@lap v0.3
# Machine-readable API spec. Each @endpoint block is one API call.
@api Okta Admin Management
@base https://subdomain.okta.com
@version 5.1.0
@auth ApiKey Authorization in header | OAuth2
@endpoints 705
@hint download_for_search
@toc .well-known(6), api(654), attack-protection(4), device-access(4), integrations(9), oauth2(12), okta-personal-settings(3), privileged-access(5), security(1), webauthn-registration(7)

@group .well-known
@endpoint GET /.well-known/app-authenticator-configuration
@desc Retrieve the well-known app authenticator configuration
@required {oauthClientId: str # Filters app authenticator configurations by `oauthClientId`}
@returns(200) Success
@errors {400: Bad Request, 429: Too Many Requests}

@endpoint GET /.well-known/apple-app-site-association
@desc Retrieve the customized apple-app-site-association URI content
@returns(200) Success
@errors {429: Too Many Requests}

@endpoint GET /.well-known/assetlinks.json
@desc Retrieve the customized assetlinks.json URI content
@returns(200) {items: map} # Success
@errors {404: Not Found, 429: Too Many Requests}

@endpoint GET /.well-known/okta-organization
@desc Retrieve the Org metadata
@returns(200) {id: str, pipeline: str, _links: map{alternate: any, organization: any}} # Success
@errors {429: Too Many Requests}

@endpoint GET /.well-known/ssf-configuration
@desc Retrieve the SSF transmitter metadata
@returns(200) {authorization_schemes: [map], configuration_endpoint: str(uri), default_subjects: str, delivery_methods_supported: [str(uri)], issuer: str, jwks_uri: str(uri), spec_version: str, verification_endpoint: str(uri)} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /.well-known/webauthn
@desc Retrieve the customized webauthn URI content
@returns(200) Success
@errors {404: Not Found, 429: Too Many Requests}

@endgroup

@group api
@endpoint GET /api/v1/agentPools
@desc List all agent pools
@optional {limitPerPoolType: int=5 # Maximum number of agent pools returned, poolType: str # Agent type to search for, after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).}
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/agentPools/{poolId}/updates
@desc List all agent pool updates
@optional {scheduled: bool # Return only scheduled or ad-hoc updates. If this parameter isn't provided, Okta returns the entire list of updates.}
@returns(200) OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates
@desc Create an agent pool update
@optional {agents: [map{id: str, isHidden: bool, isLatestGAedVersion: bool, lastConnection: str(date-time), name: str, operationalStatus: str, poolId: str, type: str, updateMessage: str, updateStatus: str, version: str, _links: map}], agentType: str(AD/IWA/LDAP/MFA/OPP/RUM/Radius) # Agent types that are being monitored, enabled: bool # Indicates if auto-update is enabled for the agent pool, id: str # ID of the agent pool update, name: str # Name of the agent pool update, notifyAdmin: bool # Indicates if the admin is notified about the update, reason: str # Reason for the update, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str} # The schedule of auto-update configured by the admin, sortOrder: int # Specifies the sort order, status: str(Cancelled/Failed/InProgress/Paused/Scheduled/Success) # Overall state for the auto-update job from the admin perspective, targetVersion: str # The agent version to update to, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(201) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/agentPools/{poolId}/updates/settings
@desc Retrieve an agent pool update's settings
@returns(200) {agentType: str, continueOnError: bool, latestVersion: str, minimalSupportedVersion: str, poolId: str, poolName: str, releaseChannel: str} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates/settings
@desc Update an agent pool update settings
@optional {agentType: str(AD/IWA/LDAP/MFA/OPP/RUM/Radius) # Agent types that are being monitored, continueOnError: bool # Continues the update even if some agents fail to update, latestVersion: str # Latest version of the agent, minimalSupportedVersion: str # Minimal version of the agent, poolId: str # ID of the agent pool that the settings apply to, poolName: str # Pool name, releaseChannel: str(BETA/EA/GA/TEST) # Release channel for auto-update}
@returns(201) {agentType: str, continueOnError: bool, latestVersion: str, minimalSupportedVersion: str, poolId: str, poolName: str, releaseChannel: str} # Updated
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/agentPools/{poolId}/updates/{updateId}
@desc Retrieve an agent pool update by ID
@returns(200) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates/{updateId}
@desc Update an agent pool update by ID
@optional {agents: [map{id: str, isHidden: bool, isLatestGAedVersion: bool, lastConnection: str(date-time), name: str, operationalStatus: str, poolId: str, type: str, updateMessage: str, updateStatus: str, version: str, _links: map}], agentType: str(AD/IWA/LDAP/MFA/OPP/RUM/Radius) # Agent types that are being monitored, enabled: bool # Indicates if auto-update is enabled for the agent pool, id: str # ID of the agent pool update, name: str # Name of the agent pool update, notifyAdmin: bool # Indicates if the admin is notified about the update, reason: str # Reason for the update, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str} # The schedule of auto-update configured by the admin, sortOrder: int # Specifies the sort order, status: str(Cancelled/Failed/InProgress/Paused/Scheduled/Success) # Overall state for the auto-update job from the admin perspective, targetVersion: str # The agent version to update to, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(201) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # Updated
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/agentPools/{poolId}/updates/{updateId}
@desc Delete an agent pool update
@returns(204) Deleted
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates/{updateId}/activate
@desc Activate an agent pool update
@returns(201) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # Activated
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates/{updateId}/deactivate
@desc Deactivate an agent pool update
@returns(201) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # Deactivated
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates/{updateId}/pause
@desc Pause an agent pool update
@returns(201) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # Paused
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates/{updateId}/resume
@desc Resume an agent pool update
@returns(201) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # Resumed
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates/{updateId}/retry
@desc Retry an agent pool update
@returns(201) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # Retried
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/agentPools/{poolId}/updates/{updateId}/stop
@desc Stop an agent pool update
@returns(201) {agents: [map], agentType: str, enabled: bool, id: str, name: str, notifyAdmin: bool, reason: str, schedule: map{cron: str, delay: int, duration: int, lastUpdated: str(date-time), timezone: str}, sortOrder: int, status: str, targetVersion: str, _links: map{self: any}} # Stopped
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/api-tokens
@desc List all API token metadata
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint DELETE /api/v1/api-tokens/current
@desc Revoke the current API token
@returns(204) No Content
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/api-tokens/{apiTokenId}
@desc Retrieve an API token's metadata
@returns(200) {clientName: str, created: str(date-time), expiresAt: str(date-time), id: str, lastUpdated: str(date-time), name: str, network: map{connection: str, include: [str], exclude: [str]}, tokenWindow: str, userId: str, _link: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/api-tokens/{apiTokenId}
@desc Upsert an API token network condition
@optional {clientName: str # The client name associated with the API Token, created: str(date-time) # The creation date of the API Token, name: str # The name associated with the API Token, network: map{connection: str, include: [str], exclude: [str]} # The Network Condition of the API Token, userId: str # The userId of the user who created the API Token}
@returns(200) {clientName: str, created: str(date-time), expiresAt: str(date-time), id: str, lastUpdated: str(date-time), name: str, network: map{connection: str, include: [str], exclude: [str]}, tokenWindow: str, userId: str, _link: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"api_token_name","clientName":"client_name","userId":"00uabcdefg1234567890","network":{"connection":"ANYWHERE"},"created":"2021-11-09T20:38:10.000Z"}

@endpoint DELETE /api/v1/api-tokens/{apiTokenId}
@desc Revoke an API token
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps
@desc List all applications
@optional {q: str # Searches for apps with `name` or `label` properties that starts with the `q` value using the `startsWith` operation, after: str # Specifies the [pagination](/#pagination) cursor for the next page of results. Treat this as an opaque value obtained through the `next` link relationship., useOptimization: bool=false # Specifies whether to use query optimization. If you specify `useOptimization=true` in the request query, the response contains a subset of app instance properties., limit: int(int32)=-1 # Specifies the number of results per page, filter: str # Filters apps by `status`, `user.id`, `group.id`, `credentials.signing.kid` or `name` expression that supports the `eq` operator, expand: str # An optional parameter used for link expansion to embed more resources in the response. Only supports `expand=user/{userId}` and must be used with the `user.id eq "{userId}"` filter query for the same user. Returns the assigned [application user](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property., includeNonDeleted: bool=false # Specifies whether to include non-active, but not deleted apps in the results}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/apps
@desc Create an application
@required {label: str # User-defined display name for app, signOnMode: str(AUTO_LOGIN/BASIC_AUTH/BOOKMARK/BROWSER_PLUGIN/OPENID_CONNECT/SAML_1_1/SAML_2_0/SECURE_PASSWORD_STORE/WS_FEDERATION) # Authentication mode for the app  | signOnMode | Description | | ---------- | ----------- | | AUTO_LOGIN | Secure Web Authentication (SWA) | | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | | BOOKMARK | Just a bookmark (no-authentication) | | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin | | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) | | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) | | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile |  Select the `signOnMode` for your custom app:}
@optional {activate: bool=true # Executes activation lifecycle operation when creating the app, OktaAccessGateway-Agent: str, accessibility: map{errorRedirectUrl: str, loginRedirectUrl: str, selfService: bool} # Specifies access settings for the app, created: str(date-time) # Timestamp when the application object was created, features: [str] # Enabled app features > **Note:** See [Application Features](/openapi/okta-management/management/tag/ApplicationFeatures/) for app provisioning features., id: str # Unique ID for the app instance, lastUpdated: str(date-time) # Timestamp when the application object was last updated, licensing: map{seatCount: int} # Licenses for the app, orn: str # The Okta resource name (ORN) for the current app instance, profile: map # Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps). For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function.  > **Notes:** > * `profile` isn't encrypted, so don't store sensitive data in it. > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance., status: str(ACTIVE/DELETED/INACTIVE) # App instance status, universalLogout: map{identityStack: str, protocol: str, status: str, supportType: str} # Universal Logout properties for the app. These properties are only returned and can't be updated., visibility: map{appLinks: map, autoLaunch: bool, autoSubmitToolbar: bool, hide: map} # Specifies visibility settings for the app, _embedded: map{user: map} # Embedded resources related to the app using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=user/{userId}` query parameter is specified, then the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) is embedded., _links: any # Discoverable resources related to the app}
@returns(200) {accessibility: map{errorRedirectUrl: str, loginRedirectUrl: str, selfService: bool}, created: str(date-time), features: [str], id: str, label: str, lastUpdated: str(date-time), licensing: map{seatCount: int}, orn: str, profile: map, signOnMode: str, status: str, universalLogout: map{identityStack: str, protocol: str, status: str, supportType: str}, visibility: map{appLinks: map, autoLaunch: bool, autoSubmitToolbar: bool, hide: map{iOS: bool, web: bool}}, _embedded: map{user: map}, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"bookmark","label":"Sample Bookmark App","signOnMode":"BOOKMARK","settings":{"app":{"url":"https://example.com/bookmark.html"}}}

@endpoint GET /api/v1/apps/{appId}
@desc Retrieve an application
@optional {expand: str # An optional query parameter to return the specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. Valid value: `expand=user/{userId}`}
@returns(200) {accessibility: map{errorRedirectUrl: str, loginRedirectUrl: str, selfService: bool}, created: str(date-time), features: [str], id: str, label: str, lastUpdated: str(date-time), licensing: map{seatCount: int}, orn: str, profile: map, signOnMode: str, status: str, universalLogout: map{identityStack: str, protocol: str, status: str, supportType: str}, visibility: map{appLinks: map, autoLaunch: bool, autoSubmitToolbar: bool, hide: map{iOS: bool, web: bool}}, _embedded: map{user: map}, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/apps/{appId}
@desc Replace an application
@required {label: str # User-defined display name for app, signOnMode: str(AUTO_LOGIN/BASIC_AUTH/BOOKMARK/BROWSER_PLUGIN/OPENID_CONNECT/SAML_1_1/SAML_2_0/SECURE_PASSWORD_STORE/WS_FEDERATION) # Authentication mode for the app  | signOnMode | Description | | ---------- | ----------- | | AUTO_LOGIN | Secure Web Authentication (SWA) | | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | | BOOKMARK | Just a bookmark (no-authentication) | | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin | | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) | | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) | | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile |  Select the `signOnMode` for your custom app:}
@optional {accessibility: map{errorRedirectUrl: str, loginRedirectUrl: str, selfService: bool} # Specifies access settings for the app, created: str(date-time) # Timestamp when the application object was created, features: [str] # Enabled app features > **Note:** See [Application Features](/openapi/okta-management/management/tag/ApplicationFeatures/) for app provisioning features., id: str # Unique ID for the app instance, lastUpdated: str(date-time) # Timestamp when the application object was last updated, licensing: map{seatCount: int} # Licenses for the app, orn: str # The Okta resource name (ORN) for the current app instance, profile: map # Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps). For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function.  > **Notes:** > * `profile` isn't encrypted, so don't store sensitive data in it. > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance., status: str(ACTIVE/DELETED/INACTIVE) # App instance status, universalLogout: map{identityStack: str, protocol: str, status: str, supportType: str} # Universal Logout properties for the app. These properties are only returned and can't be updated., visibility: map{appLinks: map, autoLaunch: bool, autoSubmitToolbar: bool, hide: map} # Specifies visibility settings for the app, _embedded: map{user: map} # Embedded resources related to the app using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=user/{userId}` query parameter is specified, then the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) is embedded., _links: any # Discoverable resources related to the app}
@returns(200) {accessibility: map{errorRedirectUrl: str, loginRedirectUrl: str, selfService: bool}, created: str(date-time), features: [str], id: str, label: str, lastUpdated: str(date-time), licensing: map{seatCount: int}, orn: str, profile: map, signOnMode: str, status: str, universalLogout: map{identityStack: str, protocol: str, status: str, supportType: str}, visibility: map{appLinks: map, autoLaunch: bool, autoSubmitToolbar: bool, hide: map{iOS: bool, web: bool}}, _embedded: map{user: map}, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"bookmark","label":"Sample Bookmark App updated","signOnMode":"BOOKMARK","settings":{"app":{"requestIntegration":true,"url":"https://example.com/bookmark.html"}}}

@endpoint DELETE /api/v1/apps/{appId}
@desc Delete an application
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/connections/default
@desc Retrieve the default provisioning connection
@returns(200) {authScheme: str, baseUrl: str, profile: any, status: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/connections/default
@desc Update the default provisioning connection
@optional {activate: bool # Activates the provisioning connection}
@returns(200) {authScheme: str, baseUrl: str, profile: any, status: str, _links: any} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"baseUrl":"https://scim.zscalerbeta.net/1234567/890/scim","profile":{"authScheme":"TOKEN","token":"00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x"}}

@endpoint GET /api/v1/apps/{appId}/connections/default/jwks
@desc Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection
@returns(200) {jwks: any} # OK
@errors {401: Unauthorized, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/connections/default/lifecycle/activate
@desc Activate the default provisioning connection
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/connections/default/lifecycle/deactivate
@desc Deactivate the default provisioning connection
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/credentials/csrs
@desc List all certificate signing requests
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/csrs
@desc Generate a certificate signing request
@optional {subject: map{commonName: str, countryName: str, localityName: str, organizationalUnitName: str, organizationName: str, stateOrProvinceName: str}, subjectAltNames: map{dnsNames: [str]}}
@returns(201) {created: str(date-time), csr: str, id: str, kty: str, _links: any} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/credentials/csrs/{csrId}
@desc Retrieve a certificate signing request
@returns(200) {created: str(date-time), csr: str, id: str, kty: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/apps/{appId}/credentials/csrs/{csrId}
@desc Revoke a certificate signing request
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish
@desc Publish a certificate signing request
@returns(201) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/credentials/jwks
@desc List all the OAuth 2.0 client JSON Web Keys
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/jwks
@desc Add a JSON Web Key
@returns(201) Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}
@example_request {"id":"pks2f50kZB0cITmYU0g4","kid":"ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B","kty":"RSA","alg":"RS256","use":"sig","e":"AQAB","n":"AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=","status":"ACTIVE"}

@endpoint GET /api/v1/apps/{appId}/credentials/jwks/{keyId}
@desc Retrieve an OAuth 2.0 client JSON Web Key
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/apps/{appId}/credentials/jwks/{keyId}
@desc Delete an OAuth 2.0 client JSON Web Key
@returns(204) No Content
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate
@desc Activate an OAuth 2.0 client JSON Web Key
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate
@desc Deactivate an OAuth 2.0 client JSON Web Key
@returns(200) OK
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/credentials/keys
@desc List all key credentials
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/keys/generate
@desc Generate a key credential
@required {validityYears: int # Expiry years of the Application Key Credential}
@returns(201) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/credentials/keys/{keyId}
@desc Retrieve a key credential
@returns(200) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/keys/{keyId}/clone
@desc Clone a key credential
@required {targetAid: str # Unique key of the target Application}
@returns(201) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/credentials/secrets
@desc List all OAuth 2.0 client secrets
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/secrets
@desc Create an OAuth 2.0 client secret
@optional {client_secret: str # The OAuth 2.0 client secret string, status: str(ACTIVE/INACTIVE) # Status of the OAuth 2.0 Client Secret}
@returns(201) {client_secret: str, created: str, id: str, lastUpdated: str, secret_hash: str, status: str, _links: any} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}
@example_request {}

@endpoint GET /api/v1/apps/{appId}/credentials/secrets/{secretId}
@desc Retrieve an OAuth 2.0 client secret
@returns(200) {client_secret: str, created: str, id: str, lastUpdated: str, secret_hash: str, status: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/apps/{appId}/credentials/secrets/{secretId}
@desc Delete an OAuth 2.0 client secret
@returns(204) No Content
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate
@desc Activate an OAuth 2.0 client secret
@returns(200) {client_secret: str, created: str, id: str, lastUpdated: str, secret_hash: str, status: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate
@desc Deactivate an OAuth 2.0 client secret
@returns(200) {client_secret: str, created: str, id: str, lastUpdated: str, secret_hash: str, status: str, _links: any} # OK
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/cwo/connections
@desc Retrieve all Cross App Access connections
@optional {after: str # Specifies the pagination cursor for the next page of connection results, limit: int(int32)=-1 # Specifies the number of results to return per page. The values:   * -1: Return all results (up to system maximum)   * 0: Return an empty result set   * Positive integer: Return up to that many results (capped at system maximum)}
@returns(200) Success
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/cwo/connections
@desc Create a Cross App Access connection
@optional {created: str(date-time) # The ISO 8601 formatted date and time when the connection was created, id: str # Unique identifier for the connection, lastUpdated: str(date-time) # The ISO 8601 formatted date and time when the connection was last updated, requestingAppInstanceId: str # ID of the requesting app instance, resourceAppInstanceId: str # ID of the resource app instance, status: str(ACTIVE/INACTIVE) # Indicates if the Cross App Access connection is active or inactive}
@returns(201) {created: str(date-time), id: str, lastUpdated: str(date-time), requestingAppInstanceId: str, resourceAppInstanceId: str, status: str} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/cwo/connections/{connectionId}
@desc Retrieve a Cross App Access connection
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), requestingAppInstanceId: str, resourceAppInstanceId: str, status: str} # Success
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PATCH /api/v1/apps/{appId}/cwo/connections/{connectionId}
@desc Update a Cross App Access connection
@required {status: str(ACTIVE/INACTIVE) # Requested value of Cross App Access connection status}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), requestingAppInstanceId: str, resourceAppInstanceId: str, status: str} # Success
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/apps/{appId}/cwo/connections/{connectionId}
@desc Delete a Cross App Access connection
@returns(204) No Content
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/features
@desc List all features
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/features/{featureName}
@desc Retrieve a feature
@returns(200) {description: str, name: str, status: any, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/apps/{appId}/features/{featureName}
@desc Update a feature
@returns(200) {description: str, name: str, status: any, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"create":{"lifecycleCreate":{"status":"ENABLED"}},"update":{"lifecycleDeactivate":{"status":"ENABLED"},"profile":{"status":"ENABLED"},"password":{"status":"ENABLED","seed":"RANDOM","change":"CHANGE"}}}

@endpoint GET /api/v1/apps/{appId}/federated-claims
@desc List all configured federated claims
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/federated-claims
@desc Create a federated claim
@optional {expression: str # The Okta Expression Language expression to be evaluated at runtime, name: str # The name of the claim to be used in the produced token}
@returns(201) {created: str, expression: str, id: str, lastUpdated: str, name: str} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"role","expression":"appuser.entitlements.role"}

@endpoint GET /api/v1/apps/{appId}/federated-claims/{claimId}
@desc Retrieve a federated claim
@returns(200) {expression: str, name: str} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/apps/{appId}/federated-claims/{claimId}
@desc Replace a federated claim
@optional {created: str # Timestamp when the federated claim was created, expression: str # The Okta Expression Language expression to be evaluated at runtime, id: str # The unique ID of the federated claim, lastUpdated: str # Timestamp when the federated claim was updated, name: str # The name of the claim to be used in the produced token}
@returns(201) {created: str, expression: str, id: str, lastUpdated: str, name: str} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"readOnly","expression":"appuser.entitlements.readOnly"}

@endpoint DELETE /api/v1/apps/{appId}/federated-claims/{claimId}
@desc Delete a federated claim
@returns(204) No Content
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/grants
@desc List all app grants
@optional {expand: str # An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/grants
@desc Grant consent to scope
@required {issuer: str # The issuer of your org authorization server. This is typically your Okta domain., scopeId: str # The name of the [Okta scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) for which consent is granted}
@optional {clientId: str # Client ID of the app integration, created: str(date-time) # Timestamp when the object was created, createdBy: map{id: str, type: str} # User that created the object, id: str # ID of the Grant object, lastUpdated: str(date-time) # Timestamp when the object was last updated, source: str(ADMIN/END_USER) # User type source that granted consent, status: str(ACTIVE/REVOKED) # Status, userId: str # User ID that granted consent (if `source` is `END_USER`), _embedded: map{scope: map} # Embedded resources related to the Grant, _links: any}
@returns(201) {clientId: str, created: str(date-time), createdBy: map{id: str, type: str}, id: str, issuer: str, lastUpdated: str(date-time), scopeId: str, source: str, status: str, userId: str, _embedded: map{scope: map{id: str}}, _links: any} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"issuer":"{yourOktaDomain}","scopeId":"okta.users.read"}

@endpoint GET /api/v1/apps/{appId}/grants/{grantId}
@desc Retrieve an app grant
@optional {expand: str # An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`}
@returns(200) {clientId: str, created: str(date-time), createdBy: map{id: str, type: str}, id: str, issuer: str, lastUpdated: str(date-time), scopeId: str, source: str, status: str, userId: str, _embedded: map{scope: map{id: str}}, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/apps/{appId}/grants/{grantId}
@desc Revoke an app grant
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/group-push/mappings
@desc List all group push mappings
@optional {after: str # Specifies the pagination cursor for the next page of mappings, limit: int(int32)=100 # Specifies the number of results returned, lastUpdated: str # Filters group push mappings by last updated date. The `lastUpdated` parameter supports the following format: `YYYY-MM-DDTHH:mm:ssZ`. This filters mappings updated on or after the specified date and time in UTC.  If you don't specify a value, all group push mappings are returned., sourceGroupId: str # Filters group push mappings by source group ID. If you don't specify a value, all group push mappings are returned., status: str # Filters group push mappings by status. If you don't specify a value, all group push mappings are returned.}
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/group-push/mappings
@desc Create a group push mapping
@required {sourceGroupId: str # The ID of the source group for the group push mapping}
@optional {appConfig: map{type: str} # Additional app configuration for group push mappings. Currently only required for Active Directory., status: str(ACTIVE/INACTIVE)=ACTIVE # The status of the group push mapping, targetGroupId: str # The ID of the existing target group for the group push mapping. This is used to link to an existing group. Required if `targetGroupName` is not provided., targetGroupName: str # The name of the target group for the group push mapping. This is used when creating a new downstream group. If the group already exists, it links to the existing group. Required if `targetGroupId` is not provided.}
@returns(201) {appConfig: map{type: str}, created: str(date-time), errorSummary: str, id: str, lastPush: str(date-time), lastUpdated: str(date-time), sourceGroupId: str, status: str, targetGroupId: str, _links: map} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}
@example_request {"sourceGroupId":"00g00000000000000000","status":"ACTIVE","targetGroupName":"NewGroup"}

@endpoint GET /api/v1/apps/{appId}/group-push/mappings/{mappingId}
@desc Retrieve a group push mapping
@returns(200) {appConfig: map{type: str}, created: str(date-time), errorSummary: str, id: str, lastPush: str(date-time), lastUpdated: str(date-time), sourceGroupId: str, status: str, targetGroupId: str, _links: map} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PATCH /api/v1/apps/{appId}/group-push/mappings/{mappingId}
@desc Update a group push mapping
@required {status: str(ACTIVE/INACTIVE)=ACTIVE # The status of the group push mapping}
@returns(200) {appConfig: map{type: str}, created: str(date-time), errorSummary: str, id: str, lastPush: str(date-time), lastUpdated: str(date-time), sourceGroupId: str, status: str, targetGroupId: str, _links: map} # Success
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"status":"INACTIVE"}

@endpoint DELETE /api/v1/apps/{appId}/group-push/mappings/{mappingId}
@desc Delete a group push mapping
@required {deleteTargetGroup: bool=false # If set to `true`, the target group is also deleted. If set to `false`, the target group isn't deleted.}
@returns(204) No Content
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/groups
@desc List all application groups
@optional {q: str # Specifies a filter for a list of assigned groups returned based on their names. The value of `q` is matched against the group `name`.  This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the [group name](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups=200&path=profile/name&t=response)., after: str # Specifies the pagination cursor for the `next` page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int(int32)=20 # Specifies the number of objects to return per page. If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](/#pagination)., expand: str # An optional query parameter to return the corresponding assigned [group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) or  the group assignment metadata details in the `_embedded` property.}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/groups/{groupId}
@desc Retrieve an application group
@optional {expand: str # An optional query parameter to return the corresponding assigned [group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) or  the group assignment metadata details in the `_embedded` property.}
@returns(200) {id: str, lastUpdated: any, priority: int, profile: map, _embedded: map, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/apps/{appId}/groups/{groupId}
@desc Assign an application group
@optional {id: str # ID of the [group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/), lastUpdated: any, priority: int # Priority assigned to the group. If an app has more than one group assigned to the same user, then the group with the higher priority has its profile applied to the [application user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/). If a priority value isn't specified, then the next highest priority is assigned by default. See [Assign attribute group priority](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-app-group-priority) and the [sample priority use case](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-combine-values-use)., profile: map # Specifies the profile properties applied to [application users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) that are assigned to the app through group membership.  Some reference properties are imported from the target app and can't be configured. See [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser=200&path=profile&t=response)., _embedded: map # Embedded resource related to the Application Group using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=group` query parameter is specified, then the [group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) object is embedded.  If the `expand=metadata` query parameter is specified, then the group assignment metadata is embedded., _links: any}
@returns(200) {id: str, lastUpdated: any, priority: int, profile: map, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"id":"00g15acRUy0SYb9GT0g4","profile":{"preferredLanguage":"English","manager":"Arsene Wenger","securityQuestion":"Who is the footballer to have played the game","securityAnswer":"Jay Jay Okocha","timezone":"Canada/Eastern","initialStatus":"active_with_pass","managerId":"ike.ogb@gmail.com","locale":"en_US","division":"top","organization":null,"userType":null,"department":"Accounting"}}

@endpoint PATCH /api/v1/apps/{appId}/groups/{groupId}
@desc Update an application group
@returns(200) {id: str, lastUpdated: any, priority: int, profile: map, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request [{"op":"replace","path":"/profile/manager","value":"Carlo Ancelotti"}]

@endpoint DELETE /api/v1/apps/{appId}/groups/{groupId}
@desc Unassign an application group
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/lifecycle/activate
@desc Activate an application
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/lifecycle/deactivate
@desc Deactivate an application
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/logo
@desc Upload an application logo
@returns(201) Content Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/apps/{appId}/policies/{policyId}
@desc Assign an authentication policy
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/sso/saml/metadata
@desc Preview the application SAML metadata
@required {kid: str}
@returns(200) OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/tokens
@desc List all application refresh tokens
@optional {expand: str # An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`, after: str # Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/apps/{appId}/tokens
@desc Revoke all application tokens
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/tokens/{tokenId}
@desc Retrieve an application token
@optional {expand: str # An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`}
@returns(200) {clientId: str, created: str(date-time), expiresAt: str(date-time), id: str, issuer: str, lastUpdated: str(date-time), scopes: [str], status: str, userId: str, _embedded: map{scopes: [map]}, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/apps/{appId}/tokens/{tokenId}
@desc Revoke an application token
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/apps/{appId}/users
@desc List all application users
@optional {after: str # Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](/#pagination)., limit: int(int32)=50 # Specifies the number of objects to return per page. If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](/#pagination)., q: str # Specifies a filter for the list of application users returned based on their profile attributes. The value of `q` is matched against the beginning of the following profile attributes: `userName`, `firstName`, `lastName`, and `email`. This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the attribute values. > **Note:** For OIDC apps, user profiles don't contain the `firstName` or `lastName` attributes. Therefore, the query only matches against the `userName` or `email` attributes., expand: str # An optional query parameter to return the corresponding [User](/openapi/okta-management/management/tag/User/) object in the `_embedded` property. Valid value: `user`}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/users
@desc Assign an application user
@returns(200) {created: any, credentials: map{password: map{value: str(password)}, userName: str}, externalId: str, id: str, lastSync: str(date-time), lastUpdated: any, passwordChanged: str(date-time)?, profile: map, scope: str, status: str, statusChanged: str(date-time), syncState: str, _embedded: map, _links: map{app: any, group: any, user: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"id":"00ud4tVDDXYVKPXKVLCO","scope":"USER","credentials":{"userName":"rae.cloud@example.com"}}

@endpoint GET /api/v1/apps/{appId}/users/{userId}
@desc Retrieve an application user
@optional {expand: str # An optional query parameter to return the corresponding [User](/openapi/okta-management/management/tag/User/) object in the `_embedded` property. Valid value: `user`}
@returns(200) {created: any, credentials: map{password: map{value: str(password)}, userName: str}, externalId: str, id: str, lastSync: str(date-time), lastUpdated: any, passwordChanged: str(date-time)?, profile: map, scope: str, status: str, statusChanged: str(date-time), syncState: str, _embedded: map, _links: map{app: any, group: any, user: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appId}/users/{userId}
@desc Update an application user
@returns(200) {created: any, credentials: map{password: map{value: str(password)}, userName: str}, externalId: str, id: str, lastSync: str(date-time), lastUpdated: any, passwordChanged: str(date-time)?, profile: map, scope: str, status: str, statusChanged: str(date-time), syncState: str, _embedded: map, _links: map{app: any, group: any, user: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"credentials":{"userName":"rae.cloud@example.com","password":{"value":"updatedP@55word"}}}

