Applications

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The Id to use for the new Application, which must be unique across all Tenants. If not specified a secure random UUID will be generated.

The Id of the IP Access Control List limiting access to this application.

Note: An Enterprise plan is required to utilize IP ACLs.

Determines if Users can have Authentication Tokens associated with this Application. This feature may not be enabled for the FusionAuth application.

An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.

This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.

The Id of the CleanSpeak application that usernames are sent to for moderation.

True if CleanSpeak username moderation is enabled.

An object that can hold any information about the Application that should be persisted.

The Id of the Email Template used to send emails to users to verify that their email address is valid.

The Id of the Email Template used to send emails to users when their email address is updated.

Note: An Enterprise plan is required to utilize advanced threat detection emails.

The Id of the Email Template used to notify a user that their email address has been verified.

The Id of the Email Template that is used when a user is sent a forgot password email.

The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.

Note: An Enterprise plan is required to utilize advanced threat detection emails.

The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.

The Id of the Email Template used to send emails to users when they log in on a new device.

Note: An Enterprise plan is required to utilize advanced threat detection emails.

The Id of the Email Template used to send emails to users when a suspicious login occurs.

Note: An Enterprise plan is required to utilize advanced threat detection emails.

The Id of the Passwordless Email Template, sent to users when they start a passwordless login.

The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset.

Note: An Enterprise plan is required to utilize advanced threat detection emails.

The Id of the Email Template used to send emails to users when their password has been updated.

Note: An Enterprise plan is required to utilize advanced threat detection emails.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.

The Id of the Email Template used to send emails to users when a MFA method has been added to their account.

Note: An Enterprise plan is required to utilize advanced threat detection emails.

The Id of the Email Template used to send emails to users when a MFA method has been removed from their account.

Note: An Enterprise plan is required to utilize advanced threat detection emails.

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

When this value is not defined, the value defined by tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds is utilized. When this value is defined it will override the tenant configured value.

This configuration is only utilized when application.multiFactorConfiguration.loginPolicy is Enabled or Required.

When enabled a user will be required to provide their current password when changing their password on a self-service account form.

Note: A paid plan is required to utilize custom forms.

The unique Id of the form to enable authenticated users to manage their profile on the account page.

Note: A paid plan is required to utilize custom forms.

The Id of the signing key used to sign the access token.

The algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.

• ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
• ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
• ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
• HS256 - HMAC using SHA-256
• HS384 - HMAC using SHA-384
• HS512 - HMAC using SHA-512
• RS256 - RSASSA-PKCS1-v1_5 using SHA-256
• RS384 - RSASSA-PKCS1-v1_5 using SHA-384
• RS512 - RSASSA-PKCS1-v1_5 using SHA-512

Required when enabled is set to true.

When an HMAC algorithm is used such as HS256, HS384 or HS512, the OAuth client_secret will be used as the signing secret.

Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.

The Id of the signing key used to sign the Id token.

The private key used when an RSA or ECDSA based signing algorithm has been selected. The private key will be used to sign the JWT. This key is expected to be presented in a PEM encoded format.

Required when enabled is set to true and algorithm is set to an RSA or ECDSA based value.

The public key used when an RSA or ECDSA signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key is expected to be presented in a PEM encoded format.

Required when enabled is set to true and algorithm is set to an RSA or ECDSA based value.

The Refresh Token expiration policy.

The possible values are:

• Fixed - the expiration is calculated from the time the token is issued.
• SlidingWindow - the expiration is calculated from the last time the token was used.
• SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0

The length of time specified in seconds that a one-time use token can be re-used.

This value must be greater than 0 and less than 86,400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.

Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.

The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime. Value must be greater than 0.

When refreshTokenExpirationPolicy is set to SlidingWindowWithMaximumLifetime, this value must be greater than or equal to refreshTokenTimeToLiveInMinutes .

The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.

Required when enabled is set to true.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.
• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.

Required when enabled is set to true and algorithm is set to an HMAC based value.

The length of time in seconds the JWT will live before it is expired and no longer valid.

Required when enabled is set to true.

The Id of the lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.

The Id of the lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.

The Id of the lambda that will be invoked when a SAML response is generated during a SAML authentication request.

The Id of the lambda that will be used to perform additional validation on registration form steps.

Note: A paid plan is required to utilize custom forms.

The Id of the lambda that will be invoked when a UserInfo response is generated for this application.

Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.

If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false to ensure Refresh Tokens cannot be used outside of the Refresh Token Grant.

Indicates if a Refresh Token should be issued from the Login API.

If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false to ensure Refresh Tokens will not be issued outside of the OAuth grants.

Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.

If you do not intend to use the Login API, or will only be calling this API from a secure backend server, setting this value to true in order to require an API key is preferred.

The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.

When enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When required, the user will be required to complete a two-factor challenge during login.

When configured, this value overrides the value configured by the tenant.multiFactorConfiguration.loginPolicy .

Supported values include:

• Enabled - Require a two-factor challenge during login when an eligible method is available.
• Disabled - Do not require a two-factor challenge during login.
• Required - Require a two-factor challenge during login. A user will be required to configure 2FA if no eligible methods are available. Available since 1.42.0

The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.

