Signicat OIDC Config API (v1)
With this API, you can configure your OIDC clients for Authentication
List clients
Use this endpoint to view a list of all the clients you have configured
Authorizations:
query Parameters
primaryGrantType | Array of strings Items Enum: "ClientCredentials" "AuthorizationCode" "Hybrid" "Ciba" "DeviceFlow" |
id | string |
name | string |
account | string |
searchText | string |
Responses
Response samples
- 200
```json
[
  {
    "id": "chimney-sweep-monkey",
    "name": "Stupefied animals portal",
    "account": "a-pdge-kl2234afhrq34422j",
    "acr": {
      "values": "idp:dummy",
      "forced": true
    },
    "pairWiseSubjectSalt": "qfwhqw7832gqhw",
    "encryptIdTokens": false,
    "requireSecret": false,
    "requirePkce": true,
    "requireRequestObject": false,
    "useReferenceAccessTokens": false,
    "allowedScopes": [
      "internal-stuff",
      "healthy-food"
    ],
    "allowOfflineAccess": true,
    "allowAccessTokensViaBrowser": true,
    "frontChannelLogoutSessionRequired": true,
    "identityProviderRestrictions": [
      "some-idp",
      "another-one"
    ],
    "userSsoLifetime": 1200,
    "identityTokenLifetime": 500,
    "accessTokenLifetime": 600,
    "authorizationCodeLifetime": 15,
    "absoluteRefreshTokenLifetime": 50000,
    "slidingRefreshTokenLifetime": 60000,
    "allowRefreshTokenReuse": true,
    "slidingRefreshTokenExpiry": false,
    "deviceCodeLifetime": 100,
    "primaryGrantType": "ClientCredentials",
    "contentEncryptionAlgorithm": "A128CBC-HS256",
    "idTokenUserData": "StandardScopes",
    "userInfoResponseType": "SignedAndEncrypted",
    "version": "00000000_2a43947f32e7820a2b567c3351a37046",
    "requireConsent": false,
    "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
    "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
    "automaticRedirectAfterSignOut": false,
    "usageExternalReference": "string",
    "subjectLookupsEnabled": false,
    "useCookieless": false,
    "requirePushedAuthorization": false,
    "embeddedParentDomains": [
      "signicat.com",
      "example.com"
    ]
  }
]
```
Create configuration
Use this endpoint to create a new client configuration
Authorizations:
Request Body schema:
The client specification.
id | string or null <= 100 characters Client identifier (Globally unique). If not provided a new ID will be generated. |
name required | string non-empty Client name. |
account required | string [ 1 .. 100 ] characters Client account id. |
acr | object (Acr) |
pairWiseSubjectSalt | string or null Salt value used in pair-wise subjectId generation for users of this client. |
uri | string or null <uri> URI to further information about client (used on consent screen). |
logoUri | string or null <uri> URI to client logo (used on consent screen). Must be an absolute HTTPS URI. |
encryptIdTokens | boolean Default: false Enable/Disable IDTokens encryption. If enabled requires public keys allowed to encrypt. |
requireSecret | boolean Default: true Specifies whether this client needs a secret to request tokens from the token endpoint. At least one of these attributes must be 'true' (RequireSecret or RequirePkce). When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'true'. |
requirePkce | boolean Default: false Specifies whether clients using an authorization code based grant type must send a proof key. At least one of these attributes must be 'true' (RequireSecret or RequirePkce). |
requireRequestObject | boolean Default: false Specifies whether this client needs to wrap the authorize request parameters in a JWT. When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'false'. |
useReferenceAccessTokens | boolean Default: false Specifies whether reference tokens should be used. |
redirectUris | Array of strings or null <uri> Specifies the allowed URIs to return tokens or authorization codes to. Must contain at least one redirect URI when the PrimaryGrantType attribute is DeviceFlow. Each must be an absolute HTTPS URI; HTTP URIs are only allowed if they point at localhost. |
allowedScopes required | Array of strings Specifies the resources that the client has access to. |
allowOfflineAccess | boolean Default: true Specifies whether this client can request refresh tokens. |
allowAccessTokensViaBrowser | boolean Default: false Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leaking the token to the browser). |
postLogoutRedirectUris | Array of strings or null <uri> Specifies allowed URIs to redirect to after logout. See the OpenID Connect Session Management spec (https://openid.net/specs/openid-connect-session-1_0.html) for more details. |
frontChannelLogoutUri | string or null <uri> Specifies the logout URI at the client for HTTP-based front-channel logout. See the OIDC Front-Channel spec (https://openid.net/specs/openid-connect-frontchannel-1_0.html) for more details. Must be an absolute HTTPS URI; HTTP URIs are only allowed if they point at localhost. |
frontChannelLogoutSessionRequired | boolean Default: false Specifies if the user’s session id should be sent to the FrontChannelLogoutUri. |
identityProviderRestrictions | Array of strings or null Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty. |
userSsoLifetime | integer <int32> [ 1 .. 10800 ] Default: 3600 The maximum duration (in seconds) since the last time the user authenticated. You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application. The default value is 3600 seconds. |
identityTokenLifetime | integer <int32> [ 1 .. 3600 ] Default: 600 Lifetime of the identity token in seconds. The default value is 600 seconds. |
accessTokenLifetime | integer <int32> [ 1 .. 3600 ] Default: 600 Lifetime of access token in seconds. The default value is 600 seconds. |
authorizationCodeLifetime | integer <int32> [ 1 .. 60 ] Default: 15 Lifetime of authorization code in seconds. The default value is 15 seconds. |
absoluteRefreshTokenLifetime | integer <int32> [ 1 .. 2592000 ] Default: 86400 Maximum lifetime of a refresh token in seconds. The default value is 86400 seconds. Must be greater than 1 when attribute SlidingRefreshTokenExpiry is off and AllowOfflineAccess is on. |
slidingRefreshTokenLifetime | integer <int32> [ 1 .. 1296000 ] Default: 86400 Sliding lifetime of a refresh token in seconds. The default value is 86400 seconds. Must be greater than 1 when attributes SlidingRefreshTokenExpiry and AllowOfflineAccess are on. |
allowRefreshTokenReuse | boolean Default: false Allows refresh token reuse. When enabled, the refresh token handle will stay the same when refreshing tokens. If set to false (default value) then the refresh token handle will be updated when refreshing tokens. |
slidingRefreshTokenExpiry | boolean Default: false Specifies whether the refresh token should expire or not. Currently has no default value and fails if not set. When set to 'true' and AllowOfflineAccess is on then the SlidingRefreshTokenLifetime attribute must be greater than 0. When set to 'false' and AllowOfflineAccess is on then the AbsoluteRefreshTokenLifetime attribute must be greater than 0. |
deviceCodeLifetime | integer <int32> [ 1 .. 600 ] Default: 300 Lifetime of the device code in seconds. The default value is 300 seconds. Must be greater than 0 when the PrimaryGrantType attribute is the DeviceFlow grant type. |
allowedCorsOrigins | Array of strings or null Specifies the allowed CORS origins that will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients. |
primaryGrantType required | string Enum: "ClientCredentials" "AuthorizationCode" "Hybrid" "Ciba" "DeviceFlow" Specifies the primary grant type the client is allowed to use. |
contentEncryptionAlgorithm | string or null Enum: "A128CBC-HS256" "A192CBC-HS384" "A256CBC-HS512" Content encryption algorithm for ID tokens and the UserInfo response. Defaults to A256CBC-HS512. |
idTokenUserData | string Enum: "Minimal" "StandardScopes" "All" Defines the IdToken user data level. |
userInfoResponseType | string or null Enum: "Json" "Signed" "Encrypted" "SignedAndEncrypted" User info response type. Defaults to 'Json'. |
version | string or null Internal version of the client (Read only). |
requireConsent | boolean Default: false Specifies whether a consent screen is required. |
createdDate | string or null <date-time> Defines when the client was created (Read only). |
lastUpdatedDate | string or null <date-time> Defines the last change on the client (Read only). |
automaticRedirectAfterSignOut | boolean Default: false Indicates if after a logout, the client should be redirected automatically. Depends on the existence of at least one Uri in the PostLogoutRedirectUris property to operate as designed. |
usageExternalReference | string or null <= 100 characters External reference for transaction provided by the customer. Used to group transactions together for the customer. |
subjectLookupsEnabled | boolean or null Default: false Enables the Enterprise Subject Lookup migration feature. Note: You need admin permissions to enable this feature. |
useCookieless | boolean or null Default: false Enables the Client to not use cookies. Note: You need admin permissions to enable this feature. |
requirePushedAuthorization | boolean Default: false Enables the Client to require pushed authorization requests. |
embeddedParentDomains | Array of strings or null Specify the parent domains that will embed the authentication. This will be used for content security frame ancestor header if set, as an extra security mechanism to protect against clickjacking. |
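The cross-field rules in the schema above (secret or PKCE, grant-type constraints, URI schemes, lifetime ranges) can be checked locally before a payload is sent. The following is an added example, not Signicat code: `validate_client`, `uri_problem` and the sample payloads are constructed for illustration, and treating only the literal host `localhost` as "pointing at localhost" is an assumption.

```python
from urllib.parse import urlsplit

GRANT_TYPES = {"ClientCredentials", "AuthorizationCode", "Hybrid", "Ciba", "DeviceFlow"}
ENUMS = {
    "contentEncryptionAlgorithm": {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"},
    "idTokenUserData": {"Minimal", "StandardScopes", "All"},
    "userInfoResponseType": {"Json", "Signed", "Encrypted", "SignedAndEncrypted"},
}
# Inclusive ranges in seconds, copied from the schema table.
RANGES = {
    "userSsoLifetime": (1, 10800), "identityTokenLifetime": (1, 3600),
    "accessTokenLifetime": (1, 3600), "authorizationCodeLifetime": (1, 60),
    "absoluteRefreshTokenLifetime": (1, 2592000),
    "slidingRefreshTokenLifetime": (1, 1296000), "deviceCodeLifetime": (1, 600),
}
# Documented defaults of the flags that the cross-field rules depend on.
DEFAULTS = {"requireSecret": True, "requirePkce": False, "requireRequestObject": False}


def uri_problem(uri, allow_http_localhost):
    """Return a reason string if the URI breaks the documented rule, else None."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        return "is not an absolute URI"
    if parts.scheme == "https":
        return None
    # Compare the parsed host, not a string prefix (assumption: literal "localhost").
    if parts.scheme == "http" and allow_http_localhost and parts.hostname == "localhost":
        return None
    return "must use https"


def validate_client(cfg):
    """Return a list of rule violations; an empty list means the payload passes."""
    def flag(key):
        return cfg.get(key, DEFAULTS[key])

    errors = []
    grant = cfg.get("primaryGrantType")
    if not cfg.get("name"):
        errors.append("name: required and non-empty")
    if not 1 <= len(cfg.get("account") or "") <= 100:
        errors.append("account: required, 1..100 characters")
    if len(cfg.get("id") or "") > 100:
        errors.append("id: at most 100 characters")
    if not isinstance(cfg.get("allowedScopes"), list):
        errors.append("allowedScopes: required array")
    if grant not in GRANT_TYPES:
        errors.append("primaryGrantType: required, one of %s" % sorted(GRANT_TYPES))

    if not (flag("requireSecret") or flag("requirePkce")):
        errors.append("requireSecret/requirePkce: at least one must be true")
    if grant in ("ClientCredentials", "DeviceFlow"):
        if not flag("requireSecret"):
            errors.append("requireSecret: must be true for %s" % grant)
        if flag("requireRequestObject"):
            errors.append("requireRequestObject: must be false for %s" % grant)

    redirect_uris = cfg.get("redirectUris") or []
    if grant == "DeviceFlow" and not redirect_uris:
        errors.append("redirectUris: at least one required for DeviceFlow")
    uri_fields = [("redirectUris", u, True) for u in redirect_uris]
    if cfg.get("logoUri"):
        uri_fields.append(("logoUri", cfg["logoUri"], False))  # no localhost exception
    if cfg.get("frontChannelLogoutUri"):
        uri_fields.append(("frontChannelLogoutUri", cfg["frontChannelLogoutUri"], True))
    for field, uri, localhost_ok in uri_fields:
        problem = uri_problem(uri, localhost_ok)
        if problem:
            errors.append("%s: %s %s" % (field, uri, problem))

    for key, (low, high) in RANGES.items():
        value = cfg.get(key)
        if value is not None and not (isinstance(value, int) and low <= value <= high):
            errors.append("%s: must be an integer in %d..%d" % (key, low, high))
    for key, allowed in ENUMS.items():
        if cfg.get(key) is not None and cfg[key] not in allowed:
            errors.append("%s: must be one of %s" % (key, sorted(allowed)))
    return errors


# Constructed input reusing values from the request sample on this page.
PAGE_SAMPLE = {
    "name": "Stupefied animals portal", "account": "a-pdge-kl2234afhrq34422j",
    "allowedScopes": ["internal-stuff", "healthy-food"],
    "primaryGrantType": "ClientCredentials", "requireSecret": False,
    "requirePkce": True, "requireRequestObject": False,
    "authorizationCodeLifetime": 15, "deviceCodeLifetime": 100,
    "contentEncryptionAlgorithm": "A128CBC-HS256",
}
# Constructed public-client configuration: PKCE instead of a secret.
PKCE_CLIENT = dict(PAGE_SAMPLE, primaryGrantType="AuthorizationCode",
                   redirectUris=["https://app.example.com/cb", "http://localhost:5000/cb"])
# Constructed redirect URIs that each break the scheme rule in a different way.
BAD_URIS = dict(PKCE_CLIENT, redirectUris=["http://app.example.com/cb", "/cb",
                                           "http://localhost.example.com/cb"])

if __name__ == "__main__":
    for label, cfg in (("sample", PAGE_SAMPLE), ("pkce", PKCE_CLIENT), ("bad", BAD_URIS)):
        print(label, validate_client(cfg) or "ok")
```

Values taken from the sample payload combine `requireSecret: false` with `primaryGrantType: ClientCredentials`, which the `requireSecret` rule in the table does not allow, so the first input is reported.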
Responses
Request samples
- Payload
```json
{
  "id": "chimney-sweep-monkey",
  "name": "Stupefied animals portal",
  "account": "a-pdge-kl2234afhrq34422j",
  "acr": {
    "values": "idp:dummy",
    "forced": true
  },
  "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  "encryptIdTokens": false,
  "requireSecret": false,
  "requirePkce": true,
  "requireRequestObject": false,
  "useReferenceAccessTokens": false,
  "allowedScopes": [
    "internal-stuff",
    "healthy-food"
  ],
  "allowOfflineAccess": true,
  "allowAccessTokensViaBrowser": true,
  "frontChannelLogoutSessionRequired": true,
  "identityProviderRestrictions": [
    "some-idp",
    "another-one"
  ],
  "userSsoLifetime": 1200,
  "identityTokenLifetime": 500,
  "accessTokenLifetime": 600,
  "authorizationCodeLifetime": 15,
  "absoluteRefreshTokenLifetime": 50000,
  "slidingRefreshTokenLifetime": 60000,
  "allowRefreshTokenReuse": true,
  "slidingRefreshTokenExpiry": false,
  "deviceCodeLifetime": 100,
  "primaryGrantType": "ClientCredentials",
  "contentEncryptionAlgorithm": "A128CBC-HS256",
  "idTokenUserData": "StandardScopes",
  "userInfoResponseType": "SignedAndEncrypted",
  "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  "requireConsent": false,
  "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
  "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  "automaticRedirectAfterSignOut": false,
  "usageExternalReference": "string",
  "subjectLookupsEnabled": false,
  "useCookieless": false,
  "requirePushedAuthorization": false,
  "embeddedParentDomains": [
    "signicat.com",
    "example.com"
  ]
}
```
Response samples
- 201
```json
{
  "id": "chimney-sweep-monkey",
  "name": "Stupefied animals portal",
  "account": "a-pdge-kl2234afhrq34422j",
  "acr": {
    "values": "idp:dummy",
    "forced": true
  },
  "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  "encryptIdTokens": false,
  "requireSecret": false,
  "requirePkce": true,
  "requireRequestObject": false,
  "useReferenceAccessTokens": false,
  "allowedScopes": [
    "internal-stuff",
    "healthy-food"
  ],
  "allowOfflineAccess": true,
  "allowAccessTokensViaBrowser": true,
  "frontChannelLogoutSessionRequired": true,
  "identityProviderRestrictions": [
    "some-idp",
    "another-one"
  ],
  "userSsoLifetime": 1200,
  "identityTokenLifetime": 500,
  "accessTokenLifetime": 600,
  "authorizationCodeLifetime": 15,
  "absoluteRefreshTokenLifetime": 50000,
  "slidingRefreshTokenLifetime": 60000,
  "allowRefreshTokenReuse": true,
  "slidingRefreshTokenExpiry": false,
  "deviceCodeLifetime": 100,
  "primaryGrantType": "ClientCredentials",
  "contentEncryptionAlgorithm": "A128CBC-HS256",
  "idTokenUserData": "StandardScopes",
  "userInfoResponseType": "SignedAndEncrypted",
  "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  "requireConsent": false,
  "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
  "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  "automaticRedirectAfterSignOut": false,
  "usageExternalReference": "string",
  "subjectLookupsEnabled": false,
  "useCookieless": false,
  "requirePushedAuthorization": false,
  "embeddedParentDomains": [
    "signicat.com",
    "example.com"
  ]
}
```
Retrieve client configuration
Use this endpoint to retrieve a specific client configuration
Authorizations:
path Parameters
clientId required | string The ID of the client |
Responses
Response samples
- 200
```json
{
  "id": "chimney-sweep-monkey",
  "name": "Stupefied animals portal",
  "account": "a-pdge-kl2234afhrq34422j",
  "acr": {
    "values": "idp:dummy",
    "forced": true
  },
  "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  "encryptIdTokens": false,
  "requireSecret": false,
  "requirePkce": true,
  "requireRequestObject": false,
  "useReferenceAccessTokens": false,
  "allowedScopes": [
    "internal-stuff",
    "healthy-food"
  ],
  "allowOfflineAccess": true,
  "allowAccessTokensViaBrowser": true,
  "frontChannelLogoutSessionRequired": true,
  "identityProviderRestrictions": [
    "some-idp",
    "another-one"
  ],
  "userSsoLifetime": 1200,
  "identityTokenLifetime": 500,
  "accessTokenLifetime": 600,
  "authorizationCodeLifetime": 15,
  "absoluteRefreshTokenLifetime": 50000,
  "slidingRefreshTokenLifetime": 60000,
  "allowRefreshTokenReuse": true,
  "slidingRefreshTokenExpiry": false,
  "deviceCodeLifetime": 100,
  "primaryGrantType": "ClientCredentials",
  "contentEncryptionAlgorithm": "A128CBC-HS256",
  "idTokenUserData": "StandardScopes",
  "userInfoResponseType": "SignedAndEncrypted",
  "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  "requireConsent": false,
  "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
  "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  "automaticRedirectAfterSignOut": false,
  "usageExternalReference": "string",
  "subjectLookupsEnabled": false,
  "useCookieless": false,
  "requirePushedAuthorization": false,
  "embeddedParentDomains": [
    "signicat.com",
    "example.com"
  ]
}
```
Update configuration
Use this endpoint to update an existing client's configuration
Authorizations:
path Parameters
clientId required | string The client ID. |
Request Body schema:
The updated client specification.
id | string or null <= 100 characters Client identifier (Globally unique). If not provided a new ID will be generated. |
name required | string non-empty Client name. |
account required | string [ 1 .. 100 ] characters Client account id. |
acr | object (Acr) |
pairWiseSubjectSalt | string or null Salt value used in pair-wise subjectId generation for users of this client. |
uri | string or null <uri> URI to further information about client (used on consent screen). |
logoUri | string or null <uri> URI to client logo (used on consent screen). Must be an absolute HTTPS URI. |
encryptIdTokens | boolean Default: false Enable/Disable IDTokens encryption. If enabled requires public keys allowed to encrypt. |
requireSecret | boolean Default: true Specifies whether this client needs a secret to request tokens from the token endpoint. At least one of these attributes must be 'true' (RequireSecret or RequirePkce). When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'true'. |
requirePkce | boolean Default: false Specifies whether clients using an authorization code based grant type must send a proof key. At least one of these attributes must be 'true' (RequireSecret or RequirePkce). |
requireRequestObject | boolean Default: false Specifies whether this client needs to wrap the authorize request parameters in a JWT. When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'false'. |
useReferenceAccessTokens | boolean Default: false Specifies whether reference tokens should be used. |
redirectUris | Array of strings or null <uri> Specifies the allowed URIs to return tokens or authorization codes to. Must contain at least one redirect URI when the PrimaryGrantType attribute is DeviceFlow. Each must be an absolute HTTPS URI; HTTP URIs are only allowed if they point at localhost. |
allowedScopes required | Array of strings Specifies the resources that the client has access to. |
allowOfflineAccess | boolean Default: true Specifies whether this client can request refresh tokens. |
allowAccessTokensViaBrowser | boolean Default: false Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leaking the token to the browser). |
postLogoutRedirectUris | Array of strings or null <uri> Specifies allowed URIs to redirect to after logout. See the OpenID Connect Session Management spec (https://openid.net/specs/openid-connect-session-1_0.html) for more details. |
frontChannelLogoutUri | string or null <uri> Specifies the logout URI at the client for HTTP-based front-channel logout. See the OIDC Front-Channel spec (https://openid.net/specs/openid-connect-frontchannel-1_0.html) for more details. Must be an absolute HTTPS URI; HTTP URIs are only allowed if they point at localhost. |
frontChannelLogoutSessionRequired | boolean Default: false Specifies if the user’s session id should be sent to the FrontChannelLogoutUri. |
identityProviderRestrictions | Array of strings or null Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty. |
userSsoLifetime | integer <int32> [ 1 .. 10800 ] Default: 3600 The maximum duration (in seconds) since the last time the user authenticated. You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application. The default value is 3600 seconds. |
identityTokenLifetime | integer <int32> [ 1 .. 3600 ] Default: 600 Lifetime of the identity token in seconds. The default value is 600 seconds. |
accessTokenLifetime | integer <int32> [ 1 .. 3600 ] Default: 600 Lifetime of access token in seconds. The default value is 600 seconds. |
authorizationCodeLifetime | integer <int32> [ 1 .. 60 ] Default: 15 Lifetime of authorization code in seconds. The default value is 15 seconds. |
absoluteRefreshTokenLifetime | integer <int32> [ 1 .. 2592000 ] Default: 86400 Maximum lifetime of a refresh token in seconds. The default value is 86400 seconds. Must be greater than 1 when attribute SlidingRefreshTokenExpiry is off and AllowOfflineAccess is on. |
slidingRefreshTokenLifetime | integer <int32> [ 1 .. 1296000 ] Default: 86400 Sliding lifetime of a refresh token in seconds. The default value is 86400 seconds. Must be greater than 1 when attributes SlidingRefreshTokenExpiry and AllowOfflineAccess are on. |
allowRefreshTokenReuse | boolean Default: false Allows refresh token reuse. When enabled, the refresh token handle will stay the same when refreshing tokens. If set to false (default value) then the refresh token handle will be updated when refreshing tokens. |
slidingRefreshTokenExpiry | boolean Default: false Specifies whether the refresh token should expire or not. Currently has no default value and fails if not set. When set to 'true' and AllowOfflineAccess is on then the SlidingRefreshTokenLifetime attribute must be greater than 0. When set to 'false' and AllowOfflineAccess is on then the AbsoluteRefreshTokenLifetime attribute must be greater than 0. |
deviceCodeLifetime | integer <int32> [ 1 .. 600 ] Default: 300 Lifetime of the device code in seconds. The default value is 300 seconds. Must be greater than 0 when the PrimaryGrantType attribute is the DeviceFlow grant type. |
allowedCorsOrigins | Array of strings or null Specifies the allowed CORS origins that will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients. |
primaryGrantType required | string Enum: "ClientCredentials" "AuthorizationCode" "Hybrid" "Ciba" "DeviceFlow" Specifies the primary grant type the client is allowed to use. |
contentEncryptionAlgorithm | string or null Enum: "A128CBC-HS256" "A192CBC-HS384" "A256CBC-HS512" Content encryption algorithm for ID tokens and the UserInfo response. Defaults to A256CBC-HS512. |
idTokenUserData | string Enum: "Minimal" "StandardScopes" "All" Defines the IdToken user data level. |
userInfoResponseType | string or null Enum: "Json" "Signed" "Encrypted" "SignedAndEncrypted" User info response type. Defaults to 'Json'. |
version | string or null Internal version of the client (Read only). |
requireConsent | boolean Default: false Specifies whether a consent screen is required. |
createdDate | string or null <date-time> Defines when the client was created (Read only). |
lastUpdatedDate | string or null <date-time> Defines the last change on the client (Read only). |
automaticRedirectAfterSignOut | boolean Default: false Indicates if after a logout, the client should be redirected automatically. Depends on the existence of at least one Uri in the PostLogoutRedirectUris property to operate as designed. |
usageExternalReference | string or null <= 100 characters External reference for transaction provided by the customer. Used to group transactions together for the customer. |
subjectLookupsEnabled | boolean or null Default: false Enables the Enterprise Subject Lookup migration feature. Note: You need admin permissions to enable this feature. |
useCookieless | boolean or null Default: false Enables the Client to not use cookies. Note: You need admin permissions to enable this feature. |
requirePushedAuthorization | boolean Default: false Enables the Client to require pushed authorization requests. |
embeddedParentDomains | Array of strings or null Specify the parent domains that will embed the authentication. This will be used for content security frame ancestor header if set, as an extra security mechanism to protect against clickjacking. |
Responses
Request samples
- Payload
```json
{
  "id": "chimney-sweep-monkey",
  "name": "Stupefied animals portal",
  "account": "a-pdge-kl2234afhrq34422j",
  "acr": {
    "values": "idp:dummy",
    "forced": true
  },
  "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  "encryptIdTokens": false,
  "requireSecret": false,
  "requirePkce": true,
  "requireRequestObject": false,
  "useReferenceAccessTokens": false,
  "allowedScopes": [
    "internal-stuff",
    "healthy-food"
  ],
  "allowOfflineAccess": true,
  "allowAccessTokensViaBrowser": true,
  "frontChannelLogoutSessionRequired": true,
  "identityProviderRestrictions": [
    "some-idp",
    "another-one"
  ],
  "userSsoLifetime": 1200,
  "identityTokenLifetime": 500,
  "accessTokenLifetime": 600,
  "authorizationCodeLifetime": 15,
  "absoluteRefreshTokenLifetime": 50000,
  "slidingRefreshTokenLifetime": 60000,
  "allowRefreshTokenReuse": true,
  "slidingRefreshTokenExpiry": false,
  "deviceCodeLifetime": 100,
  "primaryGrantType": "ClientCredentials",
  "contentEncryptionAlgorithm": "A128CBC-HS256",
  "idTokenUserData": "StandardScopes",
  "userInfoResponseType": "SignedAndEncrypted",
  "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  "requireConsent": false,
  "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
  "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  "automaticRedirectAfterSignOut": false,
  "usageExternalReference": "string",
  "subjectLookupsEnabled": false,
  "useCookieless": false,
  "requirePushedAuthorization": false,
  "embeddedParentDomains": [
    "signicat.com",
    "example.com"
  ]
}
```
Response samples
- 200
```json
{
  "id": "chimney-sweep-monkey",
  "name": "Stupefied animals portal",
  "account": "a-pdge-kl2234afhrq34422j",
  "acr": {
    "values": "idp:dummy",
    "forced": true
  },
  "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  "encryptIdTokens": false,
  "requireSecret": false,
  "requirePkce": true,
  "requireRequestObject": false,
  "useReferenceAccessTokens": false,
  "allowedScopes": [
    "internal-stuff",
    "healthy-food"
  ],
  "allowOfflineAccess": true,
  "allowAccessTokensViaBrowser": true,
  "frontChannelLogoutSessionRequired": true,
  "identityProviderRestrictions": [
    "some-idp",
    "another-one"
  ],
  "userSsoLifetime": 1200,
  "identityTokenLifetime": 500,
  "accessTokenLifetime": 600,
  "authorizationCodeLifetime": 15,
  "absoluteRefreshTokenLifetime": 50000,
  "slidingRefreshTokenLifetime": 60000,
  "allowRefreshTokenReuse": true,
  "slidingRefreshTokenExpiry": false,
  "deviceCodeLifetime": 100,
  "primaryGrantType": "ClientCredentials",
  "contentEncryptionAlgorithm": "A128CBC-HS256",
  "idTokenUserData": "StandardScopes",
  "userInfoResponseType": "SignedAndEncrypted",
  "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  "requireConsent": false,
  "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
  "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  "automaticRedirectAfterSignOut": false,
  "usageExternalReference": "string",
  "subjectLookupsEnabled": false,
  "useCookieless": false,
  "requirePushedAuthorization": false,
  "embeddedParentDomains": [
    "signicat.com",
    "example.com"
  ]
}
```
Clone client configuration
Use this endpoint to clone an existing client's configuration
Authorizations:
path Parameters
clientId required | string The client ID. |
Responses
Response samples
- 201
```json
{
  "id": "chimney-sweep-monkey",
  "name": "Stupefied animals portal",
  "account": "a-pdge-kl2234afhrq34422j",
  "acr": {
    "values": "idp:dummy",
    "forced": true
  },
  "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  "encryptIdTokens": false,
  "requireSecret": false,
  "requirePkce": true,
  "requireRequestObject": false,
  "useReferenceAccessTokens": false,
  "allowedScopes": [
    "internal-stuff",
    "healthy-food"
  ],
  "allowOfflineAccess": true,
  "allowAccessTokensViaBrowser": true,
  "frontChannelLogoutSessionRequired": true,
  "identityProviderRestrictions": [
    "some-idp",
    "another-one"
  ],
  "userSsoLifetime": 1200,
  "identityTokenLifetime": 500,
  "accessTokenLifetime": 600,
  "authorizationCodeLifetime": 15,
  "absoluteRefreshTokenLifetime": 50000,
  "slidingRefreshTokenLifetime": 60000,
  "allowRefreshTokenReuse": true,
  "slidingRefreshTokenExpiry": false,
  "deviceCodeLifetime": 100,
  "primaryGrantType": "ClientCredentials",
  "contentEncryptionAlgorithm": "A128CBC-HS256",
  "idTokenUserData": "StandardScopes",
  "userInfoResponseType": "SignedAndEncrypted",
  "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  "requireConsent": false,
  "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
  "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  "automaticRedirectAfterSignOut": false,
  "usageExternalReference": "string",
  "subjectLookupsEnabled": false,
  "useCookieless": false,
  "requirePushedAuthorization": false,
  "embeddedParentDomains": [
    "signicat.com",
    "example.com"
  ]
}
```
List client revisions
Use this endpoint to view a list of the client revisions, or changes, that have been made to a specific client configuration
To enumerate all revisions of the resource, start by setting `untilVersion` to the version of the
resource. If `count` results are returned, repeat the request with `untilVersion` set to
`data.Version` of the last revision returned. This allows you to page through all the revisions.
Authorizations:
path Parameters
clientId required | string The ID of the client |
query Parameters
untilVersion | string The version of the revision before which history should be returned |
count | integer <int32> [ 1 .. 100 ] Default: 10 The maximum number of revisions |
Responses
Response samples
- 200
```json
[
  {
    "replacedBy": "00000001_1de79344221ef5014703401fe2526aa1",
    "data": {
      "secrets": [
        {
          "id": "rare-beauty-secret",
          "name": "The most rare beauty secret",
          "version": "00000003_2a43947f32e7820a2b567c3351a37046",
          "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
          "userCreator": "1234"
        }
      ],
      "publicKeys": [
        {
          "id": "smart-lemon-tree",
          "type": "X509Certificate",
          "usage": "Signing",
          "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
          "name": "The Smart Lemon Tree",
          "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
          "notAfter": "\"2022-05-17T16:13:47.3524211+00:00",
          "version": "00000005_1de79344221ef5014703401fe2526aa1"
        }
      ],
      "customClaims": [
        {
          "id": "7a482587238ec54198c34e8a0fbdbfbf",
          "claim": "personal.name",
          "alias": "name",
          "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
        }
      ],
      "id": "chimney-sweep-monkey",
      "name": "Stupefied animals portal",
      "account": "a-pdge-kl2234afhrq34422j",
      "acr": {
        "values": "idp:dummy",
        "forced": true
      },
      "pairWiseSubjectSalt": "qfwhqw7832gqhw",
      "encryptIdTokens": false,
      "requireSecret": false,
      "requirePkce": true,
      "requireRequestObject": false,
      "useReferenceAccessTokens": false,
      "allowedScopes": [
        "internal-stuff",
        "healthy-food"
      ],
      "allowOfflineAccess": true,
      "allowAccessTokensViaBrowser": true,
      "frontChannelLogoutSessionRequired": true,
      "identityProviderRestrictions": [
        "some-idp",
        "another-one"
      ],
      "userSsoLifetime": 1200,
      "identityTokenLifetime": 500,
      "accessTokenLifetime": 600,
      "authorizationCodeLifetime": 15,
      "absoluteRefreshTokenLifetime": 50000,
      "slidingRefreshTokenLifetime": 60000,
      "allowRefreshTokenReuse": true,
      "slidingRefreshTokenExpiry": false,
      "deviceCodeLifetime": 100,
      "primaryGrantType": "ClientCredentials",
      "contentEncryptionAlgorithm": "A128CBC-HS256",
      "idTokenUserData": "StandardScopes",
      "userInfoResponseType": "SignedAndEncrypted",
      "version": "00000000_2a43947f32e7820a2b567c3351a37046",
      "requireConsent": false,
      "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
      "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
      "automaticRedirectAfterSignOut": false,
      "usageExternalReference": "string",
      "subjectLookupsEnabled": false,
      "useCookieless": false,
      "requirePushedAuthorization": false,
      "embeddedParentDomains": [
        "signicat.com",
        "example.com"
      ]
    }
  }
]
```
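The `untilVersion` paging procedure described for this endpoint, followed by a pass over the collected history that reports changes to security-relevant settings. This is an added example, not Signicat code: the HTTP call is abstracted behind a hypothetical `fetch_page(until_version, count)` callable because this page does not show the request URL, the version is read from `data.version` as in the response sample, and `make_fake_api`, `WATCHED` and the history are constructed.

```python
# Settings whose change between revisions deserves review (a chosen subset of the schema).
WATCHED = ("requireSecret", "requirePkce", "requireRequestObject",
           "redirectUris", "allowedScopes", "allowAccessTokensViaBrowser")


def iter_revisions(fetch_page, current_version, count=10):
    """Yield every revision before current_version, in the order the API returns them."""
    if not 1 <= count <= 100:
        raise ValueError("count must be in 1..100")
    until, seen = current_version, set()
    while True:
        page = fetch_page(until_version=until, count=count)
        for revision in page:
            version = revision["data"]["version"]
            if version in seen:
                # Guards against looping forever if the cursor does not advance.
                raise RuntimeError("revision %s returned twice" % version)
            seen.add(version)
            yield revision
        if len(page) < count:  # a short (or empty) page is the last one
            return
        until = page[-1]["data"]["version"]


def watched_changes(revisions):
    """Compare each revision with the next older one: (version, field, old, new)."""
    changes = []
    for newer, older in zip(revisions, revisions[1:]):
        for field in WATCHED:
            old, new = older["data"].get(field), newer["data"].get(field)
            if old != new:
                changes.append((newer["data"]["version"], field, old, new))
    return changes


def make_fake_api(history):
    """Constructed stand-in for the endpoint; history is a newest-first list."""
    calls = []

    def fetch_page(until_version, count):
        calls.append(until_version)
        # Zero-padded constructed versions sort correctly as plain strings.
        older = [r for r in history if r["data"]["version"] < until_version]
        return older[:count]

    return fetch_page, calls


def _rev(number, require_pkce, redirect_uris):
    """Build one constructed revision record shaped like the response sample."""
    return {"data": {"version": "%08d_constructed" % number,
                     "requirePkce": require_pkce, "redirectUris": redirect_uris}}


_CB = "https://app.example.com/cb"
_STAGING = "https://staging.example.com/cb"
# Constructed history, newest first: PKCE is switched off in revision 4 and a
# second redirect URI appears in revision 2.
SAMPLE_HISTORY = [
    _rev(4, False, [_CB, _STAGING]),
    _rev(3, True, [_CB, _STAGING]),
    _rev(2, True, [_CB, _STAGING]),
    _rev(1, True, [_CB]),
    _rev(0, True, [_CB]),
]

if __name__ == "__main__":
    fetch, calls = make_fake_api(SAMPLE_HISTORY)
    revisions = list(iter_revisions(fetch, "00000005_constructed", count=2))
    print("requests made with untilVersion =", calls)
    for change in watched_changes(revisions):
        print("%s: %s changed from %r to %r" % change)
```

When the number of revisions is an exact multiple of `count`, the last request returns an empty page, which also ends the loop.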
Retrieve client revision configuration
Use this endpoint to retrieve a specific client revision configuration
Authorizations:
path Parameters
clientId required | string The ID of the client |
version required | string The version of the revision |
Responses
Response samples
- 200
{
  "replacedBy": "00000001_1de79344221ef5014703401fe2526aa1",
  "data": {
    "secrets": [
      {
        "id": "rare-beauty-secret",
        "name": "The most rare beauty secret",
        "version": "00000003_2a43947f32e7820a2b567c3351a37046",
        "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
        "userCreator": "1234"
      }
    ],
    "publicKeys": [
      {
        "id": "smart-lemon-tree",
        "type": "X509Certificate",
        "usage": "Signing",
        "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
        "name": "The Smart Lemon Tree",
        "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
        "notAfter": "\"2022-05-17T16:13:47.3524211+00:00",
        "version": "00000005_1de79344221ef5014703401fe2526aa1"
      }
    ],
    "customClaims": [
      {
        "id": "7a482587238ec54198c34e8a0fbdbfbf",
        "claim": "personal.name",
        "alias": "name",
        "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
      }
    ],
    "id": "chimney-sweep-monkey",
    "name": "Stupefied animals portal",
    "account": "a-pdge-kl2234afhrq34422j",
    "acr": {
      "values": "idp:dummy",
      "forced": true
    },
    "pairWiseSubjectSalt": "qfwhqw7832gqhw",
    "encryptIdTokens": false,
    "requireSecret": false,
    "requirePkce": true,
    "requireRequestObject": false,
    "useReferenceAccessTokens": false,
    "allowedScopes": [
      "internal-stuff",
      "healthy-food"
    ],
    "allowOfflineAccess": true,
    "allowAccessTokensViaBrowser": true,
    "frontChannelLogoutSessionRequired": true,
    "identityProviderRestrictions": [
      "some-idp",
      "another-one"
    ],
    "userSsoLifetime": 1200,
    "identityTokenLifetime": 500,
    "accessTokenLifetime": 600,
    "authorizationCodeLifetime": 15,
    "absoluteRefreshTokenLifetime": 50000,
    "slidingRefreshTokenLifetime": 60000,
    "allowRefreshTokenReuse": true,
    "slidingRefreshTokenExpiry": false,
    "deviceCodeLifetime": 100,
    "primaryGrantType": "ClientCredentials",
    "contentEncryptionAlgorithm": "A128CBC-HS256",
    "idTokenUserData": "StandardScopes",
    "userInfoResponseType": "SignedAndEncrypted",
    "version": "00000000_2a43947f32e7820a2b567c3351a37046",
    "requireConsent": false,
    "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
    "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
    "automaticRedirectAfterSignOut": false,
    "usageExternalReference": "string",
    "subjectLookupsEnabled": false,
    "useCookieless": false,
    "requirePushedAuthorization": false,
    "embeddedParentDomains": [
      "signicat.com",
      "example.com"
    ]
  }
}
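A configuration review of the revision object shown above, as an added example that is not part of the Signicat documentation. The meaning given to each field is inferred from its name, lifetimes are assumed to be in seconds, and `audit_client`, `MAX_ACCESS_TOKEN_LIFETIME` and the `HARDENED` values are constructed for illustration.

```python
import json

# Subset of the revision sample on this page, values as shown there.
PAGE_SAMPLE = json.loads("""
{"replacedBy": "00000001_1de79344221ef5014703401fe2526aa1",
 "data": {"id": "chimney-sweep-monkey", "primaryGrantType": "ClientCredentials",
          "requireSecret": false, "requirePkce": true,
          "allowOfflineAccess": true, "allowAccessTokensViaBrowser": true,
          "allowRefreshTokenReuse": true, "accessTokenLifetime": 600,
          "absoluteRefreshTokenLifetime": 50000,
          "slidingRefreshTokenLifetime": 60000}}
""")

MAX_ACCESS_TOKEN_LIFETIME = 3600  # assumption: local policy ceiling, in seconds


def audit_client(revision):
    """Return (field, reason) findings for one client; an empty list means none."""
    cfg = revision.get("data", revision)  # revision wrapper or bare client object
    grant = cfg.get("primaryGrantType")
    findings = []
    if grant in ("AuthorizationCode", "Hybrid") and not cfg.get("requirePkce"):
        findings.append(("requirePkce", "code-based grant without PKCE"))
    if grant == "ClientCredentials" and not cfg.get("requireSecret"):
        findings.append(("requireSecret", "machine client needs no secret"))
    if cfg.get("allowAccessTokensViaBrowser"):
        findings.append(("allowAccessTokensViaBrowser",
                         "access tokens may transit the browser"))
    if cfg.get("allowOfflineAccess") and cfg.get("allowRefreshTokenReuse"):
        findings.append(("allowRefreshTokenReuse",
                         "refresh tokens are not rotated on use"))
    sliding = cfg.get("slidingRefreshTokenLifetime") or 0
    absolute = cfg.get("absoluteRefreshTokenLifetime") or 0
    if absolute and sliding > absolute:
        findings.append(("slidingRefreshTokenLifetime",
                         "sliding lifetime exceeds the absolute lifetime"))
    if (cfg.get("accessTokenLifetime") or 0) > MAX_ACCESS_TOKEN_LIFETIME:
        findings.append(("accessTokenLifetime", "longer than the policy ceiling"))
    return findings


# Constructed counterpart: the same client with the flagged settings tightened.
HARDENED = dict(PAGE_SAMPLE["data"], requireSecret=True,
                allowAccessTokensViaBrowser=False, allowRefreshTokenReuse=False,
                slidingRefreshTokenLifetime=40000)
```

Each finding is a prompt for review against your own policy, not a verdict; a client that authenticates with a registered public key may legitimately differ.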
Client Health Checks results
Use this endpoint to get Resource Health Check results
Authorizations:
path Parameters
clientId required | string The ID of the client |
Responses
Response samples
- 200
{
  "checks": [
    {
      "status": "Unhealthy",
      "name": "string",
      "description": "string",
      "remediation": "string",
      "data": {
        "property1": null,
        "property2": null
      }
    }
  ],
  "status": "Unhealthy"
}
List client custom claims
Use this endpoint to view a list of all the custom claims you have configured on a specific client
Authorizations:
path Parameters
clientId required | string The ID of the client |
Responses
Response samples
- 200
[
  {
    "id": "7a482587238ec54198c34e8a0fbdbfbf",
    "claim": "personal.name",
    "alias": "name",
    "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
  }
]
Create custom claim configuration
Create a new custom claim for a specific client
Authorizations:
path Parameters
clientId required | string The ID of the client |
Request Body schema:
The custom claim specification
id | string or null The custom claim identifier |
claim required | string non-empty The claim to set an alias to |
alias required | string non-empty The alias to the claim |
version | string or null Internal version of the custom claim (Read only). |
Responses
Request samples
- Payload
{
  "id": "7a482587238ec54198c34e8a0fbdbfbf",
  "claim": "personal.name",
  "alias": "name",
  "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}
Response samples
- 201
{
  "id": "7a482587238ec54198c34e8a0fbdbfbf",
  "claim": "personal.name",
  "alias": "name",
  "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}
Retrieve client custom claim configuration
Use this endpoint to retrieve a specific custom claim configuration on a specific client
Authorizations:
path Parameters
clientId required | string The ID of the client |
customClaimId required | string The ID of the client custom claim |
Responses
Response samples
- 200
{
  "id": "7a482587238ec54198c34e8a0fbdbfbf",
  "claim": "personal.name",
  "alias": "name",
  "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}
Update custom claim
Update a custom claim on a specific client
Authorizations:
path Parameters
clientId required | string The ID of the client |
customClaimId required | string The ID of the custom claim to update. |
Request Body schema:
The updated custom claim specification.
id | string or null The custom claim identifier |
claim required | string non-empty The claim to set an alias to |
alias required | string non-empty The alias to the claim |
version | string or null Internal version of the custom claim (Read only). |
Responses
Request samples
- Payload
{
  "id": "7a482587238ec54198c34e8a0fbdbfbf",
  "claim": "personal.name",
  "alias": "name",
  "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}
Response samples
- 200
{
  "id": "7a482587238ec54198c34e8a0fbdbfbf",
  "claim": "personal.name",
  "alias": "name",
  "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}
List client public keys
Use this endpoint to view a list of all the public keys you have configured on a specific client
Authorizations:
path Parameters
clientId required | string The ID of the client |
Responses
Response samples
- 200
[
  {
    "id": "smart-lemon-tree",
    "type": "X509Certificate",
    "usage": "Signing",
    "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
    "name": "The Smart Lemon Tree",
    "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
    "notAfter": "\"2022-05-17T16:13:47.3524211+00:00",
    "version": "00000005_1de79344221ef5014703401fe2526aa1"
  }
]
Upload new public key
Upload a new public key for a specific client
Authorizations:
path Parameters
clientId required | string The client ID. |
Request Body schema:
The key specification.
id | string or null Public key identifier |
type | string or null Enum: "X509Certificate" "JWK" Public key type |
usage | string or null Enum: "Signing" "Encryption" The valid cryptographic uses of the certificate's public key |
data | string or null Public key data |
name | string or null Public key name |
notBefore | string or null <date-time> The earliest time and date on which the certificate is valid |
notAfter | string or null <date-time> The time and date past which the certificate is no longer valid |
version | string or null Version of Public key |
Responses
Request samples
- Payload
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "\"2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}
Response samples
- 201
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "\"2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}
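A pre-upload check for the key specification above, as an added example that is not part of the Signicat documentation. The enum values come from the schema on this page; `check_public_key`, `parse_ts`, `NOW` and `GOOD_SAMPLE` are constructed, and treating certificate `data` as base64-encoded DER is an assumption.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

KEY_TYPES = {"X509Certificate", "JWK"}  # enum values from the schema on this page
KEY_USAGES = {"Signing", "Encryption"}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock, repeatable result

def parse_ts(value):
    """Parse a timestamp as the samples write it (stray quote, 7 fraction digits)."""
    text = re.sub(r"(\.\d{6})\d+", r"\1", value.strip('"'))  # keep microseconds
    parsed = datetime.fromisoformat(text)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_public_key(payload, now=NOW):
    """Return a list of problems in a key payload; an empty list means none found."""
    problems = []
    for field, allowed in (("type", KEY_TYPES), ("usage", KEY_USAGES)):
        if payload.get(field) not in allowed:
            problems.append(f"{field}: must be one of {sorted(allowed)}")
    if payload.get("type") == "X509Certificate":
        # Assumption: certificate data is base64-encoded DER (first byte 0x30).
        try:
            der = base64.b64decode(payload.get("data") or "", validate=True)
        except (binascii.Error, ValueError):
            der = b""
        if der[:1] != b"\x30":
            problems.append("data: not base64-encoded DER")
    start, end = payload.get("notBefore"), payload.get("notAfter")
    if start and end:
        start, end = parse_ts(start), parse_ts(end)
        if start >= end:
            problems.append("validity: notBefore is not earlier than notAfter")
        elif now < start:
            problems.append("validity: key is not valid yet")
        elif now > end:
            problems.append("validity: key has expired")
    return problems

# The request sample from this page, copied as written.
PAGE_SAMPLE = {
    "type": "X509Certificate", "usage": "Signing",
    "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
    "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
    "notAfter": "\"2022-05-17T16:13:47.3524211+00:00"}
# Constructed payload: DER-looking bytes (not a real certificate), ordered window.
GOOD_SAMPLE = {
    "type": "X509Certificate", "usage": "Encryption",
    "data": base64.b64encode(b"\x30\x82\x01\x0a" + bytes(8)).decode(),
    "notBefore": "2024-01-01T00:00:00+00:00", "notAfter": "2030-01-01T00:00:00+00:00"}
```

Run against the page's own request sample, the check reports that the `data` value is not a certificate and that the validity window is inverted.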
Update public key
Use this endpoint to update an existing public key
Authorizations:
path Parameters
clientId required | string The client ID whose key you want to update. |
keyId required | string The ID of the key you want to update. |
Request Body schema:
The updated key specification.
id | string or null Public key identifier |
type | string or null Enum: "X509Certificate" "JWK" Public key type |
usage | string or null Enum: "Signing" "Encryption" The valid cryptographic uses of the certificate's public key |
data | string or null Public key data |
name | string or null Public key name |
notBefore | string or null <date-time> The earliest time and date on which the certificate is valid |
notAfter | string or null <date-time> The time and date past which the certificate is no longer valid |
version | string or null Version of Public key |
Responses
Request samples
- Payload
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "\"2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}
Response samples
- 200
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "\"2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}
Retrieve client public key configuration
Use this endpoint to retrieve a specific client public key configuration on a specific client
Authorizations:
path Parameters
clientId required | string The ID of the client |
keyId required | string The ID of the client public key |
Responses
Response samples
- 200
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "\"2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "\"2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}
List client secrets
Use this endpoint to view a list of all the secrets you have configured on a specific client
Authorizations:
path Parameters
clientId required | string The ID of the client |
Responses
Response samples
- 200
[
  {
    "id": "rare-beauty-secret",
    "name": "The most rare beauty secret",
    "version": "00000003_2a43947f32e7820a2b567c3351a37046",
    "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
    "userCreator": "1234"
  }
]
Generate a client secret
Use this endpoint to generate a new client secret
Authorizations:
path Parameters
clientId required | string The ID of the client |
Request Body schema:
The client secret
name required | string non-empty Secret name |
Responses
Request samples
- Payload
{
  "name": "The most rare beauty secret"
}
Response samples
- 201
{
  "id": "rare-beauty-secret",
  "name": "The most rare beauty secret",
  "plainText": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG1lISEgVGhpcyBpcyB0aGUgbW9zdCBiZWF1dHkgYW5kIHJhcmUgc2VjcmV0IGZha2UgZGF0YSEhISA6LSk="
}
Retrieve client secret configuration
Use this endpoint to retrieve a specific secret configuration on a specific client
Authorizations:
path Parameters
clientId required | string The ID of the client |
secretId required | string The ID of the client secret |
Responses
Response samples
- 200
{
  "id": "rare-beauty-secret",
  "name": "The most rare beauty secret",
  "version": "00000003_2a43947f32e7820a2b567c3351a37046",
  "createdDate": "\"2022-05-17T16:13:47.3524211+00:00",
  "userCreator": "1234"
}