Tenant APIs

The Id to use for the new Tenant. If not specified a secure random UUID will be generated.

The optional Id of an existing Tenant to make a copy of. If present, the tenant.id and tenant.name values of the request body will be applied to the new Tenant, all other values will be copied from the source Tenant to the new Tenant.

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

The identifier of the Connector to which this policy refers.

An list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

An object that can hold any information about the Tenant that should be persisted.

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration.

Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part email address (i.e. Jared Dunn <jared@piedpiper.com>).

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address ( i.e. Jared Dunn <jared@piedpiper.com>).

The Id of the Email Template that is used when a user is sent a forgot password email.

The host name of the SMTP server that FusionAuth will use.

An optional password FusionAuth will use to authenticate with the SMTP server.

The Id of the Passwordless Email Template.

The port of the SMTP server that FusionAuth will use.

Additional Email Configuration in a properties file formatted String.

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

• NONE - no security will be used. All communications will be sent plaintext.

• SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

• TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.

An optional username FusionAuth will to authenticate with the SMTP server.

The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

Whether the user’s email addresses are verified when the registers with your application.

Whether the user’s email addresses are verified when the user changes them.

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

• user.action - When a user action is triggered

• user.bulk.create - When multiple users are created in bulk (i.e. during an import)

• user.create - When a user is created

• user.email.verified - When a user verifies their email address Available since 1.8.0

• user.update - When a user is updated

• user.deactivate - When a user is deactivated

• user.reactivate - When a user is reactivated

• user.login.success - When a user completes a login request Available since 1.6.0

• user.login.failed - When a user fails a login request Available since 1.6.0

• user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

• user.registration.create - When a user registration is created Available since 1.6.0

• user.registration.update - When a user registration is updated Available since 1.6.0

• user.registration.delete - When a user registration is deleted Available since 1.6.0

• user.registration.verified - When a user completes registration verification Available since 1.8.0

• user.delete - When a user is deleted

• jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

• jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

• jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

Whether or not FusionAuth should send these types of events to any configured Webhooks.

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

• None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

• Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

• SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the change password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The length of the secure generator used for generating the device code Id.

If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the device code Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The length of the secure generator used for generating the the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the email verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the passwordless login. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the registration verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the setup password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

The unit of time associated with a duration. The possible values are:

• MINUTES

• HOURS

• DAYS

• WEEKS

• MONTHS

• YEARS

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

Whether to allow child registrations.

The unique Id of the email template to use when confirming a child.

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

Whether family configuration is enabled.

The unique Id of the email template to use when a family request is made.

The maximum age of a child. Value must be greater than 0.

The minimum age to be an owner. Value must be greater than 0.

Whether a parent email is required.

The unique Id of the email template to use for parent registration.

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

When this parameter is not provided, it will default to the form Id currently assigned to the Default tenant.

A paid edition of FusionAuth is required to utilize custom forms.

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

The named issuer used to sign tokens, this is generally your public fully qualified domain.

The unique id of the signing key used to sign the access token.

The unique id of the signing key used to sign the Id token.

The refresh token expiration policy. The following are valid values:

• Fixed - the expiration is calculated from the time the token is issued.

• SlidingWindow - the expiration is calculated from the last time the token was used.

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

When enabled, the refresh token will be revoked when a user changes their password.

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.

• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

Indicates that the maximum password age is enabled and being enforced.

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

Indicates that the minimum password age is enabled and being enforced.

The unique name of the Tenant.

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

• salted-md5

• salted-sha256

• salted-hmac-sha256

• salted-pbkdf2-hmac-sha256

• bcrypt

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

Whether to enable Reactor breach detection. Requires an activated license.

The level of severity where Reactor will consider a breach. The following are valid values:

• High Only requires a password match, this is the most secure and is recommended

• Medium Exact match on username, email address or email sub-address

• Low Exact match on an email or username, or the password is a common breached value

The Id of the email template to use when notifying user of breached password. Required if tenant.passwordValidationRules.breachDetection.onLogin is set to NotifyUser.

The behavior when detecting breaches at time of user login. The following are valid values:

• Off Do not perform breach detection at login

• RecordOnly Only record the result, take no action

• NotifyUser Notify the end user via email

• RequireChange Require immediate password change

The maximum length of a password when a new user is created or a user requests a password change.

The minimum length of a password when a new user is created or a user requests a password change.

The number of previous passwords to remember. Value must be greater than 0.