When application.multiFactorConfiguration.loginPolicy is set to Enabled or Required, this trust policy is utilized when determining if a user must complete a two-factor challenge during login.

For example, a normal two-factor login flow will result in a trust Id being returned if you set trustComputer equal to true when completing a Two Factor Login. The returned Trust identifier can be used on subsequent Login requests to keep from being required to complete a Two-Factor login. This configuration determines if that trust value can be utilized for another application.

Supported values include:

• Any - Trust obtained from any application is sufficient to bypass the two-factor challenge.
• This - Only trust obtained for this application is sufficient to bypass the two-factor challenge.
• None - Never trusted. The user will be required to complete a two-factor challenge during each login attempt.

The name of the Application.

An array of URLs that are the authorized origins for FusionAuth OAuth.

For improved security, all FusionAuth hosted login pages add an HTTP response header of X-Frame-Options: DENY. This response header disallows loading the FusionAuth pages from an iframe. To utilize an iframe and load one or more of the FusionAuth hosted login pages, add the iframe page URLs to this property. For that host, FusionAuth will remove the X-Frame-Options header allowing the page to load in the iframe.

Examples of valid authorized origin URIs:

• https://example.com
• com.myApp://example
• com.myApp:/example

An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.

Examples of valid redirect URIs:

• https://example.com/redirect
• com.myApp://redirect
• com.myApp:/redirect

Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .

The possible values are:

• ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
• AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.

Determines the client authentication requirements for the OAuth 2.0 Token endpoint.

The possible values are:

• Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
• NotRequired - Providing client credentials is optional when using the Token endpoint.
• NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PCKE code_verifier has been provided in the request body using POST data.

The OAuth 2.0 client secret. If you leave this blank during a POST, a secure secret will be generated for you. If you leave this blank during PUT, the previous value will be maintained. For both POST and PUT you can provide a value and it will be stored.

Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty.

The possible values are:

• AlwaysPrompt - Always prompt the user for consent.
• RememberDecision - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.
• NeverPrompt - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a FirstParty application. This configuration is meant for testing purposes only and should not be used in production.

Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.

The device verification URL to be used with the Device Code grant type, this field is required when device_code is enabled.

The enabled grants for this application. In order to utilize a particular grant with the OAuth 2.0 endpoints you must have enabled the grant.

Supported values include:

• authorization_code
• implicit
• password
• refresh_token
• urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0

Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.

Behavior when /oauth2/logout is called.

Valid values:

• RedirectOnly ** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
• AllApplications ** End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.

The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.

Determines the PKCE requirements when using the authorization code grant.

The possible values are:

• Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
• NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
• NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.

Whether the address OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the address OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the email OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the email OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the phone OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the phone OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the profile OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the profile OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

The application’s relationship to the OAuth server.

The possible values are:

• FirstParty - The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.
• ThirdParty - The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on the application object’s oauthConfiguration.consentMode value.

Note: An Essentials or Enterprise plan is required to utilize third-party applications.

Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.

When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.

Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.

The possible values are:

• Compatibility - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
• Strict - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.

Controls the policy for handling unknown scopes on an OAuth request.

The possible values are:

• Allow - Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.
• Remove - Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.
• Reject - Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.

Determines if passwordless login is enabled for this application.

Determines if the birthDate field will be included on the registration form.

Determines if the birthDate field is required when displayed on the registration form.

Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.

Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.

Self service registration cannot be enabled on the FusionAuth application.

If true, any user logging in to this application using hosted login pages will automatically have a registration created, if they are not already registered.

Determines if the firstName field will be included on the registration form.

Determines if the firstName field is required when displayed on the registration form.

The Id of an associated Form when using advanced registration configuration type. This field is required when application.registrationConfiguration.type is set to advanced.

Determines if the fullName field will be included on the registration form.

Determines if the fullName field is required when displayed on the registration form.

Determines if the lastName field will be included on the registration form.

Determines if the lastName field is required when displayed on the registration form.

The unique login Id that will be collected during registration, this value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.

• email
• username

Determines if the middleName field will be included on the registration form.

Determines if the middleName field is required when displayed on the registration form.

Determines if the mobilePhone field will be included on the registration form.

Determines if the mobilePhone field is required when displayed on the registration form.

Determines if the preferredLanguages field will be included on the registration form. The default form control will display all available locales.

Determines if the preferredLanguages field is required when displayed on the registration form.

The type of registration flow.

Supported values include:

• basic - basic self registration options.
• advanced - advanced usage of custom forms and requires a paid plan. Available since 1.18.0

Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.

The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. This field is required when application.registrationDeletePolicy.enabled is set to true. Value must be greater than 0.

An array of Role objects.

A description for the role.

The Id of the Role.

The name of the Role.

Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.

Whether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.

The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:

• SHA1 - SHA-1 hashing algorithm
• SHA256 - SHA-256 hashing algorithm
• SHA384 - SHA-384 hashing algorithm
• SHA512 - SHA-512 hashing algorithm

Using SHA256 or higher is recommended.

