileMethod", + "totp": "#/components/schemas/updateSettingsFlowWithTotpMethod", + "webauthn": "#/components/schemas/updateSettingsFlowWithWebAuthnMethod" }, - "backchannel_logout_session_supported": { - "description": "OpenID Connect Back-Channel Logout Session Required\n\nBoolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP\nsession with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP", - "type": "boolean" + "propertyName": "method" + }, + "oneOf": [ + { + "$ref": "#/components/schemas/updateSettingsFlowWithPasswordMethod" }, - "backchannel_logout_supported": { - "description": "OpenID Connect Back-Channel Logout Supported\n\nBoolean value specifying whether the OP supports back-channel logout, with true indicating support.", - "type": "boolean" + { + "$ref": "#/components/schemas/updateSettingsFlowWithProfileMethod" }, - "claims_parameter_supported": { - "description": "OpenID Connect Claims Parameter Parameter Supported\n\nBoolean value specifying whether the OP supports use of the claims parameter, with true indicating support.", - "type": "boolean" + { + "$ref": "#/components/schemas/updateSettingsFlowWithOidcMethod" }, - "claims_supported": { - "description": "OpenID Connect Supported Claims\n\nJSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply\nvalues for. Note that for privacy or other reasons, this might not be an exhaustive list.", - "items": { - "type": "string" - }, - "type": "array" + { + "$ref": "#/components/schemas/updateSettingsFlowWithOidcMethod" }, - "code_challenge_methods_supported": { - "description": "OAuth 2.0 PKCE Supported Code Challenge Methods\n\nJSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported\nby this authorization server.", - "items": { - "type": "string" - }, - "type": "array" + { + "$ref": "#/components/schemas/updateSettingsFlowWithTotpMethod" }, - "end_session_endpoint": { - "description": "OpenID Connect End-Session Endpoint\n\nURL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.", - "type": "string" + { + "$ref": "#/components/schemas/updateSettingsFlowWithWebAuthnMethod" }, - "frontchannel_logout_session_supported": { - "description": "OpenID Connect Front-Channel Logout Session Required\n\nBoolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify\nthe RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also\nincluded in ID Tokens issued by the OP.", - "type": "boolean" - }, - "frontchannel_logout_supported": { - "description": "OpenID Connect Front-Channel Logout Supported\n\nBoolean value specifying whether the OP supports HTTP-based logout, with true indicating support.", - "type": "boolean" - }, - "grant_types_supported": { - "description": "OAuth 2.0 Supported Grant Types\n\nJSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.", - "items": { - "type": "string" - }, - "type": "array" - }, - "id_token_signed_response_alg": { - "description": "OpenID Connect Default ID Token Signing Algorithms\n\nAlgorithm used to sign OpenID Connect ID Tokens.", - "items": { - "type": "string" - }, - "type": "array" - }, - "id_token_signing_alg_values_supported": { - "description": "OpenID Connect Supported ID Token Signing Algorithms\n\nJSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT.", - "items": { - "type": "string" - }, - "type": "array" - }, - "issuer": { - "description": "OpenID Connect Issuer URL\n\nAn URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.\nIf IssuerURL discovery is supported , this value MUST be identical to the issuer value returned\nby WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.", - "example": "https://playground.ory.sh/ory-hydra/public/", - "type": "string" - }, - "jwks_uri": { - "description": "OpenID Connect Well-Known JSON Web Keys URL\n\nURL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate\nsignatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs\nto encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)\nparameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.\nAlthough some algorithms allow the same key to be used for both signatures and encryption, doing so is\nNOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of\nkeys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.", - "example": "https://{slug}.projects.oryapis.com/.well-known/jwks.json", - "type": "string" - }, - "registration_endpoint": { - "description": "OpenID Connect Dynamic Client Registration Endpoint URL", - "example": "https://playground.ory.sh/ory-hydra/admin/client", + { + "$ref": "#/components/schemas/updateSettingsFlowWithLookupMethod" + } + ] + }, + "updateSettingsFlowWithLookupMethod": { + "description": "Update Settings Flow with Lookup Method", + "properties": { + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token", "type": "string" }, - "request_object_signing_alg_values_supported": { - "description": "OpenID Connect Supported Request Object Signing Algorithms\n\nJSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,\nwhich are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when\nthe Request Object is passed by value (using the request parameter) and when it is passed by reference\n(using the request_uri parameter).", - "items": { - "type": "string" - }, - "type": "array" - }, - "request_parameter_supported": { - "description": "OpenID Connect Request Parameter Supported\n\nBoolean value specifying whether the OP supports use of the request parameter, with true indicating support.", + "lookup_secret_confirm": { + "description": "If set to true will save the regenerated lookup secrets", "type": "boolean" }, - "request_uri_parameter_supported": { - "description": "OpenID Connect Request URI Parameter Supported\n\nBoolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.", + "lookup_secret_disable": { + "description": "Disables this method if true.", "type": "boolean" }, - "require_request_uri_registration": { - "description": "OpenID Connect Requires Request URI Registration\n\nBoolean value specifying whether the OP requires any request_uri values used to be pre-registered\nusing the request_uris registration parameter.", + "lookup_secret_regenerate": { + "description": "If set to true will regenerate the lookup secrets", "type": "boolean" }, - "response_modes_supported": { - "description": "OAuth 2.0 Supported Response Modes\n\nJSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.", - "items": { - "type": "string" - }, - "type": "array" - }, - "response_types_supported": { - "description": "OAuth 2.0 Supported Response Types\n\nJSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID\nProviders MUST support the code, id_token, and the token id_token Response Type values.", - "items": { - "type": "string" - }, - "type": "array" - }, - "revocation_endpoint": { - "description": "OAuth 2.0 Token Revocation URL\n\nURL of the authorization server's OAuth 2.0 revocation endpoint.", - "type": "string" - }, - "scopes_supported": { - "description": "OAuth 2.0 Supported Scope Values\n\nJSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST\nsupport the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used", - "items": { - "type": "string" - }, - "type": "array" - }, - "subject_types_supported": { - "description": "OpenID Connect Supported Subject Types\n\nJSON array containing a list of the Subject Identifier types that this OP supports. Valid types include\npairwise and public.", - "items": { - "type": "string" - }, - "type": "array" - }, - "token_endpoint": { - "description": "OAuth 2.0 Token Endpoint URL", - "example": "https://playground.ory.sh/ory-hydra/public/oauth2/token", - "type": "string" - }, - "token_endpoint_auth_methods_supported": { - "description": "OAuth 2.0 Supported Client Authentication Methods\n\nJSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are\nclient_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0", - "items": { - "type": "string" - }, - "type": "array" + "lookup_secret_reveal": { + "description": "If set to true will reveal the lookup secrets", + "type": "boolean" }, - "userinfo_endpoint": { - "description": "OpenID Connect Userinfo URL\n\nURL of the OP's UserInfo Endpoint.", + "method": { + "description": "Method\n\nShould be set to \"lookup\" when trying to add, update, or remove a lookup pairing.", "type": "string" - }, - "userinfo_signed_response_alg": { - "description": "OpenID Connect User Userinfo Signing Algorithm\n\nAlgorithm used to sign OpenID Connect Userinfo Responses.", - "items": { - "type": "string" - }, - "type": "array" - }, - "userinfo_signing_alg_values_supported": { - "description": "OpenID Connect Supported Userinfo Signing Algorithm\n\nJSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].", - "items": { - "type": "string" - }, - "type": "array" } }, "required": [ - "issuer", - "authorization_endpoint", - "token_endpoint", - "jwks_uri", - "subject_types_supported", - "response_types_supported", - "id_token_signing_alg_values_supported", - "id_token_signed_response_alg", - "userinfo_signed_response_alg" - ], - "title": "OpenID Connect Discovery Metadata", + "method" + ], "type": "object" }, - "oidcUserInfo": { - "description": "OpenID Connect Userinfo", + "updateSettingsFlowWithOidcMethod": { + "description": "Update Settings Flow with OpenID Connect Method", "properties": { - "birthdate": { - "description": "End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.", - "type": "string" - }, - "email": { - "description": "End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.", - "type": "string" - }, - "email_verified": { - "description": "True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.", - "type": "boolean" - }, - "family_name": { - "description": "Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.", - "type": "string" - }, - "gender": { - "description": "End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.", - "type": "string" - }, - "given_name": { - "description": "Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.", - "type": "string" - }, - "locale": { - "description": "End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.", - "type": "string" - }, - "middle_name": { - "description": "Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.", - "type": "string" - }, - "name": { - "description": "End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.", - "type": "string" - }, - "nickname": { - "description": "Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.", - "type": "string" - }, - "phone_number": { - "description": "End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.", - "type": "string" - }, - "phone_number_verified": { - "description": "True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.", - "type": "boolean" - }, - "picture": { - "description": "URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.", - "type": "string" - }, - "preferred_username": { - "description": "Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.", + "flow": { + "description": "Flow ID is the flow's ID.\n\nin: query", "type": "string" }, - "profile": { - "description": "URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.", + "link": { + "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, - "sub": { - "description": "Subject - Identifier for the End-User at the IssuerURL.", + "method": { + "description": "Method\n\nShould be set to profile when trying to update a profile.", "type": "string" }, - "updated_at": { - "description": "Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.", - "format": "int64", - "type": "integer" + "traits": { + "description": "The identity's traits\n\nin: body", + "type": "object" }, - "website": { - "description": "URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.", + "unlink": { + "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, - "zoneinfo": { - "description": "String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.", - "type": "string" + "upstream_parameters": { + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "type": "object" } }, + "required": [ + "method" + ], "type": "object" }, - "pagination": { + "updateSettingsFlowWithPasswordMethod": { + "description": "Update Settings Flow with Password Method", "properties": { - "page": { - "default": 1, - "description": "Pagination Page\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.", - "format": "int64", - "minimum": 1, - "type": "integer" - }, - "page_size": { - "default": 250, - "description": "Items per page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "format": "int64", - "maximum": 1000, - "minimum": 1, - "type": "integer" - }, - "page_token": { - "default": "1", - "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "minimum": 1, + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token", "type": "string" }, - "per_page": { - "default": 250, - "description": "Items per Page\n\nThis is the number of items per page.", - "format": "int64", - "maximum": 1000, - "minimum": 1, - "type": "integer" - } - }, - "type": "object" - }, - "paginationHeaders": { - "properties": { - "link": { - "description": "The link header contains pagination links.\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).\n\nin: header", + "method": { + "description": "Method\n\nShould be set to password when trying to update a password.", "type": "string" }, - "x-total-count": { - "description": "The total number of clients.\n\nin: header", + "password": { + "description": "Password is the updated password", "type": "string" } }, + "required": [ + "password", + "method" + ], "type": "object" }, - "patchIdentitiesBody": { - "description": "Patch Identities Body", - "properties": { - "identities": { - "description": "Identities holds the list of patches to apply\n\nrequired", - "items": { - "$ref": "#/components/schemas/identityPatch" - }, - "type": "array" - } - }, - "type": "object" - }, - "performNativeLogoutBody": { - "description": "Perform Native Logout Request Body", + "updateSettingsFlowWithProfileMethod": { + "description": "Update Settings Flow with Profile Method", "properties": { - "session_token": { - "description": "The Session Token\n\nInvalidate this session token.", + "csrf_token": { + "description": "The Anti-CSRF Token\n\nThis token is only required when performing browser flows.", + "type": "string" + }, + "method": { + "description": "Method\n\nShould be set to profile when trying to update a profile.", "type": "string" + }, + "traits": { + "description": "Traits\n\nThe identity's traits.", + "type": "object" } }, "required": [ - "session_token" + "traits", + "method" ], "type": "object" }, - "permissionsOnProject": { - "additionalProperties": { - "type": "boolean" - }, - "description": "Get Permissions on Project Request Parameters", - "type": "object" - }, - "plans": { - "$ref": "#/components/schemas/Pricing" - }, - "postCheckPermissionBody": { - "description": "Check Permission using Post Request Body", + "updateSettingsFlowWithTotpMethod": { + "description": "Update Settings Flow with TOTP Method", "properties": { - "namespace": { - "description": "Namespace to query", - "type": "string" - }, - "object": { - "description": "Object to query", + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token", "type": "string" }, - "relation": { - "description": "Relation to query", + "method": { + "description": "Method\n\nShould be set to \"totp\" when trying to add, update, or remove a totp pairing.", "type": "string" }, - "subject_id": { - "description": "SubjectID to query\n\nEither SubjectSet or SubjectID can be provided.", + "totp_code": { + "description": "ValidationTOTP must contain a valid TOTP based on the", "type": "string" }, - "subject_set": { - "$ref": "#/components/schemas/subjectSet" + "totp_unlink": { + "description": "UnlinkTOTP if true will remove the TOTP pairing,\neffectively removing the credential. This can be used\nto set up a new TOTP device.", + "type": "boolean" } }, + "required": [ + "method" + ], "type": "object" }, - "postCheckPermissionOrErrorBody": { - "description": "Post Check Permission Or Error Body", + "updateSettingsFlowWithWebAuthnMethod": { + "description": "Update Settings Flow with WebAuthn Method", "properties": { - "namespace": { - "description": "Namespace to query", + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token", "type": "string" }, - "object": { - "description": "Object to query", + "method": { + "description": "Method\n\nShould be set to \"webauthn\" when trying to add, update, or remove a webAuthn pairing.", "type": "string" }, - "relation": { - "description": "Relation to query", + "webauthn_register": { + "description": "Register a WebAuthn Security Key\n\nIt is expected that the JSON returned by the WebAuthn registration process\nis included here.", "type": "string" }, - "subject_id": { - "description": "SubjectID to query\n\nEither SubjectSet or SubjectID can be provided.", + "webauthn_register_displayname": { + "description": "Name of the WebAuthn Security Key to be Added\n\nA human-readable name for the security key which will be added.", "type": "string" }, - "subject_set": { - "$ref": "#/components/schemas/subjectSet" + "webauthn_remove": { + "description": "Remove a WebAuthn Security Key\n\nThis must contain the ID of the WebAuthN connection.", + "type": "string" } }, + "required": [ + "method" + ], "type": "object" }, - "project": { - "properties": { - "id": { - "description": "The project's ID.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "The name of the project.", - "type": "string" + "updateVerificationFlowBody": { + "description": "Update Verification Flow Request Body", + "discriminator": { + "mapping": { + "code": "#/components/schemas/updateVerificationFlowWithCodeMethod", + "link": "#/components/schemas/updateVerificationFlowWithLinkMethod" }, - "revision_id": { - "description": "The configuration revision ID.", - "format": "uuid", - "readOnly": true, + "propertyName": "method" + }, + "oneOf": [ + { + "$ref": "#/components/schemas/updateVerificationFlowWithLinkMethod" + }, + { + "$ref": "#/components/schemas/updateVerificationFlowWithCodeMethod" + } + ] + }, + "updateVerificationFlowWithCodeMethod": { + "properties": { + "code": { + "description": "Code from the recovery email\n\nIf you want to submit a code, use this field, but make sure to _not_ include the email field, as well.", "type": "string" }, - "services": { - "$ref": "#/components/schemas/projectServices" + "csrf_token": { + "description": "Sending the anti-csrf token is only required for browser login flows.", + "type": "string" }, - "slug": { - "description": "The project's slug", - "readOnly": true, + "email": { + "description": "The email address to verify\n\nIf the email belongs to a valid account, a verifiation email will be sent.\n\nIf you want to notify the email address if the account does not exist, see\nthe [notify_unknown_recipients flag](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#attempted-verification-notifications)\n\nIf a code was already sent, including this field in the payload will invalidate the sent code and re-send a new code.\n\nformat: email", "type": "string" }, - "state": { - "description": "The state of the project.\nrunning Running\nhalted Halted\ndeleted Deleted", + "method": { + "description": "Method is the method that should be used for this verification flow\n\nAllowed values are `link` and `code`.\nlink VerificationStrategyLink\ncode VerificationStrategyCode", "enum": [ - "running", - "halted", - "deleted" + "link", + "code" ], - "readOnly": true, "type": "string", - "x-go-enum-desc": "running Running\nhalted Halted\ndeleted Deleted" + "x-go-enum-desc": "link VerificationStrategyLink\ncode VerificationStrategyCode" } }, "required": [ - "id", - "revision_id", - "slug", - "services", - "state", - "name" + "method" ], "type": "object" }, - "projectApiKey": { + "updateVerificationFlowWithLinkMethod": { + "description": "Update Verification Flow with Link Method", "properties": { - "created_at": { - "description": "The token's creation date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "id": { - "description": "The token's ID.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "The Token's Name\n\nSet this to help you remember, for example, where you use the token.", - "type": "string" - }, - "owner_id": { - "description": "The token's owner", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "project_id": { - "description": "The Token's Project ID", - "format": "uuid", - "readOnly": true, + "csrf_token": { + "description": "Sending the anti-csrf token is only required for browser login flows.", "type": "string" }, - "updated_at": { - "description": "The token's last update date", - "format": "date-time", - "readOnly": true, + "email": { + "description": "Email to Verify\n\nNeeds to be set when initiating the flow. If the email is a registered\nverification email, a verification link will be sent. If the email is not known,\na email with details on what happened will be sent instead.\n\nformat: email", "type": "string" }, - "value": { - "description": "The token's value", - "readOnly": true, - "type": "string" + "method": { + "description": "Method is the method that should be used for this verification flow\n\nAllowed values are `link` and `code`\nlink VerificationStrategyLink\ncode VerificationStrategyCode", + "enum": [ + "link", + "code" + ], + "type": "string", + "x-go-enum-desc": "link VerificationStrategyLink\ncode VerificationStrategyCode" } }, "required": [ - "id", - "name", - "owner_id" + "email", + "method" ], "type": "object" }, - "projectApiKeys": { - "items": { - "$ref": "#/components/schemas/projectApiKey" - }, - "type": "array" - }, - "projectBranding": { + "verifiableIdentityAddress": { + "description": "VerifiableAddress is an identity's verifiable address", "properties": { "created_at": { - "description": "The Customization Creation Date", + "description": "When this entry was created", + "example": "2014-01-01T23:28:56.782Z", "format": "date-time", - "readOnly": true, "type": "string" }, - "default_theme": { - "$ref": "#/components/schemas/projectBrandingTheme" - }, "id": { - "description": "The customization ID.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "project_id": { - "description": "The Project's ID this customization is associated with", + "description": "The ID", "format": "uuid", "type": "string" }, - "themes": { - "$ref": "#/components/schemas/projectBrandingThemes" + "status": { + "$ref": "#/components/schemas/identityVerifiableAddressStatus" }, "updated_at": { - "description": "Last Time Branding was Updated", + "description": "When this entry was last updated", + "example": "2014-01-01T23:28:56.782Z", "format": "date-time", - "readOnly": true, - "type": "string" - } - }, - "required": [ - "id", - "project_id", - "default_theme", - "themes", - "created_at", - "updated_at" - ], - "title": "ProjectBranding holds all settings for customizing the Ory Account Experience.", - "type": "object" - }, - "projectBrandingColors": { - "properties": { - "accent_default_color": { - "description": "AccentDefaultColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "accent_disabled_color": { - "description": "AccentDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "accent_emphasis_color": { - "description": "AccentEmphasisColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "accent_muted_color": { - "description": "AccentMutedColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "accent_subtle_color": { - "description": "AccentSubtleColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "background_canvas_color": { - "description": "BackgroundCanvasColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "background_subtle_color": { - "description": "BackgroundSubtleColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "background_surface_color": { - "description": "BackgroundSurfaceColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "border_default_color": { - "description": "BorderDefaultColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "error_default_color": { - "description": "ErrorDefaultColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "error_emphasis_color": { - "description": "ErrorEmphasisColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "error_muted_color": { - "description": "ErrorMutedColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "error_subtle_color": { - "description": "ErrorSubtleColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_default_color": { - "description": "ForegroundDefaultColor is a hex color code used by the Ory Account Experience theme.", "type": "string" }, - "foreground_disabled_color": { - "description": "ForegroundDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_muted_color": { - "description": "ForegroundMutedColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_on_accent_color": { - "description": "ForegroundOnAccentColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_on_dark_color": { - "description": "ForegroundOnDarkColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_on_disabled_color": { - "description": "ForegroundOnDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_subtle_color": { - "description": "ForegroundSubtleColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "input_background_color": { - "description": "InputBackgroundColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "input_disabled_color": { - "description": "InputDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "input_placeholder_color": { - "description": "InputPlaceholderColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "input_text_color": { - "description": "InputTextColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "primary_color": { - "description": "Primary color is an hsla color value used to derive the other colors from for the Ory Account Experience theme.", - "type": "string" - }, - "secondary_color": { - "description": "Secondary color is a hsla color code used to derive the other colors from for the Ory Account Experience theme.", + "value": { + "description": "The address value\n\nexample foo@user.com", "type": "string" }, - "success_emphasis_color": { - "description": "SuccessEmphasisColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" + "verified": { + "description": "Indicates if the address has already been verified", + "example": true, + "type": "boolean" }, - "text_default_color": { - "description": "TextDefaultColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" + "verified_at": { + "$ref": "#/components/schemas/nullTime" }, - "text_disabled_color": { - "description": "TextDisabledColor is a hex color code used by the Ory Account Experience theme.", + "via": { + "description": "The delivery method", + "enum": [ + "email", + "sms" + ], + "example": "email", "type": "string" } }, - "title": "ProjectBrandingColors are the colors used by the Ory Account Experience theme.", + "required": [ + "value", + "verified", + "via", + "status" + ], "type": "object" }, - "projectBrandingTheme": { + "verificationFlow": { + "description": "Used to verify an out-of-band communication\nchannel such as an email address or a phone number.