{"openapi":"3.0.0","info":{"title":"User Services API","version":"0.1.0","description":"API documentation for User Services API"},"servers":[{"url":"https://user-services.preview.auditbeam.com","description":"Preview"}],"x-tagGroups":[{"name":"Authentication & Sessions","tags":["Authentication","AuthContext","Passkeys","Email Verification","User Signup"]},{"name":"API Key Management","tags":["API Key Management"]},{"name":"User Management","tags":["Users"]},{"name":"Organizations & Domains","tags":["Organizations","Validated Domains"]},{"name":"Applications & Endpoints","tags":["Applications"]},{"name":"Roles & Access","tags":["Application Roles"]},{"name":"Access Groups","tags":["AccessGroups","AccessGroupRoles","AccessGroupMemberships","IndividualAccess"]},{"name":"Policies","tags":["AuthenticationPolicies","PasswordPolicies","MagicLinkPolicies","IPRestrictionPolicies","IPRestrictionRanges","TimeRestrictionPolicies","TimeRestrictionRanges","PlatformMfaPolicies"]},{"name":"Authorization","tags":["AuthorizationEvaluation"]},{"name":"Other","tags":["Examples"]}],"paths":{"/api/admin/scim-config":{"get":{"tags":["SCIM Config"],"x-endpoint-category":"SCIM Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"scim_config:read:all","description":"View SCIM provisioning configuration","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"scim_config","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get SCIM config for an organization","parameters":[{"in":"query","name":"organization_uuid","required":true,"schema":{"type":"string"}},{"in":"query","name":"uuid","schema":{"type":"string"},"description":"SCIM config UUID (alternative to organization_uuid)"}]},"post":{"tags":["SCIM Config"],"x-endpoint-category":"SCIM 
Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"scim_config:create:all","description":"Create SCIM provisioning configuration","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"scim_config","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Create SCIM config for an organization","description":"Creates a new SCIM config and returns its bearer token once, in this response. The token cannot be retrieved again.","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["organization_uuid"],"properties":{"organization_uuid":{"type":"string"},"idp_type":{"type":"string","enum":["entra","okta","generic"]},"stale_days":{"type":"integer"},"auto_verify_email":{"type":"boolean"},"auto_org_enroll":{"type":"boolean"}}}}}}},"put":{"tags":["SCIM Config"],"x-endpoint-category":"SCIM Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"scim_config:update:all","description":"Update SCIM provisioning configuration","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"scim_config","operation":"update","scope":"all","birthright":false,"type":"platform"}],"summary":"Update SCIM config","description":"Updates SCIM config settings. 
Use action=rotate_token to regenerate the bearer token.","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["uuid"],"properties":{"uuid":{"type":"string"},"action":{"type":"string","enum":["rotate_token"]},"enabled":{"type":"boolean"},"idp_type":{"type":"string"},"stale_days":{"type":"integer"},"auto_verify_email":{"type":"boolean"},"auto_org_enroll":{"type":"boolean"}}}}}}},"delete":{"tags":["SCIM Config"],"x-endpoint-category":"SCIM Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"scim_config:delete:all","description":"Delete SCIM provisioning configuration","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"scim_config","operation":"delete","scope":"all","birthright":false,"type":"platform"}],"summary":"Delete SCIM config","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}]}},"/api/admin/scim-logs":{"get":{"tags":["SCIM Config"],"x-endpoint-category":"SCIM Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"scim_logs:read:all","description":"View SCIM provisioning event logs","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"scim_logs","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get SCIM logs for an organization","parameters":[{"in":"query","name":"organization_uuid","required":true,"schema":{"type":"string"}},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":100}},{"in":"query","name":"event_type","schema":{"type":"string"}},{"in":"query","name":"date","schema":{"type":"string"},"description":"ISO date (YYYY-MM-DD) to filter logs for a single day"},{"in":"query","name":"action","schema":{"type":"string","enum":["dates"]},"description":"Set to 
\"dates\" to get available log dates instead of log entries"}]}},"/api/admin/sessions/browse":{"get":{"tags":["Admin Sessions"],"x-endpoint-category":"Admin","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"admin_sessions:read:all","description":"Browse all sessions with pagination and filters","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"admin_sessions","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Paginated browse of all sessions","responses":{"200":{"description":"Success"}}}},"/api/admin/sessions":{"get":{"tags":["Admin Sessions"],"x-endpoint-category":"Admin","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"admin_sessions:read:all","description":"Permitted to view session history for any user or organization","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"admin_sessions","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get session history for a user or organization (admin)","responses":{"200":{"description":"Success"}}},"delete":{"tags":["Admin Sessions"],"x-endpoint-category":"Admin","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"admin_sessions:delete:all","description":"Permitted to revoke any session","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"admin_sessions","operation":"delete","scope":"all","birthright":false,"type":"platform"}],"summary":"Revoke a platform or organization session (admin)","responses":{"200":{"description":"Success"}}}},"/api/admin/users/managed":{"get":{"tags":["SCIM Admin"],"x-endpoint-category":"User Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"scim_managed:read:all","description":"View managed flag 
status for a user","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"scim_managed","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get managed status for a user","parameters":[{"in":"query","name":"user_uuid","required":true,"schema":{"type":"string"}}]},"patch":{"tags":["SCIM Admin"],"x-endpoint-category":"User Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"scim_managed:update:all","description":"Set or clear IDP managed flag for a user","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"scim_managed","operation":"update","scope":"all","birthright":false,"type":"platform"}],"summary":"Set managed flag for a user","description":"Privileged action to set managed=true or managed=false.\nWhen managed=false, SCIM mutations are silently skipped for this user.\nWhen managed=true, the next SCIM operation will re-trigger post-provision hooks.\nRequires admin or super-admin role. 
Logged to scim_logs.\n","parameters":[{"in":"query","name":"user_uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["managed"],"properties":{"managed":{"type":"boolean"},"reason":{"type":"string","description":"Reason for the override (logged for audit)"}}}}}}}},"/api/admin/users/mfa-enrollments":{"get":{"tags":["Admin User MFA Enrollments"],"x-endpoint-category":"User Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"member_mfa:read:all","description":"Permitted to view MFA enrollments for any user","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"member_mfa","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get MFA enrollment status for a user by UUID","parameters":[{"in":"query","name":"user_uuid","required":true,"schema":{"type":"string","format":"uuid"}}],"responses":{"200":{"description":"Success"}}},"delete":{"tags":["Admin User MFA Enrollments"],"x-endpoint-category":"User Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"member_mfa:manage:all","description":"Permitted to remove MFA enrollments for any user","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"member_mfa","operation":"manage","scope":"all","birthright":false,"type":"platform"}],"summary":"Remove a specific MFA enrollment for a user","responses":{"200":{"description":"Success"}}}},"/api/admin/users/trusted-devices":{"get":{"tags":["Admin User Trusted Devices"],"x-endpoint-category":"User Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"member_trusted_devices:read:assigned","description":"Permitted to view trusted devices for any 
user","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"member_trusted_devices","operation":"read","scope":"assigned","birthright":false,"type":"platform"}],"summary":"List trusted devices for a user by UUID","parameters":[{"in":"query","name":"user_uuid","required":true,"schema":{"type":"string","format":"uuid"}}],"responses":{"200":{"description":"Success"}}},"delete":{"tags":["Admin User Trusted Devices"],"x-endpoint-category":"User Administration","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"member_trusted_devices:delete:assigned","description":"Permitted to revoke trusted devices for any user","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"member_trusted_devices","operation":"delete","scope":"assigned","birthright":false,"type":"platform"}],"summary":"Revoke a trusted device for a user","responses":{"200":{"description":"Success"}}}},"/api/api-keys/{uuid}/rotate":{"post":{"tags":["API Key Management"],"x-endpoint-category":"API Keys","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"api_keys:manage:all","description":"Permitted to rotate API key secrets","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"api_keys","operation":"manage","scope":"all","birthright":false,"type":"tenant"},{"name":"my_api_keys:manage:own","description":"Permitted to rotate your own API keys","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_api_keys","operation":"manage","scope":"own","birthright":true,"type":"tenant"}],"summary":"Rotate an API key's secret","description":"Generates a new secret for an existing API key. The old secret is invalidated\nimmediately. The new raw secret is returned **once** in the response and cannot\nbe retrieved again. 
The key's UUID, permissions, and scope remain unchanged.\n","security":[{"session":[]},{"csrf":[]}],"parameters":[{"in":"path","name":"uuid","required":true,"schema":{"type":"string","format":"uuid"},"description":"The API key UUID"}],"responses":{"200":{"description":"Secret rotated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"uuid":{"type":"string","format":"uuid"},"secret":{"type":"string","description":"New raw secret (shown once — store securely)"},"keyPrefix":{"type":"string","description":"First 8 characters of the new secret"},"message":{"type":"string"}}}}}},"400":{"description":"Key is not active (cannot rotate a disabled or expired key)"},"401":{"description":"Not authenticated"},"403":{"description":"CSRF validation failed"},"404":{"description":"API key not found or not owned by the authenticated user"},"500":{"description":"Internal server error"}}}},"/api/api-keys/{uuid}":{"get":{"tags":["API Key Management"],"x-endpoint-category":"API Keys","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"api_key_detail:read:all","description":"Permitted to view API key details","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"api_key_detail","operation":"read","scope":"all","birthright":false,"type":"tenant"},{"name":"my_api_key_detail:read:own","description":"Permitted to view your own API key details","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_api_key_detail","operation":"read","scope":"own","birthright":true,"type":"tenant"}],"summary":"Get API key details","description":"Retrieves full details for a specific API key including its assigned permissions. 
Only the owning user can access their keys.","security":[{"session":[]}],"parameters":[{"in":"path","name":"uuid","required":true,"schema":{"type":"string","format":"uuid"},"description":"The API key UUID (access key ID)"}],"responses":{"200":{"description":"API key details retrieved successfully","content":{"application/json":{"schema":{"type":"object","properties":{"uuid":{"type":"string","format":"uuid"},"name":{"type":"string"},"description":{"type":"string","nullable":true},"keyPrefix":{"type":"string"},"scopeType":{"type":"string","enum":["platform","organization","both"]},"status":{"type":"string","enum":["active","disabled","expired"]},"organizationFkId":{"type":"integer","nullable":true},"expiresAt":{"type":"string","format":"date-time","nullable":true},"lastUsedAt":{"type":"string","format":"date-time","nullable":true},"createdAt":{"type":"string","format":"date-time","nullable":true},"permissions":{"type":"array","items":{"type":"object","properties":{"permission_fk_id":{"type":"integer"},"permission_name":{"type":"string"},"scope_context":{"type":"string","enum":["platform","organization"]}}}}}}}}},"401":{"description":"Not authenticated"},"404":{"description":"API key not found or not owned by the authenticated user"},"500":{"description":"Internal server error"}}},"put":{"tags":["API Key Management"],"x-endpoint-category":"API Keys","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"api_keys:update:all","description":"Permitted to update API key settings","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"api_keys","operation":"update","scope":"all","birthright":false,"type":"tenant"},{"name":"my_api_keys:update:own","description":"Permitted to update your own API keys","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_api_keys","operation":"update","scope":"own","birthright":true,"type":"tenant"}],"summary":"Update an 
API key","description":"Updates the name, description, expiration, or permissions of an API key. Only the owning user can update their keys.","security":[{"session":[]},{"csrf":[]}],"parameters":[{"in":"path","name":"uuid","required":true,"schema":{"type":"string","format":"uuid"},"description":"The API key UUID"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"name":{"type":"string"},"description":{"type":"string","nullable":true},"expiresAt":{"type":"string","format":"date-time","nullable":true},"permissions":{"type":"array","items":{"type":"object","properties":{"permission_fk_id":{"type":"integer"},"scope_context":{"type":"string","enum":["platform","organization"]}}}}}}}}},"responses":{"200":{"description":"API key updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"uuid":{"type":"string","format":"uuid"},"message":{"type":"string"}}}}}},"401":{"description":"Not authenticated"},"403":{"description":"CSRF validation failed"},"404":{"description":"API key not found or not owned by the authenticated user"},"500":{"description":"Internal server error"}}},"delete":{"tags":["API Key Management"],"x-endpoint-category":"API Keys","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"api_keys:delete:all","description":"Permitted to disable API keys","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"api_keys","operation":"delete","scope":"all","birthright":false,"type":"tenant"},{"name":"my_api_keys:delete:own","description":"Permitted to disable your own API keys","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_api_keys","operation":"delete","scope":"own","birthright":true,"type":"tenant"}],"summary":"Disable an API key","description":"Disables an API key immediately. 
The key's status is set to 'disabled' in the database\nand its synthetic sessions are evicted from KV. Any integrations using this key will\nstop working immediately.\n","security":[{"session":[]},{"csrf":[]}],"parameters":[{"in":"path","name":"uuid","required":true,"schema":{"type":"string","format":"uuid"},"description":"The API key UUID"}],"responses":{"200":{"description":"API key disabled successfully","content":{"application/json":{"schema":{"type":"object","properties":{"uuid":{"type":"string","format":"uuid"},"message":{"type":"string"}}}}}},"401":{"description":"Not authenticated"},"403":{"description":"CSRF validation failed"},"404":{"description":"API key not found or not owned by the authenticated user"},"500":{"description":"Internal server error"}}}},"/api/api-keys":{"post":{"tags":["API Key Management"],"x-endpoint-category":"API Keys","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"api_keys:create:all","description":"Permitted to create new API keys","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"api_keys","operation":"create","scope":"all","birthright":false,"type":"tenant"},{"name":"my_api_keys:create:own","description":"Permitted to create your own API keys","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_api_keys","operation":"create","scope":"own","birthright":true,"type":"tenant"}],"summary":"Create a new API key","description":"Generates a new API key for the authenticated user. The raw secret is returned\n**once** in the response and cannot be retrieved again. 