@endpoint DELETE /api/v1/apps/{appId}/users/{userId}
@desc Unassign an application user
@optional {sendEmail: bool=false # Sends a deactivation email to the administrator if `true`}
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/apps/{appName}/{appId}/oauth2/callback
@desc Verify the provisioning connection
@optional {code: str, state: str}
@returns(204) No content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authenticators
@desc List all authenticators
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/authenticators
@desc Create an authenticator
@optional {activate: bool=true # Whether to execute the activation lifecycle operation when Okta creates the authenticator, created: str(date-time) # Timestamp when the authenticator was created, id: str # A unique identifier for the authenticator, key: str(custom_app/duo/external_idp/google_otp/okta_email/okta_password/okta_verify/onprem_mfa/phone_number/security_key/security_question/smart_card_idp/symantec_vip/webauthn/yubikey_token/tac) # A human-readable string that identifies the authenticator, lastUpdated: str(date-time) # Timestamp when the authenticator was last modified, name: str # Display name of the authenticator, status: str(ACTIVE/INACTIVE), type: str(app/email/federated/password/phone/security_key/security_question/tac) # The type of authenticator, _links: any}
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: any} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"key":"duo","name":"Duo Security","provider":{"type":"DUO","configuration":{"userNameTemplate":{"template":"oktaId"},"integrationKey":"testIntegrationKey","secretKey":"testSecretKey","host":"https://api-xxxxxxxx.duosecurity.com"}}}

@endpoint GET /api/v1/authenticators/{authenticatorId}
@desc Retrieve an authenticator
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/authenticators/{authenticatorId}
@desc Replace an authenticator
@optional {created: str(date-time) # Timestamp when the authenticator was created, id: str # A unique identifier for the authenticator, key: str(custom_app/duo/external_idp/google_otp/okta_email/okta_password/okta_verify/onprem_mfa/phone_number/security_key/security_question/smart_card_idp/symantec_vip/webauthn/yubikey_token/tac) # A human-readable string that identifies the authenticator, lastUpdated: str(date-time) # Timestamp when the authenticator was last modified, name: str # Display name of the authenticator, status: str(ACTIVE/INACTIVE), type: str(app/email/federated/password/phone/security_key/security_question/tac) # The type of authenticator, _links: any}
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: any} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"key":"duo","name":"Duo Security","provider":{"type":"DUO","configuration":{"userNameTemplate":{"template":"oktaId"},"integrationKey":"testIntegrationKey","secretKey":"testSecretKey","host":"https://api-xxxxxxxx.duosecurity.com"}}}

@endpoint GET /api/v1/authenticators/{authenticatorId}/aaguids
@desc List all custom AAGUIDs
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authenticators/{authenticatorId}/aaguids
@desc Create a custom AAGUID
@optional {aaguid: str # An Authenticator Attestation Global Unique Identifier (AAGUID) is a 128-bit identifier indicating the model., attestationRootCertificates: [map{x5c: str}] # Contains the certificate and information about it, authenticatorCharacteristics: map{fipsCompliant: bool, hardwareProtected: bool, platformAttached: bool} # Contains additional properties about custom AAGUID.}
@returns(200) {aaguid: str, attestationRootCertificates: [map], authenticatorCharacteristics: map{fipsCompliant: bool, hardwareProtected: bool, platformAttached: bool}, name: str, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"aaguid":"cb69481e-8ff7-4039-93ec-0a272911111","name":"My Security Key","authenticatorCharacteristics":{"platformAttached":false,"fipsCompliant":false,"hardwareProtected":false},"attestationRootCertificates":[{"x5c":"X5C..."}]}

@endpoint GET /api/v1/authenticators/{authenticatorId}/aaguids/{aaguid}
@desc Retrieve a custom AAGUID
@returns(200) {aaguid: str, attestationRootCertificates: [map], authenticatorCharacteristics: map{fipsCompliant: bool, hardwareProtected: bool, platformAttached: bool}, name: str, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/authenticators/{authenticatorId}/aaguids/{aaguid}
@desc Replace a custom AAGUID
@optional {attestationRootCertificates: [map{x5c: str}] # Contains the certificate and information about it, authenticatorCharacteristics: map{fipsCompliant: bool, hardwareProtected: bool, platformAttached: bool} # Contains additional properties about custom AAGUID., name: str # The product name associated with this AAGUID.}
@returns(200) {aaguid: str, attestationRootCertificates: [map], authenticatorCharacteristics: map{fipsCompliant: bool, hardwareProtected: bool, platformAttached: bool}, name: str, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"My Security Key","authenticatorCharacteristics":{"platformAttached":false,"fipsCompliant":false,"hardwareProtected":false},"attestationRootCertificates":[{"x5c":"X5C..."}]}

@endpoint PATCH /api/v1/authenticators/{authenticatorId}/aaguids/{aaguid}
@desc Update a custom AAGUID
@returns(200) {aaguid: str, attestationRootCertificates: [map], authenticatorCharacteristics: map{fipsCompliant: bool, hardwareProtected: bool, platformAttached: bool}, name: str, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/authenticators/{authenticatorId}/aaguids/{aaguid}
@desc Delete a custom AAGUID
@returns(204) Deleted
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authenticators/{authenticatorId}/lifecycle/activate
@desc Activate an authenticator
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authenticators/{authenticatorId}/lifecycle/deactivate
@desc Deactivate an authenticator
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authenticators/{authenticatorId}/methods
@desc List all methods of an authenticator
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authenticators/{authenticatorId}/methods/{methodType}
@desc Retrieve an authenticator method
@returns(200) {status: str, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/authenticators/{authenticatorId}/methods/{methodType}
@desc Replace an authenticator method
@optional {status: str(ACTIVE/INACTIVE), type: str(cert/duo/email/idp/otp/password/push/security_question/signed_nonce/sms/totp/voice/webauthn/tac) # The type of authenticator method, _links: any}
@returns(200) {status: str, type: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/activate
@desc Activate an authenticator method
@returns(200) {status: str, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/deactivate
@desc Deactivate an authenticator method
@returns(200) {status: str, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers
@desc List all authorization servers
@optional {q: str # Searches the `name` and `audiences` of authorization servers for matching values, limit: int(int32)=200 # Specifies the number of authorization server results on a page. Maximum value: 200, after: str # Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship.}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers
@desc Create an authorization server
@optional {accessTokenEncryptedResponseAlgorithm: str(RSA-OAEP-256/RSA-OAEP-384/RSA-OAEP-512) # The algorithm for encrypting access tokens issued by this authorization server. If this is requested, the response is signed, and then encrypted. The result is a nested JWT. The default, if omitted, is that no encryption is performed., audiences: [str] # The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience., created: str(date-time), credentials: map{signing: map}, description: str # The description of the custom authorization server, id: str # The ID of the custom authorization server, issuer: str # The complete URL for the custom authorization server. This becomes the `iss` claim in an access token., issuerMode: str # Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL.  `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses.  When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`.  When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface.  When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain.  After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled., jwks: map{keys: [map]} # A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for encrypting JWTs minted by the custom authorization server, jwks_uri: str # URL string that references a JSON Web Key Set for encrypting JWTs minted by the custom authorization server, lastUpdated: str(date-time), name: str # The name of the custom authorization server, status: str(ACTIVE/INACTIVE), _links: any}
@returns(201) {accessTokenEncryptedResponseAlgorithm: str, audiences: [str], created: str(date-time), credentials: map{signing: map{kid: str, lastRotated: str(date-time), nextRotation: str(date-time), rotationMode: str, use: str}}, description: str, id: str, issuer: str, issuerMode: str, jwks: map{keys: [map]}, jwks_uri: str, lastUpdated: str(date-time), name: str, status: str, _links: any} # Created
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Sample Authorization Server","description":"Sample Authorization Server description","audiences":["api://default"]}

@endpoint GET /api/v1/authorizationServers/{authServerId}
@desc Retrieve an authorization server
@returns(200) {accessTokenEncryptedResponseAlgorithm: str, audiences: [str], created: str(date-time), credentials: map{signing: map{kid: str, lastRotated: str(date-time), nextRotation: str(date-time), rotationMode: str, use: str}}, description: str, id: str, issuer: str, issuerMode: str, jwks: map{keys: [map]}, jwks_uri: str, lastUpdated: str(date-time), name: str, status: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/authorizationServers/{authServerId}
@desc Replace an authorization server
@optional {accessTokenEncryptedResponseAlgorithm: str(RSA-OAEP-256/RSA-OAEP-384/RSA-OAEP-512) # The algorithm for encrypting access tokens issued by this authorization server. If this is requested, the response is signed, and then encrypted. The result is a nested JWT. The default, if omitted, is that no encryption is performed., audiences: [str] # The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience., created: str(date-time), credentials: map{signing: map}, description: str # The description of the custom authorization server, id: str # The ID of the custom authorization server, issuer: str # The complete URL for the custom authorization server. This becomes the `iss` claim in an access token., issuerMode: str # Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL.  `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses.  When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`.  When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface.  When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain.  After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled., jwks: map{keys: [map]} # A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for encrypting JWTs minted by the custom authorization server, jwks_uri: str # URL string that references a JSON Web Key Set for encrypting JWTs minted by the custom authorization server, lastUpdated: str(date-time), name: str # The name of the custom authorization server, status: str(ACTIVE/INACTIVE), _links: any}
@returns(200) {accessTokenEncryptedResponseAlgorithm: str, audiences: [str], created: str(date-time), credentials: map{signing: map{kid: str, lastRotated: str(date-time), nextRotation: str(date-time), rotationMode: str, use: str}}, description: str, id: str, issuer: str, issuerMode: str, jwks: map{keys: [map]}, jwks_uri: str, lastUpdated: str(date-time), name: str, status: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"New Authorization Server","description":"Authorization Server description","audiences":["api://default"],"credentials":{"signing":{"rotationMode":"AUTO","use":"sig"}},"issuer":"https://{yourOktaDomain}/oauth2/{authorizationServerId}","issuerMode":"ORG_URL","status":"ACTIVE"}

@endpoint DELETE /api/v1/authorizationServers/{authServerId}
@desc Delete an authorization server
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/associatedServers
@desc List all associated authorization servers
@optional {trusted: bool # Searches trusted authorization servers when `true` or searches untrusted authorization servers when `false`, q: str # Searches for the name or audience of the associated authorization servers, limit: int(int32)=200 # Specifies the number of results for a page, after: str # Specifies the pagination cursor for the next page of the associated authorization servers}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/associatedServers
@desc Create an associated authorization server
@optional {trusted: [str] # A list of the authorization server IDs}
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request [{"trusted":"{authorizationServerId}"}]

@endpoint DELETE /api/v1/authorizationServers/{authServerId}/associatedServers/{associatedServerId}
@desc Delete an associated authorization server
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/claims
@desc List all custom token claims
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/claims
@desc Create a custom token claim
@optional {alwaysIncludeInToken: bool # Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint., claimType: str(IDENTITY/RESOURCE) # Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`), conditions: map{scopes: [str]} # Specifies the scopes for the Claim, group_filter_type: str(CONTAINS/EQUALS/REGEX/STARTS_WITH) # Specifies the type of group filter if `valueType` is `GROUPS`  If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`.  If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim., id: str # ID of the Claim, name: str # Name of the Claim, status: str(ACTIVE/INACTIVE), system: bool # When `true`, indicates that Okta created the Claim, value: str # Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`., valueType: str(EXPRESSION/GROUPS/SYSTEM) # Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(201) {alwaysIncludeInToken: bool, claimType: str, conditions: map{scopes: [str]}, group_filter_type: str, id: str, name: str, status: str, system: bool, value: str, valueType: str, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request [{"alwaysIncludeInToken":true,"claimType":"IDENTITY","conditions":{"scopes":["profile"]},"group_filter_type":"CONTAINS","name":"Support","status":"ACTIVE","system":false,"value":"Support","valueType":"GROUPS"}]

@endpoint GET /api/v1/authorizationServers/{authServerId}/claims/{claimId}
@desc Retrieve a custom token claim
@returns(200) {alwaysIncludeInToken: bool, claimType: str, conditions: map{scopes: [str]}, group_filter_type: str, id: str, name: str, status: str, system: bool, value: str, valueType: str, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/authorizationServers/{authServerId}/claims/{claimId}
@desc Replace a custom token claim
@optional {alwaysIncludeInToken: bool # Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint., claimType: str(IDENTITY/RESOURCE) # Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`), conditions: map{scopes: [str]} # Specifies the scopes for the Claim, group_filter_type: str(CONTAINS/EQUALS/REGEX/STARTS_WITH) # Specifies the type of group filter if `valueType` is `GROUPS`  If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`.  If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim., id: str # ID of the Claim, name: str # Name of the Claim, status: str(ACTIVE/INACTIVE), system: bool # When `true`, indicates that Okta created the Claim, value: str # Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`., valueType: str(EXPRESSION/GROUPS/SYSTEM) # Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {alwaysIncludeInToken: bool, claimType: str, conditions: map{scopes: [str]}, group_filter_type: str, id: str, name: str, status: str, system: bool, value: str, valueType: str, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request [{"alwaysIncludeInToken":true,"claimType":"IDENTITY","conditions":{"scopes":["profile"]},"group_filter_type":"CONTAINS","name":"Knowledge_Base","status":"ACTIVE","system":false,"value":"Knowledge Base","valueType":"GROUPS"}]

@endpoint DELETE /api/v1/authorizationServers/{authServerId}/claims/{claimId}
@desc Delete a custom token claim
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/clients
@desc List all client resources for an authorization server
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens
@desc List all refresh tokens for a client
@optional {expand: str # Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute., after: str # Specifies the pagination cursor for the next page of tokens, limit: int(int32)=-1 # The maximum number of tokens to return (maximum 200)}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens
@desc Revoke all refresh tokens for a client
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}
@desc Retrieve a refresh token for a client
@optional {expand: str # Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.}
@returns(200) {clientId: str, created: str(date-time), expiresAt: str(date-time), id: str, issuer: str, lastUpdated: str(date-time), scopes: [str], status: str, userId: str, _embedded: map{scopes: [map]}, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}
@desc Revoke a refresh token for a client
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/credentials/keys
@desc List all credential keys
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}
@desc Retrieve an authorization server key
@returns(200) {alg: str, e: str, kid: str, kty: str, n: str, status: str, use: str, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate
@desc Rotate all credential keys
@optional {use: str # Purpose of the certificate. The only supported value is `sig`.}
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/lifecycle/activate
@desc Activate an authorization server
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate
@desc Deactivate an authorization server
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/policies
@desc List all policies
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/policies
@desc Create a policy
@returns(201) Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"type":"OAUTH_AUTHORIZATION_POLICY","status":"ACTIVE","name":"Default Policy","description":"Default policy description","priority":1,"system":false,"conditions":{"clients\"":{"include\"":["ALL_CLIENTS"]}}}

@endpoint GET /api/v1/authorizationServers/{authServerId}/policies/{policyId}
@desc Retrieve a policy
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/authorizationServers/{authServerId}/policies/{policyId}
@desc Replace a policy
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"id":"00p5m9xrrBffPd9ah0g4","type":"OAUTH_AUTHORIZATION_POLICY","status":"ACTIVE","name":"Default Policy","description":"Default policy description","priority":1,"system":false,"conditions":{"clients\"":{"include\"":["ALL_CLIENTS"]}}}

@endpoint DELETE /api/v1/authorizationServers/{authServerId}/policies/{policyId}
@desc Delete a policy
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate
@desc Activate a policy
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate
@desc Deactivate a policy
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules
@desc List all policy rules
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules
@desc Create a policy rule
@returns(201) {actions: any, conditions: map{grantTypes: map{include: [str]}, people: map{groups: map{include: [str]}, users: map{include: [str]}}, scopes: map{include: [str]}}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, priority: int, status: str, system: bool, type: str, _links: any} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"type":"RESOURCE_ACCESS","name":"Default Policy Rule","priority":1,"conditions":{"people":{"groups":{"include":["EVERYONE"]}},"grantTypes":{"include":["implicit","client_credentials","authorization_code","password"]},"scopes":{"include":["*"]}},"actions":{"token":{"accessTokenLifetimeMinutes":60,"refreshTokenLifetimeMinutes":0,"refreshTokenWindowMinutes":10080,"inlineHook":{"id":"cal4egvp1mbMldrYN0g7"}}}}

@endpoint GET /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}
@desc Retrieve a policy rule
@returns(200) {actions: any, conditions: map{grantTypes: map{include: [str]}, people: map{groups: map{include: [str]}, users: map{include: [str]}}, scopes: map{include: [str]}}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, priority: int, status: str, system: bool, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}
@desc Replace a policy rule
@returns(200) {actions: any, conditions: map{grantTypes: map{include: [str]}, people: map{groups: map{include: [str]}, users: map{include: [str]}}, scopes: map{include: [str]}}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, priority: int, status: str, system: bool, type: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"type":"RESOURCE_ACCESS","name":"Default Policy Rule","priority":1,"status":"ACTIVE","conditions":{"people":{"groups":{"include":["EVERYONE"]}},"grantTypes":{"include":["implicit","client_credentials","authorization_code","password"]},"scopes":{"include":["*"]}},"actions":{"token":{"accessTokenLifetimeMinutes":60,"refreshTokenLifetimeMinutes":0,"refreshTokenWindowMinutes":10080,"inlineHook":{"id":"cal4egvp1mbMldrYN0g7"}}}}

@endpoint DELETE /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}
@desc Delete a policy rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate
@desc Activate a policy rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
@desc Deactivate a policy rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys
@desc List all Custom Authorization Server Public JSON Web Keys
@returns(200) Success
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys
@desc Add a JSON Web Key
@optional {e: str # RSA key value (exponent) for key binding, kid: str # Unique identifier of the JSON web key in the custom authorization server's public JWKS, kty: str # Cryptographic algorithm family for the certificate's key pair, n: str # RSA key value (modulus) for key binding, status: str(ACTIVE/INACTIVE) # Status of the JSON Web Key, use: str # Acceptable use of the JSON Web Key}
@returns(201) {created: str, e: str, id: str, kid: str?, kty: str, lastUpdated: str, n: str, status: str, use: str, _links: any} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}
@example_request {"kid":"ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B","kty":"RSA","use":"enc","e":"AQAB","n":"AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=","status":"INACTIVE"}

@endpoint GET /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}
@desc Retrieve a Custom Authorization Server Public JSON Web Key
@returns(200) {created: str, e: str, id: str, kid: str?, kty: str, lastUpdated: str, n: str, status: str, use: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}
@desc Delete a Custom Authorization Server Public JSON Web Key
@returns(204) No Content
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}/lifecycle/activate
@desc Activate a Custom Authorization Server Public JSON Web Key
@returns(200) {created: str, e: str, id: str, kid: str?, kty: str, lastUpdated: str, n: str, status: str, use: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}/lifecycle/deactivate
@desc Deactivate a Custom Authorization Server Public JSON Web Key
@returns(200) {created: str, e: str, id: str, kid: str?, kty: str, lastUpdated: str, n: str, status: str, use: str, _links: any} # OK
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/authorizationServers/{authServerId}/scopes
@desc List all custom token scopes
@optional {q: str # Searches the `name` of Custom Token Scopes for matching values, filter: str # Filter expression for Custom Token Scopes, after: str # Specifies the pagination cursor for the next page of scopes. Treat the after cursor as an opaque value and obtain it through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int # Specifies the number of objects to return per page. If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](https://developer.okta.com/docs/api/#pagination).}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/authorizationServers/{authServerId}/scopes
@desc Create a custom token scope
@required {name: str # Scope name}
@optional {consent: str(FLEXIBLE/IMPLICIT/REQUIRED)=IMPLICIT # Indicates whether a consent dialog is needed for the Scope, default: bool=false # Indicates if this Scope is a default scope, description: str # Description of the Scope, displayName: str # Name of the end user displayed in a consent dialog, id: str # Scope object ID, metadataPublish: str(ALL_CLIENTS/NO_CLIENTS)=NO_CLIENTS # Indicates whether the Scope is included in the metadata, optional: bool=false # Indicates whether the Scope is optional. When set to `true`, the user can skip consent for the scope., system: bool=false # Indicates if Okta created the Scope, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(201) {consent: str, default: bool, description: str, displayName: str, id: str, metadataPublish: str, name: str, optional: bool, system: bool, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"car:drive","description":"Drive car","consent":"REQUIRED","displayName":"Saml Jackson"}

@endpoint GET /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}
@desc Retrieve a custom token scope
@returns(200) {consent: str, default: bool, description: str, displayName: str, id: str, metadataPublish: str, name: str, optional: bool, system: bool, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}
@desc Replace a custom token scope
@required {name: str # Scope name}
@optional {consent: str(FLEXIBLE/IMPLICIT/REQUIRED)=IMPLICIT # Indicates whether a consent dialog is needed for the Scope, default: bool=false # Indicates if this Scope is a default scope, description: str # Description of the Scope, displayName: str # Name of the end user displayed in a consent dialog, id: str # Scope object ID, metadataPublish: str(ALL_CLIENTS/NO_CLIENTS)=NO_CLIENTS # Indicates whether the Scope is included in the metadata, optional: bool=false # Indicates whether the Scope is optional. When set to `true`, the user can skip consent for the scope., system: bool=false # Indicates if Okta created the Scope, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {consent: str, default: bool, description: str, displayName: str, id: str, metadataPublish: str, name: str, optional: bool, system: bool, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"description":"Order car","name":"car:order","metadataPublish":"ALL_CLIENTS"}

@endpoint DELETE /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}
@desc Delete a custom token scope
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/behaviors
@desc List all behavior detection rules
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/behaviors
@desc Create a behavior detection rule
@required {name: str # Name of the Behavior Detection Rule, type: str(ANOMALOUS_DEVICE/ANOMALOUS_IP/ANOMALOUS_LOCATION/VELOCITY)}
@optional {created: str # Timestamp when the Behavior Detection Rule was created, id: str # ID of the Behavior Detection Rule, lastUpdated: str # Timestamp when the Behavior Detection Rule was last modified, status: str(ACTIVE/INACTIVE), _link: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {created: str, id: str, lastUpdated: str, name: str, status: str, type: str, _link: map{self: any}} # Created
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"My Behavior Rule","type":"VELOCITY"}

@endpoint GET /api/v1/behaviors/{behaviorId}
@desc Retrieve a behavior detection rule
@returns(200) {created: str, id: str, lastUpdated: str, name: str, status: str, type: str, _link: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/behaviors/{behaviorId}
@desc Replace a behavior detection rule
@required {name: str # Name of the Behavior Detection Rule, type: str(ANOMALOUS_DEVICE/ANOMALOUS_IP/ANOMALOUS_LOCATION/VELOCITY)}
@optional {created: str # Timestamp when the Behavior Detection Rule was created, id: str # ID of the Behavior Detection Rule, lastUpdated: str # Timestamp when the Behavior Detection Rule was last modified, status: str(ACTIVE/INACTIVE), _link: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {created: str, id: str, lastUpdated: str, name: str, status: str, type: str, _link: map{self: any}} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"My Behavior Rule","type":"VELOCITY"}

@endpoint DELETE /api/v1/behaviors/{behaviorId}
@desc Delete a behavior detection rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/behaviors/{behaviorId}/lifecycle/activate
@desc Activate a behavior detection rule
@returns(200) {created: str, id: str, lastUpdated: str, name: str, status: str, type: str, _link: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/behaviors/{behaviorId}/lifecycle/deactivate
@desc Deactivate a behavior detection rule
@returns(200) {created: str, id: str, lastUpdated: str, name: str, status: str, type: str, _link: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands
@desc List all brands
@optional {expand: [str] # Specifies additional metadata to be included in the response, after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return, q: str # Searches the records for matching value}
@returns(200) Successfully returned the list of brands
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/brands
@desc Create a brand
@required {name: str # The name of the Brand}
@returns(201) {agreeToCustomPrivacyPolicy: bool, customPrivacyPolicyUrl: str, defaultApp: map{appInstanceId: str, appLinkName: str, classicApplicationUri: str}, emailDomainId: str, id: str, isDefault: bool, locale: str, name: str, removePoweredByOkta: bool} # Successfully created the brand
@errors {400: Bad Request, 403: Forbidden, 409: Could not create the new brand because same name already exist., 429: Too Many Requests}
@example_request {"name":"My Awesome Brand"}

@endpoint GET /api/v1/brands/{brandId}
@desc Retrieve a brand
@optional {expand: [str] # Specifies additional metadata to be included in the response}
@returns(200) {_embedded: map{themes: [map], domains: [map], emailDomain: map{dnsValidationRecords: [map], domain: str, id: str, validationStatus: str, validationSubdomain: str}}, _links: any} # Successfully retrieved the brand
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}
@desc Replace a brand
@required {name: str # The name of the Brand}
@optional {agreeToCustomPrivacyPolicy: bool # Consent for updating the custom privacy URL. Not required when resetting the URL., customPrivacyPolicyUrl: str # Custom privacy policy URL, defaultApp: map{appInstanceId: str, appLinkName: str, classicApplicationUri: str}, emailDomainId: str # The ID of the email domain, locale: str # The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646), removePoweredByOkta: bool=false # Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard}
@returns(200) {agreeToCustomPrivacyPolicy: bool, customPrivacyPolicyUrl: str, defaultApp: map{appInstanceId: str, appLinkName: str, classicApplicationUri: str}, emailDomainId: str, id: str, isDefault: bool, locale: str, name: str, removePoweredByOkta: bool} # Successfully replaced the brand
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"customPrivacyPolicyUrl":"https://www.someHost.com/privacy-policy","agreeToCustomPrivacyPolicy":true,"removePoweredByOkta":true,"name":"New Name For Brand","emailDomainId":"OeD114iNkrcN6aR680g4","locale":"en","defaultApp":{"appInstanceId":"0oa114iNkrcN6aR680g4","appLinkName":null,"classicApplicationUri":null}}

@endpoint DELETE /api/v1/brands/{brandId}
@desc Delete a brand
@returns(204) Successfully deleted the brand.
@errors {403: Forbidden, 404: Not Found, 409: Conflict, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/domains
@desc List all domains associated with a brand
@returns(200) Successfully returned the list of domains for the brand
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/error
@desc Retrieve the error page sub-resources
@returns(200) {_embedded: map{default: map{pageContent: str}, customized: map{pageContent: str}, customizedUrl: str(uri), preview: map{pageContent: str}, previewUrl: str(uri)}, _links: any} # Successfully retrieved the error page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/error/customized
@desc Retrieve the customized error page
@returns(200) Successfully retrieved the customized error page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/pages/error/customized
@desc Replace the customized error page
@returns(200) Successfully replaced the customized error page.
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/brands/{brandId}/pages/error/customized
@desc Delete the customized error page
@returns(204) Successfully deleted the customized error page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/error/default
@desc Retrieve the default error page
@returns(200) Successfully retrieved the default error page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/error/preview
@desc Retrieve the preview error page preview
@returns(200) Successfully retrieved the preview error page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/pages/error/preview
@desc Replace the preview error page
@returns(200) Successfully replaced the preview error page.
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/brands/{brandId}/pages/error/preview
@desc Delete the preview error page
@returns(204) Successfully deleted the preview error page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/sign-in
@desc Retrieve the sign-in page sub-resources
@returns(200) {_embedded: map{default: map{pageContent: str}, customized: map{pageContent: str}, customizedUrl: str(uri), preview: map{pageContent: str}, previewUrl: str(uri)}, _links: any} # Successfully retrieved the sign-in page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/sign-in/customized
@desc Retrieve the customized sign-in page
@returns(200) Successfully retrieved the customized sign-in page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/pages/sign-in/customized
@desc Replace the customized sign-in page
@returns(200) Successfully replaced the customized sign-in page.
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/brands/{brandId}/pages/sign-in/customized
@desc Delete the customized sign-in page
@returns(204) Successfully deleted the sign-in page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/sign-in/default
@desc Retrieve the default sign-in page
@returns(200) Successfully retrieved the default sign-in page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/sign-in/preview
@desc Retrieve the preview sign-in page preview
@returns(200) Successfully retrieved the preview sign-in page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/pages/sign-in/preview
@desc Replace the preview sign-in page
@returns(200) Successfully replaced the preview sign-in page.
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/brands/{brandId}/pages/sign-in/preview
@desc Delete the preview sign-in page
@returns(204) Successfully deleted the preview sign-in page.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/sign-in/widget-versions
@desc List all Sign-In Widget versions
@returns(200) Successfully listed the sign-in widget versions.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/pages/sign-out/customized
@desc Retrieve the sign-out page settings
@returns(200) {type: str, url: str} # Successfully retrieved the sign-out page settings.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/pages/sign-out/customized
@desc Replace the sign-out page settings
@required {type: str(EXTERNALLY_HOSTED/OKTA_DEFAULT)}
@optional {url: str}
@returns(200) {type: str, url: str} # Successfully replaced the sign-out page settings.
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/templates/email
@desc List all email templates
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return, expand: [str] # Specifies additional metadata to be included in the response}
@returns(200) Successfully returned the list of email templates.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/templates/email/{templateName}
@desc Retrieve an email template
@optional {expand: [str] # Specifies additional metadata to be included in the response}
@returns(200) {name: str, _embedded: map{settings: map{recipients: str, _links: any}, customizationCount: int}, _links: any} # Successfully retrieved the email template.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/templates/email/{templateName}/customizations
@desc List all email customizations
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Successfully retrieved all email customizations for the specified email template.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/brands/{brandId}/templates/email/{templateName}/customizations
@desc Create an email customization
@returns(201) Successfully created the email customization.
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 409: Could not create the email customization because it conflicts with an existing email customization., 429: Too Many Requests}
@example_request {"language":"fr","subject":"Bienvenue dans ${org.name}!","body":"< html><html><body><p>Bonjour ${user.profile.firstName}. <a href=\"${activationLink}\">Activer le compte</a></p></body></html>","isDefault":false}

@endpoint DELETE /api/v1/brands/{brandId}/templates/email/{templateName}/customizations
@desc Delete all email customizations
@returns(204) Successfully deleted all customizations for the email template.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}
@desc Retrieve an email customization
@returns(200) Successfully retrieved the email customization.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}
@desc Replace an email customization
@returns(200) Successfully updated the email customization.
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 409: Could not update the email customization because the update would cause a conflict with an existing email customization., 429: Too Many Requests}
@example_request {"language":"fr","subject":"Bienvenue dans ${org.name}!","body":"< html><html><body><p>Bonjour ${user.profile.firstName}. <a href=\"${activationLink}\">Activer le compte</a></p></body></html>","isDefault":false}