\n\nFor more information head over to: https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation", "properties": { - "accent_default_color": { - "description": "AccentDefaultColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "accent_disabled_color": { - "description": "AccentDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "accent_emphasis_color": { - "description": "AccentEmphasisColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "accent_muted_color": { - "description": "AccentMutedColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "accent_subtle_color": { - "description": "AccentSubtleColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "background_canvas_color": { - "description": "BackgroundCanvasColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "background_subtle_color": { - "description": "BackgroundSubtleColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "background_surface_color": { - "description": "BackgroundSurfaceColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "border_default_color": { - "description": "BorderDefaultColor is a hex color code used by the Ory Account Experience theme.", + "active": { + "description": "Active, if set, contains the registration method that is being used. It is initially\nnot set.", "type": "string" }, - "created_at": { - "description": "The Customiation Creation Date", + "expires_at": { + "description": "ExpiresAt is the time (UTC) when the request expires. If the user still wishes to verify the address,\na new request has to be initiated.", "format": "date-time", - "readOnly": true, - "type": "string" - }, - "error_default_color": { - "description": "ErrorDefaultColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "error_emphasis_color": { - "description": "ErrorEmphasisColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "error_muted_color": { - "description": "ErrorMutedColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "error_subtle_color": { - "description": "ErrorSubtleColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_default_color": { - "description": "ForegroundDefaultColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_disabled_color": { - "description": "ForegroundDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_muted_color": { - "description": "ForegroundMutedColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_on_accent_color": { - "description": "ForegroundOnAccentColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_on_dark_color": { - "description": "ForegroundOnDarkColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_on_disabled_color": { - "description": "ForegroundOnDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "foreground_subtle_color": { - "description": "ForegroundSubtleColor is a hex color code used by the Ory Account Experience theme.", "type": "string" }, "id": { - "description": "The customization theme ID.", + "description": "ID represents the request's unique ID. When performing the verification flow, this\nrepresents the id in the verify ui's query parameter: http://\u003cselfservice.flows.verification.ui_url\u003e?request=\u003cid\u003e\n\ntype: string\nformat: uuid", "format": "uuid", - "readOnly": true, - "type": "string" - }, - "input_background_color": { - "description": "InputBackgroundColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "input_disabled_color": { - "description": "InputDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "input_placeholder_color": { - "description": "InputPlaceholderColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" - }, - "input_text_color": { - "description": "InputTextColor is a hex color code used by the Ory Account Experience theme.", "type": "string" }, - "logo_type": { - "description": "Logo Type\nThe Logo mime type.", - "type": "string" - }, - "logo_url": { - "description": "Logo URL\nLogo can be an https:// or base64:// URL. If the URL is not allowed, the logo will be stored inside the Ory Network storage bucket.", - "type": "string" - }, - "name": { - "description": "The customization theme name.", - "type": "string" - }, - "primary_color": { - "description": "Primary color is an hsla color value used to derive the other colors from for the Ory Account Experience theme.", - "type": "string" - }, - "project_branding_id": { - "description": "The ProjectBranding ID this customization is associated with", - "format": "uuid", + "issued_at": { + "description": "IssuedAt is the time (UTC) when the request occurred.", + "format": "date-time", "type": "string" }, - "secondary_color": { - "description": "Secondary color is a hsla color code used to derive the other colors from for the Ory Account Experience theme.", + "request_url": { + "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", "type": "string" }, - "success_emphasis_color": { - "description": "SuccessEmphasisColor is a hex color code used by the Ory Account Experience theme.", + "return_to": { + "description": "ReturnTo contains the requested return_to URL.", "type": "string" }, - "text_default_color": { - "description": "TextDefaultColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" + "state": { + "description": "State represents the state of this request:\n\nchoose_method: ask the user to choose a method (e.g. verify your email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the verification challenge was passed." }, - "text_disabled_color": { - "description": "TextDisabledColor is a hex color code used by the Ory Account Experience theme.", - "type": "string" + "type": { + "$ref": "#/components/schemas/selfServiceFlowType" }, - "updated_at": { - "description": "Last Time Branding was Updated", - "format": "date-time", - "readOnly": true, - "type": "string" - } - }, - "required": [ - "id", - "project_branding_id", - "name", - "created_at", - "updated_at" - ], - "title": "ProjectBrandingTheme represents a Theme for the Ory Account Experience.", - "type": "object" - }, - "projectBrandingThemes": { - "items": { - "$ref": "#/components/schemas/projectBrandingTheme" - }, - "title": "ProjectBrandingThemes is a list of ProjectBrandingTheme.", - "type": "array" - }, - "projectHost": { - "properties": { - "host": { - "description": "The project's host.", - "type": "string" - }, - "id": { - "description": "The mapping's ID.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "project_id": { - "description": "The Revision's Project ID", - "format": "uuid", - "type": "string" - } - }, - "required": [ - "id", - "host", - "project_id" - ], - "type": "object" - }, - "projectInvite": { - "properties": { - "created_at": { - "description": "The Project's Revision Creation Date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "id": { - "description": "The invite's ID.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "invitee_email": { - "description": "The invitee's email", - "type": "string" - }, - "invitee_id": { - "$ref": "#/components/schemas/NullUUID" - }, - "owner_email": { - "description": "The invite owner's email\nUsually the project's owner email", - "type": "string" - }, - "owner_id": { - "description": "The invite owner's ID\nUsually the project's owner", - "format": "uuid", - "type": "string" - }, - "project_id": { - "description": "The Project's ID this invite is associated with", - "format": "uuid", - "type": "string" - }, - "status": { - "description": "The invite's status\nKeeps track of the invites status such as pending, accepted, declined, expired\npending PENDING\naccepted ACCEPTED\ndeclined DECLINED\nexpired EXPIRED\ncancelled CANCELLED\nremoved REMOVED", - "enum": [ - "pending", - "accepted", - "declined", - "expired", - "cancelled", - "removed" - ], - "type": "string", - "x-go-enum-desc": "pending PENDING\naccepted ACCEPTED\ndeclined DECLINED\nexpired EXPIRED\ncancelled CANCELLED\nremoved REMOVED" - }, - "updated_at": { - "description": "Last Time Project's Revision was Updated", - "format": "date-time", - "readOnly": true, - "type": "string" - } - }, - "required": [ - "id", - "project_id", - "owner_id", - "owner_email", - "invitee_email", - "status", - "created_at", - "updated_at" - ], - "type": "object" - }, - "projectInvites": { - "items": { - "$ref": "#/components/schemas/projectInvite" - }, - "type": "array" - }, - "projectMember": { - "$ref": "#/components/schemas/cloudAccount" - }, - "projectMembers": { - "items": { - "$ref": "#/components/schemas/projectMember" - }, - "type": "array" - }, - "projectMetadata": { - "properties": { - "created_at": { - "description": "The Project's Creation Date", - "format": "date-time", - "type": "string" - }, - "hosts": { - "$ref": "#/components/schemas/StringSliceJSONFormat" - }, - "id": { - "description": "The project's ID.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "The project's name if set", - "type": "string" - }, - "slug": { - "description": "The project's slug", - "readOnly": true, - "type": "string" - }, - "state": { - "description": "The state of the project.\nrunning Running\nhalted Halted\ndeleted Deleted", - "enum": [ - "running", - "halted", - "deleted" - ], - "type": "string", - "x-go-enum-desc": "running Running\nhalted Halted\ndeleted Deleted" - }, - "subscription_id": { - "$ref": "#/components/schemas/NullUUID" - }, - "subscription_plan": { - "$ref": "#/components/schemas/String" - }, - "updated_at": { - "description": "Last Time Project was Updated", - "format": "date-time", - "type": "string" - } - }, - "required": [ - "id", - "hosts", - "state", - "created_at", - "updated_at", - "name" - ], - "type": "object" - }, - "projectMetadataList": { - "items": { - "$ref": "#/components/schemas/projectMetadata" - }, - "type": "array" - }, - "projectRevisionHooks": { - "items": { - "$ref": "#/components/schemas/normalizedProjectRevisionHook" - }, - "type": "array" - }, - "projectRevisionIdentitySchemas": { - "items": { - "$ref": "#/components/schemas/normalizedProjectRevisionIdentitySchema" - }, - "type": "array" - }, - "projectRevisionThirdPartyLoginProviders": { - "items": { - "$ref": "#/components/schemas/normalizedProjectRevisionThirdPartyProvider" - }, - "type": "array" - }, - "projectRevisions": { - "items": { - "$ref": "#/components/schemas/normalizedProjectRevision" - }, - "type": "array" - }, - "projectServiceIdentity": { - "properties": { - "config": { - "type": "object" - } - }, - "required": [ - "config" - ], - "type": "object" - }, - "projectServiceOAuth2": { - "properties": { - "config": { - "type": "object" - } - }, - "required": [ - "config" - ], - "type": "object" - }, - "projectServicePermission": { - "properties": { - "config": { - "type": "object" - } - }, - "required": [ - "config" - ], - "type": "object" - }, - "projectServices": { - "properties": { - "identity": { - "$ref": "#/components/schemas/projectServiceIdentity" - }, - "oauth2": { - "$ref": "#/components/schemas/projectServiceOAuth2" - }, - "permission": { - "$ref": "#/components/schemas/projectServicePermission" - } - }, - "type": "object" - }, - "projects": { - "items": { - "$ref": "#/components/schemas/project" - }, - "type": "array" - }, - "quotaUsage": { - "properties": { - "additional_price": { - "format": "int64", - "type": "integer" - }, - "can_use_more": { - "type": "boolean" - }, - "feature": { - "description": "\nregion_eu RegionEU\nregion_us RegionUS\nregion_apac RegionAPAC\nregion_global RegionGlobal\nproduction_projects ProductionProjects\ndaily_active_users DailyActiveUsers\ncustom_domains CustomDomains\nsla SLA\ncollaborator_seats CollaboratorSeats\nedge_cache EdgeCache\nbranding_themes BrandingThemes\nzendesk_support ZendeskSupport\nproject_metrics ProjectMetrics\nrate_limit_tier RateLimitTier\nsession_rate_limit_tier RateLimitTierSessions", - "enum": [ - "region_eu", - "region_us", - "region_apac", - "region_global", - "production_projects", - "daily_active_users", - "custom_domains", - "sla", - "collaborator_seats", - "edge_cache", - "branding_themes", - "zendesk_support", - "project_metrics", - "rate_limit_tier", - "session_rate_limit_tier" - ], - "type": "string", - "x-go-enum-desc": "region_eu RegionEU\nregion_us RegionUS\nregion_apac RegionAPAC\nregion_global RegionGlobal\nproduction_projects ProductionProjects\ndaily_active_users DailyActiveUsers\ncustom_domains CustomDomains\nsla SLA\ncollaborator_seats CollaboratorSeats\nedge_cache EdgeCache\nbranding_themes BrandingThemes\nzendesk_support ZendeskSupport\nproject_metrics ProjectMetrics\nrate_limit_tier RateLimitTier\nsession_rate_limit_tier RateLimitTierSessions" - }, - "feature_available": { - "type": "boolean" - }, - "included": { - "format": "int64", - "type": "integer" - }, - "used": { - "format": "int64", - "type": "integer" - } - }, - "required": [ - "feature", - "included", - "used", - "additional_price", - "can_use_more", - "feature_available" - ], - "type": "object" - }, - "recoveryCodeForIdentity": { - "description": "Used when an administrator creates a recovery code for an identity.", - "properties": { - "expires_at": { - "description": "Expires At is the timestamp of when the recovery flow expires\n\nThe timestamp when the recovery link expires.", - "format": "date-time", - "type": "string" - }, - "recovery_code": { - "description": "RecoveryCode is the code that can be used to recover the account", - "type": "string" - }, - "recovery_link": { - "description": "RecoveryLink with flow\n\nThis link opens the recovery UI with an empty `code` field.", - "type": "string" - } - }, - "required": [ - "recovery_link", - "recovery_code" - ], - "title": "Recovery Code for Identity", - "type": "object" - }, - "recoveryFlow": { - "description": "This request is used when an identity wants to recover their account.\n\nWe recommend reading the [Account Recovery Documentation](../self-service/flows/password-reset-account-recovery)", - "properties": { - "active": { - "description": "Active, if set, contains the recovery method that is being used. It is initially\nnot set.", - "type": "string" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the request expires. If the user still wishes to update the setting,\na new request has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "description": "ID represents the request's unique ID. When performing the recovery flow, this\nrepresents the id in the recovery ui's query parameter: http://\u003cselfservice.flows.recovery.ui_url\u003e?request=\u003cid\u003e", - "format": "uuid", - "type": "string" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the request occurred.", - "format": "date-time", - "type": "string" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/recoveryFlowState" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" + "ui": { + "$ref": "#/components/schemas/uiContainer" } }, "required": [ "id", "type", - "expires_at", - "issued_at", - "request_url", "ui", "state" ], - "title": "A Recovery Flow", + "title": "A Verification Flow", "type": "object" }, - "recoveryFlowState": { - "description": "The state represents the state of the recovery flow.\n\nchoose_method: ask the user to choose a method (e.g. recover account via email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the recovery challenge was passed.", + "verificationFlowState": { + "description": "The state represents the state of the verification flow.\n\nchoose_method: ask the user to choose a method (e.g. recover account via email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the recovery challenge was passed.", "enum": [ "choose_method", "sent_email", - "passed_challenge" - ], - "title": "Recovery Flow State", - "type": "string" - }, - "recoveryIdentityAddress": { - "properties": { - "created_at": { - "description": "CreatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "id": { - "format": "uuid", - "type": "string" - }, - "updated_at": { - "description": "UpdatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "value": { - "type": "string" - }, - "via": { - "$ref": "#/components/schemas/RecoveryAddressType" - } - }, - "required": [ - "id", - "value", - "via" - ], - "type": "object" - }, - "recoveryLinkForIdentity": { - "description": "Used when an administrator creates a recovery link for an identity.", - "properties": { - "expires_at": { - "description": "Recovery Link Expires At\n\nThe timestamp when the recovery link expires.", - "format": "date-time", - "type": "string" - }, - "recovery_link": { - "description": "Recovery Link\n\nThis link can be used to recover the account.", - "type": "string" - } - }, - "required": [ - "recovery_link" - ], - "title": "Identity Recovery Link", - "type": "object" - }, - "registrationFlow": { - "properties": { - "active": { - "$ref": "#/components/schemas/identityCredentialsType" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,\na new flow has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "description": "ID represents the flow's unique ID. When performing the registration flow, this\nrepresents the id in the registration ui's query parameter: http://\u003cselfservice.flows.registration.ui_url\u003e/?flow=\u003cid\u003e", - "format": "uuid", - "type": "string" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the flow occurred.", - "format": "date-time", - "type": "string" - }, - "oauth2_login_challenge": { - "description": "Ory OAuth 2.0 Login Challenge.\n\nThis value is set using the `login_challenge` query parameter of the registration and login endpoints.\nIf set will cooperate with Ory OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.", - "type": "string" - }, - "oauth2_login_request": { - "$ref": "#/components/schemas/oAuth2LoginRequest" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "session_token_exchange_code": { - "description": "SessionTokenExchangeCode holds the secret code that the client can use to retrieve a session token after the flow has been completed.\nThis is only set if the client has requested a session token exchange code, and if the flow is of type \"api\",\nand only on creating the flow.", - "type": "string" - }, - "transient_payload": { - "description": "TransientPayload is used to pass data from the registration to a webhook", - "type": "object" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" - } - }, - "required": [ - "id", - "type", - "expires_at", - "issued_at", - "request_url", - "ui" - ], - "type": "object" - }, - "rejectOAuth2Request": { - "properties": { - "error": { - "description": "The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`).\n\nDefaults to `request_denied`.", - "type": "string" - }, - "error_debug": { - "description": "Debug contains information to help resolve the problem as a developer. Usually not exposed\nto the public but only in the server logs.", - "type": "string" - }, - "error_description": { - "description": "Description of the error in a human readable format.", - "type": "string" - }, - "error_hint": { - "description": "Hint to help resolve the error.", - "type": "string" - }, - "status_code": { - "description": "Represents the HTTP status code of the error (e.g. 401 or 403)\n\nDefaults to 400", - "format": "int64", - "type": "integer" - } - }, - "title": "The request payload used to accept a login or consent request.", - "type": "object" - }, - "relationQuery": { - "description": "Relation Query", - "properties": { - "namespace": { - "description": "Namespace to query", - "type": "string" - }, - "object": { - "description": "Object to query", - "type": "string" - }, - "relation": { - "description": "Relation to query", - "type": "string" - }, - "subject_id": { - "description": "SubjectID to query\n\nEither SubjectSet or SubjectID can be provided.", - "type": "string" - }, - "subject_set": { - "$ref": "#/components/schemas/subjectSet" - } - }, - "type": "object" - }, - "relationship": { - "description": "Relationship", - "properties": { - "namespace": { - "description": "Namespace of the Relation Tuple", - "type": "string" - }, - "object": { - "description": "Object of the Relation Tuple", - "type": "string" - }, - "relation": { - "description": "Relation of the Relation Tuple", - "type": "string" - }, - "subject_id": { - "description": "SubjectID of the Relation Tuple\n\nEither SubjectSet or SubjectID can be provided.", - "type": "string" - }, - "subject_set": { - "$ref": "#/components/schemas/subjectSet" - } - }, - "required": [ - "namespace", - "object", - "relation" - ], - "type": "object" - }, - "relationshipNamespaces": { - "description": "Relationship Namespace List", - "properties": { - "namespaces": { - "items": { - "$ref": "#/components/schemas/namespace" - }, - "type": "array" - } - }, - "type": "object" - }, - "relationshipPatch": { - "description": "Payload for patching a relationship", - "properties": { - "action": { - "enum": [ - "insert", - "delete" - ], - "type": "string", - "x-go-enum-desc": "insert ActionInsert\ndelete ActionDelete" - }, - "relation_tuple": { - "$ref": "#/components/schemas/relationship" - } - }, - "type": "object" - }, - "relationships": { - "description": "Paginated Relationship List", - "properties": { - "next_page_token": { - "description": "The opaque token to provide in a subsequent request\nto get the next page. It is the empty string iff this is\nthe last page.", - "type": "string" - }, - "relation_tuples": { - "items": { - "$ref": "#/components/schemas/relationship" - }, - "type": "array" - } - }, - "type": "object" - }, - "schemaPatch": { - "properties": { - "data": { - "description": "The json schema", - "type": "object" - }, - "name": { - "description": "The user defined schema name", - "type": "string" - } - }, - "required": [ - "name", - "data" - ], - "type": "object" - }, - "selfServiceFlowExpiredError": { - "description": "Is sent when a flow is expired", - "properties": { - "error": { - "$ref": "#/components/schemas/genericError" - }, - "expired_at": { - "description": "When the flow has expired", - "format": "date-time", - "type": "string" - }, - "since": { - "$ref": "#/components/schemas/Duration" - }, - "use_flow_id": { - "description": "The flow ID that should be used for the new flow as it contains the correct messages.", - "format": "uuid", - "type": "string" - } - }, - "type": "object" - }, - "selfServiceFlowType": { - "description": "The flow type can either be `api` or `browser`.", - "title": "Type is the flow type.", - "type": "string" - }, - "session": { - "description": "A Session", - "properties": { - "active": { - "description": "Active state. If false the session is no longer active.", - "type": "boolean" - }, - "authenticated_at": { - "description": "The Session Authentication Timestamp\n\nWhen this session was authenticated at. If multi-factor authentication was used this\nis the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).", - "format": "date-time", - "type": "string" - }, - "authentication_methods": { - "$ref": "#/components/schemas/sessionAuthenticationMethods" - }, - "authenticator_assurance_level": { - "$ref": "#/components/schemas/authenticatorAssuranceLevel" - }, - "devices": { - "description": "Devices has history of all endpoints where the session was used", - "items": { - "$ref": "#/components/schemas/sessionDevice" - }, - "type": "array" - }, - "expires_at": { - "description": "The Session Expiry\n\nWhen this session expires at.", - "format": "date-time", - "type": "string" - }, - "id": { - "description": "Session ID", - "format": "uuid", - "type": "string" - }, - "identity": { - "$ref": "#/components/schemas/identity" - }, - "issued_at": { - "description": "The Session Issuance Timestamp\n\nWhen this session was issued at. Usually equal or close to `authenticated_at`.", - "format": "date-time", - "type": "string" - } - }, - "required": [ - "id", - "identity" - ], - "type": "object" - }, - "sessionAuthenticationMethod": { - "description": "A singular authenticator used during authentication / login.", - "properties": { - "aal": { - "$ref": "#/components/schemas/authenticatorAssuranceLevel" - }, - "completed_at": { - "description": "When the authentication challenge was completed.", - "format": "date-time", - "type": "string" - }, - "method": { - "enum": [ - "link_recovery", - "code_recovery", - "password", - "totp", - "oidc", - "webauthn", - "lookup_secret", - "v0.6_legacy_session" - ], - "title": "The method used", - "type": "string" - }, - "provider": { - "description": "OIDC or SAML provider id used for authentication", - "type": "string" - } - }, - "title": "AuthenticationMethod identifies an authentication method", - "type": "object" - }, - "sessionAuthenticationMethods": { - "description": "A list of authenticators which were used to authenticate the session.", - "items": { - "$ref": "#/components/schemas/sessionAuthenticationMethod" - }, - "title": "List of (Used) AuthenticationMethods", - "type": "array" - }, - "sessionDevice": { - "description": "Device corresponding to a Session", - "properties": { - "id": { - "description": "Device record ID", - "format": "uuid", - "type": "string" - }, - "ip_address": { - "description": "IPAddress of the client", - "type": "string" - }, - "location": { - "description": "Geo Location corresponding to the IP Address", - "type": "string" - }, - "user_agent": { - "description": "UserAgent of the client", - "type": "string" - } - }, - "required": [ - "id" - ], - "type": "object" - }, - "setActiveProjectInConsoleBody": { - "description": "Set active project in the Ory Network Console Request Body", - "properties": { - "project_id": { - "description": "Project ID\n\nThe Project ID you want to set active.\n\nformat: uuid", - "type": "string" - } - }, - "required": [ - "project_id" - ], - "type": "object" - }, - "setCustomDomainBody": { - "description": "Update Custom Hostname Body", - "properties": { - "cookie_domain": { - "description": "The domain where cookies will be set. Has to be a parent domain of the custom hostname to work.", - "type": "string" - }, - "cors_allowed_origins": { - "description": "CORS Allowed origins for the custom hostname.", - "items": { - "type": "string" - }, - "type": "array" - }, - "cors_enabled": { - "description": "CORS Enabled for the custom hostname.", - "type": "boolean" - }, - "custom_ui_base_url": { - "description": "The custom UI base URL where the UI will be exposed.", - "type": "string" - }, - "hostname": { - "description": "The custom hostname where the API will be exposed.", - "type": "string" - } - }, - "type": "object" - }, - "setProject": { - "properties": { - "name": { - "description": "The name of the project.", - "type": "string" - }, - "services": { - "$ref": "#/components/schemas/projectServices" - } - }, - "required": [ - "services", - "name" - ], - "type": "object" - }, - "setProjectBrandingThemeBody": { - "properties": { - "logo_type": { - "description": "Logo type", - "type": "string" - }, - "logo_url": { - "description": "Logo URL", - "type": "string" - }, - "name": { - "description": "Branding name", - "type": "string" - }, - "theme": { - "$ref": "#/components/schemas/projectBrandingColors" - } - }, - "title": "SetProjectBrandingThemeBody is the request body for the set project branding theme endpoint.", - "type": "object" - }, - "settingsFlow": { - "description": "This flow is used when an identity wants to update settings\n(e.g. profile data, passwords, ...) in a selfservice manner.