The key can be scoped to\nplatform-level access, a single organization, or both.\n","security":[{"session":[]},{"csrf":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["name","scopeType"],"properties":{"name":{"type":"string","description":"Human-readable label for the key","example":"CI/CD Pipeline"},"description":{"type":"string","nullable":true,"description":"Optional longer description","example":"Used by GitHub Actions for deployments"},"scopeType":{"type":"string","enum":["platform","organization","both"],"description":"Whether the key has platform-level, organization-level, or both scopes"},"organizationId":{"type":"integer","nullable":true,"description":"Required when scopeType is 'organization' or 'both'"},"permissions":{"type":"array","items":{"type":"object","properties":{"permission_fk_id":{"type":"integer"},"scope_context":{"type":"string","enum":["platform","organization"]}}},"description":"Granular permission assignments (must be a subset of the user's own permissions)"},"expiresAt":{"type":"string","format":"date-time","nullable":true,"description":"Expiration timestamp (null = no expiry)"}}}}}},"responses":{"201":{"description":"API key created successfully","content":{"application/json":{"schema":{"type":"object","properties":{"uuid":{"type":"string","format":"uuid","description":"Access key ID (used in X-Api-Key header)"},"secret":{"type":"string","description":"Raw secret (shown once — store securely)"},"keyPrefix":{"type":"string","description":"First 8 characters of the secret for identification"},"name":{"type":"string"},"scopeType":{"type":"string","enum":["platform","organization","both"]},"message":{"type":"string"}}}}}},"400":{"description":"Missing required fields (name, scopeType)"},"401":{"description":"Not authenticated"},"403":{"description":"CSRF validation failed"},"500":{"description":"Internal server error"}}},"get":{"tags":["API Key Management"],"x-endpoint-category":"API 
Keys","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_api_keys:read:own","description":"Permitted to view own API keys","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_api_keys","operation":"read","scope":"own","birthright":true,"type":"tenant"}],"summary":"List the authenticated user's API keys","description":"Returns all API keys belonging to the authenticated user. Secrets are never included — only the key prefix is returned for identification.","security":[{"session":[]}],"responses":{"200":{"description":"API keys retrieved successfully","content":{"application/json":{"schema":{"type":"object","properties":{"keys":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string","format":"uuid"},"name":{"type":"string"},"description":{"type":"string","nullable":true},"key_prefix":{"type":"string"},"scope_type":{"type":"string","enum":["platform","organization","both"]},"status":{"type":"string","enum":["active","disabled","expired"]},"organization_fk_id":{"type":"integer","nullable":true},"expires_at":{"type":"string","format":"date-time","nullable":true},"last_used_at":{"type":"string","format":"date-time","nullable":true},"created_at_date":{"type":"string","format":"date-time","nullable":true}}}}}}}}},"401":{"description":"Not authenticated"},"500":{"description":"Internal server error"}}}},"/api/applications":{"get":{"tags":["Applications"],"x-endpoint-category":"Platform Authorization","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"applications:read:all","description":"Permitted to view registered applications","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"applications","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get applications","description":"Retrieves applications - either all applications (paginated) 
or a specific application by UUID","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional application UUID to get a specific application. If not provided, returns all applications."},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (only used when getting all applications)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":10},"description":"Number of items per page (only used when getting all applications)"}],"responses":{"200":{"description":"Applications retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single application response","properties":{"application":{"type":"object","properties":{"application_name":{"type":"string"},"application_description":{"type":"string","nullable":true},"application_api_url":{"type":"string","nullable":true},"application_api_docs":{"type":"string","nullable":true},"admin_application":{"type":"boolean"}}}}},{"type":"object","description":"Multiple applications response","properties":{"applications":{"type":"array","items":{"type":"object","properties":{"application_name":{"type":"string"},"application_description":{"type":"string","nullable":true},"application_api_url":{"type":"string","nullable":true},"application_api_docs":{"type":"string","nullable":true},"admin_application":{"type":"boolean"}}}},"total":{"type":"integer","description":"Total number of applications"},"page":{"type":"integer","description":"Current page number"},"pageSize":{"type":"integer","description":"Number of items per page"},"totalPages":{"type":"integer","description":"Total number of pages"}}}]}}}},"400":{"description":"Bad request (e.g., missing required parameters)"},"500":{"description":"Server error"}}}},"/api/auth/organization-session":{"get":{"tags":["Organization 
Session"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_sessions:read:all","description":"Permitted to retrieve current organization session","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"org_sessions","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get current organization session","responses":{"200":{"description":"Success"}}},"post":{"tags":["Organization Session"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_sessions:create:all","description":"Permitted to create organization session","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"org_sessions","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Create organization session for authenticated user","responses":{"200":{"description":"Success"}}}},"/api/authorization-evaluation":{"get":{"tags":["AuthorizationEvaluation"],"x-endpoint-category":"Authorization","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"authorization:execute:all","description":"Permitted to evaluate user authorization and effective permissions","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"authorization","operation":"execute","scope":"all","birthright":false,"type":"platform"}],"summary":"Evaluate a user's authorization","description":"Resolves a user's complete authorization state. Evaluates platform admin permissions via admin_role_assignment → admin_role → admin_role_permission_group → permission_group_membership → permission. When organization_uuid is provided, also evaluates organization-level permissions via access groups (with hierarchical inheritance) and individual access roles. 
Expired or disabled roles are excluded. Designed to be called after authentication but before session/dashboard rendering.\n","parameters":[{"in":"query","name":"user_uuid","required":true,"schema":{"type":"string"},"description":"UUID of the user to evaluate"},{"in":"query","name":"organization_uuid","required":false,"schema":{"type":"string"},"description":"UUID of the organization to evaluate org-level permissions for"}],"responses":{"200":{"description":"Authorization evaluation completed successfully","content":{"application/json":{"schema":{"type":"object","properties":{"platform_admin":{"type":"object","description":"Platform admin (Super Admin) evaluation result","properties":{"user_id":{"type":"integer"},"is_platform_admin":{"type":"boolean"},"roles":{"type":"array","items":{"type":"object","properties":{"admin_role_assignment_uuid":{"type":"string"},"admin_role_id":{"type":"integer"},"admin_role_uuid":{"type":"string"},"role_name":{"type":"string","nullable":true},"role_description":{"type":"string","nullable":true},"role_group":{"type":"string","nullable":true},"permissions":{"type":"array","items":{"type":"object","properties":{"permission_id":{"type":"integer"},"permission_uuid":{"type":"string"},"name":{"type":"string"},"description":{"type":"string"},"super_admin":{"type":"boolean"},"admin_privilege":{"type":"boolean"},"permission_version":{"type":"integer"},"deprecated_permission":{"type":"boolean"}}}}}}},"permissions":{"type":"array","description":"De-duplicated list of all permissions across all active roles","items":{"type":"object","properties":{"permission_id":{"type":"integer"},"permission_uuid":{"type":"string"},"name":{"type":"string"},"description":{"type":"string"},"super_admin":{"type":"boolean"},"admin_privilege":{"type":"boolean"},"permission_version":{"type":"integer"},"deprecated_permission":{"type":"boolean"}}}}}}}}}}},"400":{"description":"Missing user_uuid query parameter"},"404":{"description":"User not 
found"},"500":{"description":"Server error"}}}},"/api/example":{"get":{"tags":["Examples"],"x-endpoint-category":"System","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Example API endpoint","description":"This is an example API endpoint","responses":{"200":{"description":"Successful response","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","example":"Hello from the API!"}}}}}}}}},"/api/individual-access":{"get":{"tags":["IndividualAccess"],"x-endpoint-category":"Access Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"individual_access:read:assigned","description":"Permitted to view individual access permissions","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"individual_access","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get individual access roles","description":"Retrieves individual access roles - either a specific role by UUID or all roles (paginated) with optional filters.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional role UUID to get a specific individual access role. 
If not provided, returns all roles."},{"in":"query","name":"user_uuid","schema":{"type":"string"},"description":"Optional user UUID filter when listing"},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Optional organization UUID filter when listing"},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (only used when listing)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":10},"description":"Number of items per page (only used when listing)"}],"responses":{"200":{"description":"Individual access role(s) retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single individual access role response","properties":{"uuid":{"type":"string"},"user_fk_id":{"type":"integer"},"access_type":{"type":"string"},"organization_fk_id":{"type":"integer","nullable":true},"tenant_fk_id":{"type":"integer","nullable":true},"application_role_fk_id":{"type":"integer"},"expires":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time","nullable":true}}},{"type":"object","description":"Multiple individual access roles response","properties":{"individualAccessRoles":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string"},"user_fk_id":{"type":"integer"},"access_type":{"type":"string"},"organization_fk_id":{"type":"integer","nullable":true},"tenant_fk_id":{"type":"integer","nullable":true},"application_role_fk_id":{"type":"integer"},"expires":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time","nullable":true}}}},"total":{"type":"integer"},"page":{"type":"integer"},"pageSize":{"type":"integer"},"totalPages":{"type":"integer"}}}]}}}},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"put":{"tags":["IndividualAccess"],"x-endpoint-category":"Access 
Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"individual_access:update:assigned","description":"Permitted to update individual access permissions","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"individual_access","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update an individual access role","description":"Updates an existing individual access role by its UUID. Accepts UUID-based references for related entities.","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Individual access role UUID to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"access_type":{"type":"string"},"application_role_uuid":{"type":"string"},"organization_uuid":{"type":"string"},"tenant_uuid":{"type":"string"},"expires":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time"}}},"examples":{"changeRole":{"summary":"Update application role","value":{"application_role_uuid":"22222222-2222-2222-2222-222222222222"}},"setExpiration":{"summary":"Set expiration","value":{"expires":true,"expires_at":"2025-12-31T23:59:59.000Z"}}}}}},"responses":{"200":{"description":"Individual access role updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"individualAccessRole":{"type":"object","properties":{"uuid":{"type":"string"},"user_fk_id":{"type":"integer"},"access_type":{"type":"string"},"organization_fk_id":{"type":"integer","nullable":true},"tenant_fk_id":{"type":"integer","nullable":true},"application_role_fk_id":{"type":"integer"},"expires":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time","nullable":true}}}}}}}},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["IndividualAccess"],"x-endpoint-category":"Access 
Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"individual_access:delete:assigned","description":"Permitted to revoke individual access permissions","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"individual_access","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete an individual access role","description":"Deletes an individual access role by its UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Individual access role UUID to delete"}],"responses":{"200":{"description":"Individual access role deleted successfully","content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}}},"400":{"description":"Missing UUID"},"500":{"description":"Server error"}}}},"/api/internal/organization-tenant-link":{"patch":{"tags":["Internal Tenant Link"],"x-endpoint-category":"Internal","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_tenants:update:all","description":"Permitted to link/unlink organizations to tenant infrastructure","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"org_tenants","operation":"update","scope":"all","birthright":false,"type":"platform"}],"summary":"Link or unlink organization from tenant-manager","responses":{"200":{"description":"Success"}}}},"/api/internal/tenant-state":{"post":{"tags":["Internal Tenant State"],"x-endpoint-category":"Internal","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"tenant_state:create:all","description":"Permitted to update organization tenant state via internal 
callback","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"tenant_state","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Update organization tenant state callback from tenant-manager","responses":{"200":{"description":"Success"}}}},"/api/login/check-token":{"put":{"tags":["AuthContext"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"auth_tokens:update:all","description":"Permitted to modify authentication tokens in KV store","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"auth_tokens","operation":"update","scope":"all","birthright":false,"type":"platform"}],"summary":"Update an authentication context","description":"Updates partial fields on an existing auth context by key.","parameters":[{"in":"query","name":"key","required":true,"schema":{"type":"string"},"description":"ContextId key to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"Partial fields to merge into the stored context object"}}}},"responses":{"200":{"description":"Updated auth context","content":{"application/json":{"schema":{"type":"object","properties":{"key":{"type":"string"},"value":{"type":"object"}}}}}},"400":{"description":"Missing key"},"500":{"description":"Server error"}}},"delete":{"tags":["AuthContext"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"auth_tokens:delete:all","description":"Permitted to delete authentication tokens from KV store","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"auth_tokens","operation":"delete","scope":"all","birthright":false,"type":"platform"}],"summary":"Delete authentication context(s)","description":"Deletes a specific context by key or, if key=all, 
deletes all contexts.","parameters":[{"in":"query","name":"key","required":true,"schema":{"type":"string"},"description":"Context key to delete, or 'all' to delete all keys"}],"responses":{"200":{"description":"Delete result","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Deleted all keys","properties":{"deleted":{"type":"integer"},"keys":{"type":"array","items":{"type":"string"}}}},{"type":"object","description":"Deleted a single key","properties":{"deleted":{"type":"integer"},"key":{"type":"string"}}}]}}}},"400":{"description":"Missing key"},"500":{"description":"Server error"}}}},"/api/login/context":{"put":{"tags":["AuthContext"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"login_contexts:update:all","description":"Permitted to modify authentication contexts in KV store","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"login_contexts","operation":"update","scope":"all","birthright":false,"type":"platform"}],"summary":"Update an authentication context","description":"Updates partial fields on an existing auth context by key.","parameters":[{"in":"query","name":"key","required":true,"schema":{"type":"string"},"description":"ContextId key to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"Partial fields to merge into the stored context object"}}}},"responses":{"200":{"description":"Updated auth context","content":{"application/json":{"schema":{"type":"object","properties":{"key":{"type":"string"},"value":{"type":"object"}}}}}},"400":{"description":"Missing key"},"500":{"description":"Server error"}}},"delete":{"tags":["AuthContext"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"login_contexts:delete:all","description":"Permitted to 
delete authentication contexts from KV store","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"login_contexts","operation":"delete","scope":"all","birthright":false,"type":"platform"}],"summary":"Delete authentication context(s)","description":"Deletes a specific context by key or, if key=all, deletes all contexts.","parameters":[{"in":"query","name":"key","required":true,"schema":{"type":"string"},"description":"Context key to delete, or 'all' to delete all keys"}],"responses":{"200":{"description":"Delete result","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Deleted all keys","properties":{"deleted":{"type":"integer"},"keys":{"type":"array","items":{"type":"string"}}}},{"type":"object","description":"Deleted a single key","properties":{"deleted":{"type":"integer"},"key":{"type":"string"}}}]}}}},"400":{"description":"Missing key"},"500":{"description":"Server error"}}}},"/api/login/magic":{"get":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"magic_links:read:all","description":"Consume a magic link token to authenticate","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"magic_links","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Consume magic link for authentication","description":"Authenticates a user using a magic link token from email.\nValidates the token and creates a session for the user.\n","parameters":[{"in":"query","name":"token","required":true,"schema":{"type":"string"},"description":"Magic link token from email"}],"responses":{"200":{"description":"Authentication 
successful","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"message":{"type":"string"},"session":{"type":"object"},"userEmail":{"type":"string"},"redirectUrl":{"type":"string"}}}}}},"400":{"description":"Missing or invalid token"},"403":{"description":"Magic link expired or already used"},"404":{"description":"Invalid magic link"},"500":{"description":"Server error"}}},"post":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"magic_links:create:all","description":"Request a magic link authentication email","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"magic_links","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Request magic link authentication","description":"Sends a magic link email to the user for passwordless authentication.\nRequires a valid authentication context ID.\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["contextId"],"properties":{"contextId":{"type":"string","description":"Authentication context ID from login flow"}}}}}},"responses":{"200":{"description":"Magic link sent successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"message":{"type":"string"},"contextId":{"type":"string"},"email":{"type":"string"},"expiresInHours":{"type":"number"}}}}}},"400":{"description":"Missing context ID or invalid request"},"403":{"description":"Magic link authentication not available for user"},"404":{"description":"Authentication context not found or expired"},"500":{"description":"Server error"}}}},"/api/login/mfa/email":{"post":{"tags":["Authentication - 
MFA"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"mfa_email_otp:create:all","description":"Send email OTP code for MFA verification","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"mfa_email_otp","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Send email OTP for MFA verification","description":"Sends a 6-digit OTP to the user's email address.\nRate limited to 1 send per 60 seconds per context.\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["contextId"],"properties":{"contextId":{"type":"string"}}}}}},"responses":{"200":{"description":"OTP sent successfully"},"400":{"description":"Invalid request"},"429":{"description":"Rate limited - wait before requesting again"}}}},"/api/login/mfa/methods":{"get":{"tags":["Authentication - MFA"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"mfa_methods:read:all","description":"Get available MFA methods during login","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"mfa_methods","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get available MFA methods for a login context","parameters":[{"in":"query","name":"contextId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Available MFA methods"},"400":{"description":"Missing context ID"},"401":{"description":"Invalid or expired context"}}}},"/api/login/mfa/verify":{"post":{"tags":["Authentication - MFA"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"mfa_verification:create:all","description":"Verify MFA code to complete 
authentication","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"mfa_verification","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Verify MFA code during login","description":"Verifies a TOTP, email OTP, or recovery code during the MFA step of login.\nOn success, creates a session and returns session cookies.\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["contextId","method","code"],"properties":{"contextId":{"type":"string"},"method":{"type":"string","enum":["totp","email","recovery_code"]},"code":{"type":"string"},"rememberDevice":{"type":"boolean"}}}}}},"responses":{"200":{"description":"MFA verification successful"},"401":{"description":"MFA verification failed"}}}},"/api/login/passkey":{"post":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"passkey_auth:create:all","description":"Complete passkey authentication with credential","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"passkey_auth","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Begin or complete passkey authentication","description":"Passkey authentication for login; the request's action field selects one of three operations:\n1. Begin: Verify user can use passkeys → Get challenge and options\n2. Complete: Verify passkey assertion → Return authentication result\n3. 
