Download OpenAPI specification:Download
The Identity Cloud REST API lets customers manage their Identity Cloud tenant. The API exposes access management and identity management endpoints, with additional endpoints specific to Identity Cloud tenant environments.
We are now publishing the API spec in OpenAPI 3.0. For the legacy Swagger 2.0 spec, please download swagger.yaml, but note that it may not contain all new functionality.
For Identity Cloud documentation, please visit Backstage.
The Identity Cloud REST API has two different authentication methods:
For a summary of how to use these authentication methods, refer to Authenticate to Identity Cloud REST API.
Environment secrets and variables (ESVs) let you individually configure the development, staging, and production environments in your Identity Cloud tenant.
Variables are used to set configuration values that need to be different for each tenant environment. For example, an external service might need one URL in your development environment, but a different URL in your production environment.
Variables are not versioned, and can be read back. They should not contain secrets.
Variables are injected into Identity Cloud configuration when the underlying services are started or restarted.
_pageSize | integer [ 1 .. 100 ] Default: 25 Accept-API-Version: resource=2.0 only, maximum number of results returned by endpoint before paging |
_pagedResultsCookie | string Default: "" Accept-API-Version: resource=2.0 only, opaque data used for paging result data, can be used for paging instead of having to track pageSize and pagedResultsOffset |
_pagedResultsOffset | integer >= 0 Default: 0 Accept-API-Version: resource=2.0 only, offset of the first result to be returned by endpoint |
_onlyPending | boolean Default: false Accept-API-Version: resource=2.0 only, returns ESVs with unapplied changes |
Accept-API-Version | string resource=2.0 |
{- "pagedResultsCookie": null,
- "remainingPagedResults": 0,
- "result": [
- {
- "_id": "esv-myvariable1",
- "description": "My variable",
- "expressionType": "list",
- "lastChangeDate": "1999-12-31T23:59:59Z",
- "lastChangedBy": "bjensen",
- "loaded": false,
- "valueBase64": "ZGF0YQ=="
}
], - "resultCount": 4,
- "totalPagedResults": 1,
- "totalPagedResultsPolicy": "string"
}
variableId required | string^esv-[a-z0-9_-]{1,124}$ ID of the variable |
Accept-API-Version | string resource=2.0 |
{- "_id": "esv-myvariable1",
- "description": "My variable",
- "expressionType": "list",
- "lastChangeDate": "1999-12-31T23:59:59Z",
- "lastChangedBy": "bjensen",
- "loaded": false,
- "valueBase64": "ZGF0YQ=="
}
variableId required | string^esv-[a-z0-9_-]{1,124}$ ID of the variable |
Accept-API-Version | string resource=2.0 |
{- "_id": "esv-myvariable1",
- "description": "My variable",
- "expressionType": "list",
- "lastChangeDate": "1999-12-31T23:59:59Z",
- "lastChangedBy": "bjensen",
- "loaded": false,
- "valueBase64": "ZGF0YQ=="
}
variableId required | string^esv-[a-z0-9_-]{1,124}$ ID of the variable |
_action required | string Value: "setDescription" |
Accept-API-Version | string resource=2.0 |
The description of this variable
description required | string <= 1000 characters |
{- "description": "My secret"
}
{- "code": 401,
- "message": "unauthorized"
}
Create or update a variable using a predefined name. Once created, a variable name cannot be changed.
variableId required | string^esv-[a-z0-9_-]{1,124}$ ID of the variable |
Accept-API-Version | string resource=2.0 |
JSON body of the new variable
description | string <= 1000 characters |
expressionType | string Enum: "string" "list" "array" "object" "bool" "int" "number" "base64encodedinlined" "keyvaluelist" |
valueBase64 required | string <byte> ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[... |
{- "description": "My variable",
- "expressionType": "array",
- "valueBase64": "ZGF0YQ=="
}
{- "_id": "esv-myvariable1",
- "description": "My variable",
- "expressionType": "list",
- "lastChangeDate": "1999-12-31T23:59:59Z",
- "lastChangedBy": "bjensen",
- "loaded": false,
- "valueBase64": "ZGF0YQ=="
}
Secrets are used to set configuration values that need encrypting. The values may or may not need to be different for each tenant environment. Authorization passwords and authentication signing keys are examples of secrets that might exist in your configuration.
Secrets can have multiple versions enabled to allow rotation, and once set they cannot be read back.