\n\nWe recommend reading the [User Settings Documentation](../self-service/flows/user-settings)", - "properties": { - "active": { - "description": "Active, if set, contains the registration method that is being used. It is initially\nnot set.", - "type": "string" - }, - "continue_with": { - "description": "Contains a list of actions, that could follow this flow\n\nIt can, for example, contain a reference to the verification flow, created as part of the user's\nregistration.", - "items": { - "$ref": "#/components/schemas/continueWith" - }, - "type": "array" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to update the setting,\na new flow has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "description": "ID represents the flow's unique ID. When performing the settings flow, this\nrepresents the id in the settings ui's query parameter: http://\u003cselfservice.flows.settings.ui_url\u003e?flow=\u003cid\u003e", - "format": "uuid", - "type": "string" - }, - "identity": { - "$ref": "#/components/schemas/identity" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the flow occurred.", - "format": "date-time", - "type": "string" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/settingsFlowState" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" - } - }, - "required": [ - "id", - "type", - "expires_at", - "issued_at", - "request_url", - "ui", - "identity", - "state" - ], - "title": "Flow represents a Settings Flow", - "type": "object" - }, - "settingsFlowState": { - "description": "show_form: No user data has been collected, or it is invalid, and thus the form should be shown.\nsuccess: Indicates that the settings flow has been updated successfully with the provided data.\nDone will stay true when repeatedly checking. If set to true, done will revert back to false only\nwhen a flow with invalid (e.g. \"please use a valid phone number\") data was sent.", - "enum": [ - "show_form", - "success" - ], - "title": "State represents the state of this flow. It knows two states:", - "type": "string" - }, - "stripeCustomer": { - "properties": { - "id": { - "type": "string" - } - }, - "type": "object" - }, - "subjectSet": { - "properties": { - "namespace": { - "description": "Namespace of the Subject Set", - "type": "string" - }, - "object": { - "description": "Object of the Subject Set", - "type": "string" - }, - "relation": { - "description": "Relation of the Subject Set", - "type": "string" - } - }, - "required": [ - "namespace", - "object", - "relation" - ], - "type": "object" - }, - "subscription": { - "properties": { - "created_at": { - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "currency": { - "description": "The currency of the subscription. To change this, a new subscription must be created.\nusd USD\neur Euro", - "enum": [ - "usd", - "eur" - ], - "readOnly": true, - "type": "string", - "x-go-enum-desc": "usd USD\neur Euro" - }, - "current_interval": { - "description": "The currently active interval of the subscription\nmonthly Monthly\nyearly Yearly", - "enum": [ - "monthly", - "yearly" - ], - "readOnly": true, - "type": "string", - "x-go-enum-desc": "monthly Monthly\nyearly Yearly" - }, - "current_plan": { - "description": "The currently active plan of the subscription", - "readOnly": true, - "type": "string" - }, - "customer_id": { - "description": "The ID of the stripe customer", - "readOnly": true, - "type": "string" - }, - "id": { - "description": "The ID of the subscription", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "interval_changes_to": { - "$ref": "#/components/schemas/String" - }, - "ongoing_stripe_checkout_id": { - "$ref": "#/components/schemas/String" - }, - "payed_until": { - "description": "Until when the subscription is payed", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "plan_changes_at": { - "$ref": "#/components/schemas/Time" - }, - "plan_changes_to": { - "$ref": "#/components/schemas/String" - }, - "status": { - "$ref": "#/components/schemas/SubscriptionStatus" - }, - "updated_at": { - "format": "date-time", - "readOnly": true, - "type": "string" - } - }, - "required": [ - "id", - "customer_id", - "status", - "payed_until", - "current_plan", - "current_interval", - "plan_changes_to", - "interval_changes_to", - "currency", - "created_at", - "updated_at" - ], - "type": "object" - }, - "successfulCodeExchangeResponse": { - "description": "The Response for Registration Flows via API", - "properties": { - "session": { - "$ref": "#/components/schemas/session" - }, - "session_token": { - "description": "The Session Token\n\nA session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization\nHeader:\n\nAuthorization: bearer ${session-token}\n\nThe session token is only issued for API flows, not for Browser flows!", - "type": "string" - } - }, - "required": [ - "session" - ], - "type": "object" - }, - "successfulNativeLogin": { - "description": "The Response for Login Flows via API", - "properties": { - "session": { - "$ref": "#/components/schemas/session" - }, - "session_token": { - "description": "The Session Token\n\nA session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization\nHeader:\n\nAuthorization: bearer ${session-token}\n\nThe session token is only issued for API flows, not for Browser flows!", - "type": "string" - } - }, - "required": [ - "session" - ], - "type": "object" - }, - "successfulNativeRegistration": { - "description": "The Response for Registration Flows via API", - "properties": { - "continue_with": { - "description": "Contains a list of actions, that could follow this flow\n\nIt can, for example, this will contain a reference to the verification flow, created as part of the user's\nregistration or the token of the session.", - "items": { - "$ref": "#/components/schemas/continueWith" - }, - "type": "array" - }, - "identity": { - "$ref": "#/components/schemas/identity" - }, - "session": { - "$ref": "#/components/schemas/session" - }, - "session_token": { - "description": "The Session Token\n\nThis field is only set when the session hook is configured as a post-registration hook.\n\nA session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization\nHeader:\n\nAuthorization: bearer ${session-token}\n\nThe session token is only issued for API flows, not for Browser flows!", - "type": "string" - } - }, - "required": [ - "identity" - ], - "type": "object" - }, - "successfulProjectUpdate": { - "properties": { - "project": { - "$ref": "#/components/schemas/project" - }, - "warnings": { - "description": "Import Warnings\n\nNot all configuration items can be imported to the Ory Network. For example,\nsetting the port does not make sense because the Ory Network provides the runtime\nand networking.\n\nThis field contains warnings where configuration keys were found but can not\nbe imported. These keys will be ignored by the Ory Network. This field will help\nyou understand why certain configuration keys might not be respected!", - "items": { - "$ref": "#/components/schemas/Warning" - }, - "type": "array" - } - }, - "required": [ - "project", - "warnings" - ], - "type": "object" - }, - "tokenPagination": { - "properties": { - "page_size": { - "default": 250, - "description": "Items per page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "format": "int64", - "maximum": 1000, - "minimum": 1, - "type": "integer" - }, - "page_token": { - "default": "1", - "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "minimum": 1, - "type": "string" - } - }, - "type": "object" - }, - "tokenPaginationHeaders": { - "properties": { - "link": { - "description": "The link header contains pagination links.\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).\n\nin: header", - "type": "string" - }, - "x-total-count": { - "description": "The total number of clients.\n\nin: header", - "type": "string" - } - }, - "type": "object" - }, - "tokenPaginationRequestParameters": { - "description": "The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as:\n`\u003chttps://{project-slug}.projects.oryapis.com/admin/clients?page_size={limit}\u0026page_token={offset}\u003e; rel=\"{page}\"`\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "properties": { - "page_size": { - "default": 250, - "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "format": "int64", - "maximum": 500, - "minimum": 1, - "type": "integer" - }, - "page_token": { - "default": "1", - "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "minimum": 1, - "type": "string" - } - }, - "title": "Pagination Request Parameters", - "type": "object" - }, - "tokenPaginationResponseHeaders": { - "description": "The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as:\n`\u003chttps://{project-slug}.projects.oryapis.com/admin/clients?page_size={limit}\u0026page_token={offset}\u003e; rel=\"{page}\"`\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "properties": { - "link": { - "description": "The Link HTTP Header\n\nThe `Link` header contains a comma-delimited list of links to the following pages:\n\nfirst: The first page of results.\nnext: The next page of results.\nprev: The previous page of results.\nlast: The last page of results.\n\nPages are omitted if they do not exist. For example, if there is no next page, the `next` link is omitted. Examples:\n\n\u003c/clients?page_size=5\u0026page_token=0\u003e; rel=\"first\",\u003c/clients?page_size=5\u0026page_token=15\u003e; rel=\"next\",\u003c/clients?page_size=5\u0026page_token=5\u003e; rel=\"prev\",\u003c/clients?page_size=5\u0026page_token=20\u003e; rel=\"last\"", - "type": "string" - }, - "x-total-count": { - "description": "The X-Total-Count HTTP Header\n\nThe `X-Total-Count` header contains the total number of items in the collection.", - "format": "int64", - "type": "integer" - } - }, - "title": "Pagination Response Header", - "type": "object" - }, - "trustOAuth2JwtGrantIssuer": { - "description": "Trust OAuth2 JWT Bearer Grant Type Issuer Request Body", - "properties": { - "allow_any_subject": { - "description": "The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT.", - "type": "boolean" - }, - "expires_at": { - "description": "The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\".", - "format": "date-time", - "type": "string" - }, - "issuer": { - "description": "The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT).", - "example": "https://jwt-idp.example.com", - "type": "string" - }, - "jwk": { - "$ref": "#/components/schemas/jsonWebKey" - }, - "scope": { - "description": "The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])", - "example": [ - "openid", - "offline" - ], - "items": { - "type": "string" - }, - "type": "array" - }, - "subject": { - "description": "The \"subject\" identifies the principal that is the subject of the JWT.", - "example": "mike@example.com", - "type": "string" - } - }, - "required": [ - "issuer", - "scope", - "jwk", - "expires_at" - ], - "type": "object" - }, - "trustedOAuth2JwtGrantIssuer": { - "description": "OAuth2 JWT Bearer Grant Type Issuer Trust Relationship", - "properties": { - "allow_any_subject": { - "description": "The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT.", - "type": "boolean" - }, - "created_at": { - "description": "The \"created_at\" indicates, when grant was created.", - "format": "date-time", - "type": "string" - }, - "expires_at": { - "description": "The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\".", - "format": "date-time", - "type": "string" - }, - "id": { - "example": "9edc811f-4e28-453c-9b46-4de65f00217f", - "type": "string" - }, - "issuer": { - "description": "The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT).", - "example": "https://jwt-idp.example.com", - "type": "string" - }, - "public_key": { - "$ref": "#/components/schemas/trustedOAuth2JwtGrantJsonWebKey" - }, - "scope": { - "description": "The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])", - "example": [ - "openid", - "offline" - ], - "items": { - "type": "string" - }, - "type": "array" - }, - "subject": { - "description": "The \"subject\" identifies the principal that is the subject of the JWT.", - "example": "mike@example.com", - "type": "string" - } - }, - "type": "object" - }, - "trustedOAuth2JwtGrantIssuers": { - "description": "OAuth2 JWT Bearer Grant Type Issuer Trust Relationships", - "items": { - "$ref": "#/components/schemas/trustedOAuth2JwtGrantIssuer" - }, - "type": "array" - }, - "trustedOAuth2JwtGrantJsonWebKey": { - "description": "OAuth2 JWT Bearer Grant Type Issuer Trusted JSON Web Key", - "properties": { - "kid": { - "description": "The \"key_id\" is key unique identifier (same as kid header in jws/jwt).", - "example": "123e4567-e89b-12d3-a456-426655440000", - "type": "string" - }, - "set": { - "description": "The \"set\" is basically a name for a group(set) of keys. Will be the same as \"issuer\" in grant.", - "example": "https://jwt-idp.example.com", - "type": "string" - } - }, - "type": "object" - }, - "uiContainer": { - "description": "Container represents a HTML Form. The container can work with both HTTP Form and JSON requests", - "properties": { - "action": { - "description": "Action should be used as the form action URL `\u003cform action=\"{{ .Action }}\" method=\"post\"\u003e`.", - "type": "string" - }, - "messages": { - "$ref": "#/components/schemas/uiTexts" - }, - "method": { - "description": "Method is the form method (e.g. POST)", - "type": "string" - }, - "nodes": { - "$ref": "#/components/schemas/uiNodes" - } - }, - "required": [ - "action", - "method", - "nodes" - ], - "type": "object" - }, - "uiNode": { - "description": "Nodes are represented as HTML elements or their native UI equivalents. For example,\na node can be an `\u003cimg\u003e` tag, or an `\u003cinput element\u003e` but also `some plain text`.", - "properties": { - "attributes": { - "$ref": "#/components/schemas/uiNodeAttributes" - }, - "group": { - "description": "Group specifies which group (e.g. password authenticator) this node belongs to.\ndefault DefaultGroup\npassword PasswordGroup\noidc OpenIDConnectGroup\nprofile ProfileGroup\nlink LinkGroup\ncode CodeGroup\ntotp TOTPGroup\nlookup_secret LookupGroup\nwebauthn WebAuthnGroup", - "enum": [ - "default", - "password", - "oidc", - "profile", - "link", - "code", - "totp", - "lookup_secret", - "webauthn" - ], - "type": "string", - "x-go-enum-desc": "default DefaultGroup\npassword PasswordGroup\noidc OpenIDConnectGroup\nprofile ProfileGroup\nlink LinkGroup\ncode CodeGroup\ntotp TOTPGroup\nlookup_secret LookupGroup\nwebauthn WebAuthnGroup" - }, - "messages": { - "$ref": "#/components/schemas/uiTexts" - }, - "meta": { - "$ref": "#/components/schemas/uiNodeMeta" - }, - "type": { - "description": "The node's type\ntext Text\ninput Input\nimg Image\na Anchor\nscript Script", - "enum": [ - "text", - "input", - "img", - "a", - "script" - ], - "type": "string", - "x-go-enum-desc": "text Text\ninput Input\nimg Image\na Anchor\nscript Script" - } - }, - "required": [ - "type", - "group", - "attributes", - "messages", - "meta" - ], - "title": "Node represents a flow's nodes", - "type": "object" - }, - "uiNodeAnchorAttributes": { - "properties": { - "href": { - "description": "The link's href (destination) URL.\n\nformat: uri", - "type": "string" - }, - "id": { - "description": "A unique identifier", - "type": "string" - }, - "node_type": { - "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"a\".", - "type": "string" - }, - "title": { - "$ref": "#/components/schemas/uiText" - } - }, - "required": [ - "href", - "title", - "id", - "node_type" - ], - "title": "AnchorAttributes represents the attributes of an anchor node.", - "type": "object" - }, - "uiNodeAttributes": { - "discriminator": { - "mapping": { - "a": "#/components/schemas/uiNodeAnchorAttributes", - "img": "#/components/schemas/uiNodeImageAttributes", - "input": "#/components/schemas/uiNodeInputAttributes", - "script": "#/components/schemas/uiNodeScriptAttributes", - "text": "#/components/schemas/uiNodeTextAttributes" - }, - "propertyName": "node_type" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/uiNodeInputAttributes" - }, - { - "$ref": "#/components/schemas/uiNodeTextAttributes" - }, - { - "$ref": "#/components/schemas/uiNodeImageAttributes" - }, - { - "$ref": "#/components/schemas/uiNodeAnchorAttributes" - }, - { - "$ref": "#/components/schemas/uiNodeScriptAttributes" - } - ], - "title": "Attributes represents a list of attributes (e.g. `href=\"foo\"` for links)." - }, - "uiNodeImageAttributes": { - "properties": { - "height": { - "description": "Height of the image", - "format": "int64", - "type": "integer" - }, - "id": { - "description": "A unique identifier", - "type": "string" - }, - "node_type": { - "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"img\".", - "type": "string" - }, - "src": { - "description": "The image's source URL.\n\nformat: uri", - "type": "string" - }, - "width": { - "description": "Width of the image", - "format": "int64", - "type": "integer" - } - }, - "required": [ - "src", - "id", - "width", - "height", - "node_type" - ], - "title": "ImageAttributes represents the attributes of an image node.", - "type": "object" - }, - "uiNodeInputAttributes": { - "description": "InputAttributes represents the attributes of an input node", - "properties": { - "autocomplete": { - "description": "The autocomplete attribute for the input.\nemail InputAttributeAutocompleteEmail\ntel InputAttributeAutocompleteTel\nurl InputAttributeAutocompleteUrl\ncurrent-password InputAttributeAutocompleteCurrentPassword\nnew-password InputAttributeAutocompleteNewPassword\none-time-code InputAttributeAutocompleteOneTimeCode", - "enum": [ - "email", - "tel", - "url", - "current-password", - "new-password", - "one-time-code" - ], - "type": "string", - "x-go-enum-desc": "email InputAttributeAutocompleteEmail\ntel InputAttributeAutocompleteTel\nurl InputAttributeAutocompleteUrl\ncurrent-password InputAttributeAutocompleteCurrentPassword\nnew-password InputAttributeAutocompleteNewPassword\none-time-code InputAttributeAutocompleteOneTimeCode" - }, - "disabled": { - "description": "Sets the input's disabled field to true or false.", - "type": "boolean" - }, - "label": { - "$ref": "#/components/schemas/uiText" - }, - "name": { - "description": "The input's element name.", - "type": "string" - }, - "node_type": { - "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"input\".", - "type": "string" - }, - "onclick": { - "description": "OnClick may contain javascript which should be executed on click. This is primarily\nused for WebAuthn.", - "type": "string" - }, - "pattern": { - "description": "The input's pattern.", - "type": "string" - }, - "required": { - "description": "Mark this input field as required.", - "type": "boolean" - }, - "type": { - "description": "The input's element type.\ntext InputAttributeTypeText\npassword InputAttributeTypePassword\nnumber InputAttributeTypeNumber\ncheckbox InputAttributeTypeCheckbox\nhidden InputAttributeTypeHidden\nemail InputAttributeTypeEmail\ntel InputAttributeTypeTel\nsubmit InputAttributeTypeSubmit\nbutton InputAttributeTypeButton\ndatetime-local InputAttributeTypeDateTimeLocal\ndate InputAttributeTypeDate\nurl InputAttributeTypeURI", - "enum": [ - "text", - "password", - "number", - "checkbox", - "hidden", - "email", - "tel", - "submit", - "button", - "datetime-local", - "date", - "url" - ], - "type": "string", - "x-go-enum-desc": "text InputAttributeTypeText\npassword InputAttributeTypePassword\nnumber InputAttributeTypeNumber\ncheckbox InputAttributeTypeCheckbox\nhidden InputAttributeTypeHidden\nemail InputAttributeTypeEmail\ntel InputAttributeTypeTel\nsubmit InputAttributeTypeSubmit\nbutton InputAttributeTypeButton\ndatetime-local InputAttributeTypeDateTimeLocal\ndate InputAttributeTypeDate\nurl InputAttributeTypeURI" - }, - "value": { - "description": "The input's value.", - "nullable": true - } - }, - "required": [ - "name", - "type", - "disabled", - "node_type" - ], - "type": "object" - }, - "uiNodeMeta": { - "description": "This might include a label and other information that can optionally\nbe used to render UIs.", - "properties": { - "label": { - "$ref": "#/components/schemas/uiText" - } - }, - "title": "A Node's Meta Information", - "type": "object" - }, - "uiNodeScriptAttributes": { - "properties": { - "async": { - "description": "The script async type", - "type": "boolean" - }, - "crossorigin": { - "description": "The script cross origin policy", - "type": "string" - }, - "id": { - "description": "A unique identifier", - "type": "string" - }, - "integrity": { - "description": "The script's integrity hash", - "type": "string" - }, - "node_type": { - "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"script\".", - "type": "string" - }, - "nonce": { - "description": "Nonce for CSP\n\nA nonce you may want to use to improve your Content Security Policy.\nYou do not have to use this value but if you want to improve your CSP\npolicies you may use it. You can also choose to use your own nonce value!", - "type": "string" - }, - "referrerpolicy": { - "description": "The script referrer policy", - "type": "string" - }, - "src": { - "description": "The script source", - "type": "string" - }, - "type": { - "description": "The script MIME type", - "type": "string" - } - }, - "required": [ - "src", - "async", - "referrerpolicy", - "crossorigin", - "integrity", - "type", - "id", - "nonce", - "node_type" - ], - "title": "ScriptAttributes represent script nodes which load javascript.", - "type": "object" - }, - "uiNodeTextAttributes": { - "properties": { - "id": { - "description": "A unique identifier", - "type": "string" - }, - "node_type": { - "description": "NodeType represents this node's types. It is a mirror of `node.type` and\nis primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is \"text\".", - "type": "string" - }, - "text": { - "$ref": "#/components/schemas/uiText" - } - }, - "required": [ - "text", - "id", - "node_type" - ], - "title": "TextAttributes represents the attributes of a text node.", - "type": "object" - }, - "uiNodes": { - "items": { - "$ref": "#/components/schemas/uiNode" - }, - "type": "array" - }, - "uiText": { - "properties": { - "context": { - "description": "The message's context. Useful when customizing messages.", - "type": "object" - }, - "id": { - "$ref": "#/components/schemas/ID" - }, - "text": { - "description": "The message text. Written in american english.", - "type": "string" - }, - "type": { - "description": "The message type.\ninfo Info\nerror Error\nsuccess Success", - "enum": [ - "info", - "error", - "success" - ], - "type": "string", - "x-go-enum-desc": "info Info\nerror Error\nsuccess Success" - } - }, - "required": [ - "id", - "text", - "type" - ], - "type": "object" - }, - "uiTexts": { - "items": { - "$ref": "#/components/schemas/uiText" - }, - "type": "array" - }, - "unexpectedError": { - "type": "string" - }, - "updateIdentityBody": { - "description": "Update Identity Body", - "properties": { - "credentials": { - "$ref": "#/components/schemas/identityWithCredentials" - }, - "metadata_admin": { - "description": "Store metadata about the user which is only accessible through admin APIs such as `GET /admin/identities/\u003cid\u003e`." - }, - "metadata_public": { - "description": "Store metadata about the identity which the identity itself can see when calling for example the\nsession endpoint. Do not store sensitive information (e.g. credit score) about the identity in this field." - }, - "schema_id": { - "description": "SchemaID is the ID of the JSON Schema to be used for validating the identity's traits. If set\nwill update the Identity's SchemaID.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/identityState" - }, - "traits": { - "description": "Traits represent an identity's traits. The identity is able to create, modify, and delete traits\nin a self-service manner. The input will always be validated against the JSON Schema defined\nin `schema_id`.", - "type": "object" - } - }, - "required": [ - "schema_id", - "traits", - "state" - ], - "type": "object" - }, - "updateLoginFlowBody": { - "discriminator": { - "mapping": { - "lookup_secret": "#/components/schemas/updateLoginFlowWithLookupSecretMethod", - "oidc": "#/components/schemas/updateLoginFlowWithOidcMethod", - "password": "#/components/schemas/updateLoginFlowWithPasswordMethod", - "totp": "#/components/schemas/updateLoginFlowWithTotpMethod", - "webauthn": "#/components/schemas/updateLoginFlowWithWebAuthnMethod" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/updateLoginFlowWithPasswordMethod" - }, - { - "$ref": "#/components/schemas/updateLoginFlowWithOidcMethod" - }, - { - "$ref": "#/components/schemas/updateLoginFlowWithTotpMethod" - }, - { - "$ref": "#/components/schemas/updateLoginFlowWithWebAuthnMethod" - }, - { - "$ref": "#/components/schemas/updateLoginFlowWithLookupSecretMethod" - } - ] - }, - "updateLoginFlowWithLookupSecretMethod": { - "description": "Update Login Flow with Lookup Secret Method", - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "lookup_secret": { - "description": "The lookup secret.", - "type": "string" - }, - "method": { - "description": "Method should be set to \"lookup_secret\" when logging in using the lookup_secret strategy.", - "type": "string" - } - }, - "required": [ - "method", - "lookup_secret" - ], - "type": "object" - }, - "updateLoginFlowWithOidcMethod": { - "description": "Update Login Flow with OpenID Connect Method", - "properties": { - "csrf_token": { - "description": "The CSRF Token", - "type": "string" - }, - "method": { - "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", - "type": "string" - }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, - "traits": { - "description": "The identity traits. This is a placeholder for the registration flow.", - "type": "object" - }, - "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", - "type": "object" - } - }, - "required": [ - "provider", - "method" - ], - "type": "object" - }, - "updateLoginFlowWithPasswordMethod": { - "description": "Update Login Flow with Password Method", - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "identifier": { - "description": "Identifier is the email or username of the user trying to log in.", - "type": "string" - }, - "method": { - "description": "Method should be set to \"password\" when logging in using the identifier and password strategy.", - "type": "string" - }, - "password": { - "description": "The user's password.", - "type": "string" - }, - "password_identifier": { - "description": "Identifier is the email or username of the user trying to log in.\nThis field is deprecated!", - "type": "string" - } - }, - "required": [ - "method", - "password", - "identifier" - ], - "type": "object" - }, - "updateLoginFlowWithTotpMethod": { - "description": "Update Login Flow with TOTP Method", - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "method": { - "description": "Method should be set to \"totp\" when logging in using the TOTP strategy.", - "type": "string" - }, - "totp_code": { - "description": "The TOTP code.", - "type": "string" - } - }, - "required": [ - "method", - "totp_code" - ], - "type": "object" - }, - "updateLoginFlowWithWebAuthnMethod": { - "description": "Update Login Flow with WebAuthn Method", - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "identifier": { - "description": "Identifier is the email or username of the user trying to log in.", - "type": "string" - }, - "method": { - "description": "Method should be set to \"webAuthn\" when logging in using the WebAuthn strategy.", - "type": "string" - }, - "webauthn_login": { - "description": "Login a WebAuthn Security Key\n\nThis must contain the ID of the WebAuthN connection.", - "type": "string" - } - }, - "required": [ - "identifier", - "method" - ], - "type": "object" - }, - "updateRecoveryFlowBody": { - "description": "Update Recovery Flow Request Body", - "discriminator": { - "mapping": { - "code": "#/components/schemas/updateRecoveryFlowWithCodeMethod", - "link": "#/components/schemas/updateRecoveryFlowWithLinkMethod" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/updateRecoveryFlowWithLinkMethod" - }, - { - "$ref": "#/components/schemas/updateRecoveryFlowWithCodeMethod" - } - ] - }, - "updateRecoveryFlowWithCodeMethod": { - "description": "Update Recovery Flow with Code Method", - "properties": { - "code": { - "description": "Code from the recovery email\n\nIf you want to submit a code, use this field, but make sure to _not_ include the email field, as well.", - "type": "string" - }, - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "email": { - "description": "The email address of the account to recover\n\nIf the email belongs to a valid account, a recovery email will be sent.