Credential: Authenticate directly by credential ID (for resident keys)\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Begin passkey authentication","required":["action","email","rpId","turnstileToken"],"properties":{"action":{"type":"string","enum":["begin"]},"email":{"type":"string","format":"email"},"contextId":{"type":"string","description":"Context ID from initial login step (optional)"},"rpId":{"type":"string"},"origin":{"type":"string"},"turnstileToken":{"type":"string"}}},{"type":"object","description":"Complete passkey authentication","required":["action","challengeId","credentialId","signCount","userVerification"],"properties":{"action":{"type":"string","enum":["complete"]},"challengeId":{"type":"string"},"credentialId":{"type":"string"},"signCount":{"type":"integer","minimum":0},"userVerification":{"type":"boolean"},"origin":{"type":"string"},"rpId":{"type":"string"}}},{"type":"object","description":"Authenticate by credential ID (resident keys)","required":["action","credentialId","rpId","turnstileToken"],"properties":{"action":{"type":"string","enum":["credential"]},"credentialId":{"type":"string"},"rpId":{"type":"string"},"origin":{"type":"string"},"turnstileToken":{"type":"string"}}}]}}}},"responses":{"200":{"description":"Authentication phase completed successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"challengeId":{"type":"string","description":"Challenge ID for completion (begin action only)"},"authenticationOptions":{"type":"object","description":"WebAuthn authentication options (begin action only)"},"userId":{"type":"integer","description":"User ID (complete action only)"},"passkey":{"type":"object","description":"Passkey information (complete action only)"},"securityWarnings":{"type":"object","description":"Security alerts (complete action only)"}}}}}},"400":{"description":"Invalid request 
data"},"403":{"description":"Turnstile verification failed or user cannot authenticate"},"404":{"description":"User or passkey not found"},"500":{"description":"Server error"}}},"get":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"passkey_auth:read:all","description":"Begin passkey authentication challenge","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"passkey_auth","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get passkey authentication status","description":"Check if a user can authenticate with passkeys","parameters":[{"in":"query","name":"email","required":true,"schema":{"type":"string","format":"email"},"description":"User's email address"}],"responses":{"200":{"description":"Authentication status retrieved","content":{"application/json":{"schema":{"type":"object","properties":{"canAuthenticate":{"type":"boolean"},"passkeyCount":{"type":"integer"},"user":{"type":"object","properties":{"email":{"type":"string"},"uuid":{"type":"string"},"isActive":{"type":"boolean"}}}}}}}},"400":{"description":"Missing email parameter"},"404":{"description":"User not found"},"500":{"description":"Server error"}}}},"/api/login/password":{"post":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"password_login:create:all","description":"Authenticate with username and password","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"password_login","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Authenticate user with password using context","description":"Authenticates a user using their authentication context ID and password.\nCreates a platform session and returns session cookies.\nIf MFA is 
required, returns mfa_required status with available methods.\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["contextId","password"],"properties":{"contextId":{"type":"string","description":"Authentication context ID from initial login request"},"password":{"type":"string","description":"User's password"}}}}}},"responses":{"200":{"description":"Authentication successful or MFA required","content":{"application/json":{"schema":{"oneOf":[{"type":"object","properties":{"success":{"type":"boolean"},"status":{"type":"string","enum":["success"]},"sessionId":{"type":"string"}}},{"type":"object","properties":{"success":{"type":"boolean"},"status":{"type":"string","enum":["mfa_required"]},"mfaMethods":{"type":"array","items":{"type":"string"}},"contextId":{"type":"string"}}}]}}}},"400":{"description":"Missing context ID or password"},"401":{"description":"Authentication failed or session expired"},"500":{"description":"Server error"}}}},"/api/login":{"post":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"sessions:create:all","description":"Authenticate user and determine available login methods","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"sessions","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Authenticate user and determine available login methods","description":"Comprehensive authentication flow that:\n- Verifies human using Cloudflare Turnstile\n- Checks if user exists and is active\n- Returns available authentication methods\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["email","turnstileToken"],"properties":{"email":{"type":"string","format":"email","description":"User's email address"},"turnstileToken":{"type":"string","description":"Cloudflare Turnstile 
token for human verification"}}}}}},"responses":{"200":{"description":"Authentication policy evaluation successful","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","description":"Whether the request was successful"},"data":{"type":"object","description":"Authentication policy data"},"contextId":{"type":"string","description":"Unique context ID for this authentication session"}}}}}},"400":{"description":"Invalid request data"},"403":{"description":"Turnstile verification failed"},"500":{"description":"Internal server error"}}}},"/api/login/saml/acs":{"post":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"saml_auth:create:all","description":"Process SAML assertion responses from identity providers","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"saml_auth","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Handle SAML Assertion Consumer Service","description":"Processes SAML responses from Identity Providers.\nHandles the final step of SAML authentication flow.\n","requestBody":{"required":true,"content":{"application/x-www-form-urlencoded":{"schema":{"type":"object","required":["SAMLResponse"],"properties":{"SAMLResponse":{"type":"string","description":"Base64 encoded SAML response from IdP"},"RelayState":{"type":"string","description":"Optional relay state for redirect after authentication"}}}}}},"responses":{"200":{"description":"SAML authentication successful","content":{"application/json":{"schema":{"type":"object","properties":{"token":{"type":"string","description":"JWT authentication token"}}}}}},"500":{"description":"Server error or SAML processing 
failed"}}}},"/api/login/saml/metadata/{orgId}":{"get":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"saml_metadata:read:all","description":"Get SAML SP metadata XML for organization IdP configuration","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"saml_metadata","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get SAML service provider metadata","description":"Returns SAML metadata XML for a specific organization.\nUsed by Identity Providers to configure SAML integration.\n","parameters":[{"in":"path","name":"orgId","required":true,"schema":{"type":"string"},"description":"Organization ID for SAML configuration"}],"responses":{"200":{"description":"SAML metadata XML","content":{"application/xml":{"schema":{"type":"string"}}}},"400":{"description":"Missing organization ID"},"500":{"description":"Server error or invalid SAML configuration"}}}},"/api/login/saml":{"get":{"tags":["Authentication"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"saml_auth:read:all","description":"Initiate SAML SSO authentication flow","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"saml_auth","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Initiate SAML authentication","description":"Initiates SAML authentication flow for a specific organization.\nRedirects to the Identity Provider (IdP) for authentication.\n","parameters":[{"in":"query","name":"orgId","required":true,"schema":{"type":"integer"},"description":"Organization ID for SAML configuration"},{"in":"query","name":"stepUp","required":false,"schema":{"type":"boolean"},"description":"Force authentication step-up for sensitive 
data"},{"in":"query","name":"returnTo","required":false,"schema":{"type":"string"},"description":"URL to return to after authentication"}],"responses":{"302":{"description":"Redirect to Identity Provider"},"400":{"description":"Missing or invalid orgId"},"500":{"description":"Server error or invalid SAML configuration"}}}},"/api/login/token":{"get":{"tags":["Login Token"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"login_tokens:read:all","description":"Retrieve login token","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"login_tokens","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Login token endpoint","responses":{"200":{"description":"Success"}}}},"/api/logout":{"post":{"tags":["Logout"],"x-endpoint-category":"Authentication","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"sessions:delete:all","description":"Log out and revoke active sessions","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"sessions","operation":"delete","scope":"all","birthright":false,"type":"platform"}],"summary":"Log out user by revoking platform and organization sessions","responses":{"200":{"description":"Success"}}}},"/api/myAccount/change-password":{"post":{"tags":["My Account Password"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_password:create:own","description":"Permitted to change own password","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_password","operation":"create","scope":"own","birthright":true,"type":"platform"}],"summary":"Change password for authenticated 
user","responses":{"200":{"description":"Success"}}}},"/api/myAccount/default-organization":{"put":{"tags":["Authenticated User"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"organizations:update:own","description":"Permitted to set default organization for auto-login","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"organizations","operation":"update","scope":"own","birthright":true,"type":"platform"}],"summary":"Set default organization","description":"Sets the user's default organization for auto-login","security":[{"cookieAuth":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["organizationId"],"properties":{"organizationId":{"type":"integer","description":"Organization ID to set as default (null to clear)"}}}}}},"responses":{"200":{"description":"Default organization updated"},"400":{"description":"Invalid request"},"401":{"description":"Unauthorized"},"403":{"description":"User is not a member of the specified organization"},"500":{"description":"Server error"}}}},"/api/myAccount/organizations":{"get":{"tags":["Authenticated User"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_org_memberships:read:own","description":"Permitted to view own organization memberships","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_org_memberships","operation":"read","scope":"own","birthright":true,"type":"platform"}],"summary":"Get current user's organization memberships","description":"Retrieves all active organization memberships for the authenticated user","security":[{"session":[]}],"responses":{"200":{"description":"Organization memberships retrieved 
successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"organizations":{"type":"array","items":{"type":"object","properties":{"id":{"type":"integer"},"uuid":{"type":"string"},"organizationId":{"type":"integer"},"organizationUuid":{"type":"string"},"organizationName":{"type":"string"},"isEnabled":{"type":"boolean"},"expires":{"type":"boolean"},"expiresAt":{"type":"string","format":"date-time"},"lastSeenDate":{"type":"string","format":"date-time"},"expirationStatus":{"type":"string","enum":["permanent","expires_no_date","active_expiring","expired"]}}}}}}}}},"401":{"description":"Unauthorized - invalid or expired session"},"500":{"description":"Server error"}}}},"/api/myAccount":{"get":{"tags":["Authenticated User"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Get current user profile","description":"Retrieves the profile information for the authenticated user.\nSupports both browser session cookies and API key authentication\n(X-Api-Key + X-Api-Secret headers).\n","x-permissions":[{"name":"my_account:read:own","description":"Permitted to view own account profile","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_account","operation":"read","scope":"own","birthright":true,"type":"platform"}],"security":[{"session":[]},{"apiKey":[]}],"responses":{"200":{"description":"User profile retrieved successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"user":{"type":"object","properties":{"id":{"type":"integer"},"uuid":{"type":"string"},"email":{"type":"string"},"firstName":{"type":"string"},"lastName":{"type":"string"},"displayName":{"type":"string"},"department":{"type":"string"},"jobTitle":{"type":"string"},"lastSeenDate":{"type":"string"},"createdAt":{"type":"string"}}}}}}}},"401":{"description":"Unauthorized - invalid or 
expired session"},"500":{"description":"Server error"}}},"put":{"tags":["Authenticated User"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Update current user profile","description":"Updates the profile information for the authenticated user","x-permissions":[{"name":"my_account:update:own","description":"Permitted to update own account profile","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_account","operation":"update","scope":"own","birthright":true,"type":"platform"}],"security":[{"session":[]},{"apiKey":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"firstName":{"type":"string"},"lastName":{"type":"string"},"displayName":{"type":"string"},"department":{"type":"string"},"jobTitle":{"type":"string"}}}}}},"responses":{"200":{"description":"Profile updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"message":{"type":"string"},"user":{"type":"object"}}}}}},"400":{"description":"Bad request - invalid data"},"401":{"description":"Unauthorized - invalid or expired session"},"500":{"description":"Server error"}}}},"/api/myAccount/scopes":{"get":{"tags":["Authenticated User"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Get current user's granted permission scopes","description":"Returns all permission scopes granted to the authenticated user\nfrom their platform session (birthright + admin permissions).\n","x-permissions":[{"name":"my_account:read:own","description":"Permitted to view own account 
scopes","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_account","operation":"read","scope":"own","birthright":true,"type":"platform"}],"security":[{"session":[]},{"apiKey":[]}],"responses":{"200":{"description":"Scopes retrieved successfully","content":{"application/json":{"schema":{"type":"object","properties":{"scopes":{"type":"array","items":{"type":"string"},"description":"Array of scope strings in format \"objectType:operation:level\""}}}}}},"401":{"description":"Unauthorized - invalid or expired session"},"500":{"description":"Server error"}}}},"/api/myAccount/session-history":{"get":{"tags":["My Account Session History"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_sessions:read:own","description":"Permitted to view own session history","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_sessions","operation":"read","scope":"own","birthright":true,"type":"platform"}],"summary":"Get session history for current user (platform + org sessions grouped)","responses":{"200":{"description":"Success"}}},"delete":{"tags":["My Account Session History"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_sessions:delete:own","description":"Permitted to revoke own sessions (platform or organization)","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_sessions","operation":"delete","scope":"own","birthright":true,"type":"platform"}],"summary":"Revoke a specific platform or organization session","responses":{"200":{"description":"Success"}}}},"/api/myAccount/sessions":{"get":{"tags":["My Account Sessions"],"x-endpoint-category":"Account 
Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_sessions:read:own","description":"Permitted to view own active sessions","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_sessions","operation":"read","scope":"own","birthright":true,"type":"platform"}],"summary":"Get active sessions for current user","responses":{"200":{"description":"Success"}}},"delete":{"tags":["My Account Sessions"],"x-endpoint-category":"Account Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_sessions:delete:own","description":"Permitted to revoke own sessions","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_sessions","operation":"delete","scope":"own","birthright":true,"type":"platform"}],"summary":"Revoke a specific session","responses":{"200":{"description":"Success"}}}},"/api/organizations/access-groups/membership":{"get":{"tags":["AccessGroupMemberships"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_group_members:read:assigned","description":"Permitted to view access group membership","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_group_members","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get access group memberships","description":"Retrieves memberships - either a specific membership by UUID or all memberships (paginated) with optional filters.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional membership UUID to get a specific membership. 
If not provided, returns all memberships."},{"in":"query","name":"user_uuid","schema":{"type":"string"},"description":"Optional user UUID filter when listing"},{"in":"query","name":"access_group_uuid","schema":{"type":"string"},"description":"Optional access group UUID filter when listing"},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (only used when listing)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":10},"description":"Number of items per page (only used when listing)"}],"responses":{"200":{"description":"Membership(s) retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single membership response","properties":{"uuid":{"type":"string"},"user_fk_id":{"type":"integer"},"access_group_fk_id":{"type":"integer"},"expires":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time","nullable":true}}},{"type":"object","description":"Multiple memberships response","properties":{"memberships":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string"},"user_fk_id":{"type":"integer"},"access_group_fk_id":{"type":"integer"},"expires":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time","nullable":true}}}},"total":{"type":"integer"},"page":{"type":"integer"},"pageSize":{"type":"integer"},"totalPages":{"type":"integer"}}}]}}}},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"put":{"tags":["AccessGroupMemberships"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_group_members:update:assigned","description":"Permitted to update access group 
membership","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_group_members","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update a membership","description":"Updates membership expiration using the optional expiration duration object. If expiration is provided and expires is true, the backend computes the cutoff date from it.","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Membership UUID to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"expires":{"type":"boolean"},"expiration":{"type":"object","properties":{"minutes":{"type":"integer"},"hours":{"type":"integer"},"days":{"type":"integer"},"weeks":{"type":"integer"},"months":{"type":"integer"}}}}},"examples":{"makeNonExpiring":{"summary":"Remove expiration","value":{"expires":false}},"expireIn4Hours":{"summary":"Set expiration to 4 hours from now","value":{"expires":true,"expiration":{"hours":4}}}}}}},"responses":{"200":{"description":"Membership updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"membership":{"type":"object","properties":{"uuid":{"type":"string"},"user_fk_id":{"type":"integer"},"access_group_fk_id":{"type":"integer"},"expires":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time","nullable":true}}}}}}}},"400":{"description":"Missing membership UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["AccessGroupMemberships"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_group_members:delete:assigned","description":"Permitted to remove members from access 
groups","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_group_members","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete a membership","description":"Deletes a membership by its UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Membership UUID to delete"}],"responses":{"200":{"description":"Membership deleted successfully","content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}}},"400":{"description":"Missing membership UUID"},"500":{"description":"Server error"}}}},"/api/organizations/access-groups/roles":{"get":{"tags":["AccessGroupRoles"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_group_roles:read:assigned","description":"Permitted to view roles assigned to access groups","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_group_roles","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get access group roles","description":"Retrieves access group roles – either a specific role by UUID or all roles (paginated). Supports filtering by related UUIDs.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional role UUID to get a specific role. 