Secrets are injected into Identity Cloud configuration when the underlying services are started or restarted.
Get all secrets, but not their secret versions or secret version values.
_pageSize | integer [ 1 .. 100 ] Default: 25 Accept-API-Version: resource=2.0 only, maximum number of results returned by endpoint before paging |
_pagedResultsCookie | string Default: "" Accept-API-Version: resource=2.0 only, opaque data used for paging result data, can be used for paging instead of having to track pageSize and pagedResultsOffset |
_pagedResultsOffset | integer >= 0 Default: 0 Accept-API-Version: resource=2.0 only, offset of the first result to be returned by endpoint |
_onlyPending | boolean Default: false Accept-API-Version: resource=2.0 only, returns ESVs with unapplied changes |
Accept-API-Version | string resource=2.0 |
{- "pagedResultsCookie": "null",
- "remainingPagedResults": 0,
- "result": [
- {
- "_id": "esv-mysecret1",
- "activeVersion": "1",
- "description": "My secret",
- "encoding": "generic",
- "lastChangeDate": "1999-12-31T23:59:59Z",
- "lastChangedBy": "bjensen",
- "loaded": true,
- "loadedVersion": "1",
- "useInPlaceholders": true
}
], - "resultCount": 4,
- "totalPagedResults": 1,
- "totalPagedResultsPolicy": "string"
}
Delete a secret and all its secret versions and secret version values.
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
Accept-API-Version | string resource=2.0 |
{- "_id": "esv-mysecret1",
- "activeVersion": "1",
- "description": "My secret",
- "encoding": "generic",
- "lastChangeDate": "1999-12-31T23:59:59Z",
- "lastChangedBy": "bjensen",
- "loaded": true,
- "loadedVersion": "1",
- "useInPlaceholders": true
}
Get a secret, but not its secret versions or secret version values.
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
Accept-API-Version | string resource=2.0 |
{- "_id": "esv-mysecret1",
- "activeVersion": "1",
- "description": "My secret",
- "encoding": "generic",
- "lastChangeDate": "1999-12-31T23:59:59Z",
- "lastChangedBy": "bjensen",
- "loaded": true,
- "loadedVersion": "1",
- "useInPlaceholders": true
}
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
_action required | string Value: "setDescription" |
The description of this secret
description required | string <= 1000 characters |
{- "description": "My secret"
}
{- "code": 401,
- "message": "unauthorized"
}
Create a secret and its first secret version.
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
Accept-API-Version | string resource=2.0 |
JSON body of the new secret
description | string <= 1000 characters |
encoding required | string Enum: "generic" "pem" "base64hmac" "base64aes" |
useInPlaceholders required | boolean |
valueBase64 required | string <byte> ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[... |
{- "description": "My secret",
- "encoding": "generic",
- "useInPlaceholders": true,
- "valueBase64": "ZGF0YQ=="
}
{- "_id": "esv-mysecret1",
- "activeVersion": "1",
- "description": "My secret",
- "encoding": "generic",
- "lastChangeDate": "1999-12-31T23:59:59Z",
- "lastChangedBy": "bjensen",
- "loaded": true,
- "loadedVersion": "1",
- "useInPlaceholders": true
}
Get all versions and version metadata of a secret. It is not possible to view the secret values.
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
Accept-API-Version | string resource=2.0 |
[- {
- "createDate": "1999-12-31T23:59:59Z",
- "loaded": false,
- "status": "DISABLED",
- "version": "latest"
}
]
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
_action required | string Value: "create" Can only be create |
Accept-API-Version | string resource=2.0 |
JSON body of the new secret version
valueBase64 required | string <byte> ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[... |
{- "valueBase64": "ZGF0YQ=="
}
{- "createDate": "1999-12-31T23:59:59Z",
- "loaded": false,
- "status": "DISABLED",
- "version": "latest"
}
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
versionId required | string^latest$|^[0-9]+$ ID of the secret version |
Accept-API-Version | string resource=2.0 |
{- "createDate": "1999-12-31T23:59:59Z",
- "loaded": false,
- "status": "DISABLED",
- "version": "latest"
}
Get a version and version metadata of a secret. It is not possible to view the secret value.