\n\nIf you want to notify the email address if the account does not exist, see\nthe [notify_unknown_recipients flag](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#attempted-recovery-notifications)\n\nIf a code was already sent, including this field in the payload will invalidate the sent code and re-send a new code.\n\nformat: email", - "type": "string" - }, - "method": { - "description": "Method is the method that should be used for this recovery flow\n\nAllowed values are `link` and `code`.\nlink RecoveryStrategyLink\ncode RecoveryStrategyCode", - "enum": [ - "link", - "code" - ], - "type": "string", - "x-go-enum-desc": "link RecoveryStrategyLink\ncode RecoveryStrategyCode" - } - }, - "required": [ - "method" - ], - "type": "object" - }, - "updateRecoveryFlowWithLinkMethod": { - "description": "Update Recovery Flow with Link Method", - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "email": { - "description": "Email to Recover\n\nNeeds to be set when initiating the flow. If the email is a registered\nrecovery email, a recovery link will be sent. If the email is not known,\na email with details on what happened will be sent instead.\n\nformat: email", - "type": "string" - }, - "method": { - "description": "Method is the method that should be used for this recovery flow\n\nAllowed values are `link` and `code`\nlink RecoveryStrategyLink\ncode RecoveryStrategyCode", - "enum": [ - "link", - "code" - ], - "type": "string", - "x-go-enum-desc": "link RecoveryStrategyLink\ncode RecoveryStrategyCode" - } - }, - "required": [ - "email", - "method" - ], - "type": "object" - }, - "updateRegistrationFlowBody": { - "description": "Update Registration Request Body", - "discriminator": { - "mapping": { - "oidc": "#/components/schemas/updateRegistrationFlowWithOidcMethod", - "password": "#/components/schemas/updateRegistrationFlowWithPasswordMethod", - "webauthn": "#/components/schemas/updateRegistrationFlowWithWebAuthnMethod" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/updateRegistrationFlowWithPasswordMethod" - }, - { - "$ref": "#/components/schemas/updateRegistrationFlowWithOidcMethod" - }, - { - "$ref": "#/components/schemas/updateRegistrationFlowWithWebAuthnMethod" - } - ] - }, - "updateRegistrationFlowWithOidcMethod": { - "description": "Update Registration Flow with OpenID Connect Method", - "properties": { - "csrf_token": { - "description": "The CSRF Token", - "type": "string" - }, - "method": { - "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", - "type": "string" - }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, - "traits": { - "description": "The identity traits", - "type": "object" - }, - "transient_payload": { - "description": "Transient data to pass along to any webhooks", - "type": "object" - }, - "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", - "type": "object" - } - }, - "required": [ - "provider", - "method" - ], - "type": "object" - }, - "updateRegistrationFlowWithPasswordMethod": { - "description": "Update Registration Flow with Password Method", - "properties": { - "csrf_token": { - "description": "The CSRF Token", - "type": "string" - }, - "method": { - "description": "Method to use\n\nThis field must be set to `password` when using the password method.", - "type": "string" - }, - "password": { - "description": "Password to sign the user up with", - "type": "string" - }, - "traits": { - "description": "The identity's traits", - "type": "object" - }, - "transient_payload": { - "description": "Transient data to pass along to any webhooks", - "type": "object" - } - }, - "required": [ - "password", - "traits", - "method" - ], - "type": "object" - }, - "updateRegistrationFlowWithWebAuthnMethod": { - "description": "Update Registration Flow with WebAuthn Method", - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to \"webauthn\" when trying to add, update, or remove a webAuthn pairing.", - "type": "string" - }, - "traits": { - "description": "The identity's traits", - "type": "object" - }, - "transient_payload": { - "description": "Transient data to pass along to any webhooks", - "type": "object" - }, - "webauthn_register": { - "description": "Register a WebAuthn Security Key\n\nIt is expected that the JSON returned by the WebAuthn registration process\nis included here.", - "type": "string" - }, - "webauthn_register_displayname": { - "description": "Name of the WebAuthn Security Key to be Added\n\nA human-readable name for the security key which will be added.", - "type": "string" - } - }, - "required": [ - "traits", - "method" - ], - "type": "object" - }, - "updateSettingsFlowBody": { - "description": "Update Settings Flow Request Body", - "discriminator": { - "mapping": { - "lookup_secret": "#/components/schemas/updateSettingsFlowWithLookupMethod", - "oidc": "#/components/schemas/updateSettingsFlowWithOidcMethod", - "password": "#/components/schemas/updateSettingsFlowWithPasswordMethod", - "profile": "#/components/schemas/updateSettingsFlowWithProfileMethod", - "totp": "#/components/schemas/updateSettingsFlowWithTotpMethod", - "webauthn": "#/components/schemas/updateSettingsFlowWithWebAuthnMethod" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/updateSettingsFlowWithPasswordMethod" - }, - { - "$ref": "#/components/schemas/updateSettingsFlowWithProfileMethod" - }, - { - "$ref": "#/components/schemas/updateSettingsFlowWithOidcMethod" - }, - { - "$ref": "#/components/schemas/updateSettingsFlowWithOidcMethod" - }, - { - "$ref": "#/components/schemas/updateSettingsFlowWithTotpMethod" - }, - { - "$ref": "#/components/schemas/updateSettingsFlowWithWebAuthnMethod" - }, - { - "$ref": "#/components/schemas/updateSettingsFlowWithLookupMethod" - } - ] - }, - "updateSettingsFlowWithLookupMethod": { - "description": "Update Settings Flow with Lookup Method", - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "lookup_secret_confirm": { - "description": "If set to true will save the regenerated lookup secrets", - "type": "boolean" - }, - "lookup_secret_disable": { - "description": "Disables this method if true.", - "type": "boolean" - }, - "lookup_secret_regenerate": { - "description": "If set to true will regenerate the lookup secrets", - "type": "boolean" - }, - "lookup_secret_reveal": { - "description": "If set to true will reveal the lookup secrets", - "type": "boolean" - }, - "method": { - "description": "Method\n\nShould be set to \"lookup\" when trying to add, update, or remove a lookup pairing.", - "type": "string" - } - }, - "required": [ - "method" - ], - "type": "object" - }, - "updateSettingsFlowWithOidcMethod": { - "description": "Update Settings Flow with OpenID Connect Method", - "properties": { - "flow": { - "description": "Flow ID is the flow's ID.\n\nin: query", - "type": "string" - }, - "link": { - "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to profile when trying to update a profile.", - "type": "string" - }, - "traits": { - "description": "The identity's traits\n\nin: body", - "type": "object" - }, - "unlink": { - "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", - "type": "string" - }, - "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", - "type": "object" - } - }, - "required": [ - "method" - ], - "type": "object" - }, - "updateSettingsFlowWithPasswordMethod": { - "description": "Update Settings Flow with Password Method", - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to password when trying to update a password.", - "type": "string" - }, - "password": { - "description": "Password is the updated password", - "type": "string" - } - }, - "required": [ - "password", - "method" - ], - "type": "object" - }, - "updateSettingsFlowWithProfileMethod": { - "description": "Update Settings Flow with Profile Method", - "properties": { - "csrf_token": { - "description": "The Anti-CSRF Token\n\nThis token is only required when performing browser flows.", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to profile when trying to update a profile.", - "type": "string" - }, - "traits": { - "description": "Traits\n\nThe identity's traits.", - "type": "object" - } - }, - "required": [ - "traits", - "method" - ], - "type": "object" - }, - "updateSettingsFlowWithTotpMethod": { - "description": "Update Settings Flow with TOTP Method", - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to \"totp\" when trying to add, update, or remove a totp pairing.", - "type": "string" - }, - "totp_code": { - "description": "ValidationTOTP must contain a valid TOTP based on the", - "type": "string" - }, - "totp_unlink": { - "description": "UnlinkTOTP if true will remove the TOTP pairing,\neffectively removing the credential. This can be used\nto set up a new TOTP device.", - "type": "boolean" - } - }, - "required": [ - "method" - ], - "type": "object" - }, - "updateSettingsFlowWithWebAuthnMethod": { - "description": "Update Settings Flow with WebAuthn Method", - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to \"webauthn\" when trying to add, update, or remove a webAuthn pairing.", - "type": "string" - }, - "webauthn_register": { - "description": "Register a WebAuthn Security Key\n\nIt is expected that the JSON returned by the WebAuthn registration process\nis included here.", - "type": "string" - }, - "webauthn_register_displayname": { - "description": "Name of the WebAuthn Security Key to be Added\n\nA human-readable name for the security key which will be added.", - "type": "string" - }, - "webauthn_remove": { - "description": "Remove a WebAuthn Security Key\n\nThis must contain the ID of the WebAuthN connection.", - "type": "string" - } - }, - "required": [ - "method" - ], - "type": "object" - }, - "updateSubscriptionBody": { - "description": "Update Subscription Request Body", - "properties": { - "interval": { - "description": "\nmonthly Monthly\nyearly Yearly", - "enum": [ - "monthly", - "yearly" - ], - "type": "string", - "x-go-enum-desc": "monthly Monthly\nyearly Yearly" - }, - "plan": { - "type": "string" - }, - "return_to": { - "type": "string" - } - }, - "required": [ - "plan", - "interval" - ], - "type": "object" - }, - "updateVerificationFlowBody": { - "description": "Update Verification Flow Request Body", - "discriminator": { - "mapping": { - "code": "#/components/schemas/updateVerificationFlowWithCodeMethod", - "link": "#/components/schemas/updateVerificationFlowWithLinkMethod" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/updateVerificationFlowWithLinkMethod" - }, - { - "$ref": "#/components/schemas/updateVerificationFlowWithCodeMethod" - } - ] - }, - "updateVerificationFlowWithCodeMethod": { - "properties": { - "code": { - "description": "Code from the recovery email\n\nIf you want to submit a code, use this field, but make sure to _not_ include the email field, as well.", - "type": "string" - }, - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "email": { - "description": "The email address to verify\n\nIf the email belongs to a valid account, a verifiation email will be sent.\n\nIf you want to notify the email address if the account does not exist, see\nthe [notify_unknown_recipients flag](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#attempted-verification-notifications)\n\nIf a code was already sent, including this field in the payload will invalidate the sent code and re-send a new code.\n\nformat: email", - "type": "string" - }, - "method": { - "description": "Method is the method that should be used for this verification flow\n\nAllowed values are `link` and `code`.\nlink VerificationStrategyLink\ncode VerificationStrategyCode", - "enum": [ - "link", - "code" - ], - "type": "string", - "x-go-enum-desc": "link VerificationStrategyLink\ncode VerificationStrategyCode" - } - }, - "required": [ - "method" - ], - "type": "object" - }, - "updateVerificationFlowWithLinkMethod": { - "description": "Update Verification Flow with Link Method", - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "email": { - "description": "Email to Verify\n\nNeeds to be set when initiating the flow. If the email is a registered\nverification email, a verification link will be sent. If the email is not known,\na email with details on what happened will be sent instead.\n\nformat: email", - "type": "string" - }, - "method": { - "description": "Method is the method that should be used for this verification flow\n\nAllowed values are `link` and `code`\nlink VerificationStrategyLink\ncode VerificationStrategyCode", - "enum": [ - "link", - "code" - ], - "type": "string", - "x-go-enum-desc": "link VerificationStrategyLink\ncode VerificationStrategyCode" - } - }, - "required": [ - "email", - "method" - ], - "type": "object" - }, - "verifiableIdentityAddress": { - "description": "VerifiableAddress is an identity's verifiable address", - "properties": { - "created_at": { - "description": "When this entry was created", - "example": "2014-01-01T23:28:56.782Z", - "format": "date-time", - "type": "string" - }, - "id": { - "description": "The ID", - "format": "uuid", - "type": "string" - }, - "status": { - "$ref": "#/components/schemas/identityVerifiableAddressStatus" - }, - "updated_at": { - "description": "When this entry was last updated", - "example": "2014-01-01T23:28:56.782Z", - "format": "date-time", - "type": "string" - }, - "value": { - "description": "The address value\n\nexample foo@user.com", - "type": "string" - }, - "verified": { - "description": "Indicates if the address has already been verified", - "example": true, - "type": "boolean" - }, - "verified_at": { - "$ref": "#/components/schemas/nullTime" - }, - "via": { - "$ref": "#/components/schemas/identityVerifiableAddressType" - } - }, - "required": [ - "value", - "verified", - "via", - "status" - ], - "type": "object" - }, - "verificationFlow": { - "description": "Used to verify an out-of-band communication\nchannel such as an email address or a phone number.\n\nFor more information head over to: https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation", - "properties": { - "active": { - "description": "Active, if set, contains the registration method that is being used. It is initially\nnot set.", - "type": "string" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the request expires. If the user still wishes to verify the address,\na new request has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "description": "ID represents the request's unique ID. When performing the verification flow, this\nrepresents the id in the verify ui's query parameter: http://\u003cselfservice.flows.verification.ui_url\u003e?request=\u003cid\u003e\n\ntype: string\nformat: uuid", - "format": "uuid", - "type": "string" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the request occurred.", - "format": "date-time", - "type": "string" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/verificationFlowState" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" - } - }, - "required": [ - "id", - "type", - "ui", - "state" - ], - "title": "A Verification Flow", - "type": "object" - }, - "verificationFlowState": { - "description": "The state represents the state of the verification flow.\n\nchoose_method: ask the user to choose a method (e.g. recover account via email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the recovery challenge was passed.", - "enum": [ - "choose_method", - "sent_email", - "passed_challenge" - ], - "title": "Verification Flow State", - "type": "string" - }, - "version": { - "properties": { - "version": { - "description": "Version is the service's version.", - "type": "string" - } - }, - "type": "object" - }, - "webAuthnJavaScript": { - "type": "string" - } - }, - "securitySchemes": { - "basic": { - "scheme": "basic", - "type": "http" - }, - "bearer": { - "scheme": "bearer", - "type": "http" - }, - "oauth2": { - "flows": { - "authorizationCode": { - "authorizationUrl": "https://hydra.demo.ory.sh/oauth2/auth", - "scopes": { - "offline": "A scope required when requesting refresh tokens (alias for `offline_access`)", - "offline_access": "A scope required when requesting refresh tokens", - "openid": "Request an OpenID Connect ID Token" - }, - "tokenUrl": "https://hydra.demo.ory.sh/oauth2/token" - } - }, - "type": "oauth2" - }, - "oryAccessToken": { - "scheme": "bearer", - "type": "http" - } - } - }, - "info": { - "contact": { - "email": "support@ory.sh", - "name": "API Support" - }, - "description": "Documentation for all public and administrative Ory APIs. Administrative APIs can only be accessed\nwith a valid Personal Access Token. Public APIs are mostly used in browsers.\n", - "license": { - "name": "Apache 2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0.html" - }, - "termsOfService": "/ptos", - "title": "Ory APIs", - "version": "latest" - }, - "openapi": "3.0.3", - "paths": { - "/.well-known/jwks.json": { - "get": { - "description": "This endpoint returns JSON Web Keys required to verifying OpenID Connect ID Tokens and,\nif enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like\n[node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) among others.", - "operationId": "discoverJsonWebKeys", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonWebKeySet" - } - } - }, - "description": "jsonWebKeySet" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "summary": "Discover Well-Known JSON Web Keys", - "tags": [ - "wellknown" - ] - } - }, - "/.well-known/openid-configuration": { - "get": { - "description": "A mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations.\n\nPopular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others.\nFor a full list of clients go here: https://openid.net/developers/certified/", - "operationId": "discoverOidcConfiguration", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oidcConfiguration" - } - } - }, - "description": "oidcConfiguration" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "summary": "OpenID Connect Discovery", - "tags": [ - "oidc" - ] - } - }, - "/.well-known/ory/webauthn.js": { - "get": { - "description": "This endpoint provides JavaScript which is needed in order to perform WebAuthn login and registration.\n\nIf you are building a JavaScript Browser App (e.g. in ReactJS or AngularJS) you will need to load this file:\n\n```html\n\u003cscript src=\"https://public-kratos.example.org/.well-known/ory/webauthn.js\" type=\"script\" async /\u003e\n```\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", - "operationId": "getWebAuthnJavaScript", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/webAuthnJavaScript" - } - } - }, - "description": "webAuthnJavaScript" - } - }, - "summary": "Get WebAuthn JavaScript", - "tags": [ - "frontend" - ] - } - }, - "/admin/clients": { - "get": { - "description": "This endpoint lists all clients in the database, and never returns client secrets.\nAs a default it lists the first 100 clients.", - "operationId": "listOAuth2Clients", - "parameters": [ - { - "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "in": "query", - "name": "page_size", - "schema": { - "default": 250, - "format": "int64", - "maximum": 500, - "minimum": 1, - "type": "integer" - } - }, - { - "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "in": "query", - "name": "page_token", - "schema": { - "default": "1", - "minimum": 1, - "type": "string" - } - }, - { - "description": "The name of the clients to filter by.", - "in": "query", - "name": "client_name", - "schema": { - "type": "string" - } - }, - { - "description": "The owner of the clients to filter by.", - "in": "query", - "name": "owner", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "$ref": "#/components/responses/listOAuth2Clients" - }, - "default": { - "$ref": "#/components/responses/errorOAuth2Default" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "List OAuth 2.0 Clients", - "tags": [ - "oAuth2" - ] - }, - "post": { - "description": "Create a new OAuth 2.0 client. If you pass `client_secret` the secret is used, otherwise a random secret\nis generated. The secret is echoed in the response. It is not possible to retrieve it later on.", - "operationId": "createOAuth2Client", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "OAuth 2.0 Client Request Body", - "required": true, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "oAuth2Client" - }, - "400": { - "$ref": "#/components/responses/errorOAuth2BadRequest" - }, - "default": { - "$ref": "#/components/responses/errorOAuth2Default" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Create OAuth 2.0 Client", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/clients/{id}": { - "delete": { - "description": "Delete an existing OAuth 2.0 Client by its ID.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.\n\nMake sure that this endpoint is well protected and only callable by first-party components.", - "operationId": "deleteOAuth2Client", - "parameters": [ - { - "description": "The id of the OAuth 2.0 Client.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete OAuth 2.0 Client", - "tags": [ - "oAuth2" - ] - }, - "get": { - "description": "Get an OAuth 2.0 client by its ID. This endpoint never returns the client secret.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", - "operationId": "getOAuth2Client", - "parameters": [ - { - "description": "The id of the OAuth 2.0 Client.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "oAuth2Client" - }, - "default": { - "$ref": "#/components/responses/errorOAuth2Default" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get an OAuth 2.0 Client", - "tags": [ - "oAuth2" - ] - }, - "patch": { - "description": "Patch an existing OAuth 2.0 Client using JSON Patch. If you pass `client_secret`\nthe secret will be updated and returned via the API. This is the\nonly time you will be able to retrieve the client secret, so write it down and keep it safe.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", - "operationId": "patchOAuth2Client", - "parameters": [ - { - "description": "The id of the OAuth 2.0 Client.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonPatchDocument" - } - } - }, - "description": "OAuth 2.0 Client JSON Patch Body", - "required": true, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "oAuth2Client" - }, - "404": { - "$ref": "#/components/responses/errorOAuth2NotFound" - }, - "default": { - "$ref": "#/components/responses/errorOAuth2Default" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Patch OAuth 2.0 Client", - "tags": [ - "oAuth2" - ] - }, - "put": { - "description": "Replaces an existing OAuth 2.0 Client with the payload you send. If you pass `client_secret` the secret is used,\notherwise the existing secret is used.\n\nIf set, the secret is echoed in the response. It is not possible to retrieve it later on.\n\nOAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", - "operationId": "setOAuth2Client", - "parameters": [ - { - "description": "OAuth 2.0 Client ID", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "OAuth 2.0 Client Request Body", - "required": true, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "oAuth2Client" - }, - "400": { - "$ref": "#/components/responses/errorOAuth2BadRequest" - }, - "404": { - "$ref": "#/components/responses/errorOAuth2NotFound" - }, - "default": { - "$ref": "#/components/responses/errorOAuth2Default" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Set OAuth 2.0 Client", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/clients/{id}/lifespans": { - "put": { - "description": "Set lifespans of different token types issued for this OAuth 2.0 client. Does not modify other fields.", - "operationId": "setOAuth2ClientLifespans", - "parameters": [ - { - "description": "OAuth 2.0 Client ID", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2ClientTokenLifespans" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "oAuth2Client" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Set OAuth2 Client Token Lifespans", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/courier/messages": { - "get": { - "description": "Lists all messages by given status and recipient.", - "operationId": "listCourierMessages", - "parameters": [ - { - "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "in": "query", - "name": "page_size", - "schema": { - "default": 250, - "format": "int64", - "maximum": 1000, - "minimum": 1, - "type": "integer" - } - }, - { - "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "in": "query", - "name": "page_token", - "schema": { - "type": "string" - } - }, - { - "description": "Status filters out messages based on status.\nIf no value is provided, it doesn't take effect on filter.", - "in": "query", - "name": "status", - "schema": { - "$ref": "#/components/schemas/courierMessageStatus" - } - }, - { - "description": "Recipient filters out messages based on recipient.\nIf no value is provided, it doesn't take effect on filter.", - "in": "query", - "name": "recipient", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "$ref": "#/components/responses/listCourierMessages" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "List Messages", - "tags": [ - "courier" - ] - } - }, - "/admin/courier/messages/{id}": { - "get": { - "description": "Gets a specific messages by the given ID.", - "operationId": "getCourierMessage", - "parameters": [ - { - "description": "MessageID is the ID of the message.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/message" - } - } - }, - "description": "message" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get a Message", - "tags": [ - "courier" - ] - } - }, - "/admin/identities": { - "get": { - "description": "Lists all [identities](https://www.ory.sh/docs/kratos/concepts/identity-user-model) in the system.", - "operationId": "listIdentities", - "parameters": [ - { - "description": "Items per Page\n\nThis is the number of items per page.", - "in": "query", - "name": "per_page", - "schema": { - "default": 250, - "format": "int64", - "maximum": 1000, - "minimum": 1, - "type": "integer" - } - }, - { - "description": "Pagination Page\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.", - "in": "query", - "name": "page", - "schema": { - "default": 1, - "format": "int64", - "minimum": 1, - "type": "integer" - } - }, - { - "description": "CredentialsIdentifier is the identifier (username, email) of the credentials to look up.", - "in": "query", - "name": "credentials_identifier", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "$ref": "#/components/responses/listIdentities" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "List Identities", - "tags": [ - "identity" - ] - }, - "patch": { - "description": "Creates or delete multiple\n[identities](https://www.ory.sh/docs/kratos/concepts/identity-user-model).