Determines if SAML assertion encryption is enabled for this Application.

The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:

• AES128 - AES in CBC mode with a 128-bit key
• AES192 - AES in CBC mode with a 192-bit key
• AES256 - AES in CBC mode with a 256-bit key
• AES128GCM - AES using GCM with a 128-bit key
• AES192GCM - AES using GCM with a 192-bit key
• AES256GCM - AES using GCM with a 256-bit key
• TripleDES - Triple DES with a 192-bit key

Cryptography experts strongly recommend the use of AES using GCM if supported. Availability will depend on whether the SAML Service Provider (SP) supports those algorithms.

The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData element containing the encrypted assertion value. The possible values are:

• Child - The EncryptedKey element will be wrapped in a KeyInfo element and added inside the EncryptedData
• Sibling - The EncryptedKey element will be added to the document as a sibling of EncryptedData

This value will be dictated by the SAML Service Provider (SP) and which options it supports.

The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:

• RSAv15 - RSA version 1.5
• RSA_OAEP - RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
• RSA_OAEP_MGF1P - RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash

Use of RSAv15 is not recommended but is available for backwards compatibility.

The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response. The selected Key must contain an RSA certificate.

This parameter is required when application.samlv2Configuration.assertionEncryptionConfiguration.enabled is set to true.

The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:

• MGF1_SHA1 - MGF1 mask generation function with SHA-1 hash
• MGF1_SHA224 - MGF1 mask generation function with SHA-224 hash
• MGF1_SHA256 - MGF1 mask generation function with SHA-256 hash
• MGF1_SHA384 - MGF1 mask generation function with SHA-384 hash
• MGF1_SHA512 - MGF1 mask generation function with SHA-512 hash

This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP. RSAv15 does not require a message digest function, and RSA_OAEP_MGF1P will always use MGF1_SHA1 regardless of this value.

The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer and this configuration option lets you change the audience in the response.

One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL] element. If a requested URL is not in this list the request will be rejected by FusionAuth.

This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL] element, the first URL found in this list will be used to send the SAML response back to the Service Provider.

If the application.samlv2Configuration.initiatedLogin.enabled is true, the particular URL where the user will end up after successful login can be configured by appending a parameter to the Initiate login URL. The parameter must be either redirect_uri or RelayState. The value should be a URL encoded URL present in this field. If both RelayState and redirect_uri are present redirect_uri will be ignored in favor of RelayState.

The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.

Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.

The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.

When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo] element is not found in the SAML AuthNRequest. If a [KeyInfo] element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.

This parameter is required when application.samlv2Configuration.requireSignedRequests is set to true.

Determines if the SAML IdP is enabled for this Application.

An issuer identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration. If you don’t know the issuer, you can put anything in this field and FusionAuth will display an error message with the issuer from the service provider when you test the SAML login.

Determines if SAML v2 IdP initiated login is enabled for this application. See application.samlv2Configuration.authorizedRedirectURLs for information on which destination URLs are allowed.

The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.

The unique Id of the Key used to sign the SAML response. If you do not specify this property, FusionAuth will create a new key and associate it with this Application.

When enabled, FusionAuth will accept a username or email address as a login hint on a custom HTTP request parameter.

The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.

The possible values are:

• AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
• OnlyOriginator - no other session participants will be notified when a logout request is sent for this application

This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.

The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.

This parameter is required when application.samlv2Configuration.logout.requireSignedRequests is set to true.

The unique Id of the Key used to sign the SAML Logout response.

When this parameter is omitted, the key defined by application.samlv2Configuration.keyId will be used.

Set this parameter equal to true to require the SAML v2 Service Provider to sign the Logout request. When this value is true all Logout requests missing a signature will be rejected.

When set to true, the parameter application.samlv2Configuration.logout.defaultVerificationKeyId is required.

Whether or not SAML Single Logout for this SAML IdP is enabled.

The unique Id of the Key used to sign the SAML Single Logout response.

When this parameter is omitted, the key defined by application.samlv2Configuration.keyId will be used.

The URL at which you want to receive the LogoutRequest from FusionAuth.

Required if application.samlv2Configuration.logout.singleLogout.enabled is true.

The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The URL that the browser is taken to after the user logs out of the SAML service provider. Often service providers need this URL in order to correctly hook up single-logout.

This is also the URL that will be sent the SAML v2 LogoutResponse using the same bindings that were used to initiate the logout request with the IdP. For example, if POST bindings were used to initiate the logout request, POST bindings will be used for this LogoutResponse request.

Set this parameter equal to true to require the SAML v2 Service Provider to sign the request. When this value is true all requests missing a signature will be rejected.

When set to true, the parameter application.samlv2Configuration.defaultVerificationKeyId is required.

The XML signature canonicalization method used when digesting and signing the SAML response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The location to place the XML signature when signing a successful SAML response.

The possible values are:

• Assertion - The XML signature will be added as a child element of the Assertion.
• Response - The XML signature will be added as a child element of the Response.