If not provided, returns all roles."},{"in":"query","name":"access_group_uuid","schema":{"type":"string"},"description":"Optional access group UUID to filter when listing"},{"in":"query","name":"application_role_uuid","schema":{"type":"string"},"description":"Optional application role UUID to filter when listing"},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (only used when listing)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":10},"description":"Number of items per page (only used when listing)"}],"responses":{"200":{"description":"Role(s) retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single role response","properties":{"uuid":{"type":"string"},"access_group_fk_id":{"type":"integer"},"application_role_fk_id":{"type":"integer"}}},{"type":"object","description":"Multiple roles response","properties":{"roles":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string"},"access_group_fk_id":{"type":"integer"},"application_role_fk_id":{"type":"integer"}}}},"total":{"type":"integer"},"page":{"type":"integer"},"pageSize":{"type":"integer"},"totalPages":{"type":"integer"}}}]}}}},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"put":{"tags":["AccessGroupRoles"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_group_roles:update:assigned","description":"Permitted to update role assignments on access groups","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_group_roles","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update a role","description":"Updates an existing role by its 
UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Role UUID to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","description":"Fields to update on the access group role (UUID-based)","properties":{"access_group_uuid":{"type":"string"},"application_role_uuid":{"type":"string"}}},"examples":{"changeAccessGroup":{"summary":"Update only access group","value":{"access_group_uuid":"11111111-1111-1111-1111-111111111111"}},"changeApplicationRole":{"summary":"Update only application role","value":{"application_role_uuid":"22222222-2222-2222-2222-222222222222"}}}}}},"responses":{"200":{"description":"Role updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"role":{"type":"object","properties":{"uuid":{"type":"string"},"access_group_fk_id":{"type":"integer"},"application_role_fk_id":{"type":"integer"}}}}}}}},"400":{"description":"Missing role UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["AccessGroupRoles"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_group_roles:delete:assigned","description":"Permitted to remove role assignments from access groups","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_group_roles","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete a role","description":"Deletes a role by its UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Role UUID to delete"}],"responses":{"200":{"description":"Role deleted successfully","content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}}},"400":{"description":"Missing role UUID"},"500":{"description":"Server 
error"}}}},"/api/organizations/access-groups":{"get":{"tags":["AccessGroups"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_groups:read:assigned","description":"Permitted to view organization access groups","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_groups","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get access groups","description":"Retrieves access groups - either a specific group by UUID or all groups (paginated) optionally filtered by organization.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional access group UUID to get a specific access group. If not provided, returns all access groups."},{"in":"query","name":"organization_fk_id","schema":{"type":"integer"},"description":"Optional organization ID to filter access groups by organization when listing"},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (only used when getting all access groups)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":10},"description":"Number of items per page (only used when getting all access groups)"}],"responses":{"200":{"description":"Access groups retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single access group response","properties":{"uuid":{"type":"string"},"group_name":{"type":"string"},"group_description":{"type":"string","nullable":true},"access_type":{"type":"string"},"managed_by":{"type":"string"},"informational_object":{"nullable":true}}},{"type":"object","description":"Multiple access groups 
response","properties":{"accessGroups":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string"},"group_name":{"type":"string"},"group_description":{"type":"string","nullable":true},"access_type":{"type":"string"},"managed_by":{"type":"string"},"informational_object":{"nullable":true}}}},"total":{"type":"integer"},"page":{"type":"integer"},"pageSize":{"type":"integer"},"totalPages":{"type":"integer"}}}]}}}},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"put":{"tags":["AccessGroups"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_groups:update:assigned","description":"Permitted to update organization access groups","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_groups","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update an access group","description":"Updates an existing access group by its UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Access group UUID to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"group_name":{"type":"string"},"group_description":{"type":"string","nullable":true},"parent_access_group_fk_id":{"type":"integer","nullable":true,"description":"Internal ID of parent access group (subject to future UUID support)"}}}}}},"responses":{"200":{"description":"Access group updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"accessGroup":{"type":"object","properties":{"uuid":{"type":"string"},"group_name":{"type":"string"},"group_description":{"type":"string","nullable":true},"access_type":{"type":"string"},"managed_by":{"type":"string"},"informational_object":{"nullable":true}}}}}}}},"400":{"description":"Missing access group UUID or invalid 
data"},"500":{"description":"Server error"}}},"delete":{"tags":["AccessGroups"],"x-endpoint-category":"Access Groups","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"access_groups:delete:assigned","description":"Permitted to delete organization access groups","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"access_groups","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete an access group","description":"Deletes an access group by its UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Access group UUID to delete"}],"responses":{"200":{"description":"Access group deleted successfully","content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}}},"400":{"description":"Missing access group UUID"},"500":{"description":"Server error"}}}},"/api/organizations/authentication-policies/magic-links":{"get":{"tags":["MagicLinkPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"magic_link_policies:read:assigned","description":"Permitted to view magic link authentication policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"magic_link_policies","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get magic link policies","description":"Retrieves a specific policy by UUID or lists policies by organization.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional policy UUID to fetch a specific policy"},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Organization UUID filter when 
listing"},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":10}}],"responses":{"200":{"description":"Policies retrieved"},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"post":{"tags":["MagicLinkPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"magic_link_policies:create:assigned","description":"Permitted to create magic link authentication policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"magic_link_policies","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create a magic link policy","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["organization_uuid","default","enabled","expiration_time","one_time_use","guest_use_only"],"properties":{"organization_uuid":{"type":"string"},"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"expiration_time":{"type":"integer"},"one_time_use":{"type":"boolean"},"guest_use_only":{"type":"boolean"}}},"examples":{"defaultPolicy":{"summary":"Create default magic link policy","value":{"organization_uuid":"11111111-1111-1111-1111-111111111111","policy_name":"Default Magic Link Policy","policy_description":"Email-based login","default":true,"enabled":true,"expiration_time":120,"one_time_use":true,"guest_use_only":false}}}}}},"responses":{"201":{"description":"Policy created"},"400":{"description":"Invalid policy data"},"500":{"description":"Server error"}}},"put":{"tags":["MagicLinkPolicies"],"x-endpoint-category":"Authentication 
Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"magic_link_policies:update:assigned","description":"Permitted to update magic link authentication policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"magic_link_policies","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update a magic link policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"expiration_time":{"type":"integer"},"one_time_use":{"type":"boolean"},"guest_use_only":{"type":"boolean"}}}}}},"responses":{"200":{"description":"Policy updated"},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["MagicLinkPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"magic_link_policies:delete:assigned","description":"Permitted to delete magic link authentication policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"magic_link_policies","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete a magic link policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Policy deleted"},"400":{"description":"Missing UUID"},"500":{"description":"Server error"}}}},"/api/organizations/authentication-policies/passwords":{"get":{"tags":["PasswordPolicies"],"x-endpoint-category":"Authentication 
Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"password_policies:read:assigned","description":"Permitted to view password authentication policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"password_policies","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get password policies","description":"Retrieves a specific policy by UUID or lists policies by organization.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional policy UUID to fetch a specific policy"},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Organization UUID filter when listing"},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":10}}],"responses":{"200":{"description":"Policies retrieved"},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"post":{"tags":["PasswordPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"password_policies:create:assigned","description":"Permitted to create password authentication policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"password_policies","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create a password 
policy","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["organization_uuid","default","enabled","minimum_length","maxiumum_length","require_upper","require_lower","require_number","require_symbol","minimum_password_strength","password_history_count","password_age","failed_login_attempts","lockout_duration","require_admin_reset"],"properties":{"organization_uuid":{"type":"string"},"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"minimum_length":{"type":"integer"},"maxiumum_length":{"type":"integer"},"require_upper":{"type":"boolean"},"require_lower":{"type":"boolean"},"require_number":{"type":"boolean"},"require_symbol":{"type":"boolean"},"minimum_password_strength":{"type":"string"},"password_history_count":{"type":"integer"},"password_age":{"type":"integer"},"failed_login_attempts":{"type":"integer"},"lockout_duration":{"type":"integer"},"require_admin_reset":{"type":"boolean"}}},"examples":{"defaultPolicy":{"summary":"Create default password policy","value":{"organization_uuid":"11111111-1111-1111-1111-111111111111","policy_name":"Default Password Policy","policy_description":"Strong defaults","default":true,"enabled":true,"minimum_length":8,"maxiumum_length":128,"require_upper":true,"require_lower":true,"require_number":true,"require_symbol":true,"minimum_password_strength":"weak","password_history_count":5,"password_age":90,"failed_login_attempts":5,"lockout_duration":10,"require_admin_reset":false}}}}}},"responses":{"201":{"description":"Policy created"},"400":{"description":"Invalid policy data"},"500":{"description":"Server error"}}},"put":{"tags":["PasswordPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"password_policies:update:assigned","description":"Permitted to update password 
authentication policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"password_policies","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update a password policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"minimum_length":{"type":"integer"},"maxiumum_length":{"type":"integer"},"require_upper":{"type":"boolean"},"require_lower":{"type":"boolean"},"require_number":{"type":"boolean"},"require_symbol":{"type":"boolean"},"minimum_password_strength":{"type":"string"},"password_history_count":{"type":"integer"},"password_age":{"type":"integer"},"failed_login_attempts":{"type":"integer"},"lockout_duration":{"type":"integer"},"require_admin_reset":{"type":"boolean"}}}}}},"responses":{"200":{"description":"Policy updated"},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["PasswordPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"password_policies:delete:assigned","description":"Permitted to delete password authentication policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"password_policies","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete a password policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Policy deleted"},"400":{"description":"Missing UUID"},"500":{"description":"Server 
error"}}}},"/api/organizations/authentication-policies/platform-mfa":{"get":{"tags":["PlatformMfaPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"platform_mfa_policies:read:assigned","description":"Permitted to view platform MFA policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"platform_mfa_policies","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get platform MFA policies","description":"Retrieves a specific policy by UUID or lists policies by organization.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional policy UUID to fetch a specific policy"},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Organization UUID filter when listing"},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":10}}],"responses":{"200":{"description":"Policies retrieved"},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"post":{"tags":["PlatformMfaPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"platform_mfa_policies:create:assigned","description":"Permitted to create platform MFA policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"platform_mfa_policies","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create a platform MFA 
policy","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["organization_uuid","default","enabled","require_mfa","mfa_methods","remember_device_days","bypass_mfa_for_trusted_ips"],"properties":{"organization_uuid":{"type":"string"},"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"require_mfa":{"type":"boolean"},"mfa_methods":{"type":"array","items":{"type":"string"}},"remember_device_days":{"type":"integer"},"bypass_mfa_for_trusted_ips":{"type":"boolean"}}},"examples":{"defaultPolicy":{"summary":"Create default platform MFA policy","value":{"organization_uuid":"11111111-1111-1111-1111-111111111111","policy_name":"Default MFA Policy","policy_description":"Platform MFA","default":true,"enabled":true,"require_mfa":false,"mfa_methods":["authenticator","sms","email"],"remember_device_days":30,"bypass_mfa_for_trusted_ips":false}}}}}},"responses":{"201":{"description":"Policy created"},"400":{"description":"Invalid policy data"},"500":{"description":"Server error"}}},"put":{"tags":["PlatformMfaPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"platform_mfa_policies:update:assigned","description":"Permitted to update platform MFA policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"platform_mfa_policies","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update a platform MFA 
policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"require_mfa":{"type":"boolean"},"mfa_methods":{"type":"array","items":{"type":"string"}},"remember_device_days":{"type":"integer"},"bypass_mfa_for_trusted_ips":{"type":"boolean"}}}}}},"responses":{"200":{"description":"Policy updated"},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["PlatformMfaPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"platform_mfa_policies:delete:assigned","description":"Permitted to delete platform MFA policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"platform_mfa_policies","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete a platform MFA policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Policy deleted"},"400":{"description":"Missing UUID"},"500":{"description":"Server error"}}}},"/api/organizations/authentication-policies/restrictions/ip/ranges":{"get":{"tags":["IPRestrictionRanges"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"ip_ranges:read:assigned","description":"Permitted to view IP ranges in restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"ip_ranges","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get IP restriction 
ranges","description":"Retrieves a specific range by UUID or lists ranges by policy UUID.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional range UUID to fetch a specific range"},{"in":"query","name":"policy_uuid","schema":{"type":"string"},"description":"Policy UUID to list ranges for"},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":10}}],"responses":{"200":{"description":"Ranges retrieved"},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"post":{"tags":["IPRestrictionRanges"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"ip_ranges:create:assigned","description":"Permitted to add IP ranges to restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"ip_ranges","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create an IP restriction range","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["ip_restriction_policy_uuid","organization_uuid","restriction_name","cidrs","allowed"],"properties":{"ip_restriction_policy_uuid":{"type":"string"},"organization_uuid":{"type":"string"},"restriction_name":{"type":"string"},"restriction_description":{"type":"string"},"cidrs":{"type":"string","description":"Comma-separated CIDR list"},"allowed":{"type":"boolean"}}},"examples":{"allowCorpCIDRs":{"summary":"Allow corp networks","value":{"ip_restriction_policy_uuid":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb","organization_uuid":"11111111-1111-1111-1111-111111111111","restriction_name":"Corp networks","restriction_description":"Allow traffic from corp CIDRs","cidrs":"10.0.0.0/8,192.168.0.0/16","allowed":true}}}}}},"responses":{"201":{"description":"Range 
created"},"400":{"description":"Invalid data"},"500":{"description":"Server error"}}},"put":{"tags":["IPRestrictionRanges"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"ip_ranges:update:assigned","description":"Permitted to update IP ranges in restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"ip_ranges","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update an IP restriction range","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"restriction_name":{"type":"string"},"restriction_description":{"type":"string"},"cidrs":{"type":"string"},"allowed":{"type":"boolean"}}}}}},"responses":{"200":{"description":"Range updated"},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["IPRestrictionRanges"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"ip_ranges:delete:assigned","description":"Permitted to remove IP ranges from restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"ip_ranges","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete an IP restriction range","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Range deleted"},"400":{"description":"Missing UUID"},"500":{"description":"Server error"}}}},"/api/organizations/authentication-policies/restrictions/ip":{"get":{"tags":["IPRestrictionPolicies"],"x-endpoint-category":"Authentication 
Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"ip_restriction_policies:read:assigned","description":"Permitted to view IP restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"ip_restriction_policies","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get IP restriction policies","description":"Retrieves a specific policy by UUID or lists policies by organization.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional policy UUID to fetch a specific policy"},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Organization UUID filter when listing"},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":10}}],"responses":{"200":{"description":"Policies retrieved"},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"post":{"tags":["IPRestrictionPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"ip_restriction_policies:create:assigned","description":"Permitted to create IP restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"ip_restriction_policies","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create an IP restriction 