@endpoint DELETE /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}
@desc Delete an email customization
@returns(204) Successfully deleted the email customization.
@errors {403: Forbidden, 404: Not Found, 409: Could not delete the email customization deleted because it is the default email customization., 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}/preview
@desc Retrieve a preview of an email customization
@returns(200) {body: str, subject: str, _links: any} # Successfully generated a preview of the email customization.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/templates/email/{templateName}/default-content
@desc Retrieve an email template default content
@optional {language: str # The language to use for the email. Defaults to the current user's language if unspecified.}
@returns(200) Successfully retrieved the email template's default content.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/templates/email/{templateName}/default-content/preview
@desc Retrieve a preview of the email template default content
@optional {language: str # The language to use for the email. Defaults to the current user's language if unspecified.}
@returns(200) {body: str, subject: str, _links: any} # Successfully generated a preview of the email template's default content.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/templates/email/{templateName}/settings
@desc Retrieve the email template settings
@returns(200) {recipients: str, _links: any} # Successfully retrieved the email template's settings.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/templates/email/{templateName}/settings
@desc Replace the email template settings
@required {recipients: str(ALL_USERS/ADMINS_ONLY/NO_USERS)}
@returns(200) {recipients: str} # Successfully updated the email template's settings.
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 409: Conflict, 422: Could not update the email template's settings due to an invalid setting value., 429: Too Many Requests}

@endpoint POST /api/v1/brands/{brandId}/templates/email/{templateName}/test
@desc Send a test email
@optional {language: str # The language to use for the email. Defaults to the current user's language if unspecified.}
@returns(204) Successfully sent a test email.
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/themes
@desc List all themes
@returns(200) Successfully returned the list of themes
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/themes/{themeId}
@desc Retrieve a theme
@returns(200) {backgroundImage: str, emailTemplateTouchPointVariant: str, endUserDashboardTouchPointVariant: str, errorPageTouchPointVariant: str, favicon: str, id: str, loadingPageTouchPointVariant: str, logo: str, primaryColorContrastHex: str, primaryColorHex: str, secondaryColorContrastHex: str, secondaryColorHex: str, signInPageTouchPointVariant: str, _links: map{self: any}} # Successfully retrieved the theme
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/themes/{themeId}
@desc Replace a theme
@required {emailTemplateTouchPointVariant: str(FULL_THEME/OKTA_DEFAULT)=OKTA_DEFAULT # Variant for email templates. You can publish a theme for email templates with different combinations of assets. Variants are preset combinations of those assets., endUserDashboardTouchPointVariant: str(FULL_THEME/LOGO_ON_FULL_WHITE_BACKGROUND/OKTA_DEFAULT/WHITE_LOGO_BACKGROUND)=OKTA_DEFAULT # Variant for the Okta End-User Dashboard. You can publish a theme for end-user dashboard with different combinations of assets. Variants are preset combinations of those assets., errorPageTouchPointVariant: str(BACKGROUND_IMAGE/BACKGROUND_SECONDARY_COLOR/OKTA_DEFAULT)=OKTA_DEFAULT # Variant for the error page. You can publish a theme for error page with different combinations of assets. Variants are preset combinations of those assets., primaryColorHex: str=null # Primary color hex code, secondaryColorHex: str=null # Secondary color hex code, signInPageTouchPointVariant: str(BACKGROUND_IMAGE/BACKGROUND_SECONDARY_COLOR/OKTA_DEFAULT) # Variant for the Okta sign-in page. You can publish a theme for sign-in page with different combinations of assets. Variants are preset combinations of those assets. > **Note:**  For a non-`OKTA_DEFAULT` variant, `primaryColorHex` is used for button background color and `primaryColorContrastHex` is used to optimize the opacity for button text.}
@optional {loadingPageTouchPointVariant: str(NONE/OKTA_DEFAULT)=OKTA_DEFAULT # Variant for the Okta loading page. You can publish a theme for Okta loading page with different combinations of assets. Variants are preset combinations of those assets., primaryColorContrastHex: str=null # Primary color contrast hex code, secondaryColorContrastHex: str=null # Secondary color contrast hex code, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {backgroundImage: str, emailTemplateTouchPointVariant: str, endUserDashboardTouchPointVariant: str, errorPageTouchPointVariant: str, favicon: str, id: str, loadingPageTouchPointVariant: str, logo: str, primaryColorContrastHex: str, primaryColorHex: str, secondaryColorContrastHex: str, secondaryColorHex: str, signInPageTouchPointVariant: str, _links: map{self: any}} # Successfully replaced the theme
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"primaryColorHex":"#1662dd","primaryColorContrastHex":"#000000","secondaryColorHex":"#ebebed","secondaryColorContrastHex":"#000000","signInPageTouchPointVariant":"OKTA_DEFAULT","endUserDashboardTouchPointVariant":"OKTA_DEFAULT","errorPageTouchPointVariant":"OKTA_DEFAULT","emailTemplateTouchPointVariant":"OKTA_DEFAULT","loadingPageTouchPointVariant":"OKTA_DEFAULT"}

@endpoint POST /api/v1/brands/{brandId}/themes/{themeId}/background-image
@desc Upload the background image
@returns(201) {url: str} # Content Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/brands/{brandId}/themes/{themeId}/background-image
@desc Delete the background image
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/brands/{brandId}/themes/{themeId}/favicon
@desc Upload the favicon
@returns(201) {url: str} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/brands/{brandId}/themes/{themeId}/favicon
@desc Delete the favicon
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/brands/{brandId}/themes/{themeId}/logo
@desc Upload the logo
@returns(200) {url: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/brands/{brandId}/themes/{themeId}/logo
@desc Delete the logo
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/well-known-uris
@desc Retrieve all the well-known URIs
@returns(200) {_embedded: map{apple-app-site-association: map{customized: map{representation: map, _links: any}}, assetlinks.json: map{customized: map{representation: [any], _links: any}}, webauthn: map{customized: map{representation: map, _links: any}}}, _links: any} # Successfully retrieved all the well-known URIs
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/well-known-uris/{path}
@desc Retrieve the well-known URI of a specific brand
@returns(200) {representation: map, _links: any} # Successfully retrieved the well-known URI
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/brands/{brandId}/well-known-uris/{path}/customized
@desc Retrieve the customized content of the specified well-known URI
@returns(200) {representation: map, _links: any} # Successfully retrieved the customized well-known URI content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/brands/{brandId}/well-known-uris/{path}/customized
@desc Replace the customized well-known URI of the specific path
@required {representation: map # The well-known URI content in JSON object format}
@returns(200) {representation: map, _links: any} # Successfully updated the well-known URI of the specified path
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"representation":{"key1":"value1","key2":"value2","key3":{"key3.1":"value3.1"}}}

@endpoint GET /api/v1/captchas
@desc List all CAPTCHA instances
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/captchas
@desc Create a CAPTCHA instance
@optional {id: str # The unique key for the CAPTCHA instance, name: str # The name of the CAPTCHA instance, secretKey: str # The secret key issued from the CAPTCHA provider to perform server-side validation for a CAPTCHA token, siteKey: str # The site key issued from the CAPTCHA provider to render a CAPTCHA on a page, type: str(HCAPTCHA/RECAPTCHA_V2) # The type of CAPTCHA provider, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(201) {id: str, name: str, secretKey: str, siteKey: str, type: str, _links: map{self: any}} # Created
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"myHCaptcha","secretKey":"xxxxxxxxxxx","siteKey":"xxxxxxxxxxx","type":"HCAPTCHA"}

@endpoint GET /api/v1/captchas/{captchaId}
@desc Retrieve a CAPTCHA instance
@returns(200) {id: str, name: str, secretKey: str, siteKey: str, type: str, _links: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/captchas/{captchaId}
@desc Update a CAPTCHA instance
@optional {id: str # The unique key for the CAPTCHA instance, name: str # The name of the CAPTCHA instance, secretKey: str # The secret key issued from the CAPTCHA provider to perform server-side validation for a CAPTCHA token, siteKey: str # The site key issued from the CAPTCHA provider to render a CAPTCHA on a page, type: str(HCAPTCHA/RECAPTCHA_V2) # The type of CAPTCHA provider, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {id: str, name: str, secretKey: str, siteKey: str, type: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"myHCaptcha","secretKey":"xxxxxxxxxxx","siteKey":"xxxxxxxxxxx","type":"HCAPTCHA"}

@endpoint PUT /api/v1/captchas/{captchaId}
@desc Replace a CAPTCHA instance
@optional {id: str # The unique key for the CAPTCHA instance, name: str # The name of the CAPTCHA instance, secretKey: str # The secret key issued from the CAPTCHA provider to perform server-side validation for a CAPTCHA token, siteKey: str # The site key issued from the CAPTCHA provider to render a CAPTCHA on a page, type: str(HCAPTCHA/RECAPTCHA_V2) # The type of CAPTCHA provider, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {id: str, name: str, secretKey: str, siteKey: str, type: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"myHCaptcha","secretKey":"xxxxxxxxxxx","siteKey":"xxxxxxxxxxx","type":"HCAPTCHA"}

@endpoint DELETE /api/v1/captchas/{captchaId}
@desc Delete a CAPTCHA instance
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/device-assurances
@desc List all device assurance policies
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/device-assurances
@desc Create a device assurance policy
@optional {createdBy: str, createdDate: str, devicePostureChecks: map{include: [any]} # Represents the Device Posture Checks configuration for the device assurance policy, displayRemediationMode: str(HIDE/SHOW) # Represents the remediation mode of this device assurance policy when users are denied access due to device noncompliance, gracePeriod: map{expiry: any, type: str} # Represents the Grace Period configuration for the device assurance policy, id: str, lastUpdate: str, lastUpdatedBy: str, name: str # Display name of the device assurance policy, platform: str(ANDROID/CHROMEOS/IOS/MACOS/WINDOWS), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {createdBy: str, createdDate: str, devicePostureChecks: map{include: [any]}, displayRemediationMode: str, gracePeriod: map{expiry: any, type: str}, id: str, lastUpdate: str, lastUpdatedBy: str, name: str, platform: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Device assurance Android","osVersion":{"minimum":12},"diskEncryptionType":{"include":["USER","FULL"]},"jailbreak":false,"platform":"ANDROID","screenLockType":{"include":["BIOMETRIC"]},"secureHardwarePresent":true}

@endpoint GET /api/v1/device-assurances/{deviceAssuranceId}
@desc Retrieve a device assurance policy
@returns(200) {createdBy: str, createdDate: str, devicePostureChecks: map{include: [any]}, displayRemediationMode: str, gracePeriod: map{expiry: any, type: str}, id: str, lastUpdate: str, lastUpdatedBy: str, name: str, platform: str, _links: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/device-assurances/{deviceAssuranceId}
@desc Replace a device assurance policy
@optional {createdBy: str, createdDate: str, devicePostureChecks: map{include: [any]} # Represents the Device Posture Checks configuration for the device assurance policy, displayRemediationMode: str(HIDE/SHOW) # Represents the remediation mode of this device assurance policy when users are denied access due to device noncompliance, gracePeriod: map{expiry: any, type: str} # Represents the Grace Period configuration for the device assurance policy, id: str, lastUpdate: str, lastUpdatedBy: str, name: str # Display name of the device assurance policy, platform: str(ANDROID/CHROMEOS/IOS/MACOS/WINDOWS), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {createdBy: str, createdDate: str, devicePostureChecks: map{include: [any]}, displayRemediationMode: str, gracePeriod: map{expiry: any, type: str}, id: str, lastUpdate: str, lastUpdatedBy: str, name: str, platform: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"Device assurance Android","osVersion":{"minimum":12},"diskEncryptionType":{"include":["USER","FULL"]},"jailbreak":false,"platform":"ANDROID","screenLockType":{"include":["BIOMETRIC"]},"secureHardwarePresent":true}

@endpoint DELETE /api/v1/device-assurances/{deviceAssuranceId}
@desc Delete a device assurance policy
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 409: Conflict, 429: Too Many Requests}

@endpoint GET /api/v1/device-integrations
@desc List all device integrations
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/device-integrations/{deviceIntegrationId}
@desc Retrieve a device integration
@returns(200) {displayName: str, id: str, metadata: map, name: str, platform: str, status: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/device-integrations/{deviceIntegrationId}/lifecycle/activate
@desc Activate a device integration
@returns(200) {displayName: str, id: str, metadata: map, name: str, platform: str, status: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/device-integrations/{deviceIntegrationId}/lifecycle/deactivate
@desc Deactivate a device integration
@returns(200) {displayName: str, id: str, metadata: map, name: str, platform: str, status: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/device-posture-checks
@desc List all device posture checks
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/device-posture-checks
@desc Create a device posture check
@optional {createdBy: str # User who created the device posture check, createdDate: str # Time the device posture check was created, description: str # Description of the device posture check, id: str # The ID of the device posture check, lastUpdate: str # Time the device posture check was updated, lastUpdatedBy: str # User who updated the device posture check, mappingType: str(CHECKBOX/TEXTBOX) # Represents how the device posture check is rendered in device assurance policies, name: str # Display name of the device posture check, platform: str(MACOS/WINDOWS), query: str # OSQuery for the device posture check, remediationSettings: map{link: map, message: map} # Represents the remediation instructions shown to the end user when the device posture check fails, type: str(BUILTIN/CUSTOM), variableName: str # Unique name of the device posture check, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {createdBy: str, createdDate: str, description: str, id: str, lastUpdate: str, lastUpdatedBy: str, mappingType: str, name: str, platform: str, query: str, remediationSettings: map{link: map{defaultUrl: str, customUrl: str}, message: map{defaultI18nKey: str, customText: str}}, type: str, variableName: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Device posture check macOS","description":"Query macOS devices to check if firewall is enabled","variableName":"macOSFirewall","platform":"MACOS","type":"CUSTOM","mappingType":"CHECKBOX","query":"SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf;","remediationSettings":{"message":{"defaultI18nKey":null,"customText":"It is our company policy that all devices must have a firewall enabled."},"link":{"defaultUrl":null,"customUrl":"example.myremediationurl.com/docs"}}}

@endpoint GET /api/v1/device-posture-checks/default
@desc List all default device posture checks
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/device-posture-checks/{postureCheckId}
@desc Retrieve a device posture check
@returns(200) {createdBy: str, createdDate: str, description: str, id: str, lastUpdate: str, lastUpdatedBy: str, mappingType: str, name: str, platform: str, query: str, remediationSettings: map{link: map{defaultUrl: str, customUrl: str}, message: map{defaultI18nKey: str, customText: str}}, type: str, variableName: str, _links: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/device-posture-checks/{postureCheckId}
@desc Replace a device posture check
@optional {createdBy: str # User who created the device posture check, createdDate: str # Time the device posture check was created, description: str # Description of the device posture check, id: str # The ID of the device posture check, lastUpdate: str # Time the device posture check was updated, lastUpdatedBy: str # User who updated the device posture check, mappingType: str(CHECKBOX/TEXTBOX) # Represents how the device posture check is rendered in device assurance policies, name: str # Display name of the device posture check, platform: str(MACOS/WINDOWS), query: str # OSQuery for the device posture check, remediationSettings: map{link: map, message: map} # Represents the remediation instructions shown to the end user when the device posture check fails, type: str(BUILTIN/CUSTOM), variableName: str # Unique name of the device posture check, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {createdBy: str, createdDate: str, description: str, id: str, lastUpdate: str, lastUpdatedBy: str, mappingType: str, name: str, platform: str, query: str, remediationSettings: map{link: map{defaultUrl: str, customUrl: str}, message: map{defaultI18nKey: str, customText: str}}, type: str, variableName: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"Device posture check macOS","description":"Query macOS devices to check if firewall is enabled","variableName":"macOSFirewall","platform":"MACOS","type":"CUSTOM","mappingType":"CHECKBOX","query":"SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf;","remediationSettings":{"message":{"defaultI18nKey":null,"customText":"It is our company policy that all devices must have a firewall enabled."},"link":{"defaultUrl":null,"customUrl":"example.myremediationurl.com/docs"}}}

@endpoint DELETE /api/v1/device-posture-checks/{postureCheckId}
@desc Delete a device posture check
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 409: Conflict, 429: Too Many Requests}

@endpoint GET /api/v1/devices
@desc List all devices
@optional {after: str, limit: int=200 # A limit on the number of objects to return (recommend `20`), search: str # A SCIM filter expression that filters the results. Searches include all device `profile` properties and the device `id`, `status`, and `lastUpdated` properties.  Searches for devices can be filtered by the contains (`co`) operator. You can only use `co` with these select device profile attributes: `profile.displayName`, `profile.serialNumber`, `profile.imei`, `profile.meid`, `profile.udid`, and `profile.sid`. See [Operators](https://developer.okta.com/docs/api/#operators)., expand: str(user/userSummary) # Includes associated user details and management status for the device in the `_embedded` attribute}
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/devices/{deviceId}
@desc Retrieve a device
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), profile: map{diskEncryptionType: str, displayName: str, imei: str, integrityJailbreak: bool, managed: bool, manufacturer: str, meid: str, model: str, osVersion: str, platform: str, registered: bool, secureHardwarePresent: bool, serialNumber: str, sid: str, tpmPublicKeyHash: str, udid: str}, resourceAlternateId: str, resourceDisplayName: map{sensitive: bool, value: str}, resourceId: str, resourceType: str, status: str, _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/devices/{deviceId}
@desc Delete a device
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/devices/{deviceId}/lifecycle/activate
@desc Activate a device
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/devices/{deviceId}/lifecycle/deactivate
@desc Deactivate a device
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/devices/{deviceId}/lifecycle/suspend
@desc Suspend a Device
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/devices/{deviceId}/lifecycle/unsuspend
@desc Unsuspend a Device
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/devices/{deviceId}/users
@desc List all users for a device
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/directories/{appInstanceId}/groups/modify
@desc Update an Active Directory group membership
@optional {id: str # ID of the Active Directory group to update, parameters: map{action: str, attribute: str, values: [str]} # Attributes used for processing Active Directory group membership update}
@returns(200) OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 502: There are no connected agents., 504: Timed out waiting for agent}
@example_request {"id":"00g1xucgTZFrziXg10g4","parameters":{"action":"ADD","attribute":"member","values":["00u1bh5efGKMsSiLv0g4"]}}

@endpoint GET /api/v1/domains
@desc List all Custom Domains
@returns(200) {domains: [map]} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/domains
@desc Create a Custom Domain
@required {certificateSourceType: str(MANUAL/OKTA_MANAGED) # Certificate source type that indicates whether the certificate is provided by the user or Okta., domain: str # Custom domain name}
@returns(200) {brandId: str, certificateSourceType: str, dnsRecords: [map], domain: str, id: str, publicCertificate: map{expiration: str, fingerprint: str, subject: str}, validationStatus: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/domains/{domainId}
@desc Retrieve a custom domain
@returns(200) {brandId: str, certificateSourceType: str, dnsRecords: [map], domain: str, id: str, publicCertificate: map{expiration: str, fingerprint: str, subject: str}, validationStatus: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/domains/{domainId}
@desc Replace a custom domain's brand
@required {brandId: str # The `id` of the brand used to replace the existing brand.}
@returns(200) {brandId: str, certificateSourceType: str, dnsRecords: [map], domain: str, id: str, publicCertificate: map{expiration: str, fingerprint: str, subject: str}, validationStatus: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/domains/{domainId}
@desc Delete a custom domain
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/domains/{domainId}/certificate
@desc Upsert the custom domain's certificate
@required {certificate: str # Certificate content, certificateChain: str # Certificate chain, privateKey: str # Certificate private key, type: str # Certificate type}
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/domains/{domainId}/verify
@desc Verify a custom domain
@returns(200) {brandId: str, certificateSourceType: str, dnsRecords: [map], domain: str, id: str, publicCertificate: map{expiration: str, fingerprint: str, subject: str}, validationStatus: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/email-domains
@desc List all email domains
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/email-domains
@desc Create an email domain
@required {brandId: str, domain: str}
@optional {validationSubdomain: str=mail # Subdomain for the email sender's custom mail domain. Specify your subdomain when you configure a custom mail domain.}
@returns(200) {dnsValidationRecords: [map], domain: str, id: str, validationStatus: str, validationSubdomain: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 409: Conflict, 429: Too Many Requests}
@example_request {"displayName":"Admin","userName":"admin","domain":"example.com","brandId":"bnd100iSrkcN6aR680g1","validationSubdomain":"mail"}

@endpoint GET /api/v1/email-domains/{emailDomainId}
@desc Retrieve an email domain
@returns(200) {_embedded: map{brands: [map]}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/email-domains/{emailDomainId}
@desc Replace an email domain
@returns(200) {dnsValidationRecords: [map], domain: str, id: str, validationStatus: str, validationSubdomain: str} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"displayName":"IT Admin","userName":"noreply"}

@endpoint DELETE /api/v1/email-domains/{emailDomainId}
@desc Delete an email domain
@returns(204) No Content
@errors {400: Unable to delete custom email domain due to mail provider specific restrictions, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/email-domains/{emailDomainId}/verify
@desc Verify an email domain
@returns(200) {dnsValidationRecords: [map], domain: str, id: str, validationStatus: str, validationSubdomain: str} # Success
@errors {400: Email domain could not be verified by mail provider, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/email-servers
@desc List all enrolled SMTP servers
@returns(200) {email-servers: [any]} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/email-servers
@desc Create a custom SMTP server
@returns(201) Successfully enrolled server credentials
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/email-servers/{emailServerId}
@desc Retrieve an SMTP server configuration
@returns(200) {email-servers: [any]} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PATCH /api/v1/email-servers/{emailServerId}
@desc Update an SMTP server configuration
@returns(200) OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/email-servers/{emailServerId}
@desc Delete an SMTP server configuration
@returns(204) No content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/email-servers/{emailServerId}/test
@desc Test an SMTP server configuration
@required {from: str # Email address that sends test emails, to: str # Email address that receives test emails}
@returns(204) No content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/eventHooks
@desc List all event hooks
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/eventHooks
@desc Create an event hook
@required {channel: map{config!: map, type!: str, version!: str}, events: map{filter: map, items!: [str], type!: str}, name: str # Display name for the event hook}
@optional {created: str(date-time) # Timestamp of the event hook creation, createdBy: str # The ID of the user who created the event hook, description: str # Description of the event hook, id: str # Unique key for the event hook, lastUpdated: str(date-time) # Date of the last event hook update, status: str(ACTIVE/INACTIVE) # Status of the event hook, verificationStatus: str(UNVERIFIED/VERIFIED) # Verification status of the event hook. `UNVERIFIED` event hooks won't receive any events., _links: any}
@returns(200) {channel: map{config: map{authScheme: map{key: str, type: str, value: str}, headers: [map], method: str, uri: str}, type: str, version: str}, created: str(date-time), createdBy: str, description: str?, events: map{filter: map?{eventFilterMap: [map], type: str}, items: [str], type: str}, id: str, lastUpdated: str(date-time), name: str, status: str, verificationStatus: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Event Hook Test","events":{"type":"EVENT_TYPE","items":["group.user_membership.add"]},"channel":{"type":"HTTP","version":"1.0.0","config":{"uri":"https://example_external_service/userAdded","headers":[{"key":"X-Other-Header","value":"my-header-value"}],"authScheme":{"type":"HEADER","key":"Authorization","value":"my-shared-secret"}}}}

@endpoint GET /api/v1/eventHooks/{eventHookId}
@desc Retrieve an event hook
@returns(200) {channel: map{config: map{authScheme: map{key: str, type: str, value: str}, headers: [map], method: str, uri: str}, type: str, version: str}, created: str(date-time), createdBy: str, description: str?, events: map{filter: map?{eventFilterMap: [map], type: str}, items: [str], type: str}, id: str, lastUpdated: str(date-time), name: str, status: str, verificationStatus: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/eventHooks/{eventHookId}
@desc Replace an event hook
@required {channel: map{config!: map, type!: str, version!: str}, events: map{filter: map, items!: [str], type!: str}, name: str # Display name for the event hook}
@optional {created: str(date-time) # Timestamp of the event hook creation, createdBy: str # The ID of the user who created the event hook, description: str # Description of the event hook, id: str # Unique key for the event hook, lastUpdated: str(date-time) # Date of the last event hook update, status: str(ACTIVE/INACTIVE) # Status of the event hook, verificationStatus: str(UNVERIFIED/VERIFIED) # Verification status of the event hook. `UNVERIFIED` event hooks won't receive any events., _links: any}
@returns(200) {channel: map{config: map{authScheme: map{key: str, type: str, value: str}, headers: [map], method: str, uri: str}, type: str, version: str}, created: str(date-time), createdBy: str, description: str?, events: map{filter: map?{eventFilterMap: [map], type: str}, items: [str], type: str}, id: str, lastUpdated: str(date-time), name: str, status: str, verificationStatus: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"Event Hook with Filter","description":"An event hook using an Okta Expression Language filter","events":{"type":"EVENT_TYPE","items":["group.user_membership.add"],"filter":{"type":"EXPRESSION_LANGUAGE","eventFilterMap":[{"event":"group.user_membership.add","condition":{"expression":"event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0"}}]}},"channel":{"type":"HTTP","version":"1.0.0","config":{"uri":"https://example_external_service/userAdded","authScheme":{"type":"HEADER","key":"Authorization","value":"my-shared-secret"}}}}

@endpoint DELETE /api/v1/eventHooks/{eventHookId}
@desc Delete an event hook
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/eventHooks/{eventHookId}/lifecycle/activate
@desc Activate an event hook
@returns(200) {channel: map{config: map{authScheme: map{key: str, type: str, value: str}, headers: [map], method: str, uri: str}, type: str, version: str}, created: str(date-time), createdBy: str, description: str?, events: map{filter: map?{eventFilterMap: [map], type: str}, items: [str], type: str}, id: str, lastUpdated: str(date-time), name: str, status: str, verificationStatus: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/eventHooks/{eventHookId}/lifecycle/deactivate
@desc Deactivate an event hook
@returns(200) {channel: map{config: map{authScheme: map{key: str, type: str, value: str}, headers: [map], method: str, uri: str}, type: str, version: str}, created: str(date-time), createdBy: str, description: str?, events: map{filter: map?{eventFilterMap: [map], type: str}, items: [str], type: str}, id: str, lastUpdated: str(date-time), name: str, status: str, verificationStatus: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/eventHooks/{eventHookId}/lifecycle/verify
@desc Verify an event hook
@returns(200) {channel: map{config: map{authScheme: map{key: str, type: str, value: str}, headers: [map], method: str, uri: str}, type: str, version: str}, created: str(date-time), createdBy: str, description: str?, events: map{filter: map?{eventFilterMap: [map], type: str}, items: [str], type: str}, id: str, lastUpdated: str(date-time), name: str, status: str, verificationStatus: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/features
@desc List all features
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/features/{featureId}
@desc Retrieve a feature
@returns(200) {description: str, id: str, name: str, stage: map{state: str, value: str}, status: str, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/features/{featureId}/dependencies
@desc List all dependencies
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/features/{featureId}/dependents
@desc List all dependents
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/features/{featureId}/{lifecycle}
@desc Update a feature lifecycle
@optional {mode: str # Indicates if you want to force enable or disable a feature. Supported value is `force`.}
@returns(200) {description: str, id: str, name: str, stage: map{state: str, value: str}, status: str, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/first-party-app-settings/{appName}
@desc Retrieve the Okta application settings
@returns(200) {sessionIdleTimeoutMinutes: int, sessionMaxLifetimeMinutes: int} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /api/v1/first-party-app-settings/{appName}
@desc Replace the Okta application settings
@optional {sessionIdleTimeoutMinutes: int=15 # The maximum idle time before the Okta Admin Console session expires. Must be no more than 12 hours., sessionMaxLifetimeMinutes: int=720 # The absolute maximum session lifetime of the Okta Admin Console. Must be no more than 7 days.}
@returns(200) {sessionIdleTimeoutMinutes: int, sessionMaxLifetimeMinutes: int} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"sessionMaxLifetimeMinutes":720,"sessionIdleTimeoutMinutes":15}

@endpoint GET /api/v1/groups
@desc List all groups
@optional {search: str # Searches for groups with a supported [filtering](https://developer.okta.com/docs/api/#filter) expression for all properties except for `_embedded`, `_links`, and `objectClass`. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination).  Using search requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding), for example, `search=type eq "OKTA_GROUP"` is encoded as `search=type+eq+%22OKTA_GROUP%22`.  This operation searches many properties:  * Any group profile attribute, including imported app group profile attributes. * The top-level properties: `id`, `created`, `lastMembershipUpdated`, `lastUpdated`, and `type`. * The [source](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups=200&path=_links/source&t=response) of groups with type of `APP_GROUP`, accessed as `source.id`.  You can also use the `sortBy` and `sortOrder` parameters.  Searches for groups can be filtered by the following operators: `sw`, `eq`, and `co`. You can only use `co` with these select profile attributes: `profile.name` and `profile.description`. See [Operators](https://developer.okta.com/docs/api/#operators)., filter: str # Filter expression for groups. See [Filter](https://developer.okta.com/docs/api/#filter).  > **Note:** All filters must be [URL encoded](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`., q: str # Finds a group that matches the `name` property. > **Note:** Paging and searching are currently mutually exclusive. You can't page a query. The default limit for a query is 300 results. Query is intended for an auto-complete picker use case where users refine their search string to constrain the results., after: str # Specifies the pagination cursor for the next page of groups. The `after` cursor should be treated as an opaque value and obtained through the next link relation. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int(int32) # Specifies the number of group results in a page.  Okta recommends using a specific value other than the default or maximum. If your request times out, retry your request with a smaller `limit` and [page the results](https://developer.okta.com/docs/api/#pagination).  The Okta default `Everyone` group isn't returned for users with a group admin role., expand: str # If specified, additional metadata is included in the response. Possible values are `stats` and `app`. This additional metadata is listed in the [`_embedded`](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/addGroup=200&path=_embedded&t=response) property of the response.  > **Note:** You can use the `stats` value to return the number of users within a group. This is listed as the `_embedded.stats.usersCount` value in the response. See this [Knowledge Base article](https://support.okta.com/help/s/article/Is-there-an-API-that-returns-the-number-of-users-in-a-group?language=en_US) for more information and an example., sortBy: str # Specifies field to sort by **(for search queries only)**. `sortBy` can be any single property, for example `sortBy=profile.name`., sortOrder: str=asc # Specifies sort order: `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` isn't present. Groups with the same value for the `sortBy` property are ordered by `id`'.}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/groups
@desc Add a group
@optional {profile: map{description: str, name: str} # Profile for any group that is not imported from Active Directory. Specifies the standard and custom profile properties for a group.  The `objectClass` for these groups is `okta:user_group`.}
@returns(200) {created: str(date-time), id: str, lastMembershipUpdated: str(date-time), lastUpdated: str(date-time), objectClass: [str], profile: any, type: str, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/groups/rules
@desc List all group rules
@optional {limit: int(int32)=50 # Specifies the number of rule results in a page, after: str # Specifies the pagination cursor for the next page of rules, search: str # Specifies the keyword to search rules for, expand: str # If specified as `groupIdToGroupNameMap`, then displays group names}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/groups/rules
@desc Create a group rule
@optional {actions: map{assignUserToGroups: map} # Defines which users and groups to assign, conditions: map{expression: map, people: map} # Defines group rule conditions, name: str # Name of the group rule, type: str}
@returns(200) {actions: map{assignUserToGroups: map{groupIds: [str]}}, conditions: map{expression: map{type: str, value: str}, people: map{groups: map{exclude: [str]}, users: map{exclude: [str]}}}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"type":"group_rule","name":"Engineering group rule","conditions":{"people":{"users":{"exclude":["00u22w79JPMEeeuLr0g4"]},"groups":{"exclude":[]}},"expression":{"value":"user.role==\"Engineer\"","type":"urn:okta:expression:1.0"}},"actions":{"assignUserToGroups":{"groupIds":["00gjitX9HqABSoqTB0g3"]}}}

