๐๏ธ Validate a user token
This endpoint validates a SlashID user token. The response indicates whether the token is valid and its expiration time if so. If the token is not valid, the reason is returned.
๐๏ธ Revoke a user token
This endpoint revokes a SlashID user token.
๐๏ธ List SAML credentials for SSO
Returns a list of existing SAML provider credentials for SSO for your organization.
๐๏ธ Create a new set of SAML provider credentials for SSO
Create a new set of SAML provider credentials for your organization to use with SSO.
๐๏ธ Get an existing set of SAML provider credentials for SSO
Returns an existing set of SAML provider for SSO, specified by the provider credential ID.
๐๏ธ Delete an existing set of SAML provider credentials for SSO
Deletes an existing set of SAML provider credentials for SSO, specified by the provider credential ID.
๐๏ธ Modify an existing set of SAML provider credentials for SSO
Modifies an existing set of SAML provider credentials for SSO, specified by the provider credential ID.
๐๏ธ (Deprecated) Revoke an OAuth token obtained through SSO with OIDC
Revoke a previously obtained OAuth access or refresh token for an IdP. This endpoint is deprecated. Please use /sso/oidc/tokens/revoke/v2 instead.
๐๏ธ Revoke an OAuth token obtained through SSO with OIDC
Revoke a previously obtained OAuth access or refresh token for an IdP
๐๏ธ Retrieve OIDC tokens
Retrieve tokens issued by an OIDC provider as part of an SSO authentication. This endpoint expects a valid SlashID token container issued after an SSO authentication. The response will include all of the OIDC tokens that were issued by that SSO authentication.
๐๏ธ Query tokens obtained through SSO with OIDC
Query the OIDC tokens for a person issued during SSO authentications.
๐๏ธ Get Direct-ID value for a person
This endpoint creates a one-time Direct-ID for a specific user. The returned Direct-ID string can embedded in a URL in the `challenges` query parameter to let your users land on a target page already authenticated.
๐๏ธ Mint a token for a person
This endpoint creates a token for a specific user. Custom claims can be specified in the request body which will be added to the token's payload. Custom claims are added to the token's payload. Tokens created with this endpoint will have an `authenticated_methods` claim equal to ['api']. The following claims are reserved and cannot be specified: - aud - exp - jti - iat - iss - nbf - sub - prev_token_id - oid - org_id - user_id - person_id - first_token - authenticated_methods - oidc_tokens - user_token - groups - roles - access_token - refresh_token - id - id_token - gdpr - gdpr_consent - gdpr_consent_level - parent_user_id - parent_person_id - parent_org_id - parent_oid - attributes - custom_claims - slashid - slashid.dev - slashid.com - slashid.me - sid With the following request body: ``` { 'custom_claims': { 'foo': 'bar', 'baz': {'everything': 42} } } ``` the token in the response will have the following payload: ``` { 'authenticated_methods': [ 'api' ], 'baz': { 'everything': 42 }, 'exp': <expiration time timestamp>, 'first_token': false, 'foo': 'bar', 'iat': <issued at timestamp>, 'iss': <token issuer>, 'jti': <token ID>, 'oid': <organisation ID>, 'person_id': <person ID> } ```
๐๏ธ Retrieve a person's credentials
Retrieves credentials linked to the specified person in your organization.
๐๏ธ Create a new credential
Creates a new credential linked to the specified person in your organization. This credential will then be available for use in future authentication challenges.
๐๏ธ Delete all credentials
Deletes all credentials from a person. Note that deletion is irreversible and the credentials will no longer be usable for authentication.
๐๏ธ Delete a credential object
Deletes the specified credential from a person,organization pair. Note that deletion is irreversible and the credential will no longer be usable for authentication.
๐๏ธ Create or overwrite a password credential.
Creates or overwrites the password credential linked to the specified person in your organization. This credential will then be available for use in future authentication challenges.
๐๏ธ Trigger a password reset flow
Triggers a password reset flow for the specified person and credential. The specified person must then take action to complete the flow and set a new password. Optionally, you can specify which of the person's handles will be used to send the password reset link.