policy","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["organization_uuid","default","enabled","lock_token_to_issued_ip"],"properties":{"organization_uuid":{"type":"string"},"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"lock_token_to_issued_ip":{"type":"boolean"}}},"examples":{"defaultPolicy":{"summary":"Create default IP policy","value":{"organization_uuid":"11111111-1111-1111-1111-111111111111","policy_name":"Default IP Policy","policy_description":"Default IP restrictions","default":true,"enabled":false,"lock_token_to_issued_ip":false}}}}}},"responses":{"201":{"description":"Policy created"},"400":{"description":"Invalid policy data"},"500":{"description":"Server error"}}},"put":{"tags":["IPRestrictionPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"ip_restriction_policies:update:assigned","description":"Permitted to update IP restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"ip_restriction_policies","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update an IP restriction policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"lock_token_to_issued_ip":{"type":"boolean"}}}}}},"responses":{"200":{"description":"Policy updated"},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server 
error"}}},"delete":{"tags":["IPRestrictionPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"ip_restriction_policies:delete:assigned","description":"Permitted to delete IP restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"ip_restriction_policies","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete an IP restriction policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Policy deleted"},"400":{"description":"Missing UUID"},"500":{"description":"Server error"}}}},"/api/organizations/authentication-policies/restrictions/time/ranges":{"get":{"tags":["TimeRestrictionRanges"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"time_ranges:read:assigned","description":"Permitted to view time ranges in restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"time_ranges","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get time restriction ranges","description":"Retrieves a specific range by UUID or lists ranges by policy UUID.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional range UUID to fetch a specific range"},{"in":"query","name":"policy_uuid","schema":{"type":"string"},"description":"Policy UUID to list ranges for"},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":10}}],"responses":{"200":{"description":"Ranges retrieved"},"400":{"description":"Bad request"},"500":{"description":"Server 
error"}}},"post":{"tags":["TimeRestrictionRanges"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"time_ranges:create:assigned","description":"Permitted to add time ranges to restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"time_ranges","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create a time restriction range","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["time_restriction_policy_uuid","organization_uuid","restriction_name","start_time_utc","end_time_utc"],"properties":{"time_restriction_policy_uuid":{"type":"string"},"organization_uuid":{"type":"string"},"restriction_name":{"type":"string"},"restriction_description":{"type":"string"},"start_time_utc":{"type":"string","description":"HH:MM:SS"},"end_time_utc":{"type":"string","description":"HH:MM:SS"},"weekday":{"type":"integer","nullable":true,"description":"0=Sunday..6=Saturday"}}},"examples":{"businessHours":{"summary":"Weekday business hours","value":{"time_restriction_policy_uuid":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","organization_uuid":"11111111-1111-1111-1111-111111111111","restriction_name":"Business Hours","restriction_description":"9-5 on weekdays","start_time_utc":"09:00:00","end_time_utc":"17:00:00","weekday":null}}}}}},"responses":{"201":{"description":"Range created"},"400":{"description":"Invalid data"},"500":{"description":"Server error"}}},"put":{"tags":["TimeRestrictionRanges"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"time_ranges:update:assigned","description":"Permitted to update time ranges in restriction 
policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"time_ranges","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update a time restriction range","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"restriction_name":{"type":"string"},"restriction_description":{"type":"string"},"start_time_utc":{"type":"string","description":"HH:MM:SS"},"end_time_utc":{"type":"string","description":"HH:MM:SS"},"weekday":{"type":"integer","nullable":true}}}}}},"responses":{"200":{"description":"Range updated"},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["TimeRestrictionRanges"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"time_ranges:delete:assigned","description":"Permitted to remove time ranges from restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"time_ranges","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete a time restriction range","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Range deleted"},"400":{"description":"Missing UUID"},"500":{"description":"Server error"}}}},"/api/organizations/authentication-policies/restrictions/time":{"get":{"tags":["TimeRestrictionPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"time_restriction_policies:read:assigned","description":"Permitted to view time restriction 
policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"time_restriction_policies","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get time restriction policies","description":"Retrieves a specific policy by UUID or lists policies by organization.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional policy UUID to fetch a specific policy"},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Organization UUID filter when listing"},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":10}}],"responses":{"200":{"description":"Policies retrieved"},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"post":{"tags":["TimeRestrictionPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"time_restriction_policies:create:assigned","description":"Permitted to create time restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"time_restriction_policies","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create a time restriction policy","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["organization_uuid","default","enabled"],"properties":{"organization_uuid":{"type":"string"},"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"}}},"examples":{"defaultPolicy":{"summary":"Create default policy","value":{"organization_uuid":"11111111-1111-1111-1111-111111111111","policy_name":"Default Time Policy","policy_description":"Standard 
hours","default":true,"enabled":false}}}}}},"responses":{"201":{"description":"Policy created"},"400":{"description":"Invalid policy data"},"500":{"description":"Server error"}}},"put":{"tags":["TimeRestrictionPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"time_restriction_policies:update:assigned","description":"Permitted to update time restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"time_restriction_policies","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update a time restriction policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"}}}}}},"responses":{"200":{"description":"Policy updated"},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["TimeRestrictionPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"time_restriction_policies:delete:assigned","description":"Permitted to delete time restriction policy","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"time_restriction_policies","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete a time restriction policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Policy deleted"},"400":{"description":"Missing UUID"},"500":{"description":"Server 
error"}}}},"/api/organizations/authentication-policies":{"get":{"tags":["AuthenticationPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"auth_policies:read:assigned","description":"Permitted to view organization authentication policies","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"auth_policies","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get authentication policies","description":"Retrieves a specific policy by UUID (with sub-policies) or lists policies by organization.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional policy UUID to fetch a specific policy"},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Organization UUID filter when listing"},{"in":"query","name":"page","schema":{"type":"integer","default":1}},{"in":"query","name":"pageSize","schema":{"type":"integer","default":10}}],"responses":{"200":{"description":"Policies retrieved"},"400":{"description":"Bad request"},"500":{"description":"Server error"}}},"post":{"tags":["AuthenticationPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"auth_policies:create:assigned","description":"Permitted to create organization authentication policies","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"auth_policies","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create an authentication 
policy","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["organization_uuid","default","enabled","block_login","guest_policy","restrict_to_saml","precedence"],"properties":{"organization_uuid":{"type":"string"},"policy_name":{"type":"string","nullable":true},"policy_description":{"type":"string","nullable":true},"default":{"type":"boolean"},"enabled":{"type":"boolean"},"block_login":{"type":"boolean"},"guest_policy":{"type":"boolean"},"restrict_to_saml":{"type":"boolean"},"precedence":{"type":"integer"},"password_policy_uuid":{"type":"string","nullable":true},"magic_link_policy_uuid":{"type":"string","nullable":true},"ip_restriction_policy_uuid":{"type":"string","nullable":true},"time_restriction_policy_uuid":{"type":"string","nullable":true},"platform_mfa_policy_uuid":{"type":"string","nullable":true}}},"examples":{"example":{"summary":"Create auth policy with selected sub-policies","value":{"organization_uuid":"11111111-1111-1111-1111-111111111111","policy_name":"Primary Auth Policy","policy_description":"Main login policy","default":false,"enabled":true,"block_login":false,"guest_policy":false,"restrict_to_saml":false,"precedence":5,"password_policy_uuid":null,"magic_link_policy_uuid":null,"ip_restriction_policy_uuid":null,"time_restriction_policy_uuid":null,"platform_mfa_policy_uuid":null}}}}}},"responses":{"201":{"description":"Policy created, returns { uuid }"},"400":{"description":"Invalid policy data"},"500":{"description":"Server error"}}},"put":{"tags":["AuthenticationPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"auth_policies:update:assigned","description":"Permitted to update organization authentication 
policies","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"auth_policies","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update an authentication policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UpdateAuthenticationPolicy"}}}},"responses":{"200":{"description":"Policy updated"},"400":{"description":"Missing UUID or invalid data"},"500":{"description":"Server error"}}},"delete":{"tags":["AuthenticationPolicies"],"x-endpoint-category":"Authentication Policies","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"auth_policies:delete:assigned","description":"Permitted to delete organization authentication policies","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"auth_policies","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete an authentication policy","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Policy deleted"},"400":{"description":"Missing UUID"},"500":{"description":"Server error"}}}},"/api/organizations/check-tenant-status":{"post":{"tags":["Organization Tenant Status"],"x-endpoint-category":"Organization Management","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"tenant_status:execute:all","description":"Permitted to check organization tenant provisioning status","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"tenant_status","operation":"execute","scope":"all","birthright":false,"type":"platform"}],"summary":"Poll tenant-manager to check provisioning 
state","responses":{"200":{"description":"Success"}}}},"/api/organizations/contacts":{"get":{"tags":["Organization Contacts"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_contacts:read:assigned","description":"Permitted to view organization contacts","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_contacts","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get organization contacts","responses":{"200":{"description":"Success"}}},"post":{"tags":["Organization Contacts"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_contacts:create:assigned","description":"Permitted to create organization contacts","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_contacts","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create an organization contact","responses":{"200":{"description":"Success"}}},"put":{"tags":["Organization Contacts"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_contacts:update:assigned","description":"Permitted to update organization contacts","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_contacts","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update an organization contact","responses":{"200":{"description":"Success"}}},"delete":{"tags":["Organization Contacts"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_contacts:delete:assigned","description":"Permitted to delete organization 
contacts","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_contacts","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete an organization contact","responses":{"200":{"description":"Success"}}}},"/api/organizations/cron/updateCount":{"post":{"tags":["Organizations"],"x-endpoint-category":"System","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_counts:create:all","description":"Permitted to trigger organization count updates via cron","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"org_counts","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Update organization counts","description":"Executes a database function to validate and update organization counts. If UUID is provided, updates a specific organization. If no UUID is provided, updates all organizations.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional organization UUID to update count for a specific organization. 
If not provided, updates all organizations."}],"responses":{"200":{"description":"Organization counts updated successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single organization update response","properties":{"success":{"type":"boolean","description":"Whether the operation was successful"},"message":{"type":"string","description":"Success message"},"organizationUuid":{"type":"string","description":"UUID of the updated organization"},"updatedCount":{"type":"integer","description":"Number of sub-organizations counted"}}},{"type":"object","description":"Bulk update response","properties":{"success":{"type":"boolean","description":"Whether the operation was successful"},"message":{"type":"string","description":"Success message"},"updatedCount":{"type":"integer","description":"Number of organizations updated"}}}]}}}},"400":{"description":"Bad request (e.g., invalid UUID format)"},"404":{"description":"Organization not found"},"500":{"description":"Server error or database function error","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string","description":"Error message"}}}}}}}}},"/api/organizations/cron/updateHierarchy":{"post":{"tags":["Organizations"],"x-endpoint-category":"System","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_hierarchy:create:all","description":"Permitted to trigger organization hierarchy updates via cron","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"org_hierarchy","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Update organization hierarchy","description":"Executes a database function to validate and update organization hierarchy. If UUID is provided, updates a specific organization. 
If no UUID is provided, updates all organizations.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional organization UUID to update hierarchy for a specific organization. If not provided, updates all organizations."}],"responses":{"200":{"description":"Organization hierarchy updated successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single organization update response","properties":{"success":{"type":"boolean","description":"Whether the operation was successful"},"message":{"type":"string","description":"Success message"},"organizationUuid":{"type":"string","description":"UUID of the updated organization"},"updatedCount":{"type":"integer","description":"Number of hierarchy levels updated"}}},{"type":"object","description":"Bulk update response","properties":{"success":{"type":"boolean","description":"Whether the operation was successful"},"message":{"type":"string","description":"Success message"},"updatedCount":{"type":"integer","description":"Number of organizations updated"}}}]}}}},"400":{"description":"Bad request (e.g., invalid UUID format)"},"404":{"description":"Organization not found"},"500":{"description":"Server error or database function error","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string","description":"Error message"}}}}}}}}},"/api/organizations/discovered-users":{"get":{"tags":["Organizations"],"x-endpoint-category":"Organization Management","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"discovered_users:read:assigned","description":"Permitted to view discovered users matching organization domain","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"discovered_users","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get discovered users for an organization","description":"Returns users whose 
email domain matches a validated managed domain for the organization, but who are not members and not managed by it.","parameters":[{"in":"query","name":"organization_uuid","required":true,"schema":{"type":"string"},"description":"UUID of the organization"}],"responses":{"200":{"description":"Discovered users retrieved successfully"},"400":{"description":"Missing organization_uuid parameter"},"500":{"description":"Server error"}}}},"/api/organizations/members/mfa":{"delete":{"tags":["Member MFA Admin"],"x-endpoint-category":"Organization Management","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"member_mfa:manage:assigned","description":"Permitted to reset MFA for managed organization members","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"member_mfa","operation":"manage","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Admin reset MFA for managed organization members","responses":{"200":{"description":"Success"}}}},"/api/organizations/membership":{"get":{"tags":["OrganizationMembership"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_members:read:assigned","description":"Permitted to view organization membership list","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_members","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get members of an organization","description":"Retrieves all user memberships for a given organization by its UUID. Returns active members by default; set include_inactive=true to include inactive memberships. 
Each membership includes the user's UUID, email, first name, and last name.","parameters":[{"in":"query","name":"organization_uuid","required":true,"schema":{"type":"string"},"description":"UUID of the organization to get members for"},{"in":"query","name":"include_inactive","schema":{"type":"boolean","default":false},"description":"Whether to include inactive memberships"}],"responses":{"200":{"description":"Organization memberships retrieved successfully","content":{"application/json":{"schema":{"type":"object","properties":{"memberships":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string","description":"Membership UUID"},"user_uuid":{"type":"string","description":"UUID of the member user"},"user_email":{"type":"string","description":"Email address of the member"},"user_first_name":{"type":"string","nullable":true,"description":"First name of the member"},"user_last_name":{"type":"string","nullable":true,"description":"Last name of the member"},"is_enabled":{"type":"boolean"},"expires":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time","nullable":true},"last_seen_date":{"type":"string","format":"date-time","nullable":true}}}},"total":{"type":"integer"}}}}}},"400":{"description":"Missing organization_uuid parameter"},"404":{"description":"Organization not found"},"500":{"description":"Server error"}}},"post":{"tags":["OrganizationMembership"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_members:create:assigned","description":"Permitted to add users to an organization","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_members","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Add a user to an organization","description":"Creates a new membership associating a user with an organization. 