In most cases the default configuration will be adequate. If you encounter a SAML v2 Service Provider that requires the signature to be a child of the Response, use this configuration to change the signature location. Prior to version 1.21.0, the XML signature was always located as a child element of the Assertion when the response was successful.

An array of OAuth Scope objects.

Note: An Essentials or Enterprise plan is required to utilize advanced OAuth scopes.

The default detail to display on the OAuth consent screen if one cannot be found in the theme.

The default message to display on the OAuth consent screen if one cannot be found in the theme.

A description of the OAuth Scope for internal use.

The Id of the OAuth Scope.

The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.

Determines if the OAuth Scope is required when requested in an OAuth workflow.

The unique Id of the theme to be used to style the login page and other end user templates.

Note: A paid plan is required to utilize application themes.

The Id of the Email Template that is used to send the Registration Verification emails to users. If the verifyRegistration field is true this field is required.

Whether or not registrations to this Application may be verified. When this is set to true the verificationEmailTemplateId parameter is also required.

Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.

Note: A license is required to utilize WebAuthn

Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows will be enabled based on the Tenant configuration. If true, WebAuthn workflows will be enabled according to the configuration of this application.

Note: A license is required to utilize WebAuthn

Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.

Note: A license is required to utilize WebAuthn

An array of Webhook Ids. For Webhooks that are not already configured for All Applications, specifying an Id on this request will indicate the associated Webhook should handle events for this application.

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The Id to use for the new Application. If not specified a secure random UUID will be generated.

The name of the Application.

The Id of an existing Application from which a copy will be made.

The oauthConfiguration.clientSecret and each role Id will be cleared so new values can be generated. All other values will be copied from the source Application.

The Id of the IP Access Control List limiting access to this application.

Whether or not the Application is active.

Whether or not Users can have Authentication Tokens associated with this Application.

An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.

This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.

True if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.

The Id of the CleanSpeak application that usernames are sent to for moderation.

True if CleanSpeak username moderation is enabled.

An object that can hold any information about the Application that should be persisted.

The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.

When enabled a user will be required to provide their current password when changing their password on a self-service account form.

The unique Id of the form to enable authenticated users to manage their profile on the account page.

The unique identifier for this Application.

The instant that the Application was added to the FusionAuth database.

The Id of the signing key used to sign the access token.

The algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.

• ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
• ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
• ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
• HS256 - HMAC using SHA-256
• HS384 - HMAC using SHA-384
• HS512 - HMAC using SHA-512
• RS256 - RSASSA-PKCS1-v1_5 using SHA-256
• RS384 - RSASSA-PKCS1-v1_5 using SHA-384
• RS512 - RSASSA-PKCS1-v1_5 using SHA-512

Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.

The Id of the signing key used to sign the Id token.

The private key used when an RSA signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.

The public key used when an RSA signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.

The Refresh Token expiration policy.

The possible values are:

• Fixed - the expiration is calculated from the time the token is issued.
• SlidingWindow - the expiration is calculated from the last time the token was used.
• SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0

The length of time specified in seconds that a one-time use token can be reused.

This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.

Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.

The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime.

The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.
• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.

The length of time in seconds the JWT will live before it is expired and no longer valid.

The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.

The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.

The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.

The unique Id of the lambda that will be used to perform additional validation on registration form steps.

The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.

The instant that the Application was last updated in the FusionAuth database.

The name of the Application.

Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.

Indicates if a Refresh Token should be issued from the Login API.

Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.

The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.

The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.

An array of URLs that are the authorized origins for this Application.

When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY will be added to each response to disallow iframe loading.

An array of URLs that are the authorized redirect URLs for this Application.

Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .

The possible values are:

• ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
• AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.

Determines the client authentication requirements for the OAuth 2.0 Token endpoint.

The possible values are:

• Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
• NotRequired - Providing client credentials is optional when using the Token endpoint.
• NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PCKE code_verifier has been provided in the request body using POST data.

The OAuth client Id of the Application.

The OAuth client secret.

Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty.

The possible values are:

• AlwaysPrompt - Always prompt the user for consent.
• RememberDecision - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.
• NeverPrompt - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a FirstParty application. This configuration is meant for testing purposes only and should not be used in production.

Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.

The device verification URL to be used with the Device Code grant type.

The enabled grants for this application.

Supported values include:

• authorization_code
• implicit
• password
• refresh_token
• urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0

Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.

Behavior when /oauth2/logout is called.

Valid values:

• RedirectOnly ** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
• AllApplications ** End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.

The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.

Determines the PKCE requirements when using the authorization code grant.

The possible values are:

• Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
• NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
• NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.

Whether the address OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the address OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the email OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the email OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the phone OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the phone OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the profile OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the profile OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

The application’s relationship to the OAuth server.

The possible values are:

• FirstParty - The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.
• ThirdParty - The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on application.oauthConfiguration.consentMode .

Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.

In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy .

Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.

Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.

The possible values are:

• Compatibility - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
• Strict - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.

Controls the policy for handling unknown scopes on an OAuth request.

The possible values are:

• Allow - Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.
• Remove - Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.
• Reject - Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.

