Tenant APIs

Overview

A FusionAuth Tenant is a named object that represents a discrete namespace for Users, Applications and Groups. A user is unique by email address or username within a tenant.

Tenants may be useful to support a multi-tenant application where you wish to use a single instance of FusionAuth but require the ability to have duplicate users across the tenants in your own application. In this scenario a user may exist multiple times with the same email address and different passwords across tenants.

Tenants may also be useful in a test or staging environment to allow multiple users to call APIs and create and modify users without possibility of collision.

The following APIs are provided to manage Tenants.

  • Create a Tenant

  • Retrieve a Tenant

  • Update a Tenant

  • Delete a Tenant

The following APIs provide a subset of the Tenant configuration without an API Key.

  • Retrieve the Password Validation Rules

Related Posts

  • How To Use FusionAuth's Multi-Tenant Feature To Create A Private Label Offering
  • Multi-tenancy in a Single-tenant Architecture

Create a Tenant

This API is used to create a new Tenant.

Request

Create a Tenant with a randomly generated Id

URI

POST /api/tenant

Create a Tenant with the provided unique Id

URI

POST /api/tenant/{tenantId}

Request Parameters

tenantId [UUID] Optional defaults to secure random UUID

The Id to use for the new Tenant. If not specified a secure random UUID will be generated.

Request Body

sourceTenantId [UUID] Optional Available since 1.14.0

The optional Id of an existing Tenant to make a copy of. If present, the tenant.id and tenant.name values of the request body will be applied to the new Tenant; all other values will be copied from the source Tenant to the new Tenant.

tenant.connectorPolicies [Array] Optional Available since 1.18.0

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

tenant.connectorPolicies[x].connectorId [UUID] Required Available since 1.18.0

The identifier of the Connector to which this policy refers.

tenant.connectorPolicies[x].domains [Array<String>] Optional defaults to ["*"] Available since 1.18.0

A list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

tenant.connectorPolicies[x].migrate [Boolean] Optional defaults to false Available since 1.18.0

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

tenant.data [Object] Optional

An object that can hold any information about the Tenant that should be persisted.

tenant.emailConfiguration.enabled [Boolean] Optional Deprecated

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration provided by the System Configuration.

Removed in version 1.8.0. In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

tenant.emailConfiguration.defaultFromEmail [String] Optional defaults to no-reply@fusionauth.io Available since 1.16.0

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.defaultFromName [String] Optional Available since 1.16.0

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional

The Id of the Email Template that is used when a user is sent a forgot password email.

tenant.emailConfiguration.host [String] Required Available since 1.8.0

The host name of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.password [String] Optional Available since 1.8.0

An optional password FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.8.0

The Id of the Passwordless Email Template.

tenant.emailConfiguration.port [Integer] Required Available since 1.8.0

The port of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.properties [String] Optional Available since 1.8.0

Additional Email Configuration in a properties file formatted String.

tenant.emailConfiguration.security [String] Optional defaults to NONE Available since 1.8.0

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

  • NONE - no security will be used. All communications will be sent plaintext.

  • SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

  • TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

tenant.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional

The Id of the Email Template that is used when a user has had their account created for them and must set their password manually; they are sent an email to set their password.

tenant.emailConfiguration.username [String] Optional Available since 1.8.0

An optional username FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.verificationEmailTemplateId [UUID] Optional

The Id of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

tenant.emailConfiguration.verifyEmail [Boolean] Optional defaults to false

Whether the user’s email addresses are verified when the user registers with your application.

tenant.emailConfiguration.verifyEmailWhenChanged [Boolean] Optional defaults to false

Whether the user’s email addresses are verified when the user changes them.

tenant.eventConfiguration.events [Object] Optional defaults to {} Available since 1.8.0

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

  • user.action - When a user action is triggered

  • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

  • user.create - When a user is created

  • user.email.verified - When a user verifies their email address Available since 1.8.0

  • user.update - When a user is updated

  • user.deactivate - When a user is deactivated

  • user.reactivate - When a user is reactivated

  • user.login.success - When a user completes a login request Available since 1.6.0

  • user.login.failed - When a user fails a login request Available since 1.6.0

  • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

  • user.registration.create - When a user registration is created Available since 1.6.0

  • user.registration.update - When a user registration is updated Available since 1.6.0

  • user.registration.delete - When a user registration is deleted Available since 1.6.0

  • user.registration.verified - When a user completes registration verification Available since 1.8.0

  • user.delete - When a user is deleted

  • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

  • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

  • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

tenant.eventConfiguration.events[type].enabled [Boolean] Optional defaults to false Available since 1.8.0

Whether or not FusionAuth should send these types of events to any configured Webhooks.

tenant.eventConfiguration.events[type].transactionType [String] Optional Available since 1.8.0

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

  • None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

  • SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.
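
The thresholds above, modeled as an added Python example (not FusionAuth code). The function names are hypothetical, and committing when no Webhooks are configured is an assumption the page does not state; outage_tolerance shows how many Webhook failures each type absorbs before the transaction is no longer committed.

```python
# Added example: model of the Webhook transaction types listed above.
TRANSACTION_TYPES = ("None", "Any", "SimpleMajority", "SuperMajority", "AbsoluteMajority")


def transaction_commits(transaction_type, succeeded, total):
    """Return True if the transaction commits when `succeeded` of `total` Webhooks succeed."""
    if transaction_type not in TRANSACTION_TYPES:
        raise ValueError(f"unknown transaction type: {transaction_type!r}")
    if not 0 <= succeeded <= total:
        raise ValueError("succeeded must be between 0 and total")
    if transaction_type == "None" or total == 0:
        # Assumption: with no Webhooks configured nothing can fail, so the commit proceeds.
        return True
    if transaction_type == "Any":
        return succeeded >= 1
    if transaction_type == "SimpleMajority":
        return 2 * succeeded >= total        # 50% or more
    if transaction_type == "SuperMajority":
        return 3 * succeeded >= 2 * total    # 2/3 or more, in integers to avoid float rounding
    return succeeded == total                # AbsoluteMajority: every Webhook


def min_successes(transaction_type, total):
    """Smallest number of successful Webhooks that still lets the transaction commit."""
    return next(n for n in range(total + 1) if transaction_commits(transaction_type, n, total))


def outage_tolerance(total):
    """For each type, how many of `total` Webhooks may fail before commits are blocked."""
    return {t: total - min_successes(t, total) for t in TRANSACTION_TYPES}


if __name__ == "__main__":
    for total in (1, 2, 3, 4):
        print(total, outage_tolerance(total))
```
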

tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the change password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds [Integer] Required Available since 1.11.0

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.length [Integer] Required Available since 1.11.0

The length of the secure generator used for generating the device code Id.

If the deviceUserCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the deviceUserCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.type [String] Required Available since 1.11.0

The type of the secure generator used for generating the device code Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the email verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds [Integer] Required Available since 1.12.0

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the passwordless login. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the registration verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds [Integer] Optional defaults to 300 Available since 1.19.0

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the setup password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.
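
The length and time-to-live constraints above can be checked before a request is sent. The following Python linter is an added example, not FusionAuth code: it applies the bounds stated for the externalIdentifierConfiguration generators and time-to-live fields, and flags the emailConfiguration.security values described above as plaintext or not recommended. The function names and the sample body are constructed for illustration.

```python
# Added example: lint a Create Tenant request body before POSTing it (sample data is constructed).

# Allowed length range for each generator type.
GENERATOR_LENGTH_BOUNDS = {
    "randomAlpha": (4, 12),
    "randomAlphaNumeric": (4, 12),
    "randomBytes": (16, 128),
    "randomDigits": (4, 12),
}

# Generator objects under tenant.externalIdentifierConfiguration.
GENERATORS = (
    "changePasswordIdGenerator",
    "deviceUserCodeIdGenerator",
    "emailVerificationIdGenerator",
    "passwordlessLoginGenerator",
    "registrationVerificationIdGenerator",
    "setupPasswordIdGenerator",
)

# Required time-to-live fields whose value must be greater than 0.
POSITIVE_TTLS = (
    "authorizationGrantIdTimeToLiveInSeconds",
    "changePasswordIdTimeToLiveInSeconds",
    "deviceCodeTimeToLiveInSeconds",
    "emailVerificationIdTimeToLiveInSeconds",
    "externalAuthenticationIdTimeToLiveInSeconds",
    "oneTimePasswordTimeToLiveInSeconds",
    "passwordlessLoginTimeToLiveInSeconds",
    "registrationVerificationIdTimeToLiveInSeconds",
    "setupPasswordIdTimeToLiveInSeconds",
    "twoFactorIdTimeToLiveInSeconds",
    "twoFactorTrustIdTimeToLiveInSeconds",
)

PREFIX = "tenant.externalIdentifierConfiguration."


def is_int(value):
    # bool is a subclass of int in Python; JSON true/false must not pass as a number.
    return isinstance(value, int) and not isinstance(value, bool)


def lint_tenant_request(body):
    """Return (errors, warnings) for a Create Tenant request body given as a dict."""
    errors, warnings = [], []
    tenant = body.get("tenant", {})
    ext = tenant.get("externalIdentifierConfiguration", {})

    for name in GENERATORS:
        gen = ext.get(name)
        if not isinstance(gen, dict):
            errors.append(f"{PREFIX}{name}: type and length are Required")
            continue
        gen_type, length = gen.get("type"), gen.get("length")
        bounds = GENERATOR_LENGTH_BOUNDS.get(gen_type) if isinstance(gen_type, str) else None
        if bounds is None:
            errors.append(f"{PREFIX}{name}.type: unknown generator type {gen_type!r}")
        elif not is_int(length) or not bounds[0] <= length <= bounds[1]:
            errors.append(f"{PREFIX}{name}.length: {length!r} is outside "
                          f"{bounds[0]}..{bounds[1]} for {gen_type}")

    for name in POSITIVE_TTLS:
        ttl = ext.get(name)
        if not is_int(ttl) or ttl <= 0:
            errors.append(f"{PREFIX}{name}: must be an integer greater than 0, got {ttl!r}")
    # The authorization code lifetime additionally has an upper bound of 600 seconds.
    grant_ttl = ext.get("authorizationGrantIdTimeToLiveInSeconds")
    if is_int(grant_ttl) and grant_ttl > 600:
        errors.append(f"{PREFIX}authorizationGrantIdTimeToLiveInSeconds: {grant_ttl} exceeds 600")

    # Accepted by the API but weak; the field defaults to NONE when omitted.
    security = tenant.get("emailConfiguration", {}).get("security", "NONE")
    if security == "NONE":
        warnings.append("tenant.emailConfiguration.security: NONE sends SMTP traffic in plaintext")
    elif security == "SSL":
        warnings.append("tenant.emailConfiguration.security: SSL is not recommended, prefer TLS")
    elif security != "TLS":
        errors.append(f"tenant.emailConfiguration.security: unknown value {security!r}")
    return errors, warnings


def sample_body():
    """Constructed request body that passes every check; only linted fields are filled in."""
    ext = {name: {"type": "randomBytes", "length": 32} for name in GENERATORS}
    ext.update({name: 300 for name in POSITIVE_TTLS})
    email = {"host": "smtp.example.com", "port": 587, "security": "TLS"}
    return {"tenant": {"name": "example", "emailConfiguration": email,
                       "externalIdentifierConfiguration": ext}}


if __name__ == "__main__":
    body = sample_body()
    body["tenant"]["emailConfiguration"]["security"] = "NONE"
    body["tenant"]["externalIdentifierConfiguration"]["setupPasswordIdGenerator"]["length"] = 12
    errors, warnings = lint_tenant_request(body)
    for finding in [f"ERROR {e}" for e in errors] + [f"WARN  {w}" for w in warnings]:
        print(finding)
```
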

tenant.failedAuthenticationConfiguration.actionDuration [Long] Required defaults to 3 Available since 1.8.0

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Required defaults to "MINUTES" Available since 1.8.0

The unit of time associated with a duration. The possible values are:

  • MINUTES

  • HOURS

  • DAYS

  • WEEKS

  • MONTHS

  • YEARS

tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Required defaults to 60 Available since 1.8.0

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Required defaults to 5 Available since 1.8.0

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.userActionId [UUID] Optional Available since 1.8.0

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

tenant.familyConfiguration.allowChildRegistrations [Boolean] Optional defaults to true Available since 1.8.0

Whether to allow child registrations.

tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Optional Available since 1.8.0

The unique Id of the email template to use when confirming a child.

tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Optional defaults to false Available since 1.8.0

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Optional defaults to 30 Available since 1.8.0

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

tenant.familyConfiguration.enabled [Boolean] Optional defaults to false Available since 1.8.0

Whether family configuration is enabled.

tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Optional Available since 1.8.0

The unique Id of the email template to use when a family request is made.

tenant.familyConfiguration.maximumChildAge [Integer] Optional defaults to 12 Available since 1.8.0

The maximum age of a child. Value must be greater than 0.

tenant.familyConfiguration.minimumOwnerAge [Integer] Optional defaults to 21 Available since 1.8.0

The minimum age to be an owner. Value must be greater than 0.

tenant.familyConfiguration.parentEmailRequired [Boolean] Optional defaults to false Available since 1.8.0

Whether a parent email is required.

tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Optional Available since 1.8.0

The unique Id of the email template to use for parent registration.

tenant.formConfiguration.adminUserFormId [UUID] Optional defaults to [see description] Available since 1.20.0

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

When this parameter is not provided, it will default to the form Id currently assigned to the Default tenant.

A paid edition of FusionAuth is required to utilize custom forms.

tenant.httpSessionMaxInactiveInterval [Integer] Optional default is 3600 Available since 1.8.0

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

tenant.issuer [String] Required Available since 1.8.0

The named issuer used to sign tokens. This is generally your public fully qualified domain.

tenant.jwtConfiguration.accessTokenKeyId [UUID] Required Available since 1.8.0

The unique id of the signing key used to sign the access token.

tenant.jwtConfiguration.idTokenKeyId [UUID] Required Available since 1.8.0

The unique id of the signing key used to sign the Id token.

tenant.jwtConfiguration.refreshTokenExpirationPolicy [String] Optional default is Fixed Available since 1.17.0

The refresh token expiration policy. The following are valid values:

  • Fixed - the expiration is calculated from the time the token is issued.

  • SlidingWindow - the expiration is calculated from the last time the token was used.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPrevented [Boolean] Optional default is true Available since 1.17.0

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged [Boolean] Optional default is true Available since 1.17.0

When enabled, the refresh token will be revoked when a user changes their password.

tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Required Available since 1.8.0

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

tenant.jwtConfiguration.refreshTokenUsagePolicy [String] Optional Available since 1.17.0

The refresh token usage policy. The following are valid values:

  • Reusable - the token does not change after it was issued.

  • OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Required Available since 1.8.0

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

tenant.logoutURL [String] Optional Available since 1.8.0

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

tenant.maximumPasswordAge.days [Integer] Optional defaults to 180 Available since 1.8.0

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

tenant.maximumPasswordAge.enabled [Boolean] Optional defaults to false Available since 1.8.0

Indicates that the maximum password age is enabled and being enforced.

tenant.minimumPasswordAge.seconds [Integer] Optional defaults to 30 Available since 1.8.0

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

tenant.minimumPasswordAge.enabled [Boolean] Optional defaults to false Available since 1.8.0

Indicates that the minimum password age is enabled and being enforced.

tenant.name [String] Required

The unique name of the Tenant.

tenant.passwordEncryptionConfiguration.encryptionScheme [String] Optional defaults to "salted-pbkdf2-hmac-sha256" Available since 1.8.0

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

  • salted-md5

  • salted-sha256

  • salted-hmac-sha256

  • salted-pbkdf2-hmac-sha256

  • bcrypt

tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Optional defaults to 24000 Available since 1.8.0

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Optional defaults to false Available since 1.8.0

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

tenant.passwordValidationRules.breachDetection.enabled [Boolean] Optional defaults to false Available since 1.15.0

Whether to enable Reactor breach detection. Requires an activated license.

tenant.passwordValidationRules.breachDetection.matchMode [String] Optional Available since 1.15.0

The level of severity where Reactor will consider a breach. The following are valid values:

  • High - Only requires a password match; this is the most secure and is recommended

  • Medium - Exact match on username, email address or email sub-address

  • Low - Exact match on an email or username, or the password is a common breached value

tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateId [UUID] Optional Available since 1.15.0

The Id of the email template to use when notifying a user of a breached password. Required if tenant.passwordValidationRules.breachDetection.onLogin is set to NotifyUser.

tenant.passwordValidationRules.breachDetection.onLogin [String] Optional Available since 1.15.0

The behavior when detecting breaches at time of user login. The following are valid values:

  • Off - Do not perform breach detection at login

  • RecordOnly - Only record the result, take no action

  • NotifyUser - Notify the end user via email

  • RequireChange - Require immediate password change

tenant.passwordValidationRules.maxLength [Integer] Required defaults to 256 Available since 1.8.0

The maximum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.minLength [Integer] Required defaults to 8 Available since 1.8.0

The minimum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Optional Available since 1.8.0

The number of previous passwords to remember. Value must be greater than 0.

tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Optional defaults to false Available since 1.8.0

Whether to prevent a user from using any of their previous passwords.

tenant.passwordValidationRules.requireMixedCase [Boolean] Optional defaults to false Available since 1.8.0

Whether to force the user to use at least one uppercase and one lowercase character.

tenant.passwordValidationRules.requireNonAlpha [Boolean] Optional defaults to false Available since 1.8.0

Whether to force the user to use at least one non-alphanumeric character.

tenant.passwordValidationRules.requireNumber [Boolean] Optional defaults to false Available since 1.8.0

Whether to force the user to use at least one number.

tenant.passwordValidationRules.validateOnLogin [Boolean] Optional defaults to false Available since 1.15.0

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

tenant.themeId [UUID] Required Available since 1.8.0

The unique Id of the theme to be used to style the login page and other end user templates.

tenant.userDeletePolicy.unverified.enabled [Boolean] Optional defaults to false Available since 1.13.0

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Optional Available since 1.13.0

The number of days from creation users will be retained before being deleted for not completing email verification. This field is required when tenant.userDeletePolicy.unverified.enabled is set to true. Value must be greater than 0.

Example Request JSON
{
  "tenant": {
    "data": {
      "description": "No more secrets, Marty."
    },
    "connectorPolicies": [
      {
        "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
        "domains": ["*"],
        "migrate": false
      },
      {
        "connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
        "domains": ["*"],
        "migrate": true
      }
    ],
    "emailConfiguration": {
      "defaultFromEmail": "jared@piedpiper.com",
      "defaultFromName": "Jared Dunn",
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "password": "password",
      "passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
      "port": 587,
      "properties": {
        "key": "value"
      },
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "events": {
        "user.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.deactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.bulk.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.reactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh-token.revoke": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.public-key.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.success": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.failed": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.password.breach": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.verified": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.email.verified": {
          "enabled": true,
          "transactionType": "None"
        }
      }
    },
    "externalIdentifierConfiguration": {
      "authorizationGrantIdTimeToLiveInSeconds": 30,
      "changePasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "changePasswordIdTimeToLiveInSeconds": 600,
      "deviceCodeTimeToLiveInSeconds": 1800,
      "deviceUserCodeIdGenerator": {
        "length": 6,
        "type": "randomAlphaNumeric"
      },
      "emailVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "emailVerificationIdTimeToLiveInSeconds": 86400,
      "externalAuthenticationIdTimeToLiveInSeconds": 300,
      "oneTimePasswordTimeToLiveInSeconds": 60,
      "passwordlessLoginGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "passwordlessLoginTimeToLiveInSeconds": 180,
      "registrationVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "registrationVerificationIdTimeToLiveInSeconds": 86400,
      "samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
      "setupPasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "setupPasswordIdTimeToLiveInSeconds": 86400,
      "twoFactorIdTimeToLiveInSeconds": 300,
      "twoFactorTrustIdTimeToLiveInSeconds": 2592000
    },
    "failedAuthenticationConfiguration": {
      "actionDuration": 3,
      "actionDurationUnit": "MINUTES",
      "resetCountInSeconds": 60,
      "tooManyAttempts": 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "familyConfiguration": {
      "allowChildRegistrations": true,
      "confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
      "deleteOrphanedAccounts": false,
      "deleteOrphanedAccountsDays": 30,
      "enabled": true,
      "familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
      "maximumChildAge": 12,
      "minimumOwnerAge": 21,
      "parentEmailRequired": false,
      "parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
    },
    "formConfiguration": {
      "adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "issuer": "https://example.com",
    "jwtConfiguration": {
      "accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
      "enabled": true,
      "idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
      "refreshTokenExpirationPolicy": "Fixed",
      "refreshTokenRevocationPolicy": {
        "onLoginPrevented": true,
        "onPasswordChanged": true
      },
      "refreshTokenTimeToLiveInMinutes": 43200,
      "refreshTokenUsagePolicy": "Reusable",
      "timeToLiveInSeconds": 3600
    },
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": false
    },
    "minimumPasswordAge": {
      "enabled": false,
      "seconds": 30
    },
    "name": "Playtronics Co.",
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordValidationRules": {
      "breachDetection": {
        "enabled": true,
        "notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
        "matchMode": "High",
        "onLogin": "Off"
      },
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true,
      "validateOnLogin": false
    },
    "themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
    "userDeletePolicy": {
      "unverified": {
        "enabled": true,
        "numberOfDaysToRetain": 30
      }
    }
  }
}
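
The password, token and email settings documented above can be checked mechanically before a request body like the one shown is sent. The following Python is an added example, not FusionAuth code: audit_tenant, the constructed WEAK_TENANT input and the judgements in its rules (for instance that salted-md5, salted-sha256 and salted-hmac-sha256 are fast hashes) are this example's assumptions; field names and defaults come from this page.

```python
# Added example: audit a Tenant request body against fields documented on this page.
# The judgements encoded in the rules are this example's own, not FusionAuth's.

FAST_HASH_SCHEMES = {"salted-md5", "salted-sha256", "salted-hmac-sha256"}
PBKDF2_SCHEME = "salted-pbkdf2-hmac-sha256"
PBKDF2_DEFAULT_FACTOR = 24000  # documented default for encryptionSchemeFactor
DEFAULT_MIN_LENGTH = 8         # documented default for passwordValidationRules.minLength


def get(obj, path, default=None):
    """Walk a dotted path through nested dicts; return default if a key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_tenant(body):
    """Return {field name: finding} for security-relevant settings in a request body."""
    t = body.get("tenant", {})
    out = {}

    # Password hashing. Omitted fields fall back to the documented defaults.
    enc = "passwordEncryptionConfiguration."
    scheme = get(t, enc + "encryptionScheme", PBKDF2_SCHEME)
    factor = get(t, enc + "encryptionSchemeFactor", PBKDF2_DEFAULT_FACTOR)
    if scheme in FAST_HASH_SCHEMES:
        out[enc + "encryptionScheme"] = (
            f"{scheme} is a fast general-purpose hash; use {PBKDF2_SCHEME} or bcrypt")
    elif (scheme == PBKDF2_SCHEME and isinstance(factor, int)
          and factor < PBKDF2_DEFAULT_FACTOR):
        out[enc + "encryptionSchemeFactor"] = (
            f"{factor} is below the documented default of {PBKDF2_DEFAULT_FACTOR}")
    # bcrypt is deliberately not compared with 24000: the page leaves the meaning of the
    # factor to the PasswordEncryptor, and a bcrypt work factor is log2 of the rounds.
    if not get(t, enc + "modifyEncryptionSchemeOnLogin", False):
        out[enc + "modifyEncryptionSchemeOnLogin"] = (
            "hashes created under earlier settings are not upgraded at login")

    # Password validation rules and Reactor breach detection.
    rules = "passwordValidationRules."
    breach = get(t, rules + "breachDetection", {})
    if not breach.get("enabled", False):
        out[rules + "breachDetection.enabled"] = "breach detection is disabled"
    else:
        if breach.get("onLogin") == "Off":
            out[rules + "breachDetection.onLogin"] = (
                "no breach detection is performed at login")
        if breach.get("onLogin") == "NotifyUser" and not breach.get("notifyUserEmailTemplateId"):
            out[rules + "breachDetection.notifyUserEmailTemplateId"] = (
                "required when onLogin is NotifyUser")
    min_length = get(t, rules + "minLength", DEFAULT_MIN_LENGTH)
    if isinstance(min_length, int) and min_length < DEFAULT_MIN_LENGTH:
        out[rules + "minLength"] = (
            f"{min_length} is below the documented default of {DEFAULT_MIN_LENGTH}")

    # Refresh tokens. Only explicit values are judged; defaults are not assumed here.
    jwt = "jwtConfiguration."
    if get(t, jwt + "refreshTokenUsagePolicy") == "Reusable":
        out[jwt + "refreshTokenUsagePolicy"] = (
            "token value never changes after issue; OneTimeUse rotates it on each refresh")
    if get(t, jwt + "refreshTokenRevocationPolicy.onPasswordChanged") is False:
        out[jwt + "refreshTokenRevocationPolicy.onPasswordChanged"] = (
            "refresh tokens are not revoked when the user changes their password")

    # SMTP transport security, using the wording of the field description.
    security = get(t, "emailConfiguration.security")
    if security == "NONE":
        out["emailConfiguration.security"] = "all SMTP traffic is sent in plaintext"
    elif security == "SSL":
        out["emailConfiguration.security"] = "SSL is not recommended; TLS is preferred"
    return out


# Constructed sample input (not from a real deployment).
WEAK_TENANT = {"tenant": {
    "name": "constructed-example",
    "emailConfiguration": {"security": "NONE"},
    "jwtConfiguration": {
        "refreshTokenUsagePolicy": "Reusable",
        "refreshTokenRevocationPolicy": {"onLoginPrevented": True, "onPasswordChanged": False},
    },
    "passwordEncryptionConfiguration": {"encryptionScheme": "salted-md5",
                                        "encryptionSchemeFactor": 1},
    "passwordValidationRules": {
        "breachDetection": {"enabled": True, "onLogin": "NotifyUser"},
        "minLength": 6,
    },
}}

if __name__ == "__main__":
    for field, finding in sorted(audit_tenant(WEAK_TENANT).items()):
        print(f"{field}: {finding}")
```
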

Response

The response for this API contains the Tenant that was created.

Table 1. Response Codes

Code  Description
200   The request was successful. The response will contain a JSON body.
400   The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401   You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500   There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503   The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body

tenant.connectorPolicies [Array] Available since 1.18.0

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

tenant.connectorPolicies[x].connectorId [UUID] Available since 1.18.0

The identifier of the Connector to which this policy refers.

tenant.connectorPolicies[x].domains [String] Available since 1.18.0

A list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

tenant.connectorPolicies[x].migrate [Boolean] Available since 1.18.0

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

tenant.data [Object]

An object that can hold any information about the Tenant that should be persisted.

tenant.emailConfiguration.enabled [Boolean] Deprecated

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration provided by the System Configuration.

Removed in version 1.8.0. In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

tenant.emailConfiguration.defaultFromEmail [String] Available since 1.16.0

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.defaultFromName [String] Available since 1.16.0

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID]

The Id of the Email Template that is used when a user is sent a forgot password email.

tenant.emailConfiguration.host [String] Available since 1.8.0

The host name of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.password [String] Available since 1.8.0

An optional password FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Available since 1.8.0

The Id of the Passwordless Email Template.

tenant.emailConfiguration.port [Integer] Available since 1.8.0

The port of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.properties [String] Available since 1.8.0

Additional Email Configuration in a properties file formatted String.

tenant.emailConfiguration.security [String] Available since 1.8.0

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

  • NONE - no security will be used. All communications will be sent plaintext.

  • SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

  • TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

tenant.emailConfiguration.setPasswordEmailTemplateId [UUID]

The Id of the Email Template that is used when a user had their account created for them and must set their password manually; they are sent an email to set their password.

tenant.emailConfiguration.username [String] Available since 1.8.0

An optional username FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.verificationEmailTemplateId [UUID]

The Id of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

tenant.emailConfiguration.verifyEmail [Boolean]

Whether the user’s email addresses are verified when the user registers with your application.

tenant.emailConfiguration.verifyEmailWhenChanged [Boolean]

Whether the user’s email addresses are verified when the user changes them.

tenant.eventConfiguration.events [Object] Available since 1.8.0

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

  • user.action - When a user action is triggered

  • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

  • user.create - When a user is created

  • user.email.verified - When a user verifies their email address (Available since 1.8.0)

  • user.update - When a user is updated

  • user.deactivate - When a user is deactivated

  • user.reactivate - When a user is reactivated

  • user.login.success - When a user completes a login request (Available since 1.6.0)

  • user.login.failed - When a user fails a login request (Available since 1.6.0)

  • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) (Available since 1.15.0)

  • user.registration.create - When a user registration is created (Available since 1.6.0)

  • user.registration.update - When a user registration is updated (Available since 1.6.0)

  • user.registration.delete - When a user registration is deleted (Available since 1.6.0)

  • user.registration.verified - When a user completes registration verification (Available since 1.8.0)

  • user.delete - When a user is deleted

  • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

  • jwt.refresh - When an access token is refreshed using a refresh token (Available since 1.16.0)

  • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

tenant.eventConfiguration.events[type].enabled [Boolean] Available since 1.8.0

Whether or not FusionAuth should send these types of events to any configured Webhooks.

tenant.eventConfiguration.events[type].transactionType [String] Available since 1.8.0

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

  • None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

  • SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the change password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds [Integer] Available since 1.11.0

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.length [Integer] Available since 1.11.0

The length of the secure generator used for generating the device code Id.

If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.type [String] Available since 1.11.0

The type of the secure generator used for generating the device code Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the email verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds [Integer] Available since 1.12.0

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the passwordless login. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the registration verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds [Integer] Available since 1.19.0

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the setup password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDuration [Long] Available since 1.8.0

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Available since 1.8.0

The unit of time associated with a duration. The possible values are:

  • MINUTES

  • HOURS

  • DAYS

  • WEEKS

  • MONTHS

  • YEARS

tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Available since 1.8.0

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Available since 1.8.0

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.userActionId [UUID] Available since 1.8.0

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

tenant.familyConfiguration.allowChildRegistrations [Boolean] Available since 1.8.0

Whether to allow child registrations.

tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use when confirming a child.

tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Available since 1.8.0

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Available since 1.8.0

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

tenant.familyConfiguration.enabled [Boolean] Available since 1.8.0

Whether family configuration is enabled.

tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use when a family request is made.

tenant.familyConfiguration.maximumChildAge [Integer] Available since 1.8.0

The maximum age of a child. Value must be greater than 0.

tenant.familyConfiguration.minimumOwnerAge [Integer] Available since 1.8.0

The minimum age to be an owner. Value must be greater than 0.

tenant.familyConfiguration.parentEmailRequired [Boolean] Available since 1.8.0

Whether a parent email is required.

tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use for parent registration.

tenant.formConfiguration.adminUserFormId [UUID] Available since 1.20.0

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

tenant.httpSessionMaxInactiveInterval [Integer] Available since 1.8.0

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

tenant.id [UUID]

The unique identifier for this Tenant.

tenant.insertInstant [Long]

The instant that the Tenant was added to the FusionAuth database.

tenant.issuer [String] Available since 1.8.0

The named issuer used to sign tokens. This is generally your public fully qualified domain.

tenant.jwtConfiguration.accessTokenKeyId [UUID] Available since 1.8.0

The unique id of the signing key used to sign the access token.

tenant.jwtConfiguration.idTokenKeyId [UUID] Available since 1.8.0

The unique id of the signing key used to sign the Id token.

tenant.jwtConfiguration.refreshTokenExpirationPolicy [String] Available since 1.17.0

The refresh token expiration policy. The following are valid values:

  • Fixed - the expiration is calculated from the time the token is issued.

  • SlidingWindow - the expiration is calculated from the last time the token was used.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPrevented [Boolean] Available since 1.17.0

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged [Boolean] Available since 1.17.0

When enabled, the refresh token will be revoked when a user changes their password.

tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.8.0

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

tenant.jwtConfiguration.refreshTokenUsagePolicy [String] Available since 1.17.0

The refresh token usage policy. The following are valid values:

  • Reusable - the token does not change after it was issued.

  • OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Available since 1.8.0

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

tenant.lastUpdateInstant [Long]

The instant that the Tenant was last updated in the FusionAuth database.

tenant.logoutURL [String] Available since 1.8.0

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

tenant.maximumPasswordAge.days [Integer] Available since 1.8.0

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

tenant.maximumPasswordAge.enabled [Boolean] Available since 1.8.0

Indicates that the maximum password age is enabled and being enforced.

tenant.minimumPasswordAge.seconds [Integer] Available since 1.8.0

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

tenant.minimumPasswordAge.enabled [Boolean] Available since 1.8.0

Indicates that the minimum password age is enabled and being enforced.

tenant.name [String]

The unique name of the Tenant.

tenant.passwordEncryptionConfiguration.encryptionScheme [String] Available since 1.8.0

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

  • salted-md5

  • salted-sha256

  • salted-hmac-sha256

  • salted-pbkdf2-hmac-sha256

  • bcrypt

tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Available since 1.8.0

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Available since 1.8.0

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

tenant.passwordValidationRules.breachDetection.enabled [Boolean] Available since 1.15.0

Whether to enable Reactor breach detection. Requires an activated license.

tenant.passwordValidationRules.breachDetection.matchMode [String] Available since 1.15.0

The level of severity where Reactor will consider a breach. The following are valid values:

  • High - Only requires a password match. This is the most secure and is recommended.

  • Medium - Exact match on username, email address or email sub-address

  • Low - Exact match on an email or username, or the password is a common breached value

tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateId [UUID] Available since 1.15.0

The Id of the email template to use when notifying a user of a breached password.

tenant.passwordValidationRules.breachDetection.onLogin [String] Available since 1.15.0

The behavior when detecting breaches at time of user login. The following are valid values:

  • Off - Do not perform breach detection at login

  • RecordOnly - Only record the result, take no action

  • NotifyUser - Notify the end user via email

  • RequireChange - Require immediate password change

tenant.passwordValidationRules.maxLength [Integer] Available since 1.8.0

The maximum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.minLength [Integer] Available since 1.8.0

The minimum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Available since 1.8.0

The number of previous passwords to remember. Value must be greater than 0.

tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Available since 1.8.0

Whether to prevent a user from using any of their previous passwords.

tenant.passwordValidationRules.requireMixedCase [Boolean] Available since 1.8.0

Whether to force the user to use at least one uppercase and one lowercase character.

tenant.passwordValidationRules.requireNonAlpha [Boolean] Available since 1.8.0

Whether to force the user to use at least one non-alphanumeric character.

tenant.passwordValidationRules.requireNumber [Boolean] Available since 1.8.0

Whether to force the user to use at least one number.

tenant.passwordValidationRules.validateOnLogin [Boolean] Available since 1.15.0

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

tenant.state [String] Available since 1.22.0

The current state of the tenant. The following are valid values:

  • Active - The tenant is active.

  • PendingDelete - A delete request has been requested and is being processed.

tenant.themeId [UUID] Available since 1.8.0

The unique Id of the theme to be used to style the login page and other end user templates.

tenant.userDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0

The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.

Example Response JSON
{
  "tenant": {
    "data": {
      "description": "No more secrets, Marty."
    },
    "connectorPolicies": [
      {
        "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
        "domains": ["*"],
        "migrate": false
      },
      {
        "connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
        "domains": ["*"],
        "migrate": true
      }
    ],
    "emailConfiguration": {
      "defaultFromEmail": "jared@piedpiper.com",
      "defaultFromName": "Jared Dunn",
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "password": "password",
      "passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
      "port": 587,
      "properties": {
        "key": "value"
      },
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "events": {
        "user.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.deactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.bulk.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.reactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh-token.revoke": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.public-key.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.success": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.failed": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.password.breach": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.verified": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.email.verified": {
          "enabled": true,
          "transactionType": "None"
        }
      }
    },
    "externalIdentifierConfiguration": {
      "authorizationGrantIdTimeToLiveInSeconds": 30,
      "changePasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "changePasswordIdTimeToLiveInSeconds": 600,
      "deviceCodeTimeToLiveInSeconds": 1800,
      "deviceUserCodeIdGenerator": {
        "length": 6,
        "type": "randomAlphaNumeric"
      },
      "emailVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "emailVerificationIdTimeToLiveInSeconds": 86400,
      "externalAuthenticationIdTimeToLiveInSeconds": 300,
      "oneTimePasswordTimeToLiveInSeconds": 60,
      "passwordlessLoginGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "passwordlessLoginTimeToLiveInSeconds": 180,
      "registrationVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "registrationVerificationIdTimeToLiveInSeconds": 86400,
      "samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
      "setupPasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "setupPasswordIdTimeToLiveInSeconds": 86400,
      "twoFactorIdTimeToLiveInSeconds": 300,
      "twoFactorTrustIdTimeToLiveInSeconds": 2592000
    },
    "failedAuthenticationConfiguration": {
      "actionDuration": 3,
      "actionDurationUnit": "MINUTES",
      "resetCountInSeconds": 60,
      "tooManyAttempts": 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "familyConfiguration": {
      "allowChildRegistrations": true,
      "confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
      "deleteOrphanedAccounts": false,
      "deleteOrphanedAccountsDays": 30,
      "enabled": true,
      "familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
      "maximumChildAge": 12,
      "minimumOwnerAge": 21,
      "parentEmailRequired": false,
      "parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
    },
    "formConfiguration": {
      "adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "id": "32306536-3036-6431-3865-646430303332",
    "insertInstant": 1572469040579,
    "issuer": "https://example.com",
    "jwtConfiguration": {
      "accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
      "enabled": true,
      "idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
      "refreshTokenExpirationPolicy": "Fixed",
      "refreshTokenRevocationPolicy": {
        "onLoginPrevented": true,
        "onPasswordChanged": true
      },
      "refreshTokenTimeToLiveInMinutes": 43200,
      "refreshTokenUsagePolicy": "Reusable",
      "timeToLiveInSeconds": 3600
    },
    "lastUpdateInstant": 1595361143101,
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": false
    },
    "minimumPasswordAge": {
      "enabled": false,
      "seconds": 30
    },
    "name": "Playtronics Co.",
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordValidationRules": {
      "breachDetection": {
        "enabled": true,
        "notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
        "matchMode": "High",
        "onLogin": "Off"
      },
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true,
      "validateOnLogin": false
    },
    "state": "Active",
    "themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
    "userDeletePolicy": {
      "unverified": {
        "enabled": true,
        "numberOfDaysToRetain": 30
      }
    }
  }
}
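The example response above carries most of a tenant's security posture, so it is a natural input for a configuration audit. The following is an added example, not part of the FusionAuth documentation: the thresholds, function names and severity labels are assumptions of this example, the generator length ranges are the ones documented on this page, and the sample is trimmed from the example response.

```python
import json

# Thresholds are assumptions of this example, not values from the FusionAuth docs.
WEAK_SCHEMES = {"salted-md5", "salted-sha256", "salted-hmac-sha256"}
MIN_FACTOR = {"salted-pbkdf2-hmac-sha256": 100_000, "bcrypt": 10}
# Length ranges per generator type, as documented for externalIdentifierConfiguration.
GENERATOR_RANGES = {"randomAlpha": (4, 12), "randomAlphaNumeric": (4, 12),
                    "randomDigits": (4, 12), "randomBytes": (16, 128)}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def audit_tenant(tenant):
    """Return (severity, field, message) findings for one tenant object, worst first."""
    findings = []

    def add(severity, field, message):
        findings.append((severity, field, message))

    enc = tenant.get("passwordEncryptionConfiguration", {})
    scheme, factor = enc.get("encryptionScheme"), enc.get("encryptionSchemeFactor")
    if scheme in WEAK_SCHEMES:
        add("high", "passwordEncryptionConfiguration.encryptionScheme",
            f"{scheme} is a fast general-purpose hash; use PBKDF2 or bcrypt")
    elif scheme in MIN_FACTOR and factor is not None and factor < MIN_FACTOR[scheme]:
        add("medium", "passwordEncryptionConfiguration.encryptionSchemeFactor",
            f"factor {factor} is below the assumed floor {MIN_FACTOR[scheme]}")
    if not enc.get("modifyEncryptionSchemeOnLogin", False):
        add("low", "passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin",
            "stored hashes are not upgraded at login after a scheme or factor change")

    security = tenant.get("emailConfiguration", {}).get("security")
    if security == "NONE":
        add("high", "emailConfiguration.security", "SMTP session is sent in plaintext")
    elif security == "SSL":
        add("low", "emailConfiguration.security", "SSL is not recommended; prefer TLS")

    jwt = tenant.get("jwtConfiguration", {})
    if jwt.get("refreshTokenUsagePolicy") == "Reusable":
        add("medium", "jwtConfiguration.refreshTokenUsagePolicy",
            "refresh token value never changes; OneTimeUse rotates it on each use")
    for event in ("onLoginPrevented", "onPasswordChanged"):
        if not jwt.get("refreshTokenRevocationPolicy", {}).get(event, False):
            add("medium", f"jwtConfiguration.refreshTokenRevocationPolicy.{event}",
                "refresh tokens are not revoked on this event")

    breach = tenant.get("passwordValidationRules", {}).get("breachDetection", {})
    if not breach.get("enabled", False):
        add("medium", "passwordValidationRules.breachDetection.enabled",
            "breached-password detection is off")
    elif breach.get("onLogin", "Off") == "Off":
        add("low", "passwordValidationRules.breachDetection.onLogin",
            "passwords are not checked against breach data at login")

    ext = tenant.get("externalIdentifierConfiguration", {})
    for name, gen in ext.items():
        if not (name.endswith("Generator") and isinstance(gen, dict)):
            continue  # skip the *TimeToLiveInSeconds integers
        field = f"externalIdentifierConfiguration.{name}"
        bounds, length = GENERATOR_RANGES.get(gen.get("type")), gen.get("length")
        if bounds is None:
            add("high", f"{field}.type", f"unknown generator type {gen.get('type')!r}")
        elif not isinstance(length, int) or not bounds[0] <= length <= bounds[1]:
            add("high", f"{field}.length",
                f"length {length} is outside the documented {bounds[0]}-{bounds[1]}")

    if str(tenant.get("logoutURL", "")).lower().startswith("http://"):
        add("low", "logoutURL", "logout redirect target uses plain HTTP")

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


def audit_response(body_text):
    """Audit the JSON body of a single-tenant response: {"tenant": {...}}."""
    return audit_tenant(json.loads(body_text)["tenant"])


# Constructed sample: security-relevant fields trimmed from the example response above.
SAMPLE_RESPONSE = json.dumps({"tenant": {
    "emailConfiguration": {"host": "smtp.sendgrid.net", "port": 587, "security": "TLS"},
    "externalIdentifierConfiguration": {
        "changePasswordIdGenerator": {"length": 32, "type": "randomBytes"},
        "deviceUserCodeIdGenerator": {"length": 6, "type": "randomAlphaNumeric"}},
    "jwtConfiguration": {
        "refreshTokenRevocationPolicy": {"onLoginPrevented": True, "onPasswordChanged": True},
        "refreshTokenUsagePolicy": "Reusable", "timeToLiveInSeconds": 3600},
    "logoutURL": "http://example.com/logout",
    "passwordEncryptionConfiguration": {
        "encryptionScheme": "salted-pbkdf2-hmac-sha256",
        "encryptionSchemeFactor": 24000, "modifyEncryptionSchemeOnLogin": False},
    "passwordValidationRules": {
        "breachDetection": {"enabled": True, "matchMode": "High", "onLogin": "Off"}},
}})

if __name__ == "__main__":
    for severity, field, message in audit_response(SAMPLE_RESPONSE):
        print(f"{severity:6} tenant.{field}: {message}")
```

Run against the body returned by GET /api/tenant/{tenantId}, the same function can gate a deployment pipeline or a periodic configuration review.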

Retrieve a Tenant

This API is used to retrieve a single Tenant by unique Id or all of the configured Tenants.

Request

Retrieve all of the Tenants

URI

GET /api/tenant

Retrieve a Tenant by Id

URI

GET /api/tenant/{tenantId}

Request Parameters

tenantId [UUID] Required

The unique Id of the Tenant to retrieve.

Request Headers

X-FusionAuth-TenantId [String] Optional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Response

The response for this API contains either a single Tenant or all of the Tenants. When you call this API with an Id the response will contain a single Tenant. When you call this API without an Id the response will contain all of the Tenants. Both response types are defined below along with an example JSON response.

Table 2. Response Codes
Code Description

200

The request was successful. The response will contain a JSON body.

400

The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

401

You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

404

The object you requested doesn’t exist. The response will be empty.

500

There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

503

The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body

tenant.connectorPolicies [Array] Available since 1.18.0

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

tenant.connectorPolicies[x].connectorId [UUID] Available since 1.18.0

The identifier of the Connector to which this policy refers.

tenant.connectorPolicies[x].domains [String] Available since 1.18.0

A list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

tenant.connectorPolicies[x].migrate [Boolean] Available since 1.18.0

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

tenant.data [Object]

An object that can hold any information about the Tenant that should be persisted.

tenant.emailConfiguration.enabled [Boolean] Deprecated

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration provided by the System Configuration.

 

Removed in version 1.8.0. In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

tenant.emailConfiguration.defaultFromEmail [String] Available since 1.16.0

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.defaultFromName [String] Available since 1.16.0

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID]

The Id of the Email Template that is used when a user is sent a forgot password email.

tenant.emailConfiguration.host [String] Available since 1.8.0

The host name of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.password [String] Available since 1.8.0

An optional password FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Available since 1.8.0

The Id of the Passwordless Email Template.

tenant.emailConfiguration.port [Integer] Available since 1.8.0

The port of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.properties [String] Available since 1.8.0

Additional Email Configuration in a properties file formatted String.

tenant.emailConfiguration.security [String] Available since 1.8.0

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

  • NONE - no security will be used. All communications will be sent plaintext.

  • SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

  • TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

tenant.emailConfiguration.setPasswordEmailTemplateId [UUID]

The Id of the Email Template that is used when a user has had their account created for them and must set their password manually. The user is sent an email to set their password.

tenant.emailConfiguration.username [String] Available since 1.8.0

An optional username FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.verificationEmailTemplateId [UUID]

The Id of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

tenant.emailConfiguration.verifyEmail [Boolean]

Whether the user’s email addresses are verified when the user registers with your application.

tenant.emailConfiguration.verifyEmailWhenChanged [Boolean]

Whether the user’s email addresses are verified when the user changes them.

tenant.eventConfiguration.events [Object] Available since 1.8.0

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

  • user.action - When a user action is triggered

  • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

  • user.create - When a user is created

  • user.email.verified - When a user verifies their email address Available since 1.8.0

  • user.update - When a user is updated

  • user.deactivate - When a user is deactivated

  • user.reactivate - When a user is reactivated

  • user.login.success - When a user completes a login request Available since 1.6.0

  • user.login.failed - When a user fails a login request Available since 1.6.0

  • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

  • user.registration.create - When a user registration is created Available since 1.6.0

  • user.registration.update - When a user registration is updated Available since 1.6.0

  • user.registration.delete - When a user registration is deleted Available since 1.6.0

  • user.registration.verified - When a user completes registration verification Available since 1.8.0

  • user.delete - When a user is deleted

  • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

  • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

  • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

tenant.eventConfiguration.events[type].enabled [Boolean] Available since 1.8.0

Whether or not FusionAuth should send these types of events to any configured Webhooks.

tenant.eventConfiguration.events[type].transactionType [String] Available since 1.8.0

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

  • None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

  • SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the change password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds [Integer] Available since 1.11.0

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.length [Integer] Available since 1.11.0

The length of the secure generator used for generating the device code Id.

If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.type [String] Available since 1.11.0

The type of the secure generator used for generating the device code Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the email verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds [Integer] Available since 1.12.0

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the passwordless login. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the registration verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds [Integer] Available since 1.19.0

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the setup password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDuration [Long] Available since 1.8.0

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Available since 1.8.0

The unit of time associated with a duration. The possible values are:

  • MINUTES

  • HOURS

  • DAYS

  • WEEKS

  • MONTHS

  • YEARS

tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Available since 1.8.0

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Available since 1.8.0

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.userActionId [UUID] Available since 1.8.0

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

tenant.familyConfiguration.allowChildRegistrations [Boolean] Available since 1.8.0

Whether to allow child registrations.

tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use when confirming a child.

tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Available since 1.8.0

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Available since 1.8.0

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

tenant.familyConfiguration.enabled [Boolean] Available since 1.8.0

Whether family configuration is enabled.

tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use when a family request is made.

tenant.familyConfiguration.maximumChildAge [Integer] Available since 1.8.0

The maximum age of a child. Value must be greater than 0.

tenant.familyConfiguration.minimumOwnerAge [Integer] Available since 1.8.0

The minimum age to be an owner. Value must be greater than 0.

tenant.familyConfiguration.parentEmailRequired [Boolean] Available since 1.8.0

Whether a parent email is required.

tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use for parent registration.

tenant.formConfiguration.adminUserFormId [UUID] Available since 1.20.0

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

tenant.httpSessionMaxInactiveInterval [Integer] Available since 1.8.0

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

tenant.id [UUID]

The unique identifier for this Tenant.

tenant.insertInstant [Long]

The instant that the Tenant was added to the FusionAuth database.

tenant.issuer [String] Available since 1.8.0

The named issuer used to sign tokens. This is generally your public fully qualified domain.

tenant.jwtConfiguration.accessTokenKeyId [UUID] Available since 1.8.0

The unique id of the signing key used to sign the access token.

tenant.jwtConfiguration.idTokenKeyId [UUID] Available since 1.8.0

The unique id of the signing key used to sign the Id token.

tenant.jwtConfiguration.refreshTokenExpirationPolicy [String] Available since 1.17.0

The refresh token expiration policy. The following are valid values:

  • Fixed - the expiration is calculated from the time the token is issued.

  • SlidingWindow - the expiration is calculated from the last time the token was used.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPrevented [Boolean] Available since 1.17.0

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged [Boolean] Available since 1.17.0

When enabled, the refresh token will be revoked when a user changes their password.

tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.8.0

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

tenant.jwtConfiguration.refreshTokenUsagePolicy [String] Available since 1.17.0

The refresh token usage policy. The following are valid values:

  • Reusable - the token does not change after it was issued.

  • OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Available since 1.8.0

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

tenant.lastUpdateInstant [Long]

The instant that the Tenant was last updated in the FusionAuth database.

tenant.logoutURL [String] Available since 1.8.0

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

tenant.maximumPasswordAge.days [Integer] Available since 1.8.0

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

tenant.maximumPasswordAge.enabled [Boolean] Available since 1.8.0

Indicates that the maximum password age is enabled and being enforced.

tenant.minimumPasswordAge.seconds [Integer] Available since 1.8.0

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

tenant.minimumPasswordAge.enabled [Boolean] Available since 1.8.0

Indicates that the minimum password age is enabled and being enforced.

tenant.name [String]

The unique name of the Tenant.

tenant.passwordEncryptionConfiguration.encryptionScheme [String] Available since 1.8.0

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

  • salted-md5

  • salted-sha256

  • salted-hmac-sha256

  • salted-pbkdf2-hmac-sha256

  • bcrypt

tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Available since 1.8.0

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Available since 1.8.0

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

tenant.passwordValidationRules.breachDetection.enabled [Boolean] Available since 1.15.0

Whether to enable Reactor breach detection. Requires an activated license.

tenant.passwordValidationRules.breachDetection.matchMode [String] Available since 1.15.0

The level of severity where Reactor will consider a breach. The following are valid values:

  • High - Only requires a password match, this is the most secure and is recommended

  • Medium - Exact match on username, email address or email sub-address

  • Low - Exact match on an email or username, or the password is a common breached value

tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateId [UUID] Available since 1.15.0

The Id of the email template to use when notifying a user of a breached password.

tenant.passwordValidationRules.breachDetection.onLogin [String] Available since 1.15.0

The behavior when detecting breaches at time of user login. The following are valid values:

  • Off - Do not perform breach detection at login

  • RecordOnly - Only record the result, take no action

  • NotifyUser - Notify the end user via email

  • RequireChange - Require immediate password change

tenant.passwordValidationRules.maxLength [Integer] Available since 1.8.0

The maximum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.minLength [Integer] Available since 1.8.0

The minimum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Available since 1.8.0

The number of previous passwords to remember. Value must be greater than 0.

tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Available since 1.8.0

Whether to prevent a user from using any of their previous passwords.

tenant.passwordValidationRules.requireMixedCase [Boolean] Available since 1.8.0

Whether to force the user to use at least one uppercase and one lowercase character.

tenant.passwordValidationRules.requireNonAlpha [Boolean] Available since 1.8.0

Whether to force the user to use at least one non-alphanumeric character.

tenant.passwordValidationRules.requireNumber [Boolean] Available since 1.8.0

Whether to force the user to use at least one number.

tenant.passwordValidationRules.validateOnLogin [Boolean] Available since 1.15.0

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

tenant.state [String] Available since 1.22.0

The current state of the tenant. The following are valid values:

  • Active - The tenant is active.

  • PendingDelete - A delete request has been requested and is being processed.

tenant.themeId [UUID] Available since 1.8.0

The unique Id of the theme to be used to style the login page and other end user templates.

tenant.userDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0

The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.

Example Response JSON
{
  "tenant": {
    "data": {
      "description": "No more secrets, Marty."
    },
    "connectorPolicies": [
      {
        "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
        "domains": ["*"],
        "migrate": false
      },
      {
        "connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
        "domains": ["*"],
        "migrate": true
      }
    ],
    "emailConfiguration": {
      "defaultFromEmail": "jared@piedpiper.com",
      "defaultFromName": "Jared Dunn",
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "password": "password",
      "passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
      "port": 587,
      "properties": {
        "key": "value"
      },
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "events": {
        "user.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.deactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.bulk.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.reactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh-token.revoke": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.public-key.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.success": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.failed": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.password.breach": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.verified": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.email.verified": {
          "enabled": true,
          "transactionType": "None"
        }
      }
    },
    "externalIdentifierConfiguration": {
      "authorizationGrantIdTimeToLiveInSeconds": 30,
      "changePasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "changePasswordIdTimeToLiveInSeconds": 600,
      "deviceCodeTimeToLiveInSeconds": 1800,
      "deviceUserCodeIdGenerator": {
        "length": 6,
        "type": "randomAlphaNumeric"
      },
      "emailVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "emailVerificationIdTimeToLiveInSeconds": 86400,
      "externalAuthenticationIdTimeToLiveInSeconds": 300,
      "oneTimePasswordTimeToLiveInSeconds": 60,
      "passwordlessLoginGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "passwordlessLoginTimeToLiveInSeconds": 180,
      "registrationVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "registrationVerificationIdTimeToLiveInSeconds": 86400,
      "samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
      "setupPasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "setupPasswordIdTimeToLiveInSeconds": 86400,
      "twoFactorIdTimeToLiveInSeconds": 300,
      "twoFactorTrustIdTimeToLiveInSeconds": 2592000
    },
    "failedAuthenticationConfiguration": {
      "actionDuration": 3,
      "actionDurationUnit": "MINUTES",
      "resetCountInSeconds": 60,
      "tooManyAttempts": 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "familyConfiguration": {
      "allowChildRegistrations": true,
      "confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
      "deleteOrphanedAccounts": false,
      "deleteOrphanedAccountsDays": 30,
      "enabled": true,
      "familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
      "maximumChildAge": 12,
      "minimumOwnerAge": 21,
      "parentEmailRequired": false,
      "parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
    },
    "formConfiguration": {
      "adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "id": "32306536-3036-6431-3865-646430303332",
    "insertInstant": 1572469040579,
    "issuer": "https://example.com",
    "jwtConfiguration": {
      "accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
      "enabled": true,
      "idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
      "refreshTokenExpirationPolicy": "Fixed",
      "refreshTokenRevocationPolicy": {
        "onLoginPrevented": true,
        "onPasswordChanged": true
      },
      "refreshTokenTimeToLiveInMinutes": 43200,
      "refreshTokenUsagePolicy": "Reusable",
      "timeToLiveInSeconds": 3600
    },
    "lastUpdateInstant": 1595361143101,
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": false
    },
    "minimumPasswordAge": {
      "enabled": false,
      "seconds": 30
    },
    "name": "Playtronics Co.",
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordValidationRules": {
      "breachDetection": {
        "enabled": true,
        "notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
        "matchMode": "High",
        "onLogin": "Off"
      },
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true,
      "validateOnLogin": false
    },
    "state": "Active",
    "themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
    "userDeletePolicy": {
      "unverified": {
        "enabled": true,
        "numberOfDaysToRetain": 30
      }
    }
  }
}
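An added example, not part of the FusionAuth documentation or code base: a Python review of a retrieved Tenant object for the security-relevant settings described above. The severity labels and the choice of checks are this example's own; the first sample is trimmed from the Example Response JSON above and the second is a constructed weak variant.

```python
import copy
import json
from urllib.parse import urlsplit

# Schemes from the page's list that are general-purpose digests rather than
# password-hashing functions with a work factor (this example's classification).
FAST_DIGEST_SCHEMES = {"salted-md5", "salted-sha256", "salted-hmac-sha256"}

# Fields copied from the page's Example Response JSON, trimmed to what is audited.
PAGE_EXAMPLE = json.loads("""
{
  "tenant": {
    "emailConfiguration": {"host": "smtp.sendgrid.net", "port": 587, "security": "TLS"},
    "issuer": "https://example.com",
    "jwtConfiguration": {
      "refreshTokenRevocationPolicy": {"onLoginPrevented": true, "onPasswordChanged": true},
      "refreshTokenUsagePolicy": "Reusable"
    },
    "logoutURL": "http://example.com/logout",
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordValidationRules": {
      "breachDetection": {"enabled": true, "matchMode": "High", "onLogin": "Off"}
    }
  }
}
""")["tenant"]


def weak_variant():
    """Constructed tenant: the page's example with deliberately weak settings."""
    tenant = copy.deepcopy(PAGE_EXAMPLE)
    tenant["emailConfiguration"]["security"] = "NONE"
    tenant["passwordEncryptionConfiguration"]["encryptionScheme"] = "salted-md5"
    tenant["jwtConfiguration"]["refreshTokenRevocationPolicy"]["onPasswordChanged"] = False
    return tenant


def lookup(obj, dotted):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def audit_tenant(tenant):
    """Return (severity, field, message) findings for one Tenant object."""
    findings = []

    def check(field, is_bad, severity, message):
        value = lookup(tenant, field)
        if value is not None and is_bad(value):
            findings.append((severity, field, message))

    check("emailConfiguration.security", lambda v: v == "NONE", "high",
          "SMTP session is plaintext; set TLS")
    check("emailConfiguration.security", lambda v: v == "SSL", "medium",
          "SSL is documented as not recommended; prefer TLS")
    check("passwordEncryptionConfiguration.encryptionScheme",
          lambda v: v in FAST_DIGEST_SCHEMES, "high",
          "fast digest; use salted-pbkdf2-hmac-sha256 or bcrypt")
    check("passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin",
          lambda v: v is False, "info",
          "existing hashes are not upgraded to the tenant scheme on login")
    for flag in ("onLoginPrevented", "onPasswordChanged"):
        check(f"jwtConfiguration.refreshTokenRevocationPolicy.{flag}",
              lambda v: v is False, "high",
              "refresh tokens survive this event; enable revocation")
    check("jwtConfiguration.refreshTokenUsagePolicy", lambda v: v == "Reusable", "low",
          "refresh token value never rotates; consider OneTimeUse")
    for field in ("issuer", "logoutURL"):
        check(field, lambda v: urlsplit(v).scheme == "http", "medium",
              "cleartext http URL; use https")
    # Only meaningful when Reactor breach detection is switched on for the tenant.
    if lookup(tenant, "passwordValidationRules.breachDetection.enabled"):
        check("passwordValidationRules.breachDetection.onLogin", lambda v: v == "Off",
              "medium", "breach detection is enabled but skipped at login")
    return findings


if __name__ == "__main__":
    for name, tenant in (("page example", PAGE_EXAMPLE), ("weak variant", weak_variant())):
        print(name)
        for severity, field, message in audit_tenant(tenant):
            print(f"  [{severity}] {field}: {message}")
```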

Response Body

tenants [Array]

The list of Tenant objects.

tenants[x].connectorPolicies [Array] Available since 1.18.0

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

tenants[x].connectorPolicies[x].connectorId [UUID] Available since 1.18.0

The identifier of the Connector to which this policy refers.

tenants[x].connectorPolicies[x].domains [String] Available since 1.18.0

A list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

tenants[x].connectorPolicies[x].migrate [Boolean] Available since 1.18.0

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

tenants[x].data [Object]

An object that can hold any information about the Tenant that should be persisted.

tenants[x].emailConfiguration.enabled [Boolean] Deprecated

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration provided by the System Configuration.

 

Removed in version 1.8.0. In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

tenants[x].emailConfiguration.defaultFromEmail [String] Available since 1.16.0

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenants[x].emailConfiguration.defaultFromName [String] Available since 1.16.0

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenants[x].emailConfiguration.forgotPasswordEmailTemplateId [UUID]

The Id of the Email Template that is used when a user is sent a forgot password email.

tenants[x].emailConfiguration.host [String] Available since 1.8.0

The host name of the SMTP server that FusionAuth will use.

tenants[x].emailConfiguration.password [String] Available since 1.8.0

An optional password FusionAuth will use to authenticate with the SMTP server.

tenants[x].emailConfiguration.passwordlessEmailTemplateId [UUID] Available since 1.8.0

The Id of the Passwordless Email Template.

tenants[x].emailConfiguration.port [Integer] Available since 1.8.0

The port of the SMTP server that FusionAuth will use.

tenants[x].emailConfiguration.properties [String] Available since 1.8.0

Additional Email Configuration in a properties file formatted String.

tenants[x].emailConfiguration.security [String] Available since 1.8.0

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

  • NONE - no security will be used. All communications will be sent plaintext.

  • SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

  • TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

tenants[x].emailConfiguration.setPasswordEmailTemplateId [UUID]

The Id of the Email Template that is used when a user has had their account created for them and must set their password manually. The user is sent an email to set their password.

tenants[x].emailConfiguration.username [String] Available since 1.8.0

An optional username FusionAuth will use to authenticate with the SMTP server.

tenants[x].emailConfiguration.verificationEmailTemplateId [UUID]

The Id of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

tenants[x].emailConfiguration.verifyEmail [Boolean]

Whether the user’s email addresses are verified when the user registers with your application.

tenants[x].emailConfiguration.verifyEmailWhenChanged [Boolean]

Whether the user’s email addresses are verified when the user changes them.

tenants[x].eventConfiguration.events [Object] Available since 1.8.0

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

  • user.action - When a user action is triggered

  • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

  • user.create - When a user is created

  • user.email.verified - When a user verifies their email address Available since 1.8.0

  • user.update - When a user is updated

  • user.deactivate - When a user is deactivated

  • user.reactivate - When a user is reactivated

  • user.login.success - When a user completes a login request Available since 1.6.0

  • user.login.failed - When a user fails a login request Available since 1.6.0

  • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

  • user.registration.create - When a user registration is created Available since 1.6.0

  • user.registration.update - When a user registration is updated Available since 1.6.0

  • user.registration.delete - When a user registration is deleted Available since 1.6.0

  • user.registration.verified - When a user completes registration verification Available since 1.8.0

  • user.delete - When a user is deleted

  • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

  • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

  • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

tenants[x].eventConfiguration.events[type].enabled [Boolean] Available since 1.8.0

Whether or not FusionAuth should send these types of events to any configured Webhooks.

tenants[x].eventConfiguration.events[type].transactionType [String] Available since 1.8.0

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

  • None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

  • SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

tenants[x].externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

tenants[x].externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenants[x].externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the change password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenants[x].externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds [Integer] Available since 1.11.0

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.deviceUserCodeIdGenerator.length [Integer] Available since 1.11.0

The length of the secure generator used for generating the device code Id.

If the deviceUserCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the deviceUserCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenants[x].externalIdentifierConfiguration.deviceUserCodeIdGenerator.type [String] Available since 1.11.0

The type of the secure generator used for generating the device code Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenants[x].externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenants[x].externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the email verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenants[x].externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds [Integer] Available since 1.12.0

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenants[x].externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the passwordless login. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenants[x].externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenants[x].externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the registration verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenants[x].externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds [Integer] Available since 1.19.0

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

tenants[x].externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenants[x].externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the setup password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenants[x].externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

tenants[x].externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

tenants[x].failedAuthenticationConfiguration.actionDuration [Long] Available since 1.8.0

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

tenants[x].failedAuthenticationConfiguration.actionDurationUnit [String] Available since 1.8.0

The unit of time associated with a duration. The possible values are:

  • MINUTES

  • HOURS

  • DAYS

  • WEEKS

  • MONTHS

  • YEARS

tenants[x].failedAuthenticationConfiguration.resetCountInSeconds [Integer] Available since 1.8.0

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

tenants[x].failedAuthenticationConfiguration.tooManyAttempts [Integer] Available since 1.8.0

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

tenants[x].failedAuthenticationConfiguration.userActionId [UUID] Available since 1.8.0

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

tenants[x].familyConfiguration.allowChildRegistrations [Boolean] Available since 1.8.0

Whether to allow child registrations.

tenants[x].familyConfiguration.confirmChildEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use when confirming a child.

tenants[x].familyConfiguration.deleteOrphanedAccounts [Boolean] Available since 1.8.0

Indicates that child users without parental verification will be permanently deleted after tenants[x].familyConfiguration.deleteOrphanedAccountsDays days.

tenants[x].familyConfiguration.deleteOrphanedAccountsDays [Integer] Available since 1.8.0

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

tenants[x].familyConfiguration.enabled [Boolean] Available since 1.8.0

Whether family configuration is enabled.

tenants[x].familyConfiguration.familyRequestEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use when a family request is made.

tenants[x].familyConfiguration.maximumChildAge [Integer] Available since 1.8.0

The maximum age of a child. Value must be greater than 0.

tenants[x].familyConfiguration.minimumOwnerAge [Integer] Available since 1.8.0

The minimum age to be an owner. Value must be greater than 0.

tenants[x].familyConfiguration.parentEmailRequired [Boolean] Available since 1.8.0

Whether a parent email is required.

tenants[x].familyConfiguration.parentRegistrationEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use for parent registration.

tenants[x].formConfiguration.adminUserFormId [UUID] Available since 1.20.0

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

tenants[x].httpSessionMaxInactiveInterval [Integer] Available since 1.8.0

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

tenants[x].id [UUID]

The unique identifier for this Tenant.

tenants[x].insertInstant [Long]

The instant that the Tenant was added to the FusionAuth database.

tenants[x].issuer [String] Available since 1.8.0

The named issuer used to sign tokens. This is generally your public fully qualified domain.

tenants[x].jwtConfiguration.accessTokenKeyId [UUID] Available since 1.8.0

The unique id of the signing key used to sign the access token.

tenants[x].jwtConfiguration.idTokenKeyId [UUID] Available since 1.8.0

The unique id of the signing key used to sign the Id token.

tenants[x].jwtConfiguration.refreshTokenExpirationPolicy [String] Available since 1.17.0

The refresh token expiration policy. The following are valid values:

  • Fixed - the expiration is calculated from the time the token is issued.

  • SlidingWindow - the expiration is calculated from the last time the token was used.

tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onLoginPrevented [Boolean] Available since 1.17.0

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged [Boolean] Available since 1.17.0

When enabled, the refresh token will be revoked when a user changes their password.

tenants[x].jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.8.0

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

tenants[x].jwtConfiguration.refreshTokenUsagePolicy [String] Available since 1.17.0

The refresh token usage policy. The following are valid values:

  • Reusable - the token does not change after it was issued.

  • OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

tenants[x].jwtConfiguration.timeToLiveInSeconds [Integer] Available since 1.8.0

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

tenants[x].lastUpdateInstant [Long]

The instant that the Tenant was last updated in the FusionAuth database.

tenants[x].logoutURL [String] Available since 1.8.0

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

tenants[x].maximumPasswordAge.days [Integer] Available since 1.8.0

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

tenants[x].maximumPasswordAge.enabled [Boolean] Available since 1.8.0

Indicates that the maximum password age is enabled and being enforced.

tenants[x].minimumPasswordAge.seconds [Integer] Available since 1.8.0

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

tenants[x].minimumPasswordAge.enabled [Boolean] Available since 1.8.0

Indicates that the minimum password age is enabled and being enforced.

tenants[x].name [String]

The unique name of the Tenant.

tenants[x].passwordEncryptionConfiguration.encryptionScheme [String] Available since 1.8.0

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

  • salted-md5

  • salted-sha256

  • salted-hmac-sha256

  • salted-pbkdf2-hmac-sha256

  • bcrypt

tenants[x].passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Available since 1.8.0

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

tenants[x].passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Available since 1.8.0

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

tenants[x].passwordValidationRules.breachDetection.enabled [Boolean] Available since 1.15.0

Whether to enable Reactor breach detection. Requires an activated license.

tenants[x].passwordValidationRules.breachDetection.matchMode [String] Available since 1.15.0

The level of severity where Reactor will consider a breach. The following are valid values:

  • High - Only requires a password match; this is the most secure and is recommended

  • Medium - Exact match on username, email address or email sub-address

  • Low - Exact match on an email or username, or the password is a common breached value

tenants[x].passwordValidationRules.breachDetection.notifyUserEmailTemplateId [UUID] Available since 1.15.0

The Id of the email template to use when notifying a user of a breached password.

tenants[x].passwordValidationRules.breachDetection.onLogin [String] Available since 1.15.0

The behavior when detecting breaches at time of user login. The following are valid values:

  • Off - Do not perform breach detection at login

  • RecordOnly - Only record the result, take no action

  • NotifyUser - Notify the end user via email

  • RequireChange - Require immediate password change

tenants[x].passwordValidationRules.maxLength [Integer] Available since 1.8.0

The maximum length of a password when a new user is created or a user requests a password change.

tenants[x].passwordValidationRules.minLength [Integer] Available since 1.8.0

The minimum length of a password when a new user is created or a user requests a password change.

tenants[x].passwordValidationRules.rememberPreviousPasswords.count [Integer] Available since 1.8.0

The number of previous passwords to remember. Value must be greater than 0.

tenants[x].passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Available since 1.8.0

Whether to prevent a user from using any of their previous passwords.

tenants[x].passwordValidationRules.requireMixedCase [Boolean] Available since 1.8.0

Whether to force the user to use at least one uppercase and one lowercase character.

tenants[x].passwordValidationRules.requireNonAlpha [Boolean] Available since 1.8.0

Whether to force the user to use at least one non-alphanumeric character.

tenants[x].passwordValidationRules.requireNumber [Boolean] Available since 1.8.0

Whether to force the user to use at least one number.

tenants[x].passwordValidationRules.validateOnLogin [Boolean] Available since 1.15.0

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

tenants[x].state [String] Available since 1.22.0

The current state of the tenant. The following are valid values:

  • Active - The tenant is active.

  • PendingDelete - A delete request has been requested and is being processed.

tenants[x].themeId [UUID] Available since 1.8.0

The unique Id of the theme to be used to style the login page and other end user templates.

tenants[x].userDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0

Indicates that users without a verified email address will be permanently deleted after tenants[x].userDeletePolicy.unverified.numberOfDaysToRetain days.

tenants[x].userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0

The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.

Example Response JSON for all the Tenants
{
  "tenants": [
    {
      "data": {
        "description": "No more secrets, Marty."
      },
      "connectorPolicies": [
        {
          "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
          "domains": ["*"],
          "migrate": false
        },
        {
          "connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
          "domains": ["*"],
          "migrate": true
        }
      ],
      "emailConfiguration": {
        "defaultFromEmail": "jared@piedpiper.com",
        "defaultFromName": "Jared Dunn",
        "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
        "host": "smtp.sendgrid.net",
        "password": "password",
        "passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
        "port": 587,
        "properties": {
          "key": "value"
        },
        "security": "TLS",
        "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
        "username": "username",
        "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
        "verifyEmail": true,
        "verifyEmailWhenChanged": true
      },
      "eventConfiguration": {
        "events": {
          "user.delete": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.create": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.update": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.deactivate": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.bulk.create": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.reactivate": {
            "enabled": true,
            "transactionType": "None"
          },
          "jwt.refresh": {
            "enabled": true,
            "transactionType": "None"
          },
          "jwt.refresh-token.revoke": {
            "enabled": true,
            "transactionType": "None"
          },
          "jwt.public-key.update": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.login.success": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.login.failed": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.password.breach": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.registration.create": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.registration.update": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.registration.delete": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.registration.verified": {
            "enabled": true,
            "transactionType": "None"
          },
          "user.email.verified": {
            "enabled": true,
            "transactionType": "None"
          }
        }
      },
      "externalIdentifierConfiguration": {
        "authorizationGrantIdTimeToLiveInSeconds": 30,
        "changePasswordIdGenerator": {
          "length": 32,
          "type": "randomBytes"
        },
        "changePasswordIdTimeToLiveInSeconds": 600,
        "emailVerificationIdGenerator": {
          "length": 32,
          "type": "randomBytes"
        },
        "emailVerificationIdTimeToLiveInSeconds": 86400,
        "oneTimePasswordTimeToLiveInSeconds": 60,
        "passwordlessLoginGenerator": {
          "length": 32,
          "type": "randomBytes"
        },
        "passwordlessLoginTimeToLiveInSeconds": 180,
        "registrationVerificationIdGenerator": {
          "length": 32,
          "type": "randomBytes"
        },
        "registrationVerificationIdTimeToLiveInSeconds": 86400,
        "samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
        "setupPasswordIdGenerator": {
          "length": 32,
          "type": "randomBytes"
        },
        "setupPasswordIdTimeToLiveInSeconds": 86400,
        "twoFactorIdTimeToLiveInSeconds": 300,
        "twoFactorTrustIdTimeToLiveInSeconds": 2592000
      },
      "failedAuthenticationConfiguration": {
        "actionDuration": 3,
        "actionDurationUnit": "MINUTES",
        "resetCountInSeconds": 60,
        "tooManyAttempts": 5,
        "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
      },
      "familyConfiguration": {
        "allowChildRegistrations": true,
        "confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
        "deleteOrphanedAccounts": false,
        "deleteOrphanedAccountsDays": 30,
        "enabled": true,
        "familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
        "maximumChildAge": 12,
        "minimumOwnerAge": 21,
        "parentEmailRequired": false,
        "parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
      },
      "formConfiguration": {
        "adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
      },
      "httpSessionMaxInactiveInterval": 3600,
      "id": "32306536-3036-6431-3865-646430303332",
      "insertInstant": 1572469040579,
      "issuer": "https://example.com",
      "jwtConfiguration": {
        "accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
        "enabled": true,
        "idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
        "refreshTokenExpirationPolicy": "Fixed",
        "refreshTokenRevocationPolicy": {
          "onLoginPrevented": true,
          "onPasswordChanged": true
        },
        "refreshTokenTimeToLiveInMinutes": 43200,
        "refreshTokenUsagePolicy": "Reusable",
        "timeToLiveInSeconds": 3600
      },
      "lastUpdateInstant": 1595361143101,
      "logoutURL": "http://example.com/logout",
      "maximumPasswordAge": {
        "days": 180,
        "enabled": false
      },
      "minimumPasswordAge": {
        "enabled": false,
        "seconds": 30
      },
      "name": "Playtronics Co.",
      "passwordEncryptionConfiguration": {
        "encryptionScheme": "salted-pbkdf2-hmac-sha256",
        "encryptionSchemeFactor": 24000,
        "modifyEncryptionSchemeOnLogin": false
      },
      "passwordValidationRules": {
        "breachDetection": {
          "enabled": true,
          "notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
          "matchMode": "High",
          "onLogin": "Off"
        },
        "maxLength": 256,
        "minLength": 8,
        "rememberPreviousPasswords": {
          "count": 2,
          "enabled": true
        },
        "requireMixedCase": true,
        "requireNonAlpha": true,
        "requireNumber": true,
        "validateOnLogin": false
      },
      "state": "Active",
      "themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
      "userDeletePolicy": {
        "unverified": {
          "enabled": true,
          "numberOfDaysToRetain": 30
        }
      }
    }
  ]
}
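A configuration lint for the response above, as an added example that is not FusionAuth code: it applies the generator length bounds and time-to-live limits documented on this page, and flags three settings a reviewer would question (plaintext SMTP, a password scheme built on a general-purpose digest, refresh tokens that survive a password change). The function names, the digest classification and the second sample tenant are assumptions made for this example.

```python
"""Lint tenant objects from the Tenant API response against documented limits."""

# Length bounds per secure generator type, from the field descriptions on this page.
GENERATOR_BOUNDS = {
    "randomAlpha": (4, 12),
    "randomAlphaNumeric": (4, 12),
    "randomBytes": (16, 128),
    "randomDigits": (4, 12),
}
# Documented schemes built on a general-purpose digest rather than a
# purpose-built password hash (reviewer's classification, not a FusionAuth rule).
GENERAL_PURPOSE_DIGEST_SCHEMES = {"salted-md5", "salted-sha256", "salted-hmac-sha256"}


def _is_positive_int(value):
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def audit_tenant(tenant):
    """Return a list of (field path, message) findings for one tenant object."""
    findings = []
    ext = tenant.get("externalIdentifierConfiguration", {})
    for key, value in sorted(ext.items()):
        path = "externalIdentifierConfiguration." + key
        if key.endswith("Generator") and isinstance(value, dict):
            gtype, length = value.get("type"), value.get("length")
            bounds = GENERATOR_BOUNDS.get(gtype)
            if bounds is None:
                findings.append((path + ".type", "unknown generator type %r" % (gtype,)))
            elif not _is_positive_int(length) or not bounds[0] <= length <= bounds[1]:
                findings.append((path + ".length", "%r outside %d..%d for %s"
                                 % (length, bounds[0], bounds[1], gtype)))
        elif key.endswith("TimeToLiveInSeconds"):
            # "Greater than 0" is stated for most TTL fields; applying it to
            # every *TimeToLiveInSeconds field is this example's assumption.
            if not _is_positive_int(value):
                findings.append((path, "must be greater than 0"))
            elif key == "authorizationGrantIdTimeToLiveInSeconds" and value > 600:
                findings.append((path, "must be less than or equal to 600"))

    email = tenant.get("emailConfiguration", {})
    if email and email.get("security", "NONE") == "NONE":  # NONE is the default
        findings.append(("emailConfiguration.security",
                         "SMTP communications are sent in plaintext"))

    scheme = tenant.get("passwordEncryptionConfiguration", {}).get("encryptionScheme")
    if scheme in GENERAL_PURPOSE_DIGEST_SCHEMES:
        findings.append(("passwordEncryptionConfiguration.encryptionScheme",
                         "%s is built on a general-purpose digest" % scheme))

    revoke = tenant.get("jwtConfiguration", {}).get("refreshTokenRevocationPolicy", {})
    for trigger in ("onLoginPrevented", "onPasswordChanged"):
        if revoke.get(trigger) is False:
            findings.append(("jwtConfiguration.refreshTokenRevocationPolicy." + trigger,
                             "refresh tokens are not revoked on this event"))
    return findings


def audit_response(body):
    """Map tenant name to findings for a response body with a 'tenants' array."""
    return {t.get("name", t.get("id")): audit_tenant(t) for t in body.get("tenants", [])}


# Constructed sample: the first tenant reuses values from the example response
# above, the second is deliberately misconfigured for the demonstration.
SAMPLE_RESPONSE = {"tenants": [
    {
        "name": "Playtronics Co.",
        "emailConfiguration": {"host": "smtp.sendgrid.net", "port": 587, "security": "TLS"},
        "externalIdentifierConfiguration": {
            "authorizationGrantIdTimeToLiveInSeconds": 30,
            "changePasswordIdGenerator": {"length": 32, "type": "randomBytes"},
            "changePasswordIdTimeToLiveInSeconds": 600,
        },
        "jwtConfiguration": {"refreshTokenRevocationPolicy": {
            "onLoginPrevented": True, "onPasswordChanged": True}},
        "passwordEncryptionConfiguration": {"encryptionScheme": "salted-pbkdf2-hmac-sha256"},
    },
    {
        "name": "constructed-weak-tenant",
        "emailConfiguration": {"host": "smtp.example.com", "port": 25},
        "externalIdentifierConfiguration": {
            "authorizationGrantIdTimeToLiveInSeconds": 900,
            "changePasswordIdGenerator": {"length": 8, "type": "randomBytes"},
            "passwordlessLoginGenerator": {"length": 6, "type": "randomDigits"},
            "passwordlessLoginTimeToLiveInSeconds": 0,
        },
        "jwtConfiguration": {"refreshTokenRevocationPolicy": {
            "onLoginPrevented": True, "onPasswordChanged": False}},
        "passwordEncryptionConfiguration": {"encryptionScheme": "salted-md5"},
    },
]}

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(name, "->", "no findings" if not findings else "%d finding(s)" % len(findings))
        for path, message in findings:
            print("   ", path + ":", message)
```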

Update a Tenant

This API is used to update an existing Tenant. You must specify the Id of the Tenant you are updating on the URI. You must specify all of the properties of the Tenant when calling this API. This API does not merge the existing Tenant and your new data. It replaces the existing Tenant with your new data.

Request

Update the Tenant with the given Id

URI

PUT /api/tenant/{tenantId}

PATCH /api/tenant/{tenantId}

Available since 1.12.0

When using the PATCH method, use the same request body documentation that is provided for the PUT request. The PATCH method will merge the provided request parameters into the existing object. This means all parameters are optional when using the PATCH method and you only provide the values you want changed. A null value can be used to remove a value. Patching an Array will result in all values from the new list being appended to the existing list; this is a known limitation of the current implementation of PATCH.
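The merge rules above, modelled locally as an added example (not FusionAuth code): `model_patch` applies the three documented behaviours to a tenant object so a request body can be previewed before it is sent, and `plan_update` chooses PATCH or PUT accordingly. The function names and the tenant fragment are constructed for illustration, and the model covers only the tenant object, not the surrounding request wrapper.

```python
import copy

def model_patch(existing, patch):
    """Local model of the documented PATCH merge: objects merge key by key,
    null removes a value, an array is appended to the existing array."""
    result = copy.deepcopy(existing)
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = model_patch(result[key], value)
        elif isinstance(value, list) and isinstance(result.get(key), list):
            result[key] = result[key] + copy.deepcopy(value)
        else:
            result[key] = copy.deepcopy(value)
    return result

def duplicate_connectors(tenant):
    """Connector Ids that appear more than once in connectorPolicies
    (the page allows each Connector in the list at most once)."""
    seen, repeated = set(), []
    for policy in tenant.get("connectorPolicies", []):
        connector_id = policy.get("connectorId")
        if connector_id in seen and connector_id not in repeated:
            repeated.append(connector_id)
        seen.add(connector_id)
    return repeated

def minimal_patch(existing, desired):
    """Smallest PATCH body that turns existing into desired under the model,
    or None when an array must shrink or change (appending cannot do that)."""
    patch = {}
    for key in sorted(existing.keys() | desired.keys()):
        old, new = existing.get(key), desired.get(key)
        if old == new:
            continue
        if key not in desired:
            patch[key] = None                    # null removes the value
        elif isinstance(old, dict) and isinstance(new, dict):
            nested = minimal_patch(old, new)
            if nested is None:
                return None
            patch[key] = nested
        elif isinstance(old, list) and isinstance(new, list):
            if new[:len(old)] != old:
                return None
            patch[key] = new[len(old):]          # send only the appended tail
        else:
            patch[key] = new
    return patch

def plan_update(existing, desired):
    """Return ("PATCH", body) when the merge can express the change,
    otherwise ("PUT", full tenant), because PUT replaces the whole object."""
    patch = minimal_patch(existing, desired)
    if patch is None:
        return "PUT", copy.deepcopy(desired)
    return "PATCH", patch

# Constructed tenant fragment; the connector Ids reuse the example response on this page.
CURRENT_TENANT = {
    "name": "Playtronics Co.",
    "logoutURL": "http://example.com/logout",
    "connectorPolicies": [
        {"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72", "domains": ["*"], "migrate": False},
        {"connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e", "domains": ["*"], "migrate": True},
    ],
    "jwtConfiguration": {"refreshTokenUsagePolicy": "Reusable", "timeToLiveInSeconds": 3600},
}

# A PATCH body written as if arrays were replaced: the intent is to switch migrate on.
NAIVE_PATCH = {"connectorPolicies": [
    {"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72", "domains": ["*"], "migrate": True}]}

def demo():
    after_naive = model_patch(CURRENT_TENANT, NAIVE_PATCH)
    # Change 1: a scalar edit plus a removal, which a PATCH can express.
    wanted = copy.deepcopy(CURRENT_TENANT)
    wanted["jwtConfiguration"]["refreshTokenUsagePolicy"] = "OneTimeUse"
    del wanted["logoutURL"]
    # Change 2: drop the second connector policy, which needs a full PUT.
    trimmed = copy.deepcopy(CURRENT_TENANT)
    trimmed["connectorPolicies"].pop()
    scalar_plan = plan_update(CURRENT_TENANT, wanted)
    return {
        "naive_policy_count": len(after_naive["connectorPolicies"]),
        "naive_duplicates": duplicate_connectors(after_naive),
        "scalar_plan": scalar_plan,
        "scalar_plan_round_trips": model_patch(CURRENT_TENANT, scalar_plan[1]) == wanted,
        "array_plan_method": plan_update(CURRENT_TENANT, trimmed)[0],
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "=", value)
```

Under the model, the naive body leaves three policies with one Connector listed twice, which conflicts with the at-most-once rule for connectorPolicies; removing or reordering array entries is only expressible as a PUT of the complete tenant.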

 

Request Parameters

tenantId [UUID] Required

The Id of the Tenant to update.

Request Headers

X-FusionAuth-TenantId [String] Optional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Request Body

sourceTenantId [UUID] Optional Available since 1.14.0

The optional Id of an existing Tenant to make a copy of. If present, the tenant.id and tenant.name values of the request body will be applied to the new Tenant, all other values will be copied from the source Tenant to the new Tenant.

tenant.connectorPolicies [Array] Optional Available since 1.18.0

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

tenant.connectorPolicies[x].connectorId [UUID] Required Available since 1.18.0

The identifier of the Connector to which this policy refers.

tenant.connectorPolicies[x].domains [Array<String>] Optional defaults to ["*"] Available since 1.18.0

A list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

tenant.connectorPolicies[x].migrate [Boolean] Optional defaults to false Available since 1.18.0

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

tenant.data [Object] Optional

An object that can hold any information about the Tenant that should be persisted.

tenant.emailConfiguration.enabled [Boolean] Optional Deprecated

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration provided by the System Configuration.

 

Removed in version 1.8.0. In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

tenant.emailConfiguration.defaultFromEmail [String] Optional defaults to no-reply@fusionauth.io Available since 1.16.0

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.defaultFromName [String] Optional Available since 1.16.0

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional

The Id of the Email Template that is used when a user is sent a forgot password email.

tenant.emailConfiguration.host [String] Required Available since 1.8.0

The host name of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.password [String] Optional Available since 1.8.0

An optional password FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.8.0

The Id of the Passwordless Email Template.

tenant.emailConfiguration.port [Integer] Required Available since 1.8.0

The port of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.properties [String] Optional Available since 1.8.0

Additional Email Configuration in a properties file formatted String.

tenant.emailConfiguration.security [String] Optional defaults to NONE Available since 1.8.0

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

  • NONE - no security will be used. All communications will be sent plaintext.

  • SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

  • TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

tenant.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional

The Id of the Email Template that is used when a user has had their account created for them and must set their password manually. The user is sent an email to set their password.

tenant.emailConfiguration.username [String] Optional Available since 1.8.0

An optional username FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.verificationEmailTemplateId [UUID] Optional

The Id of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

tenant.emailConfiguration.verifyEmail [Boolean] Optional defaults to false

Whether the user’s email addresses are verified when the user registers with your application.

tenant.emailConfiguration.verifyEmailWhenChanged [Boolean] Optional defaults to false

Whether the user’s email addresses are verified when the user changes them.

tenant.eventConfiguration.events [Object] Optional defaults to {} Available since 1.8.0

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

  • user.action - When a user action is triggered

  • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

  • user.create - When a user is created

  • user.email.verified - When a user verifies their email address Available since 1.8.0

  • user.update - When a user is updated

  • user.deactivate - When a user is deactivated

  • user.reactivate - When a user is reactivated

  • user.login.success - When a user completes a login request Available since 1.6.0

  • user.login.failed - When a user fails a login request Available since 1.6.0

  • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

  • user.registration.create - When a user registration is created Available since 1.6.0

  • user.registration.update - When a user registration is updated Available since 1.6.0

  • user.registration.delete - When a user registration is deleted Available since 1.6.0

  • user.registration.verified - When a user completes registration verification Available since 1.8.0

  • user.delete - When a user is deleted

  • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

  • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

  • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

tenant.eventConfiguration.events[type].enabled [Boolean] Optional defaults to false Available since 1.8.0

Whether or not FusionAuth should send these types of events to any configured Webhooks.

tenant.eventConfiguration.events[type].transactionType [String] Optional Available since 1.8.0

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

  • None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

  • SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the change password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds [Integer] Required Available since 1.11.0

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.length [Integer] Required Available since 1.11.0

The length of the secure generator used for generating the device code Id.

If the deviceUserCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the deviceUserCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.type [String] Required Available since 1.11.0

The type of the secure generator used for generating the device code Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the email verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds [Integer] Required Available since 1.12.0

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the passwordless login. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the registration verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds [Integer] Optional 300 Available since 1.19.0

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Required Available since 1.8.0

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Required Available since 1.8.0

The type of the secure generator used for generating the setup password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Required Available since 1.8.0

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDuration [Long] Required defaults to 3 Available since 1.8.0

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Required defaults to "MINUTES" Available since 1.8.0

The unit of time associated with a duration. The possible values are:

  • MINUTES

  • HOURS

  • DAYS

  • WEEKS

  • MONTHS

  • YEARS

tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Required defaults to 60 Available since 1.8.0

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Required defaults to 5 Available since 1.8.0

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.userActionId [UUID] Optional Available since 1.8.0

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

tenant.familyConfiguration.allowChildRegistrations [Boolean] Optional defaults to true Available since 1.8.0

Whether to allow child registrations.

tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Optional Available since 1.8.0

The unique Id of the email template to use when confirming a child.

tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Optional defaults to false Available since 1.8.0

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Optional defaults to 30 Available since 1.8.0

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

tenant.familyConfiguration.enabled [Boolean] Optional defaults to false Available since 1.8.0

Whether family configuration is enabled.

tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Optional Available since 1.8.0

The unique Id of the email template to use when a family request is made.

tenant.familyConfiguration.maximumChildAge [Integer] Optional defaults to 12 Available since 1.8.0

The maximum age of a child. Value must be greater than 0.

tenant.familyConfiguration.minimumOwnerAge [Integer] Optional defaults to 21 Available since 1.8.0

The minimum age to be an owner. Value must be greater than 0.

tenant.familyConfiguration.parentEmailRequired [Boolean] Optional defaults to false Available since 1.8.0

Whether a parent email is required.

tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Optional Available since 1.8.0

The unique Id of the email template to use for parent registration.

tenant.formConfiguration.adminUserFormId [UUID] Optional defaults to [see description] Available since 1.20.0

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

When this parameter is not provided, it will default to the form Id currently assigned to the Default tenant.

A paid edition of FusionAuth is required to utilize custom forms.

tenant.httpSessionMaxInactiveInterval [Integer] Optional default is 3600 Available since 1.8.0

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

tenant.issuer [String] Required Available since 1.8.0

The named issuer used to sign tokens. This is generally your public fully qualified domain.

tenant.jwtConfiguration.accessTokenKeyId [UUID] Required Available since 1.8.0

The unique id of the signing key used to sign the access token.

tenant.jwtConfiguration.idTokenKeyId [UUID] Required Available since 1.8.0

The unique id of the signing key used to sign the Id token.

tenant.jwtConfiguration.refreshTokenExpirationPolicy [String] Optional default is Fixed Available since 1.17.0

The refresh token expiration policy. The following are valid values:

  • Fixed - the expiration is calculated from the time the token is issued.

  • SlidingWindow - the expiration is calculated from the last time the token was used.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPrevented [Boolean] Optional default is true Available since 1.17.0

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged [Boolean] Optional default is true Available since 1.17.0

When enabled, the refresh token will be revoked when a user changes their password.

tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Required Available since 1.8.0

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

tenant.jwtConfiguration.refreshTokenUsagePolicy [String] Optional Available since 1.17.0

The refresh token usage policy. The following are valid values:

  • Reusable - the token does not change after it was issued.

  • OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Required Available since 1.8.0

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

tenant.logoutURL [String] Optional Available since 1.8.0

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

tenant.maximumPasswordAge.days [Integer] Optional defaults to 180 Available since 1.8.0

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

tenant.maximumPasswordAge.enabled [Boolean] Optional defaults to false Available since 1.8.0

Indicates that the maximum password age is enabled and being enforced.

tenant.minimumPasswordAge.seconds [Integer] Optional defaults to 30 Available since 1.8.0

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

tenant.minimumPasswordAge.enabled [Boolean] Optional defaults to false Available since 1.8.0

Indicates that the minimum password age is enabled and being enforced.

tenant.name [String] Required

The unique name of the Tenant.

tenant.passwordEncryptionConfiguration.encryptionScheme [String] Optional defaults to "salted-pbkdf2-hmac-sha256" Available since 1.8.0

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

  • salted-md5

  • salted-sha256

  • salted-hmac-sha256

  • salted-pbkdf2-hmac-sha256

  • bcrypt

tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Optional defaults to 24000 Available since 1.8.0

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Optional defaults to false Available since 1.8.0

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

tenant.passwordValidationRules.breachDetection.enabled [Boolean] Optional defaults to false Available since 1.15.0

Whether to enable Reactor breach detection. Requires an activated license.

tenant.passwordValidationRules.breachDetection.matchMode [String] Optional Available since 1.15.0

The level of severity where Reactor will consider a breach. The following are valid values:

  • High - Only requires a password match, this is the most secure and is recommended

  • Medium - Exact match on username, email address or email sub-address

  • Low - Exact match on an email or username, or the password is a common breached value

tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateId [UUID] Optional Available since 1.15.0

The Id of the email template to use when notifying the user of a breached password. Required if tenant.passwordValidationRules.breachDetection.onLogin is set to NotifyUser.

tenant.passwordValidationRules.breachDetection.onLogin [String] Optional Available since 1.15.0

The behavior when detecting breaches at time of user login. The following are valid values:

  • Off - Do not perform breach detection at login

  • RecordOnly - Only record the result, take no action

  • NotifyUser - Notify the end user via email

  • RequireChange - Require immediate password change

tenant.passwordValidationRules.maxLength [Integer] Required defaults to 256 Available since 1.8.0

The maximum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.minLength [Integer] Required defaults to 8 Available since 1.8.0

The minimum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Optional Available since 1.8.0

The number of previous passwords to remember. Value must be greater than 0.

tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Optional defaults to false Available since 1.8.0

Whether to prevent a user from using any of their previous passwords.

tenant.passwordValidationRules.requireMixedCase [Boolean] Optional defaults to false Available since 1.8.0

Whether to force the user to use at least one uppercase and one lowercase character.

tenant.passwordValidationRules.requireNonAlpha [Boolean] Optional defaults to false Available since 1.8.0

Whether to force the user to use at least one non-alphanumeric character.

tenant.passwordValidationRules.requireNumber [Boolean] Optional defaults to false Available since 1.8.0

Whether to force the user to use at least one number.

tenant.passwordValidationRules.validateOnLogin [Boolean] Optional defaults to false Available since 1.15.0

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

tenant.themeId [UUID] Required Available since 1.8.0

The unique Id of the theme to be used to style the login page and other end user templates.

tenant.userDeletePolicy.unverified.enabled [Boolean] Optional defaults to false Available since 1.13.0

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Optional Available since 1.13.0

The number of days from creation users will be retained before being deleted for not completing email verification. This field is required when tenant.userDeletePolicy.unverified.enabled is set to true. Value must be greater than 0.

Example Request JSON
{
  "tenant": {
    "data": {
      "description": "No more secrets, Marty."
    },
    "connectorPolicies": [
      {
        "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
        "domains": ["*"],
        "migrate": false
      },
      {
        "connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
        "domains": ["*"],
        "migrate": true
      }
    ],
    "emailConfiguration": {
      "defaultFromEmail": "jared@piedpiper.com",
      "defaultFromName": "Jared Dunn",
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "password": "password",
      "passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
      "port": 587,
      "properties": {
        "key": "value"
      },
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "events": {
        "user.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.deactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.bulk.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.reactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh-token.revoke": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.public-key.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.success": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.failed": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.password.breach": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.verified": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.email.verified": {
          "enabled": true,
          "transactionType": "None"
        }
      }
    },
    "externalIdentifierConfiguration": {
      "authorizationGrantIdTimeToLiveInSeconds": 30,
      "changePasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "changePasswordIdTimeToLiveInSeconds": 600,
      "deviceCodeTimeToLiveInSeconds": 1800,
      "deviceUserCodeIdGenerator": {
        "length": 6,
        "type": "randomAlphaNumeric"
      },
      "emailVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "emailVerificationIdTimeToLiveInSeconds": 86400,
      "externalAuthenticationIdTimeToLiveInSeconds": 300,
      "oneTimePasswordTimeToLiveInSeconds": 60,
      "passwordlessLoginGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "passwordlessLoginTimeToLiveInSeconds": 180,
      "registrationVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "registrationVerificationIdTimeToLiveInSeconds": 86400,
      "samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
      "setupPasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "setupPasswordIdTimeToLiveInSeconds": 86400,
      "twoFactorIdTimeToLiveInSeconds": 300,
      "twoFactorTrustIdTimeToLiveInSeconds": 2592000
    },
    "failedAuthenticationConfiguration": {
      "actionDuration": 3,
      "actionDurationUnit": "MINUTES",
      "resetCountInSeconds": 60,
      "tooManyAttempts": 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "familyConfiguration": {
      "allowChildRegistrations": true,
      "confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
      "deleteOrphanedAccounts": false,
      "deleteOrphanedAccountsDays": 30,
      "enabled": true,
      "familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
      "maximumChildAge": 12,
      "minimumOwnerAge": 21,
      "parentEmailRequired": false,
      "parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
    },
    "formConfiguration": {
      "adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "issuer": "https://example.com",
    "jwtConfiguration": {
      "accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
      "enabled": true,
      "idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
      "refreshTokenExpirationPolicy": "Fixed",
      "refreshTokenRevocationPolicy": {
        "onLoginPrevented": true,
        "onPasswordChanged": true
      },
      "refreshTokenTimeToLiveInMinutes": 43200,
      "refreshTokenUsagePolicy": "Reusable",
      "timeToLiveInSeconds": 3600
    },
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": false
    },
    "minimumPasswordAge": {
      "enabled": false,
      "seconds": 30
    },
    "name": "Playtronics Co.",
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordValidationRules": {
      "breachDetection": {
        "enabled": true,
        "notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
        "matchMode": "High",
        "onLogin": "Off"
      },
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true,
      "validateOnLogin": false
    },
    "themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
    "userDeletePolicy": {
      "unverified": {
        "enabled": true,
        "numberOfDaysToRetain": 30
      }
    }
  }
}
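
The length, time-to-live and cross-field limits documented above can be checked before the request is sent. The following is an added example, not FusionAuth code; `lint_tenant`, `sample_body` and the error strings are names chosen here, and the sample body is constructed from values modeled on the example request.

```python
# Added example (not FusionAuth code): lint a tenant update body against the
# constraints documented above before sending it. The server still validates.

GENERATOR_LENGTH_BOUNDS = {          # documented bounds for every *Generator.length
    "randomAlpha": (4, 12),
    "randomAlphaNumeric": (4, 12),
    "randomBytes": (16, 128),
    "randomDigits": (4, 12),
}
GENERATOR_FIELDS = (
    "changePasswordIdGenerator", "deviceUserCodeIdGenerator",
    "emailVerificationIdGenerator", "passwordlessLoginGenerator",
    "registrationVerificationIdGenerator", "setupPasswordIdGenerator",
)
POSITIVE_TTL_FIELDS = (              # each documented as "must be greater than 0"
    "changePasswordIdTimeToLiveInSeconds", "deviceCodeTimeToLiveInSeconds",
    "emailVerificationIdTimeToLiveInSeconds",
    "externalAuthenticationIdTimeToLiveInSeconds",
    "oneTimePasswordTimeToLiveInSeconds", "passwordlessLoginTimeToLiveInSeconds",
    "registrationVerificationIdTimeToLiveInSeconds",
    "setupPasswordIdTimeToLiveInSeconds", "twoFactorIdTimeToLiveInSeconds",
    "twoFactorTrustIdTimeToLiveInSeconds",
)


def _is_int(value):
    # bool is a subclass of int in Python; JSON true/false must not pass as a number.
    return isinstance(value, int) and not isinstance(value, bool)


def _require_positive(section, path, key, errors):
    value = section.get(key)
    if not _is_int(value) or value <= 0:
        errors.append(f"{path}.{key}: must be an integer > 0, got {value!r}")


def lint_tenant(body):
    """Return the documented constraints that `body` violates (empty list if none)."""
    tenant = body.get("tenant", {})
    errors = []

    ext = tenant.get("externalIdentifierConfiguration", {})
    path = "tenant.externalIdentifierConfiguration"
    for name in GENERATOR_FIELDS:
        gen = ext.get(name)
        if not isinstance(gen, dict):
            errors.append(f"{path}.{name}: required")
            continue
        gen_type, length = gen.get("type"), gen.get("length")
        bounds = GENERATOR_LENGTH_BOUNDS.get(gen_type) if isinstance(gen_type, str) else None
        if bounds is None:
            errors.append(f"{path}.{name}.type: unknown type {gen_type!r}")
        elif not _is_int(length) or not bounds[0] <= length <= bounds[1]:
            errors.append(f"{path}.{name}.length: {length!r} not in "
                          f"{bounds[0]}..{bounds[1]} for {gen_type}")
    for key in POSITIVE_TTL_FIELDS:
        _require_positive(ext, path, key, errors)
    grant_ttl = ext.get("authorizationGrantIdTimeToLiveInSeconds")
    if not _is_int(grant_ttl) or not 0 < grant_ttl <= 600:
        errors.append(f"{path}.authorizationGrantIdTimeToLiveInSeconds: "
                      f"{grant_ttl!r} not in 1..600")

    jwt = tenant.get("jwtConfiguration", {})
    for key in ("refreshTokenTimeToLiveInMinutes", "timeToLiveInSeconds"):
        _require_positive(jwt, "tenant.jwtConfiguration", key, errors)

    # Cross-field requirements stated in the field descriptions.
    breach = tenant.get("passwordValidationRules", {}).get("breachDetection", {})
    if breach.get("onLogin") == "NotifyUser" and not breach.get("notifyUserEmailTemplateId"):
        errors.append("tenant.passwordValidationRules.breachDetection."
                      "notifyUserEmailTemplateId: required when onLogin is NotifyUser")
    unverified = tenant.get("userDeletePolicy", {}).get("unverified", {})
    if unverified.get("enabled") is True:
        _require_positive(unverified, "tenant.userDeletePolicy.unverified",
                          "numberOfDaysToRetain", errors)
    return errors


def sample_body():
    """Constructed sample: only the sections checked here, with valid values."""
    random_bytes = {"length": 32, "type": "randomBytes"}
    ext = {name: dict(random_bytes) for name in GENERATOR_FIELDS}
    ext["deviceUserCodeIdGenerator"] = {"length": 6, "type": "randomAlphaNumeric"}
    ext.update({key: 300 for key in POSITIVE_TTL_FIELDS})
    ext["authorizationGrantIdTimeToLiveInSeconds"] = 30
    return {"tenant": {
        "externalIdentifierConfiguration": ext,
        "jwtConfiguration": {"refreshTokenTimeToLiveInMinutes": 43200,
                             "timeToLiveInSeconds": 3600},
        "passwordValidationRules": {"breachDetection": {"enabled": True, "onLogin": "Off"}},
        "userDeletePolicy": {"unverified": {"enabled": True, "numberOfDaysToRetain": 30}},
    }}


if __name__ == "__main__":
    body = sample_body()
    ext = body["tenant"]["externalIdentifierConfiguration"]
    ext["changePasswordIdGenerator"] = {"length": 12, "type": "randomBytes"}  # too short
    ext["authorizationGrantIdTimeToLiveInSeconds"] = 3600                     # over 600
    for problem in lint_tenant(body):
        print(problem)
```

A length of 12 is valid for the three character-based generators but not for randomBytes, which is the mismatch most likely to appear when only the type is changed.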

Response

The response for this API contains the Tenant that was updated.

Table 3. Response Codes
Code Description

200

The request was successful. The response will contain a JSON body.

400

The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

401

You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

404

The object you are trying to update doesn’t exist. The response will be empty.

500

There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

503

The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body

tenant.connectorPolicies [Array] Available since 1.18.0

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

tenant.connectorPolicies[x].connectorId [UUID] Available since 1.18.0

The identifier of the Connector to which this policy refers.

tenant.connectorPolicies[x].domains [String] Available since 1.18.0

A list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

tenant.connectorPolicies[x].migrate [Boolean] Available since 1.18.0

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

tenant.data [Object]

An object that can hold any information about the Tenant that should be persisted.

tenant.emailConfiguration.enabled [Boolean] Deprecated

When this value is set to true the email configuration provided by this tenant will take precedence over the configuration provided by the System Configuration.

Removed in version 1.8.0. In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration.

tenant.emailConfiguration.defaultFromEmail [String] Available since 1.16.0

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.defaultFromName [String] Available since 1.16.0

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).

tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID]

The Id of the Email Template that is used when a user is sent a forgot password email.

tenant.emailConfiguration.host [String] Available since 1.8.0

The host name of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.password [String] Available since 1.8.0

An optional password FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Available since 1.8.0

The Id of the Passwordless Email Template.

tenant.emailConfiguration.port [Integer] Available since 1.8.0

The port of the SMTP server that FusionAuth will use.

tenant.emailConfiguration.properties [String] Available since 1.8.0

Additional Email Configuration in a properties file formatted String.

tenant.emailConfiguration.security [String] Available since 1.8.0

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

  • NONE - no security will be used. All communications will be sent plaintext.

  • SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.

  • TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

tenant.emailConfiguration.setPasswordEmailTemplateId [UUID]

The Id of the Email Template that is used when a user has had their account created for them and is sent an email so that they can set their password manually.

tenant.emailConfiguration.username [String] Available since 1.8.0

An optional username FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.verificationEmailTemplateId [UUID]

The Id of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true this field is required.

tenant.emailConfiguration.verifyEmail [Boolean]

Whether the user’s email addresses are verified when the user registers with your application.

tenant.emailConfiguration.verifyEmailWhenChanged [Boolean]

Whether the user’s email addresses are verified when the user changes them.

tenant.eventConfiguration.events [Object] Available since 1.8.0

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

  • user.action - When a user action is triggered

  • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

  • user.create - When a user is created

  • user.email.verified - When a user verifies their email address Available since 1.8.0

  • user.update - When a user is updated

  • user.deactivate - When a user is deactivated

  • user.reactivate - When a user is reactivated

  • user.login.success - When a user completes a login request Available since 1.6.0

  • user.login.failed - When a user fails a login request Available since 1.6.0

  • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

  • user.registration.create - When a user registration is created Available since 1.6.0

  • user.registration.update - When a user registration is updated Available since 1.6.0

  • user.registration.delete - When a user registration is deleted Available since 1.6.0

  • user.registration.verified - When a user completes registration verification Available since 1.8.0

  • user.delete - When a user is deleted

  • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

  • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

  • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

tenant.eventConfiguration.events[type].enabled [Boolean] Available since 1.8.0

Whether or not FusionAuth should send these types of events to any configured Webhooks.

tenant.eventConfiguration.events[type].transactionType [String] Available since 1.8.0

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

  • None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.

  • SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.

  • AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the change password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds [Integer] Available since 1.11.0

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.length [Integer] Available since 1.11.0

The length of the secure generator used for generating the device code Id.

If the deviceUserCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the deviceUserCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.type [String] Available since 1.11.0

The type of the secure generator used for generating the device code Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the email verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds [Integer] Available since 1.12.0

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the passwordless login. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the registration verification Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds [Integer] Available since 1.19.0

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Available since 1.8.0

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Available since 1.8.0

The type of the secure generator used for generating the setup password Id. Possible values are:

  • randomAlpha

  • randomAlphaNumeric

  • randomBytes

  • randomDigits

tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Available since 1.8.0

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDuration [Long] Available since 1.8.0

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Available since 1.8.0

The unit of time associated with a duration. The possible values are:

  • MINUTES

  • HOURS

  • DAYS

  • WEEKS

  • MONTHS

  • YEARS

tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Available since 1.8.0

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Available since 1.8.0

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.userActionId [UUID] Available since 1.8.0

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

tenant.familyConfiguration.allowChildRegistrations [Boolean] Available since 1.8.0

Whether to allow child registrations.

tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use when confirming a child.

tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Available since 1.8.0

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Available since 1.8.0

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

tenant.familyConfiguration.enabled [Boolean] Available since 1.8.0

Whether family configuration is enabled.

tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use when a family request is made.

tenant.familyConfiguration.maximumChildAge [Integer] Available since 1.8.0

The maximum age of a child. Value must be greater than 0.

tenant.familyConfiguration.minimumOwnerAge [Integer] Available since 1.8.0

The minimum age to be an owner. Value must be greater than 0.

tenant.familyConfiguration.parentEmailRequired [Boolean] Available since 1.8.0

Whether a parent email is required.

tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Available since 1.8.0

The unique Id of the email template to use for parent registration.

tenant.formConfiguration.adminUserFormId [UUID] Available since 1.20.0

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

tenant.httpSessionMaxInactiveInterval [Integer] Available since 1.8.0

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

tenant.id [UUID]

The unique identifier for this Tenant.

tenant.insertInstant [Long]

The instant that the Tenant was added to the FusionAuth database.

tenant.issuer [String] Available since 1.8.0

The named issuer used to sign tokens. This is generally your public fully qualified domain.

tenant.jwtConfiguration.accessTokenKeyId [UUID] Available since 1.8.0

The unique id of the signing key used to sign the access token.

tenant.jwtConfiguration.idTokenKeyId [UUID] Available since 1.8.0

The unique id of the signing key used to sign the Id token.

tenant.jwtConfiguration.refreshTokenExpirationPolicy [String] Available since 1.17.0

The refresh token expiration policy. The following are valid values:

  • Fixed - the expiration is calculated from the time the token is issued.

  • SlidingWindow - the expiration is calculated from the last time the token was used.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPrevented [Boolean] Available since 1.17.0

When enabled, the refresh token will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged [Boolean] Available since 1.17.0

When enabled, the refresh token will be revoked when a user changes their password.

tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.8.0

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

tenant.jwtConfiguration.refreshTokenUsagePolicy [String] Available since 1.17.0

The refresh token usage policy. The following are valid values:

  • Reusable - the token does not change after it was issued.

  • OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Available since 1.8.0

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

tenant.lastUpdateInstant [Long]

The instant that the Tenant was last updated in the FusionAuth database.

tenant.logoutURL [String] Available since 1.8.0

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

tenant.maximumPasswordAge.days [Integer] Available since 1.8.0

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when systemConfiguration.maximumPasswordAge.enabled is set to true.

tenant.maximumPasswordAge.enabled [Boolean] Available since 1.8.0

Indicates that the maximum password age is enabled and being enforced.

tenant.minimumPasswordAge.seconds [Integer] Available since 1.8.0

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when systemConfiguration.minimumPasswordAge.enabled is set to true.

tenant.minimumPasswordAge.enabled [Boolean] Available since 1.8.0

Indicates that the minimum password age is enabled and being enforced.

tenant.name [String]

The unique name of the Tenant.

tenant.passwordEncryptionConfiguration.encryptionScheme [String] Available since 1.8.0

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

  • salted-md5

  • salted-sha256

  • salted-hmac-sha256

  • salted-pbkdf2-hmac-sha256

  • bcrypt

tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Available since 1.8.0

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Available since 1.8.0

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

tenant.passwordValidationRules.breachDetection.enabled [Boolean] Available since 1.15.0

Whether to enable Reactor breach detection. Requires an activated license.

tenant.passwordValidationRules.breachDetection.matchMode [String] Available since 1.15.0

The level of severity where Reactor will consider a breach. The following are valid values:

  • High - Only requires a password match. This is the most secure and is recommended.

  • Medium - Exact match on username, email address or email sub-address

  • Low - Exact match on an email or username, or the password is a common breached value

tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateId [UUID] Available since 1.15.0

The Id of the email template to use when notifying user of breached password.

tenant.passwordValidationRules.breachDetection.onLogin [String] Available since 1.15.0

The behavior when detecting breaches at time of user login. The following are valid values:

  • Off - Do not perform breach detection at login

  • RecordOnly - Only record the result, take no action

  • NotifyUser - Notify the end user via email

  • RequireChange - Require immediate password change

tenant.passwordValidationRules.maxLength [Integer] Available since 1.8.0

The maximum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.minLength [Integer] Available since 1.8.0

The minimum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Available since 1.8.0

The number of previous passwords to remember. Value must be greater than 0.

tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Available since 1.8.0

Whether to prevent a user from using any of their previous passwords.

tenant.passwordValidationRules.requireMixedCase [Boolean] Available since 1.8.0

Whether to force the user to use at least one uppercase and one lowercase character.

tenant.passwordValidationRules.requireNonAlpha [Boolean] Available since 1.8.0

Whether to force the user to use at least one non-alphanumeric character.

tenant.passwordValidationRules.requireNumber [Boolean] Available since 1.8.0

Whether to force the user to use at least one number.

tenant.passwordValidationRules.validateOnLogin [Boolean] Available since 1.15.0

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

tenant.state [String] Available since 1.22.0

The current state of the tenant. The following are valid values:

  • Active - The tenant is active.

  • PendingDelete - A delete request has been requested and is being processed.

tenant.themeId [UUID] Available since 1.8.0

The unique Id of the theme to be used to style the login page and other end user templates.

tenant.userDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0

The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.

Example Response JSON
{
  "tenant": {
    "data": {
      "description": "No more secrets, Marty."
    },
    "connectorPolicies": [
      {
        "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
        "domains": ["*"],
        "migrate": false
      },
      {
        "connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
        "domains": ["*"],
        "migrate": true
      }
    ],
    "emailConfiguration": {
      "defaultFromEmail": "jared@piedpiper.com",
      "defaultFromName": "Jared Dunn",
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "password": "password",
      "passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
      "port": 587,
      "properties": {
        "key": "value"
      },
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "events": {
        "user.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.deactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.bulk.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.reactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh-token.revoke": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.public-key.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.success": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.failed": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.password.breach": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.verified": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.email.verified": {
          "enabled": true,
          "transactionType": "None"
        }
      }
    },
    "externalIdentifierConfiguration": {
      "authorizationGrantIdTimeToLiveInSeconds": 30,
      "changePasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "changePasswordIdTimeToLiveInSeconds": 600,
      "deviceCodeTimeToLiveInSeconds": 1800,
      "deviceUserCodeIdGenerator": {
        "length": 6,
        "type": "randomAlphaNumeric"
      },
      "emailVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "emailVerificationIdTimeToLiveInSeconds": 86400,
      "externalAuthenticationIdTimeToLiveInSeconds": 300,
      "oneTimePasswordTimeToLiveInSeconds": 60,
      "passwordlessLoginGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "passwordlessLoginTimeToLiveInSeconds": 180,
      "registrationVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "registrationVerificationIdTimeToLiveInSeconds": 86400,
      "samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
      "setupPasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "setupPasswordIdTimeToLiveInSeconds": 86400,
      "twoFactorIdTimeToLiveInSeconds": 300,
      "twoFactorTrustIdTimeToLiveInSeconds": 2592000
    },
    "failedAuthenticationConfiguration": {
      "actionDuration": 3,
      "actionDurationUnit": "MINUTES",
      "resetCountInSeconds": 60,
      "tooManyAttempts": 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "familyConfiguration": {
      "allowChildRegistrations": true,
      "confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
      "deleteOrphanedAccounts": false,
      "deleteOrphanedAccountsDays": 30,
      "enabled": true,
      "familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
      "maximumChildAge": 12,
      "minimumOwnerAge": 21,
      "parentEmailRequired": false,
      "parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
    },
    "formConfiguration": {
      "adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "id": "32306536-3036-6431-3865-646430303332",
    "insertInstant": 1572469040579,
    "issuer": "https://example.com",
    "jwtConfiguration": {
      "accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
      "enabled": true,
      "idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
      "refreshTokenExpirationPolicy": "Fixed",
      "refreshTokenRevocationPolicy": {
        "onLoginPrevented": true,
        "onPasswordChanged": true
      },
      "refreshTokenTimeToLiveInMinutes": 43200,
      "refreshTokenUsagePolicy": "Reusable",
      "timeToLiveInSeconds": 3600
    },
    "lastUpdateInstant": 1595361143101,
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": false
    },
    "minimumPasswordAge": {
      "enabled": false,
      "seconds": 30
    },
    "name": "Playtronics Co.",
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordValidationRules": {
      "breachDetection": {
        "enabled": true,
        "notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
        "matchMode": "High",
        "onLogin": "Off"
      },
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true,
      "validateOnLogin": false
    },
    "state": "Active",
    "themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
    "userDeletePolicy": {
      "unverified": {
        "enabled": true,
        "numberOfDaysToRetain": 30
      }
    }
  }
}
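
As an added example (not FusionAuth's own code), the following Python lint applies the constraints documented above to a tenant object returned by this API: the generator length bounds per type, the time-to-live limits, the SMTP security values, and the recommended breach detection match mode. The sample tenant is constructed for illustration, and accepting only salted-pbkdf2-hmac-sha256 and bcrypt as encryption schemes is this example's own policy, not a FusionAuth rule.

```python
import json

# Length bounds per generator type, as documented for each *Generator.length field.
GENERATOR_BOUNDS = {
    "randomAlpha": (4, 12),
    "randomAlphaNumeric": (4, 12),
    "randomBytes": (16, 128),
    "randomDigits": (4, 12),
}
# Policy of this example (an assumption, not a FusionAuth rule): accept only
# the iterated or adaptive schemes from the documented list.
ADAPTIVE_SCHEMES = {"salted-pbkdf2-hmac-sha256", "bcrypt"}
GRANT_TTL = "authorizationGrantIdTimeToLiveInSeconds"  # documented range: 1..600
SAML_TTL = "samlv2AuthNRequestIdTimeToLiveInSeconds"   # no range documented, skipped


def _is_int(value):
    # bool is a subclass of int in Python; a JSON true/false is not a valid number here.
    return isinstance(value, int) and not isinstance(value, bool)


def lint_tenant(tenant):
    """Return (severity, field, message) findings for one tenant object."""
    findings = []

    security = tenant.get("emailConfiguration", {}).get("security")
    if security == "NONE":
        findings.append(("error", "emailConfiguration.security",
                         "SMTP traffic, credentials included, is sent in plaintext"))
    elif security == "SSL":
        findings.append(("warning", "emailConfiguration.security",
                         "SSL is not recommended; use TLS if the server supports it"))

    for key, value in tenant.get("externalIdentifierConfiguration", {}).items():
        field = "externalIdentifierConfiguration." + key
        if isinstance(value, dict):  # a generator object: {"length": ..., "type": ...}
            gen_type, length = value.get("type"), value.get("length")
            bounds = GENERATOR_BOUNDS.get(gen_type)
            if bounds is None:
                findings.append(("error", field, f"unknown generator type {gen_type!r}"))
            elif not _is_int(length) or not bounds[0] <= length <= bounds[1]:
                findings.append(("error", field,
                                 f"{gen_type} length {length!r} is outside {bounds[0]}..{bounds[1]}"))
        elif key.endswith("TimeToLiveInSeconds") and key != SAML_TTL:
            upper = 600 if key == GRANT_TTL else None
            if not _is_int(value) or value <= 0:
                findings.append(("error", field, "must be greater than 0"))
            elif upper is not None and value > upper:
                findings.append(("error", field, f"must be less than or equal to {upper}"))

    scheme = tenant.get("passwordEncryptionConfiguration", {}).get("encryptionScheme")
    if scheme is not None and scheme not in ADAPTIVE_SCHEMES:
        findings.append(("warning", "passwordEncryptionConfiguration.encryptionScheme",
                         f"{scheme} is not an iterated or adaptive scheme"))

    breach = tenant.get("passwordValidationRules", {}).get("breachDetection", {})
    if breach.get("enabled") and breach.get("matchMode") != "High":
        findings.append(("warning", "passwordValidationRules.breachDetection.matchMode",
                         "High is the recommended match mode"))
    return findings


# Constructed sample: a trimmed tenant with deliberately weak or invalid values.
WEAK_TENANT_JSON = """
{
  "tenant": {
    "emailConfiguration": {"host": "smtp.example.com", "port": 25, "security": "NONE"},
    "externalIdentifierConfiguration": {
      "authorizationGrantIdTimeToLiveInSeconds": 900,
      "changePasswordIdGenerator": {"length": 16, "type": "randomDigits"},
      "changePasswordIdTimeToLiveInSeconds": 600,
      "passwordlessLoginGenerator": {"length": 8, "type": "randomBytes"},
      "passwordlessLoginTimeToLiveInSeconds": 180,
      "samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
      "twoFactorIdTimeToLiveInSeconds": 0
    },
    "passwordEncryptionConfiguration": {"encryptionScheme": "salted-md5"},
    "passwordValidationRules": {
      "breachDetection": {"enabled": true, "matchMode": "Low", "onLogin": "Off"}
    }
  }
}
"""
WEAK_TENANT = json.loads(WEAK_TENANT_JSON)["tenant"]

if __name__ == "__main__":
    for severity, field, message in lint_tenant(WEAK_TENANT):
        print(f"{severity:7} {field}: {message}")
```

Pass the function the value of the "tenant" key from a retrieve response; an empty list means none of the checks fired.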

Delete a Tenant

This API is used to permanently delete a Tenant. Deleting a Tenant will delete all Users, Applications and Groups that belong to this tenant. Proceed with caution.

Request

Delete a Tenant by Id

URI

DELETE /api/tenant/{tenantId}

Request Parameters

tenantId [UUID] Required

The unique Id of the Tenant to delete.

async [Boolean] Optional defaults to false

Set this value to true to perform this request asynchronously. This means the API will return a response indicating the request has been accepted and will not wait for the operation to complete.

Request Headers

X-FusionAuth-TenantId [String] Optional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Response

This API does not return a JSON response body.

Table 4. Response Codes

Code - Description

  • 200 - The request was successful. The response will be empty.

  • 202 - The request has been accepted but not completed. The response will be empty.

  • 400 - The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

  • 401 - You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

  • 404 - The object you are trying to delete doesn’t exist. The response will be empty.

  • 500 - There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

  • 503 - The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Retrieve the Password Validation Rules

This API has been available since 1.8.0

This API is used to retrieve the Password Validation Rules. This configuration is a subset of the Tenant configuration.

Request

Retrieve the Password Validation Rules

URI

GET /api/tenant/password-validation-rules/{tenantId}

Request Parameters

tenantId [UUID] Required

The Id of the tenant.

Request Headers

X-FusionAuth-TenantId [String] Optional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Response

The response for this API contains the Password Validation Rules.

Table 5. Response Codes
Code Description

200

The request was successful. The response will contain a JSON body.

500

There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

Response Body

tenant.passwordValidationRules.maxLength [Integer]

The maximum number of characters that are allowed for user passwords.

tenant.passwordValidationRules.minLength [Integer]

The minimum number of characters that are required for user passwords.

tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer]

The number of previous passwords that should be remembered so they are not re-used by the User.

tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean]

Indicates that the remember previous password validation is enabled and being enforced.

tenant.passwordValidationRules.requireMixedCase [Boolean]

Indicates that passwords require an uppercase and lowercase character to be valid.

tenant.passwordValidationRules.requireNonAlpha [Boolean]

Indicates that passwords require a non-alphanumeric character to be valid.

tenant.passwordValidationRules.requireNumber [Boolean]

Indicates that passwords require at least one number to be valid.

Example Response JSON
{
  "passwordValidationRules": {
    "maxLength": 256,
    "minLength": 8,
    "rememberPreviousPasswords": {
      "count": 2,
      "enabled": true
    },
    "requireMixedCase": true,
    "requireNonAlpha": true,
    "requireNumber": true
  }
}
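
The following is an added example, not part of the FusionAuth documentation or code base. It parses the response body shown above and pre-checks a candidate password against the returned rules. The function names `parse_rules` and `violations` are hypothetical, and using Python's `str` classification methods to interpret the character classes is an assumption of this sketch; the server's own validation remains authoritative.

```python
import json

# Constructed sample: the example response body from this page.
SAMPLE_RESPONSE = """
{
  "passwordValidationRules": {
    "maxLength": 256,
    "minLength": 8,
    "rememberPreviousPasswords": {"count": 2, "enabled": true},
    "requireMixedCase": true,
    "requireNonAlpha": true,
    "requireNumber": true
  }
}
"""


def parse_rules(body: str) -> dict:
    """Extract the rules object, failing loudly on an unexpected shape."""
    doc = json.loads(body)
    rules = doc.get("passwordValidationRules")
    if not isinstance(rules, dict):
        raise ValueError("response has no passwordValidationRules object")
    for key in ("minLength", "maxLength"):
        value = rules.get(key)
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{key} missing or not an integer")
    return rules


def violations(password: str, rules: dict) -> list:
    """Return the names of the rules the candidate password fails."""
    failed = []
    if len(password) < rules["minLength"]:
        failed.append("minLength")
    if len(password) > rules["maxLength"]:
        failed.append("maxLength")
    if rules.get("requireMixedCase") and not (
        any(c.isupper() for c in password) and any(c.islower() for c in password)
    ):
        failed.append("requireMixedCase")
    if rules.get("requireNonAlpha") and all(c.isalnum() for c in password):
        failed.append("requireNonAlpha")
    if rules.get("requireNumber") and not any(c.isdigit() for c in password):
        failed.append("requireNumber")
    # rememberPreviousPasswords depends on the user's password history, which
    # only the server holds, so it cannot be pre-checked here.
    return failed
```

A pre-check like this only improves form feedback; a password that passes it can still be rejected by the server, for example by the previous-password rule.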