\nThis endpoint can also be used to [import\ncredentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities)\nfor instance passwords, social sign in configurations or multifactor methods.", - "operationId": "batchPatchIdentities", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/patchIdentitiesBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/batchPatchIdentitiesResponse" - } - } - }, - "description": "batchPatchIdentitiesResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "409": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Create and deletes multiple identities", - "tags": [ - "identity" - ] - }, - "post": { - "description": "Create an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model). This endpoint can also be used to\n[import credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities)\nfor instance passwords, social sign in configurations or multifactor methods.", - "operationId": "createIdentity", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/createIdentityBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identity" - } - } - }, - "description": "identity" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "409": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Create an Identity", - "tags": [ - "identity" - ] - } - }, - "/admin/identities/{id}": { - "delete": { - "description": "Calling this endpoint irrecoverably and permanently deletes the [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) given its ID. This action can not be undone.\nThis endpoint returns 204 when the identity was deleted or when the identity was not found, in which case it is\nassumed that is has been deleted already.", - "operationId": "deleteIdentity", - "parameters": [ - { - "description": "ID is the identity's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete an Identity", - "tags": [ - "identity" - ] - }, - "get": { - "description": "Return an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) by its ID. You can optionally\ninclude credentials (e.g. social sign in connections) in the response by using the `include_credential` query parameter.", - "operationId": "getIdentity", - "parameters": [ - { - "description": "ID must be set to the ID of identity you want to get", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "Include Credentials in Response\n\nInclude any credential, for example `password` or `oidc`, in the response. When set to `oidc`, This will return\nthe initial OAuth 2.0 Access Token, OAuth 2.0 Refresh Token and the OpenID Connect ID Token if available.", - "in": "query", - "name": "include_credential", - "schema": { - "items": { - "enum": [ - "password", - "totp", - "oidc", - "webauthn", - "lookup_secret" - ], - "type": "string" - }, - "type": "array" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identity" - } - } - }, - "description": "identity" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get an Identity", - "tags": [ - "identity" - ] - }, - "patch": { - "description": "Partially updates an [identity's](https://www.ory.sh/docs/kratos/concepts/identity-user-model) field using [JSON Patch](https://jsonpatch.com/).\nThe fields `id`, `stateChangedAt` and `credentials` can not be updated using this method.", - "operationId": "patchIdentity", - "parameters": [ - { - "description": "ID must be set to the ID of identity you want to update", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonPatchDocument" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identity" - } - } - }, - "description": "identity" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "409": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Patch an Identity", - "tags": [ - "identity" - ] - }, - "put": { - "description": "This endpoint updates an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model). The full identity\npayload (except credentials) is expected. It is possible to update the identity's credentials as well.", - "operationId": "updateIdentity", - "parameters": [ - { - "description": "ID must be set to the ID of identity you want to update", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/updateIdentityBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identity" - } - } - }, - "description": "identity" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "409": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Update an Identity", - "tags": [ - "identity" - ] - } - }, - "/admin/identities/{id}/credentials/{type}": { - "delete": { - "description": "Delete an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) credential by its type\nYou can only delete second factor (aal2) credentials.", - "operationId": "deleteIdentityCredentials", - "parameters": [ - { - "description": "ID is the identity's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "Type is the credential's Type.\nOne of totp, webauthn, lookup", - "in": "path", - "name": "type", - "required": true, - "schema": { - "enum": [ - "totp", - "webauthn", - "lookup" - ], - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete a credential for a specific identity", - "tags": [ - "identity" - ] - } - }, - "/admin/identities/{id}/sessions": { - "delete": { - "description": "Calling this endpoint irrecoverably and permanently deletes and invalidates all sessions that belong to the given Identity.", - "operationId": "deleteIdentitySessions", - "parameters": [ - { - "description": "ID is the identity's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete \u0026 Invalidate an Identity's Sessions", - "tags": [ - "identity" - ] - }, - "get": { - "description": "This endpoint returns all sessions that belong to the given Identity.", - "operationId": "listIdentitySessions", - "parameters": [ - { - "description": "Items per Page\n\nThis is the number of items per page.", - "in": "query", - "name": "per_page", - "schema": { - "default": 250, - "format": "int64", - "maximum": 1000, - "minimum": 1, - "type": "integer" - } - }, - { - "description": "Pagination Page\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.", - "in": "query", - "name": "page", - "schema": { - "default": 1, - "format": "int64", - "minimum": 1, - "type": "integer" - } - }, - { - "description": "ID is the identity's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "Active is a boolean flag that filters out sessions based on the state. If no value is provided, all sessions are returned.", - "in": "query", - "name": "active", - "schema": { - "type": "boolean" - } - } - ], - "responses": { - "200": { - "$ref": "#/components/responses/listIdentitySessions" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "List an Identity's Sessions", - "tags": [ - "identity" - ] - } - }, - "/admin/keys/{set}": { - "delete": { - "description": "Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", - "operationId": "deleteJsonWebKeySet", - "parameters": [ - { - "description": "The JSON Web Key Set", - "in": "path", - "name": "set", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete JSON Web Key Set", - "tags": [ - "jwk" - ] - }, - "get": { - "description": "This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", - "operationId": "getJsonWebKeySet", - "parameters": [ - { - "description": "JSON Web Key Set ID", - "in": "path", - "name": "set", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonWebKeySet" - } - } - }, - "description": "jsonWebKeySet" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Retrieve a JSON Web Key Set", - "tags": [ - "jwk" - ] - }, - "post": { - "description": "This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", - "operationId": "createJsonWebKeySet", - "parameters": [ - { - "description": "The JSON Web Key Set ID", - "in": "path", - "name": "set", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/createJsonWebKeySet" - } - } - }, - "required": true, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonWebKeySet" - } - } - }, - "description": "jsonWebKeySet" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Create JSON Web Key", - "tags": [ - "jwk" - ] - }, - "put": { - "description": "Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", - "operationId": "setJsonWebKeySet", - "parameters": [ - { - "description": "The JSON Web Key Set ID", - "in": "path", - "name": "set", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonWebKeySet" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonWebKeySet" - } - } - }, - "description": "jsonWebKeySet" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Update a JSON Web Key Set", - "tags": [ - "jwk" - ] - } - }, - "/admin/keys/{set}/{kid}": { - "delete": { - "description": "Use this endpoint to delete a single JSON Web Key.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A\nJWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses\nthis functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens),\nand allows storing user-defined keys as well.", - "operationId": "deleteJsonWebKey", - "parameters": [ - { - "description": "The JSON Web Key Set", - "in": "path", - "name": "set", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The JSON Web Key ID (kid)", - "in": "path", - "name": "kid", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete JSON Web Key", - "tags": [ - "jwk" - ] - }, - "get": { - "description": "This endpoint returns a singular JSON Web Key contained in a set. It is identified by the set and the specific key ID (kid).", - "operationId": "getJsonWebKey", - "parameters": [ - { - "description": "JSON Web Key Set ID", - "in": "path", - "name": "set", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "JSON Web Key ID", - "in": "path", - "name": "kid", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonWebKeySet" - } - } - }, - "description": "jsonWebKeySet" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get JSON Web Key", - "tags": [ - "jwk" - ] - }, - "put": { - "description": "Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", - "operationId": "setJsonWebKey", - "parameters": [ - { - "description": "The JSON Web Key Set ID", - "in": "path", - "name": "set", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "JSON Web Key ID", - "in": "path", - "name": "kid", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonWebKey" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonWebKey" - } - } - }, - "description": "jsonWebKey" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Set JSON Web Key", - "tags": [ - "jwk" - ] - } - }, - "/admin/oauth2/auth/requests/consent": { - "get": { - "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted\nor rejected the request.\n\nThe default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please\nhead over to the OAuth 2.0 documentation.", - "operationId": "getOAuth2ConsentRequest", - "parameters": [ - { - "description": "OAuth 2.0 Consent Request Challenge", - "in": "query", - "name": "consent_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2ConsentRequest" - } - } - }, - "description": "oAuth2ConsentRequest" - }, - "410": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2RedirectTo" - } - } - }, - "description": "oAuth2RedirectTo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get OAuth 2.0 Consent Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/requests/consent/accept": { - "put": { - "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted\nor rejected the request.\n\nThis endpoint tells Ory that the subject has authorized the OAuth 2.0 client to access resources on his/her behalf.\nThe consent provider includes additional information, such as session data for access and ID tokens, and if the\nconsent request should be used as basis for future requests.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.\n\nThe default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please\nhead over to the OAuth 2.0 documentation.", - "operationId": "acceptOAuth2ConsentRequest", - "parameters": [ - { - "description": "OAuth 2.0 Consent Request Challenge", - "in": "query", - "name": "consent_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/acceptOAuth2ConsentRequest" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2RedirectTo" - } - } - }, - "description": "oAuth2RedirectTo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Accept OAuth 2.0 Consent Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/requests/consent/reject": { - "put": { - "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted\nor rejected the request.\n\nThis endpoint tells Ory that the subject has not authorized the OAuth 2.0 client to access resources on his/her behalf.\nThe consent provider must include a reason why the consent was not granted.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.\n\nThe default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please\nhead over to the OAuth 2.0 documentation.", - "operationId": "rejectOAuth2ConsentRequest", - "parameters": [ - { - "description": "OAuth 2.0 Consent Request Challenge", - "in": "query", - "name": "consent_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/rejectOAuth2Request" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2RedirectTo" - } - } - }, - "description": "oAuth2RedirectTo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Reject OAuth 2.0 Consent Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/requests/login": { - "get": { - "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell the Ory OAuth2 Service about it.\n\nPer default, the login provider is Ory itself. You may use a different login provider which needs to be a web-app\nyou write and host, and it must be able to authenticate (\"show the subject a login screen\")\na subject (in OAuth2 the proper name for subject is \"resource owner\").\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.", - "operationId": "getOAuth2LoginRequest", - "parameters": [ - { - "description": "OAuth 2.0 Login Request Challenge", - "in": "query", - "name": "login_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2LoginRequest" - } - } - }, - "description": "oAuth2LoginRequest" - }, - "410": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2RedirectTo" - } - } - }, - "description": "oAuth2RedirectTo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get OAuth 2.0 Login Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/requests/login/accept": { - "put": { - "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell the Ory OAuth2 Service about it.\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.\n\nThis endpoint tells Ory that the subject has successfully authenticated and includes additional information such as\nthe subject's ID and if Ory should remember the subject's subject agent for future authentication attempts by setting\na cookie.\n\nThe response contains a redirect URL which the login provider should redirect the user-agent to.", - "operationId": "acceptOAuth2LoginRequest", - "parameters": [ - { - "description": "OAuth 2.0 Login Request Challenge", - "in": "query", - "name": "login_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/acceptOAuth2LoginRequest" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2RedirectTo" - } - } - }, - "description": "oAuth2RedirectTo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Accept OAuth 2.0 Login Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/requests/login/reject": { - "put": { - "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell the Ory OAuth2 Service about it.\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.\n\nThis endpoint tells Ory that the subject has not authenticated and includes a reason why the authentication\nwas denied.\n\nThe response contains a redirect URL which the login provider should redirect the user-agent to.", - "operationId": "rejectOAuth2LoginRequest", - "parameters": [ - { - "description": "OAuth 2.0 Login Request Challenge", - "in": "query", - "name": "login_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/rejectOAuth2Request" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2RedirectTo" - } - } - }, - "description": "oAuth2RedirectTo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Reject OAuth 2.0 Login Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/requests/logout": { - "get": { - "description": "Use this endpoint to fetch an Ory OAuth 2.0 logout request.", - "operationId": "getOAuth2LogoutRequest", - "parameters": [ - { - "in": "query", - "name": "logout_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2LogoutRequest" - } - } - }, - "description": "oAuth2LogoutRequest" - }, - "410": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2RedirectTo" - } - } - }, - "description": "oAuth2RedirectTo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get OAuth 2.0 Session Logout Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/requests/logout/accept": { - "put": { - "description": "When a user or an application requests Ory OAuth 2.0 to remove the session state of a subject, this endpoint is used to confirm that logout request.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.", - "operationId": "acceptOAuth2LogoutRequest", - "parameters": [ - { - "description": "OAuth 2.0 Logout Request Challenge", - "in": "query", - "name": "logout_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2RedirectTo" - } - } - }, - "description": "oAuth2RedirectTo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Accept OAuth 2.0 Session Logout Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/requests/logout/reject": { - "put": { - "description": "When a user or an application requests Ory OAuth 2.0 to remove the session state of a subject, this endpoint is used to deny that logout request.\nNo HTTP request body is required.\n\nThe response is empty as the logout provider has to chose what action to perform next.", - "operationId": "rejectOAuth2LogoutRequest", - "parameters": [ - { - "in": "query", - "name": "logout_challenge", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Reject OAuth 2.0 Session Logout Request", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/sessions/consent": { - "delete": { - "description": "This endpoint revokes a subject's granted consent sessions and invalidates all\nassociated OAuth 2.0 Access Tokens. You may also only revoke sessions for a specific OAuth 2.0 Client ID.", - "operationId": "revokeOAuth2ConsentSessions", - "parameters": [ - { - "description": "OAuth 2.0 Consent Subject\n\nThe subject whose consent sessions should be deleted.", - "in": "query", - "name": "subject", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "OAuth 2.0 Client ID\n\nIf set, deletes only those consent sessions that have been granted to the specified OAuth 2.0 Client ID.", - "in": "query", - "name": "client", - "schema": { - "type": "string" - } - }, - { - "description": "Revoke All Consent Sessions\n\nIf set to `true` deletes all consent sessions by the Subject that have been granted.", - "in": "query", - "name": "all", - "schema": { - "type": "boolean" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Revoke OAuth 2.0 Consent Sessions of a Subject", - "tags": [ - "oAuth2" - ] - }, - "get": { - "description": "This endpoint lists all subject's granted consent sessions, including client and granted scope.\nIf the subject is unknown or has not granted any consent sessions yet, the endpoint returns an\nempty JSON array with status code 200 OK.", - "operationId": "listOAuth2ConsentSessions", - "parameters": [ - { - "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "in": "query", - "name": "page_size", - "schema": { - "default": 250, - "format": "int64", - "maximum": 500, - "minimum": 1, - "type": "integer" - } - }, - { - "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "in": "query", - "name": "page_token", - "schema": { - "default": "1", - "minimum": 1, - "type": "string" - } - }, - { - "description": "The subject to list the consent sessions for.", - "in": "query", - "name": "subject", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The login session id to list the consent sessions for.", - "in": "query", - "name": "login_session_id", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2ConsentSessions" - } - } - }, - "description": "oAuth2ConsentSessions" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "List OAuth 2.0 Consent Sessions of a Subject", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/auth/sessions/login": { - "delete": { - "description": "This endpoint invalidates authentication sessions. After revoking the authentication session(s), the subject\nhas to re-authenticate at the Ory OAuth2 Provider. This endpoint does not invalidate any tokens.\n\nIf you send the subject in a query param, all authentication sessions that belong to that subject are revoked.\nNo OpennID Connect Front- or Back-channel logout is performed in this case.\n\nAlternatively, you can send a SessionID via `sid` query param, in which case, only the session that is connected\nto that SessionID is revoked. OpenID Connect Back-channel logout is performed in this case.", - "operationId": "revokeOAuth2LoginSessions", - "parameters": [ - { - "description": "OAuth 2.0 Subject\n\nThe subject to revoke authentication sessions for.", - "in": "query", - "name": "subject", - "schema": { - "type": "string" - } - }, - { - "description": "OAuth 2.0 Subject\n\nThe subject to revoke authentication sessions for.", - "in": "query", - "name": "sid", - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Revokes OAuth 2.0 Login Sessions by either a Subject or a SessionID", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/introspect": { - "post": { - "description": "The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token\nis neither expired nor revoked. If a token is active, additional information on the token will be included. You can\nset additional data for a token by setting `session.access_token` during the consent flow.", - "operationId": "introspectOAuth2Token", - "requestBody": { - "content": { - "application/x-www-form-urlencoded": { - "schema": { - "properties": { - "scope": { - "description": "An optional, space separated list of required scopes. If the access token was not granted one of the\nscopes, the result of active will be false.", - "type": "string", - "x-formData-name": "scope" - }, - "token": { - "description": "The string value of the token. For access tokens, this\nis the \"access_token\" value returned from the token endpoint\ndefined in OAuth 2.0. For refresh tokens, this is the \"refresh_token\"\nvalue returned.", - "required": [ - "token" - ], - "type": "string", - "x-formData-name": "token" - } - }, - "required": [ - "token" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/introspectedOAuth2Token" - } - } - }, - "description": "introspectedOAuth2Token" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Introspect OAuth2 Access and Refresh Tokens", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/oauth2/tokens": { - "delete": { - "description": "This endpoint deletes OAuth2 access tokens issued to an OAuth 2.0 Client from the database.", - "operationId": "deleteOAuth2Token", - "parameters": [ - { - "description": "OAuth 2.0 Client ID", - "in": "query", - "name": "client_id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/recovery/code": { - "post": { - "description": "This endpoint creates a recovery code which should be given to the user in order for them to recover\n(or activate) their account.", - "operationId": "createRecoveryCodeForIdentity", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/createRecoveryCodeForIdentityBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/recoveryCodeForIdentity" - } - } - }, - "description": "recoveryCodeForIdentity" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Create a Recovery Code", - "tags": [ - "identity" - ] - } - }, - "/admin/recovery/link": { - "post": { - "description": "This endpoint creates a recovery link which should be given to the user in order for them to recover\n(or activate) their account.", - "operationId": "createRecoveryLinkForIdentity", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/createRecoveryLinkForIdentityBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/recoveryLinkForIdentity" - } - } - }, - "description": "recoveryLinkForIdentity" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Create a Recovery Link", - "tags": [ - "identity" - ] - } - }, - "/admin/relation-tuples": { - "delete": { - "description": "Use this endpoint to delete relationships", - "operationId": "deleteRelationships", - "parameters": [ - { - "description": "Namespace of the Relationship", - "in": "query", - "name": "namespace", - "schema": { - "type": "string" - } - }, - { - "description": "Object of the Relationship", - "in": "query", - "name": "object", - "schema": { - "type": "string" - } - }, - { - "description": "Relation of the Relationship", - "in": "query", - "name": "relation", - "schema": { - "type": "string" - } - }, - { - "description": "SubjectID of the Relationship", - "in": "query", - "name": "subject_id", - "schema": { - "type": "string" - } - }, - { - "description": "Namespace of the Subject Set", - "in": "query", - "name": "subject_set.namespace", - "schema": { - "type": "string" - } - }, - { - "description": "Object of the Subject Set", - "in": "query", - "name": "subject_set.object", - "schema": { - "type": "string" - } - }, - { - "description": "Relation of the Subject Set", - "in": "query", - "name": "subject_set.relation", - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete Relationships", - "tags": [ - "relationship" - ] - }, - "patch": { - "description": "Use this endpoint to patch one or more relationships.", - "operationId": "patchRelationships", - "requestBody": { - "content": { - "application/json": { - "schema": { - "items": { - "$ref": "#/components/schemas/relationshipPatch" - }, - "type": "array" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Patch Multiple Relationships", - "tags": [ - "relationship" - ] - }, - "put": { - "description": "Use this endpoint to create a relationship.", - "operationId": "createRelationship", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/createRelationshipBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/relationship" - } - } - }, - "description": "relationship" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Create a Relationship", - "tags": [ - "relationship" - ] - } - }, - "/admin/sessions": { - "get": { - "description": "Listing all sessions that exist.", - "operationId": "listSessions", - "parameters": [ - { - "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "in": "query", - "name": "page_size", - "schema": { - "default": 250, - "format": "int64", - "maximum": 1000, - "minimum": 1, - "type": "integer" - } - }, - { - "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", - "in": "query", - "name": "page_token", - "schema": { - "type": "string" - } - }, - { - "description": "Active is a boolean flag that filters out sessions based on the state. If no value is provided, all sessions are returned.", - "in": "query", - "name": "active", - "schema": { - "type": "boolean" - } - }, - { - "description": "ExpandOptions is a query parameter encoded list of all properties that must be expanded in the Session.