Determines if passwordless login is enabled for this application.

Determines if the birthDate field will be included on the registration form.

Determines if the birthDate field is required when displayed on the registration form.

Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.

Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.

Determines if the firstName field will be included on the registration form.

Determines if the firstName field is required when displayed on the registration form.

The Id of an associated Form when using advanced registration configuration type.

Determines if the fullName field will be included on the registration form.

Determines if the fullName field is required when displayed on the registration form.

Determines if the lastName field will be included on the registration form.

Determines if the lastName field is required when displayed on the registration form.

The unique login Id that will be collected during registration, this value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.

• email
• username

Determines if the middleName field will be included on the registration form.

Determines if the middleName field is required when displayed on the registration form.

Determines if the mobilePhone field will be included on the registration form.

Determines if the mobilePhone field is required when displayed on the registration form.

Determines if the preferredLanguages field will be included on the registration form.

Determines if the preferredLanguages field is required when displayed on the registration form.

The type of registration flow.

Supported values include:

• basic - the basic self registration options available prior to version 1.18.0.
• advanced - advanced usage of custom forms, requires a paid plan.

Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.

The instant that this policy was enabled.

User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.

Please note that prior to version 1.48.0, when enabling this policy all unverified user registrations are eligible for deletion.

The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.

An array of Role objects.

A description of the role.

The Id of the Role.

The name of the Role.

Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.

Whether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.

The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:

• SHA1 - SHA-1 hashing algorithm
• SHA256 - SHA-256 hashing algorithm
• SHA384 - SHA-384 hashing algorithm
• SHA512 - SHA-512 hashing algorithm

Whether or SAML assertion encryption is enabled for this Application.

The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:

• AES128 - AES in CBC mode with a 128-bit key
• AES192 - AES in CBC mode with a 192-bit key
• AES256 - AES in CBC mode with a 256-bit key
• AES128GCM - AES using GCM with a 128-bit key
• AES192GCM - AES using GCM with a 192-bit key
• AES256GCM - AES using GCM with a 256-bit key
• TripleDES - Triple DES with a 192-bit key

The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData element containing the encrypted assertion value. The possible values are:

• Child - The EncryptedKey element will be wrapped in a KeyInfo element and added inside the EncryptedData
• Sibling - The EncryptedKey element will be added to the document as a sibling of EncryptedData

The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:

• RSAv15 - RSA version 1.5
• RSA_OAEP - RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
• RSA_OAEP_MGF1P - RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash

The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response.

The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:

• MGF1_SHA1 - MGF1 mask generation function with SHA-1 hash
• MGF1_SHA224 - MGF1 mask generation function with SHA-224 hash
• MGF1_SHA256 - MGF1 mask generation function with SHA-256 hash
• MGF1_SHA384 - MGF1 mask generation function with SHA-384 hash
• MGF1_SHA512 - MGF1 mask generation function with SHA-512 hash

This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP. RSAv15 does not require a message digest function, and RSA_OAEP_MGF1P will always use MGF1_SHA1 regardless of this value.

The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer and this configuration option lets you change the audience in the response.

One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL] element. If a requested URL is not in this list the request will be rejected by FusionAuth.

This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL] element, the first URL found in this list will be used to send the SAML response back to the Service Provider.

The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.

This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.

Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.

The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.

When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo] element is not found in the SAML AuthNRequest. If a [KeyInfo] element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.

Whether or not the SAML IdP for this Application is enabled or not.

Determines if SAML v2 IdP initiated login is enabled for this application.

The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.

The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.

The unique Id of the Key used to sign the SAML response.

Determines if support for a login hint sent by a SAML service provider is enabled for this application.

The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.

The possible values are:

• AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
• OnlyOriginator - no other session participants will be notified when a logout request is sent for this application

This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.

The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.

The unique Id of the Key used to sign the SAML Logout response.

When this value is true all Logout requests missing a signature will be rejected.

Whether or not SAML Single Logout for this SAML IdP is enabled.

The unique Id of the Key used to sign the SAML Single Logout response.

The URL at which you want to receive the LogoutRequest from FusionAuth.

The XML signature canonicalization method used when digesting and signing the Single Logout response.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The XML signature canonicalization method used when digesting and signing the Logout response.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The URL that the browser is taken to after the user logs out of the SAML service provider.

When this value is true all requests missing a signature will be rejected.

The XML signature canonicalization method used when digesting and signing the SAML response.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The location to place the XML signature when signing the SAML response.

The possible values are:

• Assertion - The XML signature will be added as a child element of the Assertion.
• Response - The XML signature will be added as a child element of the Response.

An array of OAuth Scope objects.

The default detail to display on the OAuth consent screen if one cannot be found in the theme.

The default message to display on the OAuth consent screen if one cannot be found in the theme.

A description of the OAuth Scope for internal use.

The Id of the OAuth Scope.

The instant that the OAuth Scope was added to the FusionAuth database.

The instant that the OAuth Scope was last updated in the FusionAuth database.

The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.

Determines if the OAuth Scope is required when requested in an OAuth workflow.

