Authn v2.1 · pilot-root.1kosmos.net/authn · OpenAPI
1Kosmos · Passwordless Authentication

Authn API

Non-phishable, passwordless authentication — biometrics, OTP, push and journeys, federated over OIDC and SAML.

The Authn service delivers passwordless, phishing-resistant authentication. Drive biometric login (FaceID / TouchID with liveness), one-time passwords, TOTP and push; orchestrate multi-step authentication journeys; and federate with external identity and service providers — all issuing standards-based JWTs. FIDO2 and NIST 800-63-3 certified.

59 endpoints across 18 resource groups.

ECDSA-signed: every request is signed with your key pair.

JSON over HTTPS: predictable REST, conventional status codes.

Reference

Base URL

All Authn endpoints are relative to your environment host. Examples on this page use the 1Kosmos pilot environment — swap in your production root when you go live.

Pilot https://pilot-root.1kosmos.net/authn

Content type

Requests and responses use application/json.

GET https://pilot-root.1kosmos.net/authn/healthz
curl -X GET 'https://pilot-root.1kosmos.net/authn/healthz' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
Security

Authentication

Authn uses ECDSA key-pair authentication. Each request carries your credentials as HTTP headers; verification-grade calls additionally sign the request body. Retrieve the system signing key from /publickeys.

Credentials
authMyPublicKey - Caller's ECDSA publicKey (header)
authMyPrivateKey - Caller's ECDSA privateKey (header)
authLicense - License key from License API (header)
Reference

Errors

Authn uses conventional HTTP status codes: 2xx success, 4xx a problem with the request, 5xx a service-side error.

| Status | Meaning | Description |
| --- | --- | --- |
| 200 / 204 | OK | The request succeeded. |
| 400 | Bad Request | Validation failed. |
| 401 | Unauthorized | Missing or invalid credentials. |
| 403 | Forbidden | Authenticated, but not permitted. |
| 404 | Not Found | The resource does not exist. |
| 500 | Server Error | Something went wrong on our side. |

4XX error response
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Validation error"
}
Authn

Authenticate

Initiate and complete authentication flows.

POST /tenant/{tenantId}/community/{communityId}/authenticate

Authenticate users

License must be authorized for community

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the authenticated user, and the public key

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
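
The requestid header described above, as an added example (not 1Kosmos code): building the plaintext on the client and the freshness check a receiving service can apply after decryption. The function names, the replay cache and the acceptance of a skew of exactly 60 seconds are assumptions; the ECDSA step itself is not shown.

```python
import json
import time
import uuid

# Window from the header description: "ts" must be within 60 seconds of now.
# Treating a skew of exactly 60 seconds as acceptable is an assumption.
MAX_SKEW_SECONDS = 60


class RequestIdError(ValueError):
    """Raised when a decrypted requestid fails validation."""


def build_request_id(appid, now=None):
    """Client side: plaintext requestid JSON with the three documented fields.

    The ECDSA step the API requires before sending is not shown here.
    """
    ts = int(time.time() if now is None else now)  # seconds, not milliseconds
    return json.dumps({"appid": appid, "uuid": str(uuid.uuid4()), "ts": ts})


def check_request_id(plaintext, now=None, seen=None):
    """Server side: validate an already-decrypted requestid and return it.

    `seen` is an optional dict (uuid -> ts) used as a replay cache. The cache
    is an assumption of this example; the page specifies only the time window.
    """
    now = time.time() if now is None else now
    try:
        obj = json.loads(plaintext)
    except (TypeError, ValueError) as exc:
        raise RequestIdError("not valid JSON") from exc
    if not isinstance(obj, dict):
        raise RequestIdError("not a JSON object")

    for field in ("appid", "uuid"):
        value = obj.get(field)
        if not isinstance(value, str) or not value:
            raise RequestIdError(f"{field} must be a non-empty string")

    ts = obj.get("ts")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(ts, bool) or not isinstance(ts, (int, float)):
        raise RequestIdError("ts must be a number")
    # Written as "not <=" so that NaN (accepted by json.loads) is rejected.
    # A millisecond timestamp such as JavaScript's Date.now() fails here too.
    if not abs(now - ts) <= MAX_SKEW_SECONDS:
        raise RequestIdError("ts outside the 60-second window")

    if seen is not None:
        # Entries whose ts has left the window can no longer pass the check
        # above, so they are safe to drop from the cache.
        for old in [u for u, t in seen.items() if abs(now - t) > MAX_SKEW_SECONDS]:
            del seen[old]
        if obj["uuid"] in seen:
            raise RequestIdError("uuid already used (replay)")
        seen[obj["uuid"]] = ts
    return obj


def rejection_reason(plaintext, now=None, seen=None):
    """Return None if the requestid is accepted, otherwise the reason string."""
    try:
        check_request_id(plaintext, now=now, seen=seen)
    except RequestIdError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed clock value for a repeatable run
    cache = {}
    fresh = build_request_id("com.example.app", now=NOW)
    samples = {  # constructed inputs
        "fresh": fresh,
        "replayed": fresh,
        "stale": json.dumps({"appid": "a", "uuid": "u-1", "ts": NOW - 61}),
        "milliseconds": json.dumps({"appid": "a", "uuid": "u-2", "ts": NOW * 1000}),
        "string ts": json.dumps({"appid": "a", "uuid": "u-3", "ts": str(NOW)}),
    }
    for label, raw in samples.items():
        verdict = rejection_reason(raw, now=NOW, seen=cache) or "accepted"
        print(f"{label:13} -> {verdict}")
```
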
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

Validation:
1. Username is required
2. At least one of password, pin, or otp should be provided

| Field | Type | Description |
| --- | --- | --- |
| data | object | |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticate
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticate' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"schemeId": "string optional", "moduleId": "string optional", "SAMLResponse": "string optional", "credentials": {"username": "string optional", "password": "string optional", "dn": "string optional", "otp": "string optional", "isPasswordDeferred": "boolean optional", "isSharedPasswordDeferred": "boolean optional", "pin": "string optional", "isOtpFromUwl": "boolean optional"}, "jwt": "string optional"}}'
RESPONSE 200 / 400 / 401 / 403

SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
    "data": "<ecdsa_encrypted_response>",
    "publicKey": "<authn_public_key>",
    "signature_token": "<hashed_signature_token>"
}
```
{
  "data": {
    "user": {
      "type": "basic",
      "email_verified": true,
      "disabled": false,
      "username": "Username",
      "status": "active",
      "firstname": "Fname",
      "middlename": "Mname",
      "lastname": "Lname",
      "email": "email@email.email",
      "phone": "111111111",
      "phone_verified": true,
      "address": {
        "house": "House",
        "streetname": "Streetname",
        "city": "City",
        "country": "Country",
        "zip": "Zip"
      },
      "address_verified": true,
      "uid": "6cc4cc4e-eac9-478f-a871-976ff007ee29",
      "dguid": "6cc4cc4e-eac9-478f-a871-976ff007ee29",
      "tenantId": "607714223fc37d72a2422e86",
      "communityId": "607714223fd37d72a2422e87",
      "roleValue": "none"
    },
    "proof_of_authentication_jwt": "jwt"
  },
  "publicKey": "xxxxxxx",
  "signature_token": "xxxxxxx"
}
POST /tenant/{tenantId}/community/{communityId}/authenticate_with_behavior_auth

Authenticate users with behavior (typing pattern)

Authenticate users using typing pattern. License must be authorized for community. Returns user object and JWT with behavior_auth method if successful.

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

Validation:
1. Username is required
2. TypingPattern is required

| Field | Type | Description |
| --- | --- | --- |
| username | string | |
| authModule | string | |
| pattern | string | |
| jwt | string | |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticate_with_behavior_auth
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticate_with_behavior_auth' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"username": "string", "authModule": "string", "pattern": "string", "jwt": "string"}'
RESPONSE 200 / 400 / 401 / 403

SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
    "data": "<ecdsa_encrypted_response>",
    "publicKey": "<authn_public_key>",
    "signature_token": "<hashed_signature_token>"
}
```
{
  "data": {
    "user": {
      "type": "basic",
      "email_verified": true,
      "disabled": false,
      "username": "Username",
      "status": "active",
      "firstname": "Fname",
      "middlename": "Mname",
      "lastname": "Lname",
      "email": "email@email.email",
      "phone": "111111111",
      "phone_verified": true,
      "address": {
        "house": "House",
        "streetname": "Streetname",
        "city": "City",
        "country": "Country",
        "zip": "Zip"
      },
      "address_verified": true,
      "uid": "6cc4cc4e-eac9-478f-a871-976ff007ee29",
      "dguid": "6cc4cc4e-eac9-478f-a871-976ff007ee29",
      "tenantId": "607714223fc37d72a2422e86",
      "communityId": "607714223fd37d72a2422e87",
      "roleValue": "none"
    },
    "proof_of_authentication_jwt": "jwt"
  },
  "publicKey": "xxxxxxx",
  "signature_token": "xxxxxxx"
}
POST /tenant/{tenantId}/community/{communityId}/authenticate_with_fido

Authenticate users with FIDO

License must be authorized for community

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the authenticated user, and the public key

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

Validation:
1. assertionResults {} is required

| Field | Type | Description |
| --- | --- | --- |
| data | object | |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticate_with_fido
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticate_with_fido' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"username": "string", "authModule": "string", "assertionResults": {}, "jwt": "jwt optional"}}'
RESPONSE 200 / 400 / 401 / 403

SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
    "data": "<ecdsa_encrypted_response>",
    "publicKey": "<authn_public_key>",
    "signature_token": "<hashed_signature_token>"
}
```
{
  "data": {
    "status": "Ok",
    "errorMessage": "",
    "sub": "xxxxx",
    "user": "{ \"username\" : \"xxxxx\"}",
    "authenticatorId": "xxxxxx",
    "authselection": "xxxxxx",
    "proof_of_authentication_jwt": "xxxx.xxxx.xxxx"
  },
  "publicKey": "xxxxxxx",
  "signature_token": "xxxxxxx"
}
POST /tenant/{tenantId}/community/{communityId}/authenticate_with_ktoken

Authenticate users with ktoken

License must be authorized for community

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the authenticated user, and the public key

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

Validation:
1. ktoken is required

| Field | Type | Description |
| --- | --- | --- |
| data | object | |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticate_with_ktoken
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticate_with_ktoken' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"ktoken": "g56hrstyj6i7je5jstbsr65jeh", "attributes": ["groups", "uid", "username"], "jwt": "jwt optional"}}'
RESPONSE 200 / 400 / 401 / 403

SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
    "data": "<ecdsa_encrypted_response>",
    "publicKey": "<authn_public_key>",
    "signature_token": "<hashed_signature_token>"
}
```
{
  "data": {
    "user": {
      "type": "basic",
      "email_verified": true,
      "disabled": false,
      "username": "Username",
      "status": "active",
      "firstname": "Fname",
      "middlename": "Mname",
      "lastname": "Lname",
      "email": "email@email.email",
      "phone": "111111111",
      "phone_verified": true,
      "address": {
        "house": "House",
        "streetname": "Streetname",
        "city": "City",
        "country": "Country",
        "zip": "Zip"
      },
      "address_verified": true,
      "uid": "6cc4cc4e-eac9-478f-a871-976ff007ee29",
      "dguid": "6cc4cc4e-eac9-478f-a871-976ff007ee29",
      "tenantId": "607714223fc37d72a2422e86",
      "communityId": "607714223fd37d72a2422e87",
      "roleValue": "none"
    },
    "proof_of_authentication_jwt": "jwt"
  },
  "publicKey": "xxxxxxx",
  "signature_token": "xxxxxxx"
}
POST /tenant/{tenantId}/community/{communityId}/authenticate_with_liveid

Authenticate users with LiveId [V2 CP]

Authenticate users with LiveId Selfie

License must be authorized for community

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the authenticated user, and the public key

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticate_with_liveid
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticate_with_liveid' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '"string"'
RESPONSE 200 / 400 / 401 / 403

SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
    "data": "<ecdsa_encrypted_response>",
    "publicKey": "<authn_public_key>",
    "signature_token": "<hashed_signature_token>"
}
```

Response object if **PIN** not needed:

```
{
    "data": {
        "publicKey": "<wallet publickey>",
        "did": "<wallet did>",
        "publicKey": "$wallet.publicKey",
        "username": "",
        "uid": "",
        "dguid": "",
        "status": "",
        "roleValue": "",
        "type": "",
        "moduleId": "",
        "onboarding_status": "",
        "email": "",
        "firstname": "",
        "lastname": "",
        "phone": "",
        "urn": "",
        "proof_of_authentication_jwt": "xxx",
        "pon_data": {}
    },
    "publicKey": "<authn_public_key>"
}
```

Response object if **PIN** needed:

```
{
    "data": {
        "user_token": "<user jwt token>",
        "next": {
            "step": "need_mfa",
            "allowed_factors": [
                "pin"
            ]
        }
    },
    "publicKey": "<authn_public_key>"
}
```
"string"
POST /tenant/{tenantId}/community/{communityId}/authenticate_with_uwl

Authenticate users with UWL

License must be authorized for community

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the authenticated user, and the public key

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

Validation:
1. ktoken is required

| Field | Type | Description |
| --- | --- | --- |
| data | object | |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticate_with_uwl
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticate_with_uwl' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"username": "string required", "authenticator_did": "string required", "authenticator_publickey": "string required", "nonce": "string required", "nonce_signature": "string required", "jwt": "jwt optional"}}'
RESPONSE 200 / 400 / 401 / 403

SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
    "data": "<ecdsa_encrypted_response>",
    "publicKey": "<authn_public_key>",
    "signature_token": "<hashed_signature_token>"
}
```
{
  "data": {
    "user": {
      "type": "basic",
      "email_verified": true,
      "disabled": false,
      "username": "Username",
      "status": "active",
      "firstname": "Fname",
      "middlename": "Mname",
      "lastname": "Lname",
      "email": "email@email.email",
      "phone": "111111111",
      "phone_verified": true,
      "address": {
        "house": "House",
        "streetname": "Streetname",
        "city": "City",
        "country": "Country",
        "zip": "Zip"
      },
      "address_verified": true,
      "uid": "6cc4cc4e-eac9-478f-a871-976ff007ee29",
      "dguid": "6cc4cc4e-eac9-478f-a871-976ff007ee29",
      "tenantId": "607714223fc37d72a2422e86",
      "communityId": "607714223fd37d72a2422e87",
      "roleValue": "none"
    },
    "proof_of_authentication_jwt": "jwt"
  },
  "publicKey": "xxxxxxx",
  "signature_token": "xxxxxxx"
}
POST /tenant/{tenantId}/community/{communityId}/oidc/sso

Authenticate users for Service Provider by OIDC SSO mechanism

Authenticate users

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the oidc_token and other data needed to complete SSO, and the public key

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

| Field | Type | Description |
| --- | --- | --- |
| data | object | |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/oidc/sso
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/oidc/sso' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"OIDCPayload": {"OIDCRequest": "xxxxxxxxxxxxx", "acr": "string optional"}, "userSession": {"pon_data": {}, "authenticator_data": {}, "user": {"uid": "xxxxxxxxxxxxx", "moduleId": "xxxxxxxxxxxxx"}, "jit": "xxxxxxxxxxxxx", "aal": "xxxxxxxxxxxxx", "wallet": {"publicKey": "xxxxxxxxxxxxx", "privateKey": "xxxxxxxxxxxxx", "id": "xxxxxxxxxxxxx"}}}}'
RESPONSE 200 / 400 / 401 / 403 / 404 / 420

SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
    "data": "<ecdsa_encrypted_response>",
    "publicKey": "<authn_public_key>"
}
```
{
  "sid": "xxxxxxxxxxxxx",
  "oidc_token": "xxxxxxxxxxxxx",
  "oidc_url_response": "xxxxxxxxxxxxx"
}
POST /tenant/{tenantId}/community/{communityId}/request/proof_of_authentication

Gets jwt proof of authentication

Gets the proof of the user's authentication, encoded in a JWT.

License must be authorized for community with authLevel = system, service, service_ext

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the authenticated user, and the public key

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
| x-forwarded-for | string | Client IP address that can be forwarded through n service layers |
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

Validation:
1. If ktoken is provided, then username, password, pin and otp are not allowed
2. If ktoken is not provided, then username is required
3. If ktoken is not provided, then at least one of password or otp or pin should be provided

| Field | Type | Description |
| --- | --- | --- |
| data | object | |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/request/proof_of_authentication
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/request/proof_of_authentication' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'x-forwarded-for: <value>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"user": {"username": "string required", "uid": "string optional", "moduleId": "string optional", "urn": "string optional"}, "methods": ["string required"], "ttl": 30}}'
RESPONSE 200 / 400 / 401 / 403

SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
    "data": "<ecdsa_encrypted_response>",
    "publicKey": "<authn_public_key>",
    "signature_token": "<hashed_signature_token>"
}
```
{
  "proof_of_authentication": "jwt"
}
POST /tenant/{tenantId}/community/{communityId}/saml/idp-init

IDP-Initiated SAML SSO

Generate a SAML assertion without a prior SAMLRequest (unsolicited response).

The service provider must be of type saml with saml_config.idpInitiated: true. The SP's own saml_config is used for ACS URL, audience, signing, nameid, and attributes.

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object with SAMLResponse, relayState, and SP info

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
Request body

Request body contains 'data' field with encrypted object below:

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

{
    serviceProviderId: "string required - ID of the SAML service provider with idpInitiated: true",
    idpInitConfig: "object optional":
    {
        relayState: "string optional - relay state to pass through"
    },
    userSession: "object required":
    {
        pon_data: "object required",
        authenticator_data: "object required",
        user: "object required":
        {
            uid: "string required",
            moduleId: "string required"
        },
        wallet: {
            publicKey: "string optional",
            privateKey: "string optional",
            id: "string optional"
        },
        aal: "string required"
    }
}
| Field | Type | Description |
| --- | --- | --- |
| data | string | ECDSA encrypted request data |

POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/saml/idp-init
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/saml/idp-init' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": "string"}'
RESPONSE 200 / 400 / 401 / 403 / 404

Success

publicKey is the public key of the Authn API, useful for decryption.

Response data is an ECDSA-encrypted object:

```
{
    "SAMLResponse": "base64 string",
    "relayState": "string (optional)",
    "sp": {
        "assertionConsumerServiceURL": "string - url",
        "assertionMethod": "string - post or get"
    }
}
```
{
  "data": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "publicKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
POST /tenant/{tenantId}/community/{communityId}/saml/sso

Authenticate users for Service Provider by SAML SSO mechanism

Authenticate users

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the SAMLResponse and other data needed to complete SSO, and the public key

Path parameters
| Name | Type | Description |
| --- | --- | --- |
| tenantId (required) | string | Id of tenant |
| communityId (required) | string | Id of community |
Headers
| Name | Type | Description |
| --- | --- | --- |
| licensekey (required) | string | License key encrypted with ECDSA |
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number, epoch timestamp in seconds); the timestamp must be within 60 seconds of the current time |
| publickey (required) | string | Public Key |
Request body

Request body contains 'data' field with encrypted object below:

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger.

{
    SAMLPayload: "object required":
    {
        SAMLRequest: "string required",
        Signature: "string optional",
        SigAlg: "string optional",
        RelayState: "string optional",
    },
    userSession: "object required":
    {
        pon_data: "object required",
        authenticator_data: "object required",
        user: "object required":
        {
            uid: "string required"
        },
        wallet: {
            publicKey: "string optional",
            privateKey: "string optional",
            id: "string optional",
        }
    }
}
Field  Type    Description
data   object
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/saml/sso
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/saml/sso' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"SAMLPayload": {"SAMLRequest": "string", "Signature": "xxxxxxxxxxxxx", "RelayState": "xxxxxxxxxxxxx", "SigAlg": "xxxxxxxxxxxxx"}, "userSession": {"pon_data": {"key": "value"}, "authenticator_data": {"key": "value"}, "user": {"uid": "uid", "moduleId": "moduleId"}, "wallet": {"publicKey": "publicKey", "privateKey": "privateKey", "id": "id"}, "aal": "xxxxxxxxxxxxx"}}}'
RESPONSE
200
400
401
403
420
Success

publicKey is the public key of the Authn API, useful for decryption. The response data is an ECDSA-encrypted object representing the SAMLResponse and other properties used to perform SAML SSO:

```
{
  "SAMLResponse": "base64 string",
  "sp": {
    "assertionConsumerServiceURL": "string - url",
    "assertionMethod": "string - post or get"
  }
}
```
{
  "data": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "publicKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
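The requestid header described above carries a JSON object with "appid", "uuid" and "ts", accepted only within 60 seconds of the current time. The following is an added example, not 1Kosmos code: it builds that plaintext (the encryption step is not specified on this page and is left out) and shows a receiver-side freshness check. The inclusive 60-second boundary, the milliseconds guard and the uuid replay cache are assumptions of this example.

```python
import json
import time
import uuid

MAX_SKEW_SECONDS = 60  # window stated in the requestid header description


def build_requestid(appid, now=None):
    """Return the plaintext JSON for the requestid header (before encryption)."""
    ts = int(time.time() if now is None else now)  # epoch seconds, not milliseconds
    return json.dumps({"appid": appid, "uuid": str(uuid.uuid4()), "ts": ts})


class RequestIdChecker:
    """Receiver-side check of an already decrypted requestid (hypothetical helper)."""

    def __init__(self, max_skew=MAX_SKEW_SECONDS):
        self.max_skew = max_skew
        self._seen = {}  # uuid -> ts, kept only while the ts is still inside the window

    def check(self, plaintext, now=None):
        """Return (accepted, reason)."""
        now = time.time() if now is None else now
        try:
            doc = json.loads(plaintext)
        except (TypeError, ValueError):
            return False, "not valid JSON"
        if not isinstance(doc, dict):
            return False, "not a JSON object"
        for field in ("appid", "uuid"):
            if not isinstance(doc.get(field), str) or not doc[field]:
                return False, f"{field} must be a non-empty string"
        ts = doc.get("ts")
        # bool is a subclass of int in Python, so rule it out explicitly
        if isinstance(ts, bool) or not isinstance(ts, (int, float)):
            return False, "ts must be a number"
        if ts > 10**11:
            return False, "ts looks like milliseconds, expected seconds"
        # written as "not (<=)" so that NaN, which json.loads accepts, is rejected
        if not (abs(now - ts) <= self.max_skew):
            return False, f"ts not within {self.max_skew} seconds of now"
        # Assumption: refuse a uuid that was already accepted inside the window.
        # Older entries can be dropped because their ts would fail the check above.
        self._seen = {u: t for u, t in self._seen.items()
                      if abs(now - t) <= self.max_skew}
        if doc["uuid"] in self._seen:
            return False, "uuid already used"
        self._seen[doc["uuid"]] = ts
        return True, "ok"
```

Clock drift on the caller is the usual cause of rejections here, so keep the host time-synchronised rather than widening the window.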
POST /tenant/{tenantId}/community/{communityId}/wsfed/sso

Authenticate users for Service Provider by WSFED SSO mechanism

Authenticate users

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the SAMLResponse and other data needed to complete SSO, along with the public key

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

Request body contains 'data' field with encrypted object below:

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

{
    WSfedPayload: "object required":
    {
        wtrealm: "string required",
        wa: "string required",
        wreply: "string optional",
        wctx: "string optional",
    },
    userSession: "object required":
    {
        pon_data: "object required",
        authenticator_data: "object required",
        user: "object required":
        {
            uid: "string required"
        },
        wallet: {
            publicKey: "string optional",
            privateKey: "string optional",
            id: "string optional",
        }
    }
}
Field  Type    Description
data   object
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/wsfed/sso
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/wsfed/sso' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"WSFedPayload": {"wtrealm": "string", "wa": "xxxxxxxxxxxxx", "wreply": "xxxxxxxxxxxxx", "wctx": "xxxxxxxxxxxxx"}, "userSession": {"pon_data": {"key": "value"}, "authenticator_data": {"key": "value"}, "user": {"uid": "uid", "moduleId": "moduleId"}, "wallet": {"publicKey": "publicKey", "privateKey": "privateKey", "id": "id"}, "aal": "xxxxxxxxxxxxx"}}}'
RESPONSE
200
400
401
403
420
Success

publicKey is the public key of the Authn API, useful for decryption. The response data is an ECDSA-encrypted object representing the SAMLResponse and other properties used to perform SAML SSO:

```
{
  "wresult": "string",
  "wctx": "string",
  "sp": {
    "assertionConsumerServiceURL": "string - url",
    "assertionMethod": "string - post or get"
  }
}
```
{
  "data": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "publicKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
Authn

Identity Providers

Federate with upstream identity providers.

POST /tenant/{tenantId}/community/{communityId}/idp/fetch

Fetch IDPs

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing list of IDPs

IMPORTANT: You can see unencrypted data, it is only a preview available in Swagger

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/idp/fetch
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/idp/fetch' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"id": "id", "type": "oidc"}}'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
```
[
  "string"
]
POST /tenant/{tenantId}/community/{communityId}/idp/{idpIdentifier}/metadata

Get IDP SAML metadata

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing IDP Metadata

IMPORTANT: You can see unencrypted data, it is only a preview available in Swagger

Path parameters
Name                      Type    Description
tenantId (required)       string  Id of tenant
communityId (required)    string  Id of community
idpIdentifier (required)  string  Unique identifier of idp
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

Request body contains 'data' field with encrypted object below:

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

{
    ssoUrl: "string required",
    sloUrl: "string required"
}
Field  Type    Description
data   object
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/idp/{idpIdentifier}/metadata
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/idp/<idpIdentifier>/metadata' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"ssoUrl": "string", "sloUrl": "string"}}'
RESPONSE
200
400
403
404
Success
{
  "data": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "publicKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
POST /tenant/{tenantId}/community/{communityId}/samlRequest/generate

Generate SAML Request

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing generated saml request

IMPORTANT: You can see unencrypted data, it is only a preview available in Swagger

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/samlRequest/generate
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/samlRequest/generate' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"idpId": "uuid", "dns": "1k-dev.1kosmos.net"}}'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
```
{
  "SAMLRequest": "string",
  "RedirectUrl": "www.google.com",
  "RequestBinding": "string",
  "ForceAuthn": true
}
PUT /tenant/{tenantId}/community/{communityId}/idp

Create IDP

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: You can see unencrypted data, it is only a preview available in Swagger

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
PUT https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/idp
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/idp' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"type": "oidc", "oidc_config": {"name": "name", "description": "description", "scopes": [{"name": "name", "display_name": "Display Name", "consent_required": true, "claims": [{"claim_name": null, "attribute_name": null, "attribute_type": null, "value_type": null, "value": null}]}]}}}'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
```
"string"
PATCH /tenant/{tenantId}/community/{communityId}/idp/{id}

Update IDP

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing updated

IMPORTANT: You can see unencrypted data, it is only a preview available in Swagger

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
id (required)           string  Id of idp
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
PATCH https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/idp/{id}
cURL
curl -X PATCH 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/idp/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"oidc_config": {"name": "name", "description": "description", "scopes": [{"name": "name", "display_name": "Display Name", "consent_required": true, "claims": [{"claim_name": null, "attribute_name": null, "attribute_type": null, "value_type": null, "value": null}]}]}}}'
RESPONSE
200
400
403
404
SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
```
"string"
DELETE /tenant/{tenantId}/community/{communityId}/idp/{id}

Delete IDP

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns 204 No Content

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
id (required)           string  Id of idp
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
DELETE https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/idp/{id}
cURL
curl -X DELETE 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/idp/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
204
400
403
No Content - SUCCESS
// no response body
Authn

Service Providers

Register the applications that consume authentication.

GET /tenant/{tenantId}/community/{communityId}/serviceprovider/{id}

Get Service Provider by ID or entityId or client_id

Get Service Provider by ID or entityId. If no service provider is found with the given id, the API then tries to find one by saml_config.entityId

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

id (required)

Id of MongoDB object or saml_config.entityId or oidc_config.client_id

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns ECDSA encoded service provider object

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
id (required)           string  Id of service provider or saml_config.entityId
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
GET https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/serviceprovider/{id}
cURL
curl -X GET 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/serviceprovider/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
200
400
404
SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
```
{
  "data": "string"
}
POST /tenant/{tenantId}/community/{communityId}/serviceprovider/fetch

Get list of service providers

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns ECDSA encoded array of service provider objects

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/serviceprovider/fetch
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/serviceprovider/fetch' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
```
{
  "data": [
    {}
  ]
}
PUT /tenant/{tenantId}/community/{communityId}/serviceprovider

Create Service Provider

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the created service provider, along with the public key

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

For type SAML: send only saml_config

For type OIDC: send only oidc_config

Field  Type    Description
data   object
PUT https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/serviceprovider
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/serviceprovider' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": "string"}'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
```
{
  "data": "string"
}
PUT /tenant/{tenantId}/community/{communityId}/serviceprovider/{type}

Create Service Provider for featured applications

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

type (required)

Supported types: auth0, okta, salesforce, forgerock, gsuite, zendesk

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the created service provider, along with the public key

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
type (required)         string  Supported types - auth0, okta, salesforce, forgerock, gsuite, zendesk
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

Request body contains 'data' field with encrypted object below:

{
    "name": "string required",
    "domain": "url required / for GSuite: string required",
    "ssoUrl": "url required / for Zendesk: optional",
    "config": "object required - see available configs below"
}

Configs:

For Auth0:
{
    "clientId": "string required",
    "clientSecret": "string required"
}

For Okta:
{
    "apiToken": "string required"
}

For Forgerock:
{
    "username": "string required",
    "password": "string required",
    "useExistingCOT": "boolean required",
    "COT": "string optional if useExistingCOT === false",
    "hostedSP": "string optional if useExistingCOT === true"
}

For Salesforce:
{
    "username": "string required",
    "password": "string required",
    "securityToken": "string required"
}

For GSuite:
{
    "serviceAccountEmail": "string required",
    "adminEmail": "string required",
    "serviceAccountPrivateKey": "string required",
    "sloUrl": "string required"
}

For Zendesk:
{}

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

Field  Type    Description
data   object
PUT https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/serviceprovider/{type}
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/serviceprovider/<type>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"name": "string", "domain": "string", "ssoUrl": "https://1k-dev.1kosmos.net/newui/default/sso", "config": {}}}'
RESPONSE
200
400
403
Success

publicKey is the public key of the Authn API, useful for decryption. The response data is an ECDSA-encrypted object representing the created service provider:

```
{
  "_id": "6070951e8dfc7f29228126c9",
  "name": "Service provider's name",
  "environment": "Environment name",
  "type": "saml",
  "saml_config": {
    "_id": "6070951e8dfc7f29228126ca",
    "accessUrl": "http://google.com",
    "entityId": "http://google.com",
    "assertionMethod": "post",
    "assertionConsumerServiceURL": "http://google.com",
    "logoutRequestSignRequired": true,
    "logoutResponseSignRequired": true,
    "authRequestSignRequired": true,
    "assertionSignRequired": true,
    "signingCert": "signingCert",
    "encryptionCert": "encryptionCert",
    "encryptionAlgo": "ecdsa",
    "nameid": {
      "_id": "6070951e8dfc7f29228126cb",
      "format": "emailAddress",
      "value": "one of session_scope",
      "attribute_type": "session/ledger/identity"
    },
    "attributes": [
      {
        "_id": "6070951e8dfc7f29228126cc",
        "uuid": "xxxx-xxxxxxx-xxxxxxxxxx-xxxxxxxxxx",
        "claim_name": "string",
        "attribute_name": "string",
        "attribute_type": "session",
        "value_type": "static",
        "value": "value"
      }
    ],
    "metadata": "<note>\\n<to>T</to>\\n<from>F</from>\\n<heading>R</heading>\\n<body>DF</body>\\n</note>"
  },
  "forceReauthentication": "true/false",
  "communityId": "community",
  "logo": "logo",
  "__v": 0
}
```
{
  "data": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "publicKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
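An added example, not part of the 1Kosmos reference: a pre-flight check of the featured-application request body against the shapes listed above, run before the object is encrypted, plus a log-safe copy with the upstream credentials masked. Rejecting config keys the page does not list for a type, treating COT and hostedSP as optional strings, and the choice of which keys count as credentials are assumptions of this example.

```python
from urllib.parse import urlsplit

# Required config keys per featured type, taken from the "Configs" list on this page.
REQUIRED_CONFIG = {
    "auth0": ("clientId", "clientSecret"),
    "okta": ("apiToken",),
    "forgerock": ("username", "password", "useExistingCOT"),
    "salesforce": ("username", "password", "securityToken"),
    "gsuite": ("serviceAccountEmail", "adminEmail",
               "serviceAccountPrivateKey", "sloUrl"),
    "zendesk": (),
}
# Assumption: both Forgerock extras are treated as optional strings here.
OPTIONAL_CONFIG = {"forgerock": ("COT", "hostedSP")}
# Assumption: the config values this example treats as credentials.
SECRET_KEYS = frozenset({"clientSecret", "apiToken", "password",
                         "securityToken", "serviceAccountPrivateKey"})


def _is_url(value):
    """True for an absolute http(s) URL with a host."""
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def validate_featured_sp(sp_type, body):
    """Return a list of problems; an empty list means the documented shape is met."""
    if sp_type not in REQUIRED_CONFIG:
        return [f"unsupported type: {sp_type!r}"]
    if not isinstance(body, dict):
        return ["body: object required"]
    errors = []
    if not isinstance(body.get("name"), str) or not body["name"]:
        errors.append("name: string required")
    domain = body.get("domain")
    if sp_type == "gsuite":  # GSuite takes a plain string, the others a URL
        if not isinstance(domain, str) or not domain:
            errors.append("domain: string required")
    elif not _is_url(domain):
        errors.append("domain: url required")
    # ssoUrl is optional only for Zendesk, but is still checked when present
    if (sp_type != "zendesk" or "ssoUrl" in body) and not _is_url(body.get("ssoUrl")):
        errors.append("ssoUrl: url required")
    config = body.get("config")
    if not isinstance(config, dict):
        return errors + ["config: object required"]
    for key in REQUIRED_CONFIG[sp_type]:
        expected = bool if key == "useExistingCOT" else str
        value = config.get(key)
        if not isinstance(value, expected) or (expected is str and not value):
            errors.append(f"config.{key}: {expected.__name__} required")
    optional = OPTIONAL_CONFIG.get(sp_type, ())
    for key in optional:
        if key in config and not isinstance(config[key], str):
            errors.append(f"config.{key}: str expected")
    for key in config:
        if key not in REQUIRED_CONFIG[sp_type] and key not in optional:
            errors.append(f"config.{key}: not documented for {sp_type}")
    return errors


def redact(body):
    """Shallow copy of body for logging, with credential values masked."""
    safe = dict(body)
    if isinstance(body.get("config"), dict):
        safe["config"] = {k: "<redacted>" if k in SECRET_KEYS else v
                          for k, v in body["config"].items()}
    return safe
```

Log only the output of `redact`, never the plaintext body: these configs carry API tokens, passwords and a service-account private key for the upstream provider.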
PATCH /tenant/{tenantId}/community/{communityId}/serviceprovider/{id}

Update Service Provider

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

id (required)

Id of MongoDB object

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns an ECDSA-encoded object representing the updated service provider, along with the public key

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
id (required)           string  Id of service provider
Headers
Name                   Type    Description
licensekey (required)  string  License key encrypted with ECDSA
requestid (required)   string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)   string  Public Key
Request body

IMPORTANT - you can send unencrypted data and you will get unencrypted data as well; this is only a preview available in Swagger

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}

For type SAML: send only saml_config

For type OIDC: send only oidc_config

Field  Type    Description
data   object
PATCH https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/serviceprovider/{id}
cURL
curl -X PATCH 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/serviceprovider/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": "string"}'
RESPONSE
200
400
403
404
SUCCESS

IMPORTANT - Unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
```
{
  "data": "string"
}
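An added example (not 1Kosmos code) of the requestid freshness rule these endpoints describe: it builds the plaintext JSON and validates it on the receiving side. The ECDSA-based encryption step is not shown, and the uuid replay cache, the reason strings and the names build_requestid and RequestIdChecker are assumptions of this example.

```python
import json
import uuid

ALLOWED_SKEW_SECONDS = 60  # window stated on this page; a deployment may configure another


def build_requestid(appid, now):
    """Return the plaintext requestid JSON (the ECDSA-based encryption step is not shown)."""
    return json.dumps({"appid": appid, "uuid": str(uuid.uuid4()), "ts": int(now)})


class RequestIdChecker:
    """Receiver-side validation of a decrypted requestid value."""

    def __init__(self, allowed_skew=ALLOWED_SKEW_SECONDS):
        self.allowed_skew = allowed_skew
        # uuid -> ts of requestids already accepted. The page only states the
        # time window; rejecting a reused uuid inside it is an assumption.
        self._seen = {}

    def check(self, plaintext, now):
        """Return 'ok' or a reason string; `now` is epoch seconds."""
        try:
            obj = json.loads(plaintext)
        except ValueError:
            return "malformed"
        if not isinstance(obj, dict):
            return "malformed"
        appid, uid, ts = obj.get("appid"), obj.get("uuid"), obj.get("ts")
        ts_is_number = isinstance(ts, (int, float)) and not isinstance(ts, bool)
        if not (isinstance(appid, str) and appid
                and isinstance(uid, str) and uid and ts_is_number):
            return "bad_fields"
        # A millisecond timestamp is a common client mistake; report it
        # separately so it is not confused with ordinary clock drift.
        if ts > 10**11:
            return "ts_not_seconds"
        # "shouldn't be more or less than 60 seconds from now": the bound is
        # symmetric, so timestamps too far in the future are rejected as well.
        if abs(now - ts) > self.allowed_skew:
            return "outside_window"
        # Entries past the window can no longer be accepted, so drop them.
        self._seen = {u: t for u, t in self._seen.items()
                      if now - t <= self.allowed_skew}
        if uid in self._seen:
            return "replayed"
        self._seen[uid] = ts
        return "ok"


if __name__ == "__main__":
    import time

    checker = RequestIdChecker()
    rid = build_requestid("com.example.app", time.time())  # constructed appid
    print(checker.check(rid, time.time()))  # first use
    print(checker.check(rid, time.time()))  # same value presented again
```

Clients whose clocks drift by more than the window fail every call, so the separate reason strings are worth logging on the receiving side.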
DELETE /tenant/{tenantId}/community/{communityId}/serviceprovider/{id}

Delete Service Provider

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

id (required)

Id of MongoDB object

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

204 No Content

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
id (required)           string  Id of service provider
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
Request body

Request body contains 'data' field with encrypted object below:

IMPORTANT: you can send unencrypted data and you will get unencrypted data back as well, but this is only a preview available in Swagger.

  {
     "data": "<ecdsa_encrypted_data>"
  }
Field  Type    Description
data   object
DELETE https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/serviceprovider/{id}
cURL
curl -X DELETE 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/serviceprovider/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {}}'
RESPONSE
Status codes: 204, 400, 403
Success
// no response body
POST /tenant/{tenantId}/community/{communityId}/user_consent/check

Check user consents

License must be of authLevel = system, service, service_ext, app or app_ext

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than CaaS.environment.allowed_time_span from now

publickey (required)

Public key

Returns

Returns object with consents array

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
Request body

Request body is unencrypted

Field     Type           Description
userUrn   string
spId      string
scopeIds  array<string>
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/user_consent/check
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/user_consent/check' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"userUrn": "xxxxxxxxxxxxx", "spId": "xxxxxxxxxxxxx", "scopeIds": ["xxxxxxxx"]}'
RESPONSE
Status codes: 200, 400, 403, 404
SUCCESS
{
  "consents": [
    {
      "version": "xxxxxxx",
      "jurisdiction": "xxxxxxx",
      "consentTimestamp": 123456789,
      "collectionMethod": "xxxxxxx",
      "consentReceiptID": "xxxxxxx",
      "publicKey": "xxxxxxx",
      "piiPrincipal": {
        "urn": "xxxxxxx",
        "username": "xxxxxxx",
        "did": "xxxxxxx",
        "publicKey": "xxxxxxx"
      },
      "piiProcessor": [
        {
          "tenantDns": "xxxxxxx",
          "tenantId": "xxxxxxx",
          "communityName": "xxxxxxx",
          "communityId": "xxxxxxx"
        }
      ],
      "policyUrl": "xxxxxxx",
      "scopes": [
        {
          "name": "xxxxxxx",
          "uuid": "xxxxxxx",
          "claims": [
            "xxxxxxx"
          ],
          "consentType": "xxxxxxx"
        }
      ],
      "requestID": "xxxxxxx",
      "user_agent": "xxxxxxx",
      "clientIP": "xxxxxxx",
      "signature": "xxxxxxx",
      "services": [
        "string"
      ]
    }
  ]
}
POST /tenant/{tenantId}/community/{communityId}/user_consent/fetch

Fetch user consents

License must be of authLevel = system, service, service_ext, app or app_ext

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than CaaS.environment.allowed_time_span from now

publickey (required)

Public key

Returns

Returns object with consents array

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
Request body

Request body is unencrypted

Field    Type    Description
userUrn  string
spId     string
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/user_consent/fetch
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/user_consent/fetch' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"userUrn": "xxxxxxxxxxxxx", "spId": "xxxxxxxxxxxxx"}'
RESPONSE
Status codes: 200, 400, 403
SUCCESS
{
  "consents": [
    {
      "version": "xxxxxxx",
      "jurisdiction": "xxxxxxx",
      "consentTimestamp": 123456789,
      "collectionMethod": "xxxxxxx",
      "consentReceiptID": "xxxxxxx",
      "publicKey": "xxxxxxx",
      "piiPrincipal": {
        "urn": "xxxxxxx",
        "username": "xxxxxxx",
        "did": "xxxxxxx",
        "publicKey": "xxxxxxx"
      },
      "piiProcessor": [
        {
          "tenantDns": "xxxxxxx",
          "tenantId": "xxxxxxx",
          "communityName": "xxxxxxx",
          "communityId": "xxxxxxx"
        }
      ],
      "policyUrl": "xxxxxxx",
      "scopes": [
        {
          "name": "xxxxxxx",
          "uuid": "xxxxxxx",
          "claims": [
            "xxxxxxx"
          ],
          "consentType": "xxxxxxx"
        }
      ],
      "requestID": "xxxxxxx",
      "user_agent": "xxxxxxx",
      "clientIP": "xxxxxxx",
      "signature": "xxxxxxx",
      "services": [
        "string"
      ]
    }
  ]
}
POST /tenant/{tenantId}/community/{communityId}/user_consent/fetch_by_scope

Fetch latest user consent by controller type and scope name

Fetch the latest consent record for a user filtered by controller type and scope name. Returns the most recent record sorted by updatedTs descending, or null if no match.

License must be of authLevel = system, service, service_ext, app or app_ext

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number)

publickey (required)

Public key

Returns

Returns object with consent (latest record or null)

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA
publickey (required)    string  Public Key
Request body

Request body is unencrypted

Field                      Type    Description
userUrn (required)         string
controllerType (required)  string
scopeName (required)       string
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/user_consent/fetch_by_scope
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/user_consent/fetch_by_scope' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"userUrn": "xxxxxxxxxxxxx", "controllerType": "xxxxxxxxxxxxx", "scopeName": "xxxxxxxxxxxxx"}'
RESPONSE
Status codes: 200, 400, 403, 500
Returns the latest consent record or null
{
  "consent": {}
}
Authn

Authentication Journey

Compose multi-step, policy-driven login journeys.

POST /tenant/{tenantId}/community/{communityId}/authenticationJourney/fetch

Fetch AuthenticationJourney

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: You can see unencrypted data, but it is only a preview available in Swagger.

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
Request body

IMPORTANT: you can send unencrypted data and you will get unencrypted data back as well, but this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticationJourney/fetch
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticationJourney/fetch' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"ids": ["xxxxxxxx"]}}'
RESPONSE
Status codes: 200, 400, 403
SUCCESS
IMPORTANT: the unencrypted response is only available in Swagger. In a real application, you will get data as follows:
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
Unencrypted Swagger preview:
{
  "id": "uuid",
  "tenantId": "tenantId",
  "communityId": "communityId",
  "journeyName": "journeyName",
  "enabled": true,
  "groups": {
    "value": [
      "groups"
    ],
    "operator": "overlap"
  },
  "deviceId": {
    "value": [
      "deviceId"
    ],
    "operator": "overlap"
  },
  "application": {
    "value": [
      "Salesforce"
    ],
    "operator": "in"
  },
  "username": {
    "value": [
      "username"
    ],
    "operator": "in"
  },
  "ip": {
    "value": [
      "10.10.10.10"
    ],
    "operator": "in_range"
  },
  "domain": {
    "value": [
      "1k-dev.com"
    ],
    "operator": "in"
  },
  "machineNames": {
    "value": [
      "qa-win2016-0"
    ],
    "operator": "in"
  },
  "machineIds": {
    "value": [
      "B324123"
    ],
    "operator": "in"
  },
  "machineUsers": {
    "value": [
      "user@qa-win2016-0"
    ],
    "operator": "in"
  },
  "mobileLocation": {
    "value": 100,
    "operator": "gt"
  },
  "decision": {
    "action": "mfa_required",
    "authenticationMethods": [
      "password_and_otp"
    ]
  }
}
PUT /tenant/{tenantId}/community/{communityId}/authenticationJourney

Create AuthenticationJourney

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: You can see unencrypted data, but it is only a preview available in Swagger.

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
Request body

IMPORTANT: you can send unencrypted data and you will get unencrypted data back as well, but this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
PUT https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticationJourney
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticationJourney' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"name": "auth-journey-1", "enabled": true, "groups": {"value": ["group a", "group b"], "operator": "overlap"}, "deviceIds": {"value": ["device-id-1", "device-id-2"], "operator": "overlap"}, "applications": {"value": ["salesforce", "gsuite"], "operator": "in"}, "usernames": {"value": ["username_1", "username_2"], "operator": "in"}, "ip": {"value": "192.136.456.200-192.136.456.300", "operator": "in"}, "domain": {"value": ["google.com", "1kosmos.com"], "operator": "in"}, "decision": {"action": "mfa_required", "authenticationMethods": ["password_and_otp", "fido"]}, "machineNames": {"value": ["qa-win2016-0"], "operator": "in"}, "machineIds": {"value": ["B324123"], "operator": "in"}, "machineUsers": {"value": ["user@qa-win2016-0"], "operator": "in"}, "mobileLocation": {"value": 100, "operator": "gt"}}}'
RESPONSE
Status codes: 200, 400, 403
SUCCESS
IMPORTANT: the unencrypted response is only available in Swagger. In a real application, you will get data as follows:
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
Unencrypted Swagger preview:
{
  "data": {
    "name": "auth-journey-1",
    "enabled": true,
    "groups": {
      "value": [
        "group a",
        "group b"
      ],
      "operator": "overlap"
    },
    "deviceIds": {
      "value": [
        "device-id-1",
        "device-id-2"
      ],
      "operator": "overlap"
    },
    "applications": {
      "value": [
        "salesforce",
        "gsuite"
      ],
      "operator": "in"
    },
    "usernames": {
      "value": [
        "username_1",
        "username_2"
      ],
      "operator": "in"
    },
    "ip": {
      "value": "192.136.456.200-192.136.456.300",
      "operator": "in"
    },
    "domain": {
      "value": [
        "google.com",
        "1kosmos.com"
      ],
      "operator": "in"
    },
    "decision": {
      "action": "mfa_required",
      "authenticationMethods": [
        "password_and_otp",
        "fido"
      ]
    },
    "machineNames": {
      "value": [
        "qa-win2016-0"
      ],
      "operator": "in"
    },
    "machineIds": {
      "value": [
        "B324123"
      ],
      "operator": "in"
    },
    "machineUsers": {
      "value": [
        "user@qa-win2016-0"
      ],
      "operator": "in"
    },
    "mobileLocation": {
      "value": 100,
      "operator": "gt"
    }
  }
}
PATCH /tenant/{tenantId}/community/{communityId}/authenticationJourney/{id}

Update AuthenticationJourney

Update AuthenticationJourney - this does a full delete and replace of all rules, then updates the authenticationJourney

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: You can see unencrypted data, but it is only a preview available in Swagger.

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
id (required)           string  Id of authenticationJourney
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
Request body

IMPORTANT: you can send unencrypted data and you will get unencrypted data back as well, but this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
PATCH https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticationJourney/{id}
cURL
curl -X PATCH 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticationJourney/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"name": "auth-journey-1", "enabled": true, "groups": {"value": ["group a", "group b"], "operator": "overlap"}, "deviceIds": {"value": ["device-id-1", "device-id-2"], "operator": "overlap"}, "applications": {"value": ["salesforce", "gsuite"], "operator": "in"}, "usernames": {"value": ["username_1", "username_2"], "operator": "in"}, "ip": {"value": "192.136.456.200-192.136.456.300", "operator": "in"}, "domain": {"value": ["google.com", "1kosmos.com"], "operator": "in"}, "decision": {"action": "mfa_required", "authenticationMethods": ["password_and_otp", "fido"]}, "machineNames": {"value": ["qa-win2016-0"], "operator": "in"}, "machineIds": {"value": ["B324123"], "operator": "in"}, "machineUsers": {"value": ["user@qa-win2016-0"], "operator": "in"}, "mobileLocation": {"value": 100, "operator": "gt"}}}'
RESPONSE
Status codes: 200, 400, 403
SUCCESS
IMPORTANT: the unencrypted response is only available in Swagger. In a real application, you will get data as follows:
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
Unencrypted Swagger preview:
{
  "data": {
    "name": "auth-journey-1",
    "enabled": true,
    "groups": {
      "value": [
        "group a",
        "group b"
      ],
      "operator": "overlap"
    },
    "deviceIds": {
      "value": [
        "device-id-1",
        "device-id-2"
      ],
      "operator": "overlap"
    },
    "applications": {
      "value": [
        "salesforce",
        "gsuite"
      ],
      "operator": "in"
    },
    "usernames": {
      "value": [
        "username_1",
        "username_2"
      ],
      "operator": "in"
    },
    "ip": {
      "value": "192.136.456.200-192.136.456.300",
      "operator": "in"
    },
    "domain": {
      "value": [
        "google.com",
        "1kosmos.com"
      ],
      "operator": "in"
    },
    "decision": {
      "action": "mfa_required",
      "authenticationMethods": [
        "password_and_otp",
        "fido"
      ]
    },
    "machineNames": {
      "value": [
        "qa-win2016-0"
      ],
      "operator": "in"
    },
    "machineIds": {
      "value": [
        "B324123"
      ],
      "operator": "in"
    },
    "machineUsers": {
      "value": [
        "user@qa-win2016-0"
      ],
      "operator": "in"
    },
    "mobileLocation": {
      "value": 100,
      "operator": "gt"
    }
  }
}
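Because PATCH does a full delete and replace of all rules, a body that omits a condition removes it. The following added example (not 1Kosmos code) lints a journey body before it is sent and lists the conditions a PATCH would drop. It assumes both bodies use the request shape of the PUT sample; the operator set, the value checks and all function names are assumptions drawn from this page's samples.

```python
import ipaddress

# Operators that appear in this page's sample payloads; the full set is an assumption.
KNOWN_OPERATORS = {"overlap", "in", "in_range", "gt", "eq"}

# Abridged from this page's PUT sample body (the object under "data").
SAMPLE_BODY = {
    "name": "auth-journey-1",
    "enabled": True,
    "groups": {"value": ["group a", "group b"], "operator": "overlap"},
    "ip": {"value": "192.136.456.200-192.136.456.300", "operator": "in"},
    "mobileLocation": {"value": 100, "operator": "gt"},
    "decision": {"action": "mfa_required",
                 "authenticationMethods": ["password_and_otp", "fido"]},
}


def conditions(body):
    """Condition entries of a journey body: every key whose value carries an 'operator'."""
    return {k: v for k, v in body.items() if isinstance(v, dict) and "operator" in v}


def ip_findings(value):
    """Check single IPv4 addresses and 'start-end' ranges (the two forms in the samples)."""
    findings = []
    for item in value if isinstance(value, list) else [value]:
        try:
            addrs = [ipaddress.IPv4Address(p.strip()) for p in str(item).split("-")]
        except ValueError:
            findings.append(f"ip: {item!r} is not a valid IPv4 address or range")
            continue
        if len(addrs) > 2 or (len(addrs) == 2 and addrs[0] > addrs[1]):
            findings.append(f"ip: {item!r} is not an ascending start-end range")
    return findings


def lint_journey(body):
    """Return a list of findings for one journey body; an empty list means none."""
    findings = []
    for name, cond in conditions(body).items():
        if cond["operator"] not in KNOWN_OPERATORS:
            findings.append(f"{name}: unknown operator {cond['operator']!r}")
        if "value" not in cond or cond["value"] in ([], "", None):
            # A condition with nothing to match is flagged rather than guessed at.
            findings.append(f"{name}: empty value")
        elif name == "ip":
            findings.extend(ip_findings(cond["value"]))
    # Every sample on this page carries decision.action; treating it as
    # required is an assumption of this check.
    decision = body.get("decision")
    if not (isinstance(decision, dict) and decision.get("action")):
        findings.append("decision: missing action")
    return findings


def dropped_by_patch(previous_body, patch_body):
    """Conditions present in the body last sent but absent from the PATCH body.

    PATCH replaces all rules, so each name returned here stops being enforced.
    """
    return sorted(set(conditions(previous_body)) - set(conditions(patch_body)))


if __name__ == "__main__":
    for finding in lint_journey(SAMPLE_BODY):
        print(finding)
    partial = {"name": "auth-journey-1",
               "groups": SAMPLE_BODY["groups"],
               "decision": SAMPLE_BODY["decision"]}
    print("dropped by PATCH:", dropped_by_patch(SAMPLE_BODY, partial))
```

The sample range on this page fails the address check because its octets exceed 255; the fetch response uses different key names (deviceId, application, username), so compare against the body that was last sent rather than a fetched journey.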
DELETE /tenant/{tenantId}/community/{communityId}/authenticationJourney/{id}

Delete Authentication Journey

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns 204 No Content

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
id (required)           string  Id of authenticationJourney
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
DELETE https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/authenticationJourney/{id}
cURL
curl -X DELETE 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/authenticationJourney/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
Status codes: 204, 400, 403
No Content - SUCCESS
// no response body
Authn

Authentication Journey V 2

Authentication Journey V 2 endpoints.

POST /v2/tenant/{tenantId}/community/{communityId}/authenticationJourney/fetch

Fetch AuthenticationJourneyV2

This endpoint fetches an authentication journey from the authenticationjourney_v2 collection using the provided filters.

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: You can see unencrypted data, but it is only a preview available in Swagger.

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
Request body

IMPORTANT: you can send unencrypted data and you will get unencrypted data back as well, but this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
POST https://pilot-root.1kosmos.net/authn/v2/tenant/{tenantId}/community/{communityId}/authenticationJourney/fetch
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/v2/tenant/<tenantId>/community/<communityId>/authenticationJourney/fetch' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"ids": ["xxxxxxxx"], "requestingAppId": "adminx", "appConfigIds": ["123456", "22222"], "category": "adaptive_auth_fallback_policy_v2"}}'
RESPONSE
Status codes: 200, 400, 403
SUCCESS
IMPORTANT: the unencrypted response is only available in Swagger. In a real application, you will get data as follows:
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
Unencrypted Swagger preview:
{
  "id": "uuid",
  "tenantId": "tenantId",
  "communityId": "communityId",
  "journeyName": "journeyName",
  "enabled": true,
  "groups": {
    "value": [
      "groups"
    ],
    "operator": "overlap"
  },
  "deviceId": {
    "value": [
      "deviceId"
    ],
    "operator": "overlap"
  },
  "application": {
    "value": [
      "Salesforce"
    ],
    "operator": "in"
  },
  "username": {
    "value": [
      "username"
    ],
    "operator": "in"
  },
  "ip": {
    "value": [
      "10.10.10.10"
    ],
    "operator": "in_range"
  },
  "domain": {
    "value": [
      "1k-dev.com"
    ],
    "operator": "in"
  },
  "machineNames": {
    "value": [
      "qa-win2016-0"
    ],
    "operator": "in"
  },
  "machineIds": {
    "value": [
      "B324123"
    ],
    "operator": "in"
  },
  "machineUsers": {
    "value": [
      "user@qa-win2016-0"
    ],
    "operator": "in"
  },
  "mobileLocation": {
    "value": 100,
    "operator": "gt"
  },
  "decision": {
    "action": "mfa_required",
    "authenticationMethods": [
      "password_and_otp"
    ]
  }
}
PUT /v2/tenant/{tenantId}/community/{communityId}/authenticationJourney

Create V2 AuthenticationJourney

This endpoint creates an authentication journey in the authenticationjourney_v2 collection, as well as the rules for that authentication journey in the rules engine.

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: You can see unencrypted data, but it is only a preview available in Swagger.

Path parameters
Name                    Type    Description
tenantId (required)     string  Id of tenant
communityId (required)  string  Id of community
Headers
Name                    Type    Description
licensekey (required)   string  License key encrypted with ECDSA
requestid (required)    string  JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required)    string  Public Key
Request body

IMPORTANT: you can send unencrypted data and you will get unencrypted data back as well, but this is only a preview available in Swagger.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field  Type    Description
data   object
PUT https://pilot-root.1kosmos.net/authn/v2/tenant/{tenantId}/community/{communityId}/authenticationJourney
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/v2/tenant/<tenantId>/community/<communityId>/authenticationJourney' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"name": "auth-journey-1", "enabled": true, "category": "adaptive_auth_fallback_policy_v2", "groups": {"value": ["group a", "group b"], "operator": "overlap"}, "deviceIds": {"value": ["device-id-1", "device-id-2"], "operator": "overlap"}, "requestingAppId": {"value": "adminx", "operator": "eq"}, "relyingAppId": {"value": "gsuite", "operator": "eq"}, "appConfigId": {"value": "124356656", "operator": "eq"}, "usernames": {"value": ["username_1", "username_2"], "operator": "in"}, "ip": {"value": "192.136.456.200-192.136.456.300", "operator": "in"}, "domain": {"value": ["google.com", "1kosmos.com"], "operator": "in"}, "decision": {"action": "mfa_required", "authenticationMethods": ["password_and_otp", "fido"]}, "machineNames": {"value": ["qa-win2016-0"], "operator": "in"}, "machineIds": {"value": ["B324123"], "operator": "in"}, "machineUsers": {"value": ["user@qa-win2016-0"], "operator": "in"}}}'
RESPONSE
Status codes: 200, 400, 403
SUCCESS
IMPORTANT: the unencrypted response is only available in Swagger. In a real application, you will get data as follows:
{
  "data": "<ecdsa_encrypted_response>",
  "publicKey": "<authn_public_key>"
}
Unencrypted Swagger preview:
{
  "data": {
    "name": "auth-journey-1",
    "enabled": true,
    "category": "adaptive_auth_fallback_policy_v2",
    "groups": {
      "value": [
        "group a",
        "group b"
      ],
      "operator": "overlap"
    },
    "deviceIds": {
      "value": [
        "device-id-1",
        "device-id-2"
      ],
      "operator": "overlap"
    },
    "requestingAppId": {
      "value": "adminx",
      "operator": "eq"
    },
    "relyingAppId": {
      "value": "gsuite",
      "operator": "eq"
    },
    "appConfigId": {
      "value": "124356656",
      "operator": "eq"
    },
    "usernames": {
      "value": [
        "username_1",
        "username_2"
      ],
      "operator": "in"
    },
    "ip": {
      "value": "192.136.456.200-192.136.456.300",
      "operator": "in"
    },
    "domain": {
      "value": [
        "google.com",
        "1kosmos.com"
      ],
      "operator": "in"
    },
    "decision": {
      "action": "mfa_required",
      "authenticationMethods": [
        "password_and_otp",
        "fido"
      ]
    },
    "machineNames": {
      "value": [
        "qa-win2016-0"
      ],
      "operator": "in"
    },
    "machineIds": {
      "value": [
        "B324123"
      ],
      "operator": "in"
    },
    "machineUsers": {
      "value": [
        "user@qa-win2016-0"
      ],
      "operator": "in"
    }
  }
}
PATCH /v2/tenant/{tenantId}/community/{communityId}/authenticationJourney/{id}

Update AuthenticationJourney V2

This endpoint updates an authentication journey in the authenticationjourney_v2 collection and performs a full delete and replace of all related rules in the rules engine.

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: The unencrypted data shown here is only a preview available in Swagger.

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
id (required) | string | Id of authenticationJourney
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
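The requestid rule above as an added example (not 1Kosmos code): it builds the plaintext payload and checks it against the 60-second window before it is encrypted, including the common mistake of sending milliseconds. The ECDSA encryption step is not specified on this page and is left out; the function names, the millisecond threshold and treating exactly 60 seconds as acceptable are assumptions.

```python
import json
import math
import time
import uuid

# Freshness window taken from the requestid header description (seconds).
MAX_SKEW_SECONDS = 60
# Assumption: a ts above this is epoch milliseconds, not seconds
# (1e11 seconds is roughly the year 5138).
MILLISECOND_THRESHOLD = 1e11


def build_requestid_payload(appid, now=None):
    """Return the plaintext requestid JSON; encrypting it is a separate step."""
    ts = int(time.time() if now is None else now)
    return json.dumps({"appid": appid, "uuid": str(uuid.uuid4()), "ts": ts})


def check_requestid_payload(plaintext, now=None):
    """Return a list of problems; an empty list means well formed and fresh."""
    now = time.time() if now is None else now
    try:
        obj = json.loads(plaintext)
    except (TypeError, ValueError):
        return ["payload is not valid JSON"]
    if not isinstance(obj, dict):
        return ["payload is not a JSON object"]

    problems = []
    for field in ("appid", "uuid"):
        value = obj.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f'"{field}" must be a non-empty string')

    ts = obj.get("ts")
    # bool is a subclass of int in Python, and json.loads accepts NaN/Infinity,
    # so both are excluded explicitly.
    if (isinstance(ts, bool) or not isinstance(ts, (int, float))
            or (isinstance(ts, float) and not math.isfinite(ts))):
        problems.append('"ts" must be a number')
    elif ts > MILLISECOND_THRESHOLD:
        problems.append('"ts" looks like milliseconds; epoch seconds are expected')
    elif abs(now - ts) > MAX_SKEW_SECONDS:
        side = "past" if ts < now else "future"
        problems.append(
            f'"ts" is {abs(now - ts):.0f}s in the {side}; limit is {MAX_SKEW_SECONDS}s'
        )
    return problems


def seconds_until_stale(plaintext, now=None):
    """Seconds left before the payload leaves the window (0 if invalid or stale)."""
    now = time.time() if now is None else now
    if check_requestid_payload(plaintext, now):
        return 0.0
    ts = json.loads(plaintext)["ts"]
    return max(0.0, ts + MAX_SKEW_SECONDS - now)
```

A client that caches the header for retries can call seconds_until_stale to decide when to rebuild it instead of replaying an expired value.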
Request body

IMPORTANT - In Swagger you can send unencrypted data and you will get unencrypted data back; this is only a preview.

In a real application, you have to send encrypted data as follows:

{
    "data": "<ecdsa_encrypted_data>"
}
Field | Type | Description
data | object |
PATCH https://pilot-root.1kosmos.net/authn/v2/tenant/{tenantId}/community/{communityId}/authenticationJourney/{id}
cURL
curl -X PATCH 'https://pilot-root.1kosmos.net/authn/v2/tenant/<tenantId>/community/<communityId>/authenticationJourney/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"name": "auth-journey-1", "enabled": true, "category": "adaptive_auth_fallback_policy_v2", "groups": {"value": ["group a", "group b"], "operator": "overlap"}, "deviceIds": {"value": ["device-id-1", "device-id-2"], "operator": "overlap"}, "requestingAppId": {"value": "adminx", "operator": "eq"}, "relyingAppId": {"value": "gsuite", "operator": "eq"}, "appConfigId": {"value": "124356656", "operator": "eq"}, "usernames": {"value": ["username_1", "username_2"], "operator": "in"}, "ip": {"value": "192.136.456.200-192.136.456.300", "operator": "in"}, "domain": {"value": ["google.com", "1kosmos.com"], "operator": "in"}, "decision": {"action": "mfa_required", "authenticationMethods": ["password_and_otp", "fido"]}, "machineNames": {"value": ["qa-win2016-0"], "operator": "in"}, "machineIds": {"value": ["B324123"], "operator": "in"}, "machineUsers": {"value": ["user@qa-win2016-0"], "operator": "in"}}}'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - The unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{ "data": "<ecdsa_encrypted_response>", "publicKey": "<authn_public_key>" }
```
{
  "data": {
    "name": "auth-journey-1",
    "enabled": true,
    "category": "adaptive_auth_fallback_policy_v2",
    "groups": {
      "value": [
        "group a",
        "group b"
      ],
      "operator": "overlap"
    },
    "deviceIds": {
      "value": [
        "device-id-1",
        "device-id-2"
      ],
      "operator": "overlap"
    },
    "requestingAppId": {
      "value": "adminx",
      "operator": "eq"
    },
    "relyingAppId": {
      "value": "gsuite",
      "operator": "eq"
    },
    "appConfigId": {
      "value": "124356656",
      "operator": "eq"
    },
    "usernames": {
      "value": [
        "username_1",
        "username_2"
      ],
      "operator": "in"
    },
    "ip": {
      "value": "192.136.456.200-192.136.456.300",
      "operator": "in"
    },
    "domain": {
      "value": [
        "google.com",
        "1kosmos.com"
      ],
      "operator": "in"
    },
    "decision": {
      "action": "mfa_required",
      "authenticationMethods": [
        "password_and_otp",
        "fido"
      ]
    },
    "machineNames": {
      "value": [
        "qa-win2016-0"
      ],
      "operator": "in"
    },
    "machineIds": {
      "value": [
        "B324123"
      ],
      "operator": "in"
    },
    "machineUsers": {
      "value": [
        "user@qa-win2016-0"
      ],
      "operator": "in"
    }
  }
}
DELETE /v2/tenant/{tenantId}/community/{communityId}/authenticationJourney/{id}

Delete V2 Authentication Journey

This endpoint deletes an authentication journey from the authenticationjourney_v2 collection by Id and deletes the rules associated with that authentication journey's Id from the rules engine.

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns 204 No Content

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
id (required) | string | Id of authenticationJourney
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
DELETE https://pilot-root.1kosmos.net/authn/v2/tenant/{tenantId}/community/{communityId}/authenticationJourney/{id}
cURL
curl -X DELETE 'https://pilot-root.1kosmos.net/authn/v2/tenant/<tenantId>/community/<communityId>/authenticationJourney/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
204
400
403
No Content - SUCCESS
// no response body

External Idp

External Idp endpoints.

POST /tenant/{tenantId}/community/{communityId}/external_idp/fetch

Fetch ExternalIdp

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: The unencrypted data shown here is only a preview available in Swagger.

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
Request body

IMPORTANT - In Swagger you can send unencrypted data and you will get unencrypted data back; this is only a preview.

In a real application, you have to send encrypted data as follows:

{
   data: {
     ids: [string, optional]
   }
}
Field | Type | Description
data | object |
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/external_idp/fetch
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/external_idp/fetch' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"ids": ["xxxxxxxx"]}}'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - The unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{ "data": "<ecdsa_encrypted_response>", "publicKey": "<authn_public_key>" }
```
{
  "data": {
    "connection": {
      "idpName": "Okta",
      "idpEntityId": "Okta",
      "samlLoginUrl": "Okta",
      "samlLogoutUrl": "Okta",
      "ssoBinding": "Okta",
      "sloBinding": "Okta",
      "forceAuthn": true,
      "spEntityId": "Okta",
      "spSigningCertificate": "Okta",
      "spPrivateKey": "Okta",
      "idpSigningCertificate": "Okta"
    },
    "routingPolicy": {
      "enabled": true,
      "groups": {
        "value": [
          "group-a",
          "group-b"
        ],
        "operator": "overlap"
      },
      "usernames": {
        "value": [
          "user_a",
          "user_b"
        ],
        "operator": "overlap"
      },
      "usersInIdpStore": true
    }
  }
}
PUT /tenant/{tenantId}/community/{communityId}/external_idp

Create ExternalIdp

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: The unencrypted data shown here is only a preview available in Swagger.

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
Request body

The request body contains a 'data' field with the encrypted object below:

IMPORTANT - In Swagger you can send unencrypted data and you will get unencrypted data back; this is only a preview.

{
   data: {
     connection: {
       idpName: "string, required",
       idpEntityId: "string, required",
       samlLoginUrl: "string, required",
       samlLogoutUrl: "string, required",
       ssoBinding: "string, required",
       sloBinding: "string, required",
       forceAuthn: "boolean, required",
       spEntityId: "string, required",
       spSigningCertificate: "string, required",
       spPrivateKey: "string, required",
       idpSigningCertificate: "string, required"
     },
     routingPolicy: {  //optional object
       enabled: "boolean, required",
       groups: { //optional object
         value: ["string, required"],
         operator: "string, required (one of overlap, nooverlap)"
       },
       usernames: { //optional object
         value: ["string, required"],
         operator: "string, required (one of overlap, nooverlap)"
       },
       usersInIdpStore: "boolean, optional (defaults to false)"
     },
   }
}
Field | Type | Description
data | object |
PUT https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/external_idp
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/external_idp' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"connection": {"idpName": "Okta", "idpEntityId": "Okta", "samlLoginUrl": "Okta", "samlLogoutUrl": "Okta", "ssoBinding": "Okta", "sloBinding": "Okta", "forceAuthn": true, "spEntityId": "Okta", "spSigningCertificate": "Okta", "spPrivateKey": "Okta", "idpSigningCertificate": "Okta"}, "routingPolicy": {"enabled": true, "groups": {"value": ["group-a", "group-b"], "operator": "overlap"}, "usernames": {"value": ["user_a", "user_b"], "operator": "overlap"}, "usersInIdpStore": true}}}'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - The unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{ "data": "<ecdsa_encrypted_response>", "publicKey": "<authn_public_key>" }
```
{
  "data": {
    "connection": {
      "idpName": "Okta",
      "idpEntityId": "Okta",
      "samlLoginUrl": "Okta",
      "samlLogoutUrl": "Okta",
      "ssoBinding": "Okta",
      "sloBinding": "Okta",
      "forceAuthn": true,
      "spEntityId": "Okta",
      "spSigningCertificate": "Okta",
      "spPrivateKey": "Okta",
      "idpSigningCertificate": "Okta"
    },
    "routingPolicy": {
      "enabled": true,
      "groups": {
        "value": [
          "group-a",
          "group-b"
        ],
        "operator": "overlap"
      },
      "usernames": {
        "value": [
          "user_a",
          "user_b"
        ],
        "operator": "overlap"
      },
      "usersInIdpStore": true
    }
  }
}
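A pre-flight check for the Create/Update ExternalIdp body, as an added example that is not 1Kosmos code: it validates the plaintext object against the request schema above before encryption and masks spPrivateKey (which the fetch and create responses echo back) before anything is logged. The function names, error strings and the choice of spPrivateKey as the only secret field are assumptions.

```python
import copy

# Field names and types copied from the Create/Update ExternalIdp request schema.
CONNECTION_FIELDS = {
    "idpName": str, "idpEntityId": str, "samlLoginUrl": str,
    "samlLogoutUrl": str, "ssoBinding": str, "sloBinding": str,
    "forceAuthn": bool, "spEntityId": str, "spSigningCertificate": str,
    "spPrivateKey": str, "idpSigningCertificate": str,
}
TYPE_NAMES = {str: "string", bool: "boolean"}
ROUTING_OPERATORS = ("overlap", "nooverlap")
# Assumption: spPrivateKey is the only field in this schema holding secret material.
SECRET_FIELDS = ("spPrivateKey",)

# The page's own sample body (placeholder values), reused here as test input.
PAGE_SAMPLE = {"data": {
    "connection": dict({name: "Okta" for name in CONNECTION_FIELDS}, forceAuthn=True),
    "routingPolicy": {
        "enabled": True,
        "groups": {"value": ["group-a", "group-b"], "operator": "overlap"},
        "usernames": {"value": ["user_a", "user_b"], "operator": "overlap"},
        "usersInIdpStore": True,
    },
}}


def _check_matcher(name, matcher, errors):
    """Validate routingPolicy.groups or routingPolicy.usernames."""
    path = f"data.routingPolicy.{name}"
    if not isinstance(matcher, dict):
        errors.append(f"{path} must be an object")
        return
    value = matcher.get("value")
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        errors.append(f"{path}.value must be a list of strings")
    operator = matcher.get("operator")
    if not isinstance(operator, str) or operator not in ROUTING_OPERATORS:
        errors.append(f"{path}.operator must be one of {', '.join(ROUTING_OPERATORS)}")


def validate_external_idp(body):
    """Return a list of schema violations; an empty list means the body conforms."""
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data must be an object"]
    errors = []
    connection = data.get("connection")
    if not isinstance(connection, dict):
        errors.append("data.connection is required and must be an object")
    else:
        for field, expected in CONNECTION_FIELDS.items():
            if field not in connection:
                errors.append(f"data.connection.{field} is required")
            elif type(connection[field]) is not expected:
                errors.append(f"data.connection.{field} must be a {TYPE_NAMES[expected]}")
    policy = data.get("routingPolicy")  # optional object
    if policy is not None:
        if not isinstance(policy, dict):
            errors.append("data.routingPolicy must be an object")
        else:
            if type(policy.get("enabled")) is not bool:
                errors.append("data.routingPolicy.enabled is required and must be a boolean")
            for name in ("groups", "usernames"):
                if name in policy:
                    _check_matcher(name, policy[name], errors)
            if "usersInIdpStore" in policy and type(policy["usersInIdpStore"]) is not bool:
                errors.append("data.routingPolicy.usersInIdpStore must be a boolean")
    return errors


def redact_for_logging(body):
    """Return a deep copy of body with secret connection fields masked."""
    safe = copy.deepcopy(body)
    data = safe.get("data") if isinstance(safe, dict) else None
    connection = data.get("connection") if isinstance(data, dict) else None
    if isinstance(connection, dict):
        for field in SECRET_FIELDS:
            if field in connection:
                connection[field] = "<redacted>"
    return safe
```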
PATCH /tenant/{tenantId}/community/{communityId}/external_idp/{id}

Update ExternalIdp (replaces the external IdP config with the provided data)

Update ExternalIdp

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing created IDP

IMPORTANT: The unencrypted data shown here is only a preview available in Swagger.

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
id (required) | string | Id of external idp
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
Request body

The request body contains a 'data' field with the encrypted object below:

IMPORTANT - In Swagger you can send unencrypted data and you will get unencrypted data back; this is only a preview.

{
   data: {
     connection: { //required object
       idpName: "string, required",
       idpEntityId: "string, required",
       samlLoginUrl: "string, required",
       samlLogoutUrl: "string, required",
       ssoBinding: "string, required",
       sloBinding: "string, required",
       forceAuthn: "boolean, required",
       spEntityId: "string, required",
       spSigningCertificate: "string, required",
       spPrivateKey: "string, required",
       idpSigningCertificate: "string, required"
     },
     routingPolicy: {  //optional object
       enabled: "boolean, required",
       groups: { //optional object
         value: ["string, required"],
         operator: "string, required (one of overlap, nooverlap)"
       },
       usernames: { //optional object
         value: ["string, required"],
         operator: "string, required (one of overlap, nooverlap)"
       },
       usersInIdpStore: "boolean, optional (defaults to false)"
     },
   }
}
Field | Type | Description
data | object |
PATCH https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/external_idp/{id}
cURL
curl -X PATCH 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/external_idp/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"connection": {"idpName": "Okta", "idpEntityId": "Okta", "samlLoginUrl": "Okta", "samlLogoutUrl": "Okta", "ssoBinding": "Okta", "sloBinding": "Okta", "forceAuthn": true, "spEntityId": "Okta", "spSigningCertificate": "Okta", "spPrivateKey": "Okta", "idpSigningCertificate": "Okta"}, "routingPolicy": {"enabled": true, "groups": {"value": ["group-a", "group-b"], "operator": "overlap"}, "usernames": {"value": ["user_a", "user_b"], "operator": "overlap"}, "usersInIdpStore": true}}}'
RESPONSE
200
400
403
SUCCESS

IMPORTANT - The unencrypted response is only available in Swagger. In a real application, you will get data as follows:

```
{ "data": "<ecdsa_encrypted_response>", "publicKey": "<authn_public_key>" }
```
{
  "data": {
    "connection": {
      "idpName": "Okta",
      "idpEntityId": "Okta",
      "samlLoginUrl": "Okta",
      "samlLogoutUrl": "Okta",
      "ssoBinding": "Okta",
      "sloBinding": "Okta",
      "forceAuthn": true,
      "spEntityId": "Okta",
      "spSigningCertificate": "Okta",
      "spPrivateKey": "Okta",
      "idpSigningCertificate": "Okta"
    },
    "routingPolicy": {
      "enabled": true,
      "groups": {
        "value": [
          "group-a",
          "group-b"
        ],
        "operator": "overlap"
      },
      "usernames": {
        "value": [
          "user_a",
          "user_b"
        ],
        "operator": "overlap"
      },
      "usersInIdpStore": true
    }
  }
}
DELETE /tenant/{tenantId}/community/{communityId}/external_idp/{id}

Delete external idp

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns 204 No Content

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
id (required) | string | Id of external idp
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
Request body

IMPORTANT - In Swagger you can send unencrypted data and you will get unencrypted data back; this is only a preview.

In a real application, you have to send encrypted data as follows:

{
   data: {
     username: string, optional,
     ip: string, optional,
     userAgent: string, optional
   }
}
Field | Type | Description
data | object |
DELETE https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/external_idp/{id}
cURL
curl -X DELETE 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/external_idp/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"username": "xxxxxxxxxxxxx", "ip": "xxxxxxxxxxxxx", "userAgent": "xxxxxxxxxxxxx"}}'
RESPONSE
204
400
403
No Content - SUCCESS
// no response body

Schemes

Schemes endpoints.

POST /tenant/{tenantId}/community/{communityId}/scheme/fetch

Get Auth Schemes list

License must be of authLevel = system/service

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Array of Auth Schemes

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
Request body
Field | Type | Description
default | boolean |
fetchModules | boolean |
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/scheme/fetch
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/scheme/fetch' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"default": true, "fetchModules": false}'
RESPONSE
200
400
403
Success: a list of Auth Schemes is returned (can be an empty array if none are found)
[
  {}
]
PUT /tenant/{tenantId}/community/{communityId}/scheme

Create Auth Scheme

License must be of authLevel = system/service

Note that creating a new scheme is subject to some conditions:

  • You can't create a second auth scheme with the exact same pair of 'tag' and 'communityId'
  • The modules array must have a unique id for each module
  • Each community can have only 1 auth scheme with 'isDefault === true'; setting authScheme with 'isDefault === false' will reset the one that is default to not default.

Parameters

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns created Auth Scheme

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
Request body
Field | Type | Description
tag | string |
enabled | boolean |
isDefault | boolean |
dbModule | object |
modules | array<object> |
PUT https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/scheme
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/scheme' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"tag": "ExampleTag", "enabled": true, "isDefault": false, "dbModule": {"id": "id123456", "type": "Example type", "method": "Example type", "name": "Example name", "criteria": "required"}, "modules": [{}]}'
RESPONSE
201
400
403
Success: a newly created Auth Scheme is returned
{
  "_id": "6051d2a5ba947f531d5760e1",
  "tag": "ExampleTag",
  "communityId": "string",
  "enabled": true,
  "isDefault": false,
  "dbModule": {
    "id": "id123456",
    "type": "Example type",
    "method": "Example type",
    "name": "Example name",
    "criteria": "required"
  },
  "modules": [
    {}
  ],
  "__v": 0
}
PATCH /tenant/{tenantId}/community/{communityId}/scheme/{id}

Update Auth Scheme

License must be of authLevel = system/service

Note that updating a scheme is subject to some conditions:

  • You can't create a second auth scheme with the exact same pair of 'tag' and 'communityId'
  • The modules array must have a unique id for each module
  • Each community can have only 1 auth scheme with 'isDefault === true'; setting authScheme with 'isDefault === false' will reset the one that is default to not default.

IMPORTANT: Only full object can be updated
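The conditions listed for Create Auth Scheme and Update Auth Scheme, as an added client-side pre-flight check (not 1Kosmos code) run against the schemes already returned by scheme/fetch. It assumes fetched schemes carry the same fields as the Create response (_id, tag, communityId, isDefault) and that module ids are strings; the function name and messages are hypothetical.

```python
# Constructed sample of schemes already present; field names follow the
# Create Auth Scheme response (_id, tag, communityId, isDefault).
EXISTING = [
    {"_id": "a1", "tag": "ExampleTag", "communityId": "c1", "isDefault": True},
    {"_id": "b2", "tag": "Other", "communityId": "c1", "isDefault": False},
    {"_id": "z9", "tag": "New", "communityId": "c2", "isDefault": True},
]


def preflight_scheme(proposed, existing, community_id, updating_id=None):
    """Check a Create (PUT) or Update (PATCH) body against the listed conditions.

    Returns (errors, warnings). Pass updating_id on PATCH so the scheme being
    replaced is not compared with itself.
    """
    errors, warnings = [], []
    others = [
        s for s in existing
        if s.get("communityId") == community_id
        and (updating_id is None or s.get("_id") != updating_id)
    ]

    # Condition 1: the ('tag', 'communityId') pair must be unique.
    tag = proposed.get("tag")
    if any(s.get("tag") == tag for s in others):
        errors.append(f"tag {tag!r} already exists in community {community_id!r}")

    # Condition 2: every module needs an id, and ids must not repeat.
    # Assumption: module ids are non-empty strings.
    seen = set()
    for index, module in enumerate(proposed.get("modules") or []):
        module_id = module.get("id") if isinstance(module, dict) else None
        if not isinstance(module_id, str) or not module_id:
            errors.append(f"modules[{index}] has no usable id")
        elif module_id in seen:
            errors.append(f"modules[{index}] repeats id {module_id!r}")
        else:
            seen.add(module_id)

    # Condition 3: only one scheme per community can have isDefault true, so
    # flag the scheme that currently holds the default before sending.
    if proposed.get("isDefault") is True:
        for s in others:
            if s.get("isDefault") is True:
                warnings.append(
                    f"scheme {s.get('tag')!r} is currently the default for this community"
                )
    return errors, warnings
```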

Parameters

id (required)

Id of MongoDB object

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns updated Auth Scheme

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
id (required) | string | Id of MongoDB object to update
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
Request body
Field | Type | Description
tag | string |
enabled | boolean |
isDefault | boolean |
dbModule | object |
modules | array<object> |
PATCH https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/scheme/{id}
cURL
curl -X PATCH 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/scheme/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"tag": "ExampleTag", "enabled": true, "isDefault": false, "dbModule": {"id": "id123456", "type": "Example type", "method": "Example type", "name": "Example name", "criteria": "required"}, "modules": [{}]}'
RESPONSE
200
400
403
Success: updated Auth Module is returned
{
  "_id": "6051d2a5ba947f531d5760e1",
  "tag": "ExampleTag",
  "communityId": "string",
  "enabled": true,
  "isDefault": false,
  "dbModule": {
    "id": "id123456",
    "type": "Example type",
    "method": "Example type",
    "name": "Example name",
    "criteria": "required"
  },
  "modules": [
    {}
  ],
  "__v": 0
}
DELETE /tenant/{tenantId}/community/{communityId}/scheme/{id}

Delete Auth Scheme

Parameters

id (required)

Id of MongoDB object

tenantId (required)

Id of tenant

communityId (required)

Id of community

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

No content

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
id (required) | string | Id of MongoDB object to delete
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
DELETE https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/scheme/{id}
cURL
curl -X DELETE 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/scheme/<id>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
204
400
403
No information Deleted auth scheme
// no response body

Service Provider Catalog

Service Provider Catalog endpoints.

GET /spcatalog/list

Get list of service provider catalog items

Returns object containing service provider catalog items

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time.

publickey (required)

Public key

Returns

Returns object containing service provider catalog items

Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA. It must contain "appid" (string), "uuid" (string) and "ts" (number), where "ts" is an epoch timestamp in seconds that must be no more than 60 seconds before or after the current time
publickey (required) | string | Public Key
GET https://pilot-root.1kosmos.net/authn/spcatalog/list
cURL
curl -X GET 'https://pilot-root.1kosmos.net/authn/spcatalog/list' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
200
403
404
Success
{
  "spCatalogItemOne": {
    "name": "spCatalogItemOne",
    "logo": "logo1",
    "template": "template1",
    "sso_url": "http://sso1.test",
    "type": "salesforce",
    "description": "string"
  },
  "spCatalogItemTwo": {
    "name": "spCatalogItemTwo",
    "logo": "logo2",
    "template": "template2",
    "sso_url": "http://sso2.test",
    "type": "salesforce",
    "description": "string"
  }
}
PUT /spcatalog/item

Create or update Service Provider Catalog item

Any license is accepted, but it must be valid

Request Body

name (required)

Name of this SP Catalog item

logo (required)

Logo of SP Catalog item

sso_url (required)

SSO URL used during the Single Sign-On process

template (required)

Template

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns an object representing the created or updated catalog item

Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required) | string | Public Key
Request body
Field | Type | Description
name | string |
logo | string |
sso_url | string |
template | string |
type | string |
description | string |
PUT https://pilot-root.1kosmos.net/authn/spcatalog/item
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/spcatalog/item' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"name": "spCatalogItemOne", "logo": "logo", "sso_url": "http://sso.test", "template": "template", "type": "salesforce", "description": "string"}'
RESPONSE
200
400
403
Success
{
  "sp_catalog.spCatalogItemOne": {
    "name": "spCatalogItemOne",
    "logo": "logo",
    "sso_url": "http://sso.test",
    "template": "template",
    "type": "salesforce",
    "description": "string"
  }
}
DELETE /spcatalog/item/{name}

Delete Service Provider Catalog item

License must be of authLevel = system/service

Parameters

name (required)

Name of the item to delete

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

204 No Content

Path parameters
Name | Type | Description
name (required) | string | Name of service provider item
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required) | string | Public Key
DELETE https://pilot-root.1kosmos.net/authn/spcatalog/item/{name}
cURL
curl -X DELETE 'https://pilot-root.1kosmos.net/authn/spcatalog/item/<name>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
204
400
403
Success
// no response body
Authn

Auth Policy V 2

Auth Policy V 2 endpoints.

POST /v2/tenant/{tenantId}/community/{communityId}/auth_policy/auth_schemes

Evaluate adaptive authentication policy and return schemes

Fetch auth schemes after evaluating facts against adaptive authentication policies

License must be a valid license authorized for the community

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns decision from rules evaluation. Possible decisions are "mfa_needed", "grant_access", "deny_access".

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required) | string | Public Key
Request body
Field | Type | Description
facts | object |
enforceFallbackPolicy | boolean |
POST https://pilot-root.1kosmos.net/authn/v2/tenant/{tenantId}/community/{communityId}/auth_policy/auth_schemes
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/v2/tenant/<tenantId>/community/<communityId>/auth_policy/auth_schemes' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"facts": {"groups": ["groupA", "groupB"], "requestingAppId": "adminx", "appConfigId": "123-546-7868-3454"}, "enforceFallbackPolicy": true}'
RESPONSE
200
400
403
SUCCESS
{
  "schemes": [
    {
      "factors": [
        "password"
      ],
      "authenticationJourneyV2Id": "13435667",
      "result": "grant_access"
    }
  ]
}
POST /v2/tenant/{tenantId}/community/{communityId}/auth_policy/evaluate

Evaluate adaptive authentication policy

Fetch decision after evaluating facts against adaptive authentication policy

License must be a valid license authorized for the community

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns decision from rules evaluation. Possible decisions are "mfa_needed", "grant_access", "deny_access".

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required) | string | Public Key
Request body
Field | Type | Description
facts | object |
enforceFallbackPolicy | boolean |
jwt | string |
type | string | Optional type parameter. Set to "fallback" to request fallback authentication journey.
POST https://pilot-root.1kosmos.net/authn/v2/tenant/{tenantId}/community/{communityId}/auth_policy/evaluate
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/v2/tenant/<tenantId>/community/<communityId>/auth_policy/evaluate' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"facts": {"groups": ["groupA", "groupB"], "requestingAppId": "adminx", "IP": "10.0.0.7", "machine_domain": "someDomain.com", "username": "userA", "deviceId": "someDomain.com", "machine_name": "userA", "machine_id": "B324123", "machine_user": "someDomain.com", "authenticationMethods": ["password", "otp"]}, "enforceFallbackPolicy": true, "jwt": "jwt optional", "type": "fallback"}'
RESPONSE
200
400
403
SUCCESS
{
  "next": {
    "step": "need_mfa",
    "allowed_factors": [
      "idp_redirect"
    ],
    "idps": [
      "idp-1"
    ]
  },
  "proof_of_authentication_jwt": "xxxxxx-xxxxx-xxxxxxx",
  "signature_token": "xxxxxxx"
}
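Added example (not 1Kosmos code): a caller-side interpreter for the two response shapes shown above, "schemes[].result" from auth_schemes and "next.step" from evaluate, that fails closed on anything it does not recognise. The function names are hypothetical; picking the most restrictive result when several schemes are returned, and treating an MFA demand without factors as a denial, are assumptions of this example.

```python
GRANT, MFA, DENY = "grant_access", "mfa_needed", "deny_access"

# The sample evaluate response spells the step "need_mfa" while the description
# lists "mfa_needed"; both are mapped to the same outcome here.
_KNOWN = {"grant_access": GRANT, "mfa_needed": MFA, "need_mfa": MFA,
          "deny_access": DENY}
_RANK = {GRANT: 0, MFA: 1, DENY: 2}


def _one(decision_field, factors_field):
    """Normalise one decision and its factor list; unknown input becomes DENY."""
    if isinstance(decision_field, str):
        decision = _KNOWN.get(decision_field, DENY)  # exact match, case-sensitive
    else:
        decision = DENY
    if isinstance(factors_field, list):
        factors = [f for f in factors_field if isinstance(f, str)]
    else:
        factors = []
    if decision == DENY:
        return DENY, []
    if decision == MFA and not factors:
        # Assumption: an MFA demand that offers no usable factor is a denial.
        return DENY, []
    return decision, factors


def decide(response):
    """Map a parsed auth_policy response body to (decision, factors)."""
    if not isinstance(response, dict):
        return DENY, []
    nxt = response.get("next")
    if isinstance(nxt, dict):  # shape of .../auth_policy/evaluate
        return _one(nxt.get("step"), nxt.get("allowed_factors"))
    schemes = response.get("schemes")
    if isinstance(schemes, list) and schemes:  # shape of .../auth_schemes
        results = [
            _one(s.get("result"), s.get("factors")) if isinstance(s, dict)
            else (DENY, [])
            for s in schemes
        ]
        # Assumption: with several schemes, the most restrictive result wins.
        return max(results, key=lambda r: _RANK[r[0]])
    return DENY, []  # missing or empty body: never treat as a grant


# Constructed inputs copied from the sample responses on this page.
SAMPLE_EVALUATE = {"next": {"step": "need_mfa", "allowed_factors": ["idp_redirect"],
                            "idps": ["idp-1"]},
                   "proof_of_authentication_jwt": "xxxxxx-xxxxx-xxxxxxx",
                   "signature_token": "xxxxxxx"}
SAMPLE_SCHEMES = {"schemes": [{"factors": ["password"],
                               "authenticationJourneyV2Id": "13435667",
                               "result": "grant_access"}]}
```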
Authn

IDP Config

IDP Config endpoints.

GET /tenant/{tenantId}/community/{communityId}/idp_config

Get IDP Config

Fetch Identity Provider's config

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data field containing IDP config

IMPORTANT: The unencrypted data you can see here is only a preview available in Swagger

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required) | string | Public Key
GET https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/idp_config
cURL
curl -X GET 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/idp_config' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
200
400
403
Success
{
  "data": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "publicKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
PUT /tenant/{tenantId}/community/{communityId}/idp_config

Set IDP Config

Create or update Identity Provider's config

License must be of authLevel = system/service

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns object with public key and encrypted data containing IDP config

IMPORTANT: The unencrypted data you can see here is only a preview available in Swagger

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required) | string | Public Key
Request body

Request body contains a 'data' field with the encrypted object below:

IMPORTANT - you can send unencrypted data and you will get unencrypted data back as well; this is only a preview available in Swagger

{
    signingCert: "string required",
    signingKey: "string required",
    entityId: "string required",
    authnRequestsSigned: "boolean required",
    encryptionCert: "string required",
    encryptionKey: "string required",
    sso_bindings: ['string'],
    slo_bindings: ['string'],
    identifier: "string (required during update call)"
}
Field | Type | Description
data | object |
PUT https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/idp_config
cURL
curl -X PUT 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/idp_config' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": {"signingCert": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "signingKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "encryptionCert": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "entityId": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "authnRequestsSigned": true, "encryptionKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "sso_bindings": ["string"], "slo_bindings": ["string"], "identifier": "string"}}'
RESPONSE
200
400
403
404
Success
{
  "data": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "publicKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
Authn

JWT

JWT endpoints.

POST /jwt/verifyToken

Verify JWT Token.

Request Body

token (required)

Returns

Returns a decoded token value.

Headers
Name | Type | Description
x-forwarded-for | string | Client IP address that can be forwarded through n service layers
Request body
Field | Type | Description
token | string |
POST https://pilot-root.1kosmos.net/authn/jwt/verifyToken
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/jwt/verifyToken' \
  -H 'x-forwarded-for: <value>' \
  -H 'Content-Type: application/json' \
  -d '{"token": "XXXXXX.yyyyy.zzzzzzzzzzzzzzz"}'
RESPONSE
200
401
Success
// no response body
POST /v2/jwt/verifyToken

Verifies the JWT token and validates the caller's IP address.

Request Body

token (required)

Returns

Returns a decoded token value.

Headers
Name | Type | Description
x-forwarded-for | string | Client IP address that can be forwarded through n service layers
Request body
Field | Type | Description
token | string |
POST https://pilot-root.1kosmos.net/authn/v2/jwt/verifyToken
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/v2/jwt/verifyToken' \
  -H 'x-forwarded-for: <value>' \
  -H 'Content-Type: application/json' \
  -d '{"token": "XXXXXX.yyyyy.zzzzzzzzzzzzzzz"}'
RESPONSE
200
401
Success
// no response body
Authn

Auth Policy

Auth Policy endpoints.

POST /tenant/{tenantId}/community/{communityId}/auth_policy/evaluate

Evaluate adaptive authentication policy

Fetch decision after evaluating facts against adaptive authentication policy

License must be a valid license authorized for the community

Headers

licensekey (required)

License key encrypted with ECDSA - system or service level key is required

requestid (required)

JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now

publickey (required)

Public key

Returns

Returns decision from rules evaluation. Possible decisions are "mfa_needed", "grant_access", "deny_access".

Path parameters
Name | Type | Description
tenantId (required) | string | Id of tenant
communityId (required) | string | Id of community
Headers
Name | Type | Description
licensekey (required) | string | License key encrypted with ECDSA
requestid (required) | string | JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) representing epoch timestamp in seconds - it shouldn't be more or less than 60 seconds from now
publickey (required) | string | Public Key
Request body
Field | Type | Description
facts | object |
enforceFallbackPolicy | boolean |
POST https://pilot-root.1kosmos.net/authn/tenant/{tenantId}/community/{communityId}/auth_policy/evaluate
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/tenant/<tenantId>/community/<communityId>/auth_policy/evaluate' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"facts": {"groups": ["groupA", "groupB"], "applicationId": "application1", "IP": "10.0.0.7", "machine_domain": "someDomain.com", "username": "userA", "deviceId": "someDomain.com", "machine_name": "userA", "machine_id": "B324123", "machine_user": "someDomain.com", "authenticationMethods": ["password", "otp"]}, "enforceFallbackPolicy": true}'
RESPONSE
200
400
403
SUCCESS
{
  "next": {
    "step": "need_mfa",
    "allowed_factors": [
      "idp_redirect"
    ],
    "idps": [
      "idp-1"
    ]
  },
  "proof_of_authentication_jwt": "xxxxxx-xxxxx-xxxxxxx",
  "signature_token": "xxxxxxx"
}
Authn

ECDSA Helper

ECDSA Helper endpoints.

POST /ecdsa_helper/{method}

Encrypt and decrypt the data string by public key and private key.

Parameters

method (optional)

The method parameter is an enum. The default value is encrypt.

This parameter only accepts the following values:

encrypt, decrypt

Request Body

dataStr (required)

The dataStr key is of type string.

publicKey (required)

The publicKey is of type string.

privateKey (required)

The privateKey is of type string.

Returns

Returns the encrypted/decrypted string.

This API throws an error if something goes wrong. A common source of errors is an invalid public or private key.

Path parameters
Name | Type | Description
method | string |
Request body
Field | Type | Description
dataStr (required) | string | Message to encrypt or decrypt
publicKey (required) | string |
privateKey (required) | string |
POST https://pilot-root.1kosmos.net/authn/ecdsa_helper/{method}
cURL
curl -X POST 'https://pilot-root.1kosmos.net/authn/ecdsa_helper/<method>' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"dataStr": "Hey, This is example data string.", "publicKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "privateKey": "xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}'
RESPONSE
200
Success
{
  "data": "xxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxx"
}
Authn

Environment

Environment endpoints.

GET /environment

Provide details regarding the environments.

Returns

Returns an environment object

GET https://pilot-root.1kosmos.net/authn/environment
cURL
curl -X GET 'https://pilot-root.1kosmos.net/authn/environment' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
200
Success
// no response body
Authn

Healthz

Healthz endpoints.

GET /healthz

Get healthz.

Returns

Returns a healthz object

  • ``version = <git-tag>.<commit-id>.<dob>``
  • ``git-tag``: When code is compiled from a git-tag, this must carry the tag name. This should match one of the git tags.
  • ``commit-id``: This is the git-commit-id, e.g. when code is built from this, the hex code at the end is the commit id.
  • ``dob``: Date Of Build. This is the epoch time in seconds that tells when the build was created.
  • If the code is not built from a git-tag, then ``version = <commit-id>.<dob>``
GET https://pilot-root.1kosmos.net/authn/healthz
cURL
curl -X GET 'https://pilot-root.1kosmos.net/authn/healthz' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
200
Success
{
  "status": "all services operational",
  "publicKey": "//same as <service>/publickeys endpoint",
  "code": "200",
  "version": "xxxx.xxxx.xxxx"
}
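Added example (not from the 1Kosmos reference): a parser for the healthz version string defined above, useful for checking that a deployed build matches the expected commit. It splits from the right because a git tag may itself contain dots; the function name and the 7 to 40 hex character commit-id length are assumptions of this example.

```python
import re
from datetime import datetime, timezone

_COMMIT = re.compile(r"[0-9a-fA-F]{7,40}")  # assumed length of the commit id
_DOB = re.compile(r"[0-9]+")


def parse_version(version):
    """Split '<git-tag>.<commit-id>.<dob>' or '<commit-id>.<dob>' into fields."""
    if not isinstance(version, str):
        raise ValueError("version must be a string")
    # dob is always the last dot-separated component.
    head, sep, dob = version.rpartition(".")
    if not sep or not _DOB.fullmatch(dob):
        raise ValueError("missing or non-numeric dob")
    # The commit id is the component before dob; whatever precedes it is the
    # tag, which may contain dots of its own (for example 'v2.1.0').
    tag, tag_sep, commit = head.rpartition(".")
    if tag_sep and not tag:
        raise ValueError("empty git-tag")
    if not _COMMIT.fullmatch(commit):
        raise ValueError("commit-id is not a hex string")
    try:
        built = datetime.fromtimestamp(int(dob), tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        raise ValueError("dob is not a usable epoch timestamp")
    return {
        "git_tag": tag or None,          # None when not built from a tag
        "commit_id": commit.lower(),
        "dob": int(dob),
        "built_utc": built.isoformat(),
    }
```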
Authn

Public Key

Public Key endpoints.

GET /publickeys

Get system's public key. No authorization

Returns

Returns a public key object

GET https://pilot-root.1kosmos.net/authn/publickeys
cURL
curl -X GET 'https://pilot-root.1kosmos.net/authn/publickeys' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
200
404
{
  "publicKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
Authn

Service Directory

Service Directory endpoints.

GET /sd

Get all service directories.

Returns

Returns all service directories.

GET https://pilot-root.1kosmos.net/authn/sd
cURL
curl -X GET 'https://pilot-root.1kosmos.net/authn/sd' \
  -H 'authMyPublicKey: YOUR_PUBLIC_KEY' \
  -H 'authMyPrivateKey: YOUR_PRIVATE_KEY' \
  -H 'authLicense: YOUR_LICENSE_KEY'
RESPONSE
200
{
  "name1": "https://xxx.xxxxxx.xxx/xxxxx",
  "name2": "https://xxx.xxxxxx.xxx/xxxxx",
  "name3": "https://xxx.xxxxxx.xxx/xxxxx"
}
© 2026 1Kosmos · Authn service API v2.1 · Generated from the OpenAPI spec · authn.json