@endpoint GET /api/v1/groups/rules/{groupRuleId}
@desc Retrieve a group rule
@optional {expand: str # If specified as `groupIdToGroupNameMap`, then show group names}
@returns(200) {actions: map{assignUserToGroups: map{groupIds: [str]}}, conditions: map{expression: map{type: str, value: str}, people: map{groups: map{exclude: [str]}, users: map{exclude: [str]}}}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/groups/rules/{groupRuleId}
@desc Replace a group rule
@optional {actions: map{assignUserToGroups: map} # Defines which users and groups to assign, conditions: map{expression: map, people: map} # Defines group rule conditions, created: str(date-time) # Creation date for group rule, id: str # ID of the group rule, lastUpdated: str(date-time) # Date group rule was last updated, name: str # Name of the group rule, status: str(ACTIVE/INACTIVE/INVALID) # Status of group rule, type: str # Type to indicate a group rule operation. Only `group_rule` is allowed.}
@returns(200) {actions: map{assignUserToGroups: map{groupIds: [str]}}, conditions: map{expression: map{type: str, value: str}, people: map{groups: map{exclude: [str]}, users: map{exclude: [str]}}}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"type":"group_rule","id":"0pr3f7zMZZHPgUoWO0g4","status":"INACTIVE","name":"Engineering group rule","created":"2016-12-01T14:40:04.000Z","lastUpdated":"2016-12-01T14:40:04.000Z","conditions":{"people":{"users":{"exclude":["00u22w79JPMEeeuLr0g4"]},"groups":{"exclude":[]}},"expression":{"value":"user.role==\"Engineer\"","type":"urn:okta:expression:1.0"}},"actions":{"assignUserToGroups":{"groupIds":["00gjitX9HqABSoqTB0g3"]}}}

@endpoint DELETE /api/v1/groups/rules/{groupRuleId}
@desc Delete a group rule
@optional {removeUsers: bool=false # If set to `true`, removes users from groups assigned by this rule}
@returns(202) Accepted
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/groups/rules/{groupRuleId}/lifecycle/activate
@desc Activate a group rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/groups/rules/{groupRuleId}/lifecycle/deactivate
@desc Deactivate a group rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/groups/{groupId}
@desc Retrieve a group
@returns(200) {created: str(date-time), id: str, lastMembershipUpdated: str(date-time), lastUpdated: str(date-time), objectClass: [str], profile: any, type: str, _embedded: map, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/groups/{groupId}
@desc Replace a group
@optional {profile: map{description: str, name: str} # Profile for any group that is not imported from Active Directory. Specifies the standard and custom profile properties for a group.  The `objectClass` for these groups is `okta:user_group`.}
@returns(200) {created: str(date-time), id: str, lastMembershipUpdated: str(date-time), lastUpdated: str(date-time), objectClass: [str], profile: any, type: str, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/groups/{groupId}
@desc Delete a group
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/groups/{groupId}/apps
@desc List all assigned apps
@optional {after: str # Specifies the pagination cursor for the next page of apps, limit: int(int32)=20 # Specifies the number of app results for a page}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/groups/{groupId}/owners
@desc List all group owners
@optional {search: str # SCIM filter expression for group owners. Allows you to filter owners by type., after: str # Specifies the pagination cursor for the next page of owners, limit: int(int32)=1000 # Specifies the number of owner results in a page}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/groups/{groupId}/owners
@desc Assign a group owner
@required {groupId: str # The `id` of the group}
@optional {id: str # The `id` of the group owner, type: str(GROUP/USER) # The entity type of the owner}
@returns(201) {displayName: str, id: str, lastUpdated: str(date-time), originId: str, originType: str, resolved: bool, type: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"id":"00u1cmc03xjzePoWD0h8","type":"USER"}

@endpoint DELETE /api/v1/groups/{groupId}/owners/{ownerId}
@desc Delete a group owner
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/groups/{groupId}/roles
@desc List all group role assignments
@optional {expand: str # An optional parameter used to return targets configured for the standard role assignment in the `embedded` property. Supported values: `targets/groups` or `targets/catalog/apps`}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/groups/{groupId}/roles
@desc Assign a role to a group
@optional {disableNotifications: bool=false # Grants the group third-party admin status when set to `true`}
@returns(200) Success
@returns(201) Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/groups/{groupId}/roles/{roleAssignmentId}
@desc Retrieve a group role assignment
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/groups/{groupId}/roles/{roleAssignmentId}
@desc Unassign a group role
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps
@desc List all group role app targets
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}
@desc Assign a group role app target
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}
@desc Unassign a group role app target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}
@desc Assign a group role app instance target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}
@desc Unassign a group role app instance target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups
@desc List all group role group targets
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups/{targetGroupId}
@desc Assign a group role group target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups/{targetGroupId}
@desc Unassign a group role group target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/groups/{groupId}/users
@desc List all member users
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int(int32)=1000 # Specifies the number of user results in a page}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/groups/{groupId}/users/{userId}
@desc Assign a user to a group
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/groups/{groupId}/users/{userId}
@desc Unassign a user from a group
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/hook-keys
@desc List all keys
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/hook-keys
@desc Create a key
@optional {name: str # Display name for the key}
@returns(200) {created: str(date-time)?, id: str, isUsed: str(boolean), keyId: str, lastUpdated: str(date-time)?, name: str, _embedded: map{alg: str, e: str, kid: str, kty: str, n: str, use: str?}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/hook-keys/public/{keyId}
@desc Retrieve a public key
@returns(200) {alg: str, e: str, kid: str, kty: str, n: str, use: str?} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/hook-keys/{id}
@desc Retrieve a key by ID
@optional {id: str # A valid key ID}
@returns(200) {created: str(date-time)?, id: str, isUsed: str(boolean), keyId: str, lastUpdated: str(date-time)?, name: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/hook-keys/{id}
@desc Replace a key
@optional {name: str # Display name for the key}
@returns(200) {created: str(date-time)?, id: str, isUsed: str(boolean), keyId: str, lastUpdated: str(date-time)?, name: str, _embedded: map{alg: str, e: str, kid: str, kty: str, n: str, use: str?}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/hook-keys/{id}
@desc Delete a key
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/iam/assignees/users
@desc List all users with role assignments
@optional {after: str # Specifies the pagination cursor for the next page of targets, limit: int(int32)=100 # Specifies the number of results returned. Defaults to `100`.}
@returns(200) {value: [map], _links: map{next: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/iam/governance/bundles
@desc List all governance bundles for the Admin Console
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) {bundles: [map], _links: any} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/iam/governance/bundles
@desc Create a governance bundle for the Admin Console in RAMP
@optional {description: str, entitlements: [map{resourceSets: [str], role: str, targets: [str]}], name: str}
@returns(200) {description: str, id: str, name: str, orn: str, status: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Group admin bundle","description":"Group bundle for administrative access","entitlements":{"role":"GROUP_MEMBERSHIP_ADMIN"}}

@endpoint GET /api/v1/iam/governance/bundles/{bundleId}
@desc Retrieve a governance bundle from RAMP
@returns(200) {description: str, id: str, name: str, orn: str, status: str, _links: any} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint PUT /api/v1/iam/governance/bundles/{bundleId}
@desc Replace a governance bundle in RAMP
@optional {description: str, entitlements: [map{resourceSets: [str], role: str, targets: [str]}], name: str}
@returns(200) {description: str, id: str, name: str, orn: str, status: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Group admin bundle","description":"Group bundle for administrative access","entitlements":{"role":"GROUP_MEMBERSHIP_ADMIN"}}

@endpoint DELETE /api/v1/iam/governance/bundles/{bundleId}
@desc Delete a governance bundle from RAMP
@returns(204) No Content
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/iam/governance/bundles/{bundleId}/entitlements
@desc List all entitlements for a governance bundle
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) {entitlements: [map], _links: map{next: any, self: any, bundle: any}} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/iam/governance/bundles/{bundleId}/entitlements/{entitlementId}/values
@desc List all entitlement values for a bundle entitlement
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) {entitlementValues: [map], _links: any} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/iam/governance/optIn
@desc Retrieve the opt-in status from RAMP
@returns(200) {optInStatus: str, _links: any} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/iam/governance/optIn
@desc Opt in the Admin Console to RAMP
@returns(200) {optInStatus: str, _links: any} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/iam/governance/optOut
@desc Opt out the Admin Console from RAMP
@returns(200) {optInStatus: str, _links: any} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/iam/resource-sets
@desc List all resource sets
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).}
@returns(200) {resource-sets: [map], _links: map{next: map{hints: map{allow: [str]}, href: str, name: str, templated: bool, type: str}}} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/iam/resource-sets
@desc Create a resource set
@required {description: str # Description of the resource set, label: str # Unique name for the resource set, resources: [str] # The endpoint (URL) that references all resource objects included in the resource set. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn).}
@returns(200) {created: str(date-time), description: str, id: str, label: str, lastUpdated: str(date-time), _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"label":"SF-IT-People","description":"People in the IT department of San Francisco","resources":["https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3","https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users","https://{yourOktaDomain}/api/v1/users","https://{yourOktaDomain}/api/v1/realms/00guaxWZ0AOa5NFAj0g3","https://{yourOktaDomain}/api/v1/realms"]}

@endpoint GET /api/v1/iam/resource-sets/{resourceSetIdOrLabel}
@desc Retrieve a resource set
@returns(200) {created: str(date-time), description: str, id: str, label: str, lastUpdated: str(date-time), _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/iam/resource-sets/{resourceSetIdOrLabel}
@desc Replace a resource set
@optional {created: str(date-time) # Timestamp when the role was created, description: str # Description of the resource set, id: str # Unique ID for the resource set object, label: str # Unique label for the resource set, lastUpdated: str(date-time) # Timestamp when the role was last updated, _links: any}
@returns(200) {created: str(date-time), description: str, id: str, label: str, lastUpdated: str(date-time), _links: any} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"label":"SF-IT-People","description":"People in the IT department of San Francisco"}

@endpoint DELETE /api/v1/iam/resource-sets/{resourceSetIdOrLabel}
@desc Delete a resource set
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings
@desc List all role resource set bindings
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).}
@returns(200) {roles: [map], _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings
@desc Create a role resource set binding
@optional {members: [str] # URLs to user and/or group instances that are assigned to the role, role: str # Unique key for the role}
@returns(200) {_links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"role":"cr0Yq6IJxGIr0ouum0g3","members":["https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3"]}

@endpoint GET /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}
@desc Retrieve a role resource set binding
@returns(200) {id: str, _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}
@desc Delete a role resource set binding
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members
@desc List all role resource set binding members
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).}
@returns(200) {members: [map], _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PATCH /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members
@desc Add more role resource set binding members
@optional {additions: [str] # A list of member resources to add to the role resource set binding}
@returns(200) {_links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"additions":["https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3","https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3"]}

@endpoint GET /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members/{memberId}
@desc Retrieve a role resource set binding member
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), _links: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members/{memberId}
@desc Unassign a role resource set binding member
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources
@desc List all resource set resources
@returns(200) {resources: [map], _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources
@desc Add a resource set resource with conditions
@required {conditions: map{Exclude: map} # Conditions for further restricting a resource., resourceOrnOrUrl: str # Resource in ORN or REST API URL format}
@returns(200) {conditions: map{Exclude: map{okta:ORN: [str]}}, created: str(date-time), id: str, lastUpdated: str(date-time), orn: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"resourceOrnOrUrl":"https://{yourOktaDomain}/api/v1/apps","conditions":{"Exclude":{"okta:ORN":["orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4","orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack"]}}}

@endpoint PATCH /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources
@desc Add more resources to a resource set
@optional {additions: [str] # A list of resources to add to the resource set}
@returns(200) {created: str(date-time), description: str, id: str, label: str, lastUpdated: str(date-time), _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"additions":["https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3","https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users"]}

@endpoint GET /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}
@desc Retrieve a resource set resource
@returns(200) {conditions: map{Exclude: map{okta:ORN: [str]}}, created: str(date-time), id: str, lastUpdated: str(date-time), orn: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}
@desc Replace the resource set resource conditions
@optional {conditions: map{Exclude: map} # Conditions for further restricting a resource.}
@returns(200) {conditions: map{Exclude: map{okta:ORN: [str]}}, created: str(date-time), id: str, lastUpdated: str(date-time), orn: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"conditions":{"Exclude":{"okta:ORN":["orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4","orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack"]}}}

@endpoint DELETE /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}
@desc Delete a resource set resource
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/iam/roles
@desc List all custom roles
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).}
@returns(200) {roles: [map], _links: map{next: map{hints: map{allow: [str]}, href: str, name: str, templated: bool, type: str}}} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/iam/roles
@desc Create a custom role
@required {description: str # Description of the role, label: str # Unique label for the role, permissions: [any] # Array of permissions that the role grants. See [Permissions](/openapi/okta-management/guides/permissions).}
@returns(200) {created: str(date-time), description: str, id: str, label: str, lastUpdated: str(date-time), _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"label":"UserCreator","description":"Create users","permissions":["okta.users.create","okta.users.read","okta.groups.read","okta.users.userprofile.manage"]}

@endpoint GET /api/v1/iam/roles/{roleIdOrLabel}
@desc Retrieve a role
@returns(200) {created: str(date-time), description: str, id: str, label: str, lastUpdated: str(date-time), _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/iam/roles/{roleIdOrLabel}
@desc Replace a custom role
@required {description: str # Description of the role, label: str # Unique label for the role}
@returns(200) {created: str(date-time), description: str, id: str, label: str, lastUpdated: str(date-time), _links: any} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"label":"UserCreator","description":"Create users"}

@endpoint DELETE /api/v1/iam/roles/{roleIdOrLabel}
@desc Delete a custom role
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/iam/roles/{roleIdOrLabel}/permissions
@desc List all custom role permissions
@returns(200) {permissions: [map]} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}
@desc Retrieve a custom role permission
@returns(200) {conditions: map?{exclude: map?, include: map?}, created: str(date-time), label: str, lastUpdated: str(date-time), _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}
@desc Create a custom role permission
@optional {conditions: map{exclude: map, include: map} # Conditions for further restricting a permission. See [Permission conditions](https://help.okta.com/okta_help.htm?type=oie&id=ext-permission-conditions).}
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"conditions":{"include":{"okta:ResourceAttribute/User/Profile":["city","state"]}}}

@endpoint PUT /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}
@desc Replace a custom role permission
@optional {conditions: map{exclude: map, include: map} # Conditions for further restricting a permission. See [Permission conditions](https://help.okta.com/okta_help.htm?type=oie&id=ext-permission-conditions).}
@returns(200) {conditions: map?{exclude: map?, include: map?}, created: str(date-time), label: str, lastUpdated: str(date-time), _links: any} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"conditions":{"include":{"okta:ResourceAttribute/User/Profile":["city","state"]}}}

@endpoint DELETE /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}
@desc Delete a custom role permission
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/identity-sources/{identitySourceId}/sessions
@desc List all identity source sessions
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/identity-sources/{identitySourceId}/sessions
@desc Create an identity source session
@returns(200) {created: str(date-time), id: str, identitySourceId: str, importType: str, lastUpdated: str(date-time), status: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}
@desc Retrieve an identity source session
@returns(200) {created: str(date-time), id: str, identitySourceId: str, importType: str, lastUpdated: str(date-time), status: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}
@desc Delete an identity source session
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-delete
@desc Upload the data to be deleted in Okta
@optional {entityType: str # The type of data to bulk delete in a session. Currently, only `USERS` is supported., profiles: [map{externalId: str}] # Array of profiles to be deleted}
@returns(202) Accepted
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"entityType":"USERS","profiles":[{"externalId":"EXT123456784C2IF"},{"externalId":"EXT123456784C3IF"},{"externalId":"EXT123456784C4IF"}]}

@endpoint POST /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-upsert
@desc Upload the data to be upserted in Okta
@optional {entityType: str # The type of data to upsert into the session. Currently, only `USERS` is supported., profiles: [map{externalId: str, profile: map}] # Array of user profiles to be uploaded}
@returns(202) Accepted
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"entityType":"USERS","profiles":[{"externalId":"EXT123456784C2IF","profile":{"userName":"isaac.brock@example.com","firstName":"Isaac","lastName":"Brock","email":"isaac.brock@example.com","secondEmail":"isaac2.brock@example.com","mobilePhone":"123-456-7890","homeAddress":"Kirkland, WA"}}]}

@endpoint POST /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/start-import
@desc Start the import from the identity source
@returns(200) {created: str(date-time), id: str, identitySourceId: str, importType: str, lastUpdated: str(date-time), status: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps
@desc List all IdPs
@optional {q: str # Searches the `name` property of IdPs for matching value, after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return, type: str # Filters IdPs by `type`}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/idps
@desc Create an IdP
@optional {created: str(date-time) # Timestamp when the object was created, id: str # Unique key for the IdP, issuerMode: str(CUSTOM_URL/DYNAMIC/ORG_URL)=DYNAMIC # Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP, lastUpdated: str(date-time) # Timestamp when the object was last updated, name: str # Unique name for the IdP, policy: any # Policy settings for the IdP. The following provisioning and account linking actions are supported by each IdP provider: | IdP type                                                          | User provisioning actions | Group provisioning actions            | Account link actions | Account link filters | | ----------------------------------------------------------------- | ------------------------- | ------------------------------------- | -------------------- | -------------------- | | `SAML2`                                                           | `AUTO` or `DISABLED`      | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | `AUTO`, `DISABLED`   | `groups`, `users`    | | `X509`, `IDV_PERSONA`, `IDV_INCODE`, and `IDV_CLEAR`              | `DISABLED`                | No support for JIT provisioning       |                      |                      | | All other IdP types                                               | `AUTO`, `DISABLED`        | `NONE` or `ASSIGN`                    | `AUTO`, `DISABLED`   | `groups`, `users`    |, properties: map{aalValue: str, additionalAmr: [str], ialValue: str, inquiryTemplateId!: str} # The properties in the IdP `properties` object vary depending on the IdP type, protocol: any # IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages, status: str(ACTIVE/INACTIVE), type: str(AMAZON/APPLE/DISCORD/FACEBOOK/GITHUB/GITLAB/GOOGLE/IDV_CLEAR/IDV_INCODE/IDV_PERSONA/LINKEDIN/LOGINGOV/LOGINGOV_SANDBOX/MICROSOFT/OIDC/OKTA_INTEGRATION/PAYPAL/PAYPAL_SANDBOX/SALESFORCE/SAML2/SPOTIFY/X509/XERO/YAHOO/YAHOOJP) # The IdP object's `type` property identifies the social or enterprise IdP used for authentication.  Each IdP uses a specific protocol, therefore the `protocol` object must correspond with the IdP `type`.  If the protocol is OAuth 2.0-based, the `protocol` object's `scopes` property must also correspond with the scopes supported by the IdP `type`.  For policy actions supported by each IdP type, see [IdP type policy actions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider=policy&t=request).  | Type               | Description                                                                                                                                           | Corresponding protocol | Corresponding protocol scopes                                         | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | --------------------------------------------------------------------  | | `AMAZON`           | [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/)&nbsp;as the IdP                                        | OpenID Connect         | `profile`, `profile:user_id`                                          | | `APPLE`            | [Apple](https://developer.apple.com/sign-in-with-apple/)&nbsp;as the IdP                                                                | OpenID Connect         | `names`, `email`, `openid`                                            | | `DISCORD`          | [Discord](https://discord.com/login)&nbsp;as the IdP                                                                                    | OAuth 2.0              | `identify`, `email`                                                   | | `FACEBOOK`         | [Facebook](https://developers.facebook.com)&nbsp;as the IdP                                                                             | OAuth 2.0              | `public_profile`, `email`                                             | | `GITHUB`           | [GitHub](https://github.com/join)&nbsp;as the IdP                                                                                       | OAuth 2.0              | `user`                                                                | | `GITLAB`           | [GitLab](https://gitlab.com/users/sign_in)&nbsp;as the IdP                                                                              | OpenID Connect         | `openid`, `read_user`, `profile`, `email`                             | | `GOOGLE`           | [Google](https://accounts.google.com/signup)&nbsp;as the IdP                                                                            | OpenID Connect         | `openid`, `email`, `profile`                                          | | `IDV_PERSONA`      | [Persona](https://app.withpersona.com/dashboard/login)&nbsp;as the IDV IdP                                                              | ID verification        |                                                                       | | `IDV_CLEAR`        | [CLEAR Verified](https://www.clearme.com/)&nbsp;as the IDV IdP                                                                          | ID verification        | `openid`, `profile`, `identity_assurance`                             | | `IDV_INCODE`       | [Incode](https://incode.com/)&nbsp;as the IDV IdP                                                                                       | ID verification        | `openid`, `profile`, `identity_assurance`                             | | `LINKEDIN`         | [LinkedIn](https://developer.linkedin.com/)&nbsp;as the IdP                                                                             | OAuth 2.0              | `r_emailaddress`, `r_liteprofile`                                     | | `LOGINGOV`         | [Login.gov](https://developers.login.gov/)&nbsp;as the IdP                                                                              | OpenID Connect         | `email`, `profile`, `profile:name`                                    | | `LOGINGOV_SANDBOX` | [Login.gov's identity sandbox](https://developers.login.gov/testing/)&nbsp;as the IdP                                                   | OpenID Connect         | `email`, `profile`, `profile:name`                                    | | `MICROSOFT`        | [Microsoft Enterprise SSO](https://azure.microsoft.com/)&nbsp;as the IdP                                                                | OpenID Connect         | `openid`, `email`, `profile`, `https://graph.microsoft.com/User.Read` | | `OIDC`             | IdP that supports [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html)                                               | OpenID Connect         | `openid`, `email`, `profile`                                          | | `PAYPAL`           | [Paypal](https://www.paypal.com/signin)&nbsp;as the IdP                                                                                 | OpenID Connect         | `openid`, `email`, `profile`                                          | | `PAYPAL_SANDBOX`   | [Paypal Sandbox](https://developer.paypal.com/tools/sandbox/)&nbsp;as the IdP                                                           | OpenID Connect         | `openid`, `email`, `profile`                                          | | `SALESFORCE`       | [SalesForce](https://login.salesforce.com/)&nbsp;as the IdP                                                                             | OAuth 2.0              | `id`, `email`, `profile`                                              | | `SAML2`            | Enterprise IdP that supports the [SAML 2.0 Web Browser SSO Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)| SAML 2.0  |                                                                                | | `SPOTIFY`          | [Spotify](https://developer.spotify.com/)&nbsp;as the IdP                                                                               | OpenID Connect         | `user-read-email`, `user-read-private`                                | | `X509`             | [Smart Card IdP](https://tools.ietf.org/html/rfc5280)                                                                                   | Mutual TLS             |                                                                       | | `XERO`             | [Xero](https://www.xero.com/us/signup/api/)&nbsp;as the IdP                                                                             | OpenID Connect         | `openid`, `profile`, `email`                                          | | `YAHOO`            | [Yahoo](https://login.yahoo.com/)&nbsp;as the IdP                                                                                       | OpenID Connect         | `openid`, `profile`, `email`                                          | | `YAHOOJP`          | [Yahoo Japan](https://login.yahoo.co.jp/config/login)&nbsp;as the IdP                                                                   | OpenID Connect         | `openid`, `profile`, `email`                                          | | `OKTA_INTEGRATION`             | IdP that supports the [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) Org2Org IdP                                               | OpenID Connect         | `openid`, `email`, `profile`                                          |, _links: map}
@returns(200) {created: str(date-time), id: str, issuerMode: str, lastUpdated: str(date-time), name: str, policy: any, properties: map?{aalValue: str?, additionalAmr: [str]?, ialValue: str?, inquiryTemplateId: str}, protocol: any, status: str, type: str, _links: map} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"type":"OIDC","name":"Example OpenID Connect IdP","protocol":{"algorithms":{"request":{"signature":{"algorithm":"HS256","scope":"REQUEST"}}},"endpoints":{"acs":{"binding":"HTTP-POST","type":"INSTANCE"},"authorization":{"binding":"HTTP-REDIRECT","url":"https://idp.example.com/authorize"},"token":{"binding":"HTTP-POST","url":"https://idp.example.com/token"},"userInfo":{"binding":"HTTP-REDIRECT","url":"https://idp.example.com/userinfo"},"jwks":{"binding":"HTTP-REDIRECT","url":"https://idp.example.com/keys"},"slo":{"url":"https://idp.example.com/slo"}},"scopes":["openid","profile","email"],"settings":{"participateSlo":true},"type":"OIDC","credentials":{"client":{"client_id":"your-client-id","client_secret":"your-client-secret","pkce_required":"true"}},"issuer":{"url":"https://idp.example.com"}},"policy":{"accountLink":{"action":"AUTO","filter":null},"provisioning":{"action":"AUTO","conditions":{"deprovisioned":{"action":"NONE"},"suspended":{"action":"NONE"}},"groups":{"action":"NONE"}},"mapAMRClaims":false,"maxClockSkew":120000,"subject":{"userNameTemplate":{"template":"idpuser.email"},"matchType":"USERNAME"}}}

@endpoint GET /api/v1/idps/credentials/keys
@desc List all IdP key credentials
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/idps/credentials/keys
@desc Create an IdP key credential
@required {x5c: [str] # Base64-encoded X.509 certificate chain with DER encoding}
@returns(200) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/idps/credentials/keys/{kid}
@desc Retrieve an IdP key credential
@returns(200) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/idps/credentials/keys/{kid}
@desc Replace an IdP key credential
@optional {created: str(date-time) # Timestamp when the object was created, e: str # The exponent value for the RSA public key, expiresAt: str(date-time) # Timestamp when the object expires, kid: str # Unique identifier for the key, kty: str # Identifies the cryptographic algorithm family used with the key, lastUpdated: str(date-time) # Timestamp when the object was last updated, n: str # The modulus value for the RSA public key, use: str # Intended use of the public key, x5c: [str] # Base64-encoded X.509 certificate chain with DER encoding, x5t#S256: str # Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate}
@returns(200) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"e":"65537","n":"101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747","x5c":["MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9"],"x5t#S256":"wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE"}