The current state of the application. The following are valid values:

• Active - The Application is active.
• Inactive - The Application is not active. An Application can not be modified or authenticated against when inactive.

The unique Id of the Tenant.

The unique Id of the theme to be used to style the login page and other end user templates.

The Id of the Email Template that is used to send the Registration Verification emails to users.

Whether or not registrations to this Application may be verified.

Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.

Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows are enabled based on the Tenant configuration. If true, WebAuthn workflows are enabled according to the configuration of this application.

Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Set this parameter to true in order to retrieve only inactive Applications. Setting this parameter to false is equivalent omitting the inactive parameter.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The Id of the Application to retrieve. This request will return the Application if it exists regardless if the Application is active or not.

The Id of the IP Access Control List limiting access to this application.

Whether or not the Application is active.

Whether or not Users can have Authentication Tokens associated with this Application.

An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.

This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.

True if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.

The Id of the CleanSpeak application that usernames are sent to for moderation.

True if CleanSpeak username moderation is enabled.

An object that can hold any information about the Application that should be persisted.

The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.

When enabled a user will be required to provide their current password when changing their password on a self-service account form.

The unique Id of the form to enable authenticated users to manage their profile on the account page.

The unique identifier for this Application.

The instant that the Application was added to the FusionAuth database.

The Id of the signing key used to sign the access token.

The algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.

• ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
• ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
• ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
• HS256 - HMAC using SHA-256
• HS384 - HMAC using SHA-384
• HS512 - HMAC using SHA-512
• RS256 - RSASSA-PKCS1-v1_5 using SHA-256
• RS384 - RSASSA-PKCS1-v1_5 using SHA-384
• RS512 - RSASSA-PKCS1-v1_5 using SHA-512

Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.

The Id of the signing key used to sign the Id token.

The private key used when an RSA signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.

The public key used when an RSA signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.

The Refresh Token expiration policy.

The possible values are:

• Fixed - the expiration is calculated from the time the token is issued.
• SlidingWindow - the expiration is calculated from the last time the token was used.
• SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0

The length of time specified in seconds that a one-time use token can be reused.

This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.

Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.

The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime.

The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.
• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.

The length of time in seconds the JWT will live before it is expired and no longer valid.

The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.

The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.

The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.

The unique Id of the lambda that will be used to perform additional validation on registration form steps.

The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.

The instant that the Application was last updated in the FusionAuth database.

The name of the Application.

Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.

Indicates if a Refresh Token should be issued from the Login API.

Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.

The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.

The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.

An array of URLs that are the authorized origins for this Application.

When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY will be added to each response to disallow iframe loading.

An array of URLs that are the authorized redirect URLs for this Application.

Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .

The possible values are:

• ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
• AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.

Determines the client authentication requirements for the OAuth 2.0 Token endpoint.

The possible values are:

• Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
• NotRequired - Providing client credentials is optional when using the Token endpoint.
• NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PCKE code_verifier has been provided in the request body using POST data.

The OAuth client Id of the Application.

The OAuth client secret.

Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty.

The possible values are:

• AlwaysPrompt - Always prompt the user for consent.
• RememberDecision - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.
• NeverPrompt - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a FirstParty application. This configuration is meant for testing purposes only and should not be used in production.

Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.

The device verification URL to be used with the Device Code grant type.

The enabled grants for this application.

Supported values include:

• authorization_code
• implicit
• password
• refresh_token
• urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0

Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.

Behavior when /oauth2/logout is called.

Valid values:

• RedirectOnly ** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
• AllApplications ** End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.

The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.

Determines the PKCE requirements when using the authorization code grant.

The possible values are:

• Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
• NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
• NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.

Whether the address OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the address OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the email OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the email OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the phone OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the phone OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the profile OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the profile OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

The application’s relationship to the OAuth server.

The possible values are:

• FirstParty - The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.
• ThirdParty - The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on application.oauthConfiguration.consentMode .

Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.

In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy .

Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.

Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.

The possible values are:

• Compatibility - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
• Strict - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.

Controls the policy for handling unknown scopes on an OAuth request.

The possible values are:

• Allow - Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.
• Remove - Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.
• Reject - Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.

Determines if passwordless login is enabled for this application.

Determines if the birthDate field will be included on the registration form.

Determines if the birthDate field is required when displayed on the registration form.

Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.

Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.

Determines if the firstName field will be included on the registration form.

Determines if the firstName field is required when displayed on the registration form.

The Id of an associated Form when using advanced registration configuration type.

Determines if the fullName field will be included on the registration form.

Determines if the fullName field is required when displayed on the registration form.

Determines if the lastName field will be included on the registration form.

Determines if the lastName field is required when displayed on the registration form.

The unique login Id that will be collected during registration, this value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.

• email
• username

Determines if the middleName field will be included on the registration form.

Determines if the middleName field is required when displayed on the registration form.

Determines if the mobilePhone field will be included on the registration form.

Determines if the mobilePhone field is required when displayed on the registration form.

Determines if the preferredLanguages field will be included on the registration form.

Determines if the preferredLanguages field is required when displayed on the registration form.