Accepts UUIDs and resolves them to internal IDs.","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["user_uuid","organization_uuid"],"properties":{"user_uuid":{"type":"string","description":"UUID of the user to add"},"organization_uuid":{"type":"string","description":"UUID of the organization"},"is_enabled":{"type":"boolean","description":"Whether the membership is enabled","default":true},"expires":{"type":"boolean","description":"Whether the membership expires","default":false},"expires_at":{"type":"string","format":"date-time","nullable":true,"description":"Optional expiration timestamp (ISO 8601)"}}},"examples":{"basic":{"summary":"Basic membership","value":{"user_uuid":"11111111-1111-1111-1111-111111111111","organization_uuid":"22222222-2222-2222-2222-222222222222"}},"withExpiration":{"summary":"Membership with expiration","value":{"user_uuid":"11111111-1111-1111-1111-111111111111","organization_uuid":"22222222-2222-2222-2222-222222222222","expires":true,"expires_at":"2026-12-31T23:59:59.000Z"}}}}}},"responses":{"201":{"description":"Membership created successfully","content":{"application/json":{"schema":{"type":"object","properties":{"membershipUuid":{"type":"string","description":"UUID of the created membership"}}}}}},"400":{"description":"Missing required fields or invalid data"},"404":{"description":"User or organization not found"},"500":{"description":"Server error"}}},"patch":{"tags":["OrganizationMembership"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_members:manage:assigned","description":"Permitted to toggle managed status on organization members","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_members","operation":"manage","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Toggle managed status for a user in an 
organization","description":"Sets or clears the managed_organization_fk_id on a user to toggle their managed status within an organization.","parameters":[{"in":"query","name":"user_uuid","required":true,"schema":{"type":"string"},"description":"UUID of the user to update"},{"in":"query","name":"organization_uuid","required":true,"schema":{"type":"string"},"description":"UUID of the organization"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["is_managed"],"properties":{"is_managed":{"type":"boolean","description":"Whether the user should be managed by this organization"}}}}}},"responses":{"200":{"description":"Managed status updated successfully"},"400":{"description":"Missing required parameters"},"404":{"description":"User or organization not found"},"500":{"description":"Server error"}}},"delete":{"tags":["Organization Membership"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_members:delete:assigned","description":"Permitted to remove users from an organization","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_members","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Remove a membership by UUID","description":"Removes an organization membership. 
Blocks deletion if the member is the sole owner of the organization.","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Membership UUID to delete"}],"responses":{"200":{"description":"Membership removed successfully"},"403":{"description":"Cannot remove sole owner"},"404":{"description":"Membership not found"}}},"put":{"tags":["Organization Membership"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_members:update:assigned","description":"Permitted to update organization membership details","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_members","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update a membership","description":"Updates an organization membership (toggle enabled, set expiration)","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Membership UUID to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"is_enabled":{"type":"boolean"},"expires_at":{"type":"string","format":"date-time","nullable":true}}}}}},"responses":{"200":{"description":"Membership updated successfully"},"400":{"description":"Missing uuid parameter"},"404":{"description":"Membership not found"}}}},"/api/organizations":{"get":{"tags":["Organizations"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Get organizations","description":"Retrieves organizations - either all organizations (paginated) or a specific organization by UUID","x-permissions":[{"name":"organizations:read:own","description":"Permitted to get details of organization with 
membership","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"organizations","operation":"read","scope":"own","birthright":false,"type":"platform"},{"name":"organizations:read:all","description":"Permitted to get details of all organizations without membership","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"organizations","operation":"read","scope":"all","birthright":false,"type":"platform"}],"parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional organization UUID to get a specific organization. If not provided, returns all organizations."},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (only used when getting all organizations)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":10},"description":"Number of items per page (only used when getting all organizations)"}],"responses":{"200":{"description":"Organizations retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single organization response","properties":{"organization":{"type":"object","properties":{"uuid":{"type":"string"},"name":{"type":"string"},"description":{"type":"string"},"address":{"type":"string"},"is_service_provider":{"type":"boolean"},"is_archive":{"type":"boolean"}}}}},{"type":"object","description":"Multiple organizations response","properties":{"organizations":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string"},"name":{"type":"string"},"description":{"type":"string"},"address":{"type":"string"},"is_service_provider":{"type":"boolean"},"is_archive":{"type":"boolean"}}}},"total":{"type":"integer","description":"Total number of organizations"},"page":{"type":"integer","description":"Current page number"},"pageSize":{"type":"integer","description":"Number of items per 
page"},"totalPages":{"type":"integer","description":"Total number of pages"}}}]}}}},"400":{"description":"Bad request (e.g., missing required parameters)"},"500":{"description":"Server error"}}},"post":{"tags":["Organizations"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Create a new organization","description":"Creates a new organization with the provided details","x-permissions":[{"name":"organizations:create:all","description":"Permitted to create new organizations","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"organizations","operation":"create","scope":"all","birthright":false,"type":"platform"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["name"],"properties":{"name":{"type":"string","description":"Organization name"},"description":{"type":"string","description":"Organization description"},"address":{"type":"string","description":"Organization address"},"is_service_provider":{"type":"boolean","description":"Whether the organization is a service provider"},"is_archive":{"type":"boolean","description":"Whether the organization is archived"}}}}}},"responses":{"201":{"description":"Organization created successfully","content":{"application/json":{"schema":{"type":"object","properties":{"organizationId":{"type":"integer","description":"ID of the created organization"},"organizationUuid":{"type":"string","description":"UUID of the created organization"}}}}}},"400":{"description":"Invalid organization data"},"500":{"description":"Server error"}}},"delete":{"tags":["Organizations"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Delete an organization","description":"Deletes an organization by its UUID","x-permissions":[{"name":"organizations:delete:own","description":"Permitted to delete 
organizations with membership","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"organizations","operation":"delete","scope":"own","birthright":false,"type":"platform"},{"name":"organizations:delete:all","description":"Permitted to delete any organization","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"organizations","operation":"delete","scope":"all","birthright":false,"type":"platform"}],"parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Organization UUID to delete"}],"responses":{"200":{"description":"Organization deleted successfully","content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}}},"400":{"description":"Missing organization UUID"},"500":{"description":"Server error"}}}},"/api/organizations/sessions":{"get":{"tags":["Organization Sessions"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_sessions:read:all","description":"Permitted to view session history for organization members","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_sessions","operation":"read","scope":"all","birthright":false,"type":"tenant"}],"summary":"Get managed user sessions and organization sessions for an organization","responses":{"200":{"description":"Success"}}},"delete":{"tags":["Organization Sessions"],"x-endpoint-category":"Organization Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"org_sessions:delete:all","description":"Permitted to revoke sessions for organization members","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"org_sessions","operation":"delete","scope":"all","birthright":false,"type":"tenant"}],"summary":"Revoke a platform or 
organization session (org admin)","responses":{"200":{"description":"Success"}}}},"/api/organizations/validated-domains":{"get":{"tags":["Validated Domains"],"x-endpoint-category":"Organization Management","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"validated_domains:read:assigned","description":"Permitted to view organization validated domains","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"validated_domains","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get validated domains","description":"Retrieves validated domains - either all domains for an organization or a specific domain by name","parameters":[{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Organization UUID to get domains for (required if domain not provided)"},{"in":"query","name":"domain","schema":{"type":"string"},"description":"Specific domain name to retrieve (optional)"}],"responses":{"200":{"description":"Domains retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single domain response","properties":{"domain":{"type":"object","properties":{"uuid":{"type":"string"},"organization_fk_id":{"type":"integer"},"domain":{"type":"string"},"validation_text":{"type":"object","properties":{"name":{"type":"string"},"content":{"type":"string"}}},"validated":{"type":"boolean"},"validated_on":{"type":"string","format":"date-time"}}}}},{"type":"object","description":"Multiple domains response","properties":{"domains":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string"},"organization_fk_id":{"type":"integer"},"domain":{"type":"string"},"validation_text":{"type":"object"},"validated":{"type":"boolean"},"validated_on":{"type":"string","format":"date-time"}}}}}}]}}}},"400":{"description":"Bad request (e.g., missing required 
parameters)"},"404":{"description":"Domain or organization not found"},"500":{"description":"Server error"}}},"post":{"tags":["Validated Domains"],"x-endpoint-category":"Organization Management","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"validated_domains:create:assigned","description":"Permitted to add validated domains to an organization","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"validated_domains","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Add a domain to an organization","description":"Adds a new domain to an organization for validation. The validation_text will be automatically generated.","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["domain","organization_uuid"],"properties":{"domain":{"type":"string","description":"Domain name to add (e.g., example.com)","pattern":"^[A-Za-z0-9._-]+\\.[A-Za-z]{2,}$"},"organization_uuid":{"type":"string","description":"Organization UUID to add the domain to","format":"uuid"}}}}}},"responses":{"201":{"description":"Domain added successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":true},"domain":{"type":"object","properties":{"uuid":{"type":"string"},"organization_fk_id":{"type":"integer"},"domain":{"type":"string"},"validation_text":{"type":"object","properties":{"name":{"type":"string","example":"_auditbeam_domain_validation.example.com"},"content":{"type":"string","example":"550e8400-e29b-41d4-a716-44665544000020241201143022"}}},"validated":{"type":"boolean","example":false},"validated_on":{"type":"string","format":"date-time","nullable":true}}}}}}}},"400":{"description":"Invalid domain data or domain already 
exists","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":false},"error":{"type":"string","example":"Domain 'example.com' is already in use by another organization."}}}}}},"500":{"description":"Server error"}}},"delete":{"tags":["Validated Domains"],"x-endpoint-category":"Organization Management","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"validated_domains:delete:assigned","description":"Permitted to remove validated domains from an organization","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"validated_domains","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete a validated domain","description":"Deletes a domain validation record by domain name","parameters":[{"in":"query","name":"domain","required":true,"schema":{"type":"string"},"description":"Domain name to delete (e.g., example.com)"}],"responses":{"200":{"description":"Domain deleted successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":true},"domain":{"type":"object","description":"The deleted domain record"}}}}}},"400":{"description":"Missing domain parameter"},"404":{"description":"Domain not found"},"500":{"description":"Server error"}}},"patch":{"tags":["Validated Domains"],"x-endpoint-category":"Organization Management","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"validated_domains:execute:assigned","description":"Permitted to update domain validation status","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"validated_domains","operation":"execute","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update domain validation status","description":"Updates the validation status of a 
domain","parameters":[{"in":"query","name":"domain","required":true,"schema":{"type":"string"},"description":"Domain name to update (e.g., example.com)"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["validated"],"properties":{"validated":{"type":"boolean","description":"New validation status"},"validated_on":{"type":"string","format":"date-time","description":"Optional validation date (defaults to current time)"}}}}}},"responses":{"200":{"description":"Domain validation status updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":true},"domain":{"type":"object","description":"The updated domain record"}}}}}},"400":{"description":"Missing domain parameter or invalid data"},"404":{"description":"Domain not found"},"500":{"description":"Server error"}}},"put":{"tags":["Validated Domains"],"x-endpoint-category":"Organization Management","x-admin-endpoint":true,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"validated_domains:update:assigned","description":"Permitted to update organization validated domains","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"validated_domains","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Validate a domain by checking TXT records","description":"Validates a domain by checking if the required TXT record exists and matches the expected content","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Domain validation record UUID to validate"}],"responses":{"200":{"description":"Domain validated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":true},"domain":{"type":"object","description":"The validated domain 
record","properties":{"uuid":{"type":"string"},"organization_fk_id":{"type":"integer"},"domain":{"type":"string"},"validation_text":{"type":"object","properties":{"name":{"type":"string","example":"_auditbeam_domain_validation.example.com"},"content":{"type":"string","example":"550e8400-e29b-41d4-a716-44665544000020241201143022"}}},"validated":{"type":"boolean","example":true},"validated_on":{"type":"string","format":"date-time"}}},"status":{"type":"string","example":"VALIDATED"}}}}}},"400":{"description":"Missing UUID parameter or invalid domain validation record"},"404":{"description":"Domain validation record not found"},"422":{"description":"Domain validation failed (TXT record not found or doesn't match)","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":false},"error":{"type":"string","example":"TXT record validation failed. Expected content '550e8400-e29b-41d4-a716-44665544000020241201143022' not found in TXT records: []"},"status":{"type":"string","example":"VALIDATION_FAILED"}}}}}},"500":{"description":"Server error or DNS lookup failed"}}}},"/api/roles/assignments/bulk":{"post":{"tags":["Role Assignments"],"x-endpoint-category":"Role Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"role_assignments_bulk:manage:assigned","description":"Permitted to create role assignments in bulk","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"role_assignments_bulk","operation":"manage","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Bulk assign permissions to a role or roles to a permission"}},"/api/roles/assignments":{"post":{"tags":["Role Assignments"],"x-endpoint-category":"Role Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"role_assignments:create:assigned","description":"Permitted to create role 
assignments","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"role_assignments","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Assign permission(s) to an application role","description":"Assigns permissions to roles via permission groups. Accepts single or bulk assignments."},"delete":{"tags":["Role Assignments"],"x-endpoint-category":"Role Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"role_assignments:delete:assigned","description":"Permitted to delete role assignments","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"role_assignments","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Remove a permission from an application role","description":"Removes a permission from a role by role_uuid and permission_uuid","parameters":[{"in":"query","name":"role_uuid","required":true,"schema":{"type":"string"}},{"in":"query","name":"permission_uuid","required":true,"schema":{"type":"string"}}]}},"/api/roles/permissions-view":{"get":{"tags":["Role Permissions View"],"x-endpoint-category":"Role Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"role_permissions_view:read:assigned","description":"Permitted to view roles with resolved permissions","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"role_permissions_view","operation":"read","scope":"assigned","birthright":false,"type":"platform"}],"summary":"Get role permissions view","description":"Returns role(s) with fully resolved permissions grouped by object type. 
Supports three modes: single role detail, role comparison, or paginated list with summaries.\n","parameters":[{"in":"query","name":"role_uuid","schema":{"type":"string"},"description":"UUID of a single role to view with full permission details"},{"in":"query","name":"compare","schema":{"type":"string"},"description":"Two role UUIDs separated by comma for side-by-side comparison"},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Optional organization UUID to filter roles"},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (list mode only)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":50},"description":"Number of items per page (list mode only)"}],"responses":{"200":{"description":"Role permissions retrieved successfully"},"400":{"description":"Bad request (invalid parameters)"},"404":{"description":"Role not found"},"500":{"description":"Server error"}}}},"/api/roles":{"get":{"tags":["Application Roles"],"x-endpoint-category":"Role Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"roles:read:assigned","description":"Permitted to view roles","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"roles","operation":"read","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Get application roles","description":"Retrieves application roles - either all roles (paginated) or a specific role by UUID. Can filter by organization.","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional application role UUID to get a specific role. 
If not provided, returns all roles."},{"in":"query","name":"organization_uuid","schema":{"type":"string"},"description":"Optional organization UUID to filter roles by organization"},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (only used when getting all roles)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":10},"description":"Number of items per page (only used when getting all roles)"}],"responses":{"200":{"description":"Application roles retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single application role response","properties":{"applicationRole":{"type":"object","properties":{"uuid":{"type":"string","description":"Application role UUID"},"organization_uuid":{"type":"string","nullable":true,"description":"UUID of the organization this role belongs to (null for platform-level roles)"},"role_name":{"type":"string","description":"Role name"},"role_description":{"type":"string","nullable":true,"description":"Role description"},"role_group":{"type":"string","nullable":true,"description":"Role group"},"role_type":{"type":"string","nullable":true,"description":"Role type"},"individual_assignment_only":{"type":"boolean","description":"Whether the role can only be assigned to individuals"},"is_hidden":{"type":"boolean","description":"Whether the role is hidden from assignment"},"default":{"type":"boolean","description":"Whether this is the default role"},"enabled":{"type":"boolean","description":"Whether the role is enabled"}}}}},{"type":"object","description":"Multiple application roles response","properties":{"applicationRoles":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string","description":"Application role UUID"},"organization_uuid":{"type":"string","description":"UUID of the organization this role belongs 
to"},"role_name":{"type":"string","description":"Role name"},"role_description":{"type":"string","nullable":true,"description":"Role description"},"role_group":{"type":"string","nullable":true,"description":"Role group"},"role_type":{"type":"string","nullable":true,"description":"Role type"},"individual_assignment_only":{"type":"boolean","description":"Whether the role can only be assigned to individuals"},"is_hidden":{"type":"boolean","description":"Whether the role is hidden from assignment"},"default":{"type":"boolean","description":"Whether this is the default role"},"enabled":{"type":"boolean","description":"Whether the role is enabled"}}}},"total":{"type":"integer","description":"Total number of application roles"},"page":{"type":"integer","description":"Current page number"},"pageSize":{"type":"integer","description":"Number of items per page"},"totalPages":{"type":"integer","description":"Total number of pages"}}}]}}}},"400":{"description":"Bad request (e.g., missing required parameters)"},"500":{"description":"Server error"}}},"post":{"tags":["Application Roles"],"x-endpoint-category":"Role Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"roles:create:assigned","description":"Permitted to create roles","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"roles","operation":"create","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Create application role(s)","description":"Creates a new application role or multiple roles. 