@endpoint DELETE /api/v1/idps/credentials/keys/{kid}
@desc Delete an IdP key credential
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}
@desc Retrieve an IdP
@returns(200) {created: str(date-time), id: str, issuerMode: str, lastUpdated: str(date-time), name: str, policy: any, properties: map?{aalValue: str?, additionalAmr: [str]?, ialValue: str?, inquiryTemplateId: str}, protocol: any, status: str, type: str, _links: map} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/idps/{idpId}
@desc Replace an IdP
@optional {created: str(date-time) # Timestamp when the object was created, id: str # Unique key for the IdP, issuerMode: str(CUSTOM_URL/DYNAMIC/ORG_URL)=DYNAMIC # Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP, lastUpdated: str(date-time) # Timestamp when the object was last updated, name: str # Unique name for the IdP, policy: any # Policy settings for the IdP. The following provisioning and account linking actions are supported by each IdP provider: | IdP type                                                          | User provisioning actions | Group provisioning actions            | Account link actions | Account link filters | | ----------------------------------------------------------------- | ------------------------- | ------------------------------------- | -------------------- | -------------------- | | `SAML2`                                                           | `AUTO` or `DISABLED`      | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | `AUTO`, `DISABLED`   | `groups`, `users`    | | `X509`, `IDV_PERSONA`, `IDV_INCODE`, and `IDV_CLEAR`              | `DISABLED`                | No support for JIT provisioning       |                      |                      | | All other IdP types                                               | `AUTO`, `DISABLED`        | `NONE` or `ASSIGN`                    | `AUTO`, `DISABLED`   | `groups`, `users`    |, properties: map{aalValue: str, additionalAmr: [str], ialValue: str, inquiryTemplateId!: str} # The properties in the IdP `properties` object vary depending on the IdP type, protocol: any # IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages, status: str(ACTIVE/INACTIVE), type: str(AMAZON/APPLE/DISCORD/FACEBOOK/GITHUB/GITLAB/GOOGLE/IDV_CLEAR/IDV_INCODE/IDV_PERSONA/LINKEDIN/LOGINGOV/LOGINGOV_SANDBOX/MICROSOFT/OIDC/OKTA_INTEGRATION/PAYPAL/PAYPAL_SANDBOX/SALESFORCE/SAML2/SPOTIFY/X509/XERO/YAHOO/YAHOOJP) # The IdP object's `type` property identifies the social or enterprise IdP used for authentication.  Each IdP uses a specific protocol, therefore the `protocol` object must correspond with the IdP `type`.  If the protocol is OAuth 2.0-based, the `protocol` object's `scopes` property must also correspond with the scopes supported by the IdP `type`.  For policy actions supported by each IdP type, see [IdP type policy actions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider=policy&t=request).  | Type               | Description                                                                                                                                           | Corresponding protocol | Corresponding protocol scopes                                         | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | --------------------------------------------------------------------  | | `AMAZON`           | [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/)&nbsp;as the IdP                                        | OpenID Connect         | `profile`, `profile:user_id`                                          | | `APPLE`            | [Apple](https://developer.apple.com/sign-in-with-apple/)&nbsp;as the IdP                                                                | OpenID Connect         | `names`, `email`, `openid`                                            | | `DISCORD`          | [Discord](https://discord.com/login)&nbsp;as the IdP                                                                                    | OAuth 2.0              | `identify`, `email`                                                   | | `FACEBOOK`         | [Facebook](https://developers.facebook.com)&nbsp;as the IdP                                                                             | OAuth 2.0              | `public_profile`, `email`                                             | | `GITHUB`           | [GitHub](https://github.com/join)&nbsp;as the IdP                                                                                       | OAuth 2.0              | `user`                                                                | | `GITLAB`           | [GitLab](https://gitlab.com/users/sign_in)&nbsp;as the IdP                                                                              | OpenID Connect         | `openid`, `read_user`, `profile`, `email`                             | | `GOOGLE`           | [Google](https://accounts.google.com/signup)&nbsp;as the IdP                                                                            | OpenID Connect         | `openid`, `email`, `profile`                                          | | `IDV_PERSONA`      | [Persona](https://app.withpersona.com/dashboard/login)&nbsp;as the IDV IdP                                                              | ID verification        |                                                                       | | `IDV_CLEAR`        | [CLEAR Verified](https://www.clearme.com/)&nbsp;as the IDV IdP                                                                          | ID verification        | `openid`, `profile`, `identity_assurance`                             | | `IDV_INCODE`       | [Incode](https://incode.com/)&nbsp;as the IDV IdP                                                                                       | ID verification        | `openid`, `profile`, `identity_assurance`                             | | `LINKEDIN`         | [LinkedIn](https://developer.linkedin.com/)&nbsp;as the IdP                                                                             | OAuth 2.0              | `r_emailaddress`, `r_liteprofile`                                     | | `LOGINGOV`         | [Login.gov](https://developers.login.gov/)&nbsp;as the IdP                                                                              | OpenID Connect         | `email`, `profile`, `profile:name`                                    | | `LOGINGOV_SANDBOX` | [Login.gov's identity sandbox](https://developers.login.gov/testing/)&nbsp;as the IdP                                                   | OpenID Connect         | `email`, `profile`, `profile:name`                                    | | `MICROSOFT`        | [Microsoft Enterprise SSO](https://azure.microsoft.com/)&nbsp;as the IdP                                                                | OpenID Connect         | `openid`, `email`, `profile`, `https://graph.microsoft.com/User.Read` | | `OIDC`             | IdP that supports [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html)                                               | OpenID Connect         | `openid`, `email`, `profile`                                          | | `PAYPAL`           | [Paypal](https://www.paypal.com/signin)&nbsp;as the IdP                                                                                 | OpenID Connect         | `openid`, `email`, `profile`                                          | | `PAYPAL_SANDBOX`   | [Paypal Sandbox](https://developer.paypal.com/tools/sandbox/)&nbsp;as the IdP                                                           | OpenID Connect         | `openid`, `email`, `profile`                                          | | `SALESFORCE`       | [SalesForce](https://login.salesforce.com/)&nbsp;as the IdP                                                                             | OAuth 2.0              | `id`, `email`, `profile`                                              | | `SAML2`            | Enterprise IdP that supports the [SAML 2.0 Web Browser SSO Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)| SAML 2.0  |                                                                                | | `SPOTIFY`          | [Spotify](https://developer.spotify.com/)&nbsp;as the IdP                                                                               | OpenID Connect         | `user-read-email`, `user-read-private`                                | | `X509`             | [Smart Card IdP](https://tools.ietf.org/html/rfc5280)                                                                                   | Mutual TLS             |                                                                       | | `XERO`             | [Xero](https://www.xero.com/us/signup/api/)&nbsp;as the IdP                                                                             | OpenID Connect         | `openid`, `profile`, `email`                                          | | `YAHOO`            | [Yahoo](https://login.yahoo.com/)&nbsp;as the IdP                                                                                       | OpenID Connect         | `openid`, `profile`, `email`                                          | | `YAHOOJP`          | [Yahoo Japan](https://login.yahoo.co.jp/config/login)&nbsp;as the IdP                                                                   | OpenID Connect         | `openid`, `profile`, `email`                                          | | `OKTA_INTEGRATION`             | IdP that supports the [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) Org2Org IdP                                               | OpenID Connect         | `openid`, `email`, `profile`                                          |, _links: map}
@returns(200) {created: str(date-time), id: str, issuerMode: str, lastUpdated: str(date-time), name: str, policy: any, properties: map?{aalValue: str?, additionalAmr: [str]?, ialValue: str?, inquiryTemplateId: str}, protocol: any, status: str, type: str, _links: map} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"id":"0oa62bc8wppPw0UGr0h7","type":"SAML2","name":"Example SAML IdP","status":"INACTIVE","created":null,"lastUpdated":"2016-03-29T21:23:45.000Z","protocol":{"type":"SAML2","endpoints":{"sso":{"url":"https://idp.example.com/saml2/sso","binding":"HTTP-REDIRECT","destination":"https://idp.example.com/saml2/sso"},"slo":{"url":"https://idp.example.com/slo","binding":"HTTP-POST"},"acs":{"binding":"HTTP-POST","type":"INSTANCE"}},"algorithms":{"request":{"signature":{"algorithm":"SHA-256","scope":"REQUEST"}},"response":{"signature":{"algorithm":"SHA-256","scope":"ANY"}}},"settings":{"nameFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified","participateSlo":true},"credentials":{"trust":{"issuer":"https://idp.example.com","audience":"https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M","kid":"your-key-id"}}},"policy":{"provisioning":{"action":"AUTO","profileMaster":true,"groups":{"action":"NONE"},"conditions":{"deprovisioned":{"action":"NONE"},"suspended":{"action":"NONE"}}},"accountLink":{"filter":null,"action":"AUTO"},"subject":{"userNameTemplate":{"template":"idpuser.subjectNameId"},"filter":null,"matchType":"USERNAME"},"mapAMRClaims":false,"maxClockSkew":120000},"_links":{"metadata":{"href":"https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml","type":"application/xml","hints":{"allow":["GET"]}},"acs":{"href":"https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7","type":"application/xml","hints":{"allow":["POST"]}},"users":{"href":"https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users","hints":{"allow":["GET"]}},"activate":{"href":"https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/activate","hints":{"allow":["POST"]}}}}

@endpoint DELETE /api/v1/idps/{idpId}
@desc Delete an IdP
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}/credentials/csrs
@desc List all certificate signing requests
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/idps/{idpId}/credentials/csrs
@desc Generate a certificate signing request
@optional {subject: map{commonName: str, countryName: str, localityName: str, organizationalUnitName: str, organizationName: str, stateOrProvinceName: str}, subjectAltNames: map{dnsNames: [str]}}
@returns(201) {created: str(date-time), csr: str, id: str, kty: str, _links: map} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}
@desc Retrieve a certificate signing request
@returns(200) {created: str(date-time), csr: str, id: str, kty: str, _links: map} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}
@desc Revoke a certificate signing request
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}/lifecycle/publish
@desc Publish a certificate signing request
@returns(201) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}/credentials/keys
@desc List all signing key credentials for IdP
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}/credentials/keys/active
@desc List the active signing key credential for IdP
@returns(200) Success
@returns(204) No Content
@errors {429: Too Many Requests}

@endpoint POST /api/v1/idps/{idpId}/credentials/keys/generate
@desc Generate a new signing key credential for IdP
@required {validityYears: int(int32) # expiry of the IdP key credential}
@returns(200) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}/credentials/keys/{kid}
@desc Retrieve a signing key credential for IdP
@returns(200) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/idps/{idpId}/credentials/keys/{kid}/clone
@desc Clone a signing key credential for IdP
@required {targetIdpId: str # `id` of the target IdP}
@returns(201) {created: str(date-time), e: str, expiresAt: str(date-time), kid: str, kty: str, lastUpdated: str(date-time), n: str, use: str, x5c: [str], x5t#S256: str} # Created
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/idps/{idpId}/lifecycle/activate
@desc Activate an IdP
@returns(200) {created: str(date-time), id: str, issuerMode: str, lastUpdated: str(date-time), name: str, policy: any, properties: map?{aalValue: str?, additionalAmr: [str]?, ialValue: str?, inquiryTemplateId: str}, protocol: any, status: str, type: str, _links: map} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/idps/{idpId}/lifecycle/deactivate
@desc Deactivate an IdP
@returns(200) {created: str(date-time), id: str, issuerMode: str, lastUpdated: str(date-time), name: str, policy: any, properties: map?{aalValue: str?, additionalAmr: [str]?, ialValue: str?, inquiryTemplateId: str}, protocol: any, status: str, type: str, _links: map} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}/users
@desc List all users for IdP
@optional {q: str # Searches the records for matching value, after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return, expand: str # Expand user data}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}/users/{userId}
@desc Retrieve a user for IdP
@returns(200) {created: str(date-time), externalId: str, id: str, lastUpdated: str(date-time), profile: map, _embedded: map, _links: map} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/idps/{idpId}/users/{userId}
@desc Link a user to IdP
@optional {externalId: str # Unique IdP-specific identifier for a user}
@returns(200) {created: str(date-time), externalId: str, id: str, lastUpdated: str(date-time), profile: map, _embedded: map, _links: map} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/idps/{idpId}/users/{userId}
@desc Unlink a user from IdP
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/idps/{idpId}/users/{userId}/credentials/tokens
@desc List all tokens from OIDC IdP
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/inlineHooks
@desc List all inline hooks
@optional {type: str(com.okta.import.transform/com.okta.oauth2.tokens.transform/com.okta.saml.tokens.transform/com.okta.user.credential.password.import/com.okta.user.pre-registration/com.okta.telephony.provider) # One of the supported inline hook types}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/inlineHooks
@desc Create an inline hook
@optional {channel: map{type: str, version: str}, name: str # The display name of the inline hook, type: str(com.okta.import.transform/com.okta.oauth2.tokens.transform/com.okta.saml.tokens.transform/com.okta.telephony.provider/com.okta.user.credential.password.import/com.okta.user.pre-registration) # One of the inline hook types, version: str # Version of the inline hook type. The currently supported version is `1.0.0`.}
@returns(200) {channel: map{type: str, version: str}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, version: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Token hook with HTTP authentication","type":"com.okta.oauth2.tokens.transform","version":"1.0.0","channel":{"type":"HTTP","version":"1.0.0","config":{"uri":"https://example.com/tokenHook","headers":[{"key":"x-any-key","value":"my-header-value"}],"method":"POST","authScheme":{"type":"HEADER","key":"Authorization","value":"my-shared-secret"}}}}

@endpoint GET /api/v1/inlineHooks/{inlineHookId}
@desc Retrieve an inline hook
@returns(200) {channel: map{type: str, version: str}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, version: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/inlineHooks/{inlineHookId}
@desc Update an inline hook
@optional {channel: map{type: str, version: str}, name: str # The display name of the inline hook, version: str # Version of the inline hook type. The currently supported version is `1.0.0`.}
@returns(200) {channel: map{type: str, version: str}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, version: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"New name token hook with HTTP authentication","version":"1.0.0","channel":{"type":"HTTP","version":"1.0.0","config":{"uri":"https://example.com/tokenHook","headers":[{"key":"x-any-key","value":"my-header-value"}],"method":"POST","authScheme":{"type":"HEADER","key":"Authorization","value":"my-shared-secret"}}}}

@endpoint PUT /api/v1/inlineHooks/{inlineHookId}
@desc Replace an inline hook
@optional {channel: map{type: str, version: str}, name: str # The display name of the inline hook, version: str # Version of the inline hook type. The currently supported version is `1.0.0`.}
@returns(200) {channel: map{type: str, version: str}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, version: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"New name token hook with HTTP authentication","version":"1.0.0","channel":{"type":"HTTP","version":"1.0.0","config":{"uri":"https://example.com/tokenHook","headers":[{"key":"x-any-key","value":"my-header-value"}],"method":"POST","authScheme":{"type":"HEADER","key":"Authorization","value":"my-shared-secret"}}}}

@endpoint DELETE /api/v1/inlineHooks/{inlineHookId}
@desc Delete an inline hook
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/inlineHooks/{inlineHookId}/execute
@desc Execute an inline hook
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"eventId":"3o9jBzq1SmOGmmsDsqyyeQ","eventTime":"2020-01-17T21:23:56.000Z","eventType":"com.okta.user.credential.password.import","eventTypeVersion":"1.0","contentType":"application/json","cloudEventVersion":"0.1","source":"https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7","data":{"context":{"request":{"id":"XiIl6wn7005Rr@fjYqeC7CCDBxw","method":"POST","url":{"value":"/idp/idx/challenge/answer"},"ipAddress":"66.124.153.138"},"credential":{"username":"isaac.brock@example.com","password":"Okta"}},"action":{"credential":"UNVERIFIED"}}}

@endpoint POST /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate
@desc Activate an inline hook
@returns(200) {channel: map{type: str, version: str}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, version: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate
@desc Deactivate an inline hook
@returns(200) {channel: map{type: str, version: str}, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, version: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/logStreams
@desc List all log streams
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return, filter: str # An expression that [filters](/#filter) the returned objects. You can only use the `eq` operator on either the `status` or `type` properties in the filter expression.}
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/logStreams
@desc Create a log stream
@required {created: str(date-time) # Timestamp when the log stream object was created, id: str # Unique identifier for the log stream, lastUpdated: str(date-time) # Timestamp when the log stream object was last updated, name: str # Unique name for the log stream object, status: str(ACTIVE/INACTIVE) # Lifecycle status of the log stream object, type: str(aws_eventbridge/splunk_cloud_logstreaming) # Specifies the streaming provider used  Supported providers:   * `aws_eventbridge` ([AWS EventBridge](https://aws.amazon.com/eventbridge))   * `splunk_cloud_logstreaming` ([Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html))  Select the provider type to see provider-specific configurations in the `settings` property:, _links: map{activate: any, deactivate: any, self!: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: map{activate: any, deactivate: any, self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"type":"aws_eventbridge","name":"Example AWS EventBridge","settings":{"eventSourceName":"your-event-source-name","accountId":"123456789012","region":"us-east-2"}}

@endpoint GET /api/v1/logStreams/{logStreamId}
@desc Retrieve a log stream
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: map{activate: any, deactivate: any, self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/logStreams/{logStreamId}
@desc Replace a log stream
@required {name: str # Unique name for the log stream object, type: str(aws_eventbridge/splunk_cloud_logstreaming) # Specifies the streaming provider used  Supported providers:   * `aws_eventbridge` ([AWS EventBridge](https://aws.amazon.com/eventbridge))   * `splunk_cloud_logstreaming` ([Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html))  Select the provider type to see provider-specific configurations in the `settings` property:}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: map{activate: any, deactivate: any, self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"type":"aws_eventbridge","name":"Updated AWS EventBridge","settings":{"eventSourceName":"your-event-source-name","accountId":"123456789012","region":"us-east-2"}}

@endpoint DELETE /api/v1/logStreams/{logStreamId}
@desc Delete a log stream
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/logStreams/{logStreamId}/lifecycle/activate
@desc Activate a log stream
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: map{activate: any, deactivate: any, self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/logStreams/{logStreamId}/lifecycle/deactivate
@desc Deactivate a log stream
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, type: str, _links: map{activate: any, deactivate: any, self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/logs
@desc List all System Log events
@optional {since: str(ISO 8601 compliant timestamp)=7 days prior to until # Filters the lower time bound of the log events `published` property for bounded queries or persistence time for polling queries, until: str(ISO 8601 compliant timestamp)=current time # Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries., after: str(Opaque token) # Retrieves the next page of results. Okta returns a link in the HTTP Header (`rel=next`) that includes the after query parameter, filter: str(SCIM Filter expression) # Filter expression that filters the results. All operators except [ ] are supported. See [Filter](https://developer.okta.com/docs/api/#filter) and [Operators](https://developer.okta.com/docs/api/#operators)., q: str(URL encoded string. Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding)) # Filters log events results by one or more case insensitive keywords., limit: int(Integer between 0 and 1000)=100 # Sets the number of results that are returned in the response, sortOrder: str(ASCENDING/DESCENDING)=ASCENDING # The order of the returned events that are sorted by the `published` property}
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/mappings
@desc List all profile mappings
@optional {after: str # Mapping `id` that specifies the pagination cursor for the next page of mappings, limit: int(int32)=20 # Specifies the number of results per page, sourceId: str # The user type or app instance ID that acts as the source of expressions in a mapping. If this parameter is included, all returned mappings have this as their `source.id`., targetId: str # The user type or app instance ID that acts as the target of expressions in a mapping. If this parameter is included, all returned mappings have this as their `target.id`.}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/mappings/{mappingId}
@desc Retrieve a profile mapping
@returns(200) {id: str, properties: map{expression: str, pushStatus: str}, source: map{id: str, name: str, type: str, _links: any}, target: map{id: str, name: str, type: str, _links: any}, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/mappings/{mappingId}
@desc Update a profile mapping
@required {properties: map{expression: str, pushStatus: str} # A target property, in string form, that maps to a valid [JSON Schema Draft](https://tools.ietf.org/html/draft-zyp-json-schema-04) document.}
@returns(200) {id: str, properties: map{expression: str, pushStatus: str}, source: map{id: str, name: str, type: str, _links: any}, target: map{id: str, name: str, type: str, _links: any}, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"properties":{"fullName":{"expression":"user.firstName + user.lastName","pushStatus":"PUSH"},"nickName":{"expression":"user.nickName","pushStatus":"PUSH"}}}

@endpoint GET /api/v1/meta/schemas/apps/{appId}/default
@desc Retrieve the default app user schema for an app
@returns(200) {$schema: str, created: str, definitions: any, id: str, lastUpdated: str, name: str, properties: any, title: str, type: str, _links: map{self: any}} # successful operation
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/meta/schemas/apps/{appId}/default
@desc Update the app user profile schema for an app
@optional {$schema: str # JSON schema version identifier, created: str # Timestamp when the schema was created, definitions: any # User profile subschemas  The profile object for a user is defined by a composite schema of base and custom properties using a JSON path to reference subschemas. The `#base` properties are defined and versioned by Okta, while `#custom` properties are extensible. Custom property names for the profile object must be unique and can't conflict with a property name defined in the `#base` subschema., id: str # URI of user schema, lastUpdated: str # Timestamp when the schema was last updated, name: str # Name of the schema, properties: any # User Object Properties, title: str # User-defined display name for the schema, type: str # Type of [root schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {$schema: str, created: str, definitions: any, id: str, lastUpdated: str, name: str, properties: any, title: str, type: str, _links: map{self: any}} # successful operation
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"definitions":{"custom":{"id":"#custom","type":"object","properties":{"salesforceUserName":{"title":"Salesforce username","externalName":"salesforceUserName","description":"User's username for Salesforce","type":"string","required":false,"minLength":1,"maxLength":20}},"required":[]}}}

@endpoint GET /api/v1/meta/schemas/group/default
@desc Retrieve the default group schema
@returns(200) {$schema: str, created: str, definitions: map{base: map{id: str, properties: any, required: [str], type: str}, custom: map{id: str, properties: map, required: [str], type: str}}, description: str, id: str, lastUpdated: str, name: str, properties: map{profile: map{allOf: [map]}}, title: str, type: str, _links: map{self: any}} # successful operation
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/meta/schemas/group/default
@desc Update the group profile schema
@optional {$schema: str # JSON schema version identifier, created: str # Timestamp when the schema was created, definitions: map{base: map, custom: map}, description: str # Description for the schema, id: str # URI of group schema, lastUpdated: str # Timestamp when the schema was last updated, name: str # Name of the schema, properties: map{profile: map}, title: str # User-defined display name for the schema, type: str # Type of [root schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {$schema: str, created: str, definitions: map{base: map{id: str, properties: any, required: [str], type: str}, custom: map{id: str, properties: map, required: [str], type: str}}, description: str, id: str, lastUpdated: str, name: str, properties: map{profile: map{allOf: [map]}}, title: str, type: str, _links: map{self: any}} # successful operation
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"definitions":{"custom":{"id":"#custom","type":"object","properties":{"groupContact":{"title":"Group administrative contact","description":"Group administrative contact","type":"string","required":false,"minLength":1,"maxLength":20,"permissions":[{"principal":"SELF","action":"READ_WRITE"}]}},"required":[]}}}

@endpoint GET /api/v1/meta/schemas/logStream
@desc List the log stream schemas
@returns(200) successful operation
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/meta/schemas/logStream/{logStreamType}
@desc Retrieve the log stream schema for the schema type
@returns(200) {$schema: str, errorMessage: map, id: str, oneOf: [map]?, pattern: str, properties: map, required: [str], title: str, type: str, _links: map{self: any}} # successful operation
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/meta/schemas/user/linkedObjects
@desc List all linked object definitions
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/meta/schemas/user/linkedObjects
@desc Create a linked object definition
@optional {associated: map{description: str, name!: str, title!: str, type!: str}, primary: map{description: str, name!: str, title!: str, type!: str}, _links: map{self: map} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(201) {associated: map{description: str, name: str, title: str, type: str}, primary: map{description: str, name: str, title: str, type: str}, _links: map{self: map{href: str}}} # Created
@errors {400: Bad Request, 403: Forbidden, 409: Conflict, 429: Too Many Requests}
@example_request {"primary":{"name":"manager","title":"manager","description":"Manager link property","type":"USER"},"associated":{"name":"subordinate","title":"subordinate","description":"Subordinate link property","type":"USER"}}

@endpoint GET /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}
@desc Retrieve a linked object definition
@returns(200) {associated: map{description: str, name: str, title: str, type: str}, primary: map{description: str, name: str, title: str, type: str}, _links: map{self: map{href: str}}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}
@desc Delete a linked object definition
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/meta/schemas/user/{schemaId}
@desc Retrieve a user schema
@returns(200) {$schema: str, created: str, definitions: any, id: str, lastUpdated: str, name: str, properties: any, title: str, type: str, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/meta/schemas/user/{schemaId}
@desc Update a user schema
@optional {$schema: str # JSON schema version identifier, created: str # Timestamp when the schema was created, definitions: any # User profile subschemas  The profile object for a user is defined by a composite schema of base and custom properties using a JSON path to reference subschemas. The `#base` properties are defined and versioned by Okta, while `#custom` properties are extensible. Custom property names for the profile object must be unique and can't conflict with a property name defined in the `#base` subschema., id: str # URI of user schema, lastUpdated: str # Timestamp when the schema was last updated, name: str # Name of the schema, properties: any # User Object Properties, title: str # User-defined display name for the schema, type: str # Type of [root schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {$schema: str, created: str, definitions: any, id: str, lastUpdated: str, name: str, properties: any, title: str, type: str, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"definitions":{"custom":{"id":"#custom","type":"object","properties":{"salesforceUserName":{"title":"Salesforce username","description":"User's username for Salesforce","type":"string","required":false,"minLength":1,"maxLength":20,"permissions":[{"principal":"SELF","action":"READ_WRITE"}]}},"required":[]}}}

@endpoint GET /api/v1/meta/types/user
@desc List all user types
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/meta/types/user
@desc Create a user type
@required {displayName: str # The human-readable name of the user type, name: str # The name of the user type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. This value becomes read-only after creation and can't be updated.}
@optional {created: str(date-time) # A timestamp from when the user type was created, createdBy: str # The user ID of the account that created the user type, default: bool # A boolean value to indicate if this is the default user type, description: str # The human-readable description of the user type, id: str # The unique key for the user type, lastUpdated: str(date-time) # A timestamp from when the user type was most recently updated, lastUpdatedBy: str # The user ID of the most recent account to edit the user type, _links: any}
@returns(200) {created: str(date-time), createdBy: str, default: bool, description: str, displayName: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"description":"A new custom user type","displayName":"New user type","name":"newUserType"}

@endpoint GET /api/v1/meta/types/user/{typeId}
@desc Retrieve a user type
@returns(200) {created: str(date-time), createdBy: str, default: bool, description: str, displayName: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/meta/types/user/{typeId}
@desc Update a user type
@optional {description: str # The updated human-readable description of the user type, displayName: str # The updated human-readable display name for the user type}
@returns(200) {created: str(date-time), createdBy: str, default: bool, description: str, displayName: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"displayName":"Updated Display Name"}

@endpoint PUT /api/v1/meta/types/user/{typeId}
@desc Replace a user type
@required {description: str # The human-readable description of the user type, displayName: str # The human-readable name of the user type, name: str # The name of the existing type}
@returns(200) {created: str(date-time), createdBy: str, default: bool, description: str, displayName: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"displayName":"Replacement Display Name","description":"Replacement description","name":"newUserType"}

@endpoint DELETE /api/v1/meta/types/user/{typeId}
@desc Delete a user type
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/meta/uischemas
@desc List all UI schemas
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/meta/uischemas
@desc Create a UI schema
@optional {uiSchema: map{buttonLabel: str, elements: map, label: str, type: str} # Properties of the UI schema}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), uiSchema: map{buttonLabel: str, elements: map{label: str, options: map{format: str}, scope: str, type: str}, label: str, type: str}, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"uiSchema":{"type":"Group","elements":[{"type":"Control","scope":"#/properties/firstName","label":"First Name","options":{"format":"text"}},{"type":"Control","scope":"#/properties/lastName","label":"Last Name","options":{"format":"text"}},{"type":"Control","scope":"#/properties/email","label":"Primary email","options":{"format":"text"}}],"buttonLabel":"Submit","label":"Sign in"}}

@endpoint GET /api/v1/meta/uischemas/{id}
@desc Retrieve a UI schema
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), uiSchema: map{buttonLabel: str, elements: map{label: str, options: map{format: str}, scope: str, type: str}, label: str, type: str}, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/meta/uischemas/{id}
@desc Replace a UI schema
@optional {uiSchema: map{buttonLabel: str, elements: map, label: str, type: str} # Properties of the UI schema}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), uiSchema: map{buttonLabel: str, elements: map{label: str, options: map{format: str}, scope: str, type: str}, label: str, type: str}, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"uiSchema":{"type":"Group","elements":[{"type":"Control","scope":"#/properties/firstName","label":"First Name","options":{"format":"text"}},{"type":"Control","scope":"#/properties/lastName","label":"Last Name","options":{"format":"text"}},{"type":"Control","scope":"#/properties/email","label":"Primary email","options":{"format":"text"}}],"buttonLabel":"Submit","label":"Sign in"}}

@endpoint DELETE /api/v1/meta/uischemas/{id}
@desc Delete a UI schema
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/org
@desc Retrieve the Org general settings
@returns(200) {address1: str, address2: str, city: str, companyName: str, country: str, created: str(date-time), endUserSupportHelpURL: str, expiresAt: str(date-time), id: str, lastUpdated: str(date-time), phoneNumber: str, postalCode: str, state: str, status: str, subdomain: str, supportPhoneNumber: str, website: str, _links: map{contacts: any, logo: any, oktaCommunication: any, oktaSupport: any, preferences: any, uploadLogo: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/org
@desc Update the Org general settings
@optional {address1: str # Primary address of the organization associated with the org, address2: str # Secondary address of the organization associated with the org, city: str # City of the organization associated with the org, companyName: str # Name of org, country: str # County of the organization associated with the org, created: str(date-time) # When org was created, endUserSupportHelpURL: str # Support link of org, expiresAt: str(date-time) # Expiration of org, id: str # Org ID, lastUpdated: str(date-time) # When org was last updated, phoneNumber: str # Phone number of the organization associated with the org, postalCode: str # Postal code of the organization associated with the org, state: str # State of the organization associated with the org, status: str(ACTIVE/INACTIVE) # Status of org, subdomain: str # Subdomain of org, supportPhoneNumber: str # Support help phone of the organization associated with the org, website: str # Website of the organization associated with the org, _links: map{contacts: any, logo: any, oktaCommunication: any, oktaSupport: any, preferences: any, uploadLogo: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification}
@returns(200) {address1: str, address2: str, city: str, companyName: str, country: str, created: str(date-time), endUserSupportHelpURL: str, expiresAt: str(date-time), id: str, lastUpdated: str(date-time), phoneNumber: str, postalCode: str, state: str, status: str, subdomain: str, supportPhoneNumber: str, website: str, _links: map{contacts: any, logo: any, oktaCommunication: any, oktaSupport: any, preferences: any, uploadLogo: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"address1":"100 1st St","address2":"6th floor","city":"San Fransico","companyName":"okta","country":"United States","endUserSupportHelpURL":"support.okta.com","phoneNumber":"+18887227871","postalCode":"94105","state":"California","supportPhoneNumber":"+18887227871","website":"www.okta.com"}

@endpoint PUT /api/v1/org
@desc Replace the Org general settings
@optional {address1: str # Primary address of the organization associated with the org, address2: str # Secondary address of the organization associated with the org, city: str # City of the organization associated with the org, companyName: str # Name of org, country: str # County of the organization associated with the org, created: str(date-time) # When org was created, endUserSupportHelpURL: str # Support link of org, expiresAt: str(date-time) # Expiration of org, id: str # Org ID, lastUpdated: str(date-time) # When org was last updated, phoneNumber: str # Phone number of the organization associated with the org, postalCode: str # Postal code of the organization associated with the org, state: str # State of the organization associated with the org, status: str(ACTIVE/INACTIVE) # Status of org, subdomain: str # Subdomain of org, supportPhoneNumber: str # Support help phone of the organization associated with the org, website: str # Website of the organization associated with the org, _links: map{contacts: any, logo: any, oktaCommunication: any, oktaSupport: any, preferences: any, uploadLogo: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification}
@returns(200) {address1: str, address2: str, city: str, companyName: str, country: str, created: str(date-time), endUserSupportHelpURL: str, expiresAt: str(date-time), id: str, lastUpdated: str(date-time), phoneNumber: str, postalCode: str, state: str, status: str, subdomain: str, supportPhoneNumber: str, website: str, _links: map{contacts: any, logo: any, oktaCommunication: any, oktaSupport: any, preferences: any, uploadLogo: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"address1":"100 1st St","address2":"6th floor","city":"San Fransico","companyName":"okta","country":"United States","endUserSupportHelpURL":"support.okta.com","phoneNumber":"+18887227871","postalCode":"94105","state":"California","supportPhoneNumber":"+18887227871","website":"www.okta.com"}

@endpoint GET /api/v1/org/captcha
@desc Retrieve the org-wide CAPTCHA settings
@returns(200) {captchaId: str, enabledPages: [str], _links: map{self: map{hints: map{allow: [str]}, href: str, name: str, templated: bool, type: str}}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /api/v1/org/captcha
@desc Replace the org-wide CAPTCHA settings
@optional {captchaId: str # The unique key of the associated CAPTCHA instance, enabledPages: [str] # An array of pages that have CAPTCHA enabled, _links: map{self: map} # Link relations for the CAPTCHA settings object}
@returns(200) {captchaId: str, enabledPages: [str], _links: map{self: map{hints: map{allow: [str]}, href: str, name: str, templated: bool, type: str}}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"captchaId":"abcd4567","enabledPages":["SSR","SIGN_IN"]}

@endpoint DELETE /api/v1/org/captcha
@desc Delete the org-wide CAPTCHA settings
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/org/contacts
@desc List all org contact types
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/org/contacts/{contactType}
@desc Retrieve the contact type user
@returns(200) {userId: str, _links: map{user: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/org/contacts/{contactType}
@desc Replace the contact type user
@optional {userId: str # Contact user ID, _links: map{user: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the contact type user object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification}
@returns(200) {userId: str, _links: map{user: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"userId":"00ux3u0ujW1r5AfZC1d7"}

@endpoint POST /api/v1/org/email/bounces/remove-list
@desc Remove bounced emails
@optional {emailAddresses: [str] # A list of email addresses to remove from the email-service bounce list}
@returns(200) {errors: [map]} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"emailAddresses":["name@company.com","unknown.email@okta.com","name@okta@com"]}

@endpoint GET /api/v1/org/factors/yubikey_token/tokens
@desc List all YubiKey OTP tokens
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/org/factors/yubikey_token/tokens
@desc Upload a YubiKey OTP seed
@optional {serialNumber: str # The unique identifier assigned to each YubiKey device, publicId: str # The YubiKey's public ID, privateId: str # The YubiKey's private ID, aesKey: str # The cryptographic key used in the AES (Advanced Encryption Standard) algorithm to encrypt and decrypt the YubiKey OTP}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), lastVerified: str(date-time), profile: map, status: str, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"serialNumber":"7886622","publicId":"ccccccijgibu","privateId":"b74be6169486","aesKey":"1fcc6d8ce39bf1604e0b17f3e0a11067"}