๐๏ธ Rotate a person's password
Rotates a person's password. The specified person does not need to have an existing password credential. A new password credential will be created regardless and returned in the response.
๐๏ธ Retrieve attributes for a person from multiple buckets
Retrieve attributes for a person from one or more buckets. If no buckets are specified, attributes from all buckets will be retrieved. Bucket names can be specified as a comma-separated list in the `buckets` query parameter. All buckets specified must exist, and the organization specified in the header must be able to access them. Empty bucket names are not permitted.
๐๏ธ Create or modify attributes for a person in multiple buckets
Create new attributes or modify existing attributes for a person in one or more attribute buckets. The request body should be a nested object, with bucket names as top-level keys, and key-value pair attributes as values, as shown in the example request body. The buckets must exist and must be accessible by the organization identified in the request header. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Replaces the set of existing attributes with those present in the request. In other words, it deletes any existing attributes that aren't referenced by key in the request.
๐๏ธ Create or modify attributes for a person in multiple buckets
Create new attributes or modify existing attributes for a person in one or more attribute buckets. The request body should be a nested object, with bucket names as top-level keys, and key-value pair attributes as values, as shown in the example request body. The buckets must exist and must be accessible by the organization identified in the request header. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Any existing attribute that isn't referenced by key in the request is left untouched.
๐๏ธ Retrieve attributes for a person from a single bucket
Retrieve attributes for a person from a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. If no attribute names are specified, all attributes in the bucket will be retrieved. Attribute names can be provided as a comma-separated list in the `attributes` query parameter. Empty attribute names are not permitted.
๐๏ธ Create or modify attributes for a person in a single bucket
Create new attributes or modify existing attributes for a person in a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. The request body should be an object consisting of key-value pair attributes. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Replaces the set of existing attributes with those present in the request. In other words, it deletes any existing attributes that aren't referenced by key in the request.
๐๏ธ Delete attributes for a person from a single bucket
Delete attributes for a person from a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. Attribute names can be provided as a comma-separated list in the `attributes` query parameter. Empty attribute names are not permitted. If no attribute names are specified, all attributes in the bucket will be deleted. WARNING: this action is permanent and cannot be undone.
๐๏ธ Create or modify attributes for a person in a single bucket
Create new attributes or modify existing attributes for a person in a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. The request body should be an object consisting of key-value pair attributes. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Any existing attribute that isn't referenced by key in the request is left untouched.
๐๏ธ Get GDPR consent
Takes an organization ID and a person ID and returns the GDPR consent levels and timestamp for that person, if it exists.
๐๏ธ Set GDPR consent
Takes the organization ID, the person ID, and GDPR consent levels, and stores the GDPR consent levels and timestamp. Returns the consent levels and the timestamp at which the consent information was received. This will overwrite existing GDPR consent levels for the specified person. The consent levels indicate the types of data classes the person has allowed during their use of your services, in accordance with GDPR.
๐๏ธ Store GDPR consent
Takes the organization ID, the person ID, and GDPR consent levels, and stores the GDPR consent levels and timestamp. Returns the consent levels and the timestamp at which the consent information was received. This will overwrite existing GDPR consent levels for the specified person. The consent levels indicate the types of data classes the person has allowed during their use of your services, in accordance with GDPR.
๐๏ธ Remove GDPR consent
The function takes the organization ID and person ID and removes the specified GDPR consent, or all consents.
๐๏ธ Retrieve a person
Get a person object by its ID. The function returns the decrypted, abridged person record. Please use the Attributes API to retrieve custom person attributes.
๐๏ธ Delete a person from an organization
Remove the person, specified by its ID, from the organization. Note that access to all the attributes associated with this person will be permanently revoked.
๐๏ธ Modify an existing person
Modify configuration for an existing specific person associated with your organization. This includes the list of roles for the person and whether the person is active or not.
๐๏ธ Get handles for a person
Retrieve the list of handles associated with an existing person
๐๏ธ Add handles to a person
Add one or more handles to an existing person linked to your organization.