\nIf no value is provided, the expandable properties are skipped.", - "in": "query", - "name": "expand", - "schema": { - "enum": [ - "identity", - "devices" - ], - "items": { - "type": "string" - }, - "type": "array" - } - } - ], - "responses": { - "200": { - "$ref": "#/components/responses/listSessions" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "List All Sessions", - "tags": [ - "identity" - ] - } - }, - "/admin/sessions/{id}": { - "delete": { - "description": "Calling this endpoint deactivates the specified session. Session data is not deleted.", - "operationId": "disableSession", - "parameters": [ - { - "description": "ID is the session's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Deactivate a Session", - "tags": [ - "identity" - ] - }, - "get": { - "description": "This endpoint is useful for:\n\nGetting a session object with all specified expandables that exist in an administrative context.", - "operationId": "getSession", - "parameters": [ - { - "description": "ExpandOptions is a query parameter encoded list of all properties that must be expanded in the Session.\nExample - ?expand=Identity\u0026expand=Devices\nIf no value is provided, the expandable properties are skipped.", - "in": "query", - "name": "expand", - "schema": { - "enum": [ - "identity", - "devices" - ], - "items": { - "type": "string" - }, - "type": "array" - } - }, - { - "description": "ID is the session's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/session" - } - } - }, - "description": "session" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get Session", - "tags": [ - "identity" - ] - } - }, - "/admin/sessions/{id}/extend": { - "patch": { - "description": "Calling this endpoint extends the given session ID. If `session.earliest_possible_extend` is set it\nwill only extend the session after the specified time has passed.\n\nRetrieve the session ID from the `/sessions/whoami` endpoint / `toSession` SDK method.", - "operationId": "extendSession", - "parameters": [ - { - "description": "ID is the session's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/session" - } - } - }, - "description": "session" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Extend a Session", - "tags": [ - "identity" - ] - } - }, - "/admin/trust/grants/jwt-bearer/issuers": { - "get": { - "description": "Use this endpoint to list all trusted JWT Bearer Grant Type Issuers.", - "operationId": "listTrustedOAuth2JwtGrantIssuers", - "parameters": [ - { - "in": "query", - "name": "MaxItems", - "schema": { - "format": "int64", - "type": "integer" - } - }, - { - "in": "query", - "name": "DefaultItems", - "schema": { - "format": "int64", - "type": "integer" - } - }, - { - "description": "If optional \"issuer\" is supplied, only jwt-bearer grants with this issuer will be returned.", - "in": "query", - "name": "issuer", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/trustedOAuth2JwtGrantIssuers" - } - } - }, - "description": "trustedOAuth2JwtGrantIssuers" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "List Trusted OAuth2 JWT Bearer Grant Type Issuers", - "tags": [ - "oAuth2" - ] - }, - "post": { - "description": "Use this endpoint to establish a trust relationship for a JWT issuer\nto perform JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication\nand Authorization Grants [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523).", - "operationId": "trustOAuth2JwtGrantIssuer", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/trustOAuth2JwtGrantIssuer" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/trustedOAuth2JwtGrantIssuer" - } - } - }, - "description": "trustedOAuth2JwtGrantIssuer" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Trust OAuth2 JWT Bearer Grant Type Issuer", - "tags": [ - "oAuth2" - ] - } - }, - "/admin/trust/grants/jwt-bearer/issuers/{id}": { - "delete": { - "description": "Use this endpoint to delete trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you\ncreated the trust relationship.\n\nOnce deleted, the associated issuer will no longer be able to perform the JSON Web Token (JWT) Profile\nfor OAuth 2.0 Client Authentication and Authorization Grant.", - "operationId": "deleteTrustedOAuth2JwtGrantIssuer", - "parameters": [ - { - "description": "The id of the desired grant", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete Trusted OAuth2 JWT Bearer Grant Type Issuer", - "tags": [ - "oAuth2" - ] - }, - "get": { - "description": "Use this endpoint to get a trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you\ncreated the trust relationship.", - "operationId": "getTrustedOAuth2JwtGrantIssuer", - "parameters": [ - { - "description": "The id of the desired grant", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/trustedOAuth2JwtGrantIssuer" - } - } - }, - "description": "trustedOAuth2JwtGrantIssuer" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get Trusted OAuth2 JWT Bearer Grant Type Issuer", - "tags": [ - "oAuth2" - ] - } - }, - "/console/active/project": { - "get": { - "description": "Use this API to get your active project in the Ory Network Console UI.", - "operationId": "getActiveProjectInConsole", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/activeProjectInConsole" - } - } - }, - "description": "activeProjectInConsole" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Returns the Ory Network Project selected in the Ory Network Console", - "tags": [ - "project" - ] - }, - "put": { - "description": "Use this API to set your active project in the Ory Network Console UI.", - "operationId": "setActiveProjectInConsole", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/setActiveProjectInConsoleBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Sets the Ory Network Project active in the Ory Network Console", - "tags": [ - "project" - ] - } - }, - "/health/alive": { - "get": { - "description": "This endpoint returns a HTTP 200 status code when Ory Kratos is accepting incoming\nHTTP requests. This status does currently not include checks whether the database connection is working.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the health status will never\nrefer to the cluster state, only to a single instance.", - "operationId": "isAlive", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/healthStatus", - "properties": { - "status": { - "description": "Always \"ok\".", - "type": "string" - } - }, - "required": [ - "status" - ], - "type": "object" - } - } - }, - "description": "Ory Kratos is ready to accept connections." - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - }, - "default": { - "content": { - "text/plain": { - "schema": { - "type": "string" - } - } - }, - "description": "Unexpected error" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Check HTTP Server Status", - "tags": [ - "metadata" - ] - } - }, - "/health/ready": { - "get": { - "description": "This endpoint returns a HTTP 200 status code when Ory Kratos is up running and the environment dependencies (e.g.\nthe database) are responsive as well.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of Ory Kratos, the health status will never\nrefer to the cluster state, only to a single instance.", - "operationId": "isReady", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "properties": { - "status": { - "description": "Always \"ok\".", - "type": "string" - } - }, - "required": [ - "status" - ], - "type": "object" - } - } - }, - "description": "Ory Kratos is ready to accept requests." - }, - "503": { - "content": { - "application/json": { - "schema": { - "properties": { - "errors": { - "additionalProperties": { - "type": "string" - }, - "description": "Errors contains a list of errors that caused the not ready status.", - "type": "object" - } - }, - "required": [ - "errors" - ], - "type": "object" - } - } - }, - "description": "Ory Kratos is not yet ready to accept requests." - }, - "default": { - "content": { - "text/plain": { - "schema": { - "type": "string" - } - } - }, - "description": "Unexpected error" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Check HTTP Server and Database Status", - "tags": [ - "metadata" - ] - } - }, - "/namespaces": { - "get": { - "description": "Get all namespaces", - "operationId": "listRelationshipNamespaces", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/relationshipNamespaces" - } - } - }, - "description": "relationshipNamespaces" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Query namespaces", - "tags": [ - "relationship" - ] - } - }, - "/oauth2/auth": { - "get": { - "description": "Use open source libraries to perform OAuth 2.0 and OpenID Connect\navailable for any programming language. You can find a list of libraries at https://oauth.net/code/\n\nThe Ory SDK is not yet able to this endpoint properly.", - "operationId": "oAuth2Authorize", - "responses": { - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "summary": "OAuth 2.0 Authorize Endpoint", - "tags": [ - "oAuth2" - ] - } - }, - "/oauth2/register": { - "post": { - "description": "This endpoint behaves like the administrative counterpart (`createOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint\nis disabled by default. It can be enabled by an administrator.\n\nPlease note that using this endpoint you are not able to choose the `client_secret` nor the `client_id` as those\nvalues will be server generated when specifying `token_endpoint_auth_method` as `client_secret_basic` or\n`client_secret_post`.\n\nThe `client_secret` will be returned in the response and you will not be able to retrieve it later on.\nWrite the secret down and keep it somewhere safe.", - "operationId": "createOidcDynamicClient", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "Dynamic Client Registration Request Body", - "required": true, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "oAuth2Client" - }, - "400": { - "$ref": "#/components/responses/errorOAuth2BadRequest" - }, - "default": { - "$ref": "#/components/responses/errorOAuth2Default" - } - }, - "summary": "Register OAuth2 Client using OpenID Dynamic Client Registration", - "tags": [ - "oidc" - ] - } - }, - "/oauth2/register/{id}": { - "delete": { - "description": "This endpoint behaves like the administrative counterpart (`deleteOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint\nis disabled by default. It can be enabled by an administrator.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", - "operationId": "deleteOidcDynamicClient", - "parameters": [ - { - "description": "The id of the OAuth 2.0 Client.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "security": [ - { - "bearer": [] - } - ], - "summary": "Delete OAuth 2.0 Client using the OpenID Dynamic Client Registration Management Protocol", - "tags": [ - "oidc" - ] - }, - "get": { - "description": "This endpoint behaves like the administrative counterpart (`getOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.", - "operationId": "getOidcDynamicClient", - "parameters": [ - { - "description": "The id of the OAuth 2.0 Client.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "oAuth2Client" - }, - "default": { - "$ref": "#/components/responses/errorOAuth2Default" - } - }, - "security": [ - { - "bearer": [] - } - ], - "summary": "Get OAuth2 Client using OpenID Dynamic Client Registration", - "tags": [ - "oidc" - ] - }, - "put": { - "description": "This endpoint behaves like the administrative counterpart (`setOAuth2Client`) but is capable of facing the\npublic internet directly to be used by third parties. It implements the OpenID Connect\nDynamic Client Registration Protocol.\n\nThis feature is disabled per default. It can be enabled by a system administrator.\n\nIf you pass `client_secret` the secret is used, otherwise the existing secret is used. If set, the secret is echoed in the response.\nIt is not possible to retrieve it later on.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", - "operationId": "setOidcDynamicClient", - "parameters": [ - { - "description": "OAuth 2.0 Client ID", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "OAuth 2.0 Client Request Body", - "required": true, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2Client" - } - } - }, - "description": "oAuth2Client" - }, - "404": { - "$ref": "#/components/responses/errorOAuth2NotFound" - }, - "default": { - "$ref": "#/components/responses/errorOAuth2Default" - } - }, - "security": [ - { - "bearer": [] - } - ], - "summary": "Set OAuth2 Client using OpenID Dynamic Client Registration", - "tags": [ - "oidc" - ] - } - }, - "/oauth2/revoke": { - "post": { - "description": "Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no\nlonger be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token.\nRevoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by\nthe client the token was generated for.", - "operationId": "revokeOAuth2Token", - "requestBody": { - "content": { - "application/x-www-form-urlencoded": { - "schema": { - "properties": { - "client_id": { - "type": "string", - "x-formData-name": "client_id" - }, - "client_secret": { - "type": "string", - "x-formData-name": "client_secret" - }, - "token": { - "required": [ - "token" - ], - "type": "string", - "x-formData-name": "token" - } - }, - "required": [ - "token" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "$ref": "#/components/responses/emptyResponse" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "basic": [] - }, - { - "oauth2": [] - } - ], - "summary": "Revoke OAuth 2.0 Access or Refresh Token", - "tags": [ - "oAuth2" - ] - } - }, - "/oauth2/sessions/logout": { - "get": { - "description": "This endpoint initiates and completes user logout at the Ory OAuth2 \u0026 OpenID provider and initiates OpenID Connect Front- / Back-channel logout:\n\nhttps://openid.net/specs/openid-connect-frontchannel-1_0.html\nhttps://openid.net/specs/openid-connect-backchannel-1_0.html\n\nBack-channel logout is performed asynchronously and does not affect logout flow.", - "operationId": "revokeOidcSession", - "responses": { - "302": { - "$ref": "#/components/responses/emptyResponse" - } - }, - "summary": "OpenID Connect Front- and Back-channel Enabled Logout", - "tags": [ - "oidc" - ] - } - }, - "/oauth2/token": { - "post": { - "description": "Use open source libraries to perform OAuth 2.0 and OpenID Connect\navailable for any programming language. You can find a list of libraries here https://oauth.net/code/\n\nThe Ory SDK is not yet able to this endpoint properly.", - "operationId": "oauth2TokenExchange", - "requestBody": { - "content": { - "application/x-www-form-urlencoded": { - "schema": { - "properties": { - "client_id": { - "type": "string", - "x-formData-name": "client_id" - }, - "code": { - "type": "string", - "x-formData-name": "code" - }, - "grant_type": { - "required": [ - "grant_type" - ], - "type": "string", - "x-formData-name": "grant_type" - }, - "redirect_uri": { - "type": "string", - "x-formData-name": "redirect_uri" - }, - "refresh_token": { - "type": "string", - "x-formData-name": "refresh_token" - } - }, - "required": [ - "grant_type" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oAuth2TokenExchange" - } - } - }, - "description": "oAuth2TokenExchange" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" + "passed_challenge" + ], + "title": "Verification Flow State" + }, + "version": { + "properties": { + "version": { + "description": "Version is the service's version.", + "type": "string" } }, - "security": [ - { - "basic": [] - }, - { - "oauth2": [] - } - ], - "summary": "The OAuth 2.0 Token Endpoint", - "tags": [ - "oAuth2" - ] + "type": "object" + }, + "webAuthnJavaScript": { + "type": "string" } }, - "/opl/syntax/check": { - "post": { - "description": "The OPL file is expected in the body of the request.", - "operationId": "checkOplSyntax", - "requestBody": { - "content": { - "text/plain": { - "schema": { - "$ref": "#/components/schemas/checkOplSyntaxBody" - } - } - }, - "x-originalParamName": "Body" - }, + "securitySchemes": { + "oryAccessToken": { + "in": "header", + "name": "Authorization", + "type": "apiKey" + } + } + }, + "info": { + "contact": { + "email": "office@ory.sh" + }, + "description": "This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more.\n", + "license": { + "name": "Apache 2.0" + }, + "title": "Ory Identities API", + "version": "" + }, + "openapi": "3.0.3", + "paths": { + "/.well-known/ory/webauthn.js": { + "get": { + "description": "This endpoint provides JavaScript which is needed in order to perform WebAuthn login and registration.\n\nIf you are building a JavaScript Browser App (e.g. in ReactJS or AngularJS) you will need to load this file:\n\n```html\n\u003cscript src=\"https://public-kratos.example.org/.well-known/ory/webauthn.js\" type=\"script\" async /\u003e\n```\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", + "operationId": "getWebAuthnJavaScript", "responses": { "200": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/checkOplSyntaxResult" - } - } - }, - "description": "checkOplSyntaxResult" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" + "$ref": "#/components/schemas/webAuthnJavaScript" } } }, - "description": "errorGeneric" + "description": "webAuthnJavaScript" } }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Check the syntax of an OPL file", + "summary": "Get WebAuthn JavaScript", "tags": [ - "relationship" + "frontend" ] } }, - "/projects": { + "/admin/courier/messages": { "get": { - "description": "Lists all projects you have access to.", - "operationId": "listProjects", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/projectMetadataList" - } - } - }, - "description": "projectMetadataList" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ + "description": "Lists all messages by given status and recipient.", + "operationId": "listCourierMessages", + "parameters": [ { - "oryAccessToken": [] - } - ], - "summary": "List All Projects", - "tags": [ - "project" - ] - }, - "post": { - "description": "Creates a new project.", - "operationId": "createProject", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/createProjectBody" - } + "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_size", + "schema": { + "default": 250, + "format": "int64", + "maximum": 1000, + "minimum": 1, + "type": "integer" } }, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/project" - } - } - }, - "description": "project" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" + { + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_token", + "schema": { + "type": "string" + } }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - } - }, - "security": [ { - "oryAccessToken": [] - } - ], - "summary": "Create a Project", - "tags": [ - "project" - ] - } - }, - "/projects/{project_id}": { - "delete": { - "description": "!! Use with extreme caution !!\n\nUsing this API endpoint you can purge (completely delete) a project and its data.\nThis action can not be undone and will delete ALL your data.\n\n!! Use with extreme caution !!", - "operationId": "purgeProject", - "parameters": [ + "description": "Status filters out messages based on status.\nIf no value is provided, it doesn't take effect on filter.", + "in": "query", + "name": "status", + "schema": { + "$ref": "#/components/schemas/courierMessageStatus" + } + }, { - "description": "Project ID\n\nThe project's ID.", - "in": "path", - "name": "project_id", - "required": true, + "description": "Recipient filters out messages based on recipient.\nIf no value is provided, it doesn't take effect on filter.", + "in": "query", + "name": "recipient", "schema": { "type": "string" } } ], "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" + "200": { + "$ref": "#/components/responses/listCourierMessages" }, - "404": { + "400": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" }, "default": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" } }, "security": [ @@ -11222,19 +3454,21 @@ "oryAccessToken": [] } ], - "summary": "Irrecoverably purge a project", + "summary": "List Messages", "tags": [ - "project" + "courier" ] - }, + } + }, + "/admin/courier/messages/{id}": { "get": { - "description": "Get a projects you have access to by its ID.", - "operationId": "getProject", + "description": "Gets a specific messages by the given ID.", + "operationId": "getCourierMessage", "parameters": [ { - "description": "Project ID\n\nThe project's ID.", + "description": "MessageID is the ID of the message.", "in": "path", - "name": "project_id", + "name": "id", "required": true, "schema": { "type": "string" @@ -11246,13 +3480,13 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/project" + "$ref": "#/components/schemas/message" } } }, - "description": "project" + "description": "message" }, - "401": { + "400": { "content": { "application/json": { "schema": { @@ -11262,7 +3496,7 @@ }, "description": "errorGeneric" }, - "403": { + "default": { "content": { "application/json": { "schema": { @@ -11271,16 +3505,112 @@ } }, "description": "errorGeneric" + } + }, + "security": [ + { + "oryAccessToken": [] + } + ], + "summary": "Get a Message", + "tags": [ + "courier" + ] + } + }, + "/admin/identities": { + "get": { + "description": "Lists all [identities](https://www.ory.sh/docs/kratos/concepts/identity-user-model) in the system.", + "operationId": "listIdentities", + "parameters": [ + { + "description": "Deprecated Items per Page\n\nDEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.\n\nThis is the number of items per page.", + "in": "query", + "name": "per_page", + "schema": { + "default": 250, + "format": "int64", + "maximum": 1000, + "minimum": 1, + "type": "integer" + } }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } + { + "description": "Deprecated Pagination Page\n\nDEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.\nThe first page can be retrieved by omitting this parameter. Following page pointers will be returned in the\n`Link` header.", + "in": "query", + "name": "page", + "schema": { + "format": "int64", + "type": "integer" + } + }, + { + "description": "Page Size\n\nThis is the number of items per page to return. For details on pagination please head over to the\n[pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_size", + "schema": { + "default": 250, + "format": "int64", + "maximum": 500, + "minimum": 1, + "type": "integer" + } + }, + { + "description": "Next Page Token\n\nThe next page token. For details on pagination please head over to the\n[pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_token", + "schema": { + "default": "1", + "minimum": 1, + "type": "string" + } + }, + { + "description": "Read Consistency Level (preview)\n\nThe read consistency level determines the consistency guarantee for reads:\n\nstrong (slow): The read is guaranteed to return the most recent data committed at the start of the read.\neventual (very fast): The result will return data that is about 4.8 seconds old.\n\nThe default consistency guarantee can be changed in the Ory Network Console or using the Ory CLI with\n`ory patch project --replace '/previews/default_read_consistency_level=\"strong\"'`.\n\nSetting the default consistency level to `eventual` may cause regressions in the future as we add consistency\ncontrols to more APIs. Currently, the following APIs will be affected by this setting:\n\n`GET /admin/identities`\n\nThis feature is in preview and only available in Ory Network.\n ConsistencyLevelUnset ConsistencyLevelUnset is the unset / default consistency level.\nstrong ConsistencyLevelStrong ConsistencyLevelStrong is the strong consistency level.\neventual ConsistencyLevelEventual ConsistencyLevelEventual is the eventual consistency level using follower read timestamps.", + "in": "query", + "name": "consistency", + "schema": { + "enum": [ + "", + "strong", + "eventual" + ], + "type": "string" }, - "description": "errorGeneric" + "x-go-enum-desc": " ConsistencyLevelUnset ConsistencyLevelUnset is the unset / default consistency level.\nstrong ConsistencyLevelStrong ConsistencyLevelStrong is the strong consistency level.\neventual ConsistencyLevelEventual ConsistencyLevelEventual is the eventual consistency level using follower read timestamps." + }, + { + "description": "List of ids used to filter identities.\nIf this list is empty, then no filter will be applied.", + "in": "query", + "name": "ids", + "schema": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + { + "description": "CredentialsIdentifier is the identifier (username, email) of the credentials to look up using exact match.\nOnly one of CredentialsIdentifier and CredentialsIdentifierSimilar can be used.", + "in": "query", + "name": "credentials_identifier", + "schema": { + "type": "string" + } + }, + { + "description": "This is an EXPERIMENTAL parameter that WILL CHANGE. Do NOT rely on consistent, deterministic behavior.\nTHIS PARAMETER WILL BE REMOVED IN AN UPCOMING RELEASE WITHOUT ANY MIGRATION PATH.\n\nCredentialsIdentifierSimilar is the (partial) identifier (username, email) of the credentials to look up using similarity search.\nOnly one of CredentialsIdentifier and CredentialsIdentifierSimilar can be used.", + "in": "query", + "name": "preview_credentials_identifier_similar", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "$ref": "#/components/responses/listIdentities" }, "default": { "content": { @@ -11298,33 +3628,19 @@ "oryAccessToken": [] } ], - "summary": "Get a Project", + "summary": "List Identities", "tags": [ - "project" + "identity" ] }, "patch": { - "description": "Deprecated: Use the `patchProjectWithRevision` endpoint instead to specify the exact revision the patch was generated for.\n\nThis endpoints allows you to patch individual Ory Network project configuration keys for\nOry's services (identity, permission, ...). The configuration format is fully compatible\nwith the open source projects for the respective services (e.g. Ory Kratos for Identity, Ory Keto for Permissions).\n\nThis endpoint expects the `version` key to be set in the payload. If it is unset, it\nwill try to import the config as if it is from the most recent version.\n\nIf you have an older version of a configuration, you should set the version key in the payload!\n\nWhile this endpoint is able to process all configuration items related to features (e.g. password reset),\nit does not support operational configuration items (e.g. port, tracing, logging) otherwise available in the\nopen source.\n\nFor configuration items that can not be translated to the Ory Network, this endpoint will return a list of warnings\nto help you understand which parts of your config could not be processed.", - "operationId": "patchProject", - "parameters": [ - { - "description": "Project ID\n\nThe project's ID.", - "in": "path", - "name": "project_id", - "required": true, - "schema": { - "type": "string" - } - } - ], + "description": "Creates or delete multiple\n[identities](https://www.ory.sh/docs/kratos/concepts/identity-user-model).