@endpoint GET /api/v1/org/factors/yubikey_token/tokens/{tokenId}
@desc Retrieve a YubiKey OTP token
@required {tokenId: str # The YubiKey OTP token ID}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), lastVerified: str(date-time), profile: map, status: str, _embedded: map, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/org/logo
@desc Upload the org logo
@returns(201) Created
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/org/orgSettings/thirdPartyAdminSetting
@desc Retrieve the org third-party admin setting
@returns(200) {thirdPartyAdmin: bool} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/org/orgSettings/thirdPartyAdminSetting
@desc Update the org third-party admin setting
@optional {thirdPartyAdmin: bool # Indicates if the third-party admin functionality is enabled}
@returns(200) {thirdPartyAdmin: bool} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/org/preferences
@desc Retrieve the org preferences
@returns(200) {showEndUserFooter: bool, _links: map{hideEndUserFooter: any, showEndUserFooter: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/org/preferences/hideEndUserFooter
@desc Set the hide dashboard footer preference
@returns(200) {showEndUserFooter: bool, _links: map{hideEndUserFooter: any, showEndUserFooter: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/org/preferences/showEndUserFooter
@desc Set the show dashboard footer preference
@returns(200) {showEndUserFooter: bool, _links: map{hideEndUserFooter: any, showEndUserFooter: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/org/privacy/aerial
@desc Retrieve Okta Aerial consent for your org
@returns(200) {accountId: str, grantedBy: str, grantedDate: str, _links: any} # Success
@errors {400: Can't complete request due to errors, 403: Forbidden, 404: Consent hasn't been given and there are no grants to any Aerial Accounts, 429: Too Many Requests}

@endpoint POST /api/v1/org/privacy/aerial/grant
@desc Grant Okta Aerial access to your org
@required {accountId: str # The unique ID of the Aerial account}
@returns(200) {accountId: str, grantedBy: str, grantedDate: str, _links: any} # Success
@errors {400: Can't complete request due to errors, 403: Forbidden, 429: Too Many Requests}
@example_request {"accountId":"0200bs0617vvhv2v675mch1cukp"}

@endpoint POST /api/v1/org/privacy/aerial/revoke
@desc Revoke Okta Aerial access to your org
@required {accountId: str # The unique ID of the Aerial account}
@returns(200) {_links: any} # Success
@errors {400: Can't complete request due to errors, 403: Forbidden, 429: Too Many Requests}
@example_request {"accountId":"0200bs0617vvhv2v675mch1cukp"}

@endpoint GET /api/v1/org/privacy/oktaCommunication
@desc Retrieve the Okta communication settings
@returns(200) {optOutEmailUsers: bool, _links: map{optIn: any, optOut: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/org/privacy/oktaCommunication/optIn
@desc Opt in to Okta user communication emails
@returns(200) {optOutEmailUsers: bool, _links: map{optIn: any, optOut: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/org/privacy/oktaCommunication/optOut
@desc Opt out of Okta user communication emails
@returns(200) {optOutEmailUsers: bool, _links: map{optIn: any, optOut: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/org/privacy/oktaSupport
@desc Retrieve the Okta Support settings
@returns(200) {caseNumber: str?, expiration: str(date-time)?, support: str, _links: map{extend: any, revoke: any, grant: any, case: any, cases: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/org/privacy/oktaSupport/cases
@desc List all Okta Support cases
@returns(200) {supportCases: [map]} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PATCH /api/v1/org/privacy/oktaSupport/cases/{caseNumber}
@desc Update an Okta Support case
@optional {caseNumber: str # Okta Support case number, impersonation: map{status: str, expiration: str(date-time)} # Allows the Okta Support team to sign in to your org as an admin and troubleshoot issues, selfAssigned: map{status: str} # Customer allows Okta Support access to self-assigned cases. Support cases are self-assigned when an Okta Support team member creates and assigns the case to themselves., subject: str # Subject of the support case}
@returns(200) {caseNumber: str, impersonation: map{status: str, expiration: str(date-time)?}, selfAssigned: map{status: str}, subject: str} # Success
@errors {403: Forbidden, 429: Too Many Requests}
@example_request {"impersonation":{"status":"ENABLED"}}

@endpoint POST /api/v1/org/privacy/oktaSupport/extend
@desc Extend Okta Support access
@errors {301: Moved Permanently}

@endpoint POST /api/v1/org/privacy/oktaSupport/grant
@desc Grant Okta Support access
@errors {301: Moved Permanently}

@endpoint POST /api/v1/org/privacy/oktaSupport/revoke
@desc Revoke Okta Support access
@errors {301: Moved Permanently}

@endpoint GET /api/v1/org/settings/autoAssignAdminAppSetting
@desc Retrieve the Okta Admin Console assignment setting
@returns(200) {autoAssignAdminAppSetting: bool} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/org/settings/autoAssignAdminAppSetting
@desc Update the Okta Admin Console assignment setting
@optional {autoAssignAdminAppSetting: bool # Automatically assigns the Okta Admin Console to the user when an admin role is assigned}
@returns(200) {autoAssignAdminAppSetting: bool} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/org/settings/clientPrivilegesSetting
@desc Retrieve the default public client app role setting
@returns(200) {clientPrivilegesSetting: bool} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /api/v1/org/settings/clientPrivilegesSetting
@desc Assign the default public client app role setting
@optional {clientPrivilegesSetting: bool # If true, assigns the super admin role by default to new public client apps}
@returns(200) {clientPrivilegesSetting: bool} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/orgs
@desc Create an org
@required {admin: map{credentials: map, profile!: map} # Profile and credential information for the first super admin user of the child org. If you plan to configure and manage the org programmatically, create a system user with a dedicated email address and a strong password. > **Note:** If you don't provide `credentials`, the super admin user is prompted to set up their credentials when they sign in to the org for the first time., edition: str # Edition for the org. `SKU` is the only supported value., name: str(utf-8) # Unique name of the org. This name appears in the HTML `` tag of the new org sign-in page. Only less than 4-width UTF-8 encoded characters are allowed., subdomain: str # Subdomain of the org. Must be unique and include no spaces.}
@optional {created: str(date-time) # Timestamp when the org was created, id: str # Org ID, lastUpdated: str(date-time) # Timestamp when the org was last updated, settings: map # Settings associated with the created org, status: str # Status of the org. `ACTIVE` is returned after the org is created., token: str # API token associated with the child org super admin account. Use this API token to provision resources (such as policies, apps, and groups) on the newly created child org. This token is revoked if the super admin account is deactivated. > **Note:** If this API token expires, sign in to the Admin Console as the super admin user and create a new API token. See [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/)., tokenType: str # Type of returned `token`. See [Okta API tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/#okta-api-tokens)., website: str # Default website for the org, _links: map # Specifies available link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification}
@returns(201) {admin: map{credentials: map{password: map{value: str(password)}, recovery_question: map{answer: str, question: str}}, profile: map{firstName: str?, lastName: str?, email: str(email), login: str}}, created: str(date-time), edition: str, id: str, lastUpdated: str(date-time), name: str(utf-8), settings: map, status: str, subdomain: str, token: str, tokenType: str, website: str, _links: map} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests, 500: Internal Server Error}
@example_request {"subdomain":"my-child-org-1","name":"My Child Org 1","website":"http://www.examplecorp.com","edition":"SKU","admin":{"profile":{"firstName":"First","lastName":"Last","email":"FirstLast@example.com","login":"FirstLast@example.com","mobilePhone":null},"credentials":{"password":{"value":"XXXX"}}}}

@endpoint GET /api/v1/policies
@desc List all policies
@required {type: str(OKTA_SIGN_ON/PASSWORD/MFA_ENROLL/IDP_DISCOVERY/ACCESS_POLICY/DEVICE_SIGNAL_COLLECTION/PROFILE_ENROLLMENT/POST_AUTH_SESSION/ENTITY_RISK) # Specifies the type of policy to return. The following policy types are available only with the Okta Identity Engine - `ACCESS_POLICY`,  `DEVICE_SIGNAL_COLLECTION`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`.}
@optional {status: str # Refines the query by the `status` of the policy - `ACTIVE` or `INACTIVE`, q: str # Refines the query by policy name prefix (startWith method) passed in as `q=string`, expand: str=, sortBy: str # Refines the query by sorting on the policy `name` in ascending order, limit: str # Defines the number of policies returned, see [Pagination](https://developer.okta.com/docs/api/#pagination), resourceId: str # Reference to the associated authorization server, after: str # End page cursor for pagination, see [Pagination](https://developer.okta.com/docs/api/#pagination)}
@returns(200) {created: str(date-time), description: str, id: str, lastUpdated: str(date-time), name: str, priority: int, status: any, system: bool, type: str, _embedded: map, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/policies
@desc Create a policy
@required {name: str # Name of the policy, type: str(<x-lifecycle class="ea"></x-lifecycle> DEVICE_SIGNAL_COLLECTION/ACCESS_POLICY/ENTITY_RISK/IDP_DISCOVERY/MFA_ENROLL/OKTA_SIGN_ON/PASSWORD/POST_AUTH_SESSION/PROFILE_ENROLLMENT) # All Okta orgs contain only one IdP discovery policy with an immutable default rule routing to your org's sign-in page, one entity risk policy, and one session protection policy. Creating or replacing a policy with the `IDP_DISCOVERY` type, the `ENTITY_RISK` type, or the `POST_AUTH_SESSION` type isn't supported. The following policy types are available with Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`,  `DEVICE_SIGNAL_COLLECTION`, and `ENTITY_RISK`.}
@optional {activate: bool=true # This query parameter is only valid for Classic Engine orgs., created: str(date-time)=Assigned # Timestamp when the policy was created, description: str=null # Description of the policy, id: str=Assigned # Identifier of the policy, lastUpdated: str(date-time)=Assigned # Timestamp when the policy was last modified, priority: int=Last / Lowest Priority, for example `1` # Specifies the order in which this policy is evaluated in relation to the other policies, status: any, system: bool=false # Specifies whether Okta created the policy, _embedded: map, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}}
@returns(200) {created: str(date-time), description: str, id: str, lastUpdated: str(date-time), name: str, priority: int, status: any, system: bool, type: str, _embedded: map, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/policies/simulate
@desc Create a policy simulation
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"policyType":["OKTA_SIGN_ON","MFA_ENROLL"],"appInstance":"0oa4eroj3nYCIJIW70g7","policyContext":{"groups":{"ids":["00g4eralvekR5RLuS0g7","00g4eralvekR5RLuS0g8"]},"risk":{"level":"LOW"},"zones":{"ids":["nzo4eralxcRnbIHYJ0g7"]},"device":{"platform":"IOS","registered":true,"managed":true}}}

@endpoint GET /api/v1/policies/{policyId}
@desc Retrieve a policy
@optional {expand: str=}
@returns(200) {created: str(date-time), description: str, id: str, lastUpdated: str(date-time), name: str, priority: int, status: any, system: bool, type: str, _embedded: map, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/policies/{policyId}
@desc Replace a policy
@required {name: str # Name of the policy, type: str(<x-lifecycle class="ea"></x-lifecycle> DEVICE_SIGNAL_COLLECTION/ACCESS_POLICY/ENTITY_RISK/IDP_DISCOVERY/MFA_ENROLL/OKTA_SIGN_ON/PASSWORD/POST_AUTH_SESSION/PROFILE_ENROLLMENT) # All Okta orgs contain only one IdP discovery policy with an immutable default rule routing to your org's sign-in page, one entity risk policy, and one session protection policy. Creating or replacing a policy with the `IDP_DISCOVERY` type, the `ENTITY_RISK` type, or the `POST_AUTH_SESSION` type isn't supported. The following policy types are available with Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`,  `DEVICE_SIGNAL_COLLECTION`, and `ENTITY_RISK`.}
@optional {created: str(date-time)=Assigned # Timestamp when the policy was created, description: str=null # Description of the policy, id: str=Assigned # Identifier of the policy, lastUpdated: str(date-time)=Assigned # Timestamp when the policy was last modified, priority: int=Last / Lowest Priority, for example `1` # Specifies the order in which this policy is evaluated in relation to the other policies, status: any, system: bool=false # Specifies whether Okta created the policy, _embedded: map, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}}
@returns(200) {created: str(date-time), description: str, id: str, lastUpdated: str(date-time), name: str, priority: int, status: any, system: bool, type: str, _embedded: map, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/policies/{policyId}
@desc Delete a policy
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/policies/{policyId}/app
@desc List all apps mapped to a policy
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/policies/{policyId}/clone
@desc Clone an existing policy
@returns(200) {created: str(date-time), description: str, id: str, lastUpdated: str(date-time), name: str, priority: int, status: any, system: bool, type: str, _embedded: map, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/policies/{policyId}/lifecycle/activate
@desc Activate a policy
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/policies/{policyId}/lifecycle/deactivate
@desc Deactivate a policy
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/policies/{policyId}/mappings
@desc List all resources mapped to a policy
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/policies/{policyId}/mappings
@desc Map a resource to a policy
@optional {resourceId: str # Unique identifier of the resource to map, resourceType: str(ACCESS_POLICY/APP) # Specifies the type of resource to map. You can either map an app onto a policy, or map a device signal collection policy onto an authentication policy.}
@returns(200) {id: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/policies/{policyId}/mappings/{mappingId}
@desc Retrieve a policy resource mapping
@returns(200) {id: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/policies/{policyId}/mappings/{mappingId}
@desc Delete a policy resource mapping
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/policies/{policyId}/rules
@desc List all policy rules
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/policies/{policyId}/rules
@desc Create a policy rule
@optional {activate: bool=true # Set this parameter to `false` to create an `INACTIVE` rule., created: str(date-time) # Timestamp when the rule was created, id: str # Identifier for the rule, lastUpdated: str(date-time) # Timestamp when the rule was last modified, name: str # Name of the rule, priority: int # Priority of the rule, status: any, system: bool=false # Specifies whether Okta created the policy rule (`system=true`). You can't delete policy rules that have `system` set to `true`., type: str(ACCESS_POLICY/DEVICE_SIGNAL_COLLECTION/ENTITY_RISK/IDP_DISCOVERY/MFA_ENROLL/PASSWORD/POST_AUTH_SESSION/PROFILE_ENROLLMENT/SIGN_ON) # Rule type, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}}
@returns(200) {created: str(date-time)?, id: str, lastUpdated: str(date-time)?, name: str, priority: int?, status: any, system: bool, type: str, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"SSPR Rule","priority":1,"status":"ACTIVE","conditions":{"people":{"users":{"exclude":[]}},"network":{"connection":"ANYWHERE"}},"actions":{"passwordChange":{"access":"ALLOW"},"selfServicePasswordReset":{"access":"ALLOW","requirement":{"primary":{"methods":["push","sms"]},"stepUp":{"required":true,"methods":["security_question"]}}},"selfServiceUnlock":{"access":"ALLOW"}},"system":false,"type":"PASSWORD"}

@endpoint GET /api/v1/policies/{policyId}/rules/{ruleId}
@desc Retrieve a policy rule
@returns(200) {created: str(date-time)?, id: str, lastUpdated: str(date-time)?, name: str, priority: int?, status: any, system: bool, type: str, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/policies/{policyId}/rules/{ruleId}
@desc Replace a policy rule
@optional {created: str(date-time) # Timestamp when the rule was created, id: str # Identifier for the rule, lastUpdated: str(date-time) # Timestamp when the rule was last modified, name: str # Name of the rule, priority: int # Priority of the rule, status: any, system: bool=false # Specifies whether Okta created the policy rule (`system=true`). You can't delete policy rules that have `system` set to `true`., type: str(ACCESS_POLICY/DEVICE_SIGNAL_COLLECTION/ENTITY_RISK/IDP_DISCOVERY/MFA_ENROLL/PASSWORD/POST_AUTH_SESSION/PROFILE_ENROLLMENT/SIGN_ON) # Rule type, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}}
@returns(200) {created: str(date-time)?, id: str, lastUpdated: str(date-time)?, name: str, priority: int?, status: any, system: bool, type: str, _links: map{activate: any, deactivate: any, mappings: any, rules: any, self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"id":"ruleId","name":"SSPR Rule","priority":1,"status":"ACTIVE","conditions":{"people":{"users":{"exclude":[]}},"network":{"connection":"ANYWHERE"}},"actions":{"passwordChange":{"access":"ALLOW"},"selfServicePasswordReset":{"access":"ALLOW","requirement":{"primary":{"methods":["push","sms"]},"stepUp":{"required":true,"methods":["security_question"]}}},"selfServiceUnlock":{"access":"ALLOW"}},"system":false,"type":"PASSWORD"}

@endpoint DELETE /api/v1/policies/{policyId}/rules/{ruleId}
@desc Delete a policy rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate
@desc Activate a policy rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
@desc Deactivate a policy rule
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/principal-rate-limits
@desc List all principal rate limits
@required {filter: str # Filters the list of principal rate limit entities by the provided principal type (`principalType`). For example, `filter=principalType eq "SSWS_TOKEN"` or `filter=principalType eq "OAUTH_CLIENT"`.}
@optional {after: str # The cursor to use for pagination. It's an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int(int32)=20 # Specifies the number of items to return in a single response page.}
@returns(200) OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/principal-rate-limits
@desc Create a principal rate limit
@required {principalId: str # The unique identifier of the principal. This is the ID of the API token or OAuth 2.0 app., principalType: str(OAUTH_CLIENT/SSWS_TOKEN) # The type of principal, either an API token or an OAuth 2.0 app}
@optional {createdBy: str # The Okta user ID of the user who created the principle rate limit entity, createdDate: str(date-time) # The date and time the principle rate limit entity was created, defaultConcurrencyPercentage: int # The default percentage of a given concurrency limit threshold that the owning principal can consume, defaultPercentage: int # The default percentage of a given rate limit threshold that the owning principal can consume, id: str # The unique identifier of the principle rate limit entity, lastUpdate: str(date-time) # The date and time the principle rate limit entity was last updated, lastUpdatedBy: str # The Okta user ID of the user who last updated the principle rate limit entity, orgId: str # The unique identifier of the Okta org}
@returns(201) {createdBy: str, createdDate: str(date-time), defaultConcurrencyPercentage: int, defaultPercentage: int, id: str, lastUpdate: str(date-time), lastUpdatedBy: str, orgId: str, principalId: str, principalType: str} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"principalId":"prlh5hd6act3aHDrr1f5","principalType":"SSWS_TOKEN","defaultPercentage":50,"defaultConcurrencyPercentage":75}

@endpoint GET /api/v1/principal-rate-limits/{principalRateLimitId}
@desc Retrieve a principal rate limit
@returns(200) {createdBy: str, createdDate: str(date-time), defaultConcurrencyPercentage: int, defaultPercentage: int, id: str, lastUpdate: str(date-time), lastUpdatedBy: str, orgId: str, principalId: str, principalType: str} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/principal-rate-limits/{principalRateLimitId}
@desc Replace a principal rate limit
@required {principalId: str # The unique identifier of the principal. This is the ID of the API token or OAuth 2.0 app., principalType: str(OAUTH_CLIENT/SSWS_TOKEN) # The type of principal, either an API token or an OAuth 2.0 app}
@optional {createdBy: str # The Okta user ID of the user who created the principle rate limit entity, createdDate: str(date-time) # The date and time the principle rate limit entity was created, defaultConcurrencyPercentage: int # The default percentage of a given concurrency limit threshold that the owning principal can consume, defaultPercentage: int # The default percentage of a given rate limit threshold that the owning principal can consume, id: str # The unique identifier of the principle rate limit entity, lastUpdate: str(date-time) # The date and time the principle rate limit entity was last updated, lastUpdatedBy: str # The Okta user ID of the user who last updated the principle rate limit entity, orgId: str # The unique identifier of the Okta org}
@returns(200) {createdBy: str, createdDate: str(date-time), defaultConcurrencyPercentage: int, defaultPercentage: int, id: str, lastUpdate: str(date-time), lastUpdatedBy: str, orgId: str, principalId: str, principalType: str} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"principalId":"prlh5hd6act3aHDrr1f5","principalType":"SSWS_TOKEN","defaultPercentage":50,"defaultConcurrencyPercentage":75}

@endpoint GET /api/v1/push-providers
@desc List all push providers
@optional {type: str # Filters push providers by `providerType`}
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/push-providers
@desc Create a push provider
@optional {id: str # Unique key for the Push Provider, lastUpdatedDate: str # Timestamp when the Push Provider was last modified, name: str # Display name of the push provider, providerType: str(APNS/FCM), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {id: str, lastUpdatedDate: str, name: str, providerType: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"APNs Example","providerType":"APNS","configuration":{"keyId":"KEY_ID","teamId":"TEAM_ID","tokenSigningKey":"-----BEGIN PRIVATE KEY-----\\nPRIVATE_KEY\\n-----END PRIVATE KEY-----\\n","fileName":"fileName.p8"}}

@endpoint GET /api/v1/push-providers/{pushProviderId}
@desc Retrieve a push provider
@returns(200) {id: str, lastUpdatedDate: str, name: str, providerType: str, _links: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/push-providers/{pushProviderId}
@desc Replace a push provider
@optional {id: str # Unique key for the Push Provider, lastUpdatedDate: str # Timestamp when the Push Provider was last modified, name: str # Display name of the push provider, providerType: str(APNS/FCM), _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {id: str, lastUpdatedDate: str, name: str, providerType: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"APNs Example","providerType":"APNS","configuration":{"keyId":"KEY_ID","teamId":"TEAM_ID","tokenSigningKey":"-----BEGIN PRIVATE KEY-----\\nPRIVATE_KEY\\n-----END PRIVATE KEY-----\\n","fileName":"fileName.p8"}}

@endpoint DELETE /api/v1/push-providers/{pushProviderId}
@desc Delete a push provider
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 409: Conflict, 429: Too Many Requests}

@endpoint GET /api/v1/rate-limit-settings/admin-notifications
@desc Retrieve the rate limit admin notification settings
@returns(200) {notificationsEnabled: bool} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /api/v1/rate-limit-settings/admin-notifications
@desc Replace the rate limit admin notification settings
@required {notificationsEnabled: bool}
@returns(200) {notificationsEnabled: bool} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"notificationsEnabled":true}

@endpoint GET /api/v1/rate-limit-settings/per-client
@desc Retrieve the per-client rate limit settings
@returns(200) {defaultMode: str, useCaseModeOverrides: map{LOGIN_PAGE: str, OAUTH2_AUTHORIZE: str, OIE_APP_INTENT: str}} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /api/v1/rate-limit-settings/per-client
@desc Replace the per-client rate limit settings
@required {defaultMode: str(DISABLE/ENFORCE/PREVIEW)}
@optional {useCaseModeOverrides: map{LOGIN_PAGE: str, OAUTH2_AUTHORIZE: str, OIE_APP_INTENT: str} # A map of Per-Client Rate Limit Use Case to the applicable PerClientRateLimitMode. Overrides the `defaultMode` property for the specified use cases.}
@returns(200) {defaultMode: str, useCaseModeOverrides: map{LOGIN_PAGE: str, OAUTH2_AUTHORIZE: str, OIE_APP_INTENT: str}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"defaultMode":"ENFORCE"}

@endpoint GET /api/v1/rate-limit-settings/warning-threshold
@desc Retrieve the rate limit warning threshold percentage
@returns(200) {warningThreshold: int} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /api/v1/rate-limit-settings/warning-threshold
@desc Replace the rate limit warning threshold percentage
@required {warningThreshold: int # The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs.}
@returns(200) {warningThreshold: int} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"warningThreshold":66}

@endpoint GET /api/v1/realm-assignments
@desc List all realm assignments
@optional {limit: int=20 # A limit on the number of objects to return, after: str # The cursor used for pagination. It represents the priority of the last realm assignment returned in the previous fetch operation.}
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/realm-assignments
@desc Create a realm assignment
@optional {actions: map{assignUserToRealm: map} # Action to apply to a user, conditions: map{expression: map, profileSourceId: str} # Conditions of applying realm assignment, name: str # Name of the realm, priority: int # The priority of the realm assignment. The lower the number, the higher the priority. This helps resolve conflicts between realm assignments.  > **Note:** When you create realm assignments in bulk, realm assignment priorities must be unique.}
@returns(201) {actions: map{assignUserToRealm: map{realmId: str}}, conditions: map{expression: map{value: str}, profileSourceId: str}, created: str(date-time), domains: [any], id: str, isDefault: bool, lastUpdated: str(date-time), name: str, priority: int, status: str, _links: map{self: any}} # Created
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"actions":{"assignUserToRealm":{"realmId":"00g1b7rvh0xPLKXFf0g5"}},"conditions":{"profileSourceId":"0oa4enoRyjwSCy5hx0g4","expression":{"value":"user.profile.role ==\\\"Manager\\\""}},"name":"Realm Assignment 1","priority":0}

@endpoint GET /api/v1/realm-assignments/operations
@desc List all realm assignment operations
@optional {limit: int=20 # A limit on the number of objects to return, after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).}
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/realm-assignments/operations
@desc Execute a realm assignment
@optional {assignmentId: str # ID of the realm}
@returns(201) {assignmentOperation: map{configuration: map{actions: map{assignUserToRealm: map}, conditions: map{expression: map, profileSourceId: str}, id: str, name: str}}, completed: str(date-time), created: str(date-time), id: str, numUserMoved: num, realmId: str, realmName: str, started: str(date-time), status: str, type: str, _links: map{self: any}} # Created
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"assignmentId":"0pr1b7rxZj2ibQzfP0g5"}

@endpoint GET /api/v1/realm-assignments/{assignmentId}
@desc Retrieve a realm assignment
@returns(200) {actions: map{assignUserToRealm: map{realmId: str}}, conditions: map{expression: map{value: str}, profileSourceId: str}, created: str(date-time), domains: [any], id: str, isDefault: bool, lastUpdated: str(date-time), name: str, priority: int, status: str, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/realm-assignments/{assignmentId}
@desc Replace a realm assignment
@optional {actions: map{assignUserToRealm: map} # Action to apply to a user, conditions: map{expression: map, profileSourceId: str} # Conditions of applying realm assignment, name: str, priority: int # The priority of the realm assignment. The lower the number, the higher the priority. This helps resolve conflicts between realm assignments.  > **Note:** When you create realm assignments in bulk, realm assignment priorities must be unique.}
@returns(200) {actions: map{assignUserToRealm: map{realmId: str}}, conditions: map{expression: map{value: str}, profileSourceId: str}, created: str(date-time), domains: [any], id: str, isDefault: bool, lastUpdated: str(date-time), name: str, priority: int, status: str, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"actions":{"assignUserToRealm":{"realmId":"00g1b7rvh0xPLKXFf0g5"}},"conditions":{"profileSourceId":"0oa4enoRyjwSCy5hx0g4","expression":{"value":"user.profile.role ==\\\"Manager\\\""}},"name":"Realm Assignment 1","priority":0}

@endpoint DELETE /api/v1/realm-assignments/{assignmentId}
@desc Delete a realm assignment
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/realm-assignments/{assignmentId}/lifecycle/activate
@desc Activate a realm assignment
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/realm-assignments/{assignmentId}/lifecycle/deactivate
@desc Deactivate a realm assignment
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/realms
@desc List all realms
@optional {limit: int(int32)=200 # Specifies the number of results returned. Defaults to 10 if `search` is provided., after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., search: str # Searches for realms with a supported filtering expression for most properties.  Searches for realms can be filtered by the contains (`co`) operator. You can only use `co` with the `profile.name` property. See [Operators](https://developer.okta.com/docs/api/#operators)., sortBy: str # Specifies the field to sort by and can be any single property (for search queries only), sortOrder: str=asc # Specifies the sort order: `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` isn't present.}
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/realms
@desc Create a realm
@optional {profile: map{domains: [any], name!: str, realmType: str}}
@returns(200) {created: str(date-time), id: str, isDefault: bool, lastUpdated: str(date-time), profile: map{domains: [any], name: str, realmType: str}, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"profile":{"name":"Car Co","realmType":"PARTNER","domains":["atko.com","user.com"]}}

@endpoint GET /api/v1/realms/{realmId}
@desc Retrieve a realm
@returns(200) {created: str(date-time), id: str, isDefault: bool, lastUpdated: str(date-time), profile: map{domains: [any], name: str, realmType: str}, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/realms/{realmId}
@desc Replace the realm profile
@optional {profile: map{domains: [any], name!: str, realmType: str}}
@returns(200) {created: str(date-time), id: str, isDefault: bool, lastUpdated: str(date-time), profile: map{domains: [any], name: str, realmType: str}, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"profile":{"name":"Car Co","realmType":"PARTNER","domains":["atko.com","user.com"]}}

@endpoint DELETE /api/v1/realms/{realmId}
@desc Delete a realm
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/risk/events/ip
@desc Send multiple risk events
@returns(202) Accepted
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request [{"timestamp":"2021-01-20T00:00:00.001Z","subjects":[{"ip":"6.7.6.7","riskLevel":"MEDIUM"},{"ip":"1.1.1.1","riskLevel":"HIGH","message":"Detected Attack tooling and suspicious activity"}]},{"timestamp":"2021-01-20T01:00:00.001Z","subjects":[{"ip":"6.7.6.7","riskLevel":"LOW"},{"ip":"2.2.2.2","riskLevel":"HIGH"}]}]

@endpoint GET /api/v1/risk/providers
@desc List all risk providers
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/risk/providers
@desc Create a risk provider
@required {action: str(enforce_and_log/log_only/none)=log_only # Action taken by Okta during authentication attempts based on the risk events sent by this provider, clientId: str # The ID of the [OAuth 2.0 service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-and-grant-scopes) that's used to send risk events to Okta, id: str # The ID of the risk provider object, name: str # Name of the risk provider, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@optional {created: str(date-time) # Timestamp when the risk provider object was created, lastUpdated: str(date-time) # Timestamp when the risk provider object was last updated}
@returns(201) {action: str, clientId: str, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, _links: map{self: any}} # Created
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Risk-Partner-X","action":"log_only","clientId":"00ckjsfgjkdkjdkkljjsd"}

@endpoint GET /api/v1/risk/providers/{riskProviderId}
@desc Retrieve a risk provider
@returns(200) {action: str, clientId: str, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, _links: map{self: any}} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/risk/providers/{riskProviderId}
@desc Replace a risk provider
@required {action: str(enforce_and_log/log_only/none)=log_only # Action taken by Okta during authentication attempts based on the risk events sent by this provider, clientId: str # The ID of the [OAuth 2.0 service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-and-grant-scopes) that's used to send risk events to Okta, id: str # The ID of the risk provider object, name: str # Name of the risk provider, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@optional {created: str(date-time) # Timestamp when the risk provider object was created, lastUpdated: str(date-time) # Timestamp when the risk provider object was last updated}
@returns(200) {action: str, clientId: str, created: str(date-time), id: str, lastUpdated: str(date-time), name: str, _links: map{self: any}} # OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"Risk-Partner-Y","action":"enforce_and_log","clientId":"00ckjsfgjkdkjdkkljjsd"}