๐๏ธ Delete a handle from a person
Remove a handle associated with an existing person
๐๏ธ Get groups for a person
Retrieve the list of groups the specified person belongs to
๐๏ธ Set the groups for a person
Add the person to the groups specified in the request body, and remove the person from any other existing groups. All groups in the request body must already exist. Duplicate groups in the request body will be ignored. If an empty list is supplied in the request body, the person will be removed from all groups they are currently a member of, and will not be added to any others. New groups can be created with the [POST /groups](/docs/api/post-groups) endpoint.
๐๏ธ Get permissions for a person
Retrieve the list of permissions granted to the specified person. It contains both assigned permissions and permissions from roles.
๐๏ธ Get additional permissions for a person
Retrieve the list of additional permissions assigned to person. This endpoint doesn't return permissions from roles.
๐๏ธ Set the permissions for a person
Grant the person the permissions specified in the request body, and revoke the person any other existing permissions. All permissions in the request body must already exist. Duplicate permissions in the request body will be ignored. If an empty list is supplied in the request body, the person will be revoked all permissions they currently have.
๐๏ธ Get roles for a person
Retrieve the list of roles granted to the specified person
๐๏ธ Set the roles for a person
Grant the person the roles specified in the request body, and revoke the person any other existing roles. All roles in the request body must already exist. Duplicate roles in the request body will be ignored. If an empty list is supplied in the request body, the person will be revoked all roles they currently have.
๐๏ธ Retrieve the list of person's organizations
Retrieve details of all the organizations a person belongs to, including: - The organization of the request: the person must be a member of the organization you authenticate with for you to be allowed to retrieve this list - Any sub- and super-organizations that share the person pool with the organization of the request: A hierarchy of organizations can be created using [this API endpoint](/docs/api/post-organizations-suborganizations). When organizations are configured to share a person pool, if the same person registers with multiple organizations in the pool using the same handle, all organizations will see the same person ID for that person.
๐๏ธ Retrieve a list of persons
Retrieve the full list of persons in your organization.
๐๏ธ Create or update a person (idempotent)
This endpoint works as the [`POST /persons`](/docs/api/post-persons) endpoint, except that it is idempotent. If the person already exists, it will be updated with the new data and 200 status code will be returned.
๐๏ธ Create new person
Create a new person linked to your organization. The request must contain at least one handle for the person (email address, phone number, or username). Optionally, you can specify a list of roles, a geographical region and attributes. Attributes are a map from attribute bucket names to key-value pairs. If a person with the specified handles already exists, an error will be returned. If the region is not specified, the person will be created in the region closest to the region of your backend. If you explicitly specify the region and a person with the provided handle already exists in a different region, this endpoint will return an error. A person's region association is eventually consistent between regions. Because of that, creating a person between regions within the time frame of data replication can result in a person being created in multiple regions. You can learn more on the [Cross-region replication model](/docs/access/concepts/replication) page.
๐๏ธ Fetch the import CSV template
Fetch the import CSV template
๐๏ธ Bulk import persons
Bulk import persons into your organization by uploading a CSV file. The import will take the following CSV column headers into consideration: 'slashid:emails','slashid:phone_numbers','slashid:usernames','slashid:region','slashid:groups','slashid:attributes' Each row in the CSV must contain at least one handle for the person (email address, phone number, or a username). Optionally, you can specify a list of roles, a geographical region and attributes. Attributes are a JSON-encoded map from attribute bucket names to key-value pairs. Email addresses, phone numbers, and usernames must be comma-separated.
๐๏ธ Get a list of groups
List the names of all groups that exist for your organization
๐๏ธ Create a group
This endpoint creates a new persons group with the given name. If the group exists already, no action will be taken. The group name must be unique within your organization; is case-sensitive; and must conform to the following: - must be at least 2 characters long - may be at most 100 characters long - may contain only the characters `A-Z a-z 0-9 - _ .` - must start and end with an alphanumeric character (`A-Z a-z 0-9`) A person can be added to a group through the [`POST /persons/:person_id/groups`](/docs/api/put-persons-person-id-groups) endpoint.
๐๏ธ Get a group
Get the named group
๐๏ธ Delete a group
Remove all persons from a group and permanently delete the group.
๐๏ธ List the persons in a group
Lists all the persons in the named group. Returns an array of person IDs.