Whether to prevent a user from using any of their previous passwords.

Whether to force the user to use at least one uppercase and one lowercase character.

Whether to force the user to use at least one non-alphanumeric character.

Whether to force the user to use at least one number.

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

The unique Id of the theme to be used to style the login page and other end user templates.

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

The number of days from creation users will be retained before being deleted for not completing email verification. This field is required when tenant.userDeletePolicy.unverified.enabled is set to true. Value must be greater than 0.

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

The identifier of the Connector to which this policy refers.

An list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

An object that can hold any information about the Tenant that should be persisted.

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration.

Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part email address (i.e. Jared Dunn <jared@piedpiper.com>).

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address ( i.e. Jared Dunn <jared@piedpiper.com>).

The Id of the Email Template that is used when a user is sent a forgot password email.

The host name of the SMTP server that FusionAuth will use.

An optional password FusionAuth will use to authenticate with the SMTP server.

The Id of the Passwordless Email Template.

The port of the SMTP server that FusionAuth will use.

Additional Email Configuration in a properties file formatted String.

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

• NONE - no security will be used. All communications will be sent plaintext.

• SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

• TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.

An optional username FusionAuth will to authenticate with the SMTP server.

The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

Whether the user’s email addresses are verified when the registers with your application.

Whether the user’s email addresses are verified when the user changes them.

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

• user.action - When a user action is triggered

• user.bulk.create - When multiple users are created in bulk (i.e. during an import)

• user.create - When a user is created

• user.email.verified - When a user verifies their email address Available since 1.8.0

• user.update - When a user is updated

• user.deactivate - When a user is deactivated

• user.reactivate - When a user is reactivated

• user.login.success - When a user completes a login request Available since 1.6.0

• user.login.failed - When a user fails a login request Available since 1.6.0

• user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

• user.registration.create - When a user registration is created Available since 1.6.0

• user.registration.update - When a user registration is updated Available since 1.6.0

• user.registration.delete - When a user registration is deleted Available since 1.6.0

• user.registration.verified - When a user completes registration verification Available since 1.8.0

• user.delete - When a user is deleted

• jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

• jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

• jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

Whether or not FusionAuth should send these types of events to any configured Webhooks.

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

• None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

• Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

• SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the change password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The length of the secure generator used for generating the device code Id.

If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the device code Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The length of the secure generator used for generating the the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the email verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the passwordless login. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the registration verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the setup password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

The unit of time associated with a duration. The possible values are:

• MINUTES

• HOURS

• DAYS

• WEEKS

• MONTHS

• YEARS

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

Whether to allow child registrations.

The unique Id of the email template to use when confirming a child.

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

Whether family configuration is enabled.

The unique Id of the email template to use when a family request is made.

The maximum age of a child. Value must be greater than 0.

The minimum age to be an owner. Value must be greater than 0.

Whether a parent email is required.

The unique Id of the email template to use for parent registration.

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

The unique identifier for this Tenant.

The instant that the Tenant was added to the FusionAuth database.

The named issuer used to sign tokens, this is generally your public fully qualified domain.

The unique id of the signing key used to sign the access token.

The unique id of the signing key used to sign the Id token.

The refresh token expiration policy. The following are valid values:

• Fixed - the expiration is calculated from the time the token is issued.

• SlidingWindow - the expiration is calculated from the last time the token was used.

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

When enabled, the refresh token will be revoked when a user changes their password.

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.

• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

The instant that the Tenant was last updated in the FusionAuth database.

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

Indicates that the maximum password age is enabled and being enforced.

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

Indicates that the minimum password age is enabled and being enforced.

The unique name of the Tenant.

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

• salted-md5

• salted-sha256

• salted-hmac-sha256

• salted-pbkdf2-hmac-sha256

• bcrypt

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

Whether to enable Reactor breach detection. Requires an activated license.

The level of severity where Reactor will consider a breach. The following are valid values:

• High Only requires a password match, this is the most secure and is recommended

• Medium Exact match on username, email address or email sub-address

• Low Exact match on an email or username, or the password is a common breached value

The Id of the email template to use when notifying user of breached password.

The behavior when detecting breaches at time of user login. The following are valid values:

• Off Do not perform breach detection at login

• RecordOnly Only record the result, take no action

• NotifyUser Notify the end user via email

• RequireChange Require immediate password change

The maximum length of a password when a new user is created or a user requests a password change.

The minimum length of a password when a new user is created or a user requests a password change.