Accepts either a single role object or an array of roles for bulk creation.","requestBody":{"required":true,"content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single application role creation","required":["role_name"],"properties":{"organization_uuid":{"type":"string","description":"Optional UUID of the organization this role belongs to (null for platform-level roles)"},"role_name":{"type":"string","description":"Role name"},"role_description":{"type":"string","nullable":true,"description":"Role description"},"role_group":{"type":"string","nullable":true,"description":"Role group"},"role_type":{"type":"string","nullable":true,"description":"Role type"},"individual_assignment_only":{"type":"boolean","default":false,"description":"Whether the role can only be assigned to individuals"},"is_hidden":{"type":"boolean","default":false,"description":"Whether the role is hidden from assignment"},"default":{"type":"boolean","default":false,"description":"Whether this is the default role"},"enabled":{"type":"boolean","default":true,"description":"Whether the role is enabled"}}},{"type":"array","description":"Bulk application role creation","items":{"type":"object","required":["role_name"],"properties":{"organization_uuid":{"type":"string","description":"Optional UUID of the organization this role belongs to (null for platform-level roles)"},"role_name":{"type":"string","description":"Role name"},"role_description":{"type":"string","nullable":true,"description":"Role description"},"role_group":{"type":"string","nullable":true,"description":"Role group"},"role_type":{"type":"string","nullable":true,"description":"Role type"},"individual_assignment_only":{"type":"boolean","default":false,"description":"Whether the role can only be assigned to individuals"},"is_hidden":{"type":"boolean","default":false,"description":"Whether the role is hidden from assignment"},"default":{"type":"boolean","default":false,"description":"Whether this is the default 
role"},"enabled":{"type":"boolean","default":true,"description":"Whether the role is enabled"}}}}]}}}},"responses":{"201":{"description":"Application role(s) created successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single application role response","properties":{"applicationRoleUuid":{"type":"string","description":"UUID of the created application role"}}},{"type":"object","description":"Bulk application roles response","properties":{"results":{"type":"array","items":{"type":"object","properties":{"success":{"type":"boolean","description":"Whether the application role was created successfully"},"applicationRoleUuid":{"type":"string","description":"UUID of the created application role (only present if success is true)"},"error":{"type":"string","description":"Error message (only present if success is false)"},"data":{"type":"object","description":"The original application role data that was processed"}}}},"summary":{"type":"object","properties":{"total":{"type":"integer","description":"Total number of application roles processed"},"successful":{"type":"integer","description":"Number of application roles created successfully"},"failed":{"type":"integer","description":"Number of application roles that failed to create"}}}}}]}}}},"400":{"description":"Invalid application role data"},"500":{"description":"Server error"}}},"put":{"tags":["Application Roles"],"x-endpoint-category":"Role Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"roles:update:assigned","description":"Permitted to update roles","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"roles","operation":"update","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Update an application role","description":"Updates an existing application role by its 
UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Application role UUID to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"role_name":{"type":"string","description":"Role name"},"role_description":{"type":"string","nullable":true,"description":"Role description"},"role_group":{"type":"string","nullable":true,"description":"Role group"},"role_type":{"type":"string","nullable":true,"description":"Role type"},"individual_assignment_only":{"type":"boolean","description":"Whether the role can only be assigned to individuals"},"is_hidden":{"type":"boolean","description":"Whether the role is hidden from assignment"},"default":{"type":"boolean","description":"Whether this is the default role"},"enabled":{"type":"boolean","description":"Whether the role is enabled"}}}}}},"responses":{"200":{"description":"Application role updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"applicationRole":{"type":"object","description":"The updated application role"}}}}}},"400":{"description":"Missing application role UUID or invalid application role data"},"500":{"description":"Server error"}}},"delete":{"tags":["Application Roles"],"x-endpoint-category":"Role Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"roles:delete:assigned","description":"Permitted to delete roles","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"roles","operation":"delete","scope":"assigned","birthright":false,"type":"tenant"}],"summary":"Delete an application role","description":"Deletes an application role by its UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Application role UUID to delete"}],"responses":{"200":{"description":"Application role deleted 
successfully","content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}}},"400":{"description":"Missing application role UUID"},"500":{"description":"Server error"}}}},"/api/scim/v2/Groups/{id}":{"get":{"tags":["SCIM Groups"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Get a single group (SCIM)"},"patch":{"tags":["SCIM Groups"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Partial update group (SCIM)","description":"Handles member add/remove, displayName update, and role sync."},"delete":{"tags":["SCIM Groups"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Remove SCIM group (demote to manual)","description":"Demotes the group to 'manual', clears SCIM fields.\nDoes NOT remove group members — the group continues to exist as a manual group.\nThis is the safest default to prevent accidental mass access revocation.\n"}},"/api/scim/v2/Groups":{"post":{"tags":["SCIM Groups"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Create a group from IDP (SCIM)","description":"Creates a new access group with type='scim'. 
Idempotent upsert by scim_external_id."},"get":{"tags":["SCIM Groups"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"List groups (SCIM)","description":"Returns paginated group list for the org."}},"/api/scim/v2/ResourceTypes":{"get":{"summary":"SCIM Resource Types","description":"Returns the resource types supported by this SCIM service provider.","tags":["SCIM Discovery"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"responses":{"200":{"description":"List of resource types"}}}},"/api/scim/v2/Schemas":{"get":{"summary":"SCIM Schemas","description":"Returns all SCIM 2.0 schema definitions supported by this service provider.","tags":["SCIM Discovery"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"responses":{"200":{"description":"List of schemas"}}}},"/api/scim/v2/ServiceProviderConfig":{"get":{"summary":"SCIM Service Provider Configuration","description":"Returns the SCIM 2.0 capabilities supported by this service provider.","tags":["SCIM Discovery"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"responses":{"200":{"description":"Service provider configuration"}}}},"/api/scim/v2/Users/{id}":{"get":{"tags":["SCIM Users"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Get a single user (SCIM)"},"patch":{"tags":["SCIM Users"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Partial update user (SCIM)","description":"Primary update mechanism for Entra ID. 
Handles active flag for disable/enable."},"put":{"tags":["SCIM Users"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Full replace user (SCIM)","description":"Okta uses PUT for full syncs. Same managed-check logic as PATCH."},"delete":{"tags":["SCIM Users"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Deprovision user (SCIM)","description":"Soft disable only — never hard deletes. Revokes active sessions."}},"/api/scim/v2/Users":{"post":{"tags":["SCIM Users"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Provision a new user (SCIM)","description":"Creates a new user from IDP push. Handles duplicates gracefully (200, not 500)."},"get":{"tags":["SCIM Users"],"x-endpoint-category":"SCIM Provisioning","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"List users (SCIM)","description":"Returns paginated user list. Supports filter=userName eq \"...\". Updates last_scim_at for returned users."}},"/api/signup/organization":{"post":{"tags":["User Signup"],"x-endpoint-category":"Registration","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"signup:create:all","description":"Register a new user and create an organization","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"signup","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Self-service organization creation","description":"Creates a new organization for an authenticated user who has no org yet. 
Assigns the user as a permanent owner member.","security":[{"cookieAuth":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["name"],"properties":{"name":{"type":"string","description":"Organization name"},"description":{"type":"string","description":"Organization description"},"address":{"type":"string","description":"Organization address"}}}}}},"responses":{"201":{"description":"Organization created successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"organizationId":{"type":"integer"},"organizationUuid":{"type":"string"}}}}}},"400":{"description":"Invalid request data"},"401":{"description":"Unauthorized - invalid or missing session"},"500":{"description":"Server error"}}}},"/api/signup":{"post":{"tags":["User Signup"],"x-endpoint-category":"Registration","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"signup:create:all","description":"Register a new user account","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"signup","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Create new user account","description":"Creates a new user account and sends a verification email with human verification","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["email","first_name","last_name","password","turnstileToken"],"properties":{"email":{"type":"string","format":"email","description":"User's email address"},"first_name":{"type":"string","description":"User's first name"},"last_name":{"type":"string","description":"User's last name"},"password":{"type":"string","minLength":8,"description":"User's password (minimum 8 characters, must contain uppercase, lowercase, number, and special character)"},"turnstileToken":{"type":"string","description":"Cloudflare Turnstile token for human 
verification"}}}}}},"responses":{"201":{"description":"User created successfully and verification email sent","content":{"application/json":{"schema":{"type":"object","properties":{"userUuid":{"type":"string","description":"UUID of the created user"}}}}}},"400":{"description":"Invalid user data","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string"},"details":{"type":"array","items":{"type":"object"}}}}}}},"403":{"description":"Human verification failed","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string","example":"Human verification failed"}}}}}},"409":{"description":"Conflict - User with this email already exists","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string","example":"An account with this email address already exists"}}}}}},"500":{"description":"Server error","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string"}}}}}}}}},"/api/signup/verification":{"get":{"tags":["Email Verification"],"x-endpoint-category":"Registration","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"signup_verification:execute:all","description":"Verify email address during signup via token","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"signup_verification","operation":"execute","scope":"all","birthright":false,"type":"platform"}],"summary":"Verify user email address","description":"Verifies a user's email address using a magic link token","parameters":[{"in":"query","name":"token","required":true,"schema":{"type":"string"},"description":"The magic link verification token"}],"responses":{"200":{"description":"Email verification result","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Successful 
verification","properties":{"success":{"type":"boolean","example":true},"message":{"type":"string","example":"Email verified successfully"},"userUuid":{"type":"string","description":"UUID of the verified user"},"email":{"type":"string","description":"Email address that was verified"}}},{"type":"object","description":"Failed verification","properties":{"success":{"type":"boolean","example":false},"message":{"type":"string","example":"Invalid verification token"}}}]}}}},"400":{"description":"Missing or invalid token","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string","example":"Verification token is required"}}}}}}}}},"/api/user/mfa/devices":{"get":{"tags":["User MFA Devices"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_trusted_devices:read:own","description":"Permitted to view own trusted devices","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_trusted_devices","operation":"read","scope":"own","birthright":true,"type":"platform"}],"summary":"Get trusted devices for authenticated user","responses":{"200":{"description":"Success"}}},"delete":{"tags":["User MFA Devices"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_trusted_devices:delete:own","description":"Permitted to remove own trusted devices","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_trusted_devices","operation":"delete","scope":"own","birthright":true,"type":"platform"}],"summary":"Remove a trusted device","responses":{"200":{"description":"Success"}}}},"/api/user/mfa/enable":{"post":{"tags":["User MFA"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_mfa:manage:own","description":"Permitted to enable MFA on own 
account","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_mfa","operation":"manage","scope":"own","birthright":true,"type":"platform"}],"summary":"Enable MFA for authenticated user","responses":{"200":{"description":"Success"}}}},"/api/user/mfa/recovery-codes":{"get":{"tags":["User MFA Recovery Codes"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_recovery_codes:read:own","description":"Permitted to view own MFA recovery codes","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_recovery_codes","operation":"read","scope":"own","birthright":true,"type":"platform"}],"summary":"Get MFA recovery codes","responses":{"200":{"description":"Success"}}},"post":{"tags":["User MFA Recovery Codes"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_recovery_codes:manage:own","description":"Permitted to regenerate own MFA recovery codes","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_recovery_codes","operation":"manage","scope":"own","birthright":true,"type":"platform"}],"summary":"Regenerate MFA recovery codes","responses":{"200":{"description":"Success"}}}},"/api/user/mfa/status":{"get":{"tags":["User MFA"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_mfa_status:read:own","description":"Permitted to check own MFA enrollment status","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_mfa_status","operation":"read","scope":"own","birthright":true,"type":"platform"}],"summary":"Get MFA status for authenticated user","responses":{"200":{"description":"Success"}}}},"/api/user/mfa/totp":{"get":{"tags":["User MFA 
TOTP"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_totp_setup:read:own","description":"Permitted to retrieve TOTP setup details","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_totp_setup","operation":"read","scope":"own","birthright":true,"type":"platform"}],"summary":"Get TOTP setup for authenticated user","responses":{"200":{"description":"Success"}}},"post":{"tags":["User MFA TOTP"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_totp:create:own","description":"Permitted to register a TOTP authenticator","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_totp","operation":"create","scope":"own","birthright":true,"type":"platform"}],"summary":"Register TOTP authenticator for authenticated user","responses":{"200":{"description":"Success"}}},"delete":{"tags":["User MFA TOTP"],"x-endpoint-category":"MFA","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_totp:delete:own","description":"Permitted to remove TOTP authenticator from account","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_totp","operation":"delete","scope":"own","birthright":true,"type":"platform"}],"summary":"Remove TOTP authenticator for authenticated user","responses":{"200":{"description":"Success"}}}},"/api/user/passkey":{"get":{"tags":["Passkeys"],"x-endpoint-category":"Authentication Data","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"summary":"Get user's passkeys or registration status","description":"Retrieves passkeys for a user or registration status information.\n- If no parameters: returns current user's passkeys\n- If user_uuid provided: returns registration status for that 
user\n","x-permissions":[{"name":"my_passkeys:read:own","description":"Permitted to view own registered passkeys","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_passkeys","operation":"read","scope":"own","birthright":true,"type":"platform"},{"name":"my_passkeys:read:assigned","description":"Permitted to view passkeys of users managed by the organization","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_passkeys","operation":"read","scope":"assigned","birthright":false,"type":"platform"},{"name":"my_passkeys:read:all","description":"Admin - Permitted to view all users' registered passkeys","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"my_passkeys","operation":"read","scope":"all","birthright":false,"type":"platform"}],"parameters":[{"in":"query","name":"user_uuid","schema":{"type":"string","format":"uuid"},"description":"User UUID to check registration status (optional)"},{"in":"query","name":"userId","schema":{"type":"integer"},"description":"User ID to get passkeys for (temporary - use auth context later)"}],"responses":{"200":{"description":"Passkeys or status retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"User's passkeys","properties":{"passkeys":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string"},"nickname":{"type":"string","nullable":true},"device_type":{"type":"string","nullable":true},"last_used_at":{"type":"string","format":"date-time","nullable":true},"rp_id":{"type":"string","nullable":true}}}},"count":{"type":"integer","description":"Total number of passkeys"},"maxAllowed":{"type":"integer","description":"Maximum passkeys allowed"}}},{"type":"object","description":"Registration 
status","properties":{"canRegister":{"type":"boolean"},"canAuthenticate":{"type":"boolean"},"currentCount":{"type":"integer"},"maxAllowed":{"type":"integer"},"user":{"type":"object","properties":{"email":{"type":"string"},"uuid":{"type":"string"},"isActive":{"type":"boolean"},"isEmailValidated":{"type":"boolean"}}}}}]}}}},"400":{"description":"Bad request"},"404":{"description":"User not found"},"500":{"description":"Server error"}}},"post":{"tags":["Passkeys"],"x-endpoint-category":"Authentication Data","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_passkeys:create:own","description":"Permitted to register new passkeys on own account","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_passkeys","operation":"create","scope":"own","birthright":true,"type":"platform"},{"name":"my_passkeys:create:all","description":"Admin - Permitted to register passkeys for all users","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"my_passkeys","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Begin or complete passkey registration","description":"Two-phase passkey registration:\n1. Begin registration: Send email, rpId, etc. → Get challenge and options\n2. 