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
versionId required | string^latest$|^[0-9]+$ ID of the secret version |
Accept-API-Version | string resource=2.0 |
{- "createDate": "1999-12-31T23:59:59Z",
- "loaded": false,
- "status": "DISABLED",
- "version": "latest"
}
Update the status of a version of a secret to either ENABLED or DISABLED. The latest version of a secret cannot be updated to a status of DISABLED.
secretId required | string^esv-[a-z0-9_-]{1,124}$ ID of the secret |
versionId required | string^latest$|^[0-9]+$ ID of the secret version |
_action required | string Value: "changestatus" Can only be changestatus |
Accept-API-Version | string resource=2.0 |
JSON body of the new status of the secret version
status required | string Enum: "DISABLED" "ENABLED" |
{- "status": "DISABLED"
}
{- "createDate": "1999-12-31T23:59:59Z",
- "loaded": false,
- "status": "DISABLED",
- "version": "latest"
}
A restart of Identity Cloud services is used when new variables or secrets have been created and need to be injected into Identity Cloud configuration.
Get restart status indicating whether any upgrade or rollout restart is taking place on Identity Cloud services.
Accept-API-Version | string resource=2.0 |
{- "restartStatus": "restarting"
}
Initiate restart of Identity Cloud services. This will inject any new variables or secrets into Identity Cloud configuration.
_action required | string Value: "restart" Can only be restart |
Accept-API-Version | string resource=2.0 |
{- "restartStatus": "restarting"
}
Get count of ESV secrets and variables in the environment.
_onlyPending | boolean Default: false Accept-API-Version: resource=2.0 only, returns ESVs with unapplied changes |
Accept-API-Version | string resource=2.0 |
{- "secrets": 10,
- "variables": 0
}
Identity Cloud lets you run self-service promotions to move configuration between a sequential pair of tenant environments.
Starts the lock process on the lower and upper environments
Accept-API-Version required | string protocol=1.0,resource=1.0 |
{- "description": "Environment lock in progress",
- "promotionId": "ba594bbe-a589-4676-80a4-42975a56f5b6",
- "result": "locking"
}
Start the unlock process on the lower and upper environments.
promotionId required | string Promotion unique identifier |
Accept-API-Version required | string protocol=1.0,resource=1.0 |
{- "description": "Environment unlocked",
- "promotionId": "ba594bbe-a589-4676-80a4-42975a56f5b6",
- "result": "unlocked"
}
Get the lock status of the lower and upper environments.
localLockOnly | boolean If set to true this parameter will only return the lock status of the environment the request is aimed at |
Accept-API-Version required | string protocol=1.0,resource=1.0 |
{- "description": "<meaningful when result=Error>",
- "lowerEnv": {
- "promotionId": "ba594bbe-a589-4676-80a4-42975a56f5b6",
- "proxyState": "string",
- "state": "string"
}, - "promotionId": "ba594bbe-a589-4676-80a4-42975a56f5b6",
- "result": "locked",
- "upperEnv": {
- "promotionId": "ba594bbe-a589-4676-80a4-42975a56f5b6",
- "proxyState": "string",
- "state": "string"
}
}
Get the status of a promotion, if one is in progress.
Accept-API-Version required | string protocol=1.0,resource=1.0 |
{- "blockingError": false,
- "encryptedSecrets": [
- "mySecret"
], - "globalLock": "LOCKED",
- "message": "Environment ready for promotion",
- "missingESVs": [
- "myVariable"
], - "promotionId": "7e7634c3-406e-4d37-80a3-d34461c2f309",
- "status": "READY",
- "timeStamp": "2022-02-01T14:17:02+01:00"
}
Promote configuration from the lower environment to the upper environment.