The number of previous passwords to remember. Value must be greater than 0.

Whether to prevent a user from using any of their previous passwords.

Whether to force the user to use at least one uppercase and one lowercase character.

Whether to force the user to use at least one non-alphanumeric character.

Whether to force the user to use at least one number.

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

The current state of the tenant. The following are valid values:

• Active - The tenant is active.

• PendingDelete - A delete request has been requested and is being processed.

The unique Id of the theme to be used to style the login page and other end user templates.

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.

The unique Id of the Tenant to retrieve.

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

The identifier of the Connector to which this policy refers.

An list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

An object that can hold any information about the Tenant that should be persisted.

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration.

Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part email address (i.e. Jared Dunn <jared@piedpiper.com>).

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address ( i.e. Jared Dunn <jared@piedpiper.com>).

The Id of the Email Template that is used when a user is sent a forgot password email.

The host name of the SMTP server that FusionAuth will use.

An optional password FusionAuth will use to authenticate with the SMTP server.

The Id of the Passwordless Email Template.

The port of the SMTP server that FusionAuth will use.

Additional Email Configuration in a properties file formatted String.

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

• NONE - no security will be used. All communications will be sent plaintext.

• SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

• TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.

An optional username FusionAuth will to authenticate with the SMTP server.

The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

Whether the user’s email addresses are verified when the registers with your application.

Whether the user’s email addresses are verified when the user changes them.

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

• user.action - When a user action is triggered

• user.bulk.create - When multiple users are created in bulk (i.e. during an import)

• user.create - When a user is created

• user.email.verified - When a user verifies their email address Available since 1.8.0

• user.update - When a user is updated

• user.deactivate - When a user is deactivated

• user.reactivate - When a user is reactivated

• user.login.success - When a user completes a login request Available since 1.6.0

• user.login.failed - When a user fails a login request Available since 1.6.0

• user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

• user.registration.create - When a user registration is created Available since 1.6.0

• user.registration.update - When a user registration is updated Available since 1.6.0

• user.registration.delete - When a user registration is deleted Available since 1.6.0

• user.registration.verified - When a user completes registration verification Available since 1.8.0

• user.delete - When a user is deleted

• jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

• jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

• jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

Whether or not FusionAuth should send these types of events to any configured Webhooks.

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

• None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

• Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

• SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the change password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The length of the secure generator used for generating the device code Id.

If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the device code Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The length of the secure generator used for generating the the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the email verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the passwordless login. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the registration verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the setup password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

The unit of time associated with a duration. The possible values are:

• MINUTES

• HOURS

• DAYS

• WEEKS

• MONTHS

• YEARS

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

Whether to allow child registrations.

The unique Id of the email template to use when confirming a child.

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

Whether family configuration is enabled.

The unique Id of the email template to use when a family request is made.

The maximum age of a child. Value must be greater than 0.

The minimum age to be an owner. Value must be greater than 0.

Whether a parent email is required.

The unique Id of the email template to use for parent registration.

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

The unique identifier for this Tenant.

The instant that the Tenant was added to the FusionAuth database.

The named issuer used to sign tokens, this is generally your public fully qualified domain.

The unique id of the signing key used to sign the access token.

The unique id of the signing key used to sign the Id token.

The refresh token expiration policy. The following are valid values:

• Fixed - the expiration is calculated from the time the token is issued.

• SlidingWindow - the expiration is calculated from the last time the token was used.

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

When enabled, the refresh token will be revoked when a user changes their password.

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.

• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

The instant that the Tenant was last updated in the FusionAuth database.

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

Indicates that the maximum password age is enabled and being enforced.

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

Indicates that the minimum password age is enabled and being enforced.

The unique name of the Tenant.

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

• salted-md5

• salted-sha256

• salted-hmac-sha256

• salted-pbkdf2-hmac-sha256

• bcrypt

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

Whether to enable Reactor breach detection. Requires an activated license.

The level of severity where Reactor will consider a breach. The following are valid values:

• High Only requires a password match, this is the most secure and is recommended

• Medium Exact match on username, email address or email sub-address

• Low Exact match on an email or username, or the password is a common breached value

The Id of the email template to use when notifying user of breached password.

The behavior when detecting breaches at time of user login. The following are valid values:

• Off Do not perform breach detection at login

• RecordOnly Only record the result, take no action

• NotifyUser Notify the end user via email

• RequireChange Require immediate password change

The maximum length of a password when a new user is created or a user requests a password change.