๐๏ธ Add persons to a group
This endpoint adds one or more persons to an existing group. The group and all of the persons must exist. The persons to be added to the group must always be an array in the request body, even if only one user is being added. All persons needs to be in the same region. A new group can be created with the [POST /groups](/docs/api/post-groups) endpoint.
๐๏ธ Delete a person from a group
Removes the identified person from the named group. Returns an error if the person is not in the group.
๐๏ธ Get a list of permissions
List the names of all permissions that exist for your organization
๐๏ธ Create a permission
This endpoint creates a new permission with the given name. If the permission exists already, no action will be taken. A person can be assigned a permission through the [`POST /persons/:person_id/permissions`](/docs/api/put-persons-person-id-permissions) endpoint. Sub-organization can create permissions only when [`inherit_rbac_pools` is disabled](/docs/api/post-organizations-suborganizations). If `inherit_rbac_pools` is enabled, the permissions from the root organization will be inherited.
๐๏ธ Get a permission
Get the named permission
๐๏ธ Delete a permission
Remove a permission and revoke it for all users. A permission cannot be deleted as long as it's included in a role. Sub-organization can delete roles only when [`inherit_rbac_pools` is disabled](/docs/api/post-organizations-suborganizations).
๐๏ธ Update a permission
Update a permission
๐๏ธ Get a list of roles
List the names of all roles that exist for your organization
๐๏ธ Create a role
This endpoint creates a new role with the given name. If the Role exists already, no action will be taken.
๐๏ธ Get a role
Get the named role
๐๏ธ Delete a role
Remove a role and revoke it for all users.
๐๏ธ Update a role
Update an existing role.
๐๏ธ Check whether a person has a permission
Check whether the given person has the given permission. The service automatically takes into account permissions included in granted roles as well as permissions granted individually.
๐๏ธ List available external credentials
Lists the all available external credentials for third party services. The call doesn't return any key material, credential IDs can be used to retrieve the credential.
๐๏ธ Create a new set of external credentials
Create a new set of credentials for your organization to use with third party services. Includes a provider name and a content whose body is a key value pair of the data needed to authenticate with the third party service - currently only API Key, API ID/API Key, Client Credentials, Access Token and username/password combinations are supported.
๐๏ธ Remove an external credential by id
Remove the specified external credential by id or delete all external credentials. If a credential id is specified, it takes precedence over the deleteAll parameter, so a request with a credentialId specified and deleteAll=true will delete only the specified credential from the list of external credentials. If the specified credential id does not exist in the list of allowed origin credentials, no action will be taken, and a 200 status code will be returned.
๐๏ธ Get the specified credential
Returns the credential specified by the ID. The returned object contains the name of the provider, the credential type and an object which contains the credential material necessary to access a third-party provider (API Key, API ID/API Key, Client Credentials, Access Token and username/password)
๐๏ธ Modify the selected credential
Set the content of the selected credential to be the request body. If the content or name for this credential had previously been created for your organization, it will be overwritten and cannot be retrieved. Otherwise, the new content will be set.
๐๏ธ List available templates
Lists the names of all available templates for communicating with users. Template names can be used to retrieve the template body for your organization.
๐๏ธ Get the named template
Retrieves the message template named in the path. If a custom template was previously created, it will be returned. Otherwise the default template is returned Likewise, any template fields were left empty during creation will be set to their default values.
๐๏ธ Modify the named template
Sets the named message template for your organization. If a template already exists it will be overwritten and cannot be retrieved. The following templates are available for customization: - `email_authn_challenge`: E-mail template with magic link; - `text_authn_challenge`: SMS template with magic link; - `text_otp_message`: SMS template with OTP code; - `email_password_reset_challenge`: E-mail template with a password reset link; - `text_password_reset_challenge`: SMS template with a password reset link. All templates must conform to the [mustache template syntax](https://mustache.github.io/mustache.5.html). The following tags are available: - `{{attestation_url}}`: Magic link URL (at least one of `attestation_url` and `attestation_query_string` are required on `email_authn_challenge` and `text_authn_challenge`) - `{{attestation_query_string}}`: Magic link URL query string (at least one of `attestation_query_string` and `attestation_url` are required on `email_authn_challenge` and `text_authn_challenge`) - `{{password_reset_url}}`: Password reset URL (required on `email_password_reset_challenge` and `text_password_reset_challenge`) - `{{otp_code}}`: OTP code (Required on `text_otp_message`) - `{{org_name}}`: Organization name (Optional) - `{{new_user}}`: `true` for new signups, false for returning users (Optional) Constraints: - Email templates: - Sender name must be at most 128B in size - Subject must be at most 128B in size - Body must be HTML and at most 50KB in size. - SMS: - Body must be at most 140 bytes in size.