\nThis endpoint can also be used to [import\ncredentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities)\nfor instance passwords, social sign in configurations or multifactor methods.", + "operationId": "batchPatchIdentities", "requestBody": { "content": { "application/json": { "schema": { - "items": { - "$ref": "#/components/schemas/jsonPatch" - }, - "type": "array" + "$ref": "#/components/schemas/patchIdentitiesBody" } } }, @@ -11335,11 +3651,11 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/successfulProjectUpdate" + "$ref": "#/components/schemas/batchPatchIdentitiesResponse" } } }, - "description": "successfulProjectUpdate" + "description": "batchPatchIdentitiesResponse" }, "400": { "content": { @@ -11351,27 +3667,7 @@ }, "description": "errorGeneric" }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { + "409": { "content": { "application/json": { "schema": { @@ -11397,45 +3693,34 @@ "oryAccessToken": [] } ], - "summary": "Patch an Ory Network Project Configuration", + "summary": "Create and deletes multiple identities", "tags": [ - "project" + "identity" ] }, - "put": { - "description": "This endpoints allows you to update the Ory Network project configuration for\nindividual services (identity, permission, ...). The configuration is fully compatible\nwith the open source projects for the respective services (e.g. Ory Kratos for Identity, Ory Keto for Permissions).\n\nThis endpoint expects the `version` key to be set in the payload. If it is unset, it\nwill try to import the config as if it is from the most recent version.\n\nIf you have an older version of a configuration, you should set the version key in the payload!\n\nWhile this endpoint is able to process all configuration items related to features (e.g. password reset),\nit does not support operational configuration items (e.g. port, tracing, logging) otherwise available in the\nopen source.\n\nFor configuration items that can not be translated to the Ory Network, this endpoint will return a list of warnings\nto help you understand which parts of your config could not be processed.\n\nBe aware that updating any service's configuration will completely override your current configuration for that\nservice!", - "operationId": "setProject", - "parameters": [ - { - "description": "Project ID\n\nThe project's ID.", - "in": "path", - "name": "project_id", - "required": true, - "schema": { - "type": "string" - } - } - ], + "post": { + "description": "Create an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model). This endpoint can also be used to\n[import credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities)\nfor instance passwords, social sign in configurations or multifactor methods.", + "operationId": "createIdentity", "requestBody": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/setProject" + "$ref": "#/components/schemas/createIdentityBody" } } }, "x-originalParamName": "Body" }, "responses": { - "200": { + "201": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/successfulProjectUpdate" + "$ref": "#/components/schemas/identity" } } }, - "description": "successfulProjectUpdate" + "description": "identity" }, "400": { "content": { @@ -11447,27 +3732,7 @@ }, "description": "errorGeneric" }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorGeneric" - } - } - }, - "description": "errorGeneric" - }, - "404": { + "409": { "content": { "application/json": { "schema": { @@ -11493,21 +3758,21 @@ "oryAccessToken": [] } ], - "summary": "Update an Ory Network Project Configuration", + "summary": "Create an Identity", "tags": [ - "project" + "identity" ] } }, - "/projects/{project_id}/members": { - "get": { - "description": "This endpoint requires the user to be a member of the project with the role `OWNER` or `DEVELOPER`.", - "operationId": "getProjectMembers", + "/admin/identities/{id}": { + "delete": { + "description": "Calling this endpoint irrecoverably and permanently deletes the [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) given its ID. This action can not be undone.\nThis endpoint returns 204 when the identity was deleted or when the identity was not found, in which case it is\nassumed that is has been deleted already.", + "operationId": "deleteIdentity", "parameters": [ { - "description": "Project ID\n\nThe project's ID.", + "description": "ID is the identity's ID.", "in": "path", - "name": "project_id", + "name": "id", "required": true, "schema": { "type": "string" @@ -11515,45 +3780,28 @@ } ], "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/projectMembers" - } - } - }, - "description": "projectMembers" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" + "204": { + "$ref": "#/components/responses/emptyResponse" }, - "406": { + "404": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" }, "default": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" } }, "security": [ @@ -11561,69 +3809,74 @@ "oryAccessToken": [] } ], - "summary": "Get all members associated with this project", + "summary": "Delete an Identity", "tags": [ - "project" + "identity" ] - } - }, - "/projects/{project_id}/members/{member_id}": { - "delete": { - "description": "This also sets their invite status to `REMOVED`.\nThis endpoint requires the user to be a member of the project with the role `OWNER`.", - "operationId": "removeProjectMember", + }, + "get": { + "description": "Return an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) by its ID. You can optionally\ninclude credentials (e.g. social sign in connections) in the response by using the `include_credential` query parameter.", + "operationId": "getIdentity", "parameters": [ { - "description": "Project ID\n\nThe project's ID.", + "description": "ID must be set to the ID of identity you want to get", "in": "path", - "name": "project_id", + "name": "id", "required": true, "schema": { "type": "string" } }, { - "description": "Member ID", - "in": "path", - "name": "member_id", - "required": true, + "description": "Include Credentials in Response\n\nInclude any credential, for example `password` or `oidc`, in the response. When set to `oidc`, This will return\nthe initial OAuth 2.0 Access Token, OAuth 2.0 Refresh Token and the OpenID Connect ID Token if available.", + "in": "query", + "name": "include_credential", "schema": { - "type": "string" + "items": { + "enum": [ + "password", + "totp", + "oidc", + "webauthn", + "lookup_secret", + "code" + ], + "type": "string" + }, + "type": "array" } } ], "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "401": { + "200": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/identity" } } }, - "description": "genericError" + "description": "identity" }, - "406": { + "404": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" }, "default": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" } }, "security": [ @@ -11631,106 +3884,85 @@ "oryAccessToken": [] } ], - "summary": "Remove a member associated with this project", + "summary": "Get an Identity", "tags": [ - "project" + "identity" ] - } - }, - "/projects/{project_id}/metrics": { - "get": { - "description": "Retrieves project metrics for the specified event type and time range", - "operationId": "getProjectMetrics", + }, + "patch": { + "description": "Partially updates an [identity's](https://www.ory.sh/docs/kratos/concepts/identity-user-model) field using [JSON Patch](https://jsonpatch.com/).\nThe fields `id`, `stateChangedAt` and `credentials` can not be updated using this method.", + "operationId": "patchIdentity", "parameters": [ { - "description": "Project ID", + "description": "ID must be set to the ID of identity you want to update", "in": "path", - "name": "project_id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The event type to query for", - "in": "query", - "name": "event_type", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The resolution of the buckets\n\nThe minimum resolution is 1 hour.", - "in": "query", - "name": "resolution", - "required": true, - "schema": { - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - } - }, - { - "description": "The start time of the time window", - "in": "query", - "name": "from", - "required": true, - "schema": { - "format": "date-time", - "type": "string" - } - }, - { - "description": "The end time of the time window", - "in": "query", - "name": "to", + "name": "id", "required": true, "schema": { - "format": "date-time", "type": "string" } } ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonPatchDocument" + } + } + }, + "x-originalParamName": "Body" + }, "responses": { "200": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/getProjectMetricsResponse" + "$ref": "#/components/schemas/identity" } } }, - "description": "getProjectMetricsResponse" + "description": "identity" }, "400": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" }, - "403": { + "404": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "409": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" }, "default": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/genericError" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "genericError" + "description": "errorGeneric" } }, "security": [ @@ -11738,36 +3970,75 @@ "oryAccessToken": [] } ], + "summary": "Patch an Identity", "tags": [ - "project" + "identity" ] - } - }, - "/projects/{project}/tokens": { - "get": { - "description": "A list of all the project's API tokens.", - "operationId": "listProjectApiKeys", + }, + "put": { + "description": "This endpoint updates an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model). The full identity\npayload (except credentials) is expected. It is possible to update the identity's credentials as well.", + "operationId": "updateIdentity", "parameters": [ { - "description": "The Project ID or Project slug", + "description": "ID must be set to the ID of identity you want to update", "in": "path", - "name": "project", + "name": "id", "required": true, "schema": { "type": "string" } } ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/updateIdentityBody" + } + } + }, + "x-originalParamName": "Body" + }, "responses": { "200": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/projectApiKeys" + "$ref": "#/components/schemas/identity" + } + } + }, + "description": "identity" + }, + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "404": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "409": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "projectApiKeys" + "description": "errorGeneric" }, "default": { "content": { @@ -11785,54 +4056,54 @@ "oryAccessToken": [] } ], - "summary": "List a project's API Tokens", + "summary": "Update an Identity", "tags": [ - "project" + "identity" ] - }, - "post": { - "description": "Create an API token for a project.", - "operationId": "createProjectApiKey", + } + }, + "/admin/identities/{id}/credentials/{type}": { + "delete": { + "description": "Delete an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) credential by its type\nYou can only delete second factor (aal2) credentials.", + "operationId": "deleteIdentityCredentials", "parameters": [ { - "description": "The Project ID or Project slug", + "description": "ID is the identity's ID.", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + }, + { + "description": "Type is the credential's Type.\nOne of totp, webauthn, lookup", "in": "path", - "name": "project", + "name": "type", "required": true, "schema": { + "enum": [ + "totp", + "webauthn", + "lookup" + ], "type": "string" } } ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "properties": { - "name": { - "description": "The Token Name\n\nA descriptive name for the token.\n\nin: body", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object" - } - } - }, - "x-originalParamName": "Body" - }, "responses": { - "201": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "404": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/projectApiKey" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "projectApiKey" + "description": "errorGeneric" }, "default": { "content": { @@ -11850,30 +4121,21 @@ "oryAccessToken": [] } ], - "summary": "Create project API token", + "summary": "Delete a credential for a specific identity", "tags": [ - "project" + "identity" ] } }, - "/projects/{project}/tokens/{token_id}": { + "/admin/identities/{id}/sessions": { "delete": { - "description": "Deletes an API token and immediately removes it.", - "operationId": "deleteProjectApiKey", + "description": "Calling this endpoint irrecoverably and permanently deletes and invalidates all sessions that belong to the given Identity.", + "operationId": "deleteIdentitySessions", "parameters": [ { - "description": "The Project ID or Project slug", - "in": "path", - "name": "project", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The Token ID", + "description": "ID is the identity's ID.", "in": "path", - "name": "token_id", + "name": "id", "required": true, "schema": { "type": "string" @@ -11884,6 +4146,36 @@ "204": { "$ref": "#/components/responses/emptyResponse" }, + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "401": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "404": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, "default": { "content": { "application/json": { @@ -11900,99 +4192,89 @@ "oryAccessToken": [] } ], - "summary": "Delete project API token", + "summary": "Delete \u0026 Invalidate an Identity's Sessions", "tags": [ - "project" + "identity" ] - } - }, - "/relation-tuples": { + }, "get": { - "description": "Get all relationships that match the query. Only the namespace field is required.", - "operationId": "getRelationships", + "description": "This endpoint returns all sessions that belong to the given Identity.", + "operationId": "listIdentitySessions", "parameters": [ { + "description": "Deprecated Items per Page\n\nDEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.\n\nThis is the number of items per page.", "in": "query", - "name": "page_token", - "schema": { - "type": "string" - } - }, - { - "in": "query", - "name": "page_size", + "name": "per_page", "schema": { + "default": 250, "format": "int64", + "maximum": 1000, + "minimum": 1, "type": "integer" } }, { - "description": "Namespace of the Relationship", - "in": "query", - "name": "namespace", - "schema": { - "type": "string" - } - }, - { - "description": "Object of the Relationship", - "in": "query", - "name": "object", - "schema": { - "type": "string" - } - }, - { - "description": "Relation of the Relationship", + "description": "Deprecated Pagination Page\n\nDEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.\nThe first page can be retrieved by omitting this parameter. Following page pointers will be returned in the\n`Link` header.", "in": "query", - "name": "relation", + "name": "page", "schema": { - "type": "string" + "format": "int64", + "type": "integer" } }, { - "description": "SubjectID of the Relationship", + "description": "Page Size\n\nThis is the number of items per page to return. For details on pagination please head over to the\n[pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", "in": "query", - "name": "subject_id", + "name": "page_size", "schema": { - "type": "string" + "default": 250, + "format": "int64", + "maximum": 500, + "minimum": 1, + "type": "integer" } }, { - "description": "Namespace of the Subject Set", + "description": "Next Page Token\n\nThe next page token. For details on pagination please head over to the\n[pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", "in": "query", - "name": "subject_set.namespace", + "name": "page_token", "schema": { + "default": "1", + "minimum": 1, "type": "string" } }, { - "description": "Object of the Subject Set", - "in": "query", - "name": "subject_set.object", + "description": "ID is the identity's ID.", + "in": "path", + "name": "id", + "required": true, "schema": { "type": "string" } }, { - "description": "Relation of the Subject Set", + "description": "Active is a boolean flag that filters out sessions based on the state. If no value is provided, all sessions are returned.", "in": "query", - "name": "subject_set.relation", + "name": "active", "schema": { - "type": "string" + "type": "boolean" } } ], "responses": { "200": { + "$ref": "#/components/responses/listIdentitySessions" + }, + "400": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/relationships" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "relationships" + "description": "errorGeneric" }, "404": { "content": { @@ -12020,92 +4302,36 @@ "oryAccessToken": [] } ], - "summary": "Query relationships", + "summary": "List an Identity's Sessions", "tags": [ - "relationship" + "identity" ] } }, - "/relation-tuples/check": { - "get": { - "description": "To learn how relationship tuples and the check works, head over to [the documentation](https://www.ory.sh/docs/keto/concepts/api-overview).", - "operationId": "checkPermissionOrError", - "parameters": [ - { - "description": "Namespace of the Relationship", - "in": "query", - "name": "namespace", - "schema": { - "type": "string" - } - }, - { - "description": "Object of the Relationship", - "in": "query", - "name": "object", - "schema": { - "type": "string" - } - }, - { - "description": "Relation of the Relationship", - "in": "query", - "name": "relation", - "schema": { - "type": "string" - } - }, - { - "description": "SubjectID of the Relationship", - "in": "query", - "name": "subject_id", - "schema": { - "type": "string" - } - }, - { - "description": "Namespace of the Subject Set", - "in": "query", - "name": "subject_set.namespace", - "schema": { - "type": "string" - } - }, - { - "description": "Object of the Subject Set", - "in": "query", - "name": "subject_set.object", - "schema": { - "type": "string" - } - }, - { - "description": "Relation of the Subject Set", - "in": "query", - "name": "subject_set.relation", - "schema": { - "type": "string" + "/admin/recovery/code": { + "post": { + "description": "This endpoint creates a recovery code which should be given to the user in order for them to recover\n(or activate) their account.", + "operationId": "createRecoveryCodeForIdentity", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/createRecoveryCodeForIdentityBody" + } } }, - { - "in": "query", - "name": "max-depth", - "schema": { - "format": "int64", - "type": "integer" - } - } - ], + "x-originalParamName": "Body" + }, "responses": { - "200": { + "201": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/checkPermissionResult" + "$ref": "#/components/schemas/recoveryCodeForIdentity" } } }, - "description": "checkPermissionResult" + "description": "recoveryCodeForIdentity" }, "400": { "content": { @@ -12117,15 +4343,15 @@ }, "description": "errorGeneric" }, - "403": { + "404": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/checkPermissionResult" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "checkPermissionResult" + "description": "errorGeneric" }, "default": { "content": { @@ -12143,30 +4369,21 @@ "oryAccessToken": [] } ], - "summary": "Check a permission", + "summary": "Create a Recovery Code", "tags": [ - "permission" + "identity" ] - }, + } + }, + "/admin/recovery/link": { "post": { - "description": "To learn how relationship tuples and the check works, head over to [the documentation](https://www.ory.sh/docs/keto/concepts/api-overview).", - "operationId": "postCheckPermissionOrError", - "parameters": [ - { - "description": "nolint:deadcode,unused", - "in": "query", - "name": "max-depth", - "schema": { - "format": "int64", - "type": "integer" - } - } - ], + "description": "This endpoint creates a recovery link which should be given to the user in order for them to recover\n(or activate) their account.", + "operationId": "createRecoveryLinkForIdentity", "requestBody": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/postCheckPermissionOrErrorBody" + "$ref": "#/components/schemas/createRecoveryLinkForIdentityBody" } } }, @@ -12177,11 +4394,11 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/checkPermissionResult" + "$ref": "#/components/schemas/recoveryLinkForIdentity" } } }, - "description": "checkPermissionResult" + "description": "recoveryLinkForIdentity" }, "400": { "content": { @@ -12193,15 +4410,15 @@ }, "description": "errorGeneric" }, - "403": { + "404": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/checkPermissionResult" + "$ref": "#/components/schemas/errorGeneric" } } }, - "description": "checkPermissionResult" + "description": "errorGeneric" }, "default": { "content": { @@ -12219,79 +4436,183 @@ "oryAccessToken": [] } ], - "summary": "Check a permission", + "summary": "Create a Recovery Link", "tags": [ - "permission" + "identity" ] } }, - "/relation-tuples/check/openapi": { + "/admin/sessions": { "get": { - "description": "To learn how relationship tuples and the check works, head over to [the documentation](https://www.ory.sh/docs/keto/concepts/api-overview).", - "operationId": "checkPermission", + "description": "Listing all sessions that exist.", + "operationId": "listSessions", "parameters": [ { - "description": "Namespace of the Relationship", + "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", "in": "query", - "name": "namespace", + "name": "page_size", "schema": { - "type": "string" + "default": 250, + "format": "int64", + "maximum": 1000, + "minimum": 1, + "type": "integer" } }, { - "description": "Object of the Relationship", + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", "in": "query", - "name": "object", + "name": "page_token", "schema": { "type": "string" } }, { - "description": "Relation of the Relationship", + "description": "Active is a boolean flag that filters out sessions based on the state. If no value is provided, all sessions are returned.", "in": "query", - "name": "relation", + "name": "active", "schema": { - "type": "string" + "type": "boolean" } }, { - "description": "SubjectID of the Relationship", + "description": "ExpandOptions is a query parameter encoded list of all properties that must be expanded in the Session.\nIf no value is provided, the expandable properties are skipped.", "in": "query", - "name": "subject_id", + "name": "expand", "schema": { - "type": "string" + "enum": [ + "identity", + "devices" + ], + "items": { + "type": "string" + }, + "type": "array" } + } + ], + "responses": { + "200": { + "$ref": "#/components/responses/listSessions" }, - { - "description": "Namespace of the Subject Set", - "in": "query", - "name": "subject_set.namespace", - "schema": { - "type": "string" - } + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + } + }, + "security": [ { - "description": "Object of the Subject Set", - "in": "query", - "name": "subject_set.object", + "oryAccessToken": [] + } + ], + "summary": "List All Sessions", + "tags": [ + "identity" + ] + } + }, + "/admin/sessions/{id}": { + "delete": { + "description": "Calling this endpoint deactivates the specified session. Session data is not deleted.", + "operationId": "disableSession", + "parameters": [ + { + "description": "ID is the session's ID.", + "in": "path", + "name": "id", + "required": true, "schema": { "type": "string" } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "401": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + } + }, + "security": [ + { + "oryAccessToken": [] + } + ], + "summary": "Deactivate a Session", + "tags": [ + "identity" + ] + }, + "get": { + "description": "This endpoint is useful for:\n\nGetting a session object with all specified expandables that exist in an administrative context.", + "operationId": "getSession", + "parameters": [ { - "description": "Relation of the Subject Set", + "description": "ExpandOptions is a query parameter encoded list of all properties that must be expanded in the Session.\nExample - ?expand=Identity\u0026expand=Devices\nIf no value is provided, the expandable properties are skipped.", "in": "query", - "name": "subject_set.relation", + "name": "expand", "schema": { - "type": "string" + "enum": [ + "identity", + "devices" + ], + "items": { + "type": "string" + }, + "type": "array" } }, { - "in": "query", - "name": "max-depth", + "description": "ID is the session's ID.", + "in": "path", + "name": "id", + "required": true, "schema": { - "format": "int64", - "type": "integer" + "type": "string" } } ], @@ -12300,11 +4621,11 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/checkPermissionResult" + "$ref": "#/components/schemas/session" } } }, - "description": "checkPermissionResult" + "description": "session" }, "400": { "content": { @@ -12332,44 +4653,37 @@ "oryAccessToken": [] } ], - "summary": "Check a permission", + "summary": "Get Session", "tags": [ - "permission" + "identity" ] - }, - "post": { - "description": "To learn how relationship tuples and the check works, head over to [the documentation](https://www.ory.sh/docs/keto/concepts/api-overview).", - "operationId": "postCheckPermission", + } + }, + "/admin/sessions/{id}/extend": { + "patch": { + "description": "Calling this endpoint extends the given session ID. If `session.earliest_possible_extend` is set it\nwill only extend the session after the specified time has passed.\n\nRetrieve the session ID from the `/sessions/whoami` endpoint / `toSession` SDK method.", + "operationId": "extendSession", "parameters": [ { - "in": "query", - "name": "max-depth", + "description": "ID is the session's ID.", + "in": "path", + "name": "id", + "required": true, "schema": { - "format": "int64", - "type": "integer" + "type": "string" } } ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/postCheckPermissionBody" - } - } - }, - "x-originalParamName": "Payload" - }, "responses": { "200": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/checkPermissionResult" + "$ref": "#/components/schemas/session" } } }, - "description": "checkPermissionResult" + "description": "session" }, "400": { "content": { @@ -12381,6 +4695,16 @@ }, "description": "errorGeneric" }, + "404": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, "default": { "content": { "application/json": { @@ -12397,103 +4721,113 @@ "oryAccessToken": [] } ], - "summary": "Check a permission", + "summary": "Extend a Session", "tags": [ - "permission" + "identity" ] } }, - "/relation-tuples/expand": { + "/health/alive": { "get": { - "description": "Use this endpoint to expand a relationship tuple into permissions.", - "operationId": "expandPermissions", - "parameters": [ - { - "description": "Namespace of the Subject Set", - "in": "query", - "name": "namespace", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "Object of the Subject Set", - "in": "query", - "name": "object", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "Relation of the Subject Set", - "in": "query", - "name": "relation", - "required": true, - "schema": { - "type": "string" - } - }, - { - "in": "query", - "name": "max-depth", - "schema": { - "format": "int64", - "type": "integer" - } - } - ], + "description": "This endpoint returns a HTTP 200 status code when Ory Kratos is accepting incoming\nHTTP requests. This status does currently not include checks whether the database connection is working.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the health status will never\nrefer to the cluster state, only to a single instance.", + "operationId": "isAlive", "responses": { "200": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/expandedPermissionTree" + "properties": { + "status": { + "description": "Always \"ok\".", + "type": "string" + } + }, + "required": [ + "status" + ], + "type": "object" } } }, - "description": "expandedPermissionTree" + "description": "Ory Kratos is ready to accept connections." }, - "400": { + "default": { + "content": { + "text/plain": { + "schema": { + "type": "string" + } + } + }, + "description": "Unexpected error" + } + }, + "summary": "Check HTTP Server Status", + "tags": [ + "metadata" + ] + } + }, + "/health/ready": { + "get": { + "description": "This endpoint returns a HTTP 200 status code when Ory Kratos is up running and the environment dependencies (e.g.