Signicat OIDC Config API (v1)

With this API, you can configure your OIDC clients for Authentication

Clients

List clients

Use this endpoint to view a list of all the clients you have configured

Authorizations:
Signicat-OIDC
query Parameters
primaryGrantType
Array of strings
Items Enum: "ClientCredentials" "AuthorizationCode" "Hybrid" "Ciba" "DeviceFlow"
id
string
name
string
account
string
searchText
string

Responses

Response samples

Content type
[
  • {
    }
]

Create configuration

Use this endpoint to create a new client configuration

Authorizations:
Signicat-OIDC
Request Body schema:

The client specification.

id
string or null <= 100 characters

Client identifier (Globally unique).

If not provided a new ID will be generated.

name
required
string non-empty

Client name.

account
required
string [ 1 .. 100 ] characters

Client account id.

acr
object (Acr)
pairWiseSubjectSalt
string or null

Salt value used in pair-wise subjectId generation for users of this client.

uri
string or null <uri>

URI to further information about client (used on consent screen).

logoUri
string or null <uri>

URI to client logo (used on consent screen).

Must be an absolute URI and use HTTPS.

encryptIdTokens
boolean
Default: false

Enables or disables ID token encryption.

If enabled, requires public keys allowed to encrypt.

requireSecret
boolean
Default: true

Specifies whether this client needs a secret to request tokens from the token endpoint.

At least one of RequireSecret and RequirePkce must be 'true'. When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow', RequireSecret must be 'true'.

requirePkce
boolean
Default: false

Specifies whether clients using an authorization code based grant type must send a proof key.

At least one of these attributes must be 'true' (RequireSecret or RequirePkce).

requireRequestObject
boolean
Default: false

Specifies whether this client needs to wrap the authorize request parameters in a JWT.

When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'false'.

useReferenceAccessTokens
boolean
Default: false

Specifies whether to use reference tokens or not.

redirectUris
Array of strings or null <uri>

Specifies the allowed URIs to return tokens or authorization codes to.

At least one redirect URI is required when the PrimaryGrantType attribute is DeviceFlow. Each URI must be absolute and use HTTPS. HTTP URIs are only allowed if they point at localhost.

allowedScopes
required
Array of strings

Specifies the resources that the client is allowed to access.

allowOfflineAccess
boolean
Default: true

Specifies whether this client can request refresh tokens.

allowAccessTokensViaBrowser
boolean
Default: false

Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by preventing a hybrid flow client that is supposed to use `code id_token` from adding the `token` response type and thus leaking the token to the browser).

postLogoutRedirectUris
Array of strings or null <uri>

Specifies the allowed URIs to redirect to after logout. See the OpenID Connect Session Management spec (https://openid.net/specs/openid-connect-session-1_0.html) for more details.

frontChannelLogoutUri
string or null <uri>

Specifies the logout URI at the client for HTTP-based front-channel logout. See the OpenID Connect Front-Channel Logout spec (https://openid.net/specs/openid-connect-frontchannel-1_0.html) for more details.

The URI must be absolute and use HTTPS. HTTP URIs are only allowed if they point at localhost.

frontChannelLogoutSessionRequired
boolean
Default: false

Specifies if the user’s session id should be sent to the FrontChannelLogoutUri.

identityProviderRestrictions
Array of strings or null

Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed).

Defaults to empty.

userSsoLifetime
integer <int32> [ 1 .. 10800 ]
Default: 3600

The maximum duration (in seconds) since the last time the user authenticated.

You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application. The default value is 3600 seconds.

identityTokenLifetime
integer <int32> [ 1 .. 3600 ]
Default: 600

Lifetime of the identity token in seconds.

The default value is 600 seconds.

accessTokenLifetime
integer <int32> [ 1 .. 3600 ]
Default: 600

Lifetime of access token in seconds.

The default value is 600 seconds.

authorizationCodeLifetime
integer <int32> [ 1 .. 60 ]
Default: 15

Lifetime of authorization code in seconds.

The default value is 15 seconds.

absoluteRefreshTokenLifetime
integer <int32> [ 1 .. 2592000 ]
Default: 86400

Maximum lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater than 1 when SlidingRefreshTokenExpiry is off and AllowOfflineAccess is on.

slidingRefreshTokenLifetime
integer <int32> [ 1 .. 1296000 ]
Default: 86400

Sliding lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater than 1 when SlidingRefreshTokenExpiry and AllowOfflineAccess are both on.

allowRefreshTokenReuse
boolean
Default: false

Allows reuse of the refresh token. The refresh token handle will stay the same when refreshing tokens.

If set to false (default value) then the refresh token handle will be updated when refreshing tokens.

slidingRefreshTokenExpiry
boolean
Default: false

Specifies whether the refresh token should expire or not.

Currently has no default value; the request fails if it is not set. When set to 'true' and AllowOfflineAccess is on, the SlidingRefreshTokenLifetime attribute must be greater than 0. When set to 'false' and AllowOfflineAccess is on, the AbsoluteRefreshTokenLifetime attribute must be greater than 0.

deviceCodeLifetime
integer <int32> [ 1 .. 600 ]
Default: 300

Lifetime of the device code in seconds.

The default value is 300 seconds. Must be greater than 0 when the PrimaryGrantType attribute is DeviceFlow.

allowedCorsOrigins
Array of strings or null

Specifies the allowed CORS origins that will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients.

primaryGrantType
required
string
Enum: "ClientCredentials" "AuthorizationCode" "Hybrid" "Ciba" "DeviceFlow"

Specifies the primary grant type the client is allowed to use.

contentEncryptionAlgorithm
string or null
Enum: "A128CBC-HS256" "A192CBC-HS384" "A256CBC-HS512"

Content encryption algorithm for ID tokens and the UserInfo response.

Defaults to A256CBC-HS512.

idTokenUserData
string
Enum: "Minimal" "StandardScopes" "All"

Defines the IdToken user data level.

userInfoResponseType
string or null
Enum: "Json" "Signed" "Encrypted" "SignedAndEncrypted"

User info response type.

Defaults to 'Json'.

version
string or null

Internal version of the client (Read only).

requireConsent
boolean
Default: false

Specifies whether a consent screen is required.

createdDate
string or null <date-time>

Defines when the client was created (Read only).

lastUpdatedDate
string or null <date-time>

Defines the last change on the client (Read only).

automaticRedirectAfterSignOut
boolean
Default: false

Indicates if after a logout, the client should be redirected automatically.

Depends on the existence of at least one Uri in the PostLogoutRedirectUris property to operate as designed.

usageExternalReference
string or null <= 100 characters

External reference for transaction provided by the customer.

Used to group transactions together for the customer, e.g. orderid:121232

subjectLookupsEnabled
boolean or null
Default: false

Enables the Enterprise Subject Lookup migration feature.

Note: You need admin permissions to enable this feature.

useCookieless
boolean or null
Default: false

Enables the Client to not use cookies.

Note: You need admin permissions to enable this feature.

requirePushedAuthorization
boolean
Default: false

Enables the Client to require pushed authorization requests.

embeddedParentDomains
Array of strings or null

Specifies the parent domains that will embed the authentication. If set, these are used for the Content-Security-Policy frame-ancestors directive, as an extra security mechanism to protect against clickjacking.

Responses

Request samples

Content type
{
  • "id": "chimney-sweep-monkey",
  • "name": "Stupefied animals portal",
  • "account": "a-pdge-kl2234afhrq34422j",
  • "acr": {
    },
  • "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  • "encryptIdTokens": false,
  • "requireSecret": false,
  • "requirePkce": true,
  • "requireRequestObject": false,
  • "useReferenceAccessTokens": false,
  • "allowedScopes": [
    ],
  • "allowOfflineAccess": true,
  • "allowAccessTokensViaBrowser": true,
  • "frontChannelLogoutSessionRequired": true,
  • "identityProviderRestrictions": [
    ],
  • "userSsoLifetime": 1200,
  • "identityTokenLifetime": 500,
  • "accessTokenLifetime": 600,
  • "authorizationCodeLifetime": 15,
  • "absoluteRefreshTokenLifetime": 50000,
  • "slidingRefreshTokenLifetime": 60000,
  • "allowRefreshTokenReuse": true,
  • "slidingRefreshTokenExpiry": false,
  • "deviceCodeLifetime": 100,
  • "allowedCorsOrigins": [],
  • "primaryGrantType": "ClientCredentials",
  • "contentEncryptionAlgorithm": "A128CBC-HS256",
  • "idTokenUserData": "StandardScopes",
  • "userInfoResponseType": "SignedAndEncrypted",
  • "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  • "requireConsent": false,
  • "createdDate": "2022-05-17T16:13:47.3524211+00:00",
  • "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  • "automaticRedirectAfterSignOut": false,
  • "usageExternalReference": "string",
  • "subjectLookupsEnabled": false,
  • "useCookieless": false,
  • "requirePushedAuthorization": false,
  • "embeddedParentDomains": [
    ]
}

Response samples

Content type
{
  • "id": "chimney-sweep-monkey",
  • "name": "Stupefied animals portal",
  • "account": "a-pdge-kl2234afhrq34422j",
  • "acr": {
    },
  • "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  • "encryptIdTokens": false,
  • "requireSecret": false,
  • "requirePkce": true,
  • "requireRequestObject": false,
  • "useReferenceAccessTokens": false,
  • "allowedScopes": [
    ],
  • "allowOfflineAccess": true,
  • "allowAccessTokensViaBrowser": true,
  • "frontChannelLogoutSessionRequired": true,
  • "identityProviderRestrictions": [
    ],
  • "userSsoLifetime": 1200,
  • "identityTokenLifetime": 500,
  • "accessTokenLifetime": 600,
  • "authorizationCodeLifetime": 15,
  • "absoluteRefreshTokenLifetime": 50000,
  • "slidingRefreshTokenLifetime": 60000,
  • "allowRefreshTokenReuse": true,
  • "slidingRefreshTokenExpiry": false,
  • "deviceCodeLifetime": 100,
  • "allowedCorsOrigins": [],
  • "primaryGrantType": "ClientCredentials",
  • "contentEncryptionAlgorithm": "A128CBC-HS256",
  • "idTokenUserData": "StandardScopes",
  • "userInfoResponseType": "SignedAndEncrypted",
  • "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  • "requireConsent": false,
  • "createdDate": "2022-05-17T16:13:47.3524211+00:00",
  • "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  • "automaticRedirectAfterSignOut": false,
  • "usageExternalReference": "string",
  • "subjectLookupsEnabled": false,
  • "useCookieless": false,
  • "requirePushedAuthorization": false,
  • "embeddedParentDomains": [
    ]
}
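
A pre-flight check for the cross-field rules in the schema above, as an added example (not Signicat code and not part of the API). It covers only rules stated on this page; `validate_client`, `uri_problem` and both sample configurations are constructed for illustration, and treating only the literal host name `localhost` as localhost is an assumption.

```python
from urllib.parse import urlsplit

GRANT_TYPES = {"ClientCredentials", "AuthorizationCode", "Hybrid", "Ciba", "DeviceFlow"}
REQUIRED = ("name", "account", "allowedScopes", "primaryGrantType")
# field: (minimum, maximum, documented default), all in seconds
LIFETIMES = {
    "userSsoLifetime": (1, 10800, 3600),
    "identityTokenLifetime": (1, 3600, 600),
    "accessTokenLifetime": (1, 3600, 600),
    "authorizationCodeLifetime": (1, 60, 15),
    "absoluteRefreshTokenLifetime": (1, 2592000, 86400),
    "slidingRefreshTokenLifetime": (1, 1296000, 86400),
    "deviceCodeLifetime": (1, 600, 300),
}


def uri_problem(uri, allow_http_localhost):
    """Return why a URI breaks the documented rule, or None if it is acceptable."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname
    except (ValueError, TypeError, AttributeError):
        return "is not a parseable URI"
    if not parts.scheme or not host:
        return "is not an absolute URI"
    if parts.scheme == "https":
        return None
    # Assumption: only the literal host name "localhost" counts as localhost.
    if allow_http_localhost and parts.scheme == "http" and host == "localhost":
        return None
    return "must use https"


def validate_client(cfg):
    """Return a list of rule violations; an empty list means none were found."""
    errors = [f"{f}: required" for f in REQUIRED if cfg.get(f) is None]
    grant = cfg.get("primaryGrantType")
    if grant is not None and grant not in GRANT_TYPES:
        errors.append(f"primaryGrantType: unknown value {grant!r}")
    # Documented defaults apply when a field is omitted.
    require_secret = cfg.get("requireSecret", True)
    if not (require_secret or cfg.get("requirePkce", False)):
        errors.append("requireSecret/requirePkce: at least one must be true")
    if grant in ("ClientCredentials", "DeviceFlow"):
        if not require_secret:
            errors.append(f"requireSecret: must be true for {grant}")
        if cfg.get("requireRequestObject", False):
            errors.append(f"requireRequestObject: must be false for {grant}")
    redirect_uris = cfg.get("redirectUris") or []
    if grant == "DeviceFlow" and not redirect_uris:
        errors.append("redirectUris: at least one is required for DeviceFlow")
    uri_fields = [("redirectUris", uri, True) for uri in redirect_uris]
    if cfg.get("logoUri"):
        uri_fields.append(("logoUri", cfg["logoUri"], False))
    if cfg.get("frontChannelLogoutUri"):
        uri_fields.append(("frontChannelLogoutUri", cfg["frontChannelLogoutUri"], True))
    for field, uri, http_localhost_ok in uri_fields:
        reason = uri_problem(uri, http_localhost_ok)
        if reason:
            errors.append(f"{field}: {uri!r} {reason}")
    for field, (low, high, default) in LIFETIMES.items():
        value = cfg.get(field, default)
        if type(value) is not int or not low <= value <= high:
            errors.append(f"{field}: {value!r} outside [{low} .. {high}]")
    if cfg.get("automaticRedirectAfterSignOut") and not cfg.get("postLogoutRedirectUris"):
        errors.append("automaticRedirectAfterSignOut: needs a postLogoutRedirectUris entry")
    return errors


# Constructed sample: repeats the primaryGrantType / requireSecret / requirePkce
# combination shown in the request sample on this page.
SAMPLE_CLIENT_CREDENTIALS = {
    "name": "Stupefied animals portal", "account": "a-pdge-kl2234afhrq34422j",
    "allowedScopes": ["openid"], "primaryGrantType": "ClientCredentials",
    "requireSecret": False, "requirePkce": True,
}
# Constructed sample: a PKCE-only client with two bad redirect URIs and a
# lifetime outside its documented range.
SAMPLE_PUBLIC_CLIENT = {
    "name": "Constructed browser client", "account": "a-constructed-account",
    "allowedScopes": ["openid"], "primaryGrantType": "AuthorizationCode",
    "requireSecret": False, "requirePkce": True,
    "redirectUris": [
        "https://app.example.test/callback",
        "http://localhost:5000/callback",
        "http://localhost.example.test/callback",  # host is not localhost itself
        "/callback",                                # relative, not absolute
    ],
    "authorizationCodeLifetime": 120,
}

if __name__ == "__main__":
    for sample in (SAMPLE_CLIENT_CREDENTIALS, SAMPLE_PUBLIC_CLIENT):
        print(sample["name"], validate_client(sample))
```
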

Retrieve client configuration

Use this endpoint to retrieve a specific client configuration

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

Responses

Response samples

Content type
{
  • "id": "chimney-sweep-monkey",
  • "name": "Stupefied animals portal",
  • "account": "a-pdge-kl2234afhrq34422j",
  • "acr": {
    },
  • "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  • "encryptIdTokens": false,
  • "requireSecret": false,
  • "requirePkce": true,
  • "requireRequestObject": false,
  • "useReferenceAccessTokens": false,
  • "allowedScopes": [
    ],
  • "allowOfflineAccess": true,
  • "allowAccessTokensViaBrowser": true,
  • "frontChannelLogoutSessionRequired": true,
  • "identityProviderRestrictions": [
    ],
  • "userSsoLifetime": 1200,
  • "identityTokenLifetime": 500,
  • "accessTokenLifetime": 600,
  • "authorizationCodeLifetime": 15,
  • "absoluteRefreshTokenLifetime": 50000,
  • "slidingRefreshTokenLifetime": 60000,
  • "allowRefreshTokenReuse": true,
  • "slidingRefreshTokenExpiry": false,
  • "deviceCodeLifetime": 100,
  • "allowedCorsOrigins": [],
  • "primaryGrantType": "ClientCredentials",
  • "contentEncryptionAlgorithm": "A128CBC-HS256",
  • "idTokenUserData": "StandardScopes",
  • "userInfoResponseType": "SignedAndEncrypted",
  • "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  • "requireConsent": false,
  • "createdDate": "2022-05-17T16:13:47.3524211+00:00",
  • "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  • "automaticRedirectAfterSignOut": false,
  • "usageExternalReference": "string",
  • "subjectLookupsEnabled": false,
  • "useCookieless": false,
  • "requirePushedAuthorization": false,
  • "embeddedParentDomains": [
    ]
}

Update configuration

Use this endpoint to update an existing client's configuration

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The client ID.

Request Body schema:

The updated client specification.

id
string or null <= 100 characters

Client identifier (Globally unique).

If not provided a new ID will be generated.

name
required
string non-empty

Client name.

account
required
string [ 1 .. 100 ] characters

Client account id.

acr
object (Acr)
pairWiseSubjectSalt
string or null

Salt value used in pair-wise subjectId generation for users of this client.

uri
string or null <uri>

URI to further information about client (used on consent screen).

logoUri
string or null <uri>

URI to client logo (used on consent screen).

Must be an absolute URI and use HTTPS.

encryptIdTokens
boolean
Default: false

Enables or disables ID token encryption.

If enabled, requires public keys allowed to encrypt.

requireSecret
boolean
Default: true

Specifies whether this client needs a secret to request tokens from the token endpoint.

At least one of RequireSecret and RequirePkce must be 'true'. When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow', RequireSecret must be 'true'.

requirePkce
boolean
Default: false

Specifies whether clients using an authorization code based grant type must send a proof key.

At least one of these attributes must be 'true' (RequireSecret or RequirePkce).

requireRequestObject
boolean
Default: false

Specifies whether this client needs to wrap the authorize request parameters in a JWT.

When 'PrimaryGrantType' is set to 'ClientCredentials' or 'DeviceFlow' it must be 'false'.

useReferenceAccessTokens
boolean
Default: false

Specifies whether to use reference tokens or not.

redirectUris
Array of strings or null <uri>

Specifies the allowed URIs to return tokens or authorization codes to.

At least one redirect URI is required when the PrimaryGrantType attribute is DeviceFlow. Each URI must be absolute and use HTTPS. HTTP URIs are only allowed if they point at localhost.

allowedScopes
required
Array of strings

Specifies the resources that the client is allowed to access.

allowOfflineAccess
boolean
Default: true

Specifies whether this client can request refresh tokens.

allowAccessTokensViaBrowser
boolean
Default: false

Specifies whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by preventing a hybrid flow client that is supposed to use `code id_token` from adding the `token` response type and thus leaking the token to the browser).

postLogoutRedirectUris
Array of strings or null <uri>

Specifies the allowed URIs to redirect to after logout. See the OpenID Connect Session Management spec (https://openid.net/specs/openid-connect-session-1_0.html) for more details.

frontChannelLogoutUri
string or null <uri>

Specifies the logout URI at the client for HTTP-based front-channel logout. See the OpenID Connect Front-Channel Logout spec (https://openid.net/specs/openid-connect-frontchannel-1_0.html) for more details.

The URI must be absolute and use HTTPS. HTTP URIs are only allowed if they point at localhost.

frontChannelLogoutSessionRequired
boolean
Default: false

Specifies if the user’s session id should be sent to the FrontChannelLogoutUri.

identityProviderRestrictions
Array of strings or null

Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed).

Defaults to empty.

userSsoLifetime
integer <int32> [ 1 .. 10800 ]
Default: 3600

The maximum duration (in seconds) since the last time the user authenticated.

You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials instead of being silently authenticated, when using a web application. The default value is 3600 seconds.

identityTokenLifetime
integer <int32> [ 1 .. 3600 ]
Default: 600

Lifetime of the identity token in seconds.

The default value is 600 seconds.

accessTokenLifetime
integer <int32> [ 1 .. 3600 ]
Default: 600

Lifetime of access token in seconds.

The default value is 600 seconds.

authorizationCodeLifetime
integer <int32> [ 1 .. 60 ]
Default: 15

Lifetime of authorization code in seconds.

The default value is 15 seconds.

absoluteRefreshTokenLifetime
integer <int32> [ 1 .. 2592000 ]
Default: 86400

Maximum lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater than 1 when SlidingRefreshTokenExpiry is off and AllowOfflineAccess is on.

slidingRefreshTokenLifetime
integer <int32> [ 1 .. 1296000 ]
Default: 86400

Sliding lifetime of a refresh token in seconds.

The default value is 86400 seconds. Must be greater than 1 when SlidingRefreshTokenExpiry and AllowOfflineAccess are both on.

allowRefreshTokenReuse
boolean
Default: false

Allows reuse of the refresh token. The refresh token handle will stay the same when refreshing tokens.

If set to false (default value) then the refresh token handle will be updated when refreshing tokens.

slidingRefreshTokenExpiry
boolean
Default: false

Specifies whether the refresh token should expire or not.

Currently has no default value; the request fails if it is not set. When set to 'true' and AllowOfflineAccess is on, the SlidingRefreshTokenLifetime attribute must be greater than 0. When set to 'false' and AllowOfflineAccess is on, the AbsoluteRefreshTokenLifetime attribute must be greater than 0.

deviceCodeLifetime
integer <int32> [ 1 .. 600 ]
Default: 300

Lifetime of the device code in seconds.

The default value is 300 seconds. Must be greater than 0 when the PrimaryGrantType attribute is DeviceFlow.

allowedCorsOrigins
Array of strings or null

Specifies the allowed CORS origins that will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients.

primaryGrantType
required
string
Enum: "ClientCredentials" "AuthorizationCode" "Hybrid" "Ciba" "DeviceFlow"

Specifies the primary grant type the client is allowed to use.

contentEncryptionAlgorithm
string or null
Enum: "A128CBC-HS256" "A192CBC-HS384" "A256CBC-HS512"

Content encryption algorithm for ID tokens and the UserInfo response.

Defaults to A256CBC-HS512.

idTokenUserData
string
Enum: "Minimal" "StandardScopes" "All"

Defines the IdToken user data level.

userInfoResponseType
string or null
Enum: "Json" "Signed" "Encrypted" "SignedAndEncrypted"

User info response type.

Defaults to 'Json'.

version
string or null

Internal version of the client (Read only).

requireConsent
boolean
Default: false

Specifies whether a consent screen is required.

createdDate
string or null <date-time>

Defines when the client was created (Read only).

lastUpdatedDate
string or null <date-time>

Defines the last change on the client (Read only).

automaticRedirectAfterSignOut
boolean
Default: false

Indicates if after a logout, the client should be redirected automatically.

Depends on the existence of at least one Uri in the PostLogoutRedirectUris property to operate as designed.

usageExternalReference
string or null <= 100 characters

External reference for transaction provided by the customer.

Used to group transactions together for the customer, e.g. orderid:121232

subjectLookupsEnabled
boolean or null
Default: false

Enables the Enterprise Subject Lookup migration feature.

Note: You need admin permissions to enable this feature.

useCookieless
boolean or null
Default: false

Enables the Client to not use cookies.

Note: You need admin permissions to enable this feature.

requirePushedAuthorization
boolean
Default: false

Enables the Client to require pushed authorization requests.

embeddedParentDomains
Array of strings or null

Specifies the parent domains that will embed the authentication. If set, these are used for the Content-Security-Policy frame-ancestors directive, as an extra security mechanism to protect against clickjacking.

Responses

Request samples

Content type
{
  • "id": "chimney-sweep-monkey",
  • "name": "Stupefied animals portal",
  • "account": "a-pdge-kl2234afhrq34422j",
  • "acr": {
    },
  • "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  • "encryptIdTokens": false,
  • "requireSecret": false,
  • "requirePkce": true,
  • "requireRequestObject": false,
  • "useReferenceAccessTokens": false,
  • "allowedScopes": [
    ],
  • "allowOfflineAccess": true,
  • "allowAccessTokensViaBrowser": true,
  • "frontChannelLogoutSessionRequired": true,
  • "identityProviderRestrictions": [
    ],
  • "userSsoLifetime": 1200,
  • "identityTokenLifetime": 500,
  • "accessTokenLifetime": 600,
  • "authorizationCodeLifetime": 15,
  • "absoluteRefreshTokenLifetime": 50000,
  • "slidingRefreshTokenLifetime": 60000,
  • "allowRefreshTokenReuse": true,
  • "slidingRefreshTokenExpiry": false,
  • "deviceCodeLifetime": 100,
  • "allowedCorsOrigins": [],
  • "primaryGrantType": "ClientCredentials",
  • "contentEncryptionAlgorithm": "A128CBC-HS256",
  • "idTokenUserData": "StandardScopes",
  • "userInfoResponseType": "SignedAndEncrypted",
  • "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  • "requireConsent": false,
  • "createdDate": "2022-05-17T16:13:47.3524211+00:00",
  • "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  • "automaticRedirectAfterSignOut": false,
  • "usageExternalReference": "string",
  • "subjectLookupsEnabled": false,
  • "useCookieless": false,
  • "requirePushedAuthorization": false,
  • "embeddedParentDomains": [
    ]
}

Response samples

Content type
{
  • "id": "chimney-sweep-monkey",
  • "name": "Stupefied animals portal",
  • "account": "a-pdge-kl2234afhrq34422j",
  • "acr": {
    },
  • "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  • "encryptIdTokens": false,
  • "requireSecret": false,
  • "requirePkce": true,
  • "requireRequestObject": false,
  • "useReferenceAccessTokens": false,
  • "allowedScopes": [
    ],
  • "allowOfflineAccess": true,
  • "allowAccessTokensViaBrowser": true,
  • "frontChannelLogoutSessionRequired": true,
  • "identityProviderRestrictions": [
    ],
  • "userSsoLifetime": 1200,
  • "identityTokenLifetime": 500,
  • "accessTokenLifetime": 600,
  • "authorizationCodeLifetime": 15,
  • "absoluteRefreshTokenLifetime": 50000,
  • "slidingRefreshTokenLifetime": 60000,
  • "allowRefreshTokenReuse": true,
  • "slidingRefreshTokenExpiry": false,
  • "deviceCodeLifetime": 100,
  • "allowedCorsOrigins": [],
  • "primaryGrantType": "ClientCredentials",
  • "contentEncryptionAlgorithm": "A128CBC-HS256",
  • "idTokenUserData": "StandardScopes",
  • "userInfoResponseType": "SignedAndEncrypted",
  • "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  • "requireConsent": false,
  • "createdDate": "2022-05-17T16:13:47.3524211+00:00",
  • "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  • "automaticRedirectAfterSignOut": false,
  • "usageExternalReference": "string",
  • "subjectLookupsEnabled": false,
  • "useCookieless": false,
  • "requirePushedAuthorization": false,
  • "embeddedParentDomains": [
    ]
}

Delete configuration

Use this endpoint to delete a client configuration

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The client ID.

Responses

Retrieve the org/account id for client configuration

Use this endpoint to retrieve the org/account ID of a specific client configuration

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

Responses

Response samples

Content type
{
  • "account": "string"
}

Clone client configuration

Use this endpoint to clone an existing client's configuration

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The client ID.

Responses

Response samples

Content type
{
  • "id": "chimney-sweep-monkey",
  • "name": "Stupefied animals portal",
  • "account": "a-pdge-kl2234afhrq34422j",
  • "acr": {
    },
  • "pairWiseSubjectSalt": "qfwhqw7832gqhw",
  • "encryptIdTokens": false,
  • "requireSecret": false,
  • "requirePkce": true,
  • "requireRequestObject": false,
  • "useReferenceAccessTokens": false,
  • "allowedScopes": [
    ],
  • "allowOfflineAccess": true,
  • "allowAccessTokensViaBrowser": true,
  • "frontChannelLogoutSessionRequired": true,
  • "identityProviderRestrictions": [
    ],
  • "userSsoLifetime": 1200,
  • "identityTokenLifetime": 500,
  • "accessTokenLifetime": 600,
  • "authorizationCodeLifetime": 15,
  • "absoluteRefreshTokenLifetime": 50000,
  • "slidingRefreshTokenLifetime": 60000,
  • "allowRefreshTokenReuse": true,
  • "slidingRefreshTokenExpiry": false,
  • "deviceCodeLifetime": 100,
  • "allowedCorsOrigins": [],
  • "primaryGrantType": "ClientCredentials",
  • "contentEncryptionAlgorithm": "A128CBC-HS256",
  • "idTokenUserData": "StandardScopes",
  • "userInfoResponseType": "SignedAndEncrypted",
  • "version": "00000000_2a43947f32e7820a2b567c3351a37046",
  • "requireConsent": false,
  • "createdDate": "2022-05-17T16:13:47.3524211+00:00",
  • "lastUpdatedDate": "2022-05-17T16:13:47.3524453+00:00",
  • "automaticRedirectAfterSignOut": false,
  • "usageExternalReference": "string",
  • "subjectLookupsEnabled": false,
  • "useCookieless": false,
  • "requirePushedAuthorization": false,
  • "embeddedParentDomains": [
    ]
}

List client revisions

Use this endpoint to view a list of the client revisions, or changes, that have been made to a specific client configuration

To enumerate all revisions of the resource, start by setting `untilVersion` to the version of the resource. If `count` results are returned, repeat the request with `untilVersion` set to `data.Version` of the last revision returned. This allows you to page through all the revisions.
          
Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

query Parameters
untilVersion
string

The version of the revision before which history should be returned

count
integer <int32> [ 1 .. 100 ]
Default: 10

The maximum number of revisions

Responses

Response samples

Content type
[
  • {
    }
]
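
The paging procedure described for this endpoint, as an added example (not Signicat's client code). `fetch_page` is a hypothetical callable standing in for the HTTP request, the revision history is constructed, and it is assumed that each revision's `data` holds the client configuration with its `version` field; the loop de-duplicates, so it works whether `untilVersion` is inclusive or exclusive, and `watched_changes` then lists changes to a few security-relevant fields.

```python
WATCHED = ("requireSecret", "requirePkce", "redirectUris", "allowAccessTokensViaBrowser")


def iter_revisions(fetch_page, current_version, count=10, max_pages=1000):
    """Yield every revision, newest first, following the untilVersion procedure.

    fetch_page(until_version, count) is a hypothetical callable that performs
    the "List client revisions" request and returns the decoded JSON array.
    """
    if not 1 <= count <= 100:
        raise ValueError("count must be in [1 .. 100]")
    seen = set()
    until = current_version
    for _ in range(max_pages):
        page = fetch_page(until, count)
        fresh = [rev for rev in page if rev["data"]["version"] not in seen]
        for rev in fresh:
            seen.add(rev["data"]["version"])
            yield rev
        # Fewer than `count` results means the history is exhausted.
        if len(page) < count:
            return
        # A full page with nothing new would repeat forever: fail loudly
        # instead of returning a silently truncated history.
        if not fresh:
            raise RuntimeError("paging made no progress; history may be incomplete")
        until = page[-1]["data"]["version"]
    raise RuntimeError("max_pages reached; history may be incomplete")


def watched_changes(revisions):
    """Compare adjacent revisions (newest first) and list changes to WATCHED fields."""
    changes = []
    for newer, older in zip(revisions, revisions[1:]):
        for field in WATCHED:
            before, after = older["data"].get(field), newer["data"].get(field)
            if before != after:
                changes.append((newer["data"]["version"], field, before, after))
    return changes


def make_fake_fetch(history, inclusive):
    """Constructed stand-in for the endpoint; `history` is newest first."""
    versions = [data["version"] for data in history]
    calls = []

    def fetch_page(until_version, count):
        calls.append(until_version)
        start = versions.index(until_version) + (0 if inclusive else 1)
        return [{"data": data} for data in history[start:start + count]]

    return fetch_page, calls


# Constructed history, newest first: requirePkce is switched off in revision 4.
HISTORY = [{"version": f"{n:08d}_constructed", "requirePkce": n < 4} for n in range(6, -1, -1)]

if __name__ == "__main__":
    fetch, calls = make_fake_fetch(HISTORY, inclusive=False)
    revisions = list(iter_revisions(fetch, HISTORY[0]["version"], count=3))
    print(len(revisions), "revisions in", len(calls), "requests")
    for change in watched_changes(revisions):
        print(change)
```
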

Retrieve client revision configuration

Use this endpoint to retrieve a specific client revision configuration

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

version
required
string

The version of the revision

Responses

Response samples

Content type
{
  • "replacedBy": "00000001_1de79344221ef5014703401fe2526aa1",
  • "data": {
    }
}

Client Health Checks results

Use this endpoint to get Resource Health Check results

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

Responses

Response samples

Content type
{
  • "checks": [
    ],
  • "status": "Unhealthy"
}

Custom claims

List client custom claims

Use this endpoint to view a list of all the custom claims you have configured on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

Responses

Response samples

Content type
[
  • {
    }
]

Create custom claim configuration

Create a new custom claim for a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

Request Body schema:

The custom claim specification

id
string or null

The custom claim identifier

claim
required
string non-empty

The claim to set an alias to

alias
required
string non-empty

The alias to the claim

version
string or null

Internal version of the custom claim (Read only).

Responses

Request samples

Content type
{
  • "id": "7a482587238ec54198c34e8a0fbdbfbf",
  • "claim": "personal.name",
  • "alias": "name",
  • "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}

Response samples

Content type
{
  • "id": "7a482587238ec54198c34e8a0fbdbfbf",
  • "claim": "personal.name",
  • "alias": "name",
  • "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}

Retrieve client custom claim configuration

Use this endpoint to retrieve a specific custom claim configuration on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

customClaimId
required
string

The ID of the client custom claim

Responses

Response samples

Content type
{
  • "id": "7a482587238ec54198c34e8a0fbdbfbf",
  • "claim": "personal.name",
  • "alias": "name",
  • "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}

Update custom claim

Update a custom claim on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

customClaimId
required
string

The ID of the custom claim to update.

Request Body schema:

The updated custom claim specification.

id
string or null

The custom claim identifier

claim
required
string non-empty

The claim to set an alias to

alias
required
string non-empty

The alias to the claim

version
string or null

Internal version of the custom claim (Read only).

Responses

Request samples

Content type
{
  • "id": "7a482587238ec54198c34e8a0fbdbfbf",
  • "claim": "personal.name",
  • "alias": "name",
  • "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}

Response samples

Content type
{
  • "id": "7a482587238ec54198c34e8a0fbdbfbf",
  • "claim": "personal.name",
  • "alias": "name",
  • "version": "00000000_34f4634dd4a3680002a345ef4d89b33"
}

Remove custom claim

Remove a custom claim from a client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

customClaimId
required
string

The ID of the custom claim to remove.

Responses

Public keys

List client public keys

Use this endpoint to view a list of all the public keys you have configured on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

Responses

Response samples

Content type
[
  • {
    }
]

Upload new public key

Upload a new public key for a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The client ID.

Request Body schema:

The key specification.

id
string or null

Public key identifier

type
string or null
Enum: "X509Certificate" "JWK"

Public key type

usage
string or null
Enum: "Signing" "Encryption"

The valid cryptographic uses of the certificate's public key

data
string or null

Public key data

name
string or null

Public key name

notBefore
string or null <date-time>

The earliest time and date on which the certificate is valid

notAfter
string or null <date-time>

The time and date past which the certificate is no longer valid

version
string or null

Version of Public key

Responses

Request samples

Content type
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}

Response samples

Content type
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}
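
A client-side pre-flight check for the key specification described above, as an added example (not Signicat's code and not part of the original page). It checks the two documented enums and the `notBefore`/`notAfter` window before a body is sent; the helper names are hypothetical, the sample is constructed (its dates mirror the ones printed in the request sample), and treating `data` as base64 text is an assumption drawn from that sample. Whether the API itself rejects such a body is not stated on this page.

```python
import base64
import re
from datetime import datetime, timezone

KEY_TYPES = {"X509Certificate", "JWK"}   # enum values from the schema
KEY_USAGES = {"Signing", "Encryption"}   # enum values from the schema

def parse_dt(value):
    """Parse an offset-qualified date-time, trimming fractions past 6 digits."""
    text = re.sub(r"(\.\d{6})\d+", r"\1", value.strip())
    text = re.sub(r"Z$", "+00:00", text)
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError("date-time has no UTC offset")
    return parsed

def check_key_spec(spec, now=None):
    """Return the list of problems found in a key specification dict."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if spec.get("type") not in KEY_TYPES:
        problems.append("type is not X509Certificate or JWK")
    if spec.get("usage") not in KEY_USAGES:
        problems.append("usage is not Signing or Encryption")
    window = {}
    for field in ("notBefore", "notAfter"):
        try:
            window[field] = parse_dt(spec.get(field) or "")
        except ValueError:
            problems.append(field + " is not a valid date-time")
    if len(window) == 2 and window["notBefore"] >= window["notAfter"]:
        problems.append("notBefore is not earlier than notAfter")
    if "notAfter" in window and window["notAfter"] <= now:
        problems.append("notAfter is in the past")
    if spec.get("type") == "X509Certificate":
        try:  # assumption: data is base64 text, as in the page's sample
            if not base64.b64decode(spec.get("data") or "", validate=True):
                raise ValueError("empty data")
        except ValueError:
            problems.append("data is empty or not valid base64")
    return problems

# Constructed sample: the validity window is inverted, as in the request sample.
SAMPLE = {"id": "example-key", "type": "X509Certificate", "usage": "Signing",
          "data": "Y29uc3RydWN0ZWQ=", "name": "Example key",
          "notBefore": "2026-05-17T16:13:47.3524211+00:00",
          "notAfter": "2022-05-17T16:13:47.3524211+00:00"}
if __name__ == "__main__":
    print("\n".join(check_key_spec(SAMPLE)))
```

The same check applies unchanged to the body of the update endpoint, which uses the same schema.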

Update public key

Use this endpoint to update an existing public key

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The client ID whose key you want to update.

keyId
required
string

The ID of the key you want to update.

Request Body schema:

The updated key specification.

id
string or null

Public key identifier

type
string or null
Enum: "X509Certificate" "JWK"

Public key type

usage
string or null
Enum: "Signing" "Encryption"

The valid cryptographic uses of the certificate's public key

data
string or null

Public key data

name
string or null

Public key name

notBefore
string or null <date-time>

The earliest time and date on which the certificate is valid

notAfter
string or null <date-time>

The time and date past which the certificate is no longer valid

version
string or null

Version of Public key

Responses

Request samples

Content type
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}

Response samples

Content type
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}

Retrieve client public key configuration

Use this endpoint to retrieve a specific client public key configuration on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

keyId
required
string

The ID of the client public key

Responses

Response samples

Content type
{
  "id": "smart-lemon-tree",
  "type": "X509Certificate",
  "usage": "Signing",
  "data": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG15IGxlbW9ucyEhIEknbSB0aGUgc21hcnRlc3QgdHJlZSBpbiB0aGUgd29ybGQhISEgQUhBSEEgOi0p",
  "name": "The Smart Lemon Tree",
  "notBefore": "2026-05-17T16:13:47.3524211+00:00",
  "notAfter": "2022-05-17T16:13:47.3524211+00:00",
  "version": "00000005_1de79344221ef5014703401fe2526aa1"
}

Revoke public key

Use this endpoint to revoke a specific client public key configuration on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

keyId
required
string

The ID of the client public key

Responses

Secrets

List client secrets

Use this endpoint to view a list of all the secrets you have configured on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

Responses

Response samples

Content type
[
  { }
]

Generate a client secret

Use this endpoint to generate a new client secret

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

Request Body schema:

The client secret

name
required
string non-empty

Secret name

Responses

Request samples

Content type
{
  "name": "The most rare beauty secret"
}

Response samples

Content type
{
  "id": "rare-beauty-secret",
  "name": "The most rare beauty secret",
  "plainText": "T29vb3BwcHNzcyAuLi4geW91IGZvdW5kIG1lISEgVGhpcyBpcyB0aGUgbW9zdCBiZWF1dHkgYW5kIHJhcmUgc2VjcmV0IGZha2UgZGF0YSEhISA6LSk="
}

Retrieve client secret configuration

Use this endpoint to retrieve a specific secret configuration on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

secretId
required
string

The ID of the client secret

Responses

Response samples

Content type
{
  "id": "rare-beauty-secret",
  "name": "The most rare beauty secret",
  "version": "00000003_2a43947f32e7820a2b567c3351a37046",
  "createdDate": "2022-05-17T16:13:47.3524211+00:00",
  "userCreator": "1234"
}

Revoke client secret

Use this endpoint to revoke a specific secret configuration on a specific client

Authorizations:
Signicat-OIDC
path Parameters
clientId
required
string

The ID of the client

secretId
required
string

The ID of the client secret

Responses

Errors

List error codes

Use this endpoint to view a list of all the error codes available

Authorizations:
Signicat-OIDC

Responses

Response samples

Content type
No sample

Retrieve error configuration

Use this endpoint to retrieve a specific error configuration

Authorizations:
Signicat-OIDC
path Parameters
errorCode
required
string

The error code

Responses

Response samples

Content type
No sample