๐๏ธ List the allowed domains
Returns a list of the allowed origin domains for your organization.
๐๏ธ Add allowed domains
Add the specified domain patterns to the list of allowed origin domains, or overwrite the existing list. Domains may be specified exactly, or as patterns using asterisk wildcards '*'. The '*' wildcard will match zero or more characters. If a pattern is used, any origin domain matching the pattern will be treated as an allowed domain. Otherwise, the origin domain must match the allowed domain exactly. Matching is case-insensitive. For example, to specify that domain 'xyz.com' and all of its subdomains are allowed, use ['xyz.com', '*.xyz.com']. This would allow requests with origins 'xyz.com', 'a.xyz.com', 'b.c.xyz.com', and so on (but would not allow requests from 'xyz.net'). If overwrite is set to true, all existing allowed domains/patterns will be removed and replaced with the provided list. If overwrite is set to false, the provided list of domain patterns will be appended to the existing list of allowed origin domains. Adding a domain pattern that already exists in the list of allowed origin domains will have no effect.
๐๏ธ Remove allowed domains
Remove the specified domain from the list of allowed origin domains, or delete all domains. origin domains. If the specified domain does not exist in the list of allowed origin domains, no action will be taken, and a 200 status code will be returned. If both domain and deleteAll query parameters are specified, API will return 400 (Bad Request) status code.
๐๏ธ Get the organization's token template
Retrieves the token template for the given organization. If a custom token template was previously created, it will be returned. Otherwise the default template is returned.
๐๏ธ Modify the organization's token template
Sets the token template for your organization. If a template already exists it will be overwritten and cannot be retrieved. The template must conform to the [mustache template syntax](https://mustache.github.io/mustache.5.html). The following tags are available: - `{{ organization }}`: provides information on the organization. Renders to ```json { 'id': '00000000-0000-0000-0000-000000000000', 'name': 'Your Org Name', 'ancestors': [ { 'id': '00000000-0000-0000-0000-111111111111', 'name': 'Parent Name' }, ... ] } ``` The following sub-tags are available: - `{{ organization.id }}`: the ID of the organization. Renders to `00000000-0000-0000-0000-000000000000` - `{{ organization.name }}`: the name of the organization. Renders to `Your Org Name` - `{{ organization.ancestors }}`: the list of ancestor organizations, starting from the parent up to the root. Renders to ```json [{'id': '00000000-0000-0000-0000-111111111111', 'name': 'Parent Name'}, ...] ``` - `{{ person.permissions }}`: provides information on the person's permissions (additional and from roles). Renders to ```json [ 'permission1', 'permission2' ] ```
๐๏ธ List OIDC credentials for SSO
Returns a list of existing OIDC provider credentials for SSO for your organization. Optionally, a provider can be specified to return only credentials for that provider.
๐๏ธ Create a new set of OIDC provider credentials for SSO
Create a new set of OIDC provider credentials for your organization to use with SSO. Includes a client ID, client secret, and the name of the provider. The client ID and client secret should be generated separately using the third-party identity provider you wish to integrate with (such as Google). Not all identity providers are currently supported.
๐๏ธ Get an existing set of OIDC provider credentials for SSO
Returns an existing set of OIDC provider for SSO, specified by the client ID.
๐๏ธ Delete an existing set of OIDC provider credentials for SSO
Deletes an existing set of OIDC provider credentials for SSO, specified by the client ID.
๐๏ธ Modify an existing set of OIDC provider credentials for SSO
Modifies the client secret and/or label of an existing set of OIDC provider credentials for SSO, specified by the client ID.
๐๏ธ Retrieve information about an organization
Retrieve information about which other organizations the given shares persons and groups with.