\nthe database) are responsive as well.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of Ory Kratos, the health status will never\nrefer to the cluster state, only to a single instance.", + "operationId": "isReady", + "responses": { + "200": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/errorGeneric" + "properties": { + "status": { + "description": "Always \"ok\".", + "type": "string" + } + }, + "required": [ + "status" + ], + "type": "object" } } }, - "description": "errorGeneric" + "description": "Ory Kratos is ready to accept requests." }, - "404": { + "503": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/errorGeneric" + "properties": { + "errors": { + "additionalProperties": { + "type": "string" + }, + "description": "Errors contains a list of errors that caused the not ready status.", + "type": "object" + } + }, + "required": [ + "errors" + ], + "type": "object" } } }, - "description": "errorGeneric" + "description": "Ory Kratos is not yet ready to accept requests." }, "default": { "content": { - "application/json": { + "text/plain": { "schema": { - "$ref": "#/components/schemas/errorGeneric" + "type": "string" } } }, - "description": "errorGeneric" + "description": "Unexpected error" } }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Expand a Relationship into permissions.", + "summary": "Check HTTP Server and Database Status", "tags": [ - "permission" + "metadata" ] } }, @@ -12503,7 +4837,7 @@ "operationId": "listIdentitySchemas", "parameters": [ { - "description": "Items per Page\n\nThis is the number of items per page.", + "description": "Deprecated Items per Page\n\nDEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.\n\nThis is the number of items per page.", "in": "query", "name": "per_page", "schema": { @@ -12515,15 +4849,35 @@ } }, { - "description": "Pagination Page\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.", + "description": "Deprecated Pagination Page\n\nDEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.\nThe first page can be retrieved by omitting this parameter. Following page pointers will be returned in the\n`Link` header.", "in": "query", "name": "page", "schema": { - "default": 1, "format": "int64", + "type": "integer" + } + }, + { + "description": "Page Size\n\nThis is the number of items per page to return. For details on pagination please head over to the\n[pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_size", + "schema": { + "default": 250, + "format": "int64", + "maximum": 500, "minimum": 1, "type": "integer" } + }, + { + "description": "Next Page Token\n\nThe next page token. For details on pagination please head over to the\n[pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_token", + "schema": { + "default": "1", + "minimum": 1, + "type": "string" + } } ], "responses": { @@ -12665,7 +5019,7 @@ }, "/self-service/login": { "post": { - "description": ":::info\n\nThis endpoint is EXPERIMENTAL and subject to potential breaking changes in the future.\n\n:::\n\nUse this endpoint to complete a login flow. This endpoint\nbehaves differently for API and browser flows.\n\nAPI flows expect `application/json` to be sent in the body and responds with\nHTTP 200 and a application/json body with the session token on success;\nHTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;\nHTTP 400 on form validation errors.\n\nBrowser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with\na HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;\na HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.\n\nBrowser flows with an accept header of `application/json` will not redirect but instead respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nIf this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", + "description": "Use this endpoint to complete a login flow. This endpoint\nbehaves differently for API and browser flows.\n\nAPI flows expect `application/json` to be sent in the body and responds with\nHTTP 200 and a application/json body with the session token on success;\nHTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;\nHTTP 400 on form validation errors.\n\nBrowser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with\na HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;\na HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.\n\nBrowser flows with an accept header of `application/json` will not redirect but instead respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nIf this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", "operationId": "updateLoginFlow", "parameters": [ { @@ -12899,6 +5253,14 @@ "schema": { "type": "string" } + }, + { + "description": "An optional organization ID that should be used for logging this user in.\nThis parameter is only effective in the Ory Network.", + "in": "query", + "name": "organization", + "schema": { + "type": "string" + } } ], "responses": { @@ -13195,7 +5557,7 @@ }, "/self-service/recovery": { "post": { - "description": "Use this endpoint to complete a recovery flow. This endpoint\nbehaves differently for API and browser flows and has several states:\n\n`choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent\nand works with API- and Browser-initiated flows.\nFor API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid.\nand a HTTP 303 See Other redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).\nFor Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Recovery UI URL with the Recovery Flow ID appended.\n`sent_email` is the success state after `choose_method` for the `link` method and allows the user to request another recovery email. It\nworks for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.\n`passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow (\"sending a recovery link\")\ndoes not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL\n(if the link was valid) and instructs the user to update their password, or a redirect to the Recover UI URL with\na new Recovery Flow ID which contains an error message that the recovery link was invalid.\n\nMore information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).", + "description": "Use this endpoint to update a recovery flow. This endpoint\nbehaves differently for API and browser flows and has several states:\n\n`choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent\nand works with API- and Browser-initiated flows.\nFor API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid.\nand a HTTP 303 See Other redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).\nFor Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Recovery UI URL with the Recovery Flow ID appended.\n`sent_email` is the success state after `choose_method` for the `link` method and allows the user to request another recovery email. It\nworks for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.\n`passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow (\"sending a recovery link\")\ndoes not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL\n(if the link was valid) and instructs the user to update their password, or a redirect to the Recover UI URL with\na new Recovery Flow ID which contains an error message that the recovery link was invalid.\n\nMore information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).", "operationId": "updateRecoveryFlow", "parameters": [ { @@ -13295,7 +5657,7 @@ "description": "errorGeneric" } }, - "summary": "Complete Recovery Flow", + "summary": "Update Recovery Flow", "tags": [ "frontend" ] @@ -13303,7 +5665,7 @@ }, "/self-service/recovery/api": { "get": { - "description": "This endpoint initiates a recovery flow for API clients such as mobile devices, smart TVs, and so on.\n\nIf a valid provided session cookie or session token is provided, a 400 Bad Request error.\n\nTo fetch an existing recovery flow call `/self-service/recovery/flows?flow=\u003cflow_id\u003e`.\n\nYou MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server\nPages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make\nyou vulnerable to a variety of CSRF attacks.\n\nThis endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).\n\nMore information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).", + "description": "This endpoint initiates a recovery flow for API clients such as mobile devices, smart TVs, and so on.\n\nIf a valid provided session cookie or session token is provided, a 400 Bad Request error.\n\nOn an existing recovery flow, use the `getRecoveryFlow` API endpoint.\n\nYou MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server\nPages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make\nyou vulnerable to a variety of CSRF attacks.\n\nThis endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).\n\nMore information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).", "operationId": "createNativeRecoveryFlow", "responses": { "200": { @@ -13631,7 +5993,7 @@ }, "/self-service/registration/browser": { "get": { - "description": "This endpoint initializes a browser-based user registration flow. This endpoint will set the appropriate\ncookies and anti-CSRF measures required for browser-based flows.\n\n:::info\n\nThis endpoint is EXPERIMENTAL and subject to potential breaking changes in the future.\n\n:::\n\nIf this endpoint is opened as a link in the browser, it will be redirected to\n`selfservice.flows.registration.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session\nexists already, the browser will be redirected to `urls.default_redirect_url`.\n\nIf this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n\nIf this endpoint is called via an AJAX request, the response contains the registration flow without a redirect.\n\nThis endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", + "description": "This endpoint initializes a browser-based user registration flow. This endpoint will set the appropriate\ncookies and anti-CSRF measures required for browser-based flows.\n\nIf this endpoint is opened as a link in the browser, it will be redirected to\n`selfservice.flows.registration.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session\nexists already, the browser will be redirected to `urls.default_redirect_url`.\n\nIf this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n\nIf this endpoint is called via an AJAX request, the response contains the registration flow without a redirect.\n\nThis endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", "operationId": "createBrowserRegistrationFlow", "parameters": [ { @@ -13657,6 +6019,13 @@ "schema": { "type": "string" } + }, + { + "in": "query", + "name": "organization", + "schema": { + "type": "string" + } } ], "responses": { @@ -14468,7 +6837,7 @@ "operationId": "listMySessions", "parameters": [ { - "description": "Items per Page\n\nThis is the number of items per page.", + "description": "Deprecated Items per Page\n\nDEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.\n\nThis is the number of items per page.", "in": "query", "name": "per_page", "schema": { @@ -14480,16 +6849,36 @@ } }, { - "description": "Pagination Page\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.", + "description": "Deprecated Pagination Page\n\nDEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.\n\nThis value is currently an integer, but it is not sequential. The value is not the page number, but a\nreference. The next page can be any number and some numbers might return an empty list.\n\nFor example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.\nThe first page can be retrieved by omitting this parameter. Following page pointers will be returned in the\n`Link` header.", "in": "query", "name": "page", "schema": { - "default": 1, "format": "int64", + "type": "integer" + } + }, + { + "description": "Page Size\n\nThis is the number of items per page to return. For details on pagination please head over to the\n[pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_size", + "schema": { + "default": 250, + "format": "int64", + "maximum": 500, "minimum": 1, "type": "integer" } }, + { + "description": "Next Page Token\n\nThe next page token. For details on pagination please head over to the\n[pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_token", + "schema": { + "default": "1", + "minimum": 1, + "type": "string" + } + }, { "description": "Set the Session Token when calling from non-browser clients. A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.", "in": "header", @@ -14631,7 +7020,7 @@ }, "/sessions/whoami": { "get": { - "description": "Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated.\nReturns a session object in the body or 401 if the credentials are invalid or no credentials were sent.\nWhen the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header\nin the response.\n\nIf you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint:\n\n```js\npseudo-code example\nrouter.get('/protected-endpoint', async function (req, res) {\nconst session = await client.toSession(undefined, req.header('cookie'))\n\nconsole.log(session)\n})\n```\n\nWhen calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token:\n\n```js\npseudo-code example\n...\nconst session = await client.toSession(\"the-session-token\")\n\nconsole.log(session)\n```\n\nDepending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator\nAssurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn\ncredentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user\nto sign in with the second factor or change the configuration.\n\nThis endpoint is useful for:\n\nAJAX calls. Remember to send credentials and set up CORS correctly!\nReverse proxies and API Gateways\nServer-side calls - use the `X-Session-Token` header!\n\nThis endpoint authenticates users by checking:\n\nif the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie;\nif the `Authorization: bearer \u003cory-session-token\u003e` HTTP header was set with a valid Ory Kratos Session Token;\nif the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token.\n\nIf none of these headers are set or the cooke or token are invalid, the endpoint returns a HTTP 401 status code.\n\nAs explained above, this request may fail due to several reasons. The `error.id` can be one of:\n\n`session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token).\n`session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor.", + "description": "Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated.\nReturns a session object in the body or 401 if the credentials are invalid or no credentials were sent.\nWhen the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header\nin the response.\n\nIf you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint:\n\n```js\npseudo-code example\nrouter.get('/protected-endpoint', async function (req, res) {\nconst session = await client.toSession(undefined, req.header('cookie'))\n\nconsole.log(session)\n})\n```\n\nWhen calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token:\n\n```js\npseudo-code example\n...\nconst session = await client.toSession(\"the-session-token\")\n\nconsole.log(session)\n```\n\nWhen using a token template, the token is included in the `tokenized` field of the session.\n\n```js\npseudo-code example\n...\nconst session = await client.toSession(\"the-session-token\", { tokenize_as: \"example-jwt-template\" })\n\nconsole.log(session.tokenized) // The JWT\n```\n\nDepending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator\nAssurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn\ncredentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user\nto sign in with the second factor or change the configuration.\n\nThis endpoint is useful for:\n\nAJAX calls. Remember to send credentials and set up CORS correctly!\nReverse proxies and API Gateways\nServer-side calls - use the `X-Session-Token` header!\n\nThis endpoint authenticates users by checking:\n\nif the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie;\nif the `Authorization: bearer \u003cory-session-token\u003e` HTTP header was set with a valid Ory Kratos Session Token;\nif the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token.\n\nIf none of these headers are set or the cookie or token are invalid, the endpoint returns a HTTP 401 status code.\n\nAs explained above, this request may fail due to several reasons. The `error.id` can be one of:\n\n`session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token).\n`session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor.", "operationId": "toSession", "parameters": [ { @@ -14651,6 +7040,14 @@ "schema": { "type": "string" } + }, + { + "description": "Returns the session additionally as a token (such as a JWT)\n\nThe value of this parameter has to be a valid, configured Ory Session token template. For more information head over to [the documentation](http://ory.sh/docs/identities/session-to-jwt-cors).", + "in": "query", + "name": "tokenize_as", + "schema": { + "type": "string" + } } ], "responses": { @@ -14773,43 +7170,6 @@ ] } }, - "/userinfo": { - "get": { - "description": "This endpoint returns the payload of the ID Token, including `session.id_token` values, of\nthe provided OAuth 2.0 Access Token's consent request.\n\nIn the case of authentication error, a WWW-Authenticate header might be set in the response\nwith more information about the error. See [the spec](https://datatracker.ietf.org/doc/html/rfc6750#section-3)\nfor more details about header format.", - "operationId": "getOidcUserInfo", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/oidcUserInfo" - } - } - }, - "description": "oidcUserInfo" - }, - "default": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/errorOAuth2" - } - } - }, - "description": "errorOAuth2" - } - }, - "security": [ - { - "oauth2": [] - } - ], - "summary": "OpenID Connect Userinfo", - "tags": [ - "oidc" - ] - } - }, "/version": { "get": { "description": "This endpoint returns the version of Ory Kratos.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the version will never\nrefer to the cluster state, only to a single instance.", @@ -14835,11 +7195,6 @@ "description": "Returns the Ory Kratos version." } }, - "security": [ - { - "oryAccessToken": [] - } - ], "summary": "Return Running Software Version.", "tags": [ "metadata" @@ -14847,17 +7202,6 @@ } } }, - "servers": [ - { - "url": "https://{project}.projects.oryapis.com/", - "variables": { - "project": { - "default": "playground", - "description": "Project slug as provided by the Ory Console." - } - } - } - ], "tags": [ { "description": "APIs for managing identities.", @@ -14878,4 +7222,4 @@ ], "x-forwarded-proto": "string", "x-request-id": "string" -} +} \ No newline at end of file diff --git a/openapitools.json b/openapitools.json index 601ac1d6..64f2cbb5 100644 --- a/openapitools.json +++ b/openapitools.json @@ -2,6 +2,6 @@ "$schema": "node_modules/@openapitools/openapi-generator-cli/config.schema.json", "spaces": 2, "generator-cli": { - "version": "5.2.1" + "version": "7.2.0" } } diff --git a/package-lock.json b/package-lock.json index bb875445..668391a8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -390,14 +390,14 @@ } }, "node_modules/@next/env": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/env/-/env-13.5.3.tgz", - "integrity": "sha512-X4te86vsbjsB7iO4usY9jLPtZ827Mbx+WcwNBGUOIuswuTAKQtzsuoxc/6KLxCMvogKG795MhrR1LDhYgDvasg==" + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/env/-/env-14.0.4.tgz", + "integrity": "sha512-irQnbMLbUNQpP1wcE5NstJtbuA/69kRfzBrpAD7Gsn8zm/CY6YQYc3HQBz8QPxwISG26tIm5afvvVbu508oBeQ==" }, "node_modules/@next/swc-darwin-arm64": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-13.5.3.tgz", - "integrity": "sha512-6hiYNJxJmyYvvKGrVThzo4nTcqvqUTA/JvKim7Auaj33NexDqSNwN5YrrQu+QhZJCIpv2tULSHt+lf+rUflLSw==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-14.0.4.tgz", + "integrity": "sha512-mF05E/5uPthWzyYDyptcwHptucf/jj09i2SXBPwNzbgBNc+XnwzrL0U6BmPjQeOL+FiB+iG1gwBeq7mlDjSRPg==", "cpu": [ "arm64" ], @@ -410,9 +410,9 @@ } }, "node_modules/@next/swc-darwin-x64": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-13.5.3.tgz", - "integrity": "sha512-UpBKxu2ob9scbpJyEq/xPgpdrgBgN3aLYlxyGqlYX5/KnwpJpFuIHU2lx8upQQ7L+MEmz+fA1XSgesoK92ppwQ==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-14.0.4.tgz", + "integrity": "sha512-IZQ3C7Bx0k2rYtrZZxKKiusMTM9WWcK5ajyhOZkYYTCc8xytmwSzR1skU7qLgVT/EY9xtXDG0WhY6fyujnI3rw==", "cpu": [ "x64" ], @@ -425,9 +425,9 @@ } }, "node_modules/@next/swc-linux-arm64-gnu": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-13.5.3.tgz", - "integrity": "sha512-5AzM7Yx1Ky+oLY6pHs7tjONTF22JirDPd5Jw/3/NazJ73uGB05NqhGhB4SbeCchg7SlVYVBeRMrMSZwJwq/xoA==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-14.0.4.tgz", + "integrity": "sha512-VwwZKrBQo/MGb1VOrxJ6LrKvbpo7UbROuyMRvQKTFKhNaXjUmKTu7wxVkIuCARAfiI8JpaWAnKR+D6tzpCcM4w==", "cpu": [ "arm64" ], @@ -440,9 +440,9 @@ } }, "node_modules/@next/swc-linux-arm64-musl": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-13.5.3.tgz", - "integrity": "sha512-A/C1shbyUhj7wRtokmn73eBksjTM7fFQoY2v/0rTM5wehpkjQRLOXI8WJsag2uLhnZ4ii5OzR1rFPwoD9cvOgA==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-14.0.4.tgz", + "integrity": "sha512-8QftwPEW37XxXoAwsn+nXlodKWHfpMaSvt81W43Wh8dv0gkheD+30ezWMcFGHLI71KiWmHK5PSQbTQGUiidvLQ==", "cpu": [ "arm64" ], @@ -455,9 +455,9 @@ } }, "node_modules/@next/swc-linux-x64-gnu": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-13.5.3.tgz", - "integrity": "sha512-FubPuw/Boz8tKkk+5eOuDHOpk36F80rbgxlx4+xty/U71e3wZZxVYHfZXmf0IRToBn1Crb8WvLM9OYj/Ur815g==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-14.0.4.tgz", + "integrity": "sha512-/s/Pme3VKfZAfISlYVq2hzFS8AcAIOTnoKupc/j4WlvF6GQ0VouS2Q2KEgPuO1eMBwakWPB1aYFIA4VNVh667A==", "cpu": [ "x64" ], @@ -470,9 +470,9 @@ } }, "node_modules/@next/swc-linux-x64-musl": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-13.5.3.tgz", - "integrity": "sha512-DPw8nFuM1uEpbX47tM3wiXIR0Qa+atSzs9Q3peY1urkhofx44o7E1svnq+a5Q0r8lAcssLrwiM+OyJJgV/oj7g==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-14.0.4.tgz", + "integrity": "sha512-m8z/6Fyal4L9Bnlxde5g2Mfa1Z7dasMQyhEhskDATpqr+Y0mjOBZcXQ7G5U+vgL22cI4T7MfvgtrM2jdopqWaw==", "cpu": [ "x64" ], @@ -485,9 +485,9 @@ } }, "node_modules/@next/swc-win32-arm64-msvc": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-13.5.3.tgz", - "integrity": "sha512-zBPSP8cHL51Gub/YV8UUePW7AVGukp2D8JU93IHbVDu2qmhFAn9LWXiOOLKplZQKxnIPUkJTQAJDCWBWU4UWUA==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-14.0.4.tgz", + "integrity": "sha512-7Wv4PRiWIAWbm5XrGz3D8HUkCVDMMz9igffZG4NB1p4u1KoItwx9qjATHz88kwCEal/HXmbShucaslXCQXUM5w==", "cpu": [ "arm64" ], @@ -500,9 +500,9 @@ } }, "node_modules/@next/swc-win32-ia32-msvc": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-13.5.3.tgz", - "integrity": "sha512-ONcL/lYyGUj4W37D4I2I450SZtSenmFAvapkJQNIJhrPMhzDU/AdfLkW98NvH1D2+7FXwe7yclf3+B7v28uzBQ==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-14.0.4.tgz", + "integrity": "sha512-zLeNEAPULsl0phfGb4kdzF/cAVIfaC7hY+kt0/d+y9mzcZHsMS3hAS829WbJ31DkSlVKQeHEjZHIdhN+Pg7Gyg==", "cpu": [ "ia32" ], @@ -515,9 +515,9 @@ } }, "node_modules/@next/swc-win32-x64-msvc": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-13.5.3.tgz", - "integrity": "sha512-2Vz2tYWaLqJvLcWbbTlJ5k9AN6JD7a5CN2pAeIzpbecK8ZF/yobA39cXtv6e+Z8c5UJuVOmaTldEAIxvsIux/Q==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-14.0.4.tgz", + "integrity": "sha512-yEh2+R8qDlDCjxVpzOTEpBLQTEFAcP2A8fUFLaWNap9GitYKkKv1//y2S6XY6zsR4rCOPRpU7plYDR+az2n30A==", "cpu": [ "x64" ], @@ -2264,9 +2264,9 @@ "integrity": "sha512-GRnmB5gPyJpAhTQdSZTSp9uaPSvl09KoYcMQtsB9rQoOmzs9dH6ffeccH+Z+cv6P68Hu5bC6JjRh4Ah/mHSNRw==" }, "node_modules/follow-redirects": { - "version": "1.15.3", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.3.tgz", - "integrity": "sha512-1VzOtuEM8pC9SFU1E+8KfTjZyMztRsgEfwQl44z8A25uy13jSzTj6dyK2Df52iV0vgHCfBwLhDWevLn95w5v6Q==", + "version": "1.15.4", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.4.tgz", + "integrity": "sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw==", "funding": [ { "type": "individual", @@ -3640,35 +3640,35 @@ "integrity": "sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==" }, "node_modules/next": { - "version": "13.5.3", - "resolved": "https://registry.npmjs.org/next/-/next-13.5.3.tgz", - "integrity": "sha512-4Nt4HRLYDW/yRpJ/QR2t1v63UOMS55A38dnWv3UDOWGezuY0ZyFO1ABNbD7mulVzs9qVhgy2+ppjdsANpKP1mg==", + "version": "14.0.4", + "resolved": "https://registry.npmjs.org/next/-/next-14.0.4.tgz", + "integrity": "sha512-qbwypnM7327SadwFtxXnQdGiKpkuhaRLE2uq62/nRul9cj9KhQ5LhHmlziTNqUidZotw/Q1I9OjirBROdUJNgA==", "dependencies": { - "@next/env": "13.5.3", + "@next/env": "14.0.4", "@swc/helpers": "0.5.2", "busboy": "1.6.0", "caniuse-lite": "^1.0.30001406", - "postcss": "8.4.14", + "graceful-fs": "^4.2.11", + "postcss": "8.4.31", "styled-jsx": "5.1.1", - "watchpack": "2.4.0", - "zod": "3.21.4" + "watchpack": "2.4.0" }, "bin": { "next": "dist/bin/next" }, "engines": { - "node": ">=16.14.0" + "node": ">=18.17.0" }, "optionalDependencies": { - "@next/swc-darwin-arm64": "13.5.3", - "@next/swc-darwin-x64": "13.5.3", - "@next/swc-linux-arm64-gnu": "13.5.3", - "@next/swc-linux-arm64-musl": "13.5.3", - "@next/swc-linux-x64-gnu": "13.5.3", - "@next/swc-linux-x64-musl": "13.5.3", - "@next/swc-win32-arm64-msvc": "13.5.3", - "@next/swc-win32-ia32-msvc": "13.5.3", - "@next/swc-win32-x64-msvc": "13.5.3" + "@next/swc-darwin-arm64": "14.0.4", + "@next/swc-darwin-x64": "14.0.4", + "@next/swc-linux-arm64-gnu": "14.0.4", + "@next/swc-linux-arm64-musl": "14.0.4", + "@next/swc-linux-x64-gnu": "14.0.4", + "@next/swc-linux-x64-musl": "14.0.4", + "@next/swc-win32-arm64-msvc": "14.0.4", + "@next/swc-win32-ia32-msvc": "14.0.4", + "@next/swc-win32-x64-msvc": "14.0.4" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", @@ -3685,29 +3685,6 @@ } } }, - "node_modules/next/node_modules/postcss": { - "version": "8.4.14", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.14.tgz", - "integrity": "sha512-E398TUmfAYFPBSdzgeieK2Y1+1cpdxJx8yXbK/m57nRhKSmk1GB2tO4lbLBtlkfPQTDKfe4Xqv1ASWPpayPEig==", - "funding": [ - { - "type": "opencollective", - "url": "https://opencollective.com/postcss/" - }, - { - "type": "tidelift", - "url": "https://tidelift.com/funding/github/npm/postcss" - } - ], - "dependencies": { - "nanoid": "^3.3.4", - "picocolors": "^1.0.0", - "source-map-js": "^1.0.2" - }, - "engines": { - "node": "^10 || ^12 || >=14" - } - }, "node_modules/nice-try": { "version": "1.0.5", "resolved": "https://registry.npmjs.org/nice-try/-/nice-try-1.0.5.tgz", @@ -4174,7 +4151,6 @@ "version": "8.4.31", "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz", "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==", - "dev": true, "funding": [ { "type": "opencollective", @@ -4189,8 +4165,6 @@ "url": "https://github.com/sponsors/ai" } ], - "optional": true, - "peer": true, "dependencies": { "nanoid": "^3.3.6", "picocolors": "^1.0.0", @@ -5915,14 +5889,6 @@ "engines": { "node": ">=6" } - }, - "node_modules/zod": { - "version": "3.21.4", - "resolved": "https://registry.npmjs.org/zod/-/zod-3.21.4.tgz", - "integrity": "sha512-m46AKbrzKVzOzs/DZgVnG5H55N1sv1M8qZU3A8RIKbs3mrACDNeIOeilDymVb2HdmP8uwshOCF4uJ8uM9rCqJw==", - "funding": { - "url": "https://github.com/sponsors/colinhacks" - } } } }