The minimum length of a password when a new user is created or a user requests a password change.

The number of previous passwords to remember. Value must be greater than 0.

Whether to prevent a user from using any of their previous passwords.

Whether to force the user to use at least one uppercase and one lowercase character.

Whether to force the user to use at least one non-alphanumeric character.

Whether to force the user to use at least one number.

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

The current state of the tenant. The following are valid values:

• Active - The tenant is active.

• PendingDelete - A delete request has been requested and is being processed.

The unique Id of the theme to be used to style the login page and other end user templates.

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.

The list of Tenant objects.

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

The identifier of the Connector to which this policy refers.

An list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

An object that can hold any information about the Tenant that should be persisted.

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration.

Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part email address (i.e. Jared Dunn <jared@piedpiper.com>).

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address ( i.e. Jared Dunn <jared@piedpiper.com>).

The Id of the Email Template that is used when a user is sent a forgot password email.

The host name of the SMTP server that FusionAuth will use.

An optional password FusionAuth will use to authenticate with the SMTP server.

The Id of the Passwordless Email Template.

The port of the SMTP server that FusionAuth will use.

Additional Email Configuration in a properties file formatted String.

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

• NONE - no security will be used. All communications will be sent plaintext.

• SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

• TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.

An optional username FusionAuth will to authenticate with the SMTP server.

The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

Whether the user’s email addresses are verified when the registers with your application.

Whether the user’s email addresses are verified when the user changes them.

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

• user.action - When a user action is triggered

• user.bulk.create - When multiple users are created in bulk (i.e. during an import)

• user.create - When a user is created

• user.email.verified - When a user verifies their email address Available since 1.8.0

• user.update - When a user is updated

• user.deactivate - When a user is deactivated

• user.reactivate - When a user is reactivated

• user.login.success - When a user completes a login request Available since 1.6.0

• user.login.failed - When a user fails a login request Available since 1.6.0

• user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

• user.registration.create - When a user registration is created Available since 1.6.0

• user.registration.update - When a user registration is updated Available since 1.6.0

• user.registration.delete - When a user registration is deleted Available since 1.6.0

• user.registration.verified - When a user completes registration verification Available since 1.8.0

• user.delete - When a user is deleted

• jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

• jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

• jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

Whether or not FusionAuth should send these types of events to any configured Webhooks.

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

• None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

• Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

• SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the change password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The length of the secure generator used for generating the device code Id.

If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the device code Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The length of the secure generator used for generating the the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the email verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the passwordless login. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the registration verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the setup password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

The unit of time associated with a duration. The possible values are:

• MINUTES

• HOURS

• DAYS

• WEEKS

• MONTHS

• YEARS

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

Whether to allow child registrations.

The unique Id of the email template to use when confirming a child.

Indicates that child users without parental verification will be permanently deleted after tenants[x].familyConfiguration.deleteOrphanedAccountsDays days.

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

Whether family configuration is enabled.

The unique Id of the email template to use when a family request is made.

The maximum age of a child. Value must be greater than 0.

The minimum age to be an owner. Value must be greater than 0.

Whether a parent email is required.

The unique Id of the email template to use for parent registration.

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

The unique identifier for this Tenant.

The instant that the Tenant was added to the FusionAuth database.

The named issuer used to sign tokens, this is generally your public fully qualified domain.

The unique id of the signing key used to sign the access token.

The unique id of the signing key used to sign the Id token.

The refresh token expiration policy. The following are valid values:

• Fixed - the expiration is calculated from the time the token is issued.

• SlidingWindow - the expiration is calculated from the last time the token was used.

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

When enabled, the refresh token will be revoked when a user changes their password.

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.

• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

The instant that the Tenant was last updated in the FusionAuth database.

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

Indicates that the maximum password age is enabled and being enforced.

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

Indicates that the minimum password age is enabled and being enforced.

The unique name of the Tenant.

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

• salted-md5

• salted-sha256

• salted-hmac-sha256

• salted-pbkdf2-hmac-sha256

• bcrypt

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

Whether to enable Reactor breach detection. Requires an activated license.

The level of severity where Reactor will consider a breach. The following are valid values:

• High Only requires a password match, this is the most secure and is recommended

• Medium Exact match on username, email address or email sub-address

• Low Exact match on an email or username, or the password is a common breached value

The Id of the email template to use when notifying user of breached password.