๐๏ธ Delete an organization
Delete a non-root, leaf organization, including all its persons memberships and their groups memberships and attributes.
๐๏ธ Retrieve attributes for the organization from multiple buckets
Retrieve attributes for the organization from one or more buckets. If no buckets are specified, attributes from all buckets will be retrieved. Bucket names can be specified as a comma-separated list in the `buckets` query parameter. All buckets specified must exist, and the organization specified in the header must be able to access them. Empty bucket names are not permitted.
๐๏ธ Create or modify attributes for the organization in multiple buckets
Create new attributes or modify existing attributes for the organization in one or more attribute buckets. The request body should be a nested object, with bucket names as top-level keys, and key-value pair attributes as values, as shown in the example request body. The buckets must exist and must be accessible by the organization identified in the request header. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Replaces the set of existing attributes with those present in the request. In other words, it deletes any existing attributes that aren't referenced by key in the request.
๐๏ธ Create or modify attributes for the organization in multiple buckets
Create new attributes or modify existing attributes for the organization in one or more attribute buckets. The request body should be a nested object, with bucket names as top-level keys, and key-value pair attributes as values, as shown in the example request body. The buckets must exist and must be accessible by the organization identified in the request header. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Any existing attribute that isn't referenced by key in the request is left untouched.
๐๏ธ Retrieve attributes for the organization from a single bucket
Retrieve attributes for the organization from a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. If no attribute names are specified, all attributes in the bucket will be retrieved. Attribute names can be provided as a comma-separated list in the `attributes` query parameter. Empty attribute names are not permitted.
๐๏ธ Create or modify attributes for the organization in a single bucket
Create new attributes or modify existing attributes for the organization in a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. The request body should be an object consisting of key-value pair attributes. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Replaces the set of existing attributes with those present in the request. In other words, it deletes any existing attributes that aren't referenced by key in the request.
๐๏ธ Delete attributes for the organization from a single bucket
Delete attributes for the organization from a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. Attribute names can be provided as a comma-separated list in the `attributes` query parameter. Empty attribute names are not permitted. If no attribute names are specified, all attributes in the bucket will be deleted. WARNING: this action is permanent and cannot be undone.
๐๏ธ Create or modify attributes for the organization in a single bucket
Create new attributes or modify existing attributes for the organization in a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. The request body should be an object consisting of key-value pair attributes. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Any existing attribute that isn't referenced by key in the request is left untouched.
๐๏ธ List suborganizations
Retrieve a list of all descendant organizations.
๐๏ธ Create a suborganization
Create a new organization subordinate to your organization.
๐๏ธ Generate a new API key for the specified organization
A new API key is created and returned. The previous API key will no longer be valid after this.
๐๏ธ Get organization config
Get the current configuration for your organization
๐๏ธ Update organization config
Modify the configuration for your organization. The token duration determines the number of seconds a token issued by SlashID will be valid for. If not set, or set to 0, the default duration of 24 hours will be used for all tokens. The groups claim name determines the name of the claim in the token payload where a user's groups are found. If not set, or set to the empty string, the default claim name `groups` will be used for all tokens.
๐๏ธ Get current pricing tier details.
This returns the quotas associated with your organization's current pricing tier.
๐๏ธ Get details on all pricing tiers.
This returns the quotas for each available pricing tier.
๐๏ธ Get resource usage for the organization hierarchy.
This returns the resources used by your organization and its suborganizations. This can be used to evaluate the need for a tier upgrade.
๐๏ธ List organization's attribute buckets
Get a list of available attribute buckets for your organization
๐๏ธ Get organization KYC config
Get the current KYC configuration for your organization
๐๏ธ Update KYC organization config
Modify the KYC configuration for your organization. The mobile redirect base URL determines where a user will be redirected to when temporarily switching to a mobile device in order to upload/capture document pictures.
๐๏ธ List all webhooks
Retrieve a list of all webhooks for your organization.