@endpoint DELETE /api/v1/risk/providers/{riskProviderId}
@desc Delete a risk provider
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/roles/{roleRef}/subscriptions
@desc List all subscriptions for a role
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/roles/{roleRef}/subscriptions/{notificationType}
@desc Retrieve a subscription for a role
@returns(200) {channels: [str], notificationType: str, status: str, _links: map{self: map{hints: map{allow: [str]}, href: str, name: str, templated: bool, type: str}}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/roles/{roleRef}/subscriptions/{notificationType}/subscribe
@desc Subscribe a role to a specific notification type
@returns(200) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/roles/{roleRef}/subscriptions/{notificationType}/unsubscribe
@desc Unsubscribe a role from a specific notification type
@returns(200) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/security-events-providers
@desc List all security events providers
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/security-events-providers
@desc Create a security events provider
@required {name: str # The name of the Security Events Provider instance, settings: map # Information about the Security Events Provider for signal ingestion, type: str # The application type of the Security Events Provider}
@returns(200) {id: str, name: str, settings: map{issuer: str, jwks_url: str(url), well_known_url: str(url)?}, status: str, type: str, _links: any} # OK
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Security Events Provider with well-known URL","type":"okta","settings":{"well_known_url":"https://example.okta.com/.well-known/ssf-configuration"}}

@endpoint GET /api/v1/security-events-providers/{securityEventProviderId}
@desc Retrieve the security events provider
@returns(200) {id: str, name: str, settings: map{issuer: str, jwks_url: str(url), well_known_url: str(url)?}, status: str, type: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/security-events-providers/{securityEventProviderId}
@desc Replace a security events provider
@required {name: str # The name of the Security Events Provider instance, settings: map # Information about the Security Events Provider for signal ingestion, type: str # The application type of the Security Events Provider}
@returns(200) {id: str, name: str, settings: map{issuer: str, jwks_url: str(url), well_known_url: str(url)?}, status: str, type: str, _links: any} # OK
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"Security Events Provider with well-known URL","type":"okta","settings":{"well_known_url":"https://example.okta.com/.well-known/ssf-configuration"}}

@endpoint DELETE /api/v1/security-events-providers/{securityEventProviderId}
@desc Delete a security events provider
@returns(204) No Content
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/activate
@desc Activate a security events provider
@returns(200) {id: str, name: str, settings: map{issuer: str, jwks_url: str(url), well_known_url: str(url)?}, status: str, type: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/deactivate
@desc Deactivate a security events provider
@returns(200) {id: str, name: str, settings: map{issuer: str, jwks_url: str(url), well_known_url: str(url)?}, status: str, type: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/sessions
@desc Create a session with session token
@optional {sessionToken: str # The session token obtained during authentication}
@returns(200) {amr: [str], createdAt: str(date-time), expiresAt: str(date-time), id: str, idp: map{id: str, type: str}, lastFactorVerification: str(date-time), lastPasswordVerification: str(date-time), login: str, status: str, userId: str, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"sessionToken":"00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow"}

@endpoint GET /api/v1/sessions/me
@desc Retrieve the current session
@optional {Cookie: str}
@returns(200) {amr: [str], createdAt: str(date-time), expiresAt: str(date-time), id: str, idp: map{id: str, type: str}, lastFactorVerification: str(date-time), lastPasswordVerification: str(date-time), login: str, status: str, userId: str, _links: map{self: any}} # Success
@errors {404: Not Found}

@endpoint DELETE /api/v1/sessions/me
@desc Close the current session
@optional {Cookie: str}
@returns(204) No Content
@errors {404: Not Found}

@endpoint POST /api/v1/sessions/me/lifecycle/refresh
@desc Refresh the current session
@optional {Cookie: str}
@returns(200) {amr: [str], createdAt: str(date-time), expiresAt: str(date-time), id: str, idp: map{id: str, type: str}, lastFactorVerification: str(date-time), lastPasswordVerification: str(date-time), login: str, status: str, userId: str, _links: map{self: any}} # Success
@errors {404: Not Found}

@endpoint GET /api/v1/sessions/{sessionId}
@desc Retrieve a session
@returns(200) {amr: [str], createdAt: str(date-time), expiresAt: str(date-time), id: str, idp: map{id: str, type: str}, lastFactorVerification: str(date-time), lastPasswordVerification: str(date-time), login: str, status: str, userId: str, _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/sessions/{sessionId}
@desc Revoke a session
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/sessions/{sessionId}/lifecycle/refresh
@desc Refresh a session
@returns(200) {amr: [str], createdAt: str(date-time), expiresAt: str(date-time), id: str, idp: map{id: str, type: str}, lastFactorVerification: str(date-time), lastPasswordVerification: str(date-time), login: str, status: str, userId: str, _links: map{self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/ssf/stream
@desc Retrieve the SSF stream configuration(s)
@optional {stream_id: str # The ID of the specified SSF Stream configuration}
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/ssf/stream
@desc Create an SSF stream
@required {delivery: map{authorization_header: str, endpoint_url!: str(uri), method!: str} # Contains information about the intended SET delivery method by the receiver, events_requested: [str(uri)] # The events (mapped by the array of event type URIs) that the receiver wants to receive}
@optional {format: str # The Subject Identifier format expected for any SET transmitted.}
@returns(201) {aud: any, delivery: map{authorization_header: str?, endpoint_url: str(uri), method: str}, events_delivered: [str(uri)], events_requested: [str(uri)], events_supported: [str(uri)], format: str, iss: str, min_verification_interval: int?, stream_id: str} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 409: Conflict, 429: Too Many Requests}

@endpoint PUT /api/v1/ssf/stream
@desc Replace an SSF stream
@required {delivery: map{authorization_header: str, endpoint_url!: str(uri), method!: str} # Contains information about the intended SET delivery method by the receiver, events_requested: [str(uri)] # The events (mapped by the array of event type URIs) that the receiver wants to receive}
@optional {aud: any # The audience used in the SET. This value is set as `aud` in the claim.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., events_delivered: [str(uri)] # The events (mapped by the array of event type URIs) that the transmitter actually delivers to the SSF Stream.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., events_supported: [str(uri)] # An array of event type URIs that the transmitter supports.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., format: str # The Subject Identifier format expected for any SET transmitted., iss: str # The issuer used in Security Event Tokens (SETs). This value is set as `iss` in the claim.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., min_verification_interval: int # The minimum amount of time, in seconds, between two verification requests.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., stream_id: str # The ID of the SSF Stream configuration}
@returns(200) {aud: any, delivery: map{authorization_header: str?, endpoint_url: str(uri), method: str}, events_delivered: [str(uri)], events_requested: [str(uri)], events_supported: [str(uri)], format: str, iss: str, min_verification_interval: int?, stream_id: str} # OK
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PATCH /api/v1/ssf/stream
@desc Update an SSF stream
@required {delivery: map{authorization_header: str, endpoint_url!: str(uri), method!: str} # Contains information about the intended SET delivery method by the receiver, events_requested: [str(uri)] # The events (mapped by the array of event type URIs) that the receiver wants to receive}
@optional {aud: any # The audience used in the SET. This value is set as `aud` in the claim.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., events_delivered: [str(uri)] # The events (mapped by the array of event type URIs) that the transmitter actually delivers to the SSF Stream.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., events_supported: [str(uri)] # An array of event type URIs that the transmitter supports.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., format: str # The Subject Identifier format expected for any SET transmitted., iss: str # The issuer used in Security Event Tokens (SETs). This value is set as `iss` in the claim.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., min_verification_interval: int # The minimum amount of time, in seconds, between two verification requests.  A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter., stream_id: str # The ID of the SSF Stream configuration}
@returns(200) {aud: any, delivery: map{authorization_header: str?, endpoint_url: str(uri), method: str}, events_delivered: [str(uri)], events_requested: [str(uri)], events_supported: [str(uri)], format: str, iss: str, min_verification_interval: int?, stream_id: str} # OK
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/ssf/stream
@desc Delete an SSF stream
@optional {stream_id: str # The ID of the specified SSF Stream configuration}
@returns(204) No Content
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/ssf/stream/status
@desc Retrieve the SSF Stream status
@required {stream_id: str # The ID of the specified SSF Stream configuration}
@returns(200) {status: str, stream_id: str} # OK
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/ssf/stream/verification
@desc Verify an SSF stream
@required {stream_id: str # The ID of the SSF Stream Configuration}
@optional {state: str # An arbitrary string that Okta as a transmitter must echo back to the Event Receiver in the Verification Event's payload}
@returns(204) No Content
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/templates/sms
@desc List all SMS templates
@optional {templateType: str}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/templates/sms
@desc Create an SMS template
@optional {created: str(date-time), id: str, lastUpdated: str(date-time), name: str # Human-readable name of the Template, template: str # Text of the Template, including any [macros](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/), translations: map # - Template translations are optionally provided when you want to localize the SMS messages. Translations are provided as an object that contains `key:value` pairs: the language and the translated Template text. The key portion is a two-letter country code that conforms to [ISO 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The value is the translated SMS Template. - Just like with regular SMS Templates, the length of the SMS message can't exceed 160 characters., type: str # Type of the Template}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, template: str, translations: map, type: str} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"Custom","type":"SMS_VERIFY_CODE","template":"${org.name}: your verification code is ${code}","translations":{"es":"${org.name}: el código de verificación es ${code}","fr":"${org.name}: votre code de vérification est ${code}","it":"${org.name}: il codice di verifica è ${code}"}}

@endpoint GET /api/v1/templates/sms/{templateId}
@desc Retrieve an SMS template
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, template: str, translations: map, type: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/templates/sms/{templateId}
@desc Update an SMS template
@optional {created: str(date-time), id: str, lastUpdated: str(date-time), name: str # Human-readable name of the Template, template: str # Text of the Template, including any [macros](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/), translations: map # - Template translations are optionally provided when you want to localize the SMS messages. Translations are provided as an object that contains `key:value` pairs: the language and the translated Template text. The key portion is a two-letter country code that conforms to [ISO 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The value is the translated SMS Template. - Just like with regular SMS Templates, the length of the SMS message can't exceed 160 characters., type: str # Type of the Template}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, template: str, translations: map, type: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"translations":{"de":"${org.name}: ihre bestätigungscode ist ${code}."}}

@endpoint PUT /api/v1/templates/sms/{templateId}
@desc Replace an SMS template
@optional {created: str(date-time), id: str, lastUpdated: str(date-time), name: str # Human-readable name of the Template, template: str # Text of the Template, including any [macros](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/), translations: map # - Template translations are optionally provided when you want to localize the SMS messages. Translations are provided as an object that contains `key:value` pairs: the language and the translated Template text. The key portion is a two-letter country code that conforms to [ISO 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The value is the translated SMS Template. - Just like with regular SMS Templates, the length of the SMS message can't exceed 160 characters., type: str # Type of the Template}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, template: str, translations: map, type: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"name":"Custom","type":"SMS_VERIFY_CODE","template":"${org.name}: your verification code is ${code}","translations":{"es":"${org.name}: el código de verificación es ${code}","fr":"${org.name}: votre code de vérification est ${code}","it":"${org.name}: il codice di verifica è ${code}"}}

@endpoint DELETE /api/v1/templates/sms/{templateId}
@desc Delete an SMS template
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/threats/configuration
@desc Retrieve the ThreatInsight configuration
@returns(200) {action: str, created: str(date-time), excludeZones: [str], lastUpdated: str(date-time), _links: map{self: any}} # Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/threats/configuration
@desc Update the ThreatInsight configuration
@required {action: str(none/audit/block) # Specifies how Okta responds to authentication requests from suspicious IP addresses}
@optional {created: str(date-time) # Timestamp when the ThreatInsight Configuration object was created, excludeZones: [str] # Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs. IPs in the excluded network zones aren't logged or blocked. This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked., lastUpdated: str(date-time) # Timestamp when the ThreatInsight Configuration object was last updated, _links: map{self: any} # Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.}
@returns(200) {action: str, created: str(date-time), excludeZones: [str], lastUpdated: str(date-time), _links: map{self: any}} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"action":"audit","excludeZones":["nzo1q7jEOsoCnoKcj0g4","nzouagptWUz5DlLfM0g3"]}

@endpoint GET /api/v1/trustedOrigins
@desc List all trusted origins
@optional {q: str # A search string that prefix matches against the `name` and `origin`, filter: str # [Filter](https://developer.okta.com/docs/api/#filter) trusted origins with a supported expression for a subset of properties. You can filter on the following properties: `name`, `origin`, `status`, and `type` (type of scopes)., after: str # After cursor provided by a prior request, limit: int(int32)=20 # Specifies the number of results}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/trustedOrigins
@desc Create a trusted origin
@optional {name: str # Unique name for the trusted origin, origin: str # Unique origin URL for the trusted origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor., scopes: [map{allowedOktaApps: [str], type: str}] # Array of scope types that this trusted origin is used for}
@returns(200) {created: str(date-time), createdBy: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, origin: str, scopes: [map], status: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"name":"New trusted origin","origin":"http://example.com","scopes":[{"type":"CORS"},{"type":"REDIRECT"}]}

@endpoint GET /api/v1/trustedOrigins/{trustedOriginId}
@desc Retrieve a trusted origin
@returns(200) {created: str(date-time), createdBy: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, origin: str, scopes: [map], status: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/trustedOrigins/{trustedOriginId}
@desc Replace a trusted origin
@optional {created: str(date-time) # Timestamp when the trusted origin was created, createdBy: str # The ID of the user who created the trusted origin, id: str # Unique identifier for the trusted origin, lastUpdated: str(date-time) # Timestamp when the trusted origin was last updated, lastUpdatedBy: str # The ID of the user who last updated the trusted origin, name: str # Unique name for the trusted origin, origin: str # Unique origin URL for the trusted origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor., scopes: [map{allowedOktaApps: [str], type: str}] # Array of scope types that this trusted origin is used for, status: str(ACTIVE/INACTIVE), _links: any}
@returns(200) {created: str(date-time), createdBy: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, origin: str, scopes: [map], status: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"value":{"id":"tosue7JvguwJ7U6kz0g3","name":"Updated Example trusted origin","origin":"http://updated.example.com","scopes":[{"type":"CORS"},{"type":"REDIRECT"}],"status":"ACTIVE","created":"2017-12-16T05:01:12.000Z","createdBy":"00ut5t92p6IEOi4bu0g3","lastUpdated":"2017-12-16T05:01:12.000Z","lastUpdatedBy":"00ut5t92p6IEOi4bu0g3","_links":{"self":{"href":"https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3","hints":{"allow":["GET","PUT","DELETE"]}},"deactivate":{"href":"https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate","hints":{"allow":["POST"]}}}}}

@endpoint DELETE /api/v1/trustedOrigins/{trustedOriginId}
@desc Delete a trusted origin
@returns(204) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate
@desc Activate a trusted origin
@returns(200) {created: str(date-time), createdBy: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, origin: str, scopes: [map], status: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate
@desc Deactivate a trusted origin
@returns(200) {created: str(date-time), createdBy: str, id: str, lastUpdated: str(date-time), lastUpdatedBy: str, name: str, origin: str, scopes: [map], status: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users
@desc List all users
@optional {Content-Type: str # Specifies the media type of the resource. Optional `okta-response` value can be included for performance optimization.  Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck.  Enum values for `okta-response`:   * `omitCredentials`: Omits the credentials subobject from the response.   * `omitCredentialsLinks`: Omits the following HAL links from the response: Update password, Change recovery question, Start forgot password flow, Reset password, Reset factors, Unlock.   * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response., search: str # Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for optimal search performance.   > **Note:** Using an overly complex or long search query can result in an error.  This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Use an ID lookup for records that you update to ensure your results contain the latest data. Returned users include those with the `DEPROVISIONED` status.  Property names in the search parameter are case sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac.brock` finds `Isaac.Brock`, but doesn't find a property whose value is `isáàc.bröck`.   This operation requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `search=profile.department eq "Engineering"` is encoded as `search=profile.department%20eq%20%22Engineering%22`. If you use the special character `"` within a quoted string, it must also be escaped `\` and encoded. For example, `search=profile.lastName eq "bob"smith"` is encoded as `search=profile.lastName%20eq%20%22bob%5C%22smith%22`. See [Special Characters](https://developer.okta.com/docs/api/#special-characters).  This operation searches many properties:   * Any user profile attribute, including custom-defined attributes   * The top-level properties: `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated`   * The [user type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType/operation/updateUserType) accessed as `type.id`  > **Note:**  The ability to search by user classification is available as an [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. The `classification.type` property cannot be used in conjunction with other search terms. You can search using `classification.type eq "LITE"` or `classification.type eq "STANDARD"`.  You can also use `sortBy` and `sortOrder` parameters. The `ne` (not equal) operator isn't supported, but you can obtain the same result by using `lt ... or ... gt`. For example, to see all users except those that have a status of `STAGED`, use `(status lt "STAGED" or status gt "STAGED")`.  You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the [SCIM Protocol Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter).  Searches for users can be filtered by the following operators: `sw`, `eq`, and `co`. You can only use `co` with these select user profile attributes: `profile.firstName`, `profile.lastName`, `profile.email`, and `profile.login`. See [Operators](https://developer.okta.com/docs/api/#operators)., filter: str # Filters users with a supported expression for a subset of properties.   > **Note:** Returned users include those with the `DEPROVISIONED` status.  This requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Filtering is case-sensitive for property names and query values, while operators are case-insensitive.  Filtering supports the following limited number of properties: `status`, `lastUpdated`, `id`, `profile.login`, `profile.email`, `profile.firstName`, and `profile.lastName`.  Additionally, filtering supports only the equal `eq` operator from the standard Okta API filtering semantics, except in the case of the `lastUpdated` property. This property can also use the inequality operators (`gt`, `ge`, `lt`, and `le`). For logical operators, only the logical operators `and` and `or` are supported. The `not` operator isn't supported. See [Filter](https://developer.okta.com/docs/api/#filter) and [Operators](https://developer.okta.com/docs/api/#operators)., q: str # Finds users who match the specified query. This doesn't support pagination.  > **Note:** For optimal performance, use the `search` parameter instead.  Use the `q` parameter for simple queries, such as a lookup of users by name when creating a people picker.  The value of `q` is matched against `firstName`, `lastName`, or `email`. This performs a `startsWith` match, but this is an implementation detail and can change without notice. You don't need to specify `firstName`, `lastName`, or `email`.  > **Note:** Using the `q` parameter in a request omits users that have a status of `DEPROVISIONED`. To return all users, use a filter or search query instead., after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int(int32)=200 # Specifies the number of results returned. Defaults to 10 if `q` is provided., sortBy: str # Specifies field to sort by (for search queries only). This can be any single property, for example `sortBy=profile.lastName`. Users with the same value for the `sortBy` property will be ordered by `id`., sortOrder: str # Specifies the sort order: `asc` or `desc` (for search queries only). Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. `sortOrder` is ignored if `sortBy` isn't present., expand: str # A parameter to include metadata in the `_embedded` property. Supported value: `classification`.}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/users
@desc Create a user
@required {profile: map{city: str, costCenter: str, countryCode: str, department: str, displayName: str, division: str, email: str(email), employeeNumber: str, firstName: str, honorificPrefix: str, honorificSuffix: str, lastName: str, locale: str, login: str, manager: str, managerId: str, middleName: str, mobilePhone: str, nickName: str, organization: str, postalAddress: str, preferredLanguage: str, primaryPhone: str, profileUrl: str, secondEmail: str(email), state: str, streetAddress: str, timezone: str, title: str, userType: str, zipCode: str} # Specifies the default and custom profile properties for a user.  The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643).  The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications.  You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions.  Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting.}
@optional {activate: bool=true # Executes an [activation lifecycle](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user, provider: bool=false # Indicates whether to create a user with a specified authentication provider, nextLogin: str # With `activate=true`, if `nextLogin=changePassword`, a user is created, activated, and the password is set to `EXPIRED`. The user must change it the next time they sign in., credentials: map{password: map, provider: map, recovery_question: map} # Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org., groupIds: [str] # The list of group IDs of groups that the user is added to at the time of creation, realmId: str # The ID of the realm in which the user is residing. See [Realms](/openapi/okta-management/management/tag/Realm/)., type: map{id: str} # The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can only be assigned a different user type by an administrator through a full replacement (`PUT`) operation.}
@returns(200) {activated: str(date-time)?, created: str(date-time), credentials: map{password: map{hash: map{algorithm: str, digestAlgorithm: str, iterationCount: int, keySize: int, salt: str, saltOrder: str, value: str, workFactor: int}, hook: map{type: str}, value: str(password)}, provider: map{name: str, type: str}, recovery_question: map{answer: str, question: str}}, id: str, lastLogin: str(date-time)?, lastUpdated: str(date-time), passwordChanged: str(date-time)?, profile: map{city: str?, costCenter: str?, countryCode: str?, department: str, displayName: str?, division: str?, email: str(email), employeeNumber: str, firstName: str?, honorificPrefix: str?, honorificSuffix: str?, lastName: str?, locale: str, login: str, manager: str?, managerId: str?, middleName: str?, mobilePhone: str?, nickName: str?, organization: str?, postalAddress: str?, preferredLanguage: str?, primaryPhone: str?, profileUrl: str?, secondEmail: str(email)?, state: str?, streetAddress: str?, timezone: str?, title: str?, userType: str?, zipCode: str?}, realmId: str, status: str, statusChanged: str(date-time)?, transitioningToStatus: str?, type: map{id: str}, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"profile":{"firstName":"Isaac","lastName":"Brock","email":"isaac.brock@example.com","login":"isaac.brock@example.com","mobilePhone":"555-415-1337"}}

@endpoint POST /api/v1/users/me/lifecycle/delete_sessions
@desc End a current user session
@optional {keepCurrent: bool=true # Skip deleting the user's current session when set to `true`}
@returns(200) OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{id}
@desc Retrieve a user
@optional {Content-Type: str # Specifies the media type of the resource. Optional `okta-response` value can be included for performance optimization.  Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck.  Enum values for `okta-response`:   * `omitCredentials`: Omits the credentials subobject from the response.   * `omitCredentialsLinks`: Omits the following HAL links from the response: Update password, Change recovery question, Start forgot password flow, Reset password, Reset factors, Unlock.   * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response., expand: str # An optional parameter to include metadata in the `_embedded` attribute. Valid values: `blocks` or  `classification`.}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}
@desc Update a user
@optional {strict: bool # If true, validates against minimum age and history password policy, If-Match: str # The ETag value of the user's expected current state. This becomes a conditional request used for concurrency control. See [Conditional Requests and Entity Tags](/#conditional-requests-and-entity-tags)., credentials: map{password: map, provider: map, recovery_question: map} # Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org., profile: map{city: str, costCenter: str, countryCode: str, department: str, displayName: str, division: str, email: str(email), employeeNumber: str, firstName: str, honorificPrefix: str, honorificSuffix: str, lastName: str, locale: str, login: str, manager: str, managerId: str, middleName: str, mobilePhone: str, nickName: str, organization: str, postalAddress: str, preferredLanguage: str, primaryPhone: str, profileUrl: str, secondEmail: str(email), state: str, streetAddress: str, timezone: str, title: str, userType: str, zipCode: str} # Specifies the default and custom profile properties for a user.  The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643).  The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications.  You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions.  Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting., realmId: str # The ID of the realm in which the user is residing. See [Realms](/openapi/okta-management/management/tag/Realm/).}
@returns(200) {activated: str(date-time)?, created: str(date-time), credentials: map{password: map{hash: map{algorithm: str, digestAlgorithm: str, iterationCount: int, keySize: int, salt: str, saltOrder: str, value: str, workFactor: int}, hook: map{type: str}, value: str(password)}, provider: map{name: str, type: str}, recovery_question: map{answer: str, question: str}}, id: str, lastLogin: str(date-time)?, lastUpdated: str(date-time), passwordChanged: str(date-time)?, profile: map{city: str?, costCenter: str?, countryCode: str?, department: str, displayName: str?, division: str?, email: str(email), employeeNumber: str, firstName: str?, honorificPrefix: str?, honorificSuffix: str?, lastName: str?, locale: str, login: str, manager: str?, managerId: str?, middleName: str?, mobilePhone: str?, nickName: str?, organization: str?, postalAddress: str?, preferredLanguage: str?, primaryPhone: str?, profileUrl: str?, secondEmail: str(email)?, state: str?, streetAddress: str?, timezone: str?, title: str?, userType: str?, zipCode: str?}, realmId: str, status: str, statusChanged: str(date-time)?, transitioningToStatus: str?, type: map{id: str}, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"profile":{"firstName":"Isaac","email":"isaac.brock@update.example.com","mobilePhone":"555-415-1337"}}

@endpoint PUT /api/v1/users/{id}
@desc Replace a user
@optional {strict: bool # If `true`, validates against minimum age and history password policy, If-Match: str # The ETag value of the user's expected current state. This becomes a conditional request used for concurrency control. See [Conditional Requests and Entity Tags](/#conditional-requests-and-entity-tags)., credentials: map{password: map, provider: map, recovery_question: map} # Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org., profile: map{city: str, costCenter: str, countryCode: str, department: str, displayName: str, division: str, email: str(email), employeeNumber: str, firstName: str, honorificPrefix: str, honorificSuffix: str, lastName: str, locale: str, login: str, manager: str, managerId: str, middleName: str, mobilePhone: str, nickName: str, organization: str, postalAddress: str, preferredLanguage: str, primaryPhone: str, profileUrl: str, secondEmail: str(email), state: str, streetAddress: str, timezone: str, title: str, userType: str, zipCode: str} # Specifies the default and custom profile properties for a user.  The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643).  The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications.  You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions.  Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting., realmId: str # The ID of the realm in which the user is residing. See [Realms](/openapi/okta-management/management/tag/Realm/).}
@returns(200) {activated: str(date-time)?, created: str(date-time), credentials: map{password: map{hash: map{algorithm: str, digestAlgorithm: str, iterationCount: int, keySize: int, salt: str, saltOrder: str, value: str, workFactor: int}, hook: map{type: str}, value: str(password)}, provider: map{name: str, type: str}, recovery_question: map{answer: str, question: str}}, id: str, lastLogin: str(date-time)?, lastUpdated: str(date-time), passwordChanged: str(date-time)?, profile: map{city: str?, costCenter: str?, countryCode: str?, department: str, displayName: str?, division: str?, email: str(email), employeeNumber: str, firstName: str?, honorificPrefix: str?, honorificSuffix: str?, lastName: str?, locale: str, login: str, manager: str?, managerId: str?, middleName: str?, mobilePhone: str?, nickName: str?, organization: str?, postalAddress: str?, preferredLanguage: str?, primaryPhone: str?, profileUrl: str?, secondEmail: str(email)?, state: str?, streetAddress: str?, timezone: str?, title: str?, userType: str?, zipCode: str?}, realmId: str, status: str, statusChanged: str(date-time)?, transitioningToStatus: str?, type: map{id: str}, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"credentials":{"password":{"value":"tlpWENT2m"},"recovery_question":{"question":"Who's a major player in the cowboy scene?","answer":"Annie Oakley"},"provider":{"type":"OKTA","name":"OKTA"}},"profile":{"firstName":"Isaac","lastName":"Brock","email":"isaac.brock@example.com","login":"isaac.brock@example.com","mobilePhone":"555-415-1337"}}

@endpoint DELETE /api/v1/users/{id}
@desc Delete a user
@optional {sendEmail: bool=false # Sends a deactivation email to the admin if `true`, Prefer: str}
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{id}/appLinks
@desc List all assigned app links
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{id}/blocks
@desc List all user blocks
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{id}/groups
@desc List all groups
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{id}/idps
@desc List all IdPs for user
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/activate
@desc Activate a user
@optional {sendEmail: bool=true # Sends an activation email to the user if `true`}
@returns(200) {activationToken: str, activationUrl: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/deactivate
@desc Deactivate a user
@optional {sendEmail: bool=false # Sends a deactivation email to the admin if `true`, Prefer: str # Request asynchronous processing}
@returns(200) OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/expire_password
@desc Expire the password
@returns(200) {activated: str(date-time)?, created: str(date-time), credentials: map{password: map{hash: map{algorithm: str, digestAlgorithm: str, iterationCount: int, keySize: int, salt: str, saltOrder: str, value: str, workFactor: int}, hook: map{type: str}, value: str(password)}, provider: map{name: str, type: str}, recovery_question: map{answer: str, question: str}}, id: str, lastLogin: str(date-time)?, lastUpdated: str(date-time), passwordChanged: str(date-time)?, profile: map{city: str?, costCenter: str?, countryCode: str?, department: str, displayName: str?, division: str?, email: str(email), employeeNumber: str, firstName: str?, honorificPrefix: str?, honorificSuffix: str?, lastName: str?, locale: str, login: str, manager: str?, managerId: str?, middleName: str?, mobilePhone: str?, nickName: str?, organization: str?, postalAddress: str?, preferredLanguage: str?, primaryPhone: str?, profileUrl: str?, secondEmail: str(email)?, state: str?, streetAddress: str?, timezone: str?, title: str?, userType: str?, zipCode: str?}, realmId: str, status: str, statusChanged: str(date-time)?, transitioningToStatus: str?, type: map{id: str}, _embedded: map, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/expire_password_with_temp_password
@desc Expire the password with a temporary password
@optional {revokeSessions: bool=false # Revokes the user's existing sessions if `true`}
@returns(200) {activated: str(date-time)?, created: str(date-time), credentials: map{password: map{hash: map{algorithm: str, digestAlgorithm: str, iterationCount: int, keySize: int, salt: str, saltOrder: str, value: str, workFactor: int}, hook: map{type: str}, value: str(password)}, provider: map{name: str, type: str}, recovery_question: map{answer: str, question: str}}, id: str, lastLogin: str(date-time)?, lastUpdated: str(date-time), passwordChanged: str(date-time)?, profile: map{city: str?, costCenter: str?, countryCode: str?, department: str, displayName: str?, division: str?, email: str(email), employeeNumber: str, firstName: str?, honorificPrefix: str?, honorificSuffix: str?, lastName: str?, locale: str, login: str, manager: str?, managerId: str?, middleName: str?, mobilePhone: str?, nickName: str?, organization: str?, postalAddress: str?, preferredLanguage: str?, primaryPhone: str?, profileUrl: str?, secondEmail: str(email)?, state: str?, streetAddress: str?, timezone: str?, title: str?, userType: str?, zipCode: str?}, realmId: str, status: str, statusChanged: str(date-time)?, transitioningToStatus: str?, type: map{id: str}, _embedded: map, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/reactivate
@desc Reactivate a user
@optional {sendEmail: bool=false # Sends an activation email to the user if `true`}
@returns(200) {activationToken: str, activationUrl: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/reset_factors
@desc Reset the factors
@returns(200) OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/reset_password
@desc Reset a password
@required {sendEmail: bool}
@optional {revokeSessions: bool=false # Revokes all user sessions, except for the current session, if set to `true`}
@returns(200) {resetPasswordUrl: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/suspend
@desc Suspend a user
@returns(200) OK
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/unlock
@desc Unlock a user
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{id}/lifecycle/unsuspend
@desc Unsuspend a user
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/users/{userIdOrLogin}/linkedObjects/{primaryRelationshipName}/{primaryUserId}
@desc Assign a linked object value for primary
@returns(204) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}
@desc List the primary or all of the associated linked object values
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}
@desc Delete a linked object value
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/authenticator-enrollments
@desc List all authenticator enrollments
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, profile: map{phoneNumber: str}, status: str, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/authenticator-enrollments/phone
@desc Create an auto-activated Phone authenticator enrollment
@required {userId: str # ID of an existing Okta user, authenticatorId: str # Unique identifier of the `phone` authenticator, profile: map{phoneNumber!: str} # Defines the authenticator specific parameters}
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, profile: map{phoneNumber: str}, status: str, type: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"authenticatorId":"aut5l4ttFyGEWdy6V0k7","profile":{"phoneNumber":"+14086673418"}}