The behavior when detecting breaches at time of user login. The following are valid values:

• Off Do not perform breach detection at login

• RecordOnly Only record the result, take no action

• NotifyUser Notify the end user via email

• RequireChange Require immediate password change

The maximum length of a password when a new user is created or a user requests a password change.

The minimum length of a password when a new user is created or a user requests a password change.

The number of previous passwords to remember. Value must be greater than 0.

Whether to prevent a user from using any of their previous passwords.

Whether to force the user to use at least one uppercase and one lowercase character.

Whether to force the user to use at least one non-alphanumeric character.

Whether to force the user to use at least one number.

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

The current state of the tenant. The following are valid values:

• Active - The tenant is active.

• PendingDelete - A delete request has been requested and is being processed.

The unique Id of the theme to be used to style the login page and other end user templates.

Indicates that users without a verified email address will be permanently deleted after tenants[x].userDeletePolicy.unverified.numberOfDaysToRetain days.

The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.

The Id of the Tenant to update.

The optional Id of an existing Tenant to make a copy of. If present, the tenant.id and tenant.name values of the request body will be applied to the new Tenant, all other values will be copied from the source Tenant to the new Tenant.

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

The identifier of the Connector to which this policy refers.

An list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

An object that can hold any information about the Tenant that should be persisted.

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration.

Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part email address (i.e. Jared Dunn <jared@piedpiper.com>).

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address ( i.e. Jared Dunn <jared@piedpiper.com>).

The Id of the Email Template that is used when a user is sent a forgot password email.

The host name of the SMTP server that FusionAuth will use.

An optional password FusionAuth will use to authenticate with the SMTP server.

The Id of the Passwordless Email Template.

The port of the SMTP server that FusionAuth will use.

Additional Email Configuration in a properties file formatted String.

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

• NONE - no security will be used. All communications will be sent plaintext.

• SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

• TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.

An optional username FusionAuth will to authenticate with the SMTP server.

The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

Whether the user’s email addresses are verified when the registers with your application.

Whether the user’s email addresses are verified when the user changes them.

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

• user.action - When a user action is triggered

• user.bulk.create - When multiple users are created in bulk (i.e. during an import)

• user.create - When a user is created

• user.email.verified - When a user verifies their email address Available since 1.8.0

• user.update - When a user is updated

• user.deactivate - When a user is deactivated

• user.reactivate - When a user is reactivated

• user.login.success - When a user completes a login request Available since 1.6.0

• user.login.failed - When a user fails a login request Available since 1.6.0

• user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

• user.registration.create - When a user registration is created Available since 1.6.0

• user.registration.update - When a user registration is updated Available since 1.6.0

• user.registration.delete - When a user registration is deleted Available since 1.6.0

• user.registration.verified - When a user completes registration verification Available since 1.8.0

• user.delete - When a user is deleted

• jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

• jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

• jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

Whether or not FusionAuth should send these types of events to any configured Webhooks.

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

• None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

• Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

• SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

• AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the change password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The length of the secure generator used for generating the device code Id.

If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the device code Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The length of the secure generator used for generating the the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the email verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the passwordless login. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the registration verification Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

The type of the secure generator used for generating the setup password Id. Possible values are:

• randomAlpha

• randomAlphaNumeric

• randomBytes

• randomDigits

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

The unit of time associated with a duration. The possible values are:

• MINUTES

• HOURS

• DAYS

• WEEKS

• MONTHS

• YEARS

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

Whether to allow child registrations.

The unique Id of the email template to use when confirming a child.

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

Whether family configuration is enabled.

The unique Id of the email template to use when a family request is made.

The maximum age of a child. Value must be greater than 0.

The minimum age to be an owner. Value must be greater than 0.

Whether a parent email is required.

The unique Id of the email template to use for parent registration.

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

When this parameter is not provided, it will default to the form Id currently assigned to the Default tenant.

A paid edition of FusionAuth is required to utilize custom forms.

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

The named issuer used to sign tokens, this is generally your public fully qualified domain.

The unique id of the signing key used to sign the access token.

The unique id of the signing key used to sign the Id token.

The refresh token expiration policy. The following are valid values:

• Fixed - the expiration is calculated from the time the token is issued.

• SlidingWindow - the expiration is calculated from the last time the token was used.

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

When enabled, the refresh token will be revoked when a user changes their password.

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.

• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

Indicates that the maximum password age is enabled and being enforced.

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

Indicates that the minimum password age is enabled and being enforced.