Accept-API-Version required | string protocol=1.0,resource=1.0 |
A request body with info required to initiate a promotion
dryRun required | boolean A boolean denoting whether this a dry run |
ignoreEncryptedSecrets | boolean A boolean denoting whether or not to ignore encrypted secrets detected in config during the promotion |
promoter | string The name of the admin user who initiated the promotion |
promotionDescription | string Promoter specified note to make it easier for them to identify what was promoted |
unlockEnvironmentsAfterPromotion | boolean A boolean denoting whether or not to automatically unlock the environments after a successful promotion |
zendeskTicketReference | string A string denoting the Zendesk ticket reference to be added to the promotion commit message |
{- "dryRun": true,
- "ignoreEncryptedSecrets": true,
- "promoter": "string",
- "promotionDescription": "string",
- "unlockEnvironmentsAfterPromotion": true,
- "zendeskTicketReference": "string"
}
{- "result": "Promotion Complete"
}
This will return the contents of the last run config promotion report
Accept-API-Version required | string protocol=1.0,resource=1.0 |
{- "createdDate": "2022-01-27T15-23+00Z",
- "dryRun": true,
- "missingESVs": [
- "myVariable"
], - "previouslyIgnoredEncryptedSecrets": [
- "string"
], - "promoter": "Barb Jensen",
- "promotionDescription": "Promoting our Forgotten Username journey",
- "promotionId": "da0c66a4-9f37-4f9a-9988-0786ad301b17",
- "report": {
- "AMConfig": [
- {
- "configChange": {
- "added": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "deleted": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "modified": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
]
}, - "configItem": "Email > Templates"
}
], - "IDMConfig": [
- {
- "configChange": {
- "added": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "deleted": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "modified": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
]
}, - "configItem": "Email > Templates"
}
]
}, - "reportId": "da0c66a4-9f37-4f9a-9988-0786ad301b17",
- "reportName": "Report_2022-01-27T15-23+00Z_dryrun=true_a7456dd2-1acd-4bd9-8555-d44b2275a2da"
}
Get a specific promotion report.
reportId required | string Promotion report unique identifier |
Accept-API-Version required | string protocol=1.0,resource=1.0 |
{- "createdDate": "2022-01-27T15-23+00Z",
- "dryRun": true,
- "missingESVs": [
- "myVariable"
], - "previouslyIgnoredEncryptedSecrets": [
- "string"
], - "promoter": "Barb Jensen",
- "promotionDescription": "Promoting our Forgotten Username journey",
- "promotionId": "da0c66a4-9f37-4f9a-9988-0786ad301b17",
- "report": {
- "AMConfig": [
- {
- "configChange": {
- "added": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "deleted": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "modified": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
]
}, - "configItem": "Email > Templates"
}
], - "IDMConfig": [
- {
- "configChange": {
- "added": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "deleted": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "modified": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
]
}, - "configItem": "Email > Templates"
}
]
}, - "reportId": "da0c66a4-9f37-4f9a-9988-0786ad301b17",
- "reportName": "Report_2022-01-27T15-23+00Z_dryrun=true_a7456dd2-1acd-4bd9-8555-d44b2275a2da"
}
Get a provisional report of changes since the last time the lower environment was promoted to the upper environment. The report generated is for informational purposes only and may not reflect all the changes in a full promotion. A dry-run promotion is always recommended prior to a full promotion between environments.
Accept-API-Version required | string protocol=1.0,resource=1.0 |
{- "createdDate": "2022-01-27T15-23+00Z",
- "dryRun": true,
- "missingESVs": [
- "myVariable"
], - "previouslyIgnoredEncryptedSecrets": [
- "string"
], - "promoter": "Barb Jensen",
- "promotionDescription": "Promoting our Forgotten Username journey",
- "promotionId": "da0c66a4-9f37-4f9a-9988-0786ad301b17",
- "report": {
- "AMConfig": [
- {
- "configChange": {
- "added": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "deleted": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "modified": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
]
}, - "configItem": "Email > Templates"
}
], - "IDMConfig": [
- {
- "configChange": {
- "added": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "deleted": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
], - "modified": [
- {
- "name": "UMA Provider",
- "realm": "/bravo",
- "uid": "ou=39c08084-1238-43e8-857f-2e11005eac49,ou=scriptConfigurations,ou=default,ou=OrganizationConfig,ou=1.0,ou=ScriptingService,ou=services,o=alpha,ou=services,ou=am-config"
}
]
}, - "configItem": "Email > Templates"
}
]
}, - "reportId": "da0c66a4-9f37-4f9a-9988-0786ad301b17",
- "reportName": "Report_2022-01-27T15-23+00Z_dryrun=true_a7456dd2-1acd-4bd9-8555-d44b2275a2da"
}
Get a list of previous promotion reports in date order.
Accept-API-Version required | string protocol=1.0,resource=1.0 |
[- {
- "createdDate": "2022-01-19T13:04:00Z",
- "dryRun": true,
- "promotionId": "7575f185-cd0b-4823-b8b1-f677895291d4",
- "reportId": "d19e140-8325-4669-b9f3-1cd82784e24e"
}, - {
- "createdDate": "2022-01-19T13:05:00Z",
- "dryRun": true,
- "promotionId": "7575f185-cd0b-4823-b8b1-f677895291dt",
- "reportId": "d19e140-8325-4669-b9f3-1cd82784e24f"
}
]