The type of registration flow.

Supported values include:

• basic - the basic self registration options available prior to version 1.18.0.
• advanced - advanced usage of custom forms, requires a paid plan.

Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.

The instant that this policy was enabled.

User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.

Please note that prior to version 1.48.0, when enabling this policy all unverified user registrations are eligible for deletion.

The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.

An array of Role objects.

A description of the role.

The Id of the Role.

The name of the Role.

Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.

Whether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.

The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:

• SHA1 - SHA-1 hashing algorithm
• SHA256 - SHA-256 hashing algorithm
• SHA384 - SHA-384 hashing algorithm
• SHA512 - SHA-512 hashing algorithm

Whether or SAML assertion encryption is enabled for this Application.

The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:

• AES128 - AES in CBC mode with a 128-bit key
• AES192 - AES in CBC mode with a 192-bit key
• AES256 - AES in CBC mode with a 256-bit key
• AES128GCM - AES using GCM with a 128-bit key
• AES192GCM - AES using GCM with a 192-bit key
• AES256GCM - AES using GCM with a 256-bit key
• TripleDES - Triple DES with a 192-bit key

The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData element containing the encrypted assertion value. The possible values are:

• Child - The EncryptedKey element will be wrapped in a KeyInfo element and added inside the EncryptedData
• Sibling - The EncryptedKey element will be added to the document as a sibling of EncryptedData

The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:

• RSAv15 - RSA version 1.5
• RSA_OAEP - RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
• RSA_OAEP_MGF1P - RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash

The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response.

The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:

• MGF1_SHA1 - MGF1 mask generation function with SHA-1 hash
• MGF1_SHA224 - MGF1 mask generation function with SHA-224 hash
• MGF1_SHA256 - MGF1 mask generation function with SHA-256 hash
• MGF1_SHA384 - MGF1 mask generation function with SHA-384 hash
• MGF1_SHA512 - MGF1 mask generation function with SHA-512 hash

This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP. RSAv15 does not require a message digest function, and RSA_OAEP_MGF1P will always use MGF1_SHA1 regardless of this value.

The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer and this configuration option lets you change the audience in the response.

One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL] element. If a requested URL is not in this list the request will be rejected by FusionAuth.

This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL] element, the first URL found in this list will be used to send the SAML response back to the Service Provider.

The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.

This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.

Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.

The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.

When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo] element is not found in the SAML AuthNRequest. If a [KeyInfo] element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.

Whether or not the SAML IdP for this Application is enabled or not.

Determines if SAML v2 IdP initiated login is enabled for this application.

The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.

The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.

The unique Id of the Key used to sign the SAML response.

Determines if support for a login hint sent by a SAML service provider is enabled for this application.

The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.

The possible values are:

• AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
• OnlyOriginator - no other session participants will be notified when a logout request is sent for this application

This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.

The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.

The unique Id of the Key used to sign the SAML Logout response.

When this value is true all Logout requests missing a signature will be rejected.

Whether or not SAML Single Logout for this SAML IdP is enabled.

The unique Id of the Key used to sign the SAML Single Logout response.

The URL at which you want to receive the LogoutRequest from FusionAuth.

The XML signature canonicalization method used when digesting and signing the Single Logout response.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The XML signature canonicalization method used when digesting and signing the Logout response.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The URL that the browser is taken to after the user logs out of the SAML service provider.

When this value is true all requests missing a signature will be rejected.

The XML signature canonicalization method used when digesting and signing the SAML response.

The possible values are:

• exclusive: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
• exclusive_with_comments: The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
• inclusive: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
• inclusive_with_comments: The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

The location to place the XML signature when signing the SAML response.

The possible values are:

• Assertion - The XML signature will be added as a child element of the Assertion.
• Response - The XML signature will be added as a child element of the Response.

An array of OAuth Scope objects.

The default detail to display on the OAuth consent screen if one cannot be found in the theme.

The default message to display on the OAuth consent screen if one cannot be found in the theme.

A description of the OAuth Scope for internal use.

The Id of the OAuth Scope.

The instant that the OAuth Scope was added to the FusionAuth database.

The instant that the OAuth Scope was last updated in the FusionAuth database.

The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.

Determines if the OAuth Scope is required when requested in an OAuth workflow.

The current state of the application. The following are valid values:

• Active - The Application is active.
• Inactive - The Application is not active. An Application can not be modified or authenticated against when inactive.

The unique Id of the Tenant.

The unique Id of the theme to be used to style the login page and other end user templates.

The Id of the Email Template that is used to send the Registration Verification emails to users.

Whether or not registrations to this Application may be verified.

Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.

Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows are enabled based on the Tenant configuration. If true, WebAuthn workflows are enabled according to the configuration of this application.

Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.

The list of Application objects.

The Id of the IP Access Control List limiting access to this application.

Whether or not the Application is active.

Whether or not Users can have Authentication Tokens associated with this Application.

An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.

This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.

True if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.

The Id of the CleanSpeak application that usernames are sent to for moderation.

True if CleanSpeak username moderation is enabled.

An object that can hold any information about the Application that should be persisted.