๐๏ธ Create a new webhook
Create a new webhook for your organization. Webhooks will be called in response to triggers, and you can use the `/organizations/webhooks/{webhook_id}/triggers` endpoint to specify which trigger(s) should call each webhook. The request body must contain the target URL for the webhook, and this must be unique for your organization (you cannot have two webhooks with the same target URL). The target URL must use the HTTPS protocol, and must have a host. The host cannot be `localhost` or an IP address. The target URL may have a path element, but may not contain query parameters or fragments. Additionally, you can specify custom headers that will be sent in the HTTP header of each request to your webhook's target URL. These are encrypted when stored, so can be used for sensitive data. You can also choose the webhook's timeout value. This will determine how long your webhook server has to respond to a request before it is considered failed. If you do not set a value, defaults will be used: for synchronous webhook calls, this is 2 seconds; for asynchronous calls, 10 seconds. When choosing a timeout, you should consider how long your webhook will typically need to process a request, and how this may affect user experience (in the case of sychronous webhooks). The value provided should be a string that can be parsed as a [Golang `time.Duration`](https://pkg.go.dev/time#Duration); for example, '10s', '500ms'. The timeout may not be more than 20 seconds, and cannot be negative. If you do not set a timeout, when retrieving the webhook you will see a timeout set to 0s, indicating that the defaults will be used when the webhook is called. You may also specify a name and description for the webhook. The response will contain a webhook ID, which uniquely identifies the newly created webhook. This ID can be used to modify or delete the webhook, and to add triggers for it. For more information on using webhooks with SlashID, see our [dedicated guide](/docs/access/guides/webhooks).
๐๏ธ Get a webhook
Retrieve information about a specific webhook, identified by its ID.
๐๏ธ Delete a webhook
Delete the specified webhook. This will also delete all triggers associated with this webhook. This action cannot be undone.
๐๏ธ Update a webhook
Update an existing webhook, identified by its ID. This endpoint can be used to modify the target URL, custom headers, name, or description of the webhook. Note that the target URL cannot be changed to a URL already in use by another webhook for your organization. Modifying the custom headers will overwrite any existing custom headers for this webhook.
๐๏ธ List webhook triggers
List all the triggers for a specific webhook.
๐๏ธ Create a webhook trigger
Create a new trigger for an existing webhook. Each webhook can have multiple triggers, and will be called on each of them. The trigger type specifies what kind of trigger will cause the webhook to be called. The trigger name specifies the exact trigger that will cause the webhook to be called, amongst all triggers of this type. For a full list of trigger types and names, refer to our [webhooks guide](/docs/access/guides/webhooks).
๐๏ธ Delete a webhook trigger
Delete a trigger for a specific webhook. The webhook will no longer be called on this trigger. Note that for a short period after the delete request has successfully returned, triggers in flight may still cause the webhook to be called.
๐๏ธ Retrieve verification JWKS for webhooks
Endpoint to retrieve a JSON Web Key Set (JWKS) for webhook body verification. When SlashID calls your webhooks in response to a trigger, the body of the request is a signed and encoded JSON Web Token (JWT). The public part of the signing key can be retrieved from this endpoint and used to verify that the request body comes from SlashID, is intended for your webhook, and has not been modified. SlashID uses the ES256 JSON Web Algorithm (JWA), which is the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and SHA256. Support for JWTs and JWKS is available for many languages - [jwt.io](https://jwt.io/libraries) maintains an extensive (but not exhaustive) list of libraries for popular languages. Note that this endpoint is rate-limited to 30 requests per minute per organization, with bursts of 60. It is therefore recommended that you cache the keyset locally in your webhook handlers.
๐๏ธ Retrieve a list of OAuth2 clients
Retrieve a list of existing OAuth 2.0 clients for your organization.
๐๏ธ Create a new OAuth2 client
Create a new client ID/secret pair that can be used with the client credentials grant type. A valid SlashID organization ID and API key must be used to authenticate and authorize the request. The client credentials can be configured. SlashID currently supports the following OAuth 2.0 grants: - client credentials - authorization code - refresh token The `grant_types` field may contain only the values `client_credentials` and `authorization_code`. Other values will return a `400` error code. The client credentials grant requires a client secret, and so all clients allowing that grant should be regarded as confidential, as defined in the OAuth 2.0 specification (https://oauth.net/2/client-types/). The response body will include the client ID and client secret. For the client credentials grant, these can be used with the `/oauth2/tokens` endpoints to obtain an access token. For the authorization code grant, these can be used as described in the [OAuth 2.0 specification](https://datatracker.ietf.org/doc/html/rfc6749). The client secret must be stored securely, and cannot be retrieved in subsequent API calls. If you lose the client secret, a new secret can be generated using the `PUT /oauth2/clients/{oauth_client_id}/secret` endpoint.