Complete registration: Send challengeId + client response → Create passkey\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Begin registration","required":["action","user_uuid","rpId"],"properties":{"action":{"type":"string","enum":["begin"]},"user_uuid":{"type":"string","format":"uuid"},"rpId":{"type":"string"},"origin":{"type":"string"},"nickname":{"type":"string"}}},{"type":"object","description":"Complete registration","required":["action","challengeId","credentialId","publicKey"],"properties":{"action":{"type":"string","enum":["complete"]},"challengeId":{"type":"string"},"credentialId":{"type":"string"},"publicKey":{"type":"string"},"aaguid":{"type":"string"},"transports":{"type":"array","items":{"type":"string"}},"deviceType":{"type":"string","enum":["platform","cross-platform"]},"backupEligible":{"type":"boolean"},"backedUp":{"type":"boolean"},"uvCapable":{"type":"boolean"},"uvPerformed":{"type":"boolean"}}}]}}}},"responses":{"200":{"description":"Registration phase completed successfully"},"201":{"description":"Passkey registered successfully"},"400":{"description":"Invalid request data"},"409":{"description":"Conflict (e.g., max passkeys reached)"},"500":{"description":"Server error"}}},"delete":{"tags":["Passkeys"],"x-endpoint-category":"Authentication Data","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"my_passkeys:delete:own","description":"Permitted to remove passkeys from own account","admin_privilege":false,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_passkeys","operation":"delete","scope":"own","birthright":true,"type":"platform"},{"name":"my_passkeys:delete:assigned","description":"Permitted to delete passkeys of users managed by the 
organization","admin_privilege":true,"super_admin":false,"version":1,"deprecated":false,"object_type":"my_passkeys","operation":"delete","scope":"assigned","birthright":false,"type":"platform"},{"name":"my_passkeys:delete:all","description":"Admin - Permitted to delete passkeys for all users","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"my_passkeys","operation":"delete","scope":"all","birthright":false,"type":"platform"}],"summary":"Delete a user's passkey","description":"Removes a specific passkey by UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"Passkey UUID to delete"}],"responses":{"200":{"description":"Passkey deleted successfully","content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"},"passkeyId":{"type":"integer","description":"Internal ID of deleted passkey"}}}}}},"400":{"description":"Missing passkey UUID"},"404":{"description":"Passkey not found"},"500":{"description":"Server error"}}}},"/api/user/profile":{"get":{"tags":["User Profile"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"user_profiles:read:all","description":"Permitted to view user profile details","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"user_profiles","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get current user profile","description":"Retrieves the profile information for the authenticated user","security":[{"session":[]}],"responses":{"200":{"description":"User profile retrieved 
successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"user":{"type":"object","properties":{"id":{"type":"integer"},"uuid":{"type":"string"},"email":{"type":"string"},"firstName":{"type":"string"},"lastName":{"type":"string"},"displayName":{"type":"string"},"department":{"type":"string"},"jobTitle":{"type":"string"},"lastSeenDate":{"type":"string"},"createdAt":{"type":"string"}}}}}}}},"401":{"description":"Unauthorized - invalid or expired session"},"500":{"description":"Server error"}}},"put":{"tags":["User Profile"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"user_profiles:update:all","description":"Permitted to update user profile details","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"user_profiles","operation":"update","scope":"all","birthright":false,"type":"platform"}],"summary":"Update current user profile","description":"Updates the profile information for the authenticated user","security":[{"session":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"firstName":{"type":"string"},"lastName":{"type":"string"},"displayName":{"type":"string"},"department":{"type":"string"},"jobTitle":{"type":"string"}}}}}},"responses":{"200":{"description":"Profile updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"},"message":{"type":"string"},"user":{"type":"object"}}}}}},"400":{"description":"Bad request - invalid data"},"401":{"description":"Unauthorized - invalid or expired session"},"500":{"description":"Server error"}}}},"/api/user/reset-password":{"post":{"tags":["Password Reset"],"x-endpoint-category":"User 
Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"password_resets:manage:all","description":"Reset password using a reset token","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"password_resets","operation":"manage","scope":"all","birthright":false,"type":"platform"}],"summary":"Reset user password with token","responses":{"200":{"description":"Success"}}}},"/api/user":{"get":{"tags":["Users"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"users:read:all","description":"Permitted to view user account details","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"users","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get users","description":"Retrieves users - either all users (paginated) or a specific user by UUID","parameters":[{"in":"query","name":"uuid","schema":{"type":"string"},"description":"Optional user UUID to get a specific user. 
If not provided, returns all users."},{"in":"query","name":"page","schema":{"type":"integer","minimum":1,"default":1},"description":"Page number for pagination (only used when getting all users)"},{"in":"query","name":"pageSize","schema":{"type":"integer","minimum":1,"maximum":100,"default":10},"description":"Number of items per page (only used when getting all users)"}],"responses":{"200":{"description":"Users retrieved successfully","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Single user response","properties":{"uuid":{"type":"string","description":"User UUID"},"email":{"type":"string","description":"User email address"},"first_name":{"type":"string","nullable":true,"description":"User's first name"},"last_name":{"type":"string","nullable":true,"description":"User's last name"},"display_name":{"type":"string","nullable":true,"description":"User's display name"},"department":{"type":"string","nullable":true,"description":"User's department"},"job_title":{"type":"string","nullable":true,"description":"User's job title"},"manager_email":{"type":"string","nullable":true,"description":"User's manager's email"},"is_disabled":{"type":"boolean","description":"Whether the user account is disabled"},"is_managed":{"type":"boolean","description":"Whether the user account is managed by an organization"}}},{"type":"object","description":"Multiple users response","properties":{"users":{"type":"array","items":{"type":"object","properties":{"uuid":{"type":"string"},"email":{"type":"string"},"first_name":{"type":"string","nullable":true},"last_name":{"type":"string","nullable":true},"display_name":{"type":"string","nullable":true},"department":{"type":"string","nullable":true},"job_title":{"type":"string","nullable":true},"manager_email":{"type":"string","nullable":true},"is_disabled":{"type":"boolean"},"is_managed":{"type":"boolean","description":"Whether the user account is managed by an 
organization"}}}},"total":{"type":"integer","description":"Total number of users"},"page":{"type":"integer","description":"Current page number"},"pageSize":{"type":"integer","description":"Number of items per page"},"totalPages":{"type":"integer","description":"Total number of pages"}}}]}}}},"400":{"description":"Bad request (e.g., missing required parameters)"},"500":{"description":"Server error"}}},"put":{"tags":["Users"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"users:update:all","description":"Permitted to update user account details","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"users","operation":"update","scope":"all","birthright":false,"type":"platform"}],"summary":"Update a user","description":"Updates an existing user by their UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"User UUID to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"email":{"type":"string","format":"email","description":"User's email address"},"first_name":{"type":"string","nullable":true,"description":"User's first name"},"last_name":{"type":"string","nullable":true,"description":"User's last name"},"display_name":{"type":"string","nullable":true,"description":"User's display name"},"department":{"type":"string","nullable":true,"description":"User's department"},"job_title":{"type":"string","nullable":true,"description":"User's job title"},"manager_email":{"type":"string","format":"email","nullable":true,"description":"User's manager's email"},"is_disabled":{"type":"boolean","description":"Whether the user account is disabled"},"informational_object":{"type":"object","nullable":true,"description":"Additional user information"},"format_object":{"type":"object","nullable":true,"description":"User formatting 
preferences"}}}}}},"responses":{"200":{"description":"User updated successfully","content":{"application/json":{"schema":{"type":"object","properties":{"user":{"type":"object","description":"The updated user"}}}}}},"400":{"description":"Missing user UUID or invalid user data"},"500":{"description":"Server error"}}},"delete":{"tags":["Users"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"users:delete:all","description":"Permitted to delete user accounts","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"users","operation":"delete","scope":"all","birthright":false,"type":"platform"}],"summary":"Delete a user","description":"Deletes a user by their UUID","parameters":[{"in":"query","name":"uuid","required":true,"schema":{"type":"string"},"description":"User UUID to delete"}],"responses":{"200":{"description":"User deleted successfully","content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}}},"400":{"description":"Missing user UUID"},"500":{"description":"Server error"}}}},"/api/user/verification":{"get":{"tags":["Email Verification"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"verification_status:read:all","description":"Check user email verification status","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"verification_status","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Verify user email address using token","description":"Verifies a user's email address using a magic link token","parameters":[{"in":"query","name":"token","required":true,"schema":{"type":"string"},"description":"The magic link verification token"}],"responses":{"200":{"description":"Email verification 
result","content":{"application/json":{"schema":{"oneOf":[{"type":"object","description":"Successful verification","properties":{"success":{"type":"boolean","example":true},"message":{"type":"string","example":"Email verified successfully"},"userUuid":{"type":"string","description":"UUID of the verified user"},"email":{"type":"string","description":"Email address that was verified"}}},{"type":"object","description":"Failed verification","properties":{"success":{"type":"boolean","example":false},"message":{"type":"string","example":"Invalid verification token"}}}]}}}},"400":{"description":"Missing or invalid token","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string","example":"Verification token is required"}}}}}}}},"post":{"tags":["Email Verification"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"verification:create:all","description":"Submit email verification code","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"verification","operation":"create","scope":"all","birthright":false,"type":"platform"}],"summary":"Request new verification email","description":"Sends a new verification email to the specified address.\nReturns conflict if account is already verified or doesn't exist.\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["email"],"properties":{"email":{"type":"string","format":"email","description":"Email address to send verification to"}}}}}},"responses":{"200":{"description":"Verification email sent successfully","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":true},"message":{"type":"string","example":"Verification email sent successfully. 
Please check your inbox."}}}}}},"400":{"description":"Invalid request data","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"string","example":"Email is required"}}}}}},"409":{"description":"Account already verified or doesn't exist","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":false},"message":{"type":"string","example":"Account is already verified or does not exist. Please try logging in."}}}}}},"500":{"description":"Internal server error","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":false},"message":{"type":"string","example":"An error occurred while processing your request."}}}}}}}}},"/api/users/authentication-policy":{"get":{"tags":["UserAuthenticationPolicy"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"user_auth_policies:read:all","description":"Permitted to view a user's applicable authentication policy","super_admin":true,"admin_privilege":true,"version":1,"deprecated":false,"object_type":"user_auth_policies","operation":"read","scope":"all","birthright":false,"type":"platform"}],"summary":"Get a user's assigned authentication policy","description":"Returns the authentication policy specifically assigned to a user, or null if the user is using the organization default.","parameters":[{"in":"query","name":"user_uuid","required":true,"schema":{"type":"string"},"description":"UUID of the user"}],"responses":{"200":{"description":"Current authentication policy assignment","content":{"application/json":{"schema":{"type":"object","properties":{"policy_uuid":{"type":"string","nullable":true},"policy_name":{"type":"string","nullable":true}}}}}},"400":{"description":"Missing user_uuid parameter"},"404":{"description":"User not found"},"500":{"description":"Server 
error"}}},"patch":{"tags":["UserAuthenticationPolicy"],"x-endpoint-category":"User Management","x-admin-endpoint":false,"x-endpoint-version":1,"x-deprecated_endpoint":false,"x-permissions":[{"name":"user_auth_policies:update:all","description":"Permitted to assign or unassign authentication policies for users","admin_privilege":true,"super_admin":true,"version":1,"deprecated":false,"object_type":"user_auth_policies","operation":"update","scope":"all","birthright":false,"type":"platform"}],"summary":"Assign or unassign an authentication policy for a user","description":"Sets a specific authentication policy for a user, overriding the organization default. Pass policy_uuid as null to revert to the org default.","parameters":[{"in":"query","name":"user_uuid","required":true,"schema":{"type":"string"},"description":"UUID of the user to update"}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["policy_uuid"],"properties":{"policy_uuid":{"type":"string","nullable":true,"description":"UUID of the authentication policy to assign, or null to revert to org default"}}}}}},"responses":{"200":{"description":"Authentication policy assignment updated successfully"},"400":{"description":"Missing required parameters or invalid body"},"404":{"description":"User or authentication policy not found"},"500":{"description":"Server error"}}}}},"components":{},"tags":[{"name":"SCIM Config","description":"SCIM provisioning configuration management (admin only)"},{"name":"Admin Sessions"},{"name":"SCIM Admin","description":"SCIM managed flag administration"},{"name":"Admin User MFA Enrollments"},{"name":"Admin User Trusted Devices"},{"name":"API Key Management","description":"Create, list, update, disable, and rotate user API keys for programmatic access"},{"name":"Applications","description":"Application management endpoints"},{"name":"Organization Session"},{"name":"AuthorizationEvaluation","description":"Post-authentication authorization 
evaluation endpoints. Used to resolve a user's full permission set for dashboard-level access control."},{"name":"Examples","description":"Example API endpoints"},{"name":"IndividualAccess","description":"Individual access role management endpoints"},{"name":"Internal Tenant Link"},{"name":"Internal Tenant State"},{"name":"AuthContext","description":"Temporary endpoints to inspect and modify the authentication token stored in KV"},{"name":"Authentication","description":"Passkey authentication endpoints for login flow"},{"name":"Login Token"},{"name":"Logout"},{"name":"My Account Password"},{"name":"My Account Session History"},{"name":"My Account Sessions"},{"name":"AccessGroupMemberships","description":"Access group membership management endpoints"},{"name":"AccessGroupRoles","description":"Access group role management endpoints"},{"name":"AccessGroups","description":"Access group management endpoints"},{"name":"MagicLinkPolicies","description":"Magic Link policy management endpoints"},{"name":"PasswordPolicies","description":"Password policy management endpoints"},{"name":"PlatformMfaPolicies","description":"Platform MFA policy management endpoints"},{"name":"IPRestrictionRanges","description":"IP restriction range management endpoints"},{"name":"IPRestrictionPolicies","description":"IP restriction policy management endpoints"},{"name":"TimeRestrictionRanges","description":"Time restriction range management endpoints"},{"name":"TimeRestrictionPolicies","description":"Time restriction policy management endpoints"},{"name":"AuthenticationPolicies","description":"Authentication policy management endpoints"},{"name":"Organization Tenant Status"},{"name":"Organization Contacts"},{"name":"Organizations","description":"Organization management endpoints"},{"name":"Member MFA Admin"},{"name":"OrganizationMembership","description":"Organization membership management endpoints"},{"name":"Organization Sessions"},{"name":"Validated Domains","description":"Domain validation 
management endpoints"},{"name":"Role Permissions View","description":"Read-only endpoints for viewing roles with resolved permissions"},{"name":"Application Roles","description":"Application role management endpoints"},{"name":"User Signup","description":"User registration and signup"},{"name":"Email Verification","description":"Email verification endpoints"},{"name":"User MFA Devices"},{"name":"User MFA"},{"name":"User MFA Recovery Codes"},{"name":"User MFA TOTP"},{"name":"Passkeys","description":"User passkey management endpoints"},{"name":"Password Reset"},{"name":"Users","description":"User management endpoints"},{"name":"UserAuthenticationPolicy","description":"User-specific authentication policy assignment"}]}