@endpoint POST /api/v1/users/{userId}/authenticator-enrollments/tac
@desc Create an auto-activated TAC authenticator enrollment
@required {userId: str # ID of an existing Okta user, authenticatorId: str # Unique identifier of the TAC authenticator}
@optional {profile: map{multiUse: bool, ttl: str} # Defines the authenticator specific parameters}
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, nickname: str, profile: map{expiresAt: str(date-time), multiUse: bool, tac: str}, status: str, type: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"authenticatorId":"autnmtl4xbt8RQVzA0g4","profile":{"ttl":11,"multiUse":false}}

@endpoint GET /api/v1/users/{userId}/authenticator-enrollments/{enrollmentId}
@desc Retrieve an authenticator enrollment
@returns(200) {created: str(date-time), id: str, key: str, lastUpdated: str(date-time), name: str, profile: map{phoneNumber: str}, status: str, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/authenticator-enrollments/{enrollmentId}
@desc Delete an authenticator enrollment
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/classification
@desc Retrieve a user's classification
@returns(200) {lastUpdated: str(date-time), type: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/users/{userId}/classification
@desc Replace the user's classification
@optional {type: str(LITE/STANDARD) # The type of user classification}
@returns(200) {lastUpdated: str(date-time), type: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"type":"LITE"}

@endpoint GET /api/v1/users/{userId}/clients
@desc List all clients
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/clients/{clientId}/grants
@desc List all grants for a client
@optional {expand: str # Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute., after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int(int32)=20 # Specifies the number of tokens to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/clients/{clientId}/grants
@desc Revoke all grants for a client
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/clients/{clientId}/tokens
@desc List all refresh tokens for a client
@optional {expand: str # Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute., after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int(int32)=20 # Specifies the number of tokens to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/clients/{clientId}/tokens
@desc Revoke all refresh tokens for a client
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}
@desc Retrieve a refresh token for a client
@optional {expand: str # Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.}
@returns(200) {clientId: str, created: str(date-time), expiresAt: str(date-time), id: str, issuer: str, lastUpdated: str(date-time), scopes: [str], status: str, userId: str, _embedded: map{scopes: [map]}, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}
@desc Revoke a token for a client
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/credentials/change_password
@desc Update password
@optional {strict: bool=false # If true, validates against the password minimum age policy, newPassword: map{hash: map, hook: map, value: str(password)} # Specifies a password for a user.  When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator:  **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**).  For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation., oldPassword: map{hash: map, hook: map, value: str(password)} # Specifies a password for a user.  When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator:  **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**).  For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation., revokeSessions: bool=false # When set to `true`, revokes all user sessions, except for the current session}
@returns(200) {password: map{hash: map{algorithm: str, digestAlgorithm: str, iterationCount: int, keySize: int, salt: str, saltOrder: str, value: str, workFactor: int}, hook: map{type: str}, value: str(password)}, provider: map{name: str, type: str}, recovery_question: map{answer: str, question: str}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"oldPassword":{"value":"tlpWENT2m"},"newPassword":{"value":"uTVM,TPw55"},"revokeSessions":true}

@endpoint POST /api/v1/users/{userId}/credentials/change_recovery_question
@desc Update recovery question
@optional {password: map{hash: map, hook: map, value: str(password)} # Specifies a password for a user.  When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator:  **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**).  For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation., provider: map{name: str, type: str} # Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the **Delegated Authentication** settings for your org. The provider object is **read-only**., recovery_question: map{answer: str, question: str} # Specifies a secret question and answer that's validated (case insensitive) when a user forgets their password or unlocks their account. The answer property is write-only.}
@returns(200) {password: map{hash: map{algorithm: str, digestAlgorithm: str, iterationCount: int, keySize: int, salt: str, saltOrder: str, value: str, workFactor: int}, hook: map{type: str}, value: str(password)}, provider: map{name: str, type: str}, recovery_question: map{answer: str, question: str}} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"password":{"value":"tlpWENT2m"},"recovery_question":{"question":"How many roads must a man walk down?","answer":"forty two"}}

@endpoint POST /api/v1/users/{userId}/credentials/forgot_password
@desc Start forgot password flow
@optional {sendEmail: bool=true # Sends a forgot password email to the user if `true`}
@returns(200) {resetPasswordUrl: str} # Reset URL
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/credentials/forgot_password_recovery_question
@desc Reset password with recovery question
@optional {sendEmail: bool=true, password: map{hash: map, hook: map, value: str(password)} # Specifies a password for a user.  When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator:  **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**).  For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation., provider: map{name: str, type: str} # Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the **Delegated Authentication** settings for your org. The provider object is **read-only**., recovery_question: map{answer: str, question: str} # Specifies a secret question and answer that's validated (case insensitive) when a user forgets their password or unlocks their account. The answer property is write-only.}
@returns(200) {password: map{hash: map{algorithm: str, digestAlgorithm: str, iterationCount: int, keySize: int, salt: str, saltOrder: str, value: str, workFactor: int}, hook: map{type: str}, value: str(password)}, provider: map{name: str, type: str}, recovery_question: map{answer: str, question: str}} # Credentials
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"password":{"value":"uTVM,TPw55"},"recovery_question":{"answer":"Annie Oakley"}}

@endpoint GET /api/v1/users/{userId}/devices
@desc List all devices
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/factors
@desc List all enrolled factors
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/factors
@desc Enroll a factor
@optional {updatePhone: bool=false # If `true`, indicates that you are replacing the currently registered phone number for the specified user. This parameter is ignored if the existing phone number is used by an activated factor., templateId: str # ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` factors. If the provided ID doesn't exist, the default template is used instead., tokenLifetimeSeconds: int(int32)=300 # Defines how long the token remains valid, activate: bool=false # If `true`, the factor is immediately activated as part of the enrollment. An activation process isn't required. Currently auto-activation is supported by `sms`, `call`, `email` and `token:hotp` (Custom TOTP) factors., Accept-Language: str # An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead., created: str(date-time) # Timestamp when the factor was enrolled, factorType: str(call/email/push/question/signed_nonce/sms/token/token:hardware/token:hotp/token:software:totp/u2f/web/webauthn) # Type of factor, id: str # ID of the factor, lastUpdated: str(date-time) # Timestamp when the factor was last updated, profile: map # Specific attributes related to the factor, provider: str # Provider for the factor. Each provider can support a subset of factor types., status: str(ACTIVE/DISABLED/ENROLLED/EXPIRED/INACTIVE/NOT_SETUP/PENDING_ACTIVATION) # Status of the factor, vendorName: str # Name of the factor vendor. This is usually the same as the provider except for On-Prem MFA, which depends on admin settings., _embedded: map, _links: any}
@returns(200) {created: str(date-time), factorType: str, id: str, lastUpdated: str(date-time), profile: map, provider: str, status: str, vendorName: str, _embedded: map, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"question":{"summary":"question factor","value":{"factorType":"question","provider":"OKTA","profile":{"question":"disliked_food","answer":"mayonnaise"}}}}

@endpoint GET /api/v1/users/{userId}/factors/catalog
@desc List all supported factors
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/factors/questions
@desc List all supported security questions
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/factors/{factorId}
@desc Retrieve a factor
@returns(200) {created: str(date-time), factorType: str, id: str, lastUpdated: str(date-time), profile: map, provider: str, status: str, vendorName: str, _embedded: map, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/factors/{factorId}
@desc Unenroll a factor
@optional {removeRecoveryEnrollment: bool=false # If `true`, removes the phone number as both a recovery method and a factor. This parameter is only used for the `sms` and `call` factors.}
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate
@desc Activate a factor
@returns(200) {factorType: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"passCode":"123456"}

@endpoint POST /api/v1/users/{userId}/factors/{factorId}/resend
@desc Resend a factor enrollment
@optional {templateId: str # ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` factors., factorType: str(call/email/sms) # Type of the factor}
@returns(200) {factorType: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"factorType":"sms","provider":"OKTA","profile":{"phoneNumber":"+1-555-415-1337"}}

@endpoint GET /api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}
@desc Retrieve a factor transaction status
@returns(200) {factorResult: str} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/factors/{factorId}/verify
@desc Verify a factor
@optional {templateId: str # ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` factors., tokenLifetimeSeconds: int(int32)=300 # Defines how long the token remains valid, X-Forwarded-For: str # Public IP address for the user agent, User-Agent: str # Type of user agent detected when the request is made. Required to verify `push` factors., Accept-Language: str # An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead.}
@returns(200) {expiresAt: str(date-time), factorMessage: str?, factorResult: str, profile: map, _embedded: any, _links: any} # Success
@returns(201) {expiresAt: str(date-time), factorMessage: str?, factorResult: str, profile: map, _embedded: any, _links: any} # Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"passCode":"123456"}

@endpoint GET /api/v1/users/{userId}/grants
@desc List all user grants
@optional {scopeId: str # The scope ID to filter on, expand: str # Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute., after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int(int32)=20 # Specifies the number of grants to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/grants
@desc Revoke all user grants
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/grants/{grantId}
@desc Retrieve a user grant
@optional {expand: str # Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.}
@returns(200) {clientId: str, created: str(date-time), createdBy: map{id: str, type: str}, id: str, issuer: str, lastUpdated: str(date-time), scopeId: str, source: str, status: str, userId: str, _embedded: map{scope: map{id: str}}, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/grants/{grantId}
@desc Revoke a user grant
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/risk
@desc Retrieve the user's risk
@returns(200) {riskLevel: str, _links: any} # OK
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/users/{userId}/risk
@desc Upsert the user's risk
@optional {riskLevel: str(HIGH/LOW) # The risk level associated with the user}
@returns(200) {reason: str, riskLevel: str, _links: any} # Updated the user's risk
@returns(201) {reason: str, riskLevel: str, _links: any} # Created the user's risk
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"riskLevel":"HIGH"}

@endpoint GET /api/v1/users/{userId}/roles
@desc List all user role assignments
@optional {expand: str # An optional parameter used to return targets configured for the standard role assignment in the `embedded` property. Supported values: `targets/groups` or `targets/catalog/apps`}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/roles
@desc Assign a user role
@optional {disableNotifications: bool=false # Setting this to `true` grants the user third-party admin status}
@returns(201) Created
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/roles/{roleAssignmentId}
@desc Retrieve a user role assignment
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/roles/{roleAssignmentId}
@desc Unassign a user role
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/roles/{roleAssignmentId}/governance
@desc Retrieve all user role governance sources
@returns(200) {grants: [map], _links: map{assignee: any, self: any}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}
@desc Retrieve a user role governance source
@returns(200) {bundleId: str, expirationDate: str(date-time), grantId: str, type: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}/resources
@desc Retrieve the user role governance source resources
@returns(200) {resources: [map], _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps
@desc List all admin role app targets
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps
@desc Assign all apps as target to admin role
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}
@desc Assign an admin role app target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}
@desc Unassign an admin role app target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}
@desc Assign an admin role app instance target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}
@desc Unassign an admin role app instance target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups
@desc List all admin role group targets
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups/{groupId}
@desc Assign an admin role group target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups/{groupId}
@desc Unassign an admin role group target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/roles/{roleIdOrEncodedRoleId}/targets
@desc Retrieve a role target by assignment type
@optional {assignmentType: str(USER/GROUP) # Specifies the assignment type of the user, after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /api/v1/users/{userId}/sessions
@desc Revoke all user sessions
@optional {oauthTokens: bool=false # Revokes issued OpenID Connect and OAuth refresh and access tokens, forgetDevices: bool=true # Clears the user's remembered factors for all devices. > **Note:** This parameter defaults to false in Classic Engine.}
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/subscriptions
@desc List all subscriptions for a user
@required {userId: str}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/users/{userId}/subscriptions/{notificationType}
@desc Retrieve a subscription for a user
@required {userId: str, notificationType: str}
@returns(200) {channels: [str], notificationType: str, status: str, _links: map{self: map{hints: map{allow: [str]}, href: str, name: str, templated: bool, type: str}}} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/subscriptions/{notificationType}/subscribe
@desc Subscribe a user to a specific notification type
@required {userId: str, notificationType: str}
@returns(200) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/users/{userId}/subscriptions/{notificationType}/unsubscribe
@desc Unsubscribe a user from a specific notification type
@required {userId: str, notificationType: str}
@returns(200) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /api/v1/zones
@desc List all network zones
@optional {after: str, limit: int(int32)=-1, filter: str}
@returns(200) Success
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint POST /api/v1/zones
@desc Create a network zone
@required {name: str # Unique name for this Network Zone, type: str(DYNAMIC/IP/DYNAMIC_V2) # The type of Network Zone}
@optional {created: str(date-time) # Timestamp when the object was created, id: str # Unique identifier for the Network Zone, lastUpdated: str(date-time) # Timestamp when the object was last modified, status: str(ACTIVE/INACTIVE) # Network Zone status, system: bool # Indicates a system Network Zone: * `true` for system Network Zones * `false` for custom Network Zones  The Okta org provides the following default system Network Zones: * `LegacyIpZone` * `BlockedIpZone` * `DefaultEnhancedDynamicZone` * `DefaultExemptIpZone`  Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries., usage: str(BLOCKLIST/POLICY) # The usage of the Network Zone, _links: any}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, system: bool, type: str, usage: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}
@example_request {"type":"IP","name":"newNetworkZone","gateways":[{"type":"CIDR","value":"1.2.3.4/24"},{"type":"CIDR","value":"2.3.4.5/24"}],"proxies":[{"type":"CIDR","value":"2.2.3.4/24"},{"type":"CIDR","value":"3.3.4.5/24"}]}

@endpoint GET /api/v1/zones/{zoneId}
@desc Retrieve a network zone
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, system: bool, type: str, usage: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /api/v1/zones/{zoneId}
@desc Replace a network zone
@required {name: str # Unique name for this Network Zone, type: str(DYNAMIC/IP/DYNAMIC_V2) # The type of Network Zone}
@optional {created: str(date-time) # Timestamp when the object was created, id: str # Unique identifier for the Network Zone, lastUpdated: str(date-time) # Timestamp when the object was last modified, status: str(ACTIVE/INACTIVE) # Network Zone status, system: bool # Indicates a system Network Zone: * `true` for system Network Zones * `false` for custom Network Zones  The Okta org provides the following default system Network Zones: * `LegacyIpZone` * `BlockedIpZone` * `DefaultEnhancedDynamicZone` * `DefaultExemptIpZone`  Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries., usage: str(BLOCKLIST/POLICY) # The usage of the Network Zone, _links: any}
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, system: bool, type: str, usage: str, _links: any} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"type":"IP","id":"nzovw2rFz2YoqmvwZ0g9","name":"UpdatedNetZone","status":"ACTIVE","system":false,"usage":"POLICY","gateways":[{"type":"CIDR","value":"10.2.3.4/24"},{"type":"CIDR","value":"12.2.3.4/24"},{"type":"RANGE","value":"13.4.5.6-13.4.5.8"},{"type":"CIDR","value":"14.2.3.4/24"}],"proxies":[{"type":"CIDR","value":"12.2.3.4/24"},{"type":"CIDR","value":"13.3.4.5/24"},{"type":"RANGE","value":"14.4.5.6-14.4.5.8"},{"type":"RANGE","value":"15.5.6.7/24-15.5.6.9"}],"_links":{"self":{"href":"https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9","hints":{"allow":["GET","PUT","DELETE"]}},"deactivate":{"href":"https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate","hints":{"allow":["POST"]}}}}

@endpoint DELETE /api/v1/zones/{zoneId}
@desc Delete a network zone
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/zones/{zoneId}/lifecycle/activate
@desc Activate a network zone
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, system: bool, type: str, usage: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /api/v1/zones/{zoneId}/lifecycle/deactivate
@desc Deactivate a network zone
@returns(200) {created: str(date-time), id: str, lastUpdated: str(date-time), name: str, status: str, system: bool, type: str, usage: str, _links: any} # Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endgroup

@group attack-protection
@endpoint GET /attack-protection/api/v1/authenticator-settings
@desc Retrieve the authenticator settings
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /attack-protection/api/v1/authenticator-settings
@desc Replace the authenticator settings
@optional {verifyKnowledgeSecondWhen2faRequired: bool=false # If true, requires users to verify a possession factor before verifying a knowledge factor when the assurance requires two-factor authentication (2FA).}
@returns(200) {verifyKnowledgeSecondWhen2faRequired: bool} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /attack-protection/api/v1/user-lockout-settings
@desc Retrieve the user lockout settings
@returns(200) OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /attack-protection/api/v1/user-lockout-settings
@desc Replace the user lockout settings
@optional {preventBruteForceLockoutFromUnknownDevices: bool=false # Prevents brute-force lockout from unknown devices for the password authenticator.}
@returns(200) {preventBruteForceLockoutFromUnknownDevices: bool} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endgroup

@group device-access
@endpoint GET /device-access/api/v1/desktop-mfa/enforce-number-matching-challenge-settings
@desc Retrieve the Desktop MFA Enforce Number Matching Challenge org setting
@returns(200) {desktopMFAEnforceNumberMatchingChallengeEnabled: bool} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /device-access/api/v1/desktop-mfa/enforce-number-matching-challenge-settings
@desc Replace the Desktop MFA Enforce Number Matching Challenge org setting
@optional {desktopMFAEnforceNumberMatchingChallengeEnabled: bool=false # Indicates whether or not the Desktop MFA Enforce Number Matching Challenge push notifications feature is enabled}
@returns(200) {desktopMFAEnforceNumberMatchingChallengeEnabled: bool} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endpoint GET /device-access/api/v1/desktop-mfa/recovery-pin-settings
@desc Retrieve the Desktop MFA Recovery PIN org setting
@returns(200) {desktopMFARecoveryPinEnabled: bool} # OK
@errors {403: Forbidden, 429: Too Many Requests}

@endpoint PUT /device-access/api/v1/desktop-mfa/recovery-pin-settings
@desc Replace the Desktop MFA Recovery PIN org setting
@optional {desktopMFARecoveryPinEnabled: bool=false # Indicates whether or not the Desktop MFA Recovery PIN feature is enabled}
@returns(200) {desktopMFARecoveryPinEnabled: bool} # OK
@errors {400: Bad Request, 403: Forbidden, 429: Too Many Requests}

@endgroup

@group integrations
@endpoint GET /integrations/api/v1/api-services
@desc List all API service integration instances
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).}
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 429: Too Many Requests}

@endpoint POST /integrations/api/v1/api-services
@desc Create an API service integration instance
@required {grantedScopes: [str] # The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management)., type: str # The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`.}
@optional {properties: map # App instance properties}
@returns(201) Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}
@example_request {"type":"my_app_cie","grantedScopes":["okta.logs.read","okta.groups.read","okta.users.read"]}

@endpoint GET /integrations/api/v1/api-services/{apiServiceId}
@desc Retrieve an API service integration instance
@returns(200) {configGuideUrl: str, createdAt: str, createdBy: str, grantedScopes: [str], id: str, name: str, properties: map, type: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /integrations/api/v1/api-services/{apiServiceId}
@desc Delete an API service integration instance
@returns(204) No Content
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets
@desc List all API service integration instance secrets
@returns(200) OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets
@desc Create an API service integration instance secret
@returns(201) {client_secret: str, created: str, id: str, lastUpdated: str, secret_hash: str, status: str, _links: any} # Created
@errors {400: Bad Request, 401: Unauthorized, 403: Forbidden, 429: Too Many Requests}

@endpoint DELETE /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}
@desc Delete an API service integration instance secret
@returns(204) No Content
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/activate
@desc Activate an API service integration instance secret
@returns(200) {client_secret: str, created: str, id: str, lastUpdated: str, secret_hash: str, status: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/deactivate
@desc Deactivate an API service integration instance secret
@returns(200) {client_secret: str, created: str, id: str, lastUpdated: str, secret_hash: str, status: str, _links: any} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endgroup

@group oauth2
@endpoint GET /oauth2/v1/clients/{clientId}/roles
@desc List all client role assignments
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /oauth2/v1/clients/{clientId}/roles
@desc Assign a client role
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"type":"HELP_DESK_ADMIN"}

@endpoint GET /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}
@desc Retrieve a client role
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}
@desc Unassign a client role
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps
@desc List all client role app targets
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}
@desc Assign a client role app target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}
@desc Unassign a client role app target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}
@desc Assign a client role app instance target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}
@desc Unassign a client role app instance target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups
@desc List all client role group targets
@optional {after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., limit: int=20 # A limit on the number of objects to return}
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups/{groupId}
@desc Assign a client role group target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups/{groupId}
@desc Unassign a client role group target
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endgroup

@group okta-personal-settings
@endpoint PUT /okta-personal-settings/api/v1/edit-feature
@desc Replace the Okta Personal admin settings
@optional {enableEnduserEntryPoints: bool # Allow entry points for an Okta Personal account in a Workforce org, enableExportApps: bool # Allow users to migrate apps from a Workforce account to an Okta Personal account}
@returns(204) No Content
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"enableExportApps":true,"enableEnduserEntryPoints":true}

@endpoint GET /okta-personal-settings/api/v1/export-blocklists
@desc List all blocked email domains
@returns(200) {domains: [any]} # OK
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PUT /okta-personal-settings/api/v1/export-blocklists
@desc Replace the blocked email domains
@optional {domains: [any] # List of blocked email domains}
@returns(204) No Content
@errors {401: Unauthorized, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"domains":["yahoo.com","google.com"]}

@endgroup

@group privileged-access
@endpoint GET /privileged-access/api/v1/service-accounts
@desc List all app service accounts
@optional {limit: int=20 # A limit on the number of objects to return, after: str # The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination)., match: str # Searches for app service accounts where the account name (`name`), username (`username`), app instance label (`containerInstanceName`), or OIN app key name (`containerGlobalName`) contains the given value}
@returns(200) Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /privileged-access/api/v1/service-accounts
@desc Create an app service account
@required {containerOrn: str # The [ORN](/openapi/okta-management/guides/roles/#okta-resource-name-orn) of the relevant resource.  Use the specific app ORN format (`orn:{partition}:idp:{yourOrgId}:apps:{appType}:{appId}`) to identify an Okta app instance in your org., name: str(regex) # The user-defined name for the app service account, username: str # The username that serves as the direct link to your managed app account. Ensure that this value precisely matches the identifier of the target app account.}
@optional {containerGlobalName: str # The key name of the app in the Okta Integration Network (OIN), containerInstanceName: str # The app instance label, created: str(date-time) # Timestamp when the app service account was created, description: str(regex) # The description of the app service account, id: str(regex) # The UUID of the app service account, lastUpdated: str(date-time) # Timestamp when the app service account was last updated, ownerGroupIds: [str] # A list of IDs of the Okta groups who own the app service account, ownerUserIds: [str] # A list of IDs of the Okta users who own the app service account, password: str(password) # The app service account password. Required for apps that don't have provisioning enabled or don't support password synchronization., status: str(ALERT/ERROR/INFO/NO_ISSUES/UNSECURED) # Describes the current status of an app service account, statusDetail: str(CREATION_FAILED/MISSING_PASSWORD/PENDING/ROTATED/ROTATING/ROTATION_FAILED/STAGED/VAULTED) # Describes the detailed status of an app service account}
@returns(200) {containerGlobalName: str, containerInstanceName: str, containerOrn: str, created: str(date-time), description: str(regex), id: str(regex), lastUpdated: str(date-time), name: str(regex), ownerGroupIds: [str], ownerUserIds: [str], password: str(password), status: str, statusDetail: str, username: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint GET /privileged-access/api/v1/service-accounts/{id}
@desc Retrieve an app service account
@returns(200) {containerGlobalName: str, containerInstanceName: str, containerOrn: str, created: str(date-time), description: str(regex), id: str(regex), lastUpdated: str(date-time), name: str(regex), ownerGroupIds: [str], ownerUserIds: [str], password: str(password), status: str, statusDetail: str, username: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint PATCH /privileged-access/api/v1/service-accounts/{id}
@desc Update an existing app service account
@optional {description: str(regex) # The description of the app service account, name: str(regex) # The user-defined name for the app service account, ownerGroupIds: [str] # A list of IDs of the Okta groups who own the app service account, ownerUserIds: [str] # A list of IDs of the Okta users who own the app service account}
@returns(200) {containerGlobalName: str, containerInstanceName: str, containerOrn: str, created: str(date-time), description: str(regex), id: str(regex), lastUpdated: str(date-time), name: str(regex), ownerGroupIds: [str], ownerUserIds: [str], password: str(password), status: str, statusDetail: str, username: str} # Success
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /privileged-access/api/v1/service-accounts/{id}
@desc Delete an app service account
@returns(204) No Content
@errors {400: Bad Request, 403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endgroup

@group security
@endpoint POST /security/api/v1/security-events
@desc Publish a security event token
@returns(202) Accepted
@errors {400: Bad Request}

@endgroup

@group webauthn-registration
@endpoint POST /webauthn-registration/api/v1/activate
@desc Activate a preregistered WebAuthn factor
@optional {credResponses: [map{authenticatorEnrollmentId: str, credResponseJwe: str}] # List of credential responses from the fulfillment provider, fulfillmentProvider: str # Name of the fulfillment provider for the WebAuthn preregistration factor, pinResponseJwe: str # Encrypted JWE of the PIN response from the fulfillment provider, serial: str # Serial number of the YubiKey, userId: str # ID of an existing Okta user, version: str # Firmware version of the YubiKey, yubicoSigningJwks: [map{crv!: str, kid!: str, kty!: str, use!: str, x!: str, y!: str}] # List of usable signing keys from Yubico (in JSON Web Key Sets (JWKS) format). The signing keys are used to verify the JSON Web Signature (JWS) inside the JWE.}
@returns(200) {authenticatorEnrollmentIds: [str], fulfillmentProvider: str, userId: str} # Success
@errors {400: PIN or cred requests generation failed, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"credResponses":[{"authenticatorEnrollmentId":"fwf5ajzJEWqknX6lk0g4","credResponseJwe":"eyJlcGsiOnsia3R5IjoiRUM..."}],"fulfillmentProvider":"yubico","pinResponseJwe":"eyJl5IjoiRUMiLCJjcnYcGsiOnsia3...","serial":"3632071","userId":"00us2hPODQncCkxef0g3","version":"5.4.3","yubicoSigningJwks":[{"crv":"P-384","kid":"APCS-Tsgnkey-C19881-H0027616953","kty":"EC","use":"sig","x":"tJc-j5osUCP-75ihCOKsswTOj3XsekayG3x79K2ndyOIXu08gDMkvL8rks06tEAa","y":"hfVGbQeG4l2orqenn-GATWwTm8tLqHFHuwfJp33CCNOMtYYsgkAEnW60ORzt4YV-"}]}

@endpoint POST /webauthn-registration/api/v1/enroll
@desc Enroll a preregistered WebAuthn factor
@optional {enrollmentRpIds: [str] # List of relying party hostnames to register on the YubiKey, fulfillmentProvider: str # Name of the fulfillment provider for the WebAuthn preregistration factor, userId: str # ID of an existing Okta user, yubicoTransportKeyJWK: map{crv!: str, kid!: str, kty!: str, use!: str, x!: str, y!: str} # Elliptic curve key in JSON Web Key (JWK) format. It's used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS (JSON Web Signature) objects in fulfillment responses. The currently agreed protocol uses P-384.}
@returns(200) {credRequests: [map], fulfillmentProvider: str, pinRequestJwe: str, userId: str} # Success
@errors {400: PIN or cred requests generation failed, 403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"enrollmentRpIds":["myorg.okta.com"],"fulfillmentProvider":"yubico","userId":"00us2hPODQncCkxef0g3","yubicoTransportKeyJWK":{"crv":"P-384","kid":"APCS-Ttrans-C19881-I009","kty":"EC","use":"enc","x":"r6AzcX3OSiJk1yQaBVYiBOtzFS9gNSpMDPvnVvl0CAX7el1ZyzmPG_BZ7u8sqTmF","y":"RxPyGH1Xg74E2f5AQGkkddzsvTNY1R3R7mXTEM5wQtr1Y7C4XHlvITNZfU6G"}}

@endpoint POST /webauthn-registration/api/v1/initiate-fulfillment-request
@desc Generate a fulfillment request
@optional {fulfillmentData: [map{customizationId: str, inventoryProductId: str, productId: str}] # List of fulfillment order details, fulfillmentProvider: str # Name of the fulfillment provider for the WebAuthn preregistration factor, userId: str # ID of an existing Okta user}
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"userId":"00us2hPODQncCkxef0g3","fulfillmentProvider":"yubico","fulfillmentData":[{"productId":"55","customizationId":"RXJN83","inventoryProductId":"106"}]}

@endpoint POST /webauthn-registration/api/v1/send-pin
@desc Send a PIN to user
@optional {authenticatorEnrollmentId: str # ID for a WebAuthn preregistration factor in Okta, fulfillmentProvider: str # Name of the fulfillment provider for the WebAuthn preregistration factor, userId: str # ID of an existing Okta user}
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}
@example_request {"authenticatorEnrollmentId":"fwf5ajzJEWqknX6lk0g4","fulfillmentProvider":"yubico","userId":"00us2hPODQncCkxef0g3"}

@endpoint GET /webauthn-registration/api/v1/users/{userId}/enrollments
@desc List all WebAuthn preregistration factors
@returns(200) Success
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint DELETE /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}
@desc Delete a WebAuthn preregistration factor
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endpoint POST /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}/mark-error
@desc Assign the fulfillment error status to a WebAuthn preregistration factor
@returns(204) No Content
@errors {403: Forbidden, 404: Not Found, 429: Too Many Requests}

@endgroup

@end