๐๏ธ Retrieve an OAuth2 client
Get details on the identified client. Authenticated with a SlashID organization ID and API key; the organization ID must match or be a parent of the client owner.
๐๏ธ Delete an existing OAuth2 client
Delete the identified client. Authenticated with a SlashID organization ID and API key; the organization ID must match or be a parent of the client owner.
๐๏ธ Modify an existing OAuth2 client
Update the identified client. Authenticated with a SlashID organization ID and API key; the organization ID must match or be a parent of the client owner. SlashID currently only supported a subset of OAuth clients, therefore we enforce that grant_types must be ['client_credentials']. Setting this field to any other value will result in an error response with a `400` status code.
๐๏ธ Generate a new client secret
A new client secret is created and returned. The previous secret will no longer be valid after this.
๐๏ธ Retrieve the configuration for the hosted UI
The configuration is used to theme the hosted UI.
๐๏ธ Modify the configuration for the hosted UI
The configuration is used to theme the hosted UI.
๐๏ธ Request an authorization code
Used to initiate an authorization code flow. SlashID is an OAuth 2.0 and OpenID Connect 1.0 provider.
๐๏ธ Obtain an access token
Obtain a new OAuth 2.0 access token using an OAuth 2.0 client ID/secret pair.
๐๏ธ Revoke an access token
Revoke an OAuth 2.0 access token using an OAuth 2.0 client ID/secret pair.
๐๏ธ Introspect an access token
Introspect an OAuth 2.0 access or refresh token using an OAuth 2.0 client ID/secret pair. Note: there is a know issue for this endpoint, whereby the expiry for refresh tokens in the response is incorrect. However, expired refresh tokens will still return a response with `active: false`.
๐๏ธ Mint OAuth 2.0 & OIDC tokens
This endpoint creates a set of OAuth 2.0 tokens for a specific user. To generate a refresh token request scope `offline_access`. To generate an ID token request scope `openid`. Custom claims can be specified in the request body which will be added to the token's payload. Custom claims are added to the token's payload. Tokens created with this endpoint will have an `authenticated_methods` claim equal to ['api']. The following claims are reserved and cannot be specified: - aud - exp - jti - iat - iss - nbf - sub - prev_token_id - oid - org_id - user_id - person_id - first_token - authenticated_methods - oidc_tokens - user_token - groups - roles - access_token - refresh_token - id - id_token - gdpr - gdpr_consent - gdpr_consent_level - parent_user_id - parent_person_id - parent_org_id - parent_oid - attributes - custom_claims - slashid - slashid.dev - slashid.com - slashid.me - sid With the following request body: ``` { 'custom_claims': { 'foo': 'bar', 'baz': {'everything': 42} } } ``` the token in the response will have the following payload: ``` { 'authenticated_methods': [ 'api' ], 'baz': { 'everything': 42 }, 'exp': <expiration time timestamp>, 'first_token': false, 'foo': 'bar', 'iat': <issued at timestamp>, 'iss': <token issuer>, 'jti': <token ID>, 'oid': <organisation ID>, 'person_id': <person ID> } ```
๐๏ธ Retrieve a person's profile
Given the SlashID Access Token obtained during signin, this endpoint returns a person's profile. This endpoint will work only if `openid` was granted as a scope for the Access Token. The information included in the response depends on the scopes requested. For example, a scope of just `openid` may return less information than a scope of `openid profile email`.
๐๏ธ Retrieve a person's profile
Given the SlashID Access Token obtained during signin, this endpoint returns a person's profile. This endpoint will work only if `openid` was granted as a scope for the Access Token. The information included in the response depends on the scopes requested. For example, a scope of just `openid` may return less information than a scope of `openid profile email`.