The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.

The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.

When enabled a user will be required to provide their current password when changing their password on a self-service account form.

The unique Id of the form to enable authenticated users to manage their profile on the account page.

The unique identifier for this Application.

The instant that the Application was added to the FusionAuth database.

The Id of the signing key used to sign the access token.

The algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.

• ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
• ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
• ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
• HS256 - HMAC using SHA-256
• HS384 - HMAC using SHA-384
• HS512 - HMAC using SHA-512
• RS256 - RSASSA-PKCS1-v1_5 using SHA-256
• RS384 - RSASSA-PKCS1-v1_5 using SHA-384
• RS512 - RSASSA-PKCS1-v1_5 using SHA-512

Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.

The Id of the signing key used to sign the Id token.

The private key used when an RSA signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.

The public key used when an RSA signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.

The Refresh Token expiration policy.

The possible values are:

• Fixed - the expiration is calculated from the time the token is issued.
• SlidingWindow - the expiration is calculated from the last time the token was used.
• SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0

The length of time specified in seconds that a one-time use token can be reused.

This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.

Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.

The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime.

The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.

The refresh token usage policy. The following are valid values:

• Reusable - the token does not change after it was issued.
• OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.

The length of time in seconds the JWT will live before it is expired and no longer valid.

The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.

The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.

The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.

The unique Id of the lambda that will be used to perform additional validation on registration form steps.

The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.

The instant that the Application was last updated in the FusionAuth database.

The name of the Application.

Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.

Indicates if a Refresh Token should be issued from the Login API.

Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.

The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.

The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.

An array of URLs that are the authorized origins for this Application.

When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY will be added to each response to disallow iframe loading.

An array of URLs that are the authorized redirect URLs for this Application.

Controls the validation policy for applications[x].oauthConfiguration.authorizedOriginURLs and applications[x].oauthConfiguration.authorizedRedirectURLs .

The possible values are:

• ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
• AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.

Determines the client authentication requirements for the OAuth 2.0 Token endpoint.

The possible values are:

• Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
• NotRequired - Providing client credentials is optional when using the Token endpoint.
• NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PCKE code_verifier has been provided in the request body using POST data.

The OAuth client Id of the Application.

The OAuth client secret.

Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when applications[x].oauthConfiguration.relationship is ThirdParty.

The possible values are:

• AlwaysPrompt - Always prompt the user for consent.
• RememberDecision - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.
• NeverPrompt - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a FirstParty application. This configuration is meant for testing purposes only and should not be used in production.

Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.

The device verification URL to be used with the Device Code grant type.

The enabled grants for this application.

Supported values include:

• authorization_code
• implicit
• password
• refresh_token
• urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0

Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.

Behavior when /oauth2/logout is called.

Valid values:

• RedirectOnly ** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
• AllApplications ** End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.

The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.

Determines the PKCE requirements when using the authorization code grant.

The possible values are:

• Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
• NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
• NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.

Whether the address OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the address OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the email OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the email OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the phone OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the phone OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

Whether the profile OAuth scope provided by FusionAuth is enabled for this application.

Whether consent to the profile OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.

The application’s relationship to the OAuth server.

The possible values are:

• FirstParty - The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.
• ThirdParty - The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on applications[x].oauthConfiguration.consentMode .

Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.

In version 1.28.0 and beyond, client authentication can be managed via applications[x].oauthConfiguration.clientAuthenticationPolicy .

Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.

Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.

The possible values are:

• Compatibility - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
• Strict - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.

Controls the policy for handling unknown scopes on an OAuth request.

The possible values are:

• Allow - Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.
• Remove - Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.
• Reject - Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.

Determines if passwordless login is enabled for this application.

Determines if the birthDate field will be included on the registration form.

Determines if the birthDate field is required when displayed on the registration form.

Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.

Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.

Determines if the firstName field will be included on the registration form.

Determines if the firstName field is required when displayed on the registration form.

The Id of an associated Form when using advanced registration configuration type.

Determines if the fullName field will be included on the registration form.

Determines if the fullName field is required when displayed on the registration form.

Determines if the lastName field will be included on the registration form.

Determines if the lastName field is required when displayed on the registration form.

The unique login Id that will be collected during registration, this value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.

• email
• username

Determines if the middleName field will be included on the registration form.

Determines if the middleName field is required when displayed on the registration form.

Determines if the mobilePhone field will be included on the registration form.

Determines if the mobilePhone field is required when displayed on the registration form.

Determines if the preferredLanguages field will be included on the registration form.

Determines if the preferredLanguages field is required when displayed on the registration form.

The type of registration flow.

Supported values include:

• basic - the basic self registration options available prior to version 1.18.0.
• advanced - advanced usage of custom forms, requires a paid plan.

Indicates that users without a verified registration for this application will have their registration permanently deleted after applications[x].registrationDeletePolicy.unverified.numberOfDaysToRetain days.

The instant that this policy was enabled.

User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.

Please note that prior to version 1.48.0, when enabling this policy all unverified user registrations are eligible for deletion.

The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.

An array of Role objects.

A description of the role.