Tenants API
A FusionAuth Tenant is a named object that represents a discrete namespace for Users, Applications and Groups. A user is unique by email address or username within a tenant.
Tenants may be useful to support a multi-tenant application where you wish to use a single instance of FusionAuth but require the ability to have duplicate users across the tenants in your own application. In this scenario a user may exist multiple times with the same email address and different passwords across tenants.
Tenants may also be useful in a test or staging environment to allow multiple users to call APIs and create and modify users without possibility of collision.
The following APIs are provided to manage Tenants.
The following APIs provide a subset of the Tenant configuration without an API Key.
Create a Tenant
This API is used to create a new Tenant.
Request
Request Parameters
tenantId (UUID, optional, Defaults to secure random UUID, Immutable): The Id to use for the new Tenant. If not specified a secure random UUID will be generated.
Request Body
tenant.accessControlConfiguration.uiIPAccessControlListId (UUID, optional, Available since 1.30.0): The Id of the IP Access Control List limiting access to all applications in this tenant.
Note: To use IP ACLs, you'll need an Enterprise plan.
tenant.baseURL (String, optional, Available since 1.68.0): The default base URL used when rendering links in templates for this Tenant. This value is used when application.baseURL is not defined.
tenant.captchaConfiguration.captchaMethod (String, optional, Available since 1.30.0): The type of CAPTCHA method to use. This field is required when tenant.captchaConfiguration.enabled is set to true. The possible values are:
  GoogleRecaptchaV2 - use Google reCAPTCHA v2
  GoogleRecaptchaV3 - use Google reCAPTCHA v3
  HCaptcha - use HCaptcha
  HCaptchaEnterprise - use HCaptcha Enterprise - v25
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.captchaConfiguration.enabled (Boolean, optional, Defaults to false, Available since 1.30.0): Whether CAPTCHA configuration is enabled.
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.captchaConfiguration.secretKey (String, optional, Available since 1.30.0): The secret key for this CAPTCHA method. This field is required when tenant.captchaConfiguration.enabled is set to true.
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.captchaConfiguration.siteKey (String, optional, Available since 1.30.0): The site key for this CAPTCHA method. This field is required when tenant.captchaConfiguration.enabled is set to true.
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.captchaConfiguration.threshold (Float, optional, Available since 1.30.0): The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.
The value must be between 0.0 and 1.0. Values outside of that range will result in an error.
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.clientRiskConfiguration.enabled (Boolean, optional, Defaults to false, Available since 1.68.0): Whether or not FusionAuth should use custom signal configuration when calculating client risk. The score is available to MFA policies and to the MFA requirement lambda. Disabled signals are excluded from all risk calculations. Disabling all signals sets the risk score to HIGH.
tenant.clientRiskConfiguration.blocklistedIp (Boolean, optional, Defaults to true, Available since 1.68.0): Checks whether the client's IP address appears on a blocklist.
tenant.clientRiskConfiguration.botDetected (Boolean, optional, Defaults to true, Available since 1.68.0): Detects bot interactions with the browser window.
tenant.clientRiskConfiguration.dormantAccount (Boolean, optional, Defaults to true, Available since 1.68.0): Checks if the user has not logged in for a long period of time.
tenant.clientRiskConfiguration.dormantPassword (Boolean, optional, Defaults to true, Available since 1.68.0): Checks if the user's password has not been changed for a long period of time.
tenant.clientRiskConfiguration.impossibleTravel (Boolean, optional, Defaults to true, Available since 1.68.0): Tracks geographic locations for login attempts. Flags a login as high risk if it occurs sooner than it would take to physically travel from the previous location to the current location.
tenant.clientRiskConfiguration.recentIdentityChange (Boolean, optional, Defaults to true, Available since 1.68.0): Checks if the user's login ID has been changed recently.
tenant.clientRiskConfiguration.recentPasswordChange (Boolean, optional, Defaults to true, Available since 1.68.0): Checks if the user's password has been changed recently.
tenant.clientRiskConfiguration.suspiciousUserAgent (Boolean, optional, Defaults to true, Available since 1.68.0): Checks whether the client's user agent has been flagged as suspicious.
tenant.clientRiskConfiguration.unrecognizedDevice (Boolean, optional, Defaults to true, Available since 1.68.0): Checks whether the request originates from an unrecognized device.
tenant.clientRiskConfiguration.untrustedDevice (Boolean, optional, Defaults to true, Available since 1.68.0): Checks if the request originates from a device that is not in the user's trusted device list.
tenant.connectorPolicies (Array, optional, Available since 1.18.0): A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.
tenant.connectorPolicies[x].connectorId (UUID, optional, Available since 1.18.0): The identifier of the Connector to which this policy refers.
tenant.connectorPolicies[x].domains (Array<String>, optional, Available since 1.18.0): A list of email domains to which this connector should apply.
A value of ["*"] indicates this connector applies to all users.
tenant.connectorPolicies[x].migrate (Boolean, optional, Defaults to false, Available since 1.18.0): If true, the user's data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector's source will be treated as authoritative.
Prior to version 1.28.0 this value was required.
tenant.data (Object, optional): An object that can hold any information about the Tenant that should be persisted.
tenant.emailConfiguration.additionalHeaders (Array<Object>, optional, Available since 1.32.0): The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenant.emailConfiguration.debug (Boolean, optional, Defaults to false, Available since 1.37.0): Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenant.emailConfiguration.defaultFromEmail (String, optional, Available since 1.16.0): The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.defaultFromName (String, optional, Available since 1.16.0): The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.emailUpdateEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when their email address is updated.
tenant.emailConfiguration.emailVerifiedEmailTemplateId (UUID, optional, Available since 1.19.0): The Id of the Email Template used to notify a user that their email address has been verified.
tenant.emailConfiguration.forgotPasswordEmailTemplateId (UUID, optional, Available since 1.19.0): The Id of the Email Template that is used when a user is sent a forgot password email.
tenant.emailConfiguration.host (String, optional, Defaults to localhost, Available since 1.8.0): The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.implicitEmailVerificationAllowed (optional, Defaults to true, Available since 1.32.0): When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenant.emailConfiguration.loginIdInUseOnCreateEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
tenant.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenant.emailConfiguration.loginNewDeviceEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when they log in on a new device.
tenant.emailConfiguration.loginSuspiciousEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when a suspicious login occurs.
tenant.emailConfiguration.password (String, optional, Available since 1.8.0): An optional password FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.passwordlessEmailTemplateId (UUID, optional, Available since 1.19.0): The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenant.emailConfiguration.passwordResetSuccessEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
tenant.emailConfiguration.passwordUpdateEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when their password has been updated.
tenant.emailConfiguration.port (Integer, optional, Defaults to 25, Available since 1.8.0): The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.properties (String, optional, Available since 1.8.0): Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
  mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
  mail.smtp.timeout has a default value of 2000.
  mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
  mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenant.emailConfiguration.security (String, optional, Defaults to NONE, Available since 1.8.0): The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
  NONE - no security will be used. All communications will be sent plaintext.
  SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
  TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenant.emailConfiguration.setPasswordEmailTemplateId (UUID, optional, Available since 1.19.0): The Id of the Email Template that is used when a user has had their account created for them, must set their password manually, and is sent an email to set their password.
tenant.emailConfiguration.twoFactorMethodAddEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when an MFA method has been added to their account.
tenant.emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateId (UUID, optional, Available since 1.68.0): The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenant.emailConfiguration.twoFactorMethodRemoveEmailTemplateId (UUID, optional, Available since 1.30.0): The Id of the Email Template used to send emails to users when an MFA method has been removed from their account.
tenant.emailConfiguration.unverified.allowEmailChangeWhenGated (Boolean, optional, Defaults to false, Available since 1.27.0): When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenant.emailConfiguration.unverified.behavior (String, optional, Defaults to Allow, Available since 1.27.0): The desired behavior during login for a user that does not have a verified email. The possible values are:
  Allow - the user will be allowed to complete login.
  Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.emailConfiguration.username (String, optional, Available since 1.8.0): An optional username FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.verificationEmailTemplateId (UUID, optional): The Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenant.emailConfiguration.verificationStrategy (String, optional, Available since 1.27.0): The process by which the user will verify their email address. The possible values are:
  ClickableLink - send the user a code with a clickable link.
  FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.emailConfiguration.unverified.behavior has the Gated value.
tenant.emailConfiguration.verifyEmail (Boolean, optional, Defaults to false): Whether the user's email addresses are verified when the user registers with your application.
tenant.emailConfiguration.verifyEmailWhenChanged (Boolean, optional, Defaults to false): Whether the user's email addresses are verified when the user changes them.
tenant.eventConfiguration.events (Object, optional, Available since 1.8.0): A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
  audit-log.create - When an audit log is created. Available since 1.30.0
  event-log.create - When an event log is created. Available since 1.30.0
  jwt.public-key.update - When a JWT signing Public / Private keypair may have been changed
  jwt.refresh - When an access token is refreshed using a refresh token. Available since 1.16.0
  jwt.refresh-token.revoke - When a JWT Refresh Token is revoked
  kickstart.success - When kickstart has successfully completed. Available since 1.30.0
  user.action - When a user action is triggered
  user.bulk.create - When multiple users are created in bulk (i.e. during an import)
  user.create - When a user is created
  user.create.complete - When a user create transaction has completed. Available since 1.30.0
  user.deactivate - When a user is deactivated
  user.delete - When a user is deleted
  user.delete.complete - When a user delete transaction has completed. Available since 1.30.0
  user.email.update - When a user updates their email address. Available since 1.30.0
  user.email.verified - When a user verifies their email address. Available since 1.8.0
  user.identity-provider.link - When a link is created from a user to an Identity Provider. Available since 1.36.0
  user.identity-provider.unlink - When an existing Identity Provider link is removed from a User. Available since 1.36.0
  user.identity.verified - When a user's identity is verified. Available since 1.59.0
  user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received. Available since 1.30.0. Note: requires an Enterprise plan.
  user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received. Available since 1.30.0. Note: requires an Enterprise plan.
  user.login.failed - When a user fails a login request. Available since 1.6.0
  user.login.new-device - When a user begins a login request with a new device. Available since 1.30.0. Note: requires an Enterprise plan.
  user.login.success - When a user completes a login request. Available since 1.6.0
  user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license). Available since 1.30.0. Note: requires an Enterprise plan.
  user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license). Available since 1.15.0. Note: requires a paid plan.
  user.password.reset.send - When a forgot password email has been sent to a user. Available since 1.30.0. Note: requires an Enterprise plan.
  user.password.reset.start - When the process to reset a user password has started. Available since 1.30.0. Note: requires an Enterprise plan.
  user.password.reset.success - When a user has successfully reset their password. Available since 1.30.0. Note: requires an Enterprise plan.
  user.password.update - When a user has updated their password. Available since 1.30.0. Note: requires an Enterprise plan.
  user.reactivate - When a user is reactivated
  user.registration.create - When a user registration is created. Available since 1.6.0
  user.registration.create.complete - When a user registration create transaction has completed. Available since 1.30.0
  user.registration.delete - When a user registration is deleted. Available since 1.6.0
  user.registration.delete.complete - When a user registration delete transaction has completed. Available since 1.30.0
  user.registration.update - When a user registration is updated. Available since 1.6.0
  user.registration.update.complete - When a user registration update transaction has completed. Available since 1.30.0
  user.registration.verified - When a user completes registration verification. Available since 1.8.0
  user.two-factor.challenge - When a user is presented a two-factor challenge. Available since 1.68.0. Note: requires an Enterprise plan.
  user.two-factor.failed-attempt - When a user submits an incorrect answer to a two-factor challenge. Available since 1.68.0. Note: requires an Enterprise plan.
  user.two-factor.method.add - When a user has added a two-factor method. Available since 1.30.0. Note: requires an Enterprise plan.
  user.two-factor.method.remove - When a user has removed a two-factor method. Available since 1.30.0. Note: requires an Enterprise plan.
  user.two-factor.success - When a user submits a correct answer to a two-factor challenge. Available since 1.68.0. Note: requires an Enterprise plan.
  user.update - When a user is updated
  user.update.complete - When a user update transaction has completed. Available since 1.30.0
tenant.eventConfiguration.events[type].enabled (Boolean, optional, Defaults to false, Available since 1.8.0): Whether or not FusionAuth should send these types of events to any configured Webhooks.
tenant.eventConfiguration.events[type].transactionType (String, optional, Defaults to None, Available since 1.8.0): The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
  None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.
  Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.
  SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
  SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
  AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.
Prior to version 1.36.0, this value did not have a default. This meant that at runtime, when the transaction type was calculated, it would be assumed to be AbsoluteMajority even though this value was not set in the domain.
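The commit rules above matter when a Webhook is used as a control (for example, a fraud check on user.create): with None, a failing Webhook does not stop the transaction. The following is an added example, not FusionAuth code; the function names are hypothetical, and treating "no Webhooks configured" as a commit is an assumption.

```python
# Added example: models the webhook transaction types described on this page.
from typing import Optional, Sequence, Tuple

TRANSACTION_TYPES = ("None", "Any", "SimpleMajority", "SuperMajority", "AbsoluteMajority")


def _version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.35.2' into (1, 35, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def effective_transaction_type(configured: Optional[str], fusionauth_version: str) -> str:
    """Resolve the transaction type that applies when the field may be omitted."""
    if configured is not None:
        if configured not in TRANSACTION_TYPES:
            raise ValueError(f"unknown transactionType: {configured!r}")
        return configured
    # Per the page: before 1.36.0 there was no default, and an unset value
    # was treated as AbsoluteMajority at runtime. From 1.36.0 it defaults to None.
    if _version_tuple(fusionauth_version) < (1, 36, 0):
        return "AbsoluteMajority"
    return "None"


def transaction_commits(transaction_type: str, webhook_succeeded: Sequence[bool]) -> bool:
    """Return True if the transaction is committed given each Webhook's outcome."""
    if transaction_type not in TRANSACTION_TYPES:
        raise ValueError(f"unknown transactionType: {transaction_type!r}")
    total = len(webhook_succeeded)
    ok = sum(1 for succeeded in webhook_succeeded if succeeded)
    if transaction_type == "None" or total == 0:
        # Assumption: with no Webhooks configured there is nothing to wait for.
        return True
    if transaction_type == "Any":
        return ok >= 1
    if transaction_type == "SimpleMajority":
        return ok * 2 >= total          # 50% or more, integer arithmetic
    if transaction_type == "SuperMajority":
        return ok * 3 >= total * 2      # 2/3 or more, integer arithmetic
    return ok == total                  # AbsoluteMajority: every Webhook


if __name__ == "__main__":
    outcomes = [True, False, False]     # constructed: one of three Webhooks succeeded
    for name in TRANSACTION_TYPES:
        print(f"{name:17} commits={transaction_commits(name, outcomes)}")
```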
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds (Integer, optional, Defaults to 30, Available since 1.8.0): The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
Value must be greater than 0 and less than or equal to 600.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length (Integer, optional, Defaults to 32, Available since 1.8.0): The length of the secure generator used for generating the change password Id.
If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type (String, optional, Defaults to randomBytes, Available since 1.8.0): The type of the secure generator used for generating the change password Id. Possible values are:
  randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds (Integer, optional, Defaults to 600, Available since 1.8.0): The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds (Integer, optional, Defaults to 300, Available since 1.11.0): The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.length (Integer, optional, Defaults to 6, Available since 1.11.0): The length of the secure generator used for generating the device code Id.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.type (String, optional, Defaults to randomAlphaNumeric, Available since 1.11.0): The type of the secure generator used for generating the device code Id. Possible values are:
  randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length (Integer, optional, Defaults to 32, Available since 1.8.0): The length of the secure generator used for generating the email verification Id.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type (String, optional, Defaults to randomBytes, Available since 1.8.0): The type of the secure generator used for generating the email verification Id. Possible values are:
  randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds (Integer, optional, Available since 1.8.0): The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.length (Integer, optional, Defaults to 6, Available since 1.27.0): The length of the secure generator used for generating the email verification one time code.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.type (String, optional, Defaults to randomAlphaNumeric, Available since 1.27.0): The type of the secure generator used for generating the email verification one time code. Possible values are:
  randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds (Integer, optional, Defaults to 300, Available since 1.12.0): The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.identityProviderConnectionTestTimeToLiveInSeconds (Integer, optional, Defaults to 1800, Available since 1.65.0): The time in seconds until an identity provider connection test Id is no longer valid and cannot be used by the Identity Provider Test API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.loginIntentTimeToLiveInSeconds (Integer, optional, Defaults to 1800, Available since 1.53.0): The time in seconds until a Login Timeout identifier is no longer valid to complete post-authentication steps in the OAuth workflow. Must be greater than 0.
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds (Integer, optional, Defaults to 60, Available since 1.8.0): The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length (Integer, optional, Defaults to 32, Available since 1.8.0): The length of the secure generator used for generating the passwordless login.
If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type (String, optional, Defaults to randomBytes, Available since 1.8.0): The type of the secure generator used for generating the passwordless login. Possible values are:
  randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.length (Integer, optional, Defaults to 32, Available since 1.59.0): The length of the secure generator used for generating the passwordless one-time code login.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.type (String, optional, Defaults to randomBytes, Available since 1.59.0): The type of the secure generator used for generating the passwordless one-time code login. Possible values are:
  randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds (Integer, optional, Defaults to 180, Available since 1.8.0): The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.pendingAccountLinkTimeToLiveInSeconds (Integer, optional, Defaults to 3600, Available since 1.28.0): The number of seconds before the pending account link identifier is no longer valid to complete an account link request. Value must be greater than 0.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.length (Integer, optional, Defaults to 32, Available since 1.59.0): The length of the secure generator used for generating the phone verification Id.
If the phoneVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the phoneVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.type (String, optional, Defaults to randomBytes, Available since 1.59.0): The type of the secure generator used for generating the phone verification Id. Possible values are:
  randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.phoneVerificationIdTimeToLiveInSeconds (Integer, optional, Defaults to 86400, Available since 1.59.0): The time in seconds until a phone verification Id is no longer valid and cannot be used by the Verify Phone API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.length (Integer, optional, Defaults to 6, Available since 1.59.0): The length of the secure generator used for generating the phone verification one time code.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.typeStringoptionalDefaults to randomAlphaNumericAvailable since 1.59.0The type of the secure generator used for generating the phone verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.lengthIntegeroptionalDefaults to 32Available since 1.8.0The length of the secure generator used for generating the registration verification Id.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.8.0The type of the secure generator used for generating the registration verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.lengthIntegeroptionalDefaults to 6Available since 1.27.0The length of the secure generator used for generating the registration verification one time code.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.typeStringoptionalDefaults to randomAlphaNumericAvailable since 1.27.0The type of the secure generator used for generating the registration verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSecondsIntegeroptionalDefaults to 2592000Available since 1.50.0The time in seconds until remembered OAuth scope consent choices are no longer valid, and the User will be prompted to consent to requested OAuth scopes even if they have not changed. Applies only when application.oauthConfiguration.consentMode is set to RememberDecision. Value must be greater than 0.
Note: To use advanced OAuth scopes, you'll need an Essentials or Enterprise plan.
tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSecondsIntegeroptionalDefaults to 300Available since 1.19.0The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.lengthIntegeroptionalDefaults to 32Available since 1.8.0The length of the secure generator used for generating the setup password Id.
If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.8.0The type of the secure generator used for generating the setup password Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.trustTokenTimeToLiveInSecondsIntegeroptionalDefaults to 180Available since 1.33.0The number of seconds before the Trust Token is no longer valid to complete a request that requires trust. Value must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSecondsIntegeroptionalDefaults to 300Available since 1.8.0The time in seconds until a two-factor Id is no longer valid and cannot be used by the Two-Factor Login API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.lengthIntegeroptionalDefaults to 6Available since 1.27.0The length of the secure generator used for generating the two-factor code Id.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.typeStringoptionalDefaults to randomDigitsAvailable since 1.27.0The type of the secure generator used for generating the two-factor one time code Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdTimeToLiveInSecondsIntegeroptionalDefaults to 60Available since 1.26.0The number of seconds before the Two-Factor One Time Code used to enable or disable a two-factor method is no longer valid. Must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The time in seconds until an issued Two-Factor trust Id is no longer valid and the User will be required to complete Two-Factor authentication during the next authentication attempt. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.webAuthnAuthenticationChallengeTimeToLiveInSecondsIntegeroptionalDefaults to 180Available since 1.41.0The time in seconds until a WebAuthn authentication challenge is no longer valid and the User will be required to restart the WebAuthn authentication ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.get API call. Value must be greater than 0.
Note: To use WebAuthn, you'll need a license.
tenant.externalIdentifierConfiguration.webAuthnRegistrationChallengeTimeToLiveInSecondsIntegeroptionalDefaults to 180Available since 1.41.0The time in seconds until a WebAuthn registration challenge is no longer valid and the User will be required to restart the WebAuthn registration ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.create API call. Value must be greater than 0.
Note: To use WebAuthn, you'll need a license.
tenant.failedAuthenticationConfiguration.actionCancelPolicy.onPasswordResetBooleanoptionalDefaults to falseAvailable since 1.42.0Indicates whether you want the user to be able to self-service unlock their account prior to the action duration by completing a password reset workflow.
tenant.failedAuthenticationConfiguration.actionDurationLongoptionalDefaults to 3Available since 1.8.0The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.actionDurationUnitStringoptionalAvailable since 1.8.0The unit of time associated with a duration. The possible values are:
MINUTES
HOURS
DAYS
WEEKS
MONTHS
YEARS
tenant.failedAuthenticationConfiguration.emailUserStringoptionalDefaults to falseAvailable since 1.42.0Indicates you would like to email the user when the user's account is locked due to this action being taken. This requires the User Action specified by the tenant.failedAuthenticationConfiguration.userActionId to also be configured for email. If the User Action is not configured to be able to email the user, this configuration will be ignored. See userEmailingEnabled on the User Action.
The email template configuration will be in the User Action.
tenant.failedAuthenticationConfiguration.resetCountInSecondsIntegeroptionalDefaults to 60Available since 1.8.0The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.
tenant.failedAuthenticationConfiguration.tooManyAttemptsIntegeroptionalDefaults to 5Available since 1.8.0The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.userActionIdUUIDoptionalAvailable since 1.8.0The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
tenant.familyConfiguration.allowChildRegistrationsBooleanoptionalDefaults to trueAvailable since 1.8.0Whether to allow child registrations.
tenant.familyConfiguration.confirmChildEmailTemplateIdUUIDoptionalAvailable since 1.8.0The unique Id of the email template to use when confirming a child.
tenant.familyConfiguration.deleteOrphanedAccountsBooleanoptionalDefaults to falseAvailable since 1.8.0Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.
tenant.familyConfiguration.deleteOrphanedAccountsDaysIntegeroptionalDefaults to 30Available since 1.8.0The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.
tenant.familyConfiguration.enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Whether family configuration is enabled.
tenant.familyConfiguration.familyRequestEmailTemplateIdUUIDoptionalAvailable since 1.8.0The unique Id of the email template to use when a family request is made.
tenant.familyConfiguration.maximumChildAgeIntegeroptionalDefaults to 12Available since 1.8.0The maximum age of a child. Value must be greater than 0.
tenant.familyConfiguration.minimumOwnerAgeIntegeroptionalDefaults to 21Available since 1.8.0The minimum age to be an owner. Value must be greater than 0.
tenant.familyConfiguration.parentEmailRequiredBooleanoptionalDefaults to falseAvailable since 1.8.0Whether a parent email is required.
tenant.familyConfiguration.parentRegistrationEmailTemplateIdUUIDoptionalAvailable since 1.8.0The unique Id of the email template to use for parent registration.
tenant.formConfiguration.adminUserFormIdUUIDoptionalAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.
When this parameter is not provided, it will default to the form Id currently assigned to the Default tenant.
Note: To use custom forms, you'll need a paid plan.
tenant.httpSessionMaxInactiveIntervalIntegeroptionalDefaults to 3600Available since 1.8.0Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.
tenant.issuerStringoptionalDefaults to acme.comAvailable since 1.8.0The named issuer used to sign tokens. This is generally your public fully qualified domain with the https:// protocol prefix. For example, https://example.com.
Prior to version 1.30.0 this value was required.
tenant.jwtConfiguration.accessTokenKeyIdUUIDoptionalDefaults to key value of the FusionAuth applicationAvailable since 1.8.0The unique id of the signing key used to sign the access token.
Prior to version 1.30.0 this value was required.
tenant.jwtConfiguration.idTokenKeyIdUUIDoptionalDefaults to key value of the FusionAuth applicationAvailable since 1.8.0The unique id of the signing key used to sign the Id token.
Prior to version 1.30.0 this value was required.
tenant.jwtConfiguration.refreshTokenExpirationPolicyStringoptionalDefaults to FixedAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed - the expiration is calculated from the time the token is issued.
SlidingWindow - the expiration is calculated from the last time the token was used.
SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
tenant.jwtConfiguration.refreshTokenOneTimeUseConfiguration.gracePeriodInSecondsIntegeroptionalDefaults to 0Available since 1.55.1The length of time specified in seconds that a one-time use token can be reused.
This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.
Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPreventedBooleanoptionalDefaults to trueAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onMultiFactorEnableBooleanoptionalDefaults to falseAvailable since 1.42.0When enabled, all of a user's refresh tokens will be revoked when a user enables multi-factor authentication for the first time. This policy will not be applied when adding subsequent multi-factor methods to the user.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuseBooleanoptionalDefaults to falseAvailable since 1.55.1When enabled, if a one-time use refresh token is reused, the token will be revoked. This does not cause all refresh tokens to be revoked, only the reused token is revoked.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChangedBooleanoptionalDefaults to trueAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user changes their password.
tenant.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutesIntegeroptionalAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime. Value must be greater than 0.
When refreshTokenExpirationPolicy is set to SlidingWindowWithMaximumLifetime, this value must be greater than or equal to refreshTokenTimeToLiveInMinutes.
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutesIntegeroptionalAvailable since 1.8.0The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.jwtConfiguration.refreshTokenUsagePolicyStringoptionalDefaults to ReusableAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable - the token does not change after it was issued.
OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
Prior to version 1.28.0 this value was required.
tenant.jwtConfiguration.timeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.lambdaConfiguration.loginValidationIdUUIDoptionalAvailable since 1.53.0The Id of the lambda that will be invoked at the end of a successful login request in order to extend custom validation of a login request.
tenant.lambdaConfiguration.multiFactorRequirementIdUUIDoptionalAvailable since 1.62.0The Id of the lambda that will be invoked during logins, password changes, and MFA Status API calls to perform various validations to decide whether to challenge the user on one of their MFA methods.
Note: To use Multi-Factor Requirement Lambdas, you'll need an Enterprise plan.
tenant.lambdaConfiguration.scimEnterpriseUserRequestConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM User Request lambda that will be used to convert the SCIM Enterprise User request to a FusionAuth User.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimEnterpriseUserResponseConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM User Response lambda that will be used to convert a FusionAuth Enterprise User to a SCIM Server response.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimGroupRequestConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM Group Request lambda that will be used to convert the SCIM Group request to a FusionAuth Group.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimGroupResponseConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM Group Response lambda that will be used to convert a FusionAuth Group to a SCIM Server response.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimUserRequestConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM User Request lambda that will be used to convert the SCIM User request to a FusionAuth User.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimUserResponseConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM User Response lambda that will be used to convert a FusionAuth User to a SCIM Server response.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.logoutURLStringoptionalAvailable since 1.8.0The logout redirect URL when sending the user's browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
tenant.loginConfiguration.requireAuthenticationBooleanoptionalDefaults to trueAvailable since 1.26.0Indicates whether to require an API key for the Login API when an applicationId is not provided. When an applicationId is provided to the Login API call, the application configuration will take precedence.
In almost all cases, you will want this to be true.
tenant.maximumPasswordAge.daysIntegeroptionalDefaults to 180Available since 1.8.0The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when tenant.maximumPasswordAge.enabled is set to true.
tenant.maximumPasswordAge.enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Indicates that the maximum password age is enabled and being enforced.
tenant.minimumPasswordAge.secondsIntegeroptionalDefaults to 30Available since 1.8.0The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when tenant.minimumPasswordAge.enabled is set to true.
tenant.minimumPasswordAge.enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Indicates that the minimum password age is enabled and being enforced.
tenant.multiFactorConfiguration.authenticator.enabledBooleanoptionalDefaults to trueAvailable since 1.26.0When enabled, users may utilize an authenticator application to complete a multi-factor authentication request. This method uses TOTP (Time-Based One-Time Password) as defined in RFC 6238 and often uses a native mobile app such as Google Authenticator.
tenant.multiFactorConfiguration.debugBooleanoptionalDefaults to trueAvailable since 1.68.0Determines if debug should be enabled for this tenant to create an event log message to assist in tracing Intelligent MFA.
tenant.multiFactorConfiguration.email.enabledBooleanoptionalDefaults to falseAvailable since 1.26.0When enabled, users may utilize an email address to complete a multi-factor authentication request.
tenant.multiFactorConfiguration.email.templateIdUUIDoptionalAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.email.enabled is set to true.
tenant.multiFactorConfiguration.loginPolicyStringoptionalAvailable since 1.37.0When set to Enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When set to Disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When set to Required, a two-factor challenge will be required during login. If a user has not configured any two-factor methods, they will not be able to log in.
Risk-based policies use FusionAuth's Intelligent MFA, which combines multiple signals to decide when to issue an MFA challenge.
This value may be overridden by the value configured by the application.multiFactorConfiguration.loginPolicy.
Supported values include:
Enabled - Require a two-factor challenge during login when an eligible method is available.
Disabled - Do not require a two-factor challenge during login.
ChallengeOnMediumRisk - Only challenge on medium or high login risk. Available since 1.68.0
ChallengeOnHighRisk - Only challenge on high login risk. Available since 1.68.0
Required - Require a two-factor challenge during login. A user will be required to configure 2FA if no eligible methods are available. Available since 1.42.0
Note: To use an Intelligent MFA Policy, you'll need a paid plan.
tenant.multiFactorConfiguration.sms.enabledBooleanoptionalDefaults to falseAvailable since 1.26.0When enabled, users may utilize a mobile phone number to complete a multi-factor authentication request.
tenant.multiFactorConfiguration.sms.messengerIdUUIDoptionalAvailable since 1.26.0The messenger that is used to deliver a SMS multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.sms.enabled is set to true.
tenant.multiFactorConfiguration.sms.templateIdUUIDoptionalAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.sms.enabled is set to true.
tenant.multiFactorConfiguration.voice.enabledBooleanoptionalDefaults to falseAvailable since 1.65.0When enabled, users can receive a spoken multi-factor authentication code over a phone call.
tenant.multiFactorConfiguration.voice.messengerIdUUIDoptionalAvailable since 1.65.0The messenger that is used to deliver a voice multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.voice.enabled is set to true.
tenant.multiFactorConfiguration.voice.templateIdUUIDoptionalAvailable since 1.65.0The Id of the voice template that is used when notifying a user to complete a multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.voice.enabled is set to true.
tenant.nameStringrequiredThe unique name of the Tenant.
tenant.oauthConfiguration.clientCredentialsAccessTokenPopulateLambdaIdUUIDoptionalAvailable since 1.26.0The Id of a lambda that will be called to populate the JWT during a client credentials grant.
Note: To use client credentials grant, you'll need a paid plan.
tenant.passwordEncryptionConfiguration.encryptionSchemeStringoptionalAvailable since 1.8.0The default method for encrypting the User's password. The following encryptors are provided with FusionAuth:
tenant.passwordEncryptionConfiguration.encryptionSchemeFactorIntegeroptionalDefaults to 24000Available since 1.8.0The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLoginBooleanoptionalDefaults to falseAvailable since 1.8.0When enabled a user's hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.
Beginning in version 1.42.0 when this configuration is enabled, in addition to re-hashing on login, the password will be re-hashed on password change as well.
tenant.passwordValidationRules.breachDetection.enabledBooleanoptionalDefaults to falseAvailable since 1.15.0Whether to enable Reactor breach detection. Requires an activated license.
tenant.passwordValidationRules.breachDetection.matchModeStringoptionalAvailable since 1.15.0The level of severity where Reactor will consider a breach. The following are valid values:
High - Only requires a password match, this is the most secure and is recommended
Medium - Exact match on username, email address or email sub-address
Low - Exact match on an email or username, or the password is a common breached value
tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateIdUUIDoptionalAvailable since 1.15.0The Id of the email template to use when notifying user of breached password. Required if tenant.passwordValidationRules.breachDetection.onLogin is set to NotifyUser.
tenant.passwordValidationRules.breachDetection.onLoginStringoptionalAvailable since 1.15.0The behavior when detecting breaches at time of user login. The following are valid values:
Off - Do not perform breach detection at login
RecordOnly - Only record the result, take no action
NotifyUser - Notify the end user via email
RequireChange - Require immediate password change
tenant.passwordValidationRules.disallowUserLoginIdBooleanoptionalDefaults to falseAvailable since 1.63.0Whether to reject passwords which contain the user's login Id.
tenant.passwordValidationRules.maxLengthIntegeroptionalDefaults to 256Available since 1.8.0The maximum length of a password when a new user is created or a user requests a password change.
This value must be greater than 0 and less than or equal to 256. When passwordEncryptionConfiguration.encryptionScheme is equal to bcrypt, the maximum will be limited to 50.
tenant.passwordValidationRules.minLengthIntegeroptionalDefaults to 8Available since 1.8.0The minimum length of a password when a new user is created or a user requests a password change.
tenant.passwordValidationRules.rememberPreviousPasswords.countIntegeroptionalAvailable since 1.8.0The number of previous passwords to remember. Value must be greater than 0.
tenant.passwordValidationRules.rememberPreviousPasswords.enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Whether to prevent a user from using any of their previous passwords.
tenant.passwordValidationRules.requireMixedCaseBooleanoptionalDefaults to falseAvailable since 1.8.0Whether to force the user to use at least one uppercase and one lowercase character.
tenant.passwordValidationRules.requireNonAlphaBooleanoptionalDefaults to falseAvailable since 1.8.0Whether to force the user to use at least one non-alphanumeric character.
tenant.passwordValidationRules.requireNumberBooleanoptionalDefaults to falseAvailable since 1.8.0Whether to force the user to use at least one number.
tenant.passwordValidationRules.validateOnLoginBooleanoptionalDefaults to falseAvailable since 1.15.0When enabled the user's password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.
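The generator length and type rules above, together with the refresh token, login and password constraints stated in this section, can be checked before a request body is sent. The following Python lint is an added example, not FusionAuth code: `audit_tenant`, the severity labels and the sample body are illustrative, and it assumes an omitted generator `type` or `length` takes its documented default.

```python
import json

# Allowed length range per generator type (the same ranges apply to every *Generator.length field).
LENGTH_RANGE = {
    "randomAlpha": (4, 12), "randomAlphaNumeric": (4, 12),
    "randomBytes": (16, 128), "randomDigits": (4, 12),
}

# Documented (type, length) defaults of the generators listed in this section.
GENERATOR_DEFAULTS = {
    "phoneVerificationIdGenerator": ("randomBytes", 32),
    "phoneVerificationOneTimeCodeGenerator": ("randomAlphaNumeric", 6),
    "registrationVerificationIdGenerator": ("randomBytes", 32),
    "registrationVerificationOneTimeCodeGenerator": ("randomAlphaNumeric", 6),
    "setupPasswordIdGenerator": ("randomBytes", 32),
    "twoFactorOneTimeCodeIdGenerator": ("randomDigits", 6),
}


def audit_tenant(body):
    """Return (severity, field, message) findings for a tenant request body."""
    tenant, findings = body.get("tenant", {}), []

    ext = tenant.get("externalIdentifierConfiguration", {})
    for name, (default_type, default_length) in GENERATOR_DEFAULTS.items():
        if name not in ext:
            continue
        # Assumption: an omitted type or length takes the documented default.
        gen_type = ext[name].get("type", default_type)
        length = ext[name].get("length", default_length)
        field = f"externalIdentifierConfiguration.{name}"
        if gen_type not in LENGTH_RANGE:
            findings.append(("error", f"{field}.type", f"unknown type {gen_type!r}"))
            continue
        low, high = LENGTH_RANGE[gen_type]
        if not low <= length <= high:
            findings.append(("error", f"{field}.length",
                             f"{length} is outside {low}..{high} for {gen_type}"))

    jwt = tenant.get("jwtConfiguration", {})
    grace = jwt.get("refreshTokenOneTimeUseConfiguration", {}).get("gracePeriodInSeconds", 0)
    field = "jwtConfiguration.refreshTokenOneTimeUseConfiguration.gracePeriodInSeconds"
    if not 0 <= grace < 86400:
        findings.append(("error", field, "must be 0 or a value below 86400"))
    elif grace > 0:
        message = f"a one-time use refresh token stays reusable for {grace}s"
        if jwt.get("refreshTokenRevocationPolicy", {}).get("onOneTimeTokenReuse", False):
            message += "; reuse inside that window is not considered for revocation"
        findings.append(("warn", field, message))

    if jwt.get("refreshTokenExpirationPolicy") == "SlidingWindowWithMaximumLifetime":
        ttl = jwt.get("refreshTokenTimeToLiveInMinutes")
        sliding = jwt.get("refreshTokenSlidingWindowConfiguration", {})
        max_ttl = sliding.get("maximumTimeToLiveInMinutes")
        if ttl is not None and max_ttl is not None and max_ttl < ttl:
            field = "jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes"
            findings.append(("error", field, f"{max_ttl} is below refreshTokenTimeToLiveInMinutes ({ttl})"))

    if tenant.get("loginConfiguration", {}).get("requireAuthentication", True) is False:
        findings.append(("warn", "loginConfiguration.requireAuthentication",
                         "Login API calls without an applicationId need no API key"))

    scheme = tenant.get("passwordEncryptionConfiguration", {}).get("encryptionScheme")
    max_length = tenant.get("passwordValidationRules", {}).get("maxLength", 256)
    if not 0 < max_length <= 256:
        findings.append(("error", "passwordValidationRules.maxLength", "must be 1..256"))
    elif scheme == "bcrypt" and max_length > 50:
        findings.append(("warn", "passwordValidationRules.maxLength",
                         f"{max_length} requested, but bcrypt limits the maximum to 50"))
    return findings


# Constructed sample request body (not taken from the FusionAuth documentation).
SAMPLE_REQUEST = json.loads("""
{
  "tenant": {
    "name": "staging (constructed example)",
    "externalIdentifierConfiguration": {
      "twoFactorOneTimeCodeIdGenerator": {"type": "randomBytes"},
      "phoneVerificationOneTimeCodeGenerator": {"type": "randomDigits", "length": 3}
    },
    "jwtConfiguration": {
      "refreshTokenUsagePolicy": "OneTimeUse",
      "refreshTokenExpirationPolicy": "SlidingWindowWithMaximumLifetime",
      "refreshTokenTimeToLiveInMinutes": 43200,
      "refreshTokenSlidingWindowConfiguration": {"maximumTimeToLiveInMinutes": 1440},
      "refreshTokenOneTimeUseConfiguration": {"gracePeriodInSeconds": 30},
      "refreshTokenRevocationPolicy": {"onOneTimeTokenReuse": true}
    },
    "loginConfiguration": {"requireAuthentication": false},
    "passwordEncryptionConfiguration": {"encryptionScheme": "bcrypt"},
    "passwordValidationRules": {"maxLength": 128}
  }
}
""")

if __name__ == "__main__":
    print("\n".join(f"{s:5} tenant.{f}: {m}" for s, f, m in audit_tenant(SAMPLE_REQUEST)))
```

The second finding on the sample body shows the easy mistake: switching a one time code generator to randomBytes without also raising its length leaves the default of 6 outside the 16 to 128 range.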
tenant.emailConfiguration.additionalHeadersArray<Object>optionalAvailable since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenant.emailConfiguration.debugBooleanoptionalDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenant.emailConfiguration.defaultFromEmailStringoptionalAvailable since 1.16.0The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.defaultFromNameStringoptionalAvailable since 1.16.0The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.emailUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.emailVerifiedEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
tenant.emailConfiguration.forgotPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
tenant.emailConfiguration.hostStringoptionalDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.implicitEmailVerificationAllowedoptionalDefaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenant.emailConfiguration.loginIdInUseOnCreateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.loginIdInUseOnUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenant.emailConfiguration.loginNewDeviceEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.loginSuspiciousEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.passwordStringoptionalAvailable since 1.8.0An optional password FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.passwordlessEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenant.emailConfiguration.passwordResetSuccessEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.passwordUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.portIntegeroptionalDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.properties String optional Available since 1.8.0
Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
mail.smtp.timeout has a default value of 2000.
mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenant.emailConfiguration.security String optional Defaults to NONE Available since 1.8.0
The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
NONE - no security will be used. All communications will be sent plaintext.
SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenant.emailConfiguration.setPasswordEmailTemplateId UUID optional Available since 1.19.0
The Id of the Email Template that is used when a user had their account created for them and must set their password manually; they are sent an email to set their password.
tenant.emailConfiguration.twoFactorMethodAddEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when an MFA method has been added to their account.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateId UUID optional Available since 1.68.0
The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenant.emailConfiguration.twoFactorMethodRemoveEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when an MFA method has been removed from their account.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.unverified.allowEmailChangeWhenGated Boolean optional Defaults to false Available since 1.27.0
When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenant.emailConfiguration.unverified.behavior String optional Defaults to Allow Available since 1.27.0
The desired behavior during login for a user that does not have a verified email. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.emailConfiguration.username String optional Available since 1.8.0
An optional username FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.verificationEmailTemplateId UUID optional
The Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenant.emailConfiguration.verificationStrategy String optional Available since 1.27.0
The process by which the user will verify their email address. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.emailConfiguration.unverified.behavior has the Gated value.
tenant.emailConfiguration.verifyEmail Boolean optional Defaults to false
Whether the user's email addresses are verified when the user registers with your application.
tenant.emailConfiguration.verifyEmailWhenChanged Boolean optional Defaults to false
Whether the user's email addresses are verified when the user changes them.
tenant.rateLimitConfiguration.failedLogin.enabled Boolean optional Defaults to false Available since 1.30.0
Whether rate limiting is enabled for failed login.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.failedLogin.limit Integer optional Defaults to 5 Available since 1.30.0
The number of times a user can fail to log in within the configured timePeriodInSeconds duration. If a Failed authentication action has been configured then it will take precedence.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.failedLogin.timePeriodInSeconds Integer optional Defaults to 60 Available since 1.30.0
The duration for the number of times a user can fail to log in before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.forgotPassword.enabled Boolean optional Defaults to false Available since 1.30.0
Whether rate limiting is enabled for forgot password.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.forgotPassword.limit Integer optional Defaults to 5 Available since 1.30.0
The number of times a user can request a forgot password email within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.forgotPassword.timePeriodInSeconds Integer optional Defaults to 60 Available since 1.30.0
The duration for the number of times a user can request a forgot password email before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendEmailVerification.enabled Boolean optional Defaults to false Available since 1.30.0
Whether rate limiting is enabled for send email verification.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendEmailVerification.limit Integer optional Defaults to 5 Available since 1.30.0
The number of times a user can request a verification email within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendEmailVerification.timePeriodInSeconds Integer optional Defaults to 60 Available since 1.30.0
The duration for the number of times a user can request a verification email before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordless.enabled Boolean optional Defaults to false Available since 1.30.0
Whether rate limiting is enabled for sending passwordless login links/codes via email.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordless.limit Integer optional Defaults to 5 Available since 1.30.0
The number of times a user can request a passwordless login email within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordless.timePeriodInSeconds Integer optional Defaults to 60 Available since 1.30.0
The duration for the number of times a user can request a passwordless login email before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordlessPhone.enabled Boolean optional Defaults to false Available since 1.59.0
Whether rate limiting is enabled for sending passwordless login links/codes via SMS.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordlessPhone.limit Integer optional Defaults to 5 Available since 1.59.0
The number of times a user can request a passwordless login SMS message within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordlessPhone.timePeriodInSeconds Integer optional Defaults to 60 Available since 1.59.0
The duration for the number of times a user can request a passwordless login SMS message before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPhoneVerification.enabled Boolean optional Defaults to false Available since 1.59.0
Whether rate limiting is enabled for send phone verification.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPhoneVerification.limit Integer optional Defaults to 5 Available since 1.59.0
The number of times a user can request a phone verification message within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPhoneVerification.timePeriodInSeconds Integer optional Defaults to 60 Available since 1.59.0
The duration for the number of times a user can request a phone verification message before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendRegistrationVerification.enabled Boolean optional Defaults to false Available since 1.30.0
Whether rate limiting is enabled for send registration verification.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendRegistrationVerification.limit Integer optional Defaults to 5 Available since 1.30.0
The number of times a user can request a registration verification email within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendRegistrationVerification.timePeriodInSeconds Integer optional Defaults to 60 Available since 1.30.0
The duration for the number of times a user can request a registration verification email before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendTwoFactor.enabled Boolean optional Defaults to false Available since 1.30.0
Whether rate limiting is enabled for send two-factor.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendTwoFactor.limit Integer optional Defaults to 5 Available since 1.30.0
The number of times a user can request a two-factor code by email or SMS within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendTwoFactor.timePeriodInSeconds Integer optional Defaults to 60 Available since 1.30.0
The duration for the number of times a user can request a two-factor code by email or SMS before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.registrationConfiguration.blockedDomains Array<String> optional Available since 1.30.0
A list of unique domains that are not allowed to register when self service is enabled.
Note: To use blocked domains, you'll need an Enterprise plan.
tenant.scimServerConfiguration.clientEntityTypeId UUID optional Available since 1.36.0
The Entity Type that will be used to represent SCIM Clients for this tenant.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.scimServerConfiguration.enabled Boolean optional Available since 1.36.0
Whether or not this tenant has the SCIM endpoints enabled.
Note: To use SCIM, you'll need an Enterprise plan.
tenant.scimServerConfiguration.schemas Map optional Available since 1.36.0
JSON formatted as a SCIM Schemas endpoint response. Because the SCIM lambdas may modify the JSON response, ensure the Schema's response matches that generated by the response lambdas. More about Schema definitions.
When this parameter is not provided, it will default to EnterpriseUser, Group, and User schema definitions as defined by the SCIM core schemas spec.
Note: To use SCIM, you'll need an Enterprise plan.
tenant.scimServerConfiguration.serverEntityTypeId UUID optional Available since 1.36.0
The Entity Type that will be used to represent SCIM Servers for this tenant.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.ssoConfiguration.deviceTrustTimeToLiveInSeconds Integer optional Available since 1.30.2
The number of seconds before a trusted device is reset. When reset, a user is forced to complete captcha during login and complete two-factor authentication if applicable.
tenant.ssoConfiguration.allowAccessTokenBootstrap Boolean optional Defaults to false Available since 1.56.0
When enabled, an SSO session can be created after login by providing an access token as a bearer token in a request to the OAuth2 Authorize endpoint.
tenant.themeId UUID optional Available since 1.8.0
The unique Id of the theme to be used to style the login page and other end user templates.
Prior to version 1.30.0 this value was required.
tenant.userDeletePolicy.unverified.enabled Boolean optional Defaults to false Available since 1.13.0
Indicates that users with neither a verified email address nor a verified phone number will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.
tenant.userDeletePolicy.unverified.numberOfDaysToRetain Integer optional Available since 1.13.0
The number of days from creation users will be retained before being deleted for not completing email or phone number verification. This field is required when tenant.userDeletePolicy.unverified.enabled is set to true. Value must be greater than 0.
tenant.usernameConfiguration.unique.enabled Boolean optional Defaults to false Available since 1.27.0
When true, FusionAuth will handle username collisions by generating a random suffix.
Note: To use unique usernames, you'll need a paid plan.
tenant.usernameConfiguration.unique.numberOfDigits Integer optional Defaults to 5 Available since 1.27.0
The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and will be 1 or more digits up to this configured value in length. For example, if this value is 5, the suffix will be a number between 00001 and 99999, inclusive. The value of this field must be greater than or equal to 3 and less than or equal to 10.
tenant.usernameConfiguration.unique.separator String optional Available since 1.27.0
A single character to use as a separator between the requested username and a unique suffix that is added when a duplicate username is detected. This value can be a single non-alphanumeric ASCII character.
tenant.usernameConfiguration.unique.strategy String optional Defaults to OnCollision Available since 1.29.0
This strategy instructs FusionAuth when to append a unique suffix to the username. The possible values are:
Always - Always append a unique suffix even when the requested username is not in use.
OnCollision - Only append a unique suffix when the requested username is in use.
tenant.webAuthnConfiguration.bootstrapWorkflow.authenticatorAttachmentPreference String optional Defaults to crossPlatform Available since 1.41.0
Determines the authenticator attachment requirement for WebAuthn passkey registration when using the bootstrap workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
The recommended value for the bootstrap workflow is any.
Note: To use WebAuthn, you'll need a license.
Note: To use WebAuthn cross-platform authenticators, you'll need an Enterprise plan.
tenant.webAuthnConfiguration.bootstrapWorkflow.enabled Boolean optional Defaults to false Available since 1.41.0
Whether or not this tenant has the WebAuthn bootstrap workflow enabled. The bootstrap workflow is used when the user must "bootstrap" the authentication process by identifying themselves prior to the WebAuthn ceremony and can be used to authenticate from a new device using WebAuthn.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.bootstrapWorkflow.userVerificationRequirement String optional Defaults to required Available since 1.41.0
Determines the user verification requirement for WebAuthn passkey registration and authentication when using the bootstrap workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
It is highly recommended to use the required option for the bootstrap workflow.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.debug Boolean optional Defaults to false Available since 1.41.0
Determines if debug should be enabled for this tenant to create an event log to assist in debugging WebAuthn errors.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.enabled Boolean optional Defaults to false Available since 1.41.0
Whether or not this tenant has WebAuthn enabled globally.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.reauthenticationWorkflow.authenticatorAttachmentPreference String optional Defaults to crossPlatform Available since 1.41.0
Determines the authenticator attachment requirement for WebAuthn passkey registration when using the reauthentication workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
The recommended value for the reauthentication workflow is platform.
Note: To use WebAuthn, you'll need a license.
Note: To use WebAuthn cross-platform authenticators, you'll need an Enterprise plan.
tenant.webAuthnConfiguration.reauthenticationWorkflow.enabled Boolean optional Defaults to false Available since 1.41.0
Whether or not this tenant has the WebAuthn reauthentication workflow enabled. The reauthentication workflow will automatically prompt a user to authenticate using WebAuthn for repeated logins from the same device.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.reauthenticationWorkflow.userVerificationRequirement String optional Defaults to required Available since 1.41.0
Determines the user verification requirement for WebAuthn passkey registration and authentication when using the reauthentication workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
It is highly recommended to use the required option for the reauthentication workflow.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.relyingPartyId String optional Available since 1.41.0
The value this tenant will use for the Relying Party Id in WebAuthn ceremonies. Passkeys can only be used to authenticate on sites using the same Relying Party Id they were registered with. This value must match the browser origin or be a registrable domain suffix of the browser origin. For example, if your domain is auth.piedpiper.com, you could use auth.piedpiper.com or piedpiper.com but not m.auth.piedpiper.com or com.
When this parameter is omitted, FusionAuth will use null for the Relying Party Id in passkey creation and request options. A null value in the WebAuthn JavaScript API will use the browser origin.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.relyingPartyName String optional Available since 1.41.0
The value this tenant will use for the Relying Party name in WebAuthn ceremonies. This value may be displayed by browser or operating system dialogs during WebAuthn ceremonies.
When this parameter is omitted, FusionAuth will use the tenant.issuer value.
Note: To use WebAuthn, you'll need a license.
webhookIds Array<UUID> optional Available since 1.37.0
An array of Webhook Ids. For Webhooks that are not already configured for All Tenants, specifying an Id on this request will indicate the associated Webhook should handle events for this tenant.
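Several of the fields above default to their least restrictive value (SMTP security of NONE, every rate limit disabled), and the relyingPartyId rule is easy to get wrong, so a tenant body is worth checking before it is sent. The following is an added example, not FusionAuth code: the function names, the two-entry public-suffix set and the sample request are constructed for illustration, and a real Relying Party Id check needs the full Public Suffix List.

```python
import json

# Constructed stand-in for the Public Suffix List; a real check needs the full list.
PUBLIC_SUFFIXES = {"com", "co.uk"}
RATE_LIMITED_ACTIONS = (
    "failedLogin", "forgotPassword", "sendEmailVerification", "sendPasswordless",
    "sendPasswordlessPhone", "sendPhoneVerification",
    "sendRegistrationVerification", "sendTwoFactor",
)
DEFAULT_SSL_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"  # default documented above
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def parse_mail_properties(raw):
    """Parse the newline-separated key=value string of emailConfiguration.properties."""
    if isinstance(raw, dict):  # the example request JSON shows an object form
        return {str(k): str(v) for k, v in raw.items()}
    props = {}
    for line in (raw or "").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def rp_id_allowed(rp_id, origin_host, suffixes=PUBLIC_SUFFIXES):
    """True if rp_id equals the origin host or is a registrable suffix of it."""
    rp_id = rp_id.lower().rstrip(".")
    origin_host = origin_host.lower().rstrip(".")
    if rp_id == origin_host:
        return True
    return origin_host.endswith("." + rp_id) and rp_id not in suffixes


def audit_tenant(tenant, origin_host):
    """Return (field path, finding) pairs, applying the documented defaults."""
    findings = []
    email = tenant.get("emailConfiguration", {})
    security = email.get("security", "NONE")
    if security == "NONE":
        findings.append(("emailConfiguration.security",
                         "SMTP traffic, including any username/password, is sent in plaintext"))
    elif security == "SSL":
        findings.append(("emailConfiguration.security",
                         "SSL is only for servers that support nothing else; prefer TLS"))
    if security != "NONE":
        props = parse_mail_properties(email.get("properties"))
        protocols = props.get("mail.smtp.ssl.protocols", DEFAULT_SSL_PROTOCOLS).split()
        legacy = sorted(LEGACY_PROTOCOLS.intersection(protocols))
        if legacy:
            findings.append(("emailConfiguration.properties",
                             "mail.smtp.ssl.protocols still allows " + ", ".join(legacy)))

    limits = tenant.get("rateLimitConfiguration", {})
    for action in RATE_LIMITED_ACTIONS:
        if not limits.get(action, {}).get("enabled", False):
            findings.append((f"rateLimitConfiguration.{action}.enabled",
                             "rate limiting is off for this action"))

    webauthn = tenant.get("webAuthnConfiguration", {})
    if webauthn.get("enabled", False):
        for workflow in ("bootstrapWorkflow", "reauthenticationWorkflow"):
            cfg = webauthn.get(workflow, {})
            uv = cfg.get("userVerificationRequirement", "required")
            if cfg.get("enabled", False) and uv != "required":
                findings.append((f"webAuthnConfiguration.{workflow}.userVerificationRequirement",
                                 f"'{uv}' permits authenticators without user verification"))
        rp_id = webauthn.get("relyingPartyId")
        if rp_id and not rp_id_allowed(rp_id, origin_host):
            findings.append(("webAuthnConfiguration.relyingPartyId",
                             f"'{rp_id}' is not valid for origin host '{origin_host}'"))
    return findings


# Constructed sample request body; only the audited fields are included.
SAMPLE_REQUEST = json.loads(r"""
{
  "tenant": {
    "emailConfiguration": {
      "security": "TLS",
      "properties": "mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000"
    },
    "rateLimitConfiguration": {
      "failedLogin": {"enabled": true, "limit": 5, "timePeriodInSeconds": 60},
      "forgotPassword": {"enabled": false, "limit": 5, "timePeriodInSeconds": 60}
    },
    "webAuthnConfiguration": {
      "enabled": true,
      "bootstrapWorkflow": {"enabled": true, "userVerificationRequirement": "preferred"},
      "relyingPartyId": "m.auth.piedpiper.com"
    }
  }
}
""")

if __name__ == "__main__":
    for path, message in audit_tenant(SAMPLE_REQUEST["tenant"], "auth.piedpiper.com"):
        print(f"tenant.{path}: {message}")
```

Rate-limit actions absent from the request are reported as well, because the documented default for each enabled flag is false.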
Example Request JSON
{
"tenant": {
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"baseURL": "https://example.com",
"captchaConfiguration": {
"captchaMethod": "GoogleRecaptchaV3",
"enabled": true,
"secretKey": "6LdYWpMbAAAAAKhcksgk70us00012r66r96tt7rp",
"siteKey": "6LdYWpMbAAAAAKhcksgk75tz00022r66ombcfadr",
"threshold": 0.5
},
"connectorPolicies": [
{
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"domains": [
"*"
],
"migrate": false
},
{
"connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
"domains": [
"*"
],
"migrate": true
}
],
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"additionalHeaders": [
{
"name": "X-SES-CONFIGURATION-SET",
"value": "example_configuration_set_name"
}
],
"defaultFromEmail": "jared@piedpiper.com",
"defaultFromName": "Jared Dunn",
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"implicitEmailVerificationAllowed": true,
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d",
"unverified": {
"allowEmailChangeWhenGated": false,
"behavior": "Gated"
},
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verificationStrategy": "FormField",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.password.breach": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"deviceCodeTimeToLiveInSeconds": 1800,
"deviceUserCodeIdGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"emailVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"externalAuthenticationIdTimeToLiveInSeconds": 300,
"loginIntentTimeToLiveInSeconds": 1800,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"pendingAccountLinkTimeToLiveInSeconds": 3600,
"phoneVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"phoneVerificationIdTimeToLiveInSeconds": 86400,
"phoneVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"registrationVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"rememberOAuthScopeConsentChoiceTimeToLiveInSeconds": 2592000,
"samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"trustTokenTimeToLiveInSeconds": 180,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorOneTimeCodeIdGenerator": {
"length": 6,
"type": "randomDigits"
},
"twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000,
"webAuthnAuthenticationChallengeTimeToLiveInSeconds": 180,
"webAuthnRegistrationChallengeTimeToLiveInSeconds": 180
},
"failedAuthenticationConfiguration": {
"actionCancelPolicy": {
"onPasswordReset": false
},
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"emailUser": false,
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"formConfiguration": {
"adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
},
"httpSessionMaxInactiveInterval": 3600,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenExpirationPolicy": "Fixed",
"refreshTokenRevocationPolicy": {
"onLoginPrevented": true,
"onMultiFactorEnable": true,
"onPasswordChanged": true
},
"refreshTokenTimeToLiveInMinutes": 43200,
"refreshTokenUsagePolicy": "Reusable",
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"loginValidationId": "c0dd79db-38dd-424b-b77a-4dccaad71052",
"scimEnterpriseUserRequestConverterId": "c2e70f8d-19bb-4df7-848a-33a9a1e26b84",
"scimEnterpriseUserResponseConverterId": "44fc9553-8a2e-408f-8aa2-fa65b70b55e2",
"scimGroupRequestConverterId": "66d65de0-1819-42f8-86ed-7daaa4e155dc",
"scimGroupResponseConverterId": "79812ede-432f-4375-9b43-23c0fe996fef",
"scimUserRequestConverterId": "8a51d7a1-5e3e-442a-b96a-0c31379bb3d4",
"scimUserResponseConverterId": "c8720843-dc4f-4e6c-b6ca-500e9c44695f"
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"multiFactorConfiguration": {
"authenticator": {
"enabled": true
},
"email": {
"enabled": true,
"templateId": "d312fb71-d7d8-4b75-a497-6096a07220b3"
},
"loginPolicy": "Enabled",
"sms": {
"enabled": true,
"messengerId": "0a4bae38-ffef-4c33-b74c-1d50c796f600",
"templateId": "f35e04e6-72ec-4f52-b552-29cf950a4ed6"
}
},
"name": "Playtronics Co.",
"oauthConfiguration": {
"clientCredentialsAccessTokenPopulateLambdaId": "46e120c1-4c22-473f-95b4-e2c187cd20c2"
},
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"breachDetection": {
"enabled": true,
"notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"matchMode": "High",
"onLogin": "Off"
},
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true,
"validateOnLogin": false
},
"phoneConfiguration": {
"forgotPasswordTemplateId": "f90c8a8f-db77-4f2f-a3dd-5f692faf5d55",
"identityUpdateTemplateId": "77df7e94-2dbf-44ab-b58c-06ac4224c449",
"implicitPhoneVerificationAllowed": false,
"loginIdInUseOnCreateTemplateId": "7880dac6-809b-489e-8a69-363b043dd0f4",
"loginIdInUseOnUpdateTemplateId": "de14b495-a358-4941-bb6b-0ddce04370ef",
"loginNewDeviceTemplateId": "d77ac611-ddff-4a06-903c-fafe5c1f9f7a",
"loginSuspiciousTemplateId": "73a8408a-e857-4ce2-82bb-d15b94d7c709",
"messengerId": "22a2ec45-39de-439a-a41c-eb7666b3b051",
"passwordResetSuccessTemplateId": "6a0f3a7a-3511-4936-a546-3bd8f68dbdd3",
"passwordUpdateTemplateId": "3ca81208-5678-434f-92b8-7fcc3b62bc7a",
"passwordlessTemplateId": "e8449783-60a7-483f-8c66-bcdf0d05705f",
"setPasswordTemplateId": "a6655c95-d94c-4dea-8191-0190f562bc39",
"twoFactorMethodAddTemplateId": "c450521d-7f39-4a21-ba02-ced83225efcc",
"twoFactorMethodRemoveTemplateId": "fba4fe64-3a29-45f8-895f-520d73d93659",
"unverified": {
"allowPhoneNumberChangeWhenGated": false,
"behavior": "Allow"
},
"verificationCompleteTemplateId": "7b6b80bd-e3a5-42ff-b333-93ef37c192df",
"verificationStrategy": "ClickableLink",
"verificationTemplateId": "c96ed02d-fbc6-4b27-9e74-54444747d18a",
"verifyPhoneNumber": true
},
"rateLimitConfiguration": {
"failedLogin": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"forgotPassword": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendEmailVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordless": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordlessPhone": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPhoneVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendRegistrationVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendTwoFactor": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
}
},
"registrationConfiguration": {},
"scimServerConfiguration": {
"clientEntityTypeId": "d9ed49f7-1106-4b20-acdb-5cbda76ae77e",
"enabled": true,
"serverEntityTypeId": "919e0ac5-1cf0-4fcf-a8fc-29d77a0d1d8f",
"schemas": {}
},
"ssoConfiguration": {
"deviceTrustTimeToLiveInSeconds": 31536000
},
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"usernameConfiguration": {
"unique": {
"enabled": false,
"numberOfDigits": 5,
"separator": "#"
}
},
"webAuthnConfiguration": {
"enabled": true,
"bootstrapWorkflow": {
"authenticatorAttachmentPreference": "crossPlatform",
"enabled": true,
"userVerificationRequirement": "required"
},
"debug": false,
"reauthenticationWorkflow": {
"authenticatorAttachmentPreference": "platform",
"enabled": true,
"userVerificationRequirement": "required"
},
"relyingPartyId": "piedpiper.com",
"relyingPartyName": "Pied Piper"
},
"webhookIds": [
"00000000-0000-0000-0000-000000000042"
]
}
}
This API has been available since 1.14.0
Request Parameters#
tenantIdUUIDoptionalDefaults to secure random UUIDThe Id to use for the new Tenant. If not specified a secure random UUID will be generated.
Request Body#
sourceTenantIdUUIDrequiredThe Id of an existing Tenant from which a copy will be made. All other values will be copied from the source Tenant to the new Tenant.
tenant.nameStringrequiredThe unique name of the Tenant.
Example request JSON
{
"sourceTenantId": "32306536-3036-6431-3865-646430303332",
"tenant": {
"name": "Playtronics Co. - copied"
}
}
Response#
The response for this API contains the Tenant that was created.
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body#
tenant.accessControlConfiguration.uiIPAccessControlListIdUUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to all applications in this tenant.
tenant.baseURLStringAvailable since 1.68.0The default base URL used when rendering links in templates for this Tenant. This value is used when application.baseURL is not defined.
tenant.captchaConfiguration.captchaMethodStringAvailable since 1.30.0The type of captcha method to use.
tenant.captchaConfiguration.enabledBooleanAvailable since 1.30.0Whether captcha configuration is enabled.
tenant.captchaConfiguration.secretKeyStringAvailable since 1.30.0The secret key for this captcha method.
tenant.captchaConfiguration.siteKeyStringAvailable since 1.30.0The site key for this captcha method.
tenant.captchaConfiguration.thresholdFloatAvailable since 1.30.0The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.
tenant.configuredBooleanIndicates the tenant has been configured. It is always true, except for default tenant when the setup wizard has not been completed, in which case it is false.
tenant.connectorPoliciesArrayAvailable since 1.18.0A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.
tenant.connectorPolicies[x].connectorIdUUIDAvailable since 1.18.0The identifier of the Connector to which this policy refers.
tenant.connectorPolicies[x].domainsStringAvailable since 1.18.0A list of email domains to which this connector should apply.
A value of ["*"] indicates this connector applies to all users.
tenant.connectorPolicies[x].migrateBooleanAvailable since 1.18.0If true, the user's data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector's source will be treated as authoritative.
tenant.dataObjectAn object that can hold any information about the Tenant that should be persisted.
tenant.emailConfiguration.additionalHeadersArray<Object>optionalAvailable since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenant.emailConfiguration.debugBooleanoptionalDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenant.emailConfiguration.defaultFromEmailStringoptionalAvailable since 1.16.0The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.defaultFromNameStringoptionalAvailable since 1.16.0The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.emailUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
tenant.emailConfiguration.emailVerifiedEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
tenant.emailConfiguration.forgotPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
tenant.emailConfiguration.hostStringoptionalDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.implicitEmailVerificationAllowedoptionalDefaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenant.emailConfiguration.loginIdInUseOnCreateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
tenant.emailConfiguration.loginIdInUseOnUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenant.emailConfiguration.loginNewDeviceEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
tenant.emailConfiguration.loginSuspiciousEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
tenant.emailConfiguration.passwordStringoptionalAvailable since 1.8.0An optional password FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.passwordlessEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenant.emailConfiguration.passwordResetSuccessEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
tenant.emailConfiguration.passwordUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
tenant.emailConfiguration.portIntegeroptionalDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.propertiesStringoptionalAvailable since 1.8.0Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
- mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
- mail.smtp.timeout has a default value of 2000.
- mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenant.emailConfiguration.securityStringoptionalDefaults to NONEAvailable since 1.8.0The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
- NONE - no security will be used. All communications will be sent plaintext.
- SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
- TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenant.emailConfiguration.setPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.
tenant.emailConfiguration.twoFactorMethodAddEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account.
tenant.emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenant.emailConfiguration.twoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account.
tenant.emailConfiguration.unverified.allowEmailChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.27.0When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenant.emailConfiguration.unverified.behaviorStringoptionalDefaults to AllowAvailable since 1.27.0The desired behavior during login for a user that does not have a verified email. The possible values are:
- Allow - the user will be allowed to complete login.
- Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.emailConfiguration.usernameStringoptionalAvailable since 1.8.0An optional username FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.verificationEmailTemplateIdUUIDoptionalThe Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenant.emailConfiguration.verificationStrategyStringoptionalAvailable since 1.27.0The process by which the user will verify their email address. The possible values are:
- ClickableLink - send the user a code with a clickable link.
- FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.emailConfiguration.unverified.behavior has the Gated value.
tenant.emailConfiguration.verifyEmailBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user registers with your application.
tenant.emailConfiguration.verifyEmailWhenChangedBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user changes them.
tenant.eventConfiguration.eventsObjectAvailable since 1.8.0A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
- audit-log.create - When an audit log is created. Available since 1.30.0
- event-log.create - When an event log is created. Available since 1.30.0
- jwt.public-key.update - When a JWT signing Public / Private keypair may have been changed
- jwt.refresh - When an access token is refreshed using a refresh token. Available since 1.16.0
- jwt.refresh-token.revoke - When a JWT Refresh Token is revoked
- kickstart.success - When kickstart has successfully completed. Available since 1.30.0
- user.action - When a user action is triggered
- user.bulk.create - When multiple users are created in bulk (i.e. during an import)
- user.create - When a user is created
- user.create.complete - When a user create transaction has completed. Available since 1.30.0
- user.deactivate - When a user is deactivated
- user.delete - When a user is deleted
- user.delete.complete - When a user delete transaction has completed. Available since 1.30.0
- user.email.update - When a user updates their email address. Available since 1.30.0
- user.email.verified - When a user verifies their email address. Available since 1.8.0
- user.identity-provider.link - When a link is created from a user to an Identity Provider. Available since 1.36.0
- user.identity-provider.unlink - When an existing Identity Provider link is removed from a User. Available since 1.36.0
- user.identity.verified - When a user's identity is verified. Available since 1.59.0
- user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received. Available since 1.30.0. Note: an Enterprise plan is required.
- user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received. Available since 1.30.0. Note: an Enterprise plan is required.
- user.login.failed - When a user fails a login request. Available since 1.6.0
- user.login.new-device - When a user begins a login request with a new device. Available since 1.30.0. Note: an Enterprise plan is required.
- user.login.success - When a user completes a login request. Available since 1.6.0
- user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license). Available since 1.30.0. Note: an Enterprise plan is required.
- user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license). Available since 1.15.0. Note: a paid plan is required.
- user.password.reset.send - When a forgot password email has been sent to a user. Available since 1.30.0. Note: an Enterprise plan is required.
- user.password.reset.start - When the process to reset a user password has started. Available since 1.30.0. Note: an Enterprise plan is required.
- user.password.reset.success - When a user has successfully reset their password. Available since 1.30.0. Note: an Enterprise plan is required.
- user.password.update - When a user has updated their password. Available since 1.30.0. Note: an Enterprise plan is required.
- user.reactivate - When a user is reactivated
- user.registration.create - When a user registration is created. Available since 1.6.0
- user.registration.create.complete - When a user registration create transaction has completed. Available since 1.30.0
- user.registration.delete - When a user registration is deleted. Available since 1.6.0
- user.registration.delete.complete - When a user registration delete transaction has completed. Available since 1.30.0
- user.registration.update - When a user registration is updated. Available since 1.6.0
- user.registration.update.complete - When a user registration update transaction has completed. Available since 1.30.0
- user.registration.verified - When a user completes registration verification. Available since 1.8.0
- user.two-factor.challenge - When a user is presented a two-factor challenge. Available since 1.68.0. Note: an Enterprise plan is required.
- user.two-factor.failed-attempt - When a user submits an incorrect answer to a two-factor challenge. Available since 1.68.0. Note: an Enterprise plan is required.
- user.two-factor.method.add - When a user has added a two-factor method. Available since 1.30.0. Note: an Enterprise plan is required.
- user.two-factor.method.remove - When a user has removed a two-factor method. Available since 1.30.0. Note: an Enterprise plan is required.
- user.two-factor.success - When a user submits a correct answer to a two-factor challenge. Available since 1.68.0. Note: an Enterprise plan is required.
- user.update - When a user is updated
- user.update.complete - When a user update transaction has completed. Available since 1.30.0
tenant.eventConfiguration.events[type].enabledBooleanAvailable since 1.8.0Whether or not FusionAuth should send these types of events to any configured Webhooks.
tenant.eventConfiguration.events[type].transactionTypeStringAvailable since 1.8.0The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
- None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.
- Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.
- SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
- SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
- AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.
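The thresholds in the transaction type list above have boundary cases worth seeing in numbers: "50% or more" means a tie still commits, and "2/3 or more" rounds up. The following is an added example, not FusionAuth code; the function names, the sample events object, and the handling of disabled events and of zero webhooks are assumptions made for illustration.

```python
"""Added example: how many webhooks must succeed for each transactionType."""

TRANSACTION_TYPES = ("None", "Any", "SimpleMajority", "SuperMajority", "AbsoluteMajority")


def required_successes(transaction_type, webhook_count):
    """Return the smallest number of successful webhooks that allows a commit."""
    if transaction_type not in TRANSACTION_TYPES:
        raise ValueError(f"unknown transactionType: {transaction_type!r}")
    if webhook_count < 0:
        raise ValueError("webhook_count must not be negative")
    n = webhook_count
    if transaction_type == "None" or n == 0:
        # Assumption: with no webhooks configured there is nothing that can fail.
        return 0
    if transaction_type == "Any":
        return 1
    if transaction_type == "SimpleMajority":
        return (n + 1) // 2      # ceil(n / 2): "50% or more", so a tie commits
    if transaction_type == "SuperMajority":
        return (2 * n + 2) // 3  # ceil(2n / 3): "2/3 or more"
    return n                     # AbsoluteMajority: every webhook must succeed


def should_commit(events, event_type, outcomes):
    """Decide whether the transaction for one event commits.

    events   -- a tenant.eventConfiguration.events object (event type -> settings)
    outcomes -- one bool per configured webhook, True meaning the webhook succeeded
    """
    settings = events.get(event_type)
    if not settings or not settings.get("enabled", False):
        # Assumption: an event that is not sent to webhooks cannot block the commit.
        return True
    needed = required_successes(settings["transactionType"], len(outcomes))
    succeeded = sum(1 for ok in outcomes if ok)
    return succeeded >= needed


# Constructed sample of tenant.eventConfiguration.events (not taken from the page).
SAMPLE_EVENTS = {
    "user.create": {"enabled": True, "transactionType": "SimpleMajority"},
    "user.delete": {"enabled": True, "transactionType": "AbsoluteMajority"},
    "user.update": {"enabled": False, "transactionType": "AbsoluteMajority"},
    "user.login.success": {"enabled": True, "transactionType": "None"},
}

if __name__ == "__main__":
    for count in (1, 2, 3, 4, 5, 6):
        row = {t: required_successes(t, count) for t in TRANSACTION_TYPES}
        print(count, row)
    print(should_commit(SAMPLE_EVENTS, "user.create", [True, False]))
    print(should_commit(SAMPLE_EVENTS, "user.delete", [True, True, False]))
```

With SimpleMajority and two webhooks, one failure does not stop the commit; choose AbsoluteMajority when every downstream system must acknowledge the event.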
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
Value must be greater than 0 and less than or equal to 600.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the change password Id.
If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the change password Id. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSecondsIntegerAvailable since 1.11.0The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.lengthIntegerAvailable since 1.11.0The length of the secure generator used for generating the device code Id.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.typeStringAvailable since 1.11.0The type of the secure generator used for generating the device code Id. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the email verification Id.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the email verification Id. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.lengthIntegerAvailable since 1.27.0The length of the secure generator used for generating the email verification one time code.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.typeStringAvailable since 1.27.0The type of the secure generator used for generating the email verification one time code. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSecondsIntegerAvailable since 1.12.0The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.identityProviderConnectionTestTimeToLiveInSecondsIntegerAvailable since 1.65.0The time in seconds until an identity provider connection test Id is no longer valid and cannot be used by the Identity Provider Test API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.loginIntentTimeToLiveInSecondsIntegerAvailable since 1.53.0The time in seconds until a Login Timeout identifier is no longer valid to complete post-authentication steps in the OAuth workflow. Must be greater than 0.
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the passwordless login.
If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the passwordless login. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.lengthIntegerAvailable since 1.59.0The length of the secure generator used for generating the passwordless one-time login.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.typeStringAvailable since 1.59.0The type of the secure generator used for generating the passwordless one-time login. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.pendingAccountLinkTimeToLiveInSecondsIntegerAvailable since 1.28.0The number of seconds before the pending account link identifier is no longer valid to complete an account link request.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.lengthIntegerAvailable since 1.59.0The length of the secure generator used for generating the phone verification Id.
If the phoneVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the phoneVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.typeStringAvailable since 1.59.0The type of the secure generator used for generating the phone verification Id. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.phoneVerificationIdTimeToLiveInSecondsIntegerAvailable since 1.59.0The time in seconds until a phone verification Id is no longer valid and cannot be used by the Verify Phone API.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.lengthIntegerAvailable since 1.59.0The length of the secure generator used for generating the phone verification one time code.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.typeStringAvailable since 1.59.0The type of the secure generator used for generating the phone verification one time code. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the registration verification Id.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the registration verification Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.lengthIntegerAvailable since 1.27.0The length of the secure generator used for generating the registration verification one time code.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.typeStringAvailable since 1.27.0The type of the secure generator used for generating the registration verification one time code. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSecondsIntegerAvailable since 1.50.0The time in seconds until remembered OAuth scope consent choices are no longer valid, and the User will be prompted to consent to requested OAuth scopes even if they have not changed. Applies only when application.oauthConfiguration.consentMode is set to RememberDecision. Value must be greater than 0.
tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSecondsIntegerAvailable since 1.19.0The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the setup password Id.
If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the setup password Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.trustTokenTimeToLiveInSecondsIntegerAvailable since 1.33.0The number of seconds before the Trust Token is no longer valid to complete a request that requires trust. Value must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a two-factor Id is no longer valid and cannot be used by the Two-Factor Login API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the two-factor one time code Id.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the two-factor code Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdTimeToLiveInSecondsIntegerAvailable since 1.26.0The number of seconds before the Two-Factor One Time Code used to enable or disable a two-factor method is no longer valid. Must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until an issued Two-Factor trust Id is no longer valid and the User will be required to complete Two-Factor authentication during the next authentication attempt. Value must be greater than 0.
tenant.externalIdentifierConfiguration.webAuthnAuthenticationChallengeTimeToLiveInSecondsIntegerAvailable since 1.41.0The time in seconds until a WebAuthn authentication challenge is no longer valid and the User will be required to restart the WebAuthn authentication ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.get API call. Value must be greater than 0.
tenant.externalIdentifierConfiguration.webAuthnRegistrationChallengeTimeToLiveInSecondsIntegerAvailable since 1.41.0The time in seconds until a WebAuthn registration challenge is no longer valid and the User will be required to restart the WebAuthn registration ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.create API call. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.actionCancelPolicy.onPasswordResetBooleanAvailable since 1.42.0Indicates whether you want the user to be able to self-service unlock their account prior to the action duration by completing a password reset workflow.
tenant.failedAuthenticationConfiguration.actionDurationLongAvailable since 1.8.0The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.actionDurationUnitStringAvailable since 1.8.0The unit of time associated with a duration. The possible values are:
MINUTES, HOURS, DAYS, WEEKS, MONTHS, YEARS
tenant.failedAuthenticationConfiguration.emailUserStringoptionalAvailable since 1.42.0Indicates you would like to email the user when the user's account is locked due to this action being taken. This requires the User Action specified by the tenant.failedAuthenticationConfiguration.userActionId to also be configured for email. If the User Action is not configured to be able to email the user, this configuration will be ignored. See userEmailingEnabled on the User Action.
tenant.failedAuthenticationConfiguration.resetCountInSecondsIntegerAvailable since 1.8.0The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.
tenant.failedAuthenticationConfiguration.tooManyAttemptsIntegerAvailable since 1.8.0The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.userActionIdUUIDAvailable since 1.8.0The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
tenant.familyConfiguration.allowChildRegistrationsBooleanAvailable since 1.8.0Whether to allow child registrations.
tenant.familyConfiguration.confirmChildEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use when confirming a child.
tenant.familyConfiguration.deleteOrphanedAccountsBooleanAvailable since 1.8.0Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.
tenant.familyConfiguration.deleteOrphanedAccountsDaysIntegerAvailable since 1.8.0The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.
tenant.familyConfiguration.enabledBooleanAvailable since 1.8.0Whether family configuration is enabled.
tenant.familyConfiguration.familyRequestEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use when a family request is made.
tenant.familyConfiguration.maximumChildAgeIntegerAvailable since 1.8.0The maximum age of a child. Value must be greater than 0.
tenant.familyConfiguration.minimumOwnerAgeIntegerAvailable since 1.8.0The minimum age to be an owner. Value must be greater than 0.
tenant.familyConfiguration.parentEmailRequiredBooleanAvailable since 1.8.0Whether a parent email is required.
tenant.familyConfiguration.parentRegistrationEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use for parent registration.
tenant.formConfiguration.adminUserFormIdUUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.
tenant.httpSessionMaxInactiveIntervalIntegerAvailable since 1.8.0Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.
tenant.idUUIDThe unique identifier for this Tenant.
tenant.insertInstantLongThe instant that the Tenant was added to the FusionAuth database.
tenant.issuerStringAvailable since 1.8.0The named issuer used to sign tokens. This is generally your public fully qualified domain with the https:// protocol prefix. For example, https://example.com.
tenant.jwtConfiguration.accessTokenKeyIdUUIDAvailable since 1.8.0The unique id of the signing key used to sign the access token.
tenant.jwtConfiguration.idTokenKeyIdUUIDAvailable since 1.8.0The unique id of the signing key used to sign the Id token.
tenant.jwtConfiguration.refreshTokenExpirationPolicyStringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed - the expiration is calculated from the time the token is issued.
SlidingWindow - the expiration is calculated from the last time the token was used.
SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
tenant.jwtConfiguration.refreshTokenOneTimeUseConfiguration.gracePeriodInSecondsIntegerAvailable since 1.55.1The length of time specified in seconds that a one-time use token can be reused.
This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.
Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPreventedBooleanAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onMultiFactorEnableBooleanAvailable since 1.42.0When enabled, all of a user's refresh tokens will be revoked when the user enables multi-factor authentication for the first time. This policy will not be applied when adding subsequent multi-factor methods to the user.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuseBooleanAvailable since 1.55.1When enabled, if a one-time use refresh token is reused, the token will be revoked. This does not cause all refresh tokens to be revoked, only the reused token is revoked.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChangedBooleanAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user changes their password.
tenant.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutesIntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime.
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutesIntegerAvailable since 1.8.0The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.
tenant.jwtConfiguration.refreshTokenUsagePolicyStringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable - the token does not change after it was issued.
OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
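The OneTimeUse policy, gracePeriodInSeconds and onOneTimeTokenReuse fields above interact, so the following Python model (an added example, not FusionAuth code) replays one superseded token value against different settings. The class and function names are hypothetical, and two behaviours are assumptions: a reused value outside the grace period is simply rejected when onOneTimeTokenReuse is false, and revoking "the reused token" also invalidates its current value.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class RefreshTokenModel:
    """Hypothetical model of one refresh token under refreshTokenUsagePolicy=OneTimeUse."""
    grace_period: int        # refreshTokenOneTimeUseConfiguration.gracePeriodInSeconds
    revoke_on_reuse: bool    # refreshTokenRevocationPolicy.onOneTimeTokenReuse
    current: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    rotated_at: dict = field(default_factory=dict)  # superseded value -> time it was rotated
    revoked: bool = False

    def refresh(self, presented, now):
        """Return (outcome, token value handed back to the caller or None)."""
        if self.revoked:
            return "rejected:revoked", None
        if presented == self.current:
            # Normal one-time use: the value changes and the caller must store the new one.
            self.rotated_at[presented] = now
            self.current = secrets.token_urlsafe(16)
            return "rotated", self.current
        if presented in self.rotated_at:
            age = now - self.rotated_at[presented]
            if self.grace_period > 0 and age <= self.grace_period:
                # Reuse inside the grace period: current value returned, no rotation,
                # and the reuse is not considered for revocation.
                return "grace", self.current
            if self.revoke_on_reuse:
                self.revoked = True
                return "rejected:reuse-revoked", None
            return "rejected:stale", None  # assumption: rejected, token stays usable
        return "rejected:unknown", None


def run_scenario(grace_period, revoke_on_reuse):
    """Replay a constructed timeline and return the outcome of each refresh call."""
    model = RefreshTokenModel(grace_period, revoke_on_reuse)
    client = first = model.current
    outcomes = []
    # "client" presents its latest stored value; "copy" presents the first, superseded value.
    timeline = [(0, "client"), (3, "copy"), (60, "client"), (120, "copy"), (180, "client")]
    for now, who in timeline:
        outcome, token = model.refresh(client if who == "client" else first, now)
        if who == "client" and token:
            client = token
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    for grace, revoke in [(5, True), (5, False), (0, True), (300, True)]:
        print(f"grace={grace:<3} onOneTimeTokenReuse={revoke}: {run_scenario(grace, revoke)}")
```

With a 300 second grace period the superseded value presented at t=120 is still answered with the current token, which is why the reference advises keeping the grace period as small as possible.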
tenant.jwtConfiguration.timeToLiveInSecondsIntegerAvailable since 1.8.0The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.
tenant.lambdaConfiguration.loginValidationIdUUIDAvailable since 1.53.0The Id of the lambda that will be invoked at the end of a successful login request in order to extend custom validation of a login request.
tenant.lambdaConfiguration.multiFactorRequirementIdUUIDoptionalAvailable since 1.62.0The Id of the lambda that will be invoked during logins, password changes, and MFA Status API calls to perform various validations to decide whether to challenge the user on one of their MFA methods.
tenant.lambdaConfiguration.scimEnterpriseUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM Enterprise User request to a FusionAuth User.
tenant.lambdaConfiguration.scimEnterpriseUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth Enterprise User to a SCIM Server response.
tenant.lambdaConfiguration.scimGroupRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM Group Request Lambda that will be used to convert the SCIM Group request to a FusionAuth Group.
tenant.lambdaConfiguration.scimGroupResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM GroupResponse Lambda that will be used to convert a FusionAuth Group to a SCIM Server response.
tenant.lambdaConfiguration.scimUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM User request to a FusionAuth User.
tenant.lambdaConfiguration.scimUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth User to a SCIM Server response.
tenant.lastUpdateInstantLongThe instant that the Tenant was last updated in the FusionAuth database.
tenant.loginConfiguration.requireAuthenticationBooleanAvailable since 1.26.0Indicates whether to require an API key for the Login API when an applicationId is not provided. When an applicationId is provided to the Login API call, the application configuration will take precedence.
tenant.logoutURLStringAvailable since 1.8.0The logout redirect URL when sending the user's browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
tenant.maximumPasswordAge.daysIntegerAvailable since 1.8.0The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when tenant.maximumPasswordAge.enabled is set to true.
tenant.maximumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the maximum password age is enabled and being enforced.
tenant.minimumPasswordAge.secondsIntegerAvailable since 1.8.0The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when tenant.minimumPasswordAge.enabled is set to true.
tenant.minimumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the minimum password age is enabled and being enforced.
tenant.multiFactorConfiguration.authenticator.algorithmStringAvailable since 1.26.0The algorithm used by the TOTP authenticator. This value is HmacSHA1 and read only.
tenant.multiFactorConfiguration.authenticator.codeLengthIntegerAvailable since 1.26.0The length of the code generated by the TOTP. This value is 6 and read only.
tenant.multiFactorConfiguration.authenticator.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an authenticator application to complete a multi-factor authentication request. This method uses TOTP (Time-Based One-Time Password) as defined in RFC 6238 and often uses a native mobile app such as Google Authenticator.
tenant.multiFactorConfiguration.authenticator.timeStepIntegerAvailable since 1.26.0The time-step size in seconds. This value is 30 and read only.
tenant.multiFactorConfiguration.email.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an email address to complete a two-factor authentication request.
tenant.multiFactorConfiguration.email.templateIdUUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a two-factor authentication request.
tenant.multiFactorConfiguration.sms.enabledBooleanAvailable since 1.26.0When enabled, users may utilize a mobile phone number to complete a two-factor authentication request.
tenant.multiFactorConfiguration.sms.messengerIdUUIDAvailable since 1.26.0The messenger that is used to deliver a SMS two-factor authentication request.
tenant.multiFactorConfiguration.sms.templateIdUUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a two-factor authentication request.
tenant.multiFactorConfiguration.voice.enabledBooleanAvailable since 1.65.0When enabled, users can receive a spoken multi-factor authentication code over a phone call.
tenant.multiFactorConfiguration.voice.messengerIdUUIDAvailable since 1.65.0The messenger that is used to deliver a voice two-factor authentication request.
tenant.multiFactorConfiguration.voice.templateIdUUIDAvailable since 1.65.0The Id of the voice template that is used when notifying a user to complete a two-factor authentication request.
tenant.nameStringThe unique name of the Tenant.
tenant.oauthConfiguration.clientCredentialsAccessTokenPopulateLambdaIdUUIDAvailable since 1.26.0The Id of a lambda that will be called to populate the JWT during a client credentials grant.
tenant.passwordEncryptionConfiguration.encryptionSchemeStringAvailable since 1.8.0The default method for encrypting the User's password. The following encryptors are provided with FusionAuth:
tenant.passwordEncryptionConfiguration.encryptionSchemeFactorIntegerAvailable since 1.8.0The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLoginBooleanAvailable since 1.8.0When enabled a user's hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.
Beginning in version 1.42.0 when this configuration is enabled, in addition to re-hashing on login, the password will be re-hashed on password change as well.
tenant.passwordValidationRules.breachDetection.enabledBooleanAvailable since 1.15.0Whether to enable Reactor breach detection. Requires an activated license.
tenant.passwordValidationRules.breachDetection.matchModeStringAvailable since 1.15.0The level of severity where Reactor will consider a breach. The following are valid values:
High - Only requires a password match, this is the most secure and is recommended
Medium - Exact match on username, email address or email sub-address
Low - Exact match on an email or username, or the password is a common breached value
tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateIdUUIDAvailable since 1.15.0The Id of the email template to use when notifying a user of a breached password.
tenant.passwordValidationRules.breachDetection.onLoginStringAvailable since 1.15.0The behavior when detecting breaches at time of user login. The following are valid values:
Off - Do not perform breach detection at login
RecordOnly - Only record the result, take no action
NotifyUser - Notify the end user via email
RequireChange - Require immediate password change
tenant.passwordValidationRules.maxLengthIntegerAvailable since 1.8.0The maximum length of a password when a new user is created or a user requests a password change.
tenant.passwordValidationRules.minLengthIntegerAvailable since 1.8.0The minimum length of a password when a new user is created or a user requests a password change.
tenant.passwordValidationRules.rememberPreviousPasswords.countIntegerAvailable since 1.8.0The number of previous passwords to remember. Value must be greater than 0.
tenant.passwordValidationRules.rememberPreviousPasswords.enabledBooleanAvailable since 1.8.0Whether to prevent a user from using any of their previous passwords.
tenant.passwordValidationRules.requireMixedCaseBooleanAvailable since 1.8.0Whether to force the user to use at least one uppercase and one lowercase character.
tenant.passwordValidationRules.requireNonAlphaBooleanAvailable since 1.8.0Whether to force the user to use at least one non-alphanumeric character.
tenant.passwordValidationRules.requireNumberBooleanAvailable since 1.8.0Whether to force the user to use at least one number.
tenant.passwordValidationRules.validateOnLoginBooleanAvailable since 1.15.0When enabled the user's password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.
tenant.phoneConfiguration.forgotPasswordTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template that is used when sending a user a forgot password message.
tenant.phoneConfiguration.identityUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their phone number has been updated. The message will be sent to both their new and old phone numbers.
tenant.phoneConfiguration.implicitPhoneVerificationAllowedBooleanoptionalDefaults to trueAvailable since 1.59.0When set to true, this allows a phone number to be verified as a result of completing a similar phone based workflow such as change password. When set to false, the user must explicitly complete the phone verification workflow even if the user has already completed a similar phone workflow such as change password.
tenant.phoneConfiguration.loginIdInUseOnCreateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to create an account with their login Id.
tenant.phoneConfiguration.loginIdInUseOnUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to update an existing account to use their login Id.
tenant.phoneConfiguration.loginNewDeviceTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they log in on a new device.
tenant.phoneConfiguration.loginSuspiciousTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a suspicious login using their login Id occurs.
tenant.phoneConfiguration.messengerIdUUIDAvailable since 1.59.0The messenger that is used to deliver SMS messages for phone number verification and passwordless logins.
tenant.phoneConfiguration.passwordlessTemplateIdUUIDAvailable since 1.59.0The Id of the Passwordless Message Template, sent to users when they start a passwordless login.
tenant.phoneConfiguration.passwordResetSuccessTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they have completed a 'forgot password' workflow and their password has been reset.
tenant.phoneConfiguration.passwordUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their password has been updated.
tenant.phoneConfiguration.setPasswordTemplateIdUUIDoptionalAvailable since 1.59.0The Id of the SMS Message Template used when a user must set their password manually after their account was created for them (by an admin, for example).
tenant.phoneConfiguration.adminTwoFactorMethodRemoveTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Message Template used to notify a user when an administrator removes one of their MFA methods.
tenant.phoneConfiguration.twoFactorMethodRemoveTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a MFA method has been removed from their account.
tenant.phoneConfiguration.twoFactorMethodAddTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a MFA method has been added to their account.
tenant.phoneConfiguration.unverified.allowPhoneNumberChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.59.0When this value is set to true, the user is allowed to change their phone number when they are gated because they haven't verified their phone number.
tenant.phoneConfiguration.unverified.behaviorStringAvailable since 1.59.0The desired behavior during login for a user that does not have a verified phone number. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.phoneConfiguration.verificationCompleteTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to notify a user that their phone number has been verified.
tenant.phoneConfiguration.verificationStrategyStringAvailable since 1.59.0The process by which the user will verify their phone number. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.phoneConfiguration.unverified.behavior has the Gated value.
tenant.phoneConfiguration.verificationTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send SMS messages to users to verify that their phone number is valid.
tenant.phoneConfiguration.verifyPhoneNumberBooleanAvailable since 1.59.0Whether a user's phone number is verified when they register with your application.
tenant.rateLimitConfiguration.failedLogin.limitIntegerAvailable since 1.30.0The number of times a user can fail to login within the configured timePeriodInSeconds duration. If a Failed authentication action has been configured then it will take precedence.
tenant.rateLimitConfiguration.failedLogin.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can fail login before being rate limited.
tenant.rateLimitConfiguration.forgotPassword.limitIntegerAvailable since 1.30.0The number of times a user can request a forgot password email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.forgotPassword.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a forgot password email before being rate limited.
tenant.rateLimitConfiguration.sendEmailVerification.limitIntegerAvailable since 1.30.0The number of times a user can request a verification email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendEmailVerification.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a verification email before being rate limited.
tenant.rateLimitConfiguration.sendPasswordless.limitIntegerAvailable since 1.30.0The number of times a user can request a passwordless login email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPasswordless.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a passwordless login email before being rate limited.
tenant.rateLimitConfiguration.sendPasswordlessPhone.limitIntegerAvailable since 1.59.0The number of times a user can request a passwordless login SMS message within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPasswordlessPhone.timePeriodInSecondsIntegerAvailable since 1.59.0The duration for the number of times a user can request a passwordless login SMS message before being rate limited.
tenant.rateLimitConfiguration.sendPhoneVerification.limitIntegerAvailable since 1.59.0The number of times a user can request a phone verification message within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPhoneVerification.timePeriodInSecondsIntegerAvailable since 1.59.0The duration for the number of times a user can request a phone verification message before being rate limited.
tenant.rateLimitConfiguration.sendRegistrationVerification.limitIntegerAvailable since 1.30.0The number of times a user can request a registration verification email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendRegistrationVerification.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a registration verification email before being rate limited.
tenant.rateLimitConfiguration.sendTwoFactor.limitIntegerAvailable since 1.30.0The number of times a user can request a two-factor code by email or SMS within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendTwoFactor.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a two-factor code by email or SMS before being rate limited.
tenant.registrationConfiguration.blockedDomainsArray<String>optionalAvailable since 1.30.0A list of unique domains that are not allowed to register when self service is enabled.
tenant.scimServerConfiguration.clientEntityTypeIdUUIDAvailable since 1.36.0The Entity Type that will be used to represent SCIM Clients for this tenant.
tenant.scimServerConfiguration.enabledBooleanAvailable since 1.36.0Whether or not this tenant has the SCIM endpoints enabled.
tenant.scimServerConfiguration.schemasMapAvailable since 1.36.0JSON formatted as a SCIM Schemas endpoint response. Because the SCIM lambdas may modify the JSON response, ensure the Schema's response matches that generated by the response lambdas. More about Schema definitions.
tenant.scimServerConfiguration.serverEntityTypeIdUUIDAvailable since 1.36.0The Entity Type that will be used to represent SCIM Servers for this tenant.
tenant.ssoConfiguration.deviceTrustTimeToLiveInSecondsIntegerAvailable since 1.30.2The number of seconds before a trusted device is reset. When reset, a user is forced to complete captcha during login and complete two-factor authentication if applicable.
tenant.ssoConfiguration.allowAccessTokenBootstrapBooleanAvailable since 1.56.0When enabled, an SSO session can be created after login by providing an access token as a bearer token in a request to the OAuth2 Authorize endpoint.
tenant.stateStringAvailable since 1.22.0The current state of the tenant. The following are valid values:
Active - The tenant is active.
PendingDelete - A delete request has been requested and is being processed.
tenant.themeIdUUIDAvailable since 1.8.0The unique Id of the theme to be used to style the login page and other end user templates.
tenant.userDeletePolicy.unverified.enabledBooleanAvailable since 1.13.0Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.
tenant.userDeletePolicy.unverified.enabledInstantLongAvailable since 1.48.0The instant that this policy was enabled.
Users created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for users created after this policy was enabled. If you would like to delete users created prior to this policy being enabled that have an unverified email address, you can use the User Search API or User Bulk Delete API to search on the insertInstant and verified fields to identify users that you would like to delete.
For example, the following query string will return users that were created at least 7 days ago that have not verified their email address.
insertInstant:<now-7d AND verified:false
Please note that prior to version 1.48.0, when enabling this policy all users with an unverified email were eligible for deletion.
tenant.userDeletePolicy.unverified.numberOfDaysToRetainIntegerAvailable since 1.13.0The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.
tenant.usernameConfiguration.unique.enabledBooleanAvailable since 1.27.0When true, FusionAuth will handle username collisions by generating a random suffix. Users with colliding usernames will be able to use the same one, but in the admin and API interfaces, a unique username will be displayed.
tenant.usernameConfiguration.unique.numberOfDigitsIntegerAvailable since 1.27.0The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and will be 1 or more digits up to this configured value in length. For example, if this value is 5, the suffix will be a number between 00001 and 99999, inclusive.
tenant.usernameConfiguration.unique.separatorStringAvailable since 1.27.0A single character used to separate the requested username from the unique suffix that is added when a duplicate username is detected. This value can be a single non-alphanumeric ASCII character.
tenant.usernameConfiguration.unique.strategyStringAvailable since 1.29.0This strategy instructs FusionAuth when to append a unique suffix to the username. The possible values are:
Always - Always append a unique suffix even when the requested username is not in use.
OnCollision - Only append a unique suffix when the requested username is in use.
tenant.webAuthnConfiguration.bootstrapWorkflow.authenticatorAttachmentPreferenceStringAvailable since 1.41.0The authenticator attachment requirement for WebAuthn passkey registration when using the bootstrap workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenant.webAuthnConfiguration.bootstrapWorkflow.enabledBooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled.
tenant.webAuthnConfiguration.bootstrapWorkflow.userVerificationRequirementStringAvailable since 1.41.0The user verification requirement for WebAuthn passkey registration and authentication when using the bootstrap workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenant.webAuthnConfiguration.debugBooleanAvailable since 1.41.0Whether debug event log output is enabled for WebAuthn.
tenant.webAuthnConfiguration.enabledBooleanAvailable since 1.41.0Whether WebAuthn configuration is enabled.
tenant.webAuthnConfiguration.reauthenticationWorkflow.authenticatorAttachmentPreferenceStringAvailable since 1.41.0The authenticator attachment requirement for WebAuthn passkey registration when using the reauthentication workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenant.webAuthnConfiguration.reauthenticationWorkflow.enabledBooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled.
tenant.webAuthnConfiguration.reauthenticationWorkflow.userVerificationRequirementStringAvailable since 1.41.0The user verification requirement for WebAuthn passkey registration and authentication when using the reauthentication workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenant.webAuthnConfiguration.relyingPartyIdStringAvailable since 1.41.0The Relying Party Id the tenant will use in WebAuthn ceremonies. Passkeys can only be used to authenticate on sites using the same Relying Party Id they were registered with.
The default value is null, which instructs the WebAuthn JavaScript API to use the browser origin.
tenant.webAuthnConfiguration.relyingPartyNameStringAvailable since 1.41.0The Relying Party name the tenant will use in WebAuthn ceremonies. This value is used only for display and may be shown by browser or OS dialogs during WebAuthn ceremonies.
If no value is configured, the tenant.issuer value will be used.
Example Response JSON
{
"tenant": {
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"baseURL": "https://example.com",
"configured": true,
"captchaConfiguration": {
"captchaMethod": "GoogleRecaptchaV3",
"enabled": true,
"secretKey": "6LdYWpMbAAAAAKhcksgk70us00012r66r96tt7rp",
"siteKey": "6LdYWpMbAAAAAKhcksgk75tz00022r66ombcfadr",
"threshold": 0.5
},
"connectorPolicies": [
{
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"domains": [
"*"
],
"migrate": false
},
{
"connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
"domains": [
"*"
],
"migrate": true
}
],
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"additionalHeaders": [
{
"name": "X-SES-CONFIGURATION-SET",
"value": "example_configuration_set_name"
}
],
"defaultFromEmail": "jared@piedpiper.com",
"defaultFromName": "Jared Dunn",
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"implicitEmailVerificationAllowed": true,
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d",
"unverified": {
"allowEmailChangeWhenGated": false,
"behavior": "Gated"
},
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verificationStrategy": "FormField",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.password.breach": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"deviceCodeTimeToLiveInSeconds": 1800,
"deviceUserCodeIdGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"emailVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"externalAuthenticationIdTimeToLiveInSeconds": 300,
"loginIntentTimeToLiveInSeconds": 1800,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"pendingAccountLinkTimeToLiveInSeconds": 3600,
"phoneVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"phoneVerificationIdTimeToLiveInSeconds": 86400,
"phoneVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"registrationVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"rememberOAuthScopeConsentChoiceTimeToLiveInSeconds": 2592000,
"samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"trustTokenTimeToLiveInSeconds": 180,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorOneTimeCodeIdGenerator": {
"length": 6,
"type": "randomDigits"
},
"twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000,
"webAuthnAuthenticationChallengeTimeToLiveInSeconds": 180,
"webAuthnRegistrationChallengeTimeToLiveInSeconds": 180
},
"failedAuthenticationConfiguration": {
"actionCancelPolicy": {
"onPasswordReset": false
},
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"emailUser": false,
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"formConfiguration": {
"adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"insertInstant": 1572469040579,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenExpirationPolicy": "Fixed",
"refreshTokenRevocationPolicy": {
"onLoginPrevented": true,
"onMultiFactorEnable": true,
"onPasswordChanged": true
},
"refreshTokenTimeToLiveInMinutes": 43200,
"refreshTokenUsagePolicy": "Reusable",
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"loginValidationId": "c0dd79db-38dd-424b-b77a-4dccaad71052",
"scimEnterpriseUserRequestConverterId": "c2e70f8d-19bb-4df7-848a-33a9a1e26b84",
"scimEnterpriseUserResponseConverterId": "44fc9553-8a2e-408f-8aa2-fa65b70b55e2",
"scimGroupRequestConverterId": "66d65de0-1819-42f8-86ed-7daaa4e155dc",
"scimGroupResponseConverterId": "79812ede-432f-4375-9b43-23c0fe996fef",
"scimUserRequestConverterId": "8a51d7a1-5e3e-442a-b96a-0c31379bb3d4",
"scimUserResponseConverterId": "c8720843-dc4f-4e6c-b6ca-500e9c44695f"
},
"lastUpdateInstant": 1595361143101,
"loginConfiguration": {
"requireAuthentication": true
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"multiFactorConfiguration": {
"authenticator": {
"algorithm": "HmacSHA1",
"codeLength": 6,
"enabled": true,
"timeStep": 30
},
"email": {
"enabled": true,
"templateId": "d312fb71-d7d8-4b75-a497-6096a07220b3"
},
"loginPolicy": "Enabled",
"sms": {
"enabled": true,
"messengerId": "0a4bae38-ffef-4c33-b74c-1d50c796f600",
"templateId": "f35e04e6-72ec-4f52-b552-29cf950a4ed6"
}
},
"name": "Playtronics Co.",
"oauthConfiguration": {
"clientCredentialsAccessTokenPopulateLambdaId": "46e120c1-4c22-473f-95b4-e2c187cd20c2"
},
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"breachDetection": {
"enabled": true,
"notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"matchMode": "High",
"onLogin": "Off"
},
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true,
"validateOnLogin": false
},
"phoneConfiguration": {
"forgotPasswordTemplateId": "f90c8a8f-db77-4f2f-a3dd-5f692faf5d55",
"identityUpdateTemplateId": "77df7e94-2dbf-44ab-b58c-06ac4224c449",
"implicitPhoneVerificationAllowed": false,
"loginIdInUseOnCreateTemplateId": "7880dac6-809b-489e-8a69-363b043dd0f4",
"loginIdInUseOnUpdateTemplateId": "de14b495-a358-4941-bb6b-0ddce04370ef",
"loginNewDeviceTemplateId": "d77ac611-ddff-4a06-903c-fafe5c1f9f7a",
"loginSuspiciousTemplateId": "73a8408a-e857-4ce2-82bb-d15b94d7c709",
"messengerId": "22a2ec45-39de-439a-a41c-eb7666b3b051",
"passwordResetSuccessTemplateId": "6a0f3a7a-3511-4936-a546-3bd8f68dbdd3",
"passwordUpdateTemplateId": "3ca81208-5678-434f-92b8-7fcc3b62bc7a",
"passwordlessTemplateId": "e8449783-60a7-483f-8c66-bcdf0d05705f",
"setPasswordTemplateId": "a6655c95-d94c-4dea-8191-0190f562bc39",
"twoFactorMethodAddTemplateId": "c450521d-7f39-4a21-ba02-ced83225efcc",
"twoFactorMethodRemoveTemplateId": "fba4fe64-3a29-45f8-895f-520d73d93659",
"unverified": {
"allowPhoneNumberChangeWhenGated": false,
"behavior": "Allow"
},
"verificationCompleteTemplateId": "7b6b80bd-e3a5-42ff-b333-93ef37c192df",
"verificationStrategy": "ClickableLink",
"verificationTemplateId": "c96ed02d-fbc6-4b27-9e74-54444747d18a",
"verifyPhoneNumber": true
},
"rateLimitConfiguration": {
"failedLogin": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"forgotPassword": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendEmailVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordless": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordlessPhone": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPhoneVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendRegistrationVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendTwoFactor": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
}
},
"registrationConfiguration": {},
"scimServerConfiguration": {
"clientEntityTypeId": "d9ed49f7-1106-4b20-acdb-5cbda76ae77e",
"enabled": true,
"serverEntityTypeId": "919e0ac5-1cf0-4fcf-a8fc-29d77a0d1d8f",
"schemas": {}
},
"ssoConfiguration": {
"allowAccessTokenBootstrap": false,
"deviceTrustTimeToLiveInSeconds": 31536000
},
"state": "Active",
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"usernameConfiguration": {
"unique": {
"enabled": false,
"numberOfDigits": 5,
"separator": "#",
"strategy": "OnCollision"
}
},
"webAuthnConfiguration": {
"enabled": true,
"bootstrapWorkflow": {
"authenticatorAttachmentPreference": "crossPlatform",
"enabled": true,
"userVerificationRequirement": "required"
},
"debug": false,
"reauthenticationWorkflow": {
"authenticatorAttachmentPreference": "platform",
"enabled": true,
"userVerificationRequirement": "required"
},
"relyingPartyId": "piedpiper.com",
"relyingPartyName": "Pied Piper"
}
}
}
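The response above carries credentials (`captchaConfiguration.secretKey`, `emailConfiguration.password`) next to the tenant's security settings, so it should be redacted before it is logged and it can be reviewed automatically. The following is an added example, not FusionAuth's own code: which settings count as findings is this example's assumed policy, the helper names are hypothetical, and treating a missing `enabled` flag as false is an assumption.

```python
import copy

# Constructed sample: a trimmed tenant response. Field names follow the example
# response on this page; some values are changed to exercise the checks.
SAMPLE_RESPONSE = {
    "tenant": {
        "name": "Playtronics Co.",
        "captchaConfiguration": {
            "captchaMethod": "GoogleRecaptchaV3",
            "enabled": True,
            "secretKey": "constructed-captcha-secret",
            "siteKey": "constructed-captcha-site-key",
        },
        "emailConfiguration": {
            "host": "smtp.sendgrid.net",
            "port": 587,
            "security": "TLS",
            "username": "username",
            "password": "constructed-smtp-password",
        },
        "rateLimitConfiguration": {
            "failedLogin": {"enabled": False, "limit": 5, "timePeriodInSeconds": 60},
            "forgotPassword": {"enabled": True, "limit": 5, "timePeriodInSeconds": 60},
            "sendTwoFactor": {"enabled": False, "limit": 5, "timePeriodInSeconds": 60},
        },
        "webAuthnConfiguration": {
            "enabled": True,
            "bootstrapWorkflow": {"enabled": True, "userVerificationRequirement": "preferred"},
            "reauthenticationWorkflow": {"enabled": True, "userVerificationRequirement": "required"},
        },
    }
}

# Fields of the tenant object whose values are credentials.
SECRET_PATHS = ("captchaConfiguration.secretKey", "emailConfiguration.password")
REDACTED = "***REDACTED***"


def lookup(obj, dotted, default=None):
    """Walk a dotted path through nested dicts; return default if any key is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def redact_tenant(response):
    """Return a deep copy of the response with credential values replaced."""
    redacted = copy.deepcopy(response)
    tenant = redacted.get("tenant", {})
    for path in SECRET_PATHS:
        parent_path, leaf = path.rsplit(".", 1)
        parent = lookup(tenant, parent_path)
        if isinstance(parent, dict) and parent.get(leaf):
            parent[leaf] = REDACTED
    return redacted


def audit_tenant(response):
    """Return a list of (field path, finding) tuples for settings worth reviewing."""
    tenant = response.get("tenant", {})
    findings = []

    # Every rate-limited action should have its limit switched on.
    for action, cfg in sorted(tenant.get("rateLimitConfiguration", {}).items()):
        if not cfg.get("enabled", False):
            findings.append((f"rateLimitConfiguration.{action}.enabled",
                             "rate limit is not enabled"))

    # The page documents NONE as the default and TLS as the preferred protocol.
    security = lookup(tenant, "emailConfiguration.security", "NONE")
    if security != "TLS":
        findings.append(("emailConfiguration.security",
                         f"SMTP security is {security}, not TLS"))

    # Enabled WebAuthn workflows should require user verification.
    if lookup(tenant, "webAuthnConfiguration.enabled", False):
        for workflow in ("bootstrapWorkflow", "reauthenticationWorkflow"):
            cfg = lookup(tenant, f"webAuthnConfiguration.{workflow}", {})
            requirement = cfg.get("userVerificationRequirement")
            if cfg.get("enabled") and requirement != "required":
                findings.append((f"webAuthnConfiguration.{workflow}.userVerificationRequirement",
                                 f"user verification is {requirement}, not required"))

    # CAPTCHA defaults to disabled when not configured.
    if not lookup(tenant, "captchaConfiguration.enabled", False):
        findings.append(("captchaConfiguration.enabled", "CAPTCHA is not enabled"))

    return findings


if __name__ == "__main__":
    for path, finding in audit_tenant(SAMPLE_RESPONSE):
        print(f"tenant.{path}: {finding}")
    print(redact_tenant(SAMPLE_RESPONSE)["tenant"]["emailConfiguration"])
```

Run `audit_tenant` on the parsed JSON body of a tenant retrieval for each tenant, and pass the body through `redact_tenant` before it reaches logs or tickets.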
Retrieve a Tenant#
This API is used to retrieve a single Tenant by unique Id or all of the configured Tenants.
Request#
Request Parameters#
tenantIdUUIDrequiredThe unique Id of the Tenant to retrieve.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response#
The response for this API contains either a single Tenant or all of the Tenants. When you call this API with an Id the response will contain a single Tenant. When you call this API without an Id the response will contain all of the Tenants. Both response types are defined below along with an example JSON response.
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 404 | The object you requested doesn't exist. The response will be empty. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body#
tenant.accessControlConfiguration.uiIPAccessControlListIdUUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to all applications in this tenant.
tenant.baseURLStringAvailable since 1.68.0The default base URL used when rendering links in templates for this Tenant. This value is used when application.baseURL is not defined.
tenant.captchaConfiguration.captchaMethodStringAvailable since 1.30.0The type of captcha method to use.
tenant.captchaConfiguration.enabledBooleanAvailable since 1.30.0Whether captcha configuration is enabled.
tenant.captchaConfiguration.secretKeyStringAvailable since 1.30.0The secret key for this captcha method.
tenant.captchaConfiguration.siteKeyStringAvailable since 1.30.0The site key for this captcha method.
tenant.captchaConfiguration.thresholdFloatAvailable since 1.30.0The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.
tenant.configuredBooleanIndicates the tenant has been configured. It is always true, except for the default tenant when the setup wizard has not been completed, in which case it is false.
tenant.connectorPoliciesArrayAvailable since 1.18.0A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.
tenant.connectorPolicies[x].connectorIdUUIDAvailable since 1.18.0The identifier of the Connector to which this policy refers.
tenant.connectorPolicies[x].domainsStringAvailable since 1.18.0A list of email domains to which this connector should apply.
A value of ["*"] indicates this connector applies to all users.
tenant.connectorPolicies[x].migrateBooleanAvailable since 1.18.0If true, the user's data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector's source will be treated as authoritative.
tenant.dataObjectAn object that can hold any information about the Tenant that should be persisted.
tenant.emailConfiguration.additionalHeadersArray<Object>optionalAvailable since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenant.emailConfiguration.debugBooleanoptionalDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenant.emailConfiguration.defaultFromEmailStringoptionalAvailable since 1.16.0The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn jared@piedpiper.com).
tenant.emailConfiguration.defaultFromNameStringoptionalAvailable since 1.16.0The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn jared@piedpiper.com).
tenant.emailConfiguration.emailUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
tenant.emailConfiguration.emailVerifiedEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
tenant.emailConfiguration.forgotPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
tenant.emailConfiguration.hostStringoptionalDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.implicitEmailVerificationAllowedoptionalDefaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenant.emailConfiguration.loginIdInUseOnCreateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
tenant.emailConfiguration.loginIdInUseOnUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenant.emailConfiguration.loginNewDeviceEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
tenant.emailConfiguration.loginSuspiciousEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
tenant.emailConfiguration.passwordStringoptionalAvailable since 1.8.0An optional password FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.passwordlessEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenant.emailConfiguration.passwordResetSuccessEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
tenant.emailConfiguration.passwordUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
tenant.emailConfiguration.portIntegeroptionalDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.propertiesStringoptionalAvailable since 1.8.0Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
mail.smtp.timeout has a default value of 2000.
mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenant.emailConfiguration.securityStringoptionalDefaults to NONEAvailable since 1.8.0The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
NONE - no security will be used. All communications will be sent plaintext.
SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenant.emailConfiguration.setPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user has had their account created for them and must set their password manually. They are sent an email to set their password.
tenant.emailConfiguration.twoFactorMethodAddEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when an MFA method has been added to their account.
tenant.emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenant.emailConfiguration.twoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when an MFA method has been removed from their account.
tenant.emailConfiguration.unverified.allowEmailChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.27.0When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenant.emailConfiguration.unverified.behaviorStringoptionalDefaults to AllowAvailable since 1.27.0The desired behavior during login for a user that does not have a verified email. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.emailConfiguration.usernameStringoptionalAvailable since 1.8.0An optional username FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.verificationEmailTemplateIdUUIDoptionalThe Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenant.emailConfiguration.verificationStrategyStringoptionalAvailable since 1.27.0The process by which the user will verify their email address. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.emailConfiguration.unverified.behavior has the Gated value.
tenant.emailConfiguration.verifyEmailBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user registers with your application.
tenant.emailConfiguration.verifyEmailWhenChangedBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user changes them.
tenant.eventConfiguration.events Object Available since 1.8.0
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
audit-log.create - When an audit log is created. Available since 1.30.0
event-log.create - When an event log is created. Available since 1.30.0
jwt.public-key.update - When a JWT signing Public / Private keypair may have been changed
jwt.refresh - When an access token is refreshed using a refresh token. Available since 1.16.0
jwt.refresh-token.revoke - When a JWT Refresh Token is revoked
kickstart.success - When kickstart has successfully completed. Available since 1.30.0
user.action - When a user action is triggered
user.bulk.create - When multiple users are created in bulk (i.e. during an import)
user.create - When a user is created
user.create.complete - When a user create transaction has completed. Available since 1.30.0
user.deactivate - When a user is deactivated
user.delete - When a user is deleted
user.delete.complete - When a user delete transaction has completed. Available since 1.30.0
user.email.update - When a user updates their email address. Available since 1.30.0
user.email.verified - When a user verifies their email address. Available since 1.8.0
user.identity-provider.link - When a link is created from a user to an Identity Provider. Available since 1.36.0
user.identity-provider.unlink - When an existing Identity Provider link is removed from a User. Available since 1.36.0
user.identity.verified - When a user's identity is verified. Available since 1.59.0
user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.login.failed - When a user fails a login request. Available since 1.6.0
user.login.new-device - When a user begins a login request with a new device. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.login.success - When a user completes a login request. Available since 1.6.0
user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license). Available since 1.30.0. Note: You'll need an Enterprise plan.
user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license). Available since 1.15.0. Note: You'll need a paid plan.
user.password.reset.send - When a forgot password email has been sent to a user. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.password.reset.start - When the process to reset a user password has started. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.password.reset.success - When a user has successfully reset their password. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.password.update - When a user has updated their password. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.reactivate - When a user is reactivated
user.registration.create - When a user registration is created. Available since 1.6.0
user.registration.create.complete - When a user registration create transaction has completed. Available since 1.30.0
user.registration.delete - When a user registration is deleted. Available since 1.6.0
user.registration.delete.complete - When a user registration delete transaction has completed. Available since 1.30.0
user.registration.update - When a user registration is updated. Available since 1.6.0
user.registration.update.complete - When a user registration update transaction has completed. Available since 1.30.0
user.registration.verified - When a user completes registration verification. Available since 1.8.0
user.two-factor.challenge - When a user is presented a two-factor challenge. Available since 1.68.0. Note: You'll need an Enterprise plan.
user.two-factor.failed-attempt - When a user submits an incorrect answer to a two-factor challenge. Available since 1.68.0. Note: You'll need an Enterprise plan.
user.two-factor.method.add - When a user has added a two-factor method. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.two-factor.method.remove - When a user has removed a two-factor method. Available since 1.30.0. Note: You'll need an Enterprise plan.
user.two-factor.success - When a user submits a correct answer to a two-factor challenge. Available since 1.68.0. Note: You'll need an Enterprise plan.
user.update - When a user is updated
user.update.complete - When a user update transaction has completed. Available since 1.30.0
tenant.eventConfiguration.events[type].enabled Boolean Available since 1.8.0
Whether or not FusionAuth should send these types of events to any configured Webhooks.
tenant.eventConfiguration.events[type].transactionType String Available since 1.8.0
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.
Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.
SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.
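The thresholds in the transaction type list can be compared side by side. The following is an added example, not FusionAuth code: it applies the stated rules with integer arithmetic and tabulates how many Webhooks must succeed for 1 to 4 configured Webhooks. The function names are hypothetical, and it assumes at least one Webhook is configured.

```python
# Added example (not FusionAuth code): commit rule for each
# tenant.eventConfiguration.events[type].transactionType value.
TRANSACTION_TYPES = ("None", "Any", "SimpleMajority", "SuperMajority", "AbsoluteMajority")


def transaction_commits(transaction_type, succeeded, total):
    """Return True if the transaction would be committed under the stated rule.

    succeeded: number of Webhooks that succeeded
    total:     number of Webhooks configured (assumed to be at least 1)
    """
    if total < 1 or not 0 <= succeeded <= total:
        raise ValueError("need total >= 1 and 0 <= succeeded <= total")
    if transaction_type == "None":
        return True                           # no Webhook has to succeed
    if transaction_type == "Any":
        return succeeded >= 1                 # a single success is enough
    if transaction_type == "SimpleMajority":
        return 2 * succeeded >= total         # 50% or more
    if transaction_type == "SuperMajority":
        return 3 * succeeded >= 2 * total     # 2/3 or more
    if transaction_type == "AbsoluteMajority":
        return succeeded == total             # every Webhook
    raise ValueError(f"unknown transaction type: {transaction_type!r}")


def min_successes(transaction_type, total):
    """Smallest number of successful Webhooks that still commits."""
    return next(n for n in range(total + 1)
                if transaction_commits(transaction_type, n, total))


def quorum_table(max_webhooks=4):
    """Map each transaction type to its minimum successes for 1..max_webhooks."""
    return {t: [min_successes(t, n) for n in range(1, max_webhooks + 1)]
            for t in TRANSACTION_TYPES}


if __name__ == "__main__":
    for name, row in quorum_table().items():
        print(f"{name:17} {row}")
```

With two Webhooks configured, SimpleMajority commits when only one of them succeeds, because "50% or more" is inclusive; an event whose receiver must never be skipped needs AbsoluteMajority.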
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
Value must be greater than 0 and less than or equal to 600.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the change password Id.
If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the change password Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds Integer Available since 1.11.0
The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.length Integer Available since 1.11.0
The length of the secure generator used for generating the device code Id.
If the deviceUserCodeIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceUserCodeIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.type String Available since 1.11.0
The type of the secure generator used for generating the device code Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the email verification Id.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the email verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.length Integer Available since 1.27.0
The length of the secure generator used for generating the email verification one time code.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.type String Available since 1.27.0
The type of the secure generator used for generating the email verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds Integer Available since 1.12.0
The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.identityProviderConnectionTestTimeToLiveInSeconds Integer Available since 1.65.0
The time in seconds until an identity provider connection test Id is no longer valid and cannot be used by the Identity Provider Test API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.loginIntentTimeToLiveInSeconds Integer Available since 1.53.0
The time in seconds until a Login Timeout identifier is no longer valid to complete post-authentication steps in the OAuth workflow. Must be greater than 0.
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the passwordless login.
If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the passwordless login. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the passwordless one-time login.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the passwordless one-time login. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.pendingAccountLinkTimeToLiveInSeconds Integer Available since 1.28.0
The number of seconds before the pending account link identifier is no longer valid to complete an account link request.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the phone verification Id.
If the phoneVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the phoneVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the phone verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.phoneVerificationIdTimeToLiveInSeconds Integer Available since 1.59.0
The time in seconds until a phone verification Id is no longer valid and cannot be used by the Verify Phone API.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the phone verification one time code.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the phone verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the registration verification Id.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the registration verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.length Integer Available since 1.27.0
The length of the secure generator used for generating the registration verification one time code.
If the registrationVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.type String Available since 1.27.0
The type of the secure generator used for generating the registration verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds Integer Available since 1.50.0
The time in seconds until remembered OAuth scope consent choices are no longer valid, and the User will be prompted to consent to requested OAuth scopes even if they have not changed. Applies only when application.oauthConfiguration.consentMode is set to RememberDecision. Value must be greater than 0.
tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds Integer Available since 1.19.0
The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the setup password Id.
If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the setup password Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.trustTokenTimeToLiveInSeconds Integer Available since 1.33.0
The number of seconds before the Trust Token is no longer valid to complete a request that requires trust. Value must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a two-factor Id is no longer valid and cannot be used by the Two-Factor Login API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the two-factor one time code Id.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the two-factor code Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdTimeToLiveInSeconds Integer Available since 1.26.0
The number of seconds before the Two-Factor One Time Code used to enable or disable a two-factor method is no longer valid. Must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until an issued Two-Factor trust Id is no longer valid and the User will be required to complete Two-Factor authentication during the next authentication attempt. Value must be greater than 0.
tenant.externalIdentifierConfiguration.webAuthnAuthenticationChallengeTimeToLiveInSeconds Integer Available since 1.41.0
The time in seconds until a WebAuthn authentication challenge is no longer valid and the User will be required to restart the WebAuthn authentication ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.get API call. Value must be greater than 0.
tenant.externalIdentifierConfiguration.webAuthnRegistrationChallengeTimeToLiveInSeconds Integer Available since 1.41.0
The time in seconds until a WebAuthn registration challenge is no longer valid and the User will be required to restart the WebAuthn registration ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.create API call. Value must be greater than 0.
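The generator and time-to-live rules above can be checked before a tenant is created or updated. The following is an added example, not FusionAuth code: it audits a constructed externalIdentifierConfiguration object against the documented length bounds and TTL limits, and estimates the entropy of each generator. The function names, the 64-bit warning threshold and the alphabet sizes for randomAlpha and randomAlphaNumeric are assumptions, and the "greater than 0" TTL rule is applied to every TTL field, including the few for which the page does not state it.

```python
import math

# Length bounds per generator type, as stated in the field descriptions above.
LENGTH_BOUNDS = {
    "randomAlpha": (4, 12),
    "randomAlphaNumeric": (4, 12),
    "randomBytes": (16, 128),
    "randomDigits": (4, 12),
}

# Bits of entropy per unit of length. randomBytes and randomDigits follow from
# the type names. The alphabet sizes for the two alpha types (52 and 62
# symbols) are ASSUMPTIONS, not taken from the page.
BITS_PER_UNIT = {
    "randomAlpha": math.log2(52),
    "randomAlphaNumeric": math.log2(62),
    "randomBytes": 8.0,
    "randomDigits": math.log2(10),
}

# The only TTL for which the page documents an upper limit.
MAX_TTL_SECONDS = {"authorizationGrantIdTimeToLiveInSeconds": 600}


def generator_bits(gen_type, length):
    """Approximate entropy in bits of an identifier of this type and length."""
    return BITS_PER_UNIT[gen_type] * length


def _is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def audit_external_identifiers(cfg, min_bits=64.0):
    """Return (severity, field, message) findings for the configuration.

    severity is "error" for a value the API description rules out and "weak"
    for a valid generator below min_bits (an assumed review threshold).
    """
    findings = []
    for name in sorted(cfg):
        value = cfg[name]
        if name.endswith("Generator"):
            gen_type, length = value.get("type"), value.get("length")
            if gen_type not in LENGTH_BOUNDS:
                findings.append(("error", name, f"unknown type {gen_type!r}"))
                continue
            low, high = LENGTH_BOUNDS[gen_type]
            if not _is_int(length) or not low <= length <= high:
                findings.append(("error", name,
                                 f"length {length!r} not in {low}..{high} for {gen_type}"))
                continue
            bits = generator_bits(gen_type, length)
            if bits < min_bits:
                findings.append(("weak", name,
                                 f"about {bits:.0f} bits; relies on a short TTL and attempt limits"))
        elif name.endswith("TimeToLiveInSeconds"):
            limit = MAX_TTL_SECONDS.get(name)
            if not _is_int(value) or value <= 0:
                findings.append(("error", name, f"TTL {value!r} must be greater than 0"))
            elif limit is not None and value > limit:
                findings.append(("error", name, f"TTL {value} exceeds the maximum of {limit}"))
    return findings


# Constructed sample, not a real tenant.
SAMPLE_CONFIG = {
    "authorizationGrantIdTimeToLiveInSeconds": 900,                       # above 600
    "changePasswordIdGenerator": {"type": "randomBytes", "length": 32},
    "changePasswordIdTimeToLiveInSeconds": 600,
    "deviceUserCodeIdGenerator": {"type": "randomAlphaNumeric", "length": 6},
    "passwordlessLoginGenerator": {"type": "randomBytes", "length": 8},   # below 16
    "twoFactorIdTimeToLiveInSeconds": 0,                                  # not > 0
    "twoFactorOneTimeCodeIdGenerator": {"type": "randomDigits", "length": 6},
}

if __name__ == "__main__":
    for severity, field, message in audit_external_identifiers(SAMPLE_CONFIG):
        print(f"{severity:5} {field}: {message}")
```

A six-digit randomDigits code carries about 20 bits, so the matching TimeToLiveInSeconds value is what bounds guessing for the short, user-typed codes.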
tenant.failedAuthenticationConfiguration.actionCancelPolicy.onPasswordReset Boolean Available since 1.42.0
Indicates whether you want the user to be able to self-service unlock their account prior to the action duration by completing a password reset workflow.
tenant.failedAuthenticationConfiguration.actionDuration Long Available since 1.8.0
The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.actionDurationUnit String Available since 1.8.0
The unit of time associated with a duration. The possible values are:
MINUTES
HOURS
DAYS
WEEKS
MONTHS
YEARS
tenant.failedAuthenticationConfiguration.emailUser String optional Available since 1.42.0
Indicates you would like to email the user when the user's account is locked due to this action being taken. This requires the User Action specified by the tenant.failedAuthenticationConfiguration.userActionId to also be configured for email. If the User Action is not configured to be able to email the user, this configuration will be ignored. See userEmailingEnabled on the User Action.
tenant.failedAuthenticationConfiguration.resetCountInSeconds Integer Available since 1.8.0
The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.
tenant.failedAuthenticationConfiguration.tooManyAttempts Integer Available since 1.8.0
The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.userActionId UUID Available since 1.8.0
The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
tenant.familyConfiguration.allowChildRegistrations Boolean Available since 1.8.0
Whether to allow child registrations.
tenant.familyConfiguration.confirmChildEmailTemplateId UUID Available since 1.8.0
The unique Id of the email template to use when confirming a child.
tenant.familyConfiguration.deleteOrphanedAccounts Boolean Available since 1.8.0
Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.
tenant.familyConfiguration.deleteOrphanedAccountsDays Integer Available since 1.8.0
The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.
tenant.familyConfiguration.enabled Boolean Available since 1.8.0
Whether family configuration is enabled.
tenant.familyConfiguration.familyRequestEmailTemplateId UUID Available since 1.8.0
The unique Id of the email template to use when a family request is made.
tenant.familyConfiguration.maximumChildAge Integer Available since 1.8.0
The maximum age of a child. Value must be greater than 0.
tenant.familyConfiguration.minimumOwnerAge Integer Available since 1.8.0
The minimum age to be an owner. Value must be greater than 0.
tenant.familyConfiguration.parentEmailRequired Boolean Available since 1.8.0
Whether a parent email is required.
tenant.familyConfiguration.parentRegistrationEmailTemplateId UUID Available since 1.8.0
The unique Id of the email template to use for parent registration.
tenant.formConfiguration.adminUserFormId UUID Available since 1.20.0
The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.
tenant.httpSessionMaxInactiveInterval Integer Available since 1.8.0
Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.
tenant.id UUID
The unique identifier for this Tenant.
tenant.insertInstant Long
The instant that the Tenant was added to the FusionAuth database.
tenant.issuer String Available since 1.8.0
The named issuer used to sign tokens. This is generally your public fully qualified domain with the https:// protocol prefix. For example, https://example.com.
tenant.jwtConfiguration.accessTokenKeyId UUID Available since 1.8.0
The unique id of the signing key used to sign the access token.
tenant.jwtConfiguration.idTokenKeyId UUID Available since 1.8.0
The unique id of the signing key used to sign the Id token.
tenant.jwtConfiguration.refreshTokenExpirationPolicy String Available since 1.17.0
The Refresh Token expiration policy.
The possible values are:
Fixed - the expiration is calculated from the time the token is issued.
SlidingWindow - the expiration is calculated from the last time the token was used.
SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
tenant.jwtConfiguration.refreshTokenOneTimeUseConfiguration.gracePeriodInSeconds Integer Available since 1.55.1
The length of time specified in seconds that a one-time use token can be reused.
This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.
Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPrevented Boolean Available since 1.17.0
When enabled, all of a user's refresh tokens will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onMultiFactorEnable Boolean Available since 1.42.0
When enabled, all of a user's refresh tokens will be revoked when the user enables multi-factor authentication for the first time. This policy will not be applied when adding subsequent multi-factor methods to the user.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse Boolean Available since 1.55.1
When enabled, if a one-time use refresh token is reused, the token will be revoked. This does not cause all refresh tokens to be revoked, only the reused token is revoked.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged Boolean Available since 1.17.0
When enabled, all of a user's refresh tokens will be revoked when a user changes their password.
tenant.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes Integer Available since 1.46.0
The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime.
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes Integer Available since 1.8.0
The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.
tenant.jwtConfiguration.refreshTokenUsagePolicy String Available since 1.17.0
The refresh token usage policy. The following are valid values:
Reusable - the token does not change after it was issued.
OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
tenant.jwtConfiguration.timeToLiveInSeconds Integer Available since 1.8.0
The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.
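The three refreshTokenExpirationPolicy values differ most in how long a regularly used refresh token stays alive. The following is an added example, not FusionAuth code: it computes the expiration instant for each policy from the jwtConfiguration fields above and replays a constructed series of uses. The function names are hypothetical, and it assumes that the sliding window length is refreshTokenTimeToLiveInMinutes and that a use exactly at the expiration instant is rejected.

```python
from datetime import datetime, timedelta, timezone


def refresh_token_expiry(jwt_cfg, issued_at, last_used_at=None):
    """Expiration instant of a refresh token under the configured policy."""
    policy = jwt_cfg["refreshTokenExpirationPolicy"]
    ttl = timedelta(minutes=jwt_cfg["refreshTokenTimeToLiveInMinutes"])
    last = last_used_at or issued_at
    if policy == "Fixed":
        # Calculated from the time the token is issued.
        return issued_at + ttl
    if policy == "SlidingWindow":
        # Calculated from the last time the token was used.
        return last + ttl
    if policy == "SlidingWindowWithMaximumLifetime":
        # As SlidingWindow, but never later than issue time + maximum lifetime.
        maximum = timedelta(minutes=jwt_cfg["refreshTokenSlidingWindowConfiguration"]
                            ["maximumTimeToLiveInMinutes"])
        return min(last + ttl, issued_at + maximum)
    raise ValueError(f"unknown refreshTokenExpirationPolicy: {policy!r}")


def accepted_uses(jwt_cfg, issued_at, use_times):
    """Return the uses that arrive before the token expires, in order.

    Replay stops at the first use that finds the token expired. Assumption:
    a use exactly at the expiration instant is rejected.
    """
    accepted = []
    last = issued_at
    for moment in sorted(use_times):
        if moment >= refresh_token_expiry(jwt_cfg, issued_at, last):
            break
        accepted.append(moment)
        last = moment
    return accepted


# Constructed scenario: the token is used every 45 minutes, six times.
ISSUED = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
USES = [ISSUED + timedelta(minutes=45 * n) for n in range(1, 7)]


def sample_cfg(policy):
    """Constructed jwtConfiguration: 60 minute TTL, 180 minute maximum lifetime."""
    return {
        "refreshTokenExpirationPolicy": policy,
        "refreshTokenTimeToLiveInMinutes": 60,
        "refreshTokenSlidingWindowConfiguration": {"maximumTimeToLiveInMinutes": 180},
    }


if __name__ == "__main__":
    for policy in ("Fixed", "SlidingWindow", "SlidingWindowWithMaximumLifetime"):
        count = len(accepted_uses(sample_cfg(policy), ISSUED, USES))
        print(f"{policy:34} accepted {count} of {len(USES)} uses")
```

Under SlidingWindow every use in the series is accepted, so a token that keeps being used, including a copied one, has no upper bound on its lifetime unless a revocation policy or the maximum lifetime ends it.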
tenant.lambdaConfiguration.loginValidationIdUUIDAvailable since 1.53.0The Id of the lambda that will be invoked at the end of a successful login request in order to extend custom validation of a login request.
tenant.lambdaConfiguration.multiFactorRequirementIdUUIDoptionalAvailable since 1.62.0The Id of the lambda that will be invoked during logins, password changes, and MFA Status API calls to perform various validations to decide whether to challenge the user on one of their MFA methods.
tenant.lambdaConfiguration.scimEnterpriseUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM Enterprise User request to a FusionAuth User.
tenant.lambdaConfiguration.scimEnterpriseUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth Enterprise User to a SCIM Server response.
tenant.lambdaConfiguration.scimGroupRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM Group Request Lambda that will be used to convert the SCIM Group request to a FusionAuth Group.
tenant.lambdaConfiguration.scimGroupResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM GroupResponse Lambda that will be used to convert a FusionAuth Group to a SCIM Server response.
tenant.lambdaConfiguration.scimUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM User request to a FusionAuth User.
tenant.lambdaConfiguration.scimUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth User to a SCIM Server response.
tenant.lastUpdateInstantLongThe instant that the Tenant was last updated in the FusionAuth database.
tenant.loginConfiguration.requireAuthenticationBooleanAvailable since 1.26.0Indicates whether to require an API key for the Login API when an applicationId is not provided. When an applicationId is provided to the Login API call, the application configuration will take precedence.
tenant.logoutURLStringAvailable since 1.8.0The logout redirect URL when sending the user's browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
tenant.maximumPasswordAge.daysIntegerAvailable since 1.8.0The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when tenant.maximumPasswordAge.enabled is set to true.
tenant.maximumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the maximum password age is enabled and being enforced.
tenant.minimumPasswordAge.secondsIntegerAvailable since 1.8.0The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when tenant.minimumPasswordAge.enabled is set to true.
tenant.minimumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the minimum password age is enabled and being enforced.
tenant.multiFactorConfiguration.authenticator.algorithmStringAvailable since 1.26.0The algorithm used by the TOTP authenticator. This value is HmacSHA1 and read only.
tenant.multiFactorConfiguration.authenticator.codeLengthIntegerAvailable since 1.26.0The length of the code generated by the TOTP. This value is 6 and read only.
tenant.multiFactorConfiguration.authenticator.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an authenticator application to complete a multi-factor authentication request. This method uses TOTP (Time-Based One-Time Password) as defined in RFC 6238 and often uses a native mobile app such as Google Authenticator.
tenant.multiFactorConfiguration.authenticator.timeStepIntegerAvailable since 1.26.0The time-step size in seconds. This value is 30 and read only.
tenant.multiFactorConfiguration.email.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an email address to complete a two-factor authentication request.
tenant.multiFactorConfiguration.email.templateIdUUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a two-factor authentication request.
tenant.multiFactorConfiguration.sms.enabledBooleanAvailable since 1.26.0When enabled, users may utilize a mobile phone number to complete a two-factor authentication request.
tenant.multiFactorConfiguration.sms.messengerIdUUIDAvailable since 1.26.0The messenger that is used to deliver a SMS two-factor authentication request.
tenant.multiFactorConfiguration.sms.templateIdUUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a two-factor authentication request.
tenant.multiFactorConfiguration.voice.enabledBooleanAvailable since 1.65.0When enabled, users can receive a spoken multi-factor authentication code over a phone call.
tenant.multiFactorConfiguration.voice.messengerIdUUIDAvailable since 1.65.0The messenger that is used to deliver a voice two-factor authentication request.
tenant.multiFactorConfiguration.voice.templateIdUUIDAvailable since 1.65.0The Id of the voice template that is used when notifying a user to complete a two-factor authentication request.
tenant.nameStringThe unique name of the Tenant.
tenant.oauthConfiguration.clientCredentialsAccessTokenPopulateLambdaIdUUIDAvailable since 1.26.0The Id of a lambda that will be called to populate the JWT during a client credentials grant.
tenant.passwordEncryptionConfiguration.encryptionSchemeStringAvailable since 1.8.0The default method for encrypting the User's password. The following encryptors are provided with FusionAuth:
tenant.passwordEncryptionConfiguration.encryptionSchemeFactorIntegerAvailable since 1.8.0The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLoginBooleanAvailable since 1.8.0When enabled a user's hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.
Beginning in version 1.42.0 when this configuration is enabled, in addition to re-hashing on login, the password will be re-hashed on password change as well.
tenant.passwordValidationRules.breachDetection.enabledBooleanAvailable since 1.15.0Whether to enable Reactor breach detection. Requires an activated license.
tenant.passwordValidationRules.breachDetection.matchModeStringAvailable since 1.15.0The level of severity where Reactor will consider a breach. The following are valid values:
High - Only requires a password match, this is the most secure and is recommended
Medium - Exact match on username, email address or email sub-address
Low - Exact match on an email or username, or the password is a common breached value
tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateIdUUIDAvailable since 1.15.0The Id of the email template to use when notifying a user of a breached password.
tenant.passwordValidationRules.breachDetection.onLoginStringAvailable since 1.15.0The behavior when detecting breaches at time of user login. The following are valid values:
Off - Do not perform breach detection at login
RecordOnly - Only record the result, take no action
NotifyUser - Notify the end user via email
RequireChange - Require immediate password change
tenant.passwordValidationRules.maxLengthIntegerAvailable since 1.8.0The maximum length of a password when a new user is created or a user requests a password change.
tenant.passwordValidationRules.minLengthIntegerAvailable since 1.8.0The minimum length of a password when a new user is created or a user requests a password change.
tenant.passwordValidationRules.rememberPreviousPasswords.countIntegerAvailable since 1.8.0The number of previous passwords to remember. Value must be greater than 0.
tenant.passwordValidationRules.rememberPreviousPasswords.enabledBooleanAvailable since 1.8.0Whether to prevent a user from using any of their previous passwords.
tenant.passwordValidationRules.requireMixedCaseBooleanAvailable since 1.8.0Whether to force the user to use at least one uppercase and one lowercase character.
tenant.passwordValidationRules.requireNonAlphaBooleanAvailable since 1.8.0Whether to force the user to use at least one non-alphanumeric character.
tenant.passwordValidationRules.requireNumberBooleanAvailable since 1.8.0Whether to force the user to use at least one number.
tenant.passwordValidationRules.validateOnLoginBooleanAvailable since 1.15.0When enabled the user's password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.
tenant.phoneConfiguration.forgotPasswordTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template that is used when sending a user a forgot password message.
tenant.phoneConfiguration.identityUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their phone number has been updated. The message will be sent to both their new and old phone numbers.
tenant.phoneConfiguration.implicitPhoneVerificationAllowedBooleanoptionalDefaults to trueAvailable since 1.59.0When set to true, this allows a phone number to be verified as a result of completing a similar phone based workflow such as change password. When set to false, the user must explicitly complete the phone verification workflow even if the user has already completed a similar phone workflow such as change password.
tenant.phoneConfiguration.loginIdInUseOnCreateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to create an account with their login Id.
tenant.phoneConfiguration.loginIdInUseOnUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to update an existing account to use their login Id.
tenant.phoneConfiguration.loginNewDeviceTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they log in on a new device.
tenant.phoneConfiguration.loginSuspiciousTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a suspicious login using their login Id occurs.
tenant.phoneConfiguration.messengerIdUUIDAvailable since 1.59.0The messenger that is used to deliver SMS messages for phone number verification and passwordless logins.
tenant.phoneConfiguration.passwordlessTemplateIdUUIDAvailable since 1.59.0The Id of the Passwordless Message Template, sent to users when they start a passwordless login.
tenant.phoneConfiguration.passwordResetSuccessTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they have completed a 'forgot password' workflow and their password has been reset.
tenant.phoneConfiguration.passwordUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their password has been updated.
tenant.phoneConfiguration.setPasswordTemplateIdUUIDoptionalAvailable since 1.59.0The Id of the SMS Message Template used when a user must set their password manually after their account was created for them (by an admin, for example).
tenant.phoneConfiguration.adminTwoFactorMethodRemoveTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Message Template used to notify a user when an administrator removes one of their MFA methods.
tenant.phoneConfiguration.twoFactorMethodRemoveTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a MFA method has been removed from their account.
tenant.phoneConfiguration.twoFactorMethodAddTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a MFA method has been added to their account.
tenant.phoneConfiguration.unverified.allowPhoneNumberChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.59.0When this value is set to true, the user is allowed to change their phone number when they are gated because they haven't verified their phone number.
tenant.phoneConfiguration.unverified.behaviorStringAvailable since 1.59.0The desired behavior during login for a user that does not have a verified phone number. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.phoneConfiguration.verificationCompleteTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to notify a user that their phone number has been verified.
tenant.phoneConfiguration.verificationStrategyStringAvailable since 1.59.0The process by which the user will verify their phone number. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.phoneConfiguration.unverified.behavior has the Gated value.
tenant.phoneConfiguration.verificationTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send SMS messages to users to verify that their phone number is valid.
tenant.phoneConfiguration.verifyPhoneNumberBooleanAvailable since 1.59.0Whether a user's phone number is verified when they register with your application.
tenant.rateLimitConfiguration.failedLogin.limitIntegerAvailable since 1.30.0The number of times a user can fail to login within the configured timePeriodInSeconds duration. If a Failed authentication action has been configured then it will take precedence.
tenant.rateLimitConfiguration.failedLogin.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can fail login before being rate limited.
tenant.rateLimitConfiguration.forgotPassword.limitIntegerAvailable since 1.30.0The number of times a user can request a forgot password email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.forgotPassword.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a forgot password email before being rate limited.
tenant.rateLimitConfiguration.sendEmailVerification.limitIntegerAvailable since 1.30.0The number of times a user can request a verification email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendEmailVerification.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a verification email before being rate limited.
tenant.rateLimitConfiguration.sendPasswordless.limitIntegerAvailable since 1.30.0The number of times a user can request a passwordless login email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPasswordless.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a passwordless login email before being rate limited.
tenant.rateLimitConfiguration.sendPasswordlessPhone.limitIntegerAvailable since 1.59.0The number of times a user can request a passwordless login SMS message within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPasswordlessPhone.timePeriodInSecondsIntegerAvailable since 1.59.0The duration for the number of times a user can request a passwordless login SMS message before being rate limited.
tenant.rateLimitConfiguration.sendPhoneVerification.limitIntegerAvailable since 1.59.0The number of times a user can request a phone verification message within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPhoneVerification.timePeriodInSecondsIntegerAvailable since 1.59.0The duration for the number of times a user can request a phone verification message before being rate limited.
tenant.rateLimitConfiguration.sendRegistrationVerification.limitIntegerAvailable since 1.30.0The number of times a user can request a registration verification email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendRegistrationVerification.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a registration verification email before being rate limited.
tenant.rateLimitConfiguration.sendTwoFactor.limitIntegerAvailable since 1.30.0The number of times a user can request a two-factor code by email or SMS within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendTwoFactor.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a two-factor code by email or SMS before being rate limited.
tenant.registrationConfiguration.blockedDomainsArray<String>optionalAvailable since 1.30.0A list of unique domains that are not allowed to register when self service is enabled.
tenant.scimServerConfiguration.clientEntityTypeIdUUIDAvailable since 1.36.0The Entity Type that will be used to represent SCIM Clients for this tenant.
tenant.scimServerConfiguration.enabledBooleanAvailable since 1.36.0Whether or not this tenant has the SCIM endpoints enabled.
tenant.scimServerConfiguration.schemasMapAvailable since 1.36.0JSON formatted as a SCIM Schemas endpoint response. Because the SCIM lambdas may modify the JSON response, ensure the Schema's response matches that generated by the response lambdas. More about Schema definitions.
tenant.scimServerConfiguration.serverEntityTypeIdUUIDAvailable since 1.36.0The Entity Type that will be used to represent SCIM Servers for this tenant.
tenant.ssoConfiguration.deviceTrustTimeToLiveInSecondsIntegerAvailable since 1.30.2The number of seconds before a trusted device is reset. When reset, a user is forced to complete captcha during login and complete two-factor authentication if applicable.
tenant.ssoConfiguration.allowAccessTokenBootstrapBooleanAvailable since 1.56.0When enabled, an SSO session can be created after login by providing an access token as a bearer token in a request to the OAuth2 Authorize endpoint.
tenant.stateStringAvailable since 1.22.0The current state of the tenant. The following are valid values:
Active - The tenant is active.
PendingDelete - A delete request has been requested and is being processed.
tenant.themeIdUUIDAvailable since 1.8.0The unique Id of the theme to be used to style the login page and other end user templates.
tenant.userDeletePolicy.unverified.enabledBooleanAvailable since 1.13.0Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.
tenant.userDeletePolicy.unverified.enabledInstantLongAvailable since 1.48.0The instant that this policy was enabled.
Users created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for users created after this policy was enabled. If you would like to delete users created prior to this policy being enabled that have an unverified email address, you can use the User Search API or User Bulk Delete API to search on the insertInstant and verified fields to identify users that you would like to delete.
For example, the following query string will return users that were created at least 7 days ago that have not verified their email address.
insertInstant:<now-7d AND verified:false
Please note that prior to version 1.48.0, when enabling this policy all users with an unverified email were eligible for deletion.
tenant.userDeletePolicy.unverified.numberOfDaysToRetainIntegerAvailable since 1.13.0The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.
tenant.usernameConfiguration.unique.enabledBooleanAvailable since 1.27.0When true, FusionAuth will handle username collisions by generating a random suffix. Users with colliding usernames will be able to use the same one, but in the admin and API interfaces, a unique username will be displayed.
tenant.usernameConfiguration.unique.numberOfDigitsIntegerAvailable since 1.27.0The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and will be 1 or more digits up to this configured value in length. For example, if this value is 5, the suffix will be a number between 00001 and 99999, inclusive.
tenant.usernameConfiguration.unique.separatorStringAvailable since 1.27.0A single character to use as a separator between the requested username and the unique suffix that is added when a duplicate username is detected. This value can be a single non-alphanumeric ASCII character.
tenant.usernameConfiguration.unique.strategyStringAvailable since 1.29.0This strategy instructs FusionAuth when to append a unique suffix to the username. The possible values are:
Always - Always append a unique suffix even when the requested username is not in use.
OnCollision - Only append a unique suffix when the requested username is in use.
tenant.webAuthnConfiguration.bootstrapWorkflow.authenticatorAttachmentPreferenceStringAvailable since 1.41.0The authenticator attachment requirement for WebAuthn passkey registration when using the bootstrap workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenant.webAuthnConfiguration.bootstrapWorkflow.enabledBooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled.
tenant.webAuthnConfiguration.bootstrapWorkflow.userVerificationRequirementStringAvailable since 1.41.0The user verification requirement for WebAuthn passkey registration and authentication when using the bootstrap workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenant.webAuthnConfiguration.debugBooleanAvailable since 1.41.0Whether debug event log output is enabled for WebAuthn.
tenant.webAuthnConfiguration.enabledBooleanAvailable since 1.41.0Whether WebAuthn configuration is enabled.
tenant.webAuthnConfiguration.reauthenticationWorkflow.authenticatorAttachmentPreferenceStringAvailable since 1.41.0The authenticator attachment requirement for WebAuthn passkey registration when using the reauthentication workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenant.webAuthnConfiguration.reauthenticationWorkflow.enabledBooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled.
tenant.webAuthnConfiguration.reauthenticationWorkflow.userVerificationRequirementStringAvailable since 1.41.0The user verification requirement for WebAuthn passkey registration and authentication when using the reauthentication workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenant.webAuthnConfiguration.relyingPartyIdStringAvailable since 1.41.0The Relying Party Id the tenant will use in WebAuthn ceremonies. Passkeys can only be used to authenticate on sites using the same Relying Party Id they were registered with.
The default value is null, which instructs the WebAuthn JavaScript API to use the browser origin.
tenant.webAuthnConfiguration.relyingPartyNameStringAvailable since 1.41.0The Relying Party name the tenant will use in WebAuthn ceremonies. This value is used only for display and may be shown by browser or OS dialogs during WebAuthn ceremonies.
If no value is configured, the tenant.issuer value will be used.
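The following is an added example, not FusionAuth's own code: a pre-flight check over a tenant object that reports violations of the constraints stated in the field descriptions above ("Value must be greater than 0", "Required when ... is set to true", FormField only with Gated) and flags a few settings for review. The sample tenant is constructed, and the helper names and the choice of which settings produce a warning are assumptions of this example.

```python
import json

# Constructed sample: a tenant fragment built only from fields documented on this page.
SAMPLE_RESPONSE = json.loads("""
{"tenant": {
  "jwtConfiguration": {"refreshTokenUsagePolicy": "Reusable", "timeToLiveInSeconds": 3600},
  "loginConfiguration": {"requireAuthentication": false},
  "maximumPasswordAge": {"enabled": true},
  "minimumPasswordAge": {"enabled": false, "seconds": 30},
  "passwordValidationRules": {
    "breachDetection": {"enabled": true, "matchMode": "High", "onLogin": "Off"},
    "rememberPreviousPasswords": {"enabled": true, "count": 0}
  },
  "phoneConfiguration": {"unverified": {"behavior": "Allow"}, "verificationStrategy": "FormField"},
  "rateLimitConfiguration": {
    "failedLogin": {"enabled": false, "limit": 5, "timePeriodInSeconds": 60},
    "sendTwoFactor": {"enabled": true, "limit": 5, "timePeriodInSeconds": 60}
  },
  "userDeletePolicy": {"unverified": {"enabled": true, "numberOfDaysToRetain": 7}},
  "webAuthnConfiguration": {
    "enabled": true,
    "debug": true,
    "bootstrapWorkflow": {"enabled": true, "userVerificationRequirement": "discouraged"},
    "reauthenticationWorkflow": {"enabled": false, "userVerificationRequirement": "discouraged"}
  }
}}
""")

# Fields the page documents as "Value must be greater than 0".
POSITIVE = [
    "jwtConfiguration.timeToLiveInSeconds",
    "passwordValidationRules.rememberPreviousPasswords.count",
    "userDeletePolicy.unverified.numberOfDaysToRetain",
]
# (flag, field) pairs the page documents as "Required when <flag> is set to true".
REQUIRED_WHEN_ENABLED = [
    ("maximumPasswordAge.enabled", "maximumPasswordAge.days"),
    ("minimumPasswordAge.enabled", "minimumPasswordAge.seconds"),
]


def get(obj, path, default=None):
    """Walk a dotted path such as 'jwtConfiguration.timeToLiveInSeconds'."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_tenant(tenant):
    """Return a list of (severity, field path, message) findings for one tenant object."""
    findings = []

    def add(severity, path, message):
        findings.append((severity, path, message))

    # Errors: constraints stated in the field descriptions.
    for path in POSITIVE:
        value = get(tenant, path)
        if value is not None and not (isinstance(value, int) and value > 0):
            add("error", path, "value must be greater than 0")
    for flag, needed in REQUIRED_WHEN_ENABLED:
        if get(tenant, flag) is True and get(tenant, needed) is None:
            add("error", needed, f"required because {flag} is true")
    phone = get(tenant, "phoneConfiguration", {})
    if phone.get("verificationStrategy") == "FormField" and get(phone, "unverified.behavior") != "Gated":
        add("error", "phoneConfiguration.verificationStrategy",
            "FormField is only available when unverified.behavior is Gated")

    # Warnings: this example's review policy (an assumption, not FusionAuth guidance).
    if get(tenant, "jwtConfiguration.refreshTokenUsagePolicy") == "Reusable":
        add("warn", "jwtConfiguration.refreshTokenUsagePolicy",
            "refresh token value does not change after issue; OneTimeUse rotates it")
    if get(tenant, "loginConfiguration.requireAuthentication") is False:
        add("warn", "loginConfiguration.requireAuthentication",
            "Login API needs no API key when no applicationId is provided")
    breach = get(tenant, "passwordValidationRules.breachDetection", {})
    if breach.get("enabled") and breach.get("onLogin") == "Off":
        add("warn", "passwordValidationRules.breachDetection.onLogin",
            "breach detection is enabled but not performed at login")
    for name, cfg in sorted(get(tenant, "rateLimitConfiguration", {}).items()):
        if isinstance(cfg, dict) and cfg.get("enabled") is False:
            add("warn", f"rateLimitConfiguration.{name}.enabled",
                "limit and timePeriodInSeconds are set but the rate limit is disabled")
    webauthn = get(tenant, "webAuthnConfiguration", {})
    if webauthn.get("enabled"):
        if webauthn.get("debug"):
            add("warn", "webAuthnConfiguration.debug", "debug event log output is enabled")
        for workflow in ("bootstrapWorkflow", "reauthenticationWorkflow"):
            cfg = webauthn.get(workflow, {})
            if cfg.get("enabled") and cfg.get("userVerificationRequirement") == "discouraged":
                add("warn", f"webAuthnConfiguration.{workflow}.userVerificationRequirement",
                    "enabled workflow does not ask for user verification")
    return findings


if __name__ == "__main__":
    for severity, path, message in audit_tenant(SAMPLE_RESPONSE["tenant"]):
        print(f"{severity:5} tenant.{path}: {message}")
```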
Example Response JSON
{
"tenant": {
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"baseURL": "https://example.com",
"configured": true,
"captchaConfiguration": {
"captchaMethod": "GoogleRecaptchaV3",
"enabled": true,
"secretKey": "6LdYWpMbAAAAAKhcksgk70us00012r66r96tt7rp",
"siteKey": "6LdYWpMbAAAAAKhcksgk75tz00022r66ombcfadr",
"threshold": 0.5
},
"connectorPolicies": [
{
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"domains": [
"*"
],
"migrate": false
},
{
"connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
"domains": [
"*"
],
"migrate": true
}
],
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"additionalHeaders": [
{
"name": "X-SES-CONFIGURATION-SET",
"value": "example_configuration_set_name"
}
],
"defaultFromEmail": "jared@piedpiper.com",
"defaultFromName": "Jared Dunn",
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"implicitEmailVerificationAllowed": true,
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d",
"unverified": {
"allowEmailChangeWhenGated": false,
"behavior": "Gated"
},
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verificationStrategy": "FormField",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.password.breach": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"deviceCodeTimeToLiveInSeconds": 1800,
"deviceUserCodeIdGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"emailVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"externalAuthenticationIdTimeToLiveInSeconds": 300,
"loginIntentTimeToLiveInSeconds": 1800,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"pendingAccountLinkTimeToLiveInSeconds": 3600,
"phoneVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"phoneVerificationIdTimeToLiveInSeconds": 86400,
"phoneVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"registrationVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"rememberOAuthScopeConsentChoiceTimeToLiveInSeconds": 2592000,
"samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"trustTokenTimeToLiveInSeconds": 180,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorOneTimeCodeIdGenerator": {
"length": 6,
"type": "randomDigits"
},
"twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000,
"webAuthnAuthenticationChallengeTimeToLiveInSeconds": 180,
"webAuthnRegistrationChallengeTimeToLiveInSeconds": 180
},
"failedAuthenticationConfiguration": {
"actionCancelPolicy": {
"onPasswordReset": false
},
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"emailUser": false,
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"formConfiguration": {
"adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"insertInstant": 1572469040579,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenExpirationPolicy": "Fixed",
"refreshTokenRevocationPolicy": {
"onLoginPrevented": true,
"onMultiFactorEnable": true,
"onPasswordChanged": true
},
"refreshTokenTimeToLiveInMinutes": 43200,
"refreshTokenUsagePolicy": "Reusable",
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"loginValidationId": "c0dd79db-38dd-424b-b77a-4dccaad71052",
"scimEnterpriseUserRequestConverterId": "c2e70f8d-19bb-4df7-848a-33a9a1e26b84",
"scimEnterpriseUserResponseConverterId": "44fc9553-8a2e-408f-8aa2-fa65b70b55e2",
"scimGroupRequestConverterId": "66d65de0-1819-42f8-86ed-7daaa4e155dc",
"scimGroupResponseConverterId": "79812ede-432f-4375-9b43-23c0fe996fef",
"scimUserRequestConverterId": "8a51d7a1-5e3e-442a-b96a-0c31379bb3d4",
"scimUserResponseConverterId": "c8720843-dc4f-4e6c-b6ca-500e9c44695f"
},
"lastUpdateInstant": 1595361143101,
"loginConfiguration": {
"requireAuthentication": true
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"multiFactorConfiguration": {
"authenticator": {
"algorithm": "HmacSHA1",
"codeLength": 6,
"enabled": true,
"timeStep": 30
},
"email": {
"enabled": true,
"templateId": "d312fb71-d7d8-4b75-a497-6096a07220b3"
},
"loginPolicy": "Enabled",
"sms": {
"enabled": true,
"messengerId": "0a4bae38-ffef-4c33-b74c-1d50c796f600",
"templateId": "f35e04e6-72ec-4f52-b552-29cf950a4ed6"
}
},
"name": "Playtronics Co.",
"oauthConfiguration": {
"clientCredentialsAccessTokenPopulateLambdaId": "46e120c1-4c22-473f-95b4-e2c187cd20c2"
},
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"breachDetection": {
"enabled": true,
"notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"matchMode": "High",
"onLogin": "Off"
},
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true,
"validateOnLogin": false
},
"phoneConfiguration": {
"forgotPasswordTemplateId": "f90c8a8f-db77-4f2f-a3dd-5f692faf5d55",
"identityUpdateTemplateId": "77df7e94-2dbf-44ab-b58c-06ac4224c449",
"implicitPhoneVerificationAllowed": false,
"loginIdInUseOnCreateTemplateId": "7880dac6-809b-489e-8a69-363b043dd0f4",
"loginIdInUseOnUpdateTemplateId": "de14b495-a358-4941-bb6b-0ddce04370ef",
"loginNewDeviceTemplateId": "d77ac611-ddff-4a06-903c-fafe5c1f9f7a",
"loginSuspiciousTemplateId": "73a8408a-e857-4ce2-82bb-d15b94d7c709",
"messengerId": "22a2ec45-39de-439a-a41c-eb7666b3b051",
"passwordResetSuccessTemplateId": "6a0f3a7a-3511-4936-a546-3bd8f68dbdd3",
"passwordUpdateTemplateId": "3ca81208-5678-434f-92b8-7fcc3b62bc7a",
"passwordlessTemplateId": "e8449783-60a7-483f-8c66-bcdf0d05705f",
"setPasswordTemplateId": "a6655c95-d94c-4dea-8191-0190f562bc39",
"twoFactorMethodAddTemplateId": "c450521d-7f39-4a21-ba02-ced83225efcc",
"twoFactorMethodRemoveTemplateId": "fba4fe64-3a29-45f8-895f-520d73d93659",
"unverified": {
"allowPhoneNumberChangeWhenGated": false,
"behavior": "Allow"
},
"verificationCompleteTemplateId": "7b6b80bd-e3a5-42ff-b333-93ef37c192df",
"verificationStrategy": "ClickableLink",
"verificationTemplateId": "c96ed02d-fbc6-4b27-9e74-54444747d18a",
"verifyPhoneNumber": true
},
"rateLimitConfiguration": {
"failedLogin": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"forgotPassword": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendEmailVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordless": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordlessPhone": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPhoneVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendRegistrationVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendTwoFactor": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
}
},
"registrationConfiguration": {},
"scimServerConfiguration": {
"clientEntityTypeId": "d9ed49f7-1106-4b20-acdb-5cbda76ae77e",
"enabled": true,
"serverEntityTypeId": "919e0ac5-1cf0-4fcf-a8fc-29d77a0d1d8f",
"schemas": {}
},
"ssoConfiguration": {
"allowAccessTokenBootstrap": false,
"deviceTrustTimeToLiveInSeconds": 31536000
},
"state": "Active",
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"usernameConfiguration": {
"unique": {
"enabled": false,
"numberOfDigits": 5,
"separator": "#",
"strategy": "OnCollision"
}
},
"webAuthnConfiguration": {
"enabled": true,
"bootstrapWorkflow": {
"authenticatorAttachmentPreference": "crossPlatform",
"enabled": true,
"userVerificationRequirement": "required"
},
"debug": false,
"reauthenticationWorkflow": {
"authenticatorAttachmentPreference": "platform",
"enabled": true,
"userVerificationRequirement": "required"
},
"relyingPartyId": "piedpiper.com",
"relyingPartyName": "Pied Piper"
}
}
}
Response Body#
tenants Array
The list of Tenant objects.
tenants[x].accessControlConfiguration.uiIPAccessControlListId UUID Available since 1.30.0
The Id of the IP Access Control List limiting access to all applications in this tenant.
tenants[x].baseURL String Available since 1.68.0
The default base URL used when rendering links in templates for this Tenant. This value is used when application.baseURL is not defined.
tenants[x].captchaConfiguration.captchaMethod String Available since 1.30.0
The type of captcha method to use.
tenants[x].captchaConfiguration.enabled Boolean Available since 1.30.0
Whether captcha configuration is enabled.
tenants[x].captchaConfiguration.secretKey String Available since 1.30.0
The secret key for this captcha method.
tenants[x].captchaConfiguration.siteKey String Available since 1.30.0
The site key for this captcha method.
tenants[x].captchaConfiguration.threshold Float Available since 1.30.0
The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.
tenants[x].configured Boolean
Indicates the tenant has been configured. It is always true, except for the default tenant when the setup wizard has not been completed, in which case it is false.
tenants[x].connectorPolicies Array Available since 1.18.0
A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.
tenants[x].connectorPolicies[x].connectorId UUID Available since 1.18.0
The identifier of the Connector to which this policy refers.
tenants[x].connectorPolicies[x].domains String Available since 1.18.0
A list of email domains to which this connector should apply.
A value of ["*"] indicates this connector applies to all users.
tenants[x].connectorPolicies[x].migrate Boolean Available since 1.18.0
If true, the user's data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector's source will be treated as authoritative.
tenants[x].data Object
An object that can hold any information about the Tenant that should be persisted.
tenants[x].emailConfiguration.additionalHeaders Array<Object> optional Available since 1.32.0
The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenants[x].emailConfiguration.debug Boolean optional Defaults to false Available since 1.37.0
Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenants[x].emailConfiguration.defaultFromEmail String optional Available since 1.16.0
The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenants[x].emailConfiguration.defaultFromName String optional Available since 1.16.0
The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenants[x].emailConfiguration.emailUpdateEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when their email address is updated.
tenants[x].emailConfiguration.emailVerifiedEmailTemplateId UUID optional Available since 1.19.0
The Id of the Email Template used to notify a user that their email address has been verified.
tenants[x].emailConfiguration.forgotPasswordEmailTemplateId UUID optional Available since 1.19.0
The Id of the Email Template that is used when a user is sent a forgot password email.
tenants[x].emailConfiguration.host String optional Defaults to localhost Available since 1.8.0
The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenants[x].emailConfiguration.implicitEmailVerificationAllowed optional Defaults to true Available since 1.32.0
When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenants[x].emailConfiguration.loginIdInUseOnCreateEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
tenants[x].emailConfiguration.loginIdInUseOnUpdateEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenants[x].emailConfiguration.loginNewDeviceEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when they log in on a new device.
tenants[x].emailConfiguration.loginSuspiciousEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when a suspicious login occurs.
tenants[x].emailConfiguration.password String optional Available since 1.8.0
An optional password FusionAuth will use to authenticate with the SMTP server.
tenants[x].emailConfiguration.passwordlessEmailTemplateId UUID optional Available since 1.19.0
The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenants[x].emailConfiguration.passwordResetSuccessEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
tenants[x].emailConfiguration.passwordUpdateEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when their password has been updated.
tenants[x].emailConfiguration.port Integer optional Defaults to 25 Available since 1.8.0
The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenants[x].emailConfiguration.properties String optional Available since 1.8.0
Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
mail.smtp.timeout has a default value of 2000.
mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenants[x].emailConfiguration.security String optional Defaults to NONE Available since 1.8.0
The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
NONE - no security will be used. All communications will be sent plaintext.
SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenants[x].emailConfiguration.setPasswordEmailTemplateId UUID optional Available since 1.19.0
The Id of the Email Template that is used when a user has had their account created for them and must set their password manually; they are sent an email to set their password.
tenants[x].emailConfiguration.twoFactorMethodAddEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when an MFA method has been added to their account.
tenants[x].emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateId UUID optional Available since 1.68.0
The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenants[x].emailConfiguration.twoFactorMethodRemoveEmailTemplateId UUID optional Available since 1.30.0
The Id of the Email Template used to send emails to users when an MFA method has been removed from their account.
tenants[x].emailConfiguration.unverified.allowEmailChangeWhenGated Boolean optional Defaults to false Available since 1.27.0
When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenants[x].emailConfiguration.unverified.behavior String optional Defaults to Allow Available since 1.27.0
The desired behavior during login for a user that does not have a verified email. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenants[x].emailConfiguration.username String optional Available since 1.8.0
An optional username FusionAuth will use to authenticate with the SMTP server.
tenants[x].emailConfiguration.verificationEmailTemplateId UUID optional
The Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenants[x].emailConfiguration.verificationStrategy String optional Available since 1.27.0
The process by which the user will verify their email address. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenants[x].emailConfiguration.unverified.behavior has the Gated value.
tenants[x].emailConfiguration.verifyEmail Boolean optional Defaults to false
Whether the user's email addresses are verified when the user registers with your application.
tenants[x].emailConfiguration.verifyEmailWhenChanged Boolean optional Defaults to false
Whether the user's email addresses are verified when the user changes them.
tenants[x].eventConfiguration.events Object Available since 1.8.0
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
audit-log.create - When an audit log is created. Available since 1.30.0
event-log.create - When an event log is created. Available since 1.30.0
jwt.public-key.update - When a JWT signing Public / Private keypair may have been changed
jwt.refresh - When an access token is refreshed using a refresh token. Available since 1.16.0
jwt.refresh-token.revoke - When a JWT Refresh Token is revoked
kickstart.success - When kickstart has successfully completed. Available since 1.30.0
user.action - When a user action is triggered
user.bulk.create - When multiple users are created in bulk (i.e. during an import)
user.create - When a user is created
user.create.complete - When a user create transaction has completed. Available since 1.30.0
user.deactivate - When a user is deactivated
user.delete - When a user is deleted
user.delete.complete - When a user delete transaction has completed. Available since 1.30.0
user.email.update - When a user updates their email address. Available since 1.30.0
user.email.verified - When a user verifies their email address. Available since 1.8.0
user.identity-provider.link - When a link is created from a user to an Identity Provider. Available since 1.36.0
user.identity-provider.unlink - When an existing Identity Provider link is removed from a User. Available since 1.36.0
user.identity.verified - When a user's identity is verified. Available since 1.59.0
user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.login.failed - When a user fails a login request. Available since 1.6.0
user.login.new-device - When a user begins a login request with a new device. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.login.success - When a user completes a login request. Available since 1.6.0
user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license). Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license). Available since 1.15.0. Note: you'll need a paid plan.
user.password.reset.send - When a forgot password email has been sent to a user. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.reset.start - When the process to reset a user password has started. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.reset.success - When a user has successfully reset their password. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.update - When a user has updated their password. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.reactivate - When a user is reactivated
user.registration.create - When a user registration is created. Available since 1.6.0
user.registration.create.complete - When a user registration create transaction has completed. Available since 1.30.0
user.registration.delete - When a user registration is deleted. Available since 1.6.0
user.registration.delete.complete - When a user registration delete transaction has completed. Available since 1.30.0
user.registration.update - When a user registration is updated. Available since 1.6.0
user.registration.update.complete - When a user registration update transaction has completed. Available since 1.30.0
user.registration.verified - When a user completes registration verification. Available since 1.8.0
user.two-factor.challenge - When a user is presented a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.two-factor.failed-attempt - When a user submits an incorrect answer to a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.two-factor.method.add - When a user has added a two-factor method. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.two-factor.method.remove - When a user has removed a two-factor method. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.two-factor.success - When a user submits a correct answer to a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.update - When a user is updated
user.update.complete - When a user update transaction has completed. Available since 1.30.0
tenants[x].eventConfiguration.events[type].enabled Boolean Available since 1.8.0
Whether or not FusionAuth should send these types of events to any configured Webhooks.
tenants[x].eventConfiguration.events[type].transactionType String Available since 1.8.0
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.
Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.
SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.
tenants[x].externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
Value must be greater than 0 and less than or equal to 600.
tenants[x].externalIdentifierConfiguration.changePasswordIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the change password Id.
If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.changePasswordIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the change password Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds Integer Available since 1.11.0
The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.deviceUserCodeIdGenerator.length Integer Available since 1.11.0
The length of the secure generator used for generating the device code Id.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.deviceUserCodeIdGenerator.type String Available since 1.11.0
The type of the secure generator used for generating the device code Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.emailVerificationIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the email verification Id.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.emailVerificationIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the email verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.length Integer Available since 1.27.0
The length of the secure generator used for generating the email verification one time code.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.type String Available since 1.27.0
The type of the secure generator used for generating the email verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds Integer Available since 1.12.0
The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.identityProviderConnectionTestTimeToLiveInSeconds Integer Available since 1.65.0
The time in seconds until an identity provider connection test Id is no longer valid and cannot be used by the Identity Provider Test API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.loginIntentTimeToLiveInSeconds Integer Available since 1.53.0
The time in seconds until a Login Timeout identifier is no longer valid to complete post-authentication steps in the OAuth workflow. Must be greater than 0.
tenants[x].externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.passwordlessLoginGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the passwordless login.
If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.passwordlessLoginGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the passwordless login. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the passwordless one-time login.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the passwordless one-time login. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.pendingAccountLinkTimeToLiveInSeconds Integer Available since 1.28.0
The number of seconds before the pending account link identifier is no longer valid to complete an account link request.
tenants[x].externalIdentifierConfiguration.phoneVerificationIdGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the phone verification Id.
If the phoneVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the phoneVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.phoneVerificationIdGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the phone verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.phoneVerificationIdTimeToLiveInSeconds Integer Available since 1.59.0
The time in seconds until a phone verification Id is no longer valid and cannot be used by the Verify Phone API.
tenants[x].externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the phone verification one time code.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the phone verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.registrationVerificationIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the registration verification Id.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.registrationVerificationIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the registration verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.length Integer Available since 1.27.0
The length of the secure generator used for generating the registration verification one time code.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.typeStringAvailable since 1.27.0The type of the secure generator used for generating the registration verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSecondsIntegerAvailable since 1.50.0The time in seconds until remembered OAuth scope consent choices are no longer valid, and the User will be prompted to consent to requested OAuth scopes even if they have not changed. Applies only when application.oauthConfiguration.consentMode is set to RememberDecision. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSecondsIntegerAvailable since 1.19.0The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.
tenants[x].externalIdentifierConfiguration.setupPasswordIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the setup password Id.
If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.setupPasswordIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the setup password Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.trustTokenTimeToLiveInSecondsIntegerAvailable since 1.33.0The number of seconds before the Trust Token is no longer valid to complete a request that requires trust. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.twoFactorIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a two-factor Id is no longer valid and cannot be used by the Two-Factor Login API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the two-factor one time code Id.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the two-factor code Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenants[x].externalIdentifierConfiguration.twoFactorOneTimeCodeIdTimeToLiveInSecondsIntegerAvailable since 1.26.0The number of seconds before the Two-Factor One Time Code used to enable or disable a two-factor method is no longer valid. Must be greater than 0.
tenants[x].externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until an issued Two-Factor trust Id is no longer valid and the User will be required to complete Two-Factor authentication during the next authentication attempt. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.webAuthnAuthenticationChallengeTimeToLiveInSecondsIntegerAvailable since 1.41.0The time in seconds until a WebAuthn authentication challenge is no longer valid and the User will be required to restart the WebAuthn authentication ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.get API call. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.webAuthnRegistrationChallengeTimeToLiveInSecondsIntegerAvailable since 1.41.0The time in seconds until a WebAuthn registration challenge is no longer valid and the User will be required to restart the WebAuthn registration ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.create API call. Value must be greater than 0.
tenants[x].failedAuthenticationConfiguration.actionCancelPolicy.onPasswordResetBooleanAvailable since 1.42.0Indicates whether you want the user to be able to self-service unlock their account prior to the action duration by completing a password reset workflow.
tenants[x].failedAuthenticationConfiguration.actionDurationLongAvailable since 1.8.0The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.
tenants[x].failedAuthenticationConfiguration.actionDurationUnitStringAvailable since 1.8.0The unit of time associated with a duration. The possible values are:
MINUTES
HOURS
DAYS
WEEKS
MONTHS
YEARS
tenants[x].failedAuthenticationConfiguration.emailUserStringoptionalAvailable since 1.42.0Indicates you would like to email the user when the user's account is locked due to this action being taken. This requires the User Action specified by the tenant.failedAuthenticationConfiguration.userActionId to also be configured for email. If the User Action is not configured to be able to email the user, this configuration will be ignored. See userEmailingEnabled on the User Action.
tenants[x].failedAuthenticationConfiguration.resetCountInSecondsIntegerAvailable since 1.8.0The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.
tenants[x].failedAuthenticationConfiguration.tooManyAttemptsIntegerAvailable since 1.8.0The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.
tenants[x].failedAuthenticationConfiguration.userActionIdUUIDAvailable since 1.8.0The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
tenants[x].familyConfiguration.allowChildRegistrationsBooleanAvailable since 1.8.0Whether to allow child registrations.
tenants[x].familyConfiguration.confirmChildEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use when confirming a child.
tenants[x].familyConfiguration.deleteOrphanedAccountsBooleanAvailable since 1.8.0Indicates that child users without parental verification will be permanently deleted after tenants[x].familyConfiguration.deleteOrphanedAccountsDays days.
tenants[x].familyConfiguration.deleteOrphanedAccountsDaysIntegerAvailable since 1.8.0The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.
tenants[x].familyConfiguration.enabledBooleanAvailable since 1.8.0Whether family configuration is enabled.
tenants[x].familyConfiguration.familyRequestEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use when a family request is made.
tenants[x].familyConfiguration.maximumChildAgeIntegerAvailable since 1.8.0The maximum age of a child. Value must be greater than 0.
tenants[x].familyConfiguration.minimumOwnerAgeIntegerAvailable since 1.8.0The minimum age to be an owner. Value must be greater than 0.
tenants[x].familyConfiguration.parentEmailRequiredBooleanAvailable since 1.8.0Whether a parent email is required.
tenants[x].familyConfiguration.parentRegistrationEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use for parent registration.
tenants[x].formConfiguration.adminUserFormIdUUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.
tenants[x].httpSessionMaxInactiveIntervalIntegerAvailable since 1.8.0Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.
tenants[x].idUUIDThe unique identifier for this Tenant.
tenants[x].insertInstantLongThe instant that the Tenant was added to the FusionAuth database.
tenants[x].issuerStringAvailable since 1.8.0The named issuer used to sign tokens. This is generally your public fully qualified domain with the https:// protocol prefix. For example, https://example.com.
tenants[x].jwtConfiguration.accessTokenKeyIdUUIDAvailable since 1.8.0The unique id of the signing key used to sign the access token.
tenants[x].jwtConfiguration.idTokenKeyIdUUIDAvailable since 1.8.0The unique id of the signing key used to sign the Id token.
tenants[x].jwtConfiguration.refreshTokenExpirationPolicyStringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed - the expiration is calculated from the time the token is issued.
SlidingWindow - the expiration is calculated from the last time the token was used.
SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
tenants[x].jwtConfiguration.refreshTokenOneTimeUseConfiguration.gracePeriodInSecondsIntegerAvailable since 1.55.1The length of time specified in seconds that a one-time use token can be reused.
This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.
Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.
tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onLoginPreventedBooleanAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.
tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onMultiFactorEnableBooleanAvailable since 1.42.0When enabled, all of a user's refresh tokens will be revoked when the user enables multi-factor authentication for the first time. This policy will not be applied when adding subsequent multi-factor methods to the user.
tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuseBooleanAvailable since 1.55.1When enabled, if a one-time use refresh token is reused, the token will be revoked. This does not cause all refresh tokens to be revoked, only the reused token is revoked.
tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChangedBooleanAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user changes their password.
tenants[x].jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutesIntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime.
tenants[x].jwtConfiguration.refreshTokenTimeToLiveInMinutesIntegerAvailable since 1.8.0The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.
tenants[x].jwtConfiguration.refreshTokenUsagePolicyStringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable - the token does not change after it was issued.
OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
tenants[x].jwtConfiguration.timeToLiveInSecondsIntegerAvailable since 1.8.0The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.
tenants[x].lambdaConfiguration.loginValidationIdUUIDAvailable since 1.53.0The Id of the lambda that will be invoked at the end of a successful login request in order to extend custom validation of a login request.
tenants[x].lambdaConfiguration.multiFactorRequirementIdUUIDoptionalAvailable since 1.62.0The Id of the lambda that will be invoked during logins, password changes, and MFA Status API calls to perform various validations to decide whether to challenge the user on one of their MFA methods.
tenants[x].lambdaConfiguration.scimEnterpriseUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM Enterprise User request to a FusionAuth User.
tenants[x].lambdaConfiguration.scimEnterpriseUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth Enterprise User to a SCIM Server response.
tenants[x].lambdaConfiguration.scimGroupRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM Group Request Lambda that will be used to convert the SCIM Group request to a FusionAuth Group.
tenants[x].lambdaConfiguration.scimGroupResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM GroupResponse Lambda that will be used to convert a FusionAuth Group to a SCIM Server response.
tenants[x].lambdaConfiguration.scimUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM User request to a FusionAuth User.
tenants[x].lambdaConfiguration.scimUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth User to a SCIM Server response.
tenants[x].lastUpdateInstantLongThe instant that the Tenant was last updated in the FusionAuth database.
tenants[x].loginConfiguration.requireAuthenticationBooleanAvailable since 1.26.0Indicates whether to require an API key for the Login API when an applicationId is not provided. When an applicationId is provided to the Login API call, the application configuration will take precedence.
tenants[x].logoutURLStringAvailable since 1.8.0The logout redirect URL when sending the user's browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
tenants[x].maximumPasswordAge.daysIntegerAvailable since 1.8.0The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when tenant.maximumPasswordAge.enabled is set to true.
tenants[x].maximumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the maximum password age is enabled and being enforced.
tenants[x].minimumPasswordAge.secondsIntegerAvailable since 1.8.0The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when tenant.minimumPasswordAge.enabled is set to true.
tenants[x].minimumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the minimum password age is enabled and being enforced.
tenants[x].multiFactorConfiguration.authenticator.algorithmStringAvailable since 1.26.0The algorithm used by the TOTP authenticator. This value is HmacSHA1 and read only.
tenants[x].multiFactorConfiguration.authenticator.codeLengthIntegerAvailable since 1.26.0The length of the code generated by the TOTP. This value is 6 and read only.
tenants[x].multiFactorConfiguration.authenticator.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an authenticator application to complete a multi-factor authentication request. This method uses TOTP (Time-Based One-Time Password) as defined in RFC 6238 and often uses a native mobile app such as Google Authenticator.
tenants[x].multiFactorConfiguration.authenticator.timeStepIntegerAvailable since 1.26.0The time-step size in seconds. This value is 30 and read only.
tenants[x].multiFactorConfiguration.email.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an email address to complete a two-factor authentication request.
tenants[x].multiFactorConfiguration.email.templateIdUUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a two-factor authentication request.
tenants[x].multiFactorConfiguration.sms.enabledBooleanAvailable since 1.26.0When enabled, users may utilize a mobile phone number to complete a two-factor authentication request.
tenants[x].multiFactorConfiguration.sms.messengerIdUUIDAvailable since 1.26.0The messenger that is used to deliver a SMS two-factor authentication request.
tenants[x].multiFactorConfiguration.sms.templateIdUUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a two-factor authentication request.
tenants[x].multiFactorConfiguration.voice.enabledBooleanAvailable since 1.65.0When enabled, users can receive a spoken multi-factor authentication code over a phone call.
tenants[x].multiFactorConfiguration.voice.messengerIdUUIDAvailable since 1.65.0The messenger that is used to deliver a voice two-factor authentication request.
tenants[x].multiFactorConfiguration.voice.templateIdUUIDAvailable since 1.65.0The Id of the voice template that is used when notifying a user to complete a two-factor authentication request.
tenants[x].nameStringThe unique name of the Tenant.
tenants[x].oauthConfiguration.clientCredentialsAccessTokenPopulateLambdaIdUUIDAvailable since 1.26.0The Id of a lambda that will be called to populate the JWT during a client credentials grant.
tenants[x].passwordEncryptionConfiguration.encryptionSchemeStringAvailable since 1.8.0The default method for encrypting the User's password. The following encryptors are provided with FusionAuth:
tenants[x].passwordEncryptionConfiguration.encryptionSchemeFactorIntegerAvailable since 1.8.0The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.
tenants[x].passwordEncryptionConfiguration.modifyEncryptionSchemeOnLoginBooleanAvailable since 1.8.0When enabled a user's hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.
Beginning in version 1.42.0 when this configuration is enabled, in addition to re-hashing on login, the password will be re-hashed on password change as well.
tenants[x].passwordValidationRules.breachDetection.enabledBooleanAvailable since 1.15.0Whether to enable Reactor breach detection. Requires an activated license.
tenants[x].passwordValidationRules.breachDetection.matchModeStringAvailable since 1.15.0The level of severity where Reactor will consider a breach. The following are valid values:
High - Only requires a password match, this is the most secure and is recommended
Medium - Exact match on username, email address or email sub-address
Low - Exact match on an email or username, or the password is a common breached value
tenants[x].passwordValidationRules.breachDetection.notifyUserEmailTemplateIdUUIDAvailable since 1.15.0The Id of the email template to use when notifying a user of a breached password.
tenants[x].passwordValidationRules.breachDetection.onLoginStringAvailable since 1.15.0The behavior when detecting breaches at time of user login. The following are valid values:
Off - Do not perform breach detection at login
RecordOnly - Only record the result, take no action
NotifyUser - Notify the end user via email
RequireChange - Require immediate password change
tenants[x].passwordValidationRules.maxLengthIntegerAvailable since 1.8.0The maximum length of a password when a new user is created or a user requests a password change.
tenants[x].passwordValidationRules.minLengthIntegerAvailable since 1.8.0The minimum length of a password when a new user is created or a user requests a password change.
tenants[x].passwordValidationRules.rememberPreviousPasswords.countIntegerAvailable since 1.8.0The number of previous passwords to remember. Value must be greater than 0.
tenants[x].passwordValidationRules.rememberPreviousPasswords.enabledBooleanAvailable since 1.8.0Whether to prevent a user from using any of their previous passwords.
tenants[x].passwordValidationRules.requireMixedCaseBooleanAvailable since 1.8.0Whether to force the user to use at least one uppercase and one lowercase character.
tenants[x].passwordValidationRules.requireNonAlphaBooleanAvailable since 1.8.0Whether to force the user to use at least one non-alphanumeric character.
tenants[x].passwordValidationRules.requireNumberBooleanAvailable since 1.8.0Whether to force the user to use at least one number.
tenants[x].passwordValidationRules.validateOnLoginBooleanAvailable since 1.15.0When enabled the user's password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.
tenants[x].phoneConfiguration.forgotPasswordTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template that is used when sending a user a forgot password message.
tenants[x].phoneConfiguration.identityUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their phone number has been updated. The message will be sent to both their new and old phone numbers.
tenants[x].phoneConfiguration.implicitPhoneVerificationAllowedBooleanoptionalDefaults to trueAvailable since 1.59.0When set to true, this allows a phone number to be verified as a result of completing a similar phone based workflow such as change password. When set to false, the user must explicitly complete the phone verification workflow even if the user has already completed a similar phone workflow such as change password.
tenants[x].phoneConfiguration.loginIdInUseOnCreateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to create an account with their login Id.
tenants[x].phoneConfiguration.loginIdInUseOnUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to update an existing account to use their login Id.
tenants[x].phoneConfiguration.loginNewDeviceTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they log in on a new device.
tenants[x].phoneConfiguration.loginSuspiciousTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a suspicious login using their login Id occurs.
tenants[x].phoneConfiguration.messengerIdUUIDAvailable since 1.59.0The messenger that is used to deliver SMS messages for phone number verification and passwordless logins.
tenants[x].phoneConfiguration.passwordlessTemplateIdUUIDAvailable since 1.59.0The Id of the Passwordless Message Template, sent to users when they start a passwordless login.
tenants[x].phoneConfiguration.passwordResetSuccessTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they have completed a 'forgot password' workflow and their password has been reset.
tenants[x].phoneConfiguration.passwordUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their password has been updated.
tenants[x].phoneConfiguration.setPasswordTemplateIdUUIDoptionalAvailable since 1.59.0The Id of the SMS Message Template used when a user must set their password manually after their account was created for them (by an admin, for example).
tenants[x].phoneConfiguration.adminTwoFactorMethodRemoveTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Message Template used to notify a user when an administrator removes one of their MFA methods.
tenants[x].phoneConfiguration.twoFactorMethodRemoveTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a MFA method has been removed from their account.
tenants[x].phoneConfiguration.twoFactorMethodAddTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a MFA method has been added to their account.
tenants[x].phoneConfiguration.unverified.allowPhoneNumberChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.59.0When this value is set to true, the user is allowed to change their phone number when they are gated because they haven't verified their phone number.
tenants[x].phoneConfiguration.unverified.behaviorStringAvailable since 1.59.0The desired behavior during login for a user that does not have a verified phone number. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenants[x].phoneConfiguration.verificationCompleteTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to notify a user that their phone number has been verified.
tenants[x].phoneConfiguration.verificationStrategyStringAvailable since 1.59.0The process by which the user will verify their phone number. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenants[x].phoneConfiguration.unverified.behavior has the Gated value.
tenants[x].phoneConfiguration.verificationTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send SMS messages to users to verify that their phone number is valid.
tenants[x].phoneConfiguration.verifyPhoneNumberBooleanAvailable since 1.59.0Whether a user's phone number is verified when they register with your application.
tenants[x].rateLimitConfiguration.failedLogin.limitIntegerAvailable since 1.30.0The number of times a user can fail to login within the configured timePeriodInSeconds duration. If a Failed authentication action has been configured then it will take precedence.
tenants[x].rateLimitConfiguration.failedLogin.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can fail login before being rate limited.
tenants[x].rateLimitConfiguration.forgotPassword.limitIntegerAvailable since 1.30.0The number of times a user can request a forgot password email within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.forgotPassword.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a forgot password email before being rate limited.
tenants[x].rateLimitConfiguration.sendEmailVerification.limitIntegerAvailable since 1.30.0The number of times a user can request a verification email within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendEmailVerification.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a verification email before being rate limited.
tenants[x].rateLimitConfiguration.sendPasswordless.limitIntegerAvailable since 1.30.0The number of times a user can request a passwordless login email within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendPasswordless.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a passwordless login email before being rate limited.
tenants[x].rateLimitConfiguration.sendPasswordlessPhone.limitIntegerAvailable since 1.59.0The number of times a user can request a passwordless login SMS message within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendPasswordlessPhone.timePeriodInSecondsIntegerAvailable since 1.59.0The duration for the number of times a user can request a passwordless login SMS message before being rate limited.
tenants[x].rateLimitConfiguration.sendPhoneVerification.limitIntegerAvailable since 1.59.0The number of times a user can request a phone verification message within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendPhoneVerification.timePeriodInSecondsIntegerAvailable since 1.59.0The duration for the number of times a user can request a phone verification message before being rate limited.
tenants[x].rateLimitConfiguration.sendRegistrationVerification.limitIntegerAvailable since 1.30.0The number of times a user can request a registration verification email within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendRegistrationVerification.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a registration verification email before being rate limited.
tenants[x].rateLimitConfiguration.sendTwoFactor.limitIntegerAvailable since 1.30.0The number of times a user can request a two-factor code by email or SMS within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendTwoFactor.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a two-factor code by email or SMS before being rate limited.
tenants[x].registrationConfiguration.blockedDomainsArray<String>optionalAvailable since 1.30.0A list of unique domains that are not allowed to register when self service is enabled.
tenants[x].scimServerConfiguration.clientEntityTypeIdUUIDAvailable since 1.36.0The Entity Type that will be used to represent SCIM Clients for this tenant.
tenants[x].scimServerConfiguration.enabledBooleanAvailable since 1.36.0Whether or not this tenant has the SCIM endpoints enabled.
tenants[x].scimServerConfiguration.schemasMapAvailable since 1.36.0JSON formatted as a SCIM Schemas endpoint response. Because the SCIM lambdas may modify the JSON response, ensure the Schema's response matches that generated by the response lambdas. More about Schema definitions.
tenants[x].scimServerConfiguration.serverEntityTypeIdUUIDAvailable since 1.36.0The Entity Type that will be used to represent SCIM Servers for this tenant.
tenants[x].ssoConfiguration.deviceTrustTimeToLiveInSecondsIntegerAvailable since 1.30.2The number of seconds before a trusted device is reset. When reset, a user is forced to complete captcha during login and complete two-factor authentication if applicable.
tenants[x].ssoConfiguration.allowAccessTokenBootstrapBooleanAvailable since 1.56.0When enabled, an SSO session can be created after login by providing an access token as a bearer token in a request to the OAuth2 Authorize endpoint.
tenants[x].stateStringAvailable since 1.22.0The current state of the tenant. The following are valid values:
Active - The tenant is active.
PendingDelete - A delete request has been requested and is being processed.
tenants[x].themeIdUUIDAvailable since 1.8.0The unique Id of the theme to be used to style the login page and other end user templates.
tenants[x].userDeletePolicy.unverified.enabledBooleanAvailable since 1.13.0Indicates that users without a verified email address will be permanently deleted after tenants[x].userDeletePolicy.unverified.numberOfDaysToRetain days.
tenants[x].userDeletePolicy.unverified.enabledInstantLongAvailable since 1.48.0The instant that this policy was enabled.
Users created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for users created after this policy was enabled. If you would like to delete users created prior to this policy being enabled that have an unverified email address, you can use the User Search API or User Bulk Delete API to search on the insertInstant and verified fields to identify users that you would like to delete.
For example, the following query string will return users that were created at least 7 days ago that have not verified their email address.
insertInstant:<now-7d AND verified:false
Please note that prior to version 1.48.0, when enabling this policy all users with an unverified email were eligible for deletion.
tenants[x].userDeletePolicy.unverified.numberOfDaysToRetainIntegerAvailable since 1.13.0The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.
tenants[x].usernameConfiguration.unique.enabledBooleanAvailable since 1.27.0When true, FusionAuth will handle username collisions by generating a random suffix. Users with colliding usernames will be able to use the same one, but in the admin and API interfaces, a unique username will be displayed.
tenants[x].usernameConfiguration.unique.numberOfDigitsIntegerAvailable since 1.27.0The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and will be 1 or more digits up to this configured value in length. For example, if this value is 5, the suffix will be a number between 00001 and 99999, inclusive.
tenants[x].usernameConfiguration.unique.separatorStringAvailable since 1.27.0A single character to use as a separator from the requested username and a unique suffix that is added when a duplicate username is detected. This value can be a single non alphanumeric ASCII character.
tenants[x].usernameConfiguration.unique.strategyStringAvailable since 1.29.0This strategy instructs FusionAuth when to append a unique suffix to the username. The possible values are:
Always - Always append a unique suffix even when the requested username is not in use.
OnCollision - Only append a unique suffix when the requested username is in use.
tenants[x].webAuthnConfiguration.bootstrapWorkflow.authenticatorAttachmentPreferenceStringAvailable since 1.41.0The authenticator attachment requirement for WebAuthn passkey registration when using the bootstrap workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenants[x].webAuthnConfiguration.bootstrapWorkflow.enabledBooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled.
tenants[x].webAuthnConfiguration.bootstrapWorkflow.userVerificationRequirementStringAvailable since 1.41.0The user verification requirement for WebAuthn passkey registration and authentication when using the bootstrap workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenants[x].webAuthnConfiguration.debugBooleanAvailable since 1.41.0Whether debug event log output is enabled for WebAuthn.
tenants[x].webAuthnConfiguration.enabledBooleanAvailable since 1.41.0Whether WebAuthn configuration is enabled.
tenants[x].webAuthnConfiguration.reauthenticationWorkflow.authenticatorAttachmentPreferenceStringAvailable since 1.41.0The authenticator attachment requirement for WebAuthn passkey registration when using the reauthentication workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenants[x].webAuthnConfiguration.reauthenticationWorkflow.enabledBooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled.
tenants[x].webAuthnConfiguration.reauthenticationWorkflow.userVerificationRequirementStringAvailable since 1.41.0The user verification requirement for WebAuthn passkey registration and authentication when using the reauthentication workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenants[x].webAuthnConfiguration.relyingPartyIdStringAvailable since 1.41.0The Relying Party Id the tenant will use in WebAuthn ceremonies. Passkeys can only be used to authenticate on sites using the same Relying Party Id they were registered with.
The default value is null, which instructs the WebAuthn JavaScript API to use the browser origin.
tenants[x].webAuthnConfiguration.relyingPartyNameStringAvailable since 1.41.0The Relying Party name the tenant will use in WebAuthn ceremonies. This value is used only for display and may be shown by browser or OS dialogs during WebAuthn ceremonies.
If no value is configured, the tenant.issuer value will be used.
Example Response JSON for all the Tenants
{
"tenants": [
{
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"baseURL": "https://example.com",
"configured": true,
"captchaConfiguration": {
"captchaMethod": "GoogleRecaptchaV3",
"enabled": false,
"threshold": 0.5
},
"connectorPolicies": [
{
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"domains": [
"*"
],
"migrate": false
},
{
"connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
"domains": [
"*"
],
"migrate": true
}
],
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"additionalHeaders": [
{
"name": "X-SES-CONFIGURATION-SET",
"value": "example_configuration_set_name"
}
],
"defaultFromEmail": "jared@piedpiper.com",
"defaultFromName": "Jared Dunn",
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"implicitEmailVerificationAllowed": true,
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d",
"unverified": {
"allowEmailChangeWhenGated": false,
"behavior": "Gated"
},
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verificationStrategy": "FormField",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.password.breach": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"deviceCodeTimeToLiveInSeconds": 1800,
"deviceUserCodeIdGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"emailVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"externalAuthenticationIdTimeToLiveInSeconds": 300,
"loginIntentTimeToLiveInSeconds": 1800,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"pendingAccountLinkTimeToLiveInSeconds": 3600,
"phoneVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"phoneVerificationIdTimeToLiveInSeconds": 86400,
"phoneVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"registrationVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"rememberOAuthScopeConsentChoiceTimeToLiveInSeconds": 2592000,
"samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorOneTimeCodeIdGenerator": {
"length": 6,
"type": "randomDigits"
},
"twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000,
"webAuthnAuthenticationChallengeTimeToLiveInSeconds": 180,
"webAuthnRegistrationChallengeTimeToLiveInSeconds": 180
},
"failedAuthenticationConfiguration": {
"actionCancelPolicy": {
"onPasswordReset": false
},
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"emailUser": false,
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"formConfiguration": {
"adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"insertInstant": 1572469040579,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenExpirationPolicy": "Fixed",
"refreshTokenRevocationPolicy": {
"onLoginPrevented": true,
"onMultiFactorEnable": true,
"onPasswordChanged": true
},
"refreshTokenTimeToLiveInMinutes": 43200,
"refreshTokenUsagePolicy": "Reusable",
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"loginValidationId": "c0dd79db-38dd-424b-b77a-4dccaad71052",
"scimEnterpriseUserRequestConverterId": "c2e70f8d-19bb-4df7-848a-33a9a1e26b84",
"scimEnterpriseUserResponseConverterId": "44fc9553-8a2e-408f-8aa2-fa65b70b55e2",
"scimGroupRequestConverterId": "66d65de0-1819-42f8-86ed-7daaa4e155dc",
"scimGroupResponseConverterId": "79812ede-432f-4375-9b43-23c0fe996fef",
"scimUserRequestConverterId": "8a51d7a1-5e3e-442a-b96a-0c31379bb3d4",
"scimUserResponseConverterId": "c8720843-dc4f-4e6c-b6ca-500e9c44695f"
},
"lastUpdateInstant": 1595361143101,
"loginConfiguration": {
"requireAuthentication": true
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"multiFactorConfiguration": {
"authenticator": {
"algorithm": "HmacSHA1",
"codeLength": 6,
"enabled": true,
"timeStep": 30
},
"email": {
"enabled": true,
"templateId": "d312fb71-d7d8-4b75-a497-6096a07220b3"
},
"loginPolicy": "Enabled",
"sms": {
"enabled": true,
"messengerId": "0a4bae38-ffef-4c33-b74c-1d50c796f600",
"templateId": "f35e04e6-72ec-4f52-b552-29cf950a4ed6"
}
},
"name": "Playtronics Co.",
"oauthConfiguration": {
"clientCredentialsAccessTokenPopulateLambdaId": "46e120c1-4c22-473f-95b4-e2c187cd20c2"
},
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"breachDetection": {
"enabled": true,
"notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"matchMode": "High",
"onLogin": "Off"
},
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true,
"validateOnLogin": false
},
"phoneConfiguration": {
"forgotPasswordTemplateId": "f90c8a8f-db77-4f2f-a3dd-5f692faf5d55",
"identityUpdateTemplateId": "77df7e94-2dbf-44ab-b58c-06ac4224c449",
"implicitPhoneVerificationAllowed": false,
"loginIdInUseOnCreateTemplateId": "7880dac6-809b-489e-8a69-363b043dd0f4",
"loginIdInUseOnUpdateTemplateId": "de14b495-a358-4941-bb6b-0ddce04370ef",
"loginNewDeviceTemplateId": "d77ac611-ddff-4a06-903c-fafe5c1f9f7a",
"loginSuspiciousTemplateId": "73a8408a-e857-4ce2-82bb-d15b94d7c709",
"messengerId": "22a2ec45-39de-439a-a41c-eb7666b3b051",
"passwordResetSuccessTemplateId": "6a0f3a7a-3511-4936-a546-3bd8f68dbdd3",
"passwordUpdateTemplateId": "3ca81208-5678-434f-92b8-7fcc3b62bc7a",
"passwordlessTemplateId": "e8449783-60a7-483f-8c66-bcdf0d05705f",
"setPasswordTemplateId": "a6655c95-d94c-4dea-8191-0190f562bc39",
"twoFactorMethodAddTemplateId": "c450521d-7f39-4a21-ba02-ced83225efcc",
"twoFactorMethodRemoveTemplateId": "fba4fe64-3a29-45f8-895f-520d73d93659",
"unverified": {
"allowPhoneNumberChangeWhenGated": false,
"behavior": "Allow"
},
"verificationCompleteTemplateId": "7b6b80bd-e3a5-42ff-b333-93ef37c192df",
"verificationStrategy": "ClickableLink",
"verificationTemplateId": "c96ed02d-fbc6-4b27-9e74-54444747d18a",
"verifyPhoneNumber": true
},
"rateLimitConfiguration": {
"failedLogin": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"forgotPassword": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendEmailVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordless": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordlessPhone": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPhoneVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendRegistrationVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendTwoFactor": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
}
},
"registrationConfiguration": {},
"scimServerConfiguration": {
"clientEntityTypeId": "d9ed49f7-1106-4b20-acdb-5cbda76ae77e",
"enabled": true,
"serverEntityTypeId": "919e0ac5-1cf0-4fcf-a8fc-29d77a0d1d8f",
"schemas": {}
},
"ssoConfiguration": {
"allowAccessTokenBootstrap": false,
"deviceTrustTimeToLiveInSeconds": 31536000
},
"state": "Active",
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"usernameConfiguration": {
"unique": {
"enabled": false,
"numberOfDigits": 5,
"separator": "#",
"strategy": "OnCollision"
}
},
"webAuthnConfiguration": {
"enabled": true,
"bootstrapWorkflow": {
"authenticatorAttachmentPreference": "crossPlatform",
"enabled": true,
"userVerificationRequirement": "required"
},
"debug": false,
"reauthenticationWorkflow": {
"authenticatorAttachmentPreference": "platform",
"enabled": true,
"userVerificationRequirement": "required"
},
"relyingPartyId": "piedpiper.com",
"relyingPartyName": "Pied Piper"
}
}
]
}
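The fields documented above are the ones a configuration review reads first. The following added example (not FusionAuth's code) audits a response of this shape for plaintext or SSL SMTP transport, enabled debug logging, rate limits that are not enabled, and WebAuthn workflows that do not require user verification. The sample response is constructed, and which settings count as findings is this example's own policy assumption.

```python
import json

# Action names as they appear under rateLimitConfiguration in the response.
RATE_LIMITED_ACTIONS = (
    "failedLogin", "forgotPassword", "sendEmailVerification", "sendPasswordless",
    "sendPasswordlessPhone", "sendPhoneVerification",
    "sendRegistrationVerification", "sendTwoFactor",
)
WEBAUTHN_WORKFLOWS = ("bootstrapWorkflow", "reauthenticationWorkflow")

# Constructed sample: two trimmed tenants in the shape of the response above.
SAMPLE_RESPONSE = json.loads("""
{"tenants": [
  {"id": "32306536-3036-6431-3865-646430303332",
   "name": "Playtronics Co.",
   "emailConfiguration": {"security": "TLS"},
   "rateLimitConfiguration": {
     "failedLogin": {"enabled": false, "limit": 5, "timePeriodInSeconds": 60},
     "sendTwoFactor": {"enabled": true, "limit": 5, "timePeriodInSeconds": 60}},
   "webAuthnConfiguration": {
     "enabled": true, "debug": false,
     "bootstrapWorkflow": {"enabled": true, "userVerificationRequirement": "required"},
     "reauthenticationWorkflow": {"enabled": true, "userVerificationRequirement": "preferred"}}},
  {"id": "00000000-0000-0000-0000-000000000001",
   "name": "Constructed Staging",
   "emailConfiguration": {"security": "NONE", "debug": true}}
]}
""")


def lookup(obj, dotted, default=None):
    """Walk a dotted path through nested dicts; return default when absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_tenant(tenant):
    """Return a list of (field, reason) findings for one tenant object."""
    findings = []

    # SMTP transport security; the documented default is NONE.
    security = lookup(tenant, "emailConfiguration.security", "NONE")
    if security == "NONE":
        findings.append(("emailConfiguration.security",
                         "SMTP traffic is sent in plaintext"))
    elif security == "SSL":
        findings.append(("emailConfiguration.security",
                         "SSL in use; TLS is the preferred protocol"))

    # Debug event logging left switched on.
    for field in ("emailConfiguration.debug", "webAuthnConfiguration.debug"):
        if lookup(tenant, field, False) is True:
            findings.append((field, "debug event log output is enabled"))

    # Rate limits: an absent or false 'enabled' is treated as not enforced.
    unlimited = [a for a in RATE_LIMITED_ACTIONS
                 if lookup(tenant, f"rateLimitConfiguration.{a}.enabled", False) is not True]
    if unlimited:
        findings.append(("rateLimitConfiguration",
                         "not enabled for: " + ", ".join(unlimited)))

    # WebAuthn: flag enabled workflows explicitly set below 'required'.
    if lookup(tenant, "webAuthnConfiguration.enabled", False) is True:
        for workflow in WEBAUTHN_WORKFLOWS:
            base = f"webAuthnConfiguration.{workflow}"
            uv = lookup(tenant, base + ".userVerificationRequirement")
            if lookup(tenant, base + ".enabled", False) is True and uv in ("discouraged", "preferred"):
                findings.append((base + ".userVerificationRequirement",
                                 f"user verification is '{uv}', not 'required'"))
    return findings


def audit_response(response):
    """Map each tenant Id in a tenants response to its findings."""
    return {t.get("id"): audit_tenant(t) for t in response.get("tenants", [])}


if __name__ == "__main__":
    for tenant_id, findings in audit_response(SAMPLE_RESPONSE).items():
        for field, reason in findings:
            print(f"{tenant_id}  {field}: {reason}")
```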
Search for Tenants#
This API has been available since 1.45.0
This API is used to search for Tenants and may be called using the GET or POST HTTP methods. Examples of each are provided below. The POST method is provided to allow for a richer request object without worrying about exceeding the maximum length of a URL. Calling this API with either the GET or POST HTTP method will provide the same search results given the same query parameters.
Note: API key authentication must be made using a global API key. The request may not contain the X-FusionAuth-TenantId request header. Requests made using an API key scoped to a specific tenant, or containing the X-FusionAuth-TenantId request header will fail with a 401 status code.
Request#
Request Parameters#
nameStringoptionalThe case-insensitive string to search for in the Tenant name. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.
numberOfResultsIntegeroptionalDefaults to 25The number of results to return from the search.
orderByStringoptionalDefaults to name ASCThe database field to order the search results as well as an order direction.
The possible values are:
id - the unique Id of the Tenant
insertInstant - the instant when the Tenant was created
name - the Tenant name
The order direction is optional. Possible values of the order direction are ASC or DESC. If omitted, the default sort order is ASC.
For example, to order the results by the insert instant in a descending order, use insertInstant DESC.
startRowIntegeroptionalDefaults to 0The offset into the total results. In order to paginate the results, increment this value by the numberOfResults for subsequent requests.
For example, if the total search results are greater than the page size designated by numberOfResults, set this value to 25 to retrieve results 26-50, assuming the default page size.
When calling the API using a POST request you will send the search criteria in a JSON request body.
Request Body#
search.nameStringoptionalThe case-insensitive string to search for in the Tenant name. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.
search.numberOfResultsIntegeroptionalDefaults to 25The number of results to return from the search.
search.orderByStringoptionalDefaults to name ASCThe database field to order the search results as well as an order direction.
The possible values are:
id - the unique Id of the Tenant
insertInstant - the instant when the Tenant was created
name - the Tenant name
The order direction is optional. Possible values of the order direction are ASC or DESC. If omitted, the default sort order is ASC.
For example, to order the results by the insert instant in a descending order, use insertInstant DESC.
search.startRowIntegeroptionalDefaults to 0The offset into the total results. In order to paginate the results, increment this value by the numberOfResults for subsequent requests.
For example, if the total search results are greater than the page size designated by numberOfResults, set this value to 25 to retrieve results 26-50, assuming the default page size.
Example JSON Request
{
"search": {
"name": "Playtronics",
"numberOfResults": 10,
"orderBy": "insertInstant",
"startRow": 0
}
}
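The pagination and authentication rules described above, as an added example that is not FusionAuth's own client code. It builds the POST form of the search, refuses to send an X-FusionAuth-TenantId header, validates orderBy against the documented fields, and advances startRow by numberOfResults until a short page is returned. The path `/api/tenant/search`, the host name, the API key values and the in-memory fake server are assumptions made so the example runs offline.

```python
import fnmatch
import json

SEARCH_PATH = "/api/tenant/search"  # assumed path; not shown in this section
ORDER_FIELDS = ("id", "insertInstant", "name")


def normalize_order_by(order_by):
    """Accept '<field>' or '<field> ASC|DESC', using only the documented fields."""
    parts = order_by.split()
    if len(parts) not in (1, 2) or parts[0] not in ORDER_FIELDS:
        raise ValueError(f"orderBy field must be one of {ORDER_FIELDS}")
    direction = parts[1] if len(parts) == 2 else "ASC"
    if direction not in ("ASC", "DESC"):
        raise ValueError("order direction must be ASC or DESC")
    return f"{parts[0]} {direction}"


def build_search_request(base_url, api_key, name=None, number_of_results=25,
                         start_row=0, order_by="name ASC", extra_headers=None):
    """Build the POST form of the search as a plain dict (no network I/O)."""
    headers = dict(extra_headers or {})
    if any(h.lower() == "x-fusionauth-tenantid" for h in headers):
        raise ValueError("tenant search rejects X-FusionAuth-TenantId with a 401")
    headers.update({"Authorization": api_key, "Content-Type": "application/json"})
    search = {"numberOfResults": number_of_results,
              "orderBy": normalize_order_by(order_by),
              "startRow": start_row}
    if name is not None:
        search["name"] = name
    return {"method": "POST", "url": base_url.rstrip("/") + SEARCH_PATH,
            "headers": headers, "body": json.dumps({"search": search})}


def search_all_tenants(send, base_url, api_key, page_size=25, **criteria):
    """Collect every match. send(request) -> (status, body) is injected."""
    found, start_row = [], 0
    while True:
        request = build_search_request(base_url, api_key, number_of_results=page_size,
                                       start_row=start_row, **criteria)
        status, body = send(request)
        if status == 401:
            raise PermissionError("401: API key missing, invalid or tenant-scoped")
        if status != 200:
            raise RuntimeError(f"tenant search failed with HTTP {status}")
        page = json.loads(body).get("tenants", [])
        found.extend(page)
        if len(page) < page_size:   # short page: nothing left to fetch
            return found
        start_row += page_size      # advance the offset by numberOfResults


def make_fake_server(tenants, global_key, seen):
    """Constructed stand-in for the API that applies the documented rules."""
    def send(request):
        headers = {k.lower(): v for k, v in request["headers"].items()}
        if headers.get("authorization") != global_key or "x-fusionauth-tenantid" in headers:
            return 401, ""
        search = json.loads(request["body"])["search"]
        seen.append(search["startRow"])
        pattern = search.get("name", "*").lower()
        if "*" not in pattern:      # no wildcard: interpreted as *value*
            pattern = f"*{pattern}*"
        field, direction = search["orderBy"].split()
        hits = sorted((t for t in tenants
                       if fnmatch.fnmatchcase(t["name"].lower(), pattern)),
                      key=lambda t: t[field], reverse=(direction == "DESC"))
        start = search["startRow"]
        return 200, json.dumps({"tenants": hits[start:start + search["numberOfResults"]]})
    return send


def demo():
    """Search 31 constructed tenants for 'playtronics', newest first."""
    tenants = [{"id": f"{i:08d}-0000-0000-0000-000000000000",
                "name": f"Playtronics {i:02d}",
                "insertInstant": 1572469040579 + i} for i in range(30)]
    tenants.append({"id": "ffffffff-0000-0000-0000-000000000000",
                    "name": "Pied Piper", "insertInstant": 1})
    seen = []
    send = make_fake_server(tenants, "constructed-global-key", seen)
    found = search_all_tenants(send, "https://auth.example.com", "constructed-global-key",
                               name="playtronics", order_by="insertInstant DESC")
    return found, seen


if __name__ == "__main__":
    found, seen = demo()
    print(len(found), "tenants; startRow values requested:", seen)
```

In real use, `send` would wrap an HTTP client call and return the status code and response body.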
Response#
The response for this API contains the Tenants matching the search criteria in paginated format.
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted, your API key was not valid, your API key is scoped to a single tenant, or the request contains a `X-FusionAuth-TenantId` header. The response will be empty. See [Authentication](/docs/apis/authentication). |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body#
tenantsArrayThe list of Tenant objects.
tenants[x].accessControlConfiguration.uiIPAccessControlListIdUUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to all applications in this tenant.
tenants[x].baseURLStringAvailable since 1.68.0The default base URL used when rendering links in templates for this Tenant. This value is used when application.baseURL is not defined.
tenants[x].captchaConfiguration.captchaMethodStringAvailable since 1.30.0The type of captcha method to use.
tenants[x].captchaConfiguration.enabledBooleanAvailable since 1.30.0Whether captcha configuration is enabled.
tenants[x].captchaConfiguration.secretKeyStringAvailable since 1.30.0The secret key for this captcha method.
tenants[x].captchaConfiguration.siteKeyStringAvailable since 1.30.0The site key for this captcha method.
tenants[x].captchaConfiguration.thresholdFloatAvailable since 1.30.0The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.
tenants[x].configuredBooleanIndicates the tenant has been configured. It is always true, except for the default tenant when the setup wizard has not been completed, in which case it is false.
tenants[x].connectorPoliciesArrayAvailable since 1.18.0A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.
tenants[x].connectorPolicies[x].connectorIdUUIDAvailable since 1.18.0The identifier of the Connector to which this policy refers.
tenants[x].connectorPolicies[x].domainsStringAvailable since 1.18.0A list of email domains to which this connector should apply.
A value of ["*"] indicates this connector applies to all users.
tenants[x].connectorPolicies[x].migrateBooleanAvailable since 1.18.0If true, the user's data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector's source will be treated as authoritative.
tenants[x].dataObjectAn object that can hold any information about the Tenant that should be persisted.
tenants[x].emailConfiguration.additionalHeadersArray<Object>optionalAvailable since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenants[x].emailConfiguration.debugBooleanoptionalDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenants[x].emailConfiguration.defaultFromEmailStringoptionalAvailable since 1.16.0The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenants[x].emailConfiguration.defaultFromNameStringoptionalAvailable since 1.16.0The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenants[x].emailConfiguration.emailUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
tenants[x].emailConfiguration.emailVerifiedEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
tenants[x].emailConfiguration.forgotPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
tenants[x].emailConfiguration.hostStringoptionalDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenants[x].emailConfiguration.implicitEmailVerificationAllowedoptionalDefaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenants[x].emailConfiguration.loginIdInUseOnCreateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
tenants[x].emailConfiguration.loginIdInUseOnUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenants[x].emailConfiguration.loginNewDeviceEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
tenants[x].emailConfiguration.loginSuspiciousEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
tenants[x].emailConfiguration.passwordlessEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenants[x].emailConfiguration.passwordResetSuccessEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
tenants[x].emailConfiguration.passwordUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
tenants[x].emailConfiguration.portIntegeroptionalDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenants[x].emailConfiguration.propertiesStringoptionalAvailable since 1.8.0Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
mail.smtp.timeout has a default value of 2000.
mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenants[x].emailConfiguration.securityStringoptionalDefaults to NONEAvailable since 1.8.0The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
NONE - no security will be used. All communications will be sent plaintext.
SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenants[x].emailConfiguration.setPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user has had their account created for them and must set their password manually; they are sent an email to set their password.
tenants[x].emailConfiguration.twoFactorMethodAddEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when an MFA method has been added to their account.
tenants[x].emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenants[x].emailConfiguration.twoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when an MFA method has been removed from their account.
tenants[x].emailConfiguration.unverified.allowEmailChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.27.0When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenants[x].emailConfiguration.unverified.behaviorStringoptionalDefaults to AllowAvailable since 1.27.0The desired behavior during login for a user that does not have a verified email. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenants[x].emailConfiguration.usernameStringoptionalAvailable since 1.8.0An optional username FusionAuth will use to authenticate with the SMTP server.
tenants[x].emailConfiguration.verificationEmailTemplateIdUUIDoptionalThe Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenants[x].emailConfiguration.verificationStrategyStringoptionalAvailable since 1.27.0The process by which the user will verify their email address. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenants[x].emailConfiguration.unverified.behavior has the Gated value.
tenants[x].emailConfiguration.verifyEmailBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user registers with your application.
tenants[x].emailConfiguration.verifyEmailWhenChangedBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user changes them.
tenants[x].eventConfiguration.events Object Available since 1.8.0
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
audit-log.create - When an audit log is created. Available since 1.30.0
event-log.create - When an event log is created. Available since 1.30.0
jwt.public-key.update - When a JWT signing Public / Private keypair may have been changed.
jwt.refresh - When an access token is refreshed using a refresh token. Available since 1.16.0
jwt.refresh-token.revoke - When a JWT Refresh Token is revoked.
kickstart.success - When kickstart has successfully completed. Available since 1.30.0
user.action - When a user action is triggered.
user.bulk.create - When multiple users are created in bulk (i.e. during an import).
user.create - When a user is created.
user.create.complete - When a user create transaction has completed. Available since 1.30.0
user.deactivate - When a user is deactivated.
user.delete - When a user is deleted.
user.delete.complete - When a user delete transaction has completed. Available since 1.30.0
user.email.update - When a user updates their email address. Available since 1.30.0
user.email.verified - When a user verifies their email address. Available since 1.8.0
user.identity-provider.link - When a link is created from a user to an Identity Provider. Available since 1.36.0
user.identity-provider.unlink - When an existing Identity Provider link is removed from a User. Available since 1.36.0
user.identity.verified - When a user's identity is verified. Available since 1.59.0
user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.login.failed - When a user fails a login request. Available since 1.6.0
user.login.new-device - When a user begins a login request with a new device. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.login.success - When a user completes a login request. Available since 1.6.0
user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license). Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license). Available since 1.15.0. Note: you'll need a paid plan.
user.password.reset.send - When a forgot password email has been sent to a user. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.reset.start - When the process to reset a user password has started. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.reset.success - When a user has successfully reset their password. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.update - When a user has updated their password. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.reactivate - When a user is reactivated.
user.registration.create - When a user registration is created. Available since 1.6.0
user.registration.create.complete - When a user registration create transaction has completed. Available since 1.30.0
user.registration.delete - When a user registration is deleted. Available since 1.6.0
user.registration.delete.complete - When a user registration delete transaction has completed. Available since 1.30.0
user.registration.update - When a user registration is updated. Available since 1.6.0
user.registration.update.complete - When a user registration update transaction has completed. Available since 1.30.0
user.registration.verified - When a user completes registration verification. Available since 1.8.0
user.two-factor.challenge - When a user is presented a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.two-factor.failed-attempt - When a user submits an incorrect answer to a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.two-factor.method.add - When a user has added a two-factor method. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.two-factor.method.remove - When a user has removed a two-factor method. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.two-factor.success - When a user submits a correct answer to a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.update - When a user is updated.
user.update.complete - When a user update transaction has completed. Available since 1.30.0
tenants[x].eventConfiguration.events[type].enabled Boolean Available since 1.8.0
Whether or not FusionAuth should send these types of events to any configured Webhooks.
tenants[x].eventConfiguration.events[type].transactionType String Available since 1.8.0
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.
Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.
SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.
tenants[x].externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
Value must be greater than 0 and less than or equal to 600.
tenants[x].externalIdentifierConfiguration.changePasswordIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the change password Id.
If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.changePasswordIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the change password Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds Integer Available since 1.11.0
The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.deviceUserCodeIdGenerator.length Integer Available since 1.11.0
The length of the secure generator used for generating the device code Id.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.deviceUserCodeIdGenerator.type String Available since 1.11.0
The type of the secure generator used for generating the device code Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.emailVerificationIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the email verification Id.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.emailVerificationIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the email verification Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.length Integer Available since 1.27.0
The length of the secure generator used for generating the email verification one time code.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.type String Available since 1.27.0
The type of the secure generator used for generating the email verification one time code. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds Integer Available since 1.12.0
The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.identityProviderConnectionTestTimeToLiveInSeconds Integer Available since 1.65.0
The time in seconds until an identity provider connection test Id is no longer valid and cannot be used by the Identity Provider Test API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.loginIntentTimeToLiveInSeconds Integer Available since 1.53.0
The time in seconds until a Login Timeout identifier is no longer valid to complete post-authentication steps in the OAuth workflow. Must be greater than 0.
tenants[x].externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.passwordlessLoginGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the passwordless login.
If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.passwordlessLoginGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the passwordless login. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the passwordless one-time login.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the passwordless one-time login. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.pendingAccountLinkTimeToLiveInSeconds Integer Available since 1.28.0
The number of seconds before the pending account link identifier is no longer valid to complete an account link request.
tenants[x].externalIdentifierConfiguration.phoneVerificationIdGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the phone verification Id.
If the phoneVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the phoneVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.phoneVerificationIdGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the phone verification Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.phoneVerificationIdTimeToLiveInSeconds Integer Available since 1.59.0
The time in seconds until a phone verification Id is no longer valid and cannot be used by the Verify Phone API.
tenants[x].externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.length Integer Available since 1.59.0
The length of the secure generator used for generating the phone verification one time code.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.type String Available since 1.59.0
The type of the secure generator used for generating the phone verification one time code. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.registrationVerificationIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the registration verification Id.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.registrationVerificationIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the registration verification Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.length Integer Available since 1.27.0
The length of the secure generator used for generating the registration verification one time code.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.type String Available since 1.27.0
The type of the secure generator used for generating the registration verification one time code. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds Integer Available since 1.50.0
The time in seconds until remembered OAuth scope consent choices are no longer valid, and the User will be prompted to consent to requested OAuth scopes even if they have not changed. Applies only when application.oauthConfiguration.consentMode is set to RememberDecision. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds Integer Available since 1.19.0
The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.
tenants[x].externalIdentifierConfiguration.setupPasswordIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the setup password Id.
If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.setupPasswordIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the setup password Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.trustTokenTimeToLiveInSeconds Integer Available since 1.33.0
The number of seconds before the Trust Token is no longer valid to complete a request that requires trust. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until a two-factor Id is no longer valid and cannot be used by the Two-Factor Login API. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.length Integer Available since 1.8.0
The length of the secure generator used for generating the two-factor one time code Id.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenants[x].externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.type String Available since 1.8.0
The type of the secure generator used for generating the two-factor code Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenants[x].externalIdentifierConfiguration.twoFactorOneTimeCodeIdTimeToLiveInSeconds Integer Available since 1.26.0
The number of seconds before the Two-Factor One Time Code used to enable or disable a two-factor method is no longer valid. Must be greater than 0.
tenants[x].externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds Integer Available since 1.8.0
The time in seconds until an issued Two-Factor trust Id is no longer valid and the User will be required to complete Two-Factor authentication during the next authentication attempt. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.webAuthnAuthenticationChallengeTimeToLiveInSeconds Integer Available since 1.41.0
The time in seconds until a WebAuthn authentication challenge is no longer valid and the User will be required to restart the WebAuthn authentication ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.get API call. Value must be greater than 0.
tenants[x].externalIdentifierConfiguration.webAuthnRegistrationChallengeTimeToLiveInSeconds Integer Available since 1.41.0
The time in seconds until a WebAuthn registration challenge is no longer valid and the User will be required to restart the WebAuthn registration ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.create API call. Value must be greater than 0.
tenants[x].failedAuthenticationConfiguration.actionCancelPolicy.onPasswordReset Boolean Available since 1.42.0
Indicates whether you want the user to be able to self-service unlock their account prior to the action duration by completing a password reset workflow.
tenants[x].failedAuthenticationConfiguration.actionDuration Long Available since 1.8.0
The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.
tenants[x].failedAuthenticationConfiguration.actionDurationUnit String Available since 1.8.0
The unit of time associated with a duration. The possible values are:
MINUTES, HOURS, DAYS, WEEKS, MONTHS, YEARS
tenants[x].failedAuthenticationConfiguration.emailUser String optional Available since 1.42.0
Indicates you would like to email the user when the user's account is locked due to this action being taken. This requires the User Action specified by the tenant.failedAuthenticationConfiguration.userActionId to also be configured for email. If the User Action is not configured to be able to email the user, this configuration will be ignored. See userEmailingEnabled on the User Action.
tenants[x].failedAuthenticationConfiguration.resetCountInSeconds Integer Available since 1.8.0
The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.
tenants[x].failedAuthenticationConfiguration.tooManyAttempts Integer Available since 1.8.0
The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.
tenants[x].failedAuthenticationConfiguration.userActionId UUID Available since 1.8.0
The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
tenants[x].familyConfiguration.allowChildRegistrations Boolean Available since 1.8.0
Whether to allow child registrations.
tenants[x].familyConfiguration.confirmChildEmailTemplateId UUID Available since 1.8.0
The unique Id of the email template to use when confirming a child.
tenants[x].familyConfiguration.deleteOrphanedAccounts Boolean Available since 1.8.0
Indicates that child users without parental verification will be permanently deleted after tenants[x].familyConfiguration.deleteOrphanedAccountsDays days.
tenants[x].familyConfiguration.deleteOrphanedAccountsDays Integer Available since 1.8.0
The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.
tenants[x].familyConfiguration.enabled Boolean Available since 1.8.0
Whether family configuration is enabled.
tenants[x].familyConfiguration.familyRequestEmailTemplateId UUID Available since 1.8.0
The unique Id of the email template to use when a family request is made.
tenants[x].familyConfiguration.maximumChildAge Integer Available since 1.8.0
The maximum age of a child. Value must be greater than 0.
tenants[x].familyConfiguration.minimumOwnerAge Integer Available since 1.8.0
The minimum age to be an owner. Value must be greater than 0.
tenants[x].familyConfiguration.parentEmailRequired Boolean Available since 1.8.0
Whether a parent email is required.
tenants[x].familyConfiguration.parentRegistrationEmailTemplateId UUID Available since 1.8.0
The unique Id of the email template to use for parent registration.
tenants[x].formConfiguration.adminUserFormId UUID Available since 1.20.0
The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.
tenants[x].httpSessionMaxInactiveInterval Integer Available since 1.8.0
Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.
tenants[x].id UUID
The unique identifier for this Tenant.
tenants[x].insertInstant Long
The instant that the Tenant was added to the FusionAuth database.
tenants[x].issuer String Available since 1.8.0
The named issuer used to sign tokens. This is generally your public fully qualified domain with the https:// protocol prefix. For example, https://example.com.
tenants[x].jwtConfiguration.accessTokenKeyIdUUIDAvailable since 1.8.0The unique id of the signing key used to sign the access token.
tenants[x].jwtConfiguration.idTokenKeyIdUUIDAvailable since 1.8.0The unique id of the signing key used to sign the Id token.
tenants[x].jwtConfiguration.refreshTokenExpirationPolicyStringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed- the expiration is calculated from the time the token is issued.SlidingWindow- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Â Available since 1.46.0
tenants[x].jwtConfiguration.refreshTokenOneTimeUseConfiguration.gracePeriodInSecondsIntegerAvailable since 1.55.1The length of time specified in seconds that a one-time use token can be reused.
This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.
Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.
tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onLoginPreventedBooleanAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.
tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onMultiFactorEnableBooleanAvailable since 1.42.0When enabled, all of a user's refresh tokens will be revoked when the user enables multi-factor authentication for the first time. This policy will not be applied when adding subsequent multi-factor methods to the user.
tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuseBooleanAvailable since 1.55.1When enabled, if a one-time use refresh token is reused, the token will be revoked. This does not cause all refresh tokens to be revoked, only the reused token is revoked.
tenants[x].jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChangedBooleanAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user changes their password.
tenants[x].jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutesIntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime.
tenants[x].jwtConfiguration.refreshTokenTimeToLiveInMinutesIntegerAvailable since 1.8.0The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.
tenants[x].jwtConfiguration.refreshTokenUsagePolicyStringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable - the token does not change after it was issued.
OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
tenants[x].jwtConfiguration.timeToLiveInSecondsIntegerAvailable since 1.8.0The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.
tenants[x].lambdaConfiguration.loginValidationIdUUIDAvailable since 1.53.0The Id of the lambda that will be invoked at the end of a successful login request in order to extend custom validation of a login request.
tenants[x].lambdaConfiguration.multiFactorRequirementIdUUIDoptionalAvailable since 1.62.0The Id of the lambda that will be invoked during logins, password changes, and MFA Status API calls to perform various validations to decide whether to challenge the user on one of their MFA methods.
tenants[x].lambdaConfiguration.scimEnterpriseUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM Enterprise User request to a FusionAuth User.
tenants[x].lambdaConfiguration.scimEnterpriseUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth Enterprise User to a SCIM Server response.
tenants[x].lambdaConfiguration.scimGroupRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM Group Request Lambda that will be used to convert the SCIM Group request to a FusionAuth Group.
tenants[x].lambdaConfiguration.scimGroupResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM GroupResponse Lambda that will be used to convert a FusionAuth Group to a SCIM Server response.
tenants[x].lambdaConfiguration.scimUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM User request to a FusionAuth User.
tenants[x].lambdaConfiguration.scimUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth User to a SCIM Server response.
tenants[x].lastUpdateInstantLongThe instant that the Tenant was last updated in the FusionAuth database.
tenants[x].loginConfiguration.requireAuthenticationBooleanAvailable since 1.26.0Indicates whether to require an API key for the Login API when an applicationId is not provided. When an applicationId is provided to the Login API call, the application configuration will take precedence.
tenants[x].logoutURLStringAvailable since 1.8.0The logout redirect URL when sending the user's browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
tenants[x].maximumPasswordAge.daysIntegerAvailable since 1.8.0The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when tenant.maximumPasswordAge.enabled is set to true.
tenants[x].maximumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the maximum password age is enabled and being enforced.
tenants[x].minimumPasswordAge.secondsIntegerAvailable since 1.8.0The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when tenant.minimumPasswordAge.enabled is set to true.
tenants[x].minimumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the minimum password age is enabled and being enforced.
tenants[x].multiFactorConfiguration.authenticator.algorithmStringAvailable since 1.26.0The algorithm used by the TOTP authenticator. This value is HmacSHA1 and read only.
tenants[x].multiFactorConfiguration.authenticator.codeLengthIntegerAvailable since 1.26.0The length of the code generated by the TOTP. This value is 6 and read only.
tenants[x].multiFactorConfiguration.authenticator.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an authenticator application to complete a multi-factor authentication request. This method uses TOTP (Time-Based One-Time Password) as defined in RFC 6238 and often uses a native mobile app such as Google Authenticator.
tenants[x].multiFactorConfiguration.authenticator.timeStepIntegerAvailable since 1.26.0The time-step size in seconds. This value is 30 and read only.
tenants[x].multiFactorConfiguration.email.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an email address to complete a two-factor authentication request.
tenants[x].multiFactorConfiguration.email.templateIdUUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a two-factor authentication request.
tenants[x].multiFactorConfiguration.sms.enabledBooleanAvailable since 1.26.0When enabled, users may utilize a mobile phone number to complete a two-factor authentication request.
tenants[x].multiFactorConfiguration.sms.messengerIdUUIDAvailable since 1.26.0The messenger that is used to deliver a SMS two-factor authentication request.
tenants[x].multiFactorConfiguration.sms.templateIdUUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a two-factor authentication request.
tenants[x].multiFactorConfiguration.voice.enabledBooleanAvailable since 1.65.0When enabled, users can receive a spoken multi-factor authentication code over a phone call.
tenants[x].multiFactorConfiguration.voice.messengerIdUUIDAvailable since 1.65.0The messenger that is used to deliver a voice two-factor authentication request.
tenants[x].multiFactorConfiguration.voice.templateIdUUIDAvailable since 1.65.0The Id of the voice template that is used when notifying a user to complete a two-factor authentication request.
tenants[x].nameStringThe unique name of the Tenant.
tenants[x].oauthConfiguration.clientCredentialsAccessTokenPopulateLambdaIdUUIDAvailable since 1.26.0The Id of a lambda that will be called to populate the JWT during a client credentials grant.
tenants[x].passwordEncryptionConfiguration.encryptionSchemeStringAvailable since 1.8.0The default method for encrypting the User's password. The following encryptors are provided with FusionAuth:
tenants[x].passwordEncryptionConfiguration.encryptionSchemeFactorIntegerAvailable since 1.8.0The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.
tenants[x].passwordEncryptionConfiguration.modifyEncryptionSchemeOnLoginBooleanAvailable since 1.8.0When enabled a user's hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.
Beginning in version 1.42.0 when this configuration is enabled, in addition to re-hashing on login, the password will be re-hashed on password change as well.
tenants[x].passwordValidationRules.breachDetection.enabledBooleanAvailable since 1.15.0Whether to enable Reactor breach detection. Requires an activated license.
tenants[x].passwordValidationRules.breachDetection.matchModeStringAvailable since 1.15.0The level of severity where Reactor will consider a breach. The following are valid values:
High - Only requires a password match, this is the most secure and is recommended
Medium - Exact match on username, email address or email sub-address
Low - Exact match on an email or username, or the password is a common breached value
tenants[x].passwordValidationRules.breachDetection.notifyUserEmailTemplateIdUUIDAvailable since 1.15.0The Id of the email template to use when notifying a user of a breached password.
tenants[x].passwordValidationRules.breachDetection.onLoginStringAvailable since 1.15.0The behavior when detecting breaches at time of user login. The following are valid values:
Off - Do not perform breach detection at login
RecordOnly - Only record the result, take no action
NotifyUser - Notify the end user via email
RequireChange - Require immediate password change
tenants[x].passwordValidationRules.maxLengthIntegerAvailable since 1.8.0The maximum length of a password when a new user is created or a user requests a password change.
tenants[x].passwordValidationRules.minLengthIntegerAvailable since 1.8.0The minimum length of a password when a new user is created or a user requests a password change.
tenants[x].passwordValidationRules.rememberPreviousPasswords.countIntegerAvailable since 1.8.0The number of previous passwords to remember. Value must be greater than 0.
tenants[x].passwordValidationRules.rememberPreviousPasswords.enabledBooleanAvailable since 1.8.0Whether to prevent a user from using any of their previous passwords.
tenants[x].passwordValidationRules.requireMixedCaseBooleanAvailable since 1.8.0Whether to force the user to use at least one uppercase and one lowercase character.
tenants[x].passwordValidationRules.requireNonAlphaBooleanAvailable since 1.8.0Whether to force the user to use at least one non-alphanumeric character.
tenants[x].passwordValidationRules.requireNumberBooleanAvailable since 1.8.0Whether to force the user to use at least one number.
tenants[x].passwordValidationRules.validateOnLoginBooleanAvailable since 1.15.0When enabled the user's password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.
tenants[x].phoneConfiguration.forgotPasswordTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template that is used when sending a user a forgot password message.
tenants[x].phoneConfiguration.identityUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their phone number has been updated. The message will be sent to both their new and old phone numbers.
tenants[x].phoneConfiguration.implicitPhoneVerificationAllowedBooleanoptionalDefaults to trueAvailable since 1.59.0When set to true, this allows a phone number to be verified as a result of completing a similar phone based workflow such as change password. When set to false, the user must explicitly complete the phone verification workflow even if the user has already completed a similar phone workflow such as change password.
tenants[x].phoneConfiguration.loginIdInUseOnCreateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to create an account with their login Id.
tenants[x].phoneConfiguration.loginIdInUseOnUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to update an existing account to use their login Id.
tenants[x].phoneConfiguration.loginNewDeviceTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they log in on a new device.
tenants[x].phoneConfiguration.loginSuspiciousTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a suspicious login using their login Id occurs.
tenants[x].phoneConfiguration.messengerIdUUIDAvailable since 1.59.0The messenger that is used to deliver SMS messages for phone number verification and passwordless logins.
tenants[x].phoneConfiguration.passwordlessTemplateIdUUIDAvailable since 1.59.0The Id of the Passwordless Message Template, sent to users when they start a passwordless login.
tenants[x].phoneConfiguration.passwordResetSuccessTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they have completed a 'forgot password' workflow and their password has been reset.
tenants[x].phoneConfiguration.passwordUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their password has been updated.
tenants[x].phoneConfiguration.setPasswordTemplateIdUUIDoptionalAvailable since 1.59.0The Id of the SMS Message Template used when a user must set their password manually after their account was created for them (by an admin, for example).
tenants[x].phoneConfiguration.adminTwoFactorMethodRemoveTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Message Template used to notify a user when an administrator removes one of their MFA methods.
tenants[x].phoneConfiguration.twoFactorMethodRemoveTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a MFA method has been removed from their account.
tenants[x].phoneConfiguration.twoFactorMethodAddTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a MFA method has been added to their account.
tenants[x].phoneConfiguration.unverified.allowPhoneNumberChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.59.0When this value is set to true, the user is allowed to change their phone number when they are gated because they haven't verified their phone number.
tenants[x].phoneConfiguration.unverified.behaviorStringAvailable since 1.59.0The desired behavior during login for a user that does not have a verified phone number. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenants[x].phoneConfiguration.verificationCompleteTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to notify a user that their phone number has been verified.
tenants[x].phoneConfiguration.verificationStrategyStringAvailable since 1.59.0The process by which the user will verify their phone number. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenants[x].phoneConfiguration.unverified.behavior has the Gated value.
tenants[x].phoneConfiguration.verificationTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send SMS messages to users to verify that their phone number is valid.
tenants[x].phoneConfiguration.verifyPhoneNumberBooleanAvailable since 1.59.0Whether a user's phone number is verified when they register with your application.
tenants[x].rateLimitConfiguration.failedLogin.limitIntegerAvailable since 1.30.0The number of times a user can fail to login within the configured timePeriodInSeconds duration. If a Failed authentication action has been configured then it will take precedence.
tenants[x].rateLimitConfiguration.failedLogin.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can fail login before being rate limited.
tenants[x].rateLimitConfiguration.forgotPassword.limitIntegerAvailable since 1.30.0The number of times a user can request a forgot password email within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.forgotPassword.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a forgot password email before being rate limited.
tenants[x].rateLimitConfiguration.sendEmailVerification.limitIntegerAvailable since 1.30.0The number of times a user can request a verification email within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendEmailVerification.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a verification email before being rate limited.
tenants[x].rateLimitConfiguration.sendPasswordless.limitIntegerAvailable since 1.30.0The number of times a user can request a passwordless login email within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendPasswordless.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a passwordless login email before being rate limited.
tenants[x].rateLimitConfiguration.sendPasswordlessPhone.limitIntegerAvailable since 1.59.0The number of times a user can request a passwordless login SMS message within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendPasswordlessPhone.timePeriodInSecondsIntegerAvailable since 1.59.0The duration for the number of times a user can request a passwordless login SMS message before being rate limited.
tenants[x].rateLimitConfiguration.sendPhoneVerification.limitIntegerAvailable since 1.59.0The number of times a user can request a phone verification message within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendPhoneVerification.timePeriodInSecondsIntegerAvailable since 1.59.0The duration for the number of times a user can request a phone verification message before being rate limited.
tenants[x].rateLimitConfiguration.sendRegistrationVerification.limitIntegerAvailable since 1.30.0The number of times a user can request a registration verification email within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendRegistrationVerification.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a registration verification email before being rate limited.
tenants[x].rateLimitConfiguration.sendTwoFactor.limitIntegerAvailable since 1.30.0The number of times a user can request a two-factor code by email or SMS within the configured timePeriodInSeconds duration.
tenants[x].rateLimitConfiguration.sendTwoFactor.timePeriodInSecondsIntegerAvailable since 1.30.0The duration for the number of times a user can request a two-factor code by email or SMS before being rate limited.
tenants[x].registrationConfiguration.blockedDomainsArray<String>optionalAvailable since 1.30.0A list of unique domains that are not allowed to register when self service is enabled.
tenants[x].scimServerConfiguration.clientEntityTypeIdUUIDAvailable since 1.36.0The Entity Type that will be used to represent SCIM Clients for this tenant.
tenants[x].scimServerConfiguration.enabledBooleanAvailable since 1.36.0Whether or not this tenant has the SCIM endpoints enabled.
tenants[x].scimServerConfiguration.schemasMapAvailable since 1.36.0JSON formatted as a SCIM Schemas endpoint response. Because the SCIM lambdas may modify the JSON response, ensure the Schema's response matches that generated by the response lambdas. More about Schema definitions.
tenants[x].scimServerConfiguration.serverEntityTypeIdUUIDAvailable since 1.36.0The Entity Type that will be used to represent SCIM Servers for this tenant.
tenants[x].ssoConfiguration.deviceTrustTimeToLiveInSecondsIntegerAvailable since 1.30.2The number of seconds before a trusted device is reset. When reset, a user is forced to complete captcha during login and complete two-factor authentication if applicable.
tenants[x].ssoConfiguration.allowAccessTokenBootstrapBooleanAvailable since 1.56.0When enabled, an SSO session can be created after login by providing an access token as a bearer token in a request to the OAuth2 Authorize endpoint.
tenants[x].stateStringAvailable since 1.22.0The current state of the tenant. The following are valid values:
Active - The tenant is active.
PendingDelete - A delete request has been requested and is being processed.
tenants[x].themeIdUUIDAvailable since 1.8.0The unique Id of the theme to be used to style the login page and other end user templates.
tenants[x].userDeletePolicy.unverified.enabledBooleanAvailable since 1.13.0Indicates that users without a verified email address will be permanently deleted after tenants[x].userDeletePolicy.unverified.numberOfDaysToRetain days.
tenants[x].userDeletePolicy.unverified.enabledInstantLongAvailable since 1.48.0The instant that this policy was enabled.
Users created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for users created after this policy was enabled. If you would like to delete users created prior to this policy being enabled that have an unverified email address, you can use the User Search API or User Bulk Delete API to search on the insertInstant and verified fields to identify users that you would like to delete.
For example, the following query string will return users that were created at least 7 days ago that have not verified their email address.
insertInstant:<now-7d AND verified:false
Please note that prior to version 1.48.0, when enabling this policy all users with an unverified email were eligible for deletion.
tenants[x].userDeletePolicy.unverified.numberOfDaysToRetainIntegerAvailable since 1.13.0The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.
tenants[x].usernameConfiguration.unique.enabledBooleanAvailable since 1.27.0When true, FusionAuth will handle username collisions by generating a random suffix. Users with colliding usernames will be able to use the same one, but in the admin and API interfaces, a unique username will be displayed.
tenants[x].usernameConfiguration.unique.numberOfDigitsIntegerAvailable since 1.27.0The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and will be 1 or more digits up to this configured value in length. For example, if this value is 5, the suffix will be a number between 00001 and 99999, inclusive.
tenants[x].usernameConfiguration.unique.separatorStringAvailable since 1.27.0A single character to use as a separator from the requested username and a unique suffix that is added when a duplicate username is detected. This value can be a single non alphanumeric ASCII character.
tenants[x].usernameConfiguration.unique.strategyStringAvailable since 1.29.0This strategy instructs FusionAuth when to append a unique suffix to the username. The possible values are:
Always - Always append a unique suffix even when the requested username is not in use.
OnCollision - Only append a unique suffix when the requested username is in use.
tenants[x].webAuthnConfiguration.bootstrapWorkflow.authenticatorAttachmentPreferenceStringAvailable since 1.41.0The authenticator attachment requirement for WebAuthn passkey registration when using the bootstrap workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenants[x].webAuthnConfiguration.bootstrapWorkflow.enabledBooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled.
tenants[x].webAuthnConfiguration.bootstrapWorkflow.userVerificationRequirementStringAvailable since 1.41.0The user verification requirement for WebAuthn passkey registration and authentication when using the bootstrap workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenants[x].webAuthnConfiguration.debugBooleanAvailable since 1.41.0Whether debug event log output is enabled for WebAuthn.
tenants[x].webAuthnConfiguration.enabledBooleanAvailable since 1.41.0Whether WebAuthn configuration is enabled.
tenants[x].webAuthnConfiguration.reauthenticationWorkflow.authenticatorAttachmentPreferenceStringAvailable since 1.41.0The authenticator attachment requirement for WebAuthn passkey registration when using the reauthentication workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenants[x].webAuthnConfiguration.reauthenticationWorkflow.enabledBooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled.
tenants[x].webAuthnConfiguration.reauthenticationWorkflow.userVerificationRequirementStringAvailable since 1.41.0The user verification requirement for WebAuthn passkey registration and authentication when using the reauthentication workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenants[x].webAuthnConfiguration.relyingPartyIdStringAvailable since 1.41.0The Relying Party Id the tenant will use in WebAuthn ceremonies. Passkeys can only be used to authenticate on sites using the same Relying Party Id they were registered with.
The default value is null, which instructs the WebAuthn JavaScript API to use the browser origin.
tenants[x].webAuthnConfiguration.relyingPartyNameStringAvailable since 1.41.0The Relying Party name the tenant will use in WebAuthn ceremonies. This value is used only for display and may be shown by browser or OS dialogs during WebAuthn ceremonies.
If no value is configured, the tenant.issuer value will be used.
totalIntegerThe total number of Tenants matching the search criteria. Use this value along with the numberOfResults and startRow in the Search request to perform pagination.
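The response fields above can be checked against a security baseline after each search call. The following is an added example, not FusionAuth code: `get`, `audit_tenant` and `audit_response` are hypothetical helpers, the baseline itself is an assumed policy (absent keys count as disabled, user verification must be `required`), and the input is a constructed, trimmed response.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed Tenant Search response reusing values from the
# example response on this page; the webAuthnConfiguration values are invented.
SAMPLE_RESPONSE = json.loads("""
{"tenants": [{
  "name": "Playtronics Co.",
  "jwtConfiguration": {
    "refreshTokenRevocationPolicy": {"onLoginPrevented": true, "onPasswordChanged": true},
    "refreshTokenUsagePolicy": "Reusable"
  },
  "loginConfiguration": {"requireAuthentication": true},
  "logoutURL": "http://example.com/logout",
  "multiFactorConfiguration": {"authenticator": {"enabled": true}},
  "passwordValidationRules": {
    "breachDetection": {"enabled": true, "matchMode": "High", "onLogin": "Off"}
  },
  "webAuthnConfiguration": {
    "debug": true,
    "enabled": true,
    "bootstrapWorkflow": {"enabled": true, "userVerificationRequirement": "discouraged"},
    "reauthenticationWorkflow": {"enabled": true, "userVerificationRequirement": "required"}
  }
}], "total": 1}
""")


def get(obj, path, default=None):
    """Walk a dotted path through nested dicts; an absent key yields default."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_tenant(tenant):
    """Return sorted (field, message) findings for one tenants[x] object."""
    findings = []
    jwt = "jwtConfiguration."
    usage = get(tenant, jwt + "refreshTokenUsagePolicy")
    if usage == "Reusable":
        findings.append((jwt + "refreshTokenUsagePolicy",
                         "token value does not change after issue"))
    # Assumed policy: every revocation trigger should be on; absent means off.
    triggers = ["onLoginPrevented", "onMultiFactorEnable", "onPasswordChanged"]
    if usage == "OneTimeUse":
        triggers.append("onOneTimeTokenReuse")  # only meaningful with rotation
    for trigger in triggers:
        field = jwt + "refreshTokenRevocationPolicy." + trigger
        if get(tenant, field, False) is not True:
            findings.append((field, "revocation trigger is not enabled"))

    if get(tenant, "loginConfiguration.requireAuthentication", False) is not True:
        findings.append(("loginConfiguration.requireAuthentication",
                         "Login API without applicationId needs no API key"))

    logout = get(tenant, "logoutURL")
    if logout and urlparse(logout).scheme != "https":
        findings.append(("logoutURL", "logout redirect is not https"))

    mfa = get(tenant, "multiFactorConfiguration", {})
    methods = ("authenticator", "email", "sms", "voice")
    if not any(get(mfa, m + ".enabled", False) for m in methods):
        findings.append(("multiFactorConfiguration", "no MFA method enabled"))

    bd = "passwordValidationRules.breachDetection."
    if get(tenant, bd + "enabled", False) is not True:
        findings.append((bd + "enabled", "breach detection is off"))
    else:
        if get(tenant, bd + "matchMode") != "High":
            findings.append((bd + "matchMode", "High is the recommended mode"))
        if get(tenant, bd + "onLogin", "Off") == "Off":
            findings.append((bd + "onLogin", "no breach check at login"))

    wa = "webAuthnConfiguration."
    if get(tenant, wa + "enabled", False):
        if get(tenant, wa + "debug", False):
            findings.append((wa + "debug", "debug event log output is on"))
        for wf in ("bootstrapWorkflow", "reauthenticationWorkflow"):
            uv = wa + wf + ".userVerificationRequirement"
            if get(tenant, wa + wf + ".enabled", False) and get(tenant, uv) != "required":
                findings.append((uv, "user verification is not required"))
    return sorted(findings)


def audit_response(response):
    """Map each tenant name in a search response to its findings."""
    return {t.get("name", "<unnamed>"): audit_tenant(t)
            for t in response.get("tenants", [])}


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        for field, message in findings:
            print(f"{name}: {field}: {message}")
```
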
Example Response JSON for Tenant Search
{
"tenants": [
{
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"configured": true,
"captchaConfiguration": {
"captchaMethod": "GoogleRecaptchaV3",
"enabled": false,
"threshold": 0.5
},
"connectorPolicies": [
{
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"domains": [
"*"
],
"migrate": false
},
{
"connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
"domains": [
"*"
],
"migrate": true
}
],
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"additionalHeaders": [
{
"name": "X-SES-CONFIGURATION-SET",
"value": "example_configuration_set_name"
}
],
"defaultFromEmail": "jared@piedpiper.com",
"defaultFromName": "Jared Dunn",
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"implicitEmailVerificationAllowed": true,
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d",
"unverified": {
"allowEmailChangeWhenGated": false,
"behavior": "Allow"
},
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verificationStrategy": "FormField",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.password.breach": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"deviceCodeTimeToLiveInSeconds": 1800,
"deviceUserCodeIdGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"emailVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"externalAuthenticationIdTimeToLiveInSeconds": 300,
"loginIntentTimeToLiveInSeconds": 1800,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"pendingAccountLinkTimeToLiveInSeconds": 3600,
"phoneVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"phoneVerificationIdTimeToLiveInSeconds": 86400,
"phoneVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"registrationVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"rememberOAuthScopeConsentChoiceTimeToLiveInSeconds": 2592000,
"samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorOneTimeCodeIdGenerator": {
"length": 6,
"type": "randomDigits"
},
"twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000,
"webAuthnAuthenticationChallengeTimeToLiveInSeconds": 180,
"webAuthnRegistrationChallengeTimeToLiveInSeconds": 180
},
"failedAuthenticationConfiguration": {
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"formConfiguration": {
"adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"insertInstant": 1572469040579,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenExpirationPolicy": "Fixed",
"refreshTokenRevocationPolicy": {
"onLoginPrevented": true,
"onPasswordChanged": true
},
"refreshTokenTimeToLiveInMinutes": 43200,
"refreshTokenUsagePolicy": "Reusable",
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"loginValidationId": "c0dd79db-38dd-424b-b77a-4dccaad71052",
"scimEnterpriseUserRequestConverterId": "c2e70f8d-19bb-4df7-848a-33a9a1e26b84",
"scimEnterpriseUserResponseConverterId": "44fc9553-8a2e-408f-8aa2-fa65b70b55e2",
"scimGroupRequestConverterId": "66d65de0-1819-42f8-86ed-7daaa4e155dc",
"scimGroupResponseConverterId": "79812ede-432f-4375-9b43-23c0fe996fef",
"scimUserRequestConverterId": "8a51d7a1-5e3e-442a-b96a-0c31379bb3d4",
"scimUserResponseConverterId": "c8720843-dc4f-4e6c-b6ca-500e9c44695f"
},
"lastUpdateInstant": 1595361143101,
"loginConfiguration": {
"requireAuthentication": true
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"multiFactorConfiguration": {
"authenticator": {
"algorithm": "HmacSHA1",
"codeLength": 6,
"enabled": true,
"timeStep": 30
},
"email": {
"enabled": true,
"templateId": "d312fb71-d7d8-4b75-a497-6096a07220b3"
},
"sms": {
"enabled": true,
"messengerId": "0a4bae38-ffef-4c33-b74c-1d50c796f600",
"templateId": "f35e04e6-72ec-4f52-b552-29cf950a4ed6"
}
},
"name": "Playtronics Co.",
"oauthConfiguration": {
"clientCredentialsAccessTokenPopulateLambdaId": "46e120c1-4c22-473f-95b4-e2c187cd20c2"
},
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"breachDetection": {
"enabled": true,
"notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"matchMode": "High",
"onLogin": "Off"
},
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true,
"validateOnLogin": false
},
"phoneConfiguration": {
"forgotPasswordTemplateId": "f90c8a8f-db77-4f2f-a3dd-5f692faf5d55",
"identityUpdateTemplateId": "77df7e94-2dbf-44ab-b58c-06ac4224c449",
"implicitPhoneVerificationAllowed": false,
"loginIdInUseOnCreateTemplateId": "7880dac6-809b-489e-8a69-363b043dd0f4",
"loginIdInUseOnUpdateTemplateId": "de14b495-a358-4941-bb6b-0ddce04370ef",
"loginNewDeviceTemplateId": "d77ac611-ddff-4a06-903c-fafe5c1f9f7a",
"loginSuspiciousTemplateId": "73a8408a-e857-4ce2-82bb-d15b94d7c709",
"messengerId": "22a2ec45-39de-439a-a41c-eb7666b3b051",
"passwordResetSuccessTemplateId": "6a0f3a7a-3511-4936-a546-3bd8f68dbdd3",
"passwordUpdateTemplateId": "3ca81208-5678-434f-92b8-7fcc3b62bc7a",
"passwordlessTemplateId": "e8449783-60a7-483f-8c66-bcdf0d05705f",
"setPasswordTemplateId": "a6655c95-d94c-4dea-8191-0190f562bc39",
"twoFactorMethodAddTemplateId": "c450521d-7f39-4a21-ba02-ced83225efcc",
"twoFactorMethodRemoveTemplateId": "fba4fe64-3a29-45f8-895f-520d73d93659",
"unverified": {
"allowPhoneNumberChangeWhenGated": false,
"behavior": "Allow"
},
"verificationCompleteTemplateId": "7b6b80bd-e3a5-42ff-b333-93ef37c192df",
"verificationStrategy": "ClickableLink",
"verificationTemplateId": "c96ed02d-fbc6-4b27-9e74-54444747d18a",
"verifyPhoneNumber": true
},
"scimServerConfiguration": {
"clientEntityTypeId": "d9ed49f7-1106-4b20-acdb-5cbda76ae77e",
"enabled": true,
"serverEntityTypeId": "919e0ac5-1cf0-4fcf-a8fc-29d77a0d1d8f",
"schemas": {}
},
"ssoConfiguration": {
"allowAccessTokenBootstrap": false,
"deviceTrustTimeToLiveInSeconds": 31536000
},
"state": "Active",
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"usernameConfiguration": {
"unique": {
"enabled": false,
"numberOfDigits": 5,
"separator": "#",
"strategy": "OnCollision"
}
},
"webAuthnConfiguration": {
"enabled": true,
"bootstrapWorkflow": {
"authenticatorAttachmentPreference": "crossPlatform",
"enabled": true,
"userVerificationRequirement": "required"
},
"debug": false,
"reauthenticationWorkflow": {
"authenticatorAttachmentPreference": "platform",
"enabled": true,
"userVerificationRequirement": "required"
},
"relyingPartyId": "piedpiper.com",
"relyingPartyName": "Pied Piper"
}
}
],
"total": 1
}
Update a Tenant#
This API is used to update an existing Tenant.
You must specify all of the properties of the Tenant when calling this API with the PUT HTTP method. When used with PUT, this API doesn't merge the existing Tenant and your new data. It replaces the existing Tenant with your new data.
Utilize the PATCH HTTP method to send specific changes to merge into an existing Tenant.
Request#
For backward compatibility, the PATCH method accepts the same media type (specified by a Content-Type of application/json) and body as the PUT request. You can also use the following media types for different behavior:
- JSON Patch/RFC 6902: application/json-patch+json
- JSON Merge Patch/RFC 7396: application/merge-patch+json
For details, see the PATCH documentation.
Using a media type of application/json merges the provided request parameters into the existing object. As a result, all parameters are optional with PATCH: only provide the values you want to change. To remove a value, provide a null value. Patching an Array appends all values in the new list to the old list.
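The difference between these request styles matters most for array fields such as tenant.connectorPolicies, where a change meant to replace a policy can leave the old one in force. The following is an added example, not FusionAuth code: a local model of the semantics described above (PUT replaces, PATCH with application/json merges, removes on null and appends arrays) next to the RFC 7396 merge algorithm. The function names, connector Ids and sample tenant are constructed for illustration, and JSON Patch (RFC 6902) is not modelled.

```python
import copy


def put_replace(existing, body):
    """PUT: the stored Tenant becomes exactly the body that was sent."""
    return copy.deepcopy(body)


def patch_application_json(existing, changes):
    """PATCH with Content-Type application/json, as this page describes it:
    objects merge key by key, null removes a value, arrays are appended."""
    result = copy.deepcopy(existing)
    for key, value in changes.items():
        current = result.get(key)
        if value is None:
            result.pop(key, None)                         # null removes the value
        elif isinstance(value, dict) and isinstance(current, dict):
            result[key] = patch_application_json(current, value)
        elif isinstance(value, list) and isinstance(current, list):
            result[key] = current + copy.deepcopy(value)  # new items are appended
        else:
            result[key] = copy.deepcopy(value)
    return result


def patch_merge_rfc7396(existing, patch):
    """PATCH with application/merge-patch+json: the RFC 7396 algorithm.
    Objects merge, null removes, anything else (arrays included) is replaced."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(existing) if isinstance(existing, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = patch_merge_rfc7396(result.get(key), value)
    return result


# Constructed sample data: a stored tenant with one catch-all Connector policy,
# and a change that is meant to swap it for a policy scoped to one domain.
CATCH_ALL = {"connectorId": "00000000-0000-0000-0000-00000000000a",
             "domains": ["*"], "migrate": False}
SCOPED = {"connectorId": "00000000-0000-0000-0000-00000000000b",
          "domains": ["example.com"], "migrate": True}
STORED = {
    "name": "Playtronics Co.",
    "emailConfiguration": {"host": "smtp.example.com", "port": 587, "security": "TLS"},
    "connectorPolicies": [CATCH_ALL],
}
CHANGE = {"connectorPolicies": [SCOPED]}


def connector_ids(tenant):
    """Connector Ids in evaluation order (users are checked against them in order)."""
    return [policy["connectorId"] for policy in tenant.get("connectorPolicies", [])]


if __name__ == "__main__":
    styles = (
        ("PUT", put_replace),
        ("PATCH application/json", patch_application_json),
        ("PATCH application/merge-patch+json", patch_merge_rfc7396),
    )
    for label, apply_change in styles:
        after = apply_change(STORED, CHANGE)
        print(f"{label}: policies={connector_ids(after)} top-level keys={sorted(after)}")
```

With the application/json PATCH the catch-all policy is still first in the list after the update, so review the stored array after any array patch rather than assuming the old entries are gone.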
Request Parameters#
tenantIdUUIDrequiredImmutableThe Id of the Tenant to update.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body#
tenant.accessControlConfiguration.uiIPAccessControlListIdUUIDoptionalAvailable since 1.30.0The Id of the IP Access Control List limiting access to all applications in this tenant.
Note: To use IP ACLs, you'll need an Enterprise plan.
tenant.baseURLStringoptionalAvailable since 1.68.0The default base URL used when rendering links in templates for this Tenant. This value is used when application.baseURL is not defined.
tenant.captchaConfiguration.captchaMethodStringoptionalAvailable since 1.30.0The type of CAPTCHA method to use. This field is required when tenant.captchaConfiguration.enabled is set to true. The possible values are:
- GoogleRecaptchaV2 - use Google reCAPTCHA v2
- GoogleRecaptchaV3 - use Google reCAPTCHA v3
- HCaptcha - use HCaptcha
- HCaptchaEnterprise - use HCaptcha Enterprise - v25
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.captchaConfiguration.enabledBooleanoptionalDefaults to falseAvailable since 1.30.0Whether CAPTCHA configuration is enabled.
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.captchaConfiguration.secretKeyStringoptionalAvailable since 1.30.0The secret key for this CAPTCHA method. This field is required when tenant.captchaConfiguration.enabled is set to true.
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.captchaConfiguration.siteKeyStringoptionalAvailable since 1.30.0The site key for this CAPTCHA method. This field is required when tenant.captchaConfiguration.enabled is set to true.
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.captchaConfiguration.thresholdFloatoptionalAvailable since 1.30.0The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.
The value must be between 0.0 and 1.0. Values outside of that range will result in an error.
Note: To use CAPTCHA, you'll need an Enterprise plan.
tenant.clientRiskConfiguration.enabledBooleanoptionalDefaults to falseAvailable since 1.68.0Whether or not FusionAuth should use custom signal configuration when calculating client risk. The score is available to MFA policies, and the MFA requirement lambda. Disabled signals are excluded from all risk calculations. Disabling all signals sets the risk score to HIGH.
tenant.clientRiskConfiguration.blocklistedIpBooleanoptionalDefaults to trueAvailable since 1.68.0Checks whether the client's IP address appears on a blocklist.
tenant.clientRiskConfiguration.botDetectedBooleanoptionalDefaults to trueAvailable since 1.68.0Detects bot interactions with the browser window.
tenant.clientRiskConfiguration.dormantAccountBooleanoptionalDefaults to trueAvailable since 1.68.0Checks if the user has not logged in for a long period of time.
tenant.clientRiskConfiguration.dormantPasswordBooleanoptionalDefaults to trueAvailable since 1.68.0Checks if the user's password has not been changed for a long period of time.
tenant.clientRiskConfiguration.impossibleTravelBooleanoptionalDefaults to trueAvailable since 1.68.0Tracks geographic locations for login attempts. Flags a login as high risk if it occurs sooner than it would take to physically travel from the previous location to the current location.
tenant.clientRiskConfiguration.recentIdentityChangeBooleanoptionalDefaults to trueAvailable since 1.68.0Checks if the user's login ID has been changed recently.
tenant.clientRiskConfiguration.recentPasswordChangeBooleanoptionalDefaults to trueAvailable since 1.68.0Checks if the user's password has been changed recently.
tenant.clientRiskConfiguration.suspiciousUserAgentBooleanoptionalDefaults to trueAvailable since 1.68.0Checks whether the client's user agent has been flagged as suspicious.
tenant.clientRiskConfiguration.unrecognizedDeviceBooleanoptionalDefaults to trueAvailable since 1.68.0Checks whether the request originates from an unrecognized device.
tenant.clientRiskConfiguration.untrustedDeviceBooleanoptionalDefaults to trueAvailable since 1.68.0Checks if the request originates from a device that is not in the user's trusted device list.
tenant.connectorPoliciesArrayoptionalAvailable since 1.18.0A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.
tenant.connectorPolicies[x].connectorIdUUIDoptionalAvailable since 1.18.0The identifier of the Connector to which this policy refers.
tenant.connectorPolicies[x].domainsArray<String>optionalAvailable since 1.18.0A list of email domains to which this connector should apply.
A value of ["*"] indicates this connector applies to all users.
tenant.connectorPolicies[x].migrateBooleanoptionalDefaults to falseAvailable since 1.18.0If true, the user's data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector's source will be treated as authoritative.
Prior to version 1.28.0 this value was required.
tenant.dataObjectoptionalAn object that can hold any information about the Tenant that should be persisted.
tenant.emailConfiguration.additionalHeadersArray<Object>optionalAvailable since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenant.emailConfiguration.debugBooleanoptionalDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenant.emailConfiguration.defaultFromEmailStringoptionalAvailable since 1.16.0The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn jared@piedpiper.com).
tenant.emailConfiguration.defaultFromNameStringoptionalAvailable since 1.16.0The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn jared@piedpiper.com).
tenant.emailConfiguration.emailUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
tenant.emailConfiguration.emailVerifiedEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
tenant.emailConfiguration.forgotPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
tenant.emailConfiguration.hostStringoptionalDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.implicitEmailVerificationAllowedoptionalDefaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenant.emailConfiguration.loginIdInUseOnCreateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
tenant.emailConfiguration.loginIdInUseOnUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenant.emailConfiguration.loginNewDeviceEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
tenant.emailConfiguration.loginSuspiciousEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
tenant.emailConfiguration.passwordStringoptionalAvailable since 1.8.0An optional password FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.passwordlessEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenant.emailConfiguration.passwordResetSuccessEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
tenant.emailConfiguration.passwordUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
tenant.emailConfiguration.portIntegeroptionalDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.propertiesStringoptionalAvailable since 1.8.0Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
- mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
- mail.smtp.timeout has a default value of 2000.
- mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenant.emailConfiguration.securityStringoptionalDefaults to NONEAvailable since 1.8.0The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
- NONE - no security will be used. All communications will be sent plaintext.
- SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
- TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenant.emailConfiguration.setPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and must set their password manually; the user is sent an email to set their password.
tenant.emailConfiguration.twoFactorMethodAddEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when an MFA method has been added to their account.
tenant.emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenant.emailConfiguration.twoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when an MFA method has been removed from their account.
tenant.emailConfiguration.unverified.allowEmailChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.27.0When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenant.emailConfiguration.unverified.behaviorStringoptionalDefaults to AllowAvailable since 1.27.0The desired behavior during login for a user that does not have a verified email. The possible values are:
- Allow - the user will be allowed to complete login.
- Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.emailConfiguration.usernameStringoptionalAvailable since 1.8.0An optional username FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.verificationEmailTemplateIdUUIDoptionalThe Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenant.emailConfiguration.verificationStrategyStringoptionalAvailable since 1.27.0The process by which the user will verify their email address. The possible values are:
- ClickableLink - send the user a code with a clickable link.
- FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.emailConfiguration.unverified.behavior has the Gated value.
tenant.emailConfiguration.verifyEmailBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user registers with your application.
tenant.emailConfiguration.verifyEmailWhenChangedBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user changes them.
tenant.eventConfiguration.eventsObjectoptionalAvailable since 1.8.0A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
- audit-log.create - When an audit log is created. Available since 1.30.0
- event-log.create - When an event log is created. Available since 1.30.0
- jwt.public-key.update - When a JWT signing Public / Private keypair may have been changed
- jwt.refresh - When an access token is refreshed using a refresh token. Available since 1.16.0
- jwt.refresh-token.revoke - When a JWT Refresh Token is revoked
- kickstart.success - When kickstart has successfully completed. Available since 1.30.0
- user.action - When a user action is triggered
- user.bulk.create - When multiple users are created in bulk (i.e. during an import)
- user.create - When a user is created
- user.create.complete - When a user create transaction has completed. Available since 1.30.0
- user.deactivate - When a user is deactivated
- user.delete - When a user is deleted
- user.delete.complete - When a user delete transaction has completed. Available since 1.30.0
- user.email.update - When a user updates their email address. Available since 1.30.0
- user.email.verified - When a user verifies their email address. Available since 1.8.0
- user.identity-provider.link - When a link is created from a user to an Identity Provider. Available since 1.36.0
- user.identity-provider.unlink - When an existing Identity Provider link is removed from a User. Available since 1.36.0
- user.identity.verified - When a user's identity is verified. Available since 1.59.0
- user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.login.failed - When a user fails a login request. Available since 1.6.0
- user.login.new-device - When a user begins a login request with a new device. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.login.success - When a user completes a login request. Available since 1.6.0
- user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license). Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license). Available since 1.15.0. Note: To use this event, you'll need a paid plan.
- user.password.reset.send - When a forgot password email has been sent to a user. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.password.reset.start - When the process to reset a user password has started. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.password.reset.success - When a user has successfully reset their password. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.password.update - When a user has updated their password. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.reactivate - When a user is reactivated
- user.registration.create - When a user registration is created. Available since 1.6.0
- user.registration.create.complete - When a user registration create transaction has completed. Available since 1.30.0
- user.registration.delete - When a user registration is deleted. Available since 1.6.0
- user.registration.delete.complete - When a user registration delete transaction has completed. Available since 1.30.0
- user.registration.update - When a user registration is updated. Available since 1.6.0
- user.registration.update.complete - When a user registration update transaction has completed. Available since 1.30.0
- user.registration.verified - When a user completes registration verification. Available since 1.8.0
- user.two-factor.challenge - When a user is presented a two-factor challenge. Available since 1.68.0. Note: To use this event, you'll need an Enterprise plan.
- user.two-factor.failed-attempt - When a user submits an incorrect answer to a two-factor challenge. Available since 1.68.0. Note: To use this event, you'll need an Enterprise plan.
- user.two-factor.method.add - When a user has added a two-factor method. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.two-factor.method.remove - When a user has removed a two-factor method. Available since 1.30.0. Note: To use this event, you'll need an Enterprise plan.
- user.two-factor.success - When a user submits a correct answer to a two-factor challenge. Available since 1.68.0. Note: To use this event, you'll need an Enterprise plan.
- user.update - When a user is updated
- user.update.complete - When a user update transaction has completed. Available since 1.30.0
tenant.eventConfiguration.events[type].enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Whether or not FusionAuth should send these types of events to any configured Webhooks.
tenant.eventConfiguration.events[type].transactionTypeStringoptionalDefaults to NoneAvailable since 1.8.0The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
- None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.
- Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.
- SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
- SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
- AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.
Prior to version 1.36.0, this value did not have a default. This meant that at runtime, when the transaction type was calculated, it would be assumed to be AbsoluteMajority even though this value was not set in the domain.
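The thresholds above have boundary cases worth checking before relying on a Webhook to gate a transaction, for example that one success out of two satisfies SimpleMajority. The following is an added example, not FusionAuth code: it models the commit decision from the thresholds as worded above and the pre-1.36.0 behaviour for an unset value. The function names are hypothetical, and committing when no Webhooks are configured is an assumption of this model.

```python
def effective_transaction_type(configured, version):
    """Transaction type in force for an event.

    configured: the value set on the tenant, or None when it was never set.
    version:    FusionAuth version as a (major, minor, patch) tuple.
    """
    if configured is not None:
        return configured
    # Before 1.36.0 an unset value was treated as AbsoluteMajority at runtime;
    # from 1.36.0 on the documented default is None.
    return "AbsoluteMajority" if version < (1, 36, 0) else "None"


def transaction_commits(transaction_type, succeeded, total):
    """True if the transaction commits, given how many Webhooks succeeded."""
    if not 0 <= succeeded <= total:
        raise ValueError("succeeded must be between 0 and total")
    if transaction_type == "None" or total == 0:
        # total == 0 is this model's assumption: no Webhook exists that could fail.
        return True
    if transaction_type == "Any":
        return succeeded >= 1
    if transaction_type == "SimpleMajority":
        return 2 * succeeded >= total          # 50% or more
    if transaction_type == "SuperMajority":
        return 3 * succeeded >= 2 * total      # 2/3 or more
    if transaction_type == "AbsoluteMajority":
        return succeeded == total              # every Webhook
    raise ValueError(f"unknown transaction type: {transaction_type!r}")


def outcomes(succeeded, total):
    """Commit decision for every transaction type, for one delivery result."""
    types = ("None", "Any", "SimpleMajority", "SuperMajority", "AbsoluteMajority")
    return {t: transaction_commits(t, succeeded, total) for t in types}


if __name__ == "__main__":
    # Constructed delivery results: (Webhooks that succeeded, Webhooks configured).
    for succeeded, total in ((0, 3), (1, 2), (2, 3), (3, 3)):
        print(f"{succeeded}/{total}: {outcomes(succeeded, total)}")
    print(effective_transaction_type(None, (1, 35, 2)))
```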
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSecondsIntegeroptionalDefaults to 30Available since 1.8.0The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
Value must be greater than 0 and less than or equal to 600.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.lengthIntegeroptionalDefaults to 32Available since 1.8.0The length of the secure generator used for generating the change password Id.
If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.8.0The type of the secure generator used for generating the change password Id. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSecondsIntegeroptionalDefaults to 600Available since 1.8.0The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSecondsIntegeroptionalDefaults to 300Available since 1.11.0The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.lengthIntegeroptionalDefaults to 6Available since 1.11.0The length of the secure generator used for generating the device code Id.
If the deviceUserCodeIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceUserCodeIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceUserCodeIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.typeStringoptionalDefaults to randomAlphaNumericAvailable since 1.11.0The type of the secure generator used for generating the device code Id. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.lengthIntegeroptionalDefaults to 32Available since 1.8.0The length of the secure generator used for generating the email verification Id.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.8.0The type of the secure generator used for generating the email verification Id. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.lengthIntegeroptionalDefaults to 6Available since 1.27.0The length of the secure generator used for generating the email verification one time code.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.typeStringoptionalDefaults to randomAlphaNumericAvailable since 1.27.0The type of the secure generator used for generating the email verification one time code. Possible values are:
- randomAlpha
- randomAlphaNumeric
- randomBytes
- randomDigits
tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSecondsIntegeroptionalDefaults to 300Available since 1.12.0The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.identityProviderConnectionTestTimeToLiveInSecondsIntegeroptionalDefaults to 1800Available since 1.65.0The time in seconds until an identity provider connection test Id is no longer valid and cannot be used by the Identity Provider Test API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.loginIntentTimeToLiveInSecondsIntegeroptionalDefaults to 1800Available since 1.53.0The time in seconds until a Login Timeout identifier is no longer valid to complete post-authentication steps in the OAuth workflow. Must be greater than 0.
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSecondsIntegeroptionalDefaults to 60Available since 1.8.0The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.lengthIntegeroptionalDefaults to 32Available since 1.8.0The length of the secure generator used for generating the passwordless login.
If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.8.0The type of the secure generator used for generating the passwordless login. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.lengthIntegeroptionalDefaults to 32Available since 1.59.0The length of the secure generator used for generating the passwordless one-time code login.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.59.0The type of the secure generator used for generating the passwordless one-time code login. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSecondsIntegeroptionalDefaults to 180Available since 1.8.0The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.pendingAccountLinkTimeToLiveInSecondsIntegeroptionalDefaults to 3600Available since 1.28.0The number of seconds before the pending account link identifier is no longer valid to complete an account link request. Value must be greater than 0.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.lengthIntegeroptionalDefaults to 32Available since 1.59.0The length of the secure generator used for generating the phone verification Id.
If the phoneVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the phoneVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.59.0The type of the secure generator used for generating the phone verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.phoneVerificationIdTimeToLiveInSecondsIntegeroptionalDefaults to 86400Available since 1.59.0The time in seconds until a phone verification Id is no longer valid and cannot be used by the Verify Phone API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.lengthIntegeroptionalDefaults to 6Available since 1.59.0The length of the secure generator used for generating the phone verification one time code.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.typeStringoptionalDefaults to randomAlphaNumericAvailable since 1.59.0The type of the secure generator used for generating the phone verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.lengthIntegeroptionalDefaults to 32Available since 1.8.0The length of the secure generator used for generating the registration verification Id.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.8.0The type of the secure generator used for generating the registration verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.lengthIntegeroptionalDefaults to 6Available since 1.27.0The length of the secure generator used for generating the registration verification one time code.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.typeStringoptionalDefaults to randomAlphaNumericAvailable since 1.27.0The type of the secure generator used for generating the registration verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSecondsIntegeroptionalDefaults to 2592000Available since 1.50.0The time in seconds until remembered OAuth scope consent choices are no longer valid, and the User will be prompted to consent to requested OAuth scopes even if they have not changed. Applies only when application.oauthConfiguration.consentMode is set to RememberDecision. Value must be greater than 0.
Note: To use advanced OAuth scopes, you'll need an Essentials or Enterprise plan.
tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSecondsIntegeroptionalDefaults to 300Available since 1.19.0The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.lengthIntegeroptionalDefaults to 32Available since 1.8.0The length of the secure generator used for generating the setup password Id.
If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.typeStringoptionalDefaults to randomBytesAvailable since 1.8.0The type of the secure generator used for generating the setup password Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.trustTokenTimeToLiveInSecondsIntegeroptionalDefaults to 180Available since 1.33.0The number of seconds before the Trust Token is no longer valid to complete a request that requires trust. Value must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSecondsIntegeroptionalDefaults to 300Available since 1.8.0The time in seconds until a two-factor Id is no longer valid and cannot be used by the Two-Factor Login API. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.lengthIntegeroptionalDefaults to 6Available since 1.27.0The length of the secure generator used for generating the two-factor code Id.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.typeStringoptionalDefaults to randomDigitsAvailable since 1.27.0The type of the secure generator used for generating the two-factor one time code Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdTimeToLiveInSecondsIntegeroptionalDefaults to 60Available since 1.26.0The number of seconds before the Two-Factor One Time Code used to enable or disable a two-factor method is no longer valid. Must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The time in seconds until an issued Two-Factor trust Id is no longer valid and the User will be required to complete Two-Factor authentication during the next authentication attempt. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.externalIdentifierConfiguration.webAuthnAuthenticationChallengeTimeToLiveInSecondsIntegeroptionalDefaults to 180Available since 1.41.0The time in seconds until a WebAuthn authentication challenge is no longer valid and the User will be required to restart the WebAuthn authentication ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.get API call. Value must be greater than 0.
Note: To use WebAuthn, you'll need a license.
tenant.externalIdentifierConfiguration.webAuthnRegistrationChallengeTimeToLiveInSecondsIntegeroptionalDefaults to 180Available since 1.41.0The time in seconds until a WebAuthn registration challenge is no longer valid and the User will be required to restart the WebAuthn registration ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.create API call. Value must be greater than 0.
Note: To use WebAuthn, you'll need a license.
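The type and length rules for the generators above can be checked before a request is sent. The following is an added example, not FusionAuth code: it merges a request's externalIdentifierConfiguration with the defaults documented above, applies the stated length bounds, and reports a lower bound on each identifier's entropy. The function name, the sample request, the minimum alphabet sizes, and the idea that type and length defaults are applied independently are assumptions.

```python
import math

# Length bounds per generator type, as stated in the field descriptions above.
LENGTH_BOUNDS = {
    "randomAlpha": (4, 12),
    "randomAlphaNumeric": (4, 12),
    "randomBytes": (16, 128),
    "randomDigits": (4, 12),
}

# Assumption: smallest plausible alphabet for each type (single-case letters),
# so the figure reported is a lower bound on the identifier's entropy.
MIN_ALPHABET = {
    "randomAlpha": 26,
    "randomAlphaNumeric": 36,
    "randomBytes": 256,
    "randomDigits": 10,
}

# (type, length) defaults documented above for the generators in this section.
DEFAULTS = {
    "emailVerificationOneTimeCodeGenerator": ("randomAlphaNumeric", 6),
    "passwordlessLoginGenerator": ("randomBytes", 32),
    "passwordlessLoginOneTimeCodeGenerator": ("randomBytes", 32),
    "phoneVerificationIdGenerator": ("randomBytes", 32),
    "phoneVerificationOneTimeCodeGenerator": ("randomAlphaNumeric", 6),
    "registrationVerificationIdGenerator": ("randomBytes", 32),
    "registrationVerificationOneTimeCodeGenerator": ("randomAlphaNumeric", 6),
    "setupPasswordIdGenerator": ("randomBytes", 32),
    "twoFactorOneTimeCodeIdGenerator": ("randomDigits", 6),
}


def lint_generators(ext_id_config):
    """Check each generator listed in DEFAULTS against the documented bounds.

    Returns {name: {"type", "length", "errors", "min_entropy_bits"}}.
    Fields missing from the request fall back to the documented defaults
    (assumption: type and length defaults are applied independently).
    """
    report = {}
    for name, (default_type, default_length) in DEFAULTS.items():
        requested = ext_id_config.get(name) or {}
        gen_type = requested.get("type", default_type)
        length = requested.get("length", default_length)
        errors, bits = [], None
        if gen_type not in LENGTH_BOUNDS:
            # Type names are compared exactly, so a case slip is reported.
            errors.append(f"unknown type {gen_type!r}")
        elif isinstance(length, bool) or not isinstance(length, int):
            errors.append(f"length must be an integer, got {length!r}")
        else:
            low, high = LENGTH_BOUNDS[gen_type]
            if low <= length <= high:
                bits = round(length * math.log2(MIN_ALPHABET[gen_type]), 1)
            else:
                errors.append(f"length {length} outside {low}..{high} for {gen_type}")
        report[name] = {"type": gen_type, "length": length,
                        "errors": errors, "min_entropy_bits": bits}
    return report


# Constructed sample request fragment (not taken from the page).
SAMPLE_REQUEST = {
    # Type switched away from randomBytes while the length stays at its default of 32.
    "passwordlessLoginGenerator": {"type": "randomDigits"},
    # Below the 16-byte minimum for randomBytes.
    "setupPasswordIdGenerator": {"type": "randomBytes", "length": 8},
    "twoFactorOneTimeCodeIdGenerator": {"type": "randomDigits", "length": 6},
    # Wrong case in the type name.
    "phoneVerificationOneTimeCodeGenerator": {"type": "randomdigits", "length": 6},
}

if __name__ == "__main__":
    for name, result in lint_generators(SAMPLE_REQUEST).items():
        status = "; ".join(result["errors"]) or f">= {result['min_entropy_bits']} bits"
        print(f"{name}: {result['type']}/{result['length']} -> {status}")
```

Short one-time codes carry roughly 20 to 31 bits at the default length of 6, so their protection comes from the short time-to-live values and the failed-attempt limits configured on the same tenant, while the 32-byte Ids carry 256 bits.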
tenant.failedAuthenticationConfiguration.actionCancelPolicy.onPasswordResetBooleanoptionalDefaults to falseAvailable since 1.42.0Indicates whether you want the user to be able to self-service unlock their account prior to the action duration by completing a password reset workflow.
tenant.failedAuthenticationConfiguration.actionDurationLongoptionalDefaults to 3Available since 1.8.0The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.actionDurationUnitStringoptionalAvailable since 1.8.0The unit of time associated with a duration. The possible values are:
MINUTES
HOURS
DAYS
WEEKS
MONTHS
YEARS
tenant.failedAuthenticationConfiguration.emailUserStringoptionalDefaults to falseAvailable since 1.42.0Indicates you would like to email the user when the user's account is locked due to this action being taken. This requires the User Action specified by the tenant.failedAuthenticationConfiguration.userActionId to also be configured for email. If the User Action is not configured to be able to email the user, this configuration will be ignored. See userEmailingEnabled on the User Action.
The email template configuration will be in the User Action.
tenant.failedAuthenticationConfiguration.resetCountInSecondsIntegeroptionalDefaults to 60Available since 1.8.0The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.
tenant.failedAuthenticationConfiguration.tooManyAttemptsIntegeroptionalDefaults to 5Available since 1.8.0The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.userActionIdUUIDoptionalAvailable since 1.8.0The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
tenant.familyConfiguration.allowChildRegistrationsBooleanoptionalDefaults to trueAvailable since 1.8.0Whether to allow child registrations.
tenant.familyConfiguration.confirmChildEmailTemplateIdUUIDoptionalAvailable since 1.8.0The unique Id of the email template to use when confirming a child.
tenant.familyConfiguration.deleteOrphanedAccountsBooleanoptionalDefaults to falseAvailable since 1.8.0Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.
tenant.familyConfiguration.deleteOrphanedAccountsDaysIntegeroptionalDefaults to 30Available since 1.8.0The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.
tenant.familyConfiguration.enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Whether family configuration is enabled.
tenant.familyConfiguration.familyRequestEmailTemplateIdUUIDoptionalAvailable since 1.8.0The unique Id of the email template to use when a family request is made.
tenant.familyConfiguration.maximumChildAgeIntegeroptionalDefaults to 12Available since 1.8.0The maximum age of a child. Value must be greater than 0.
tenant.familyConfiguration.minimumOwnerAgeIntegeroptionalDefaults to 21Available since 1.8.0The minimum age to be an owner. Value must be greater than 0.
tenant.familyConfiguration.parentEmailRequiredBooleanoptionalDefaults to falseAvailable since 1.8.0Whether a parent email is required.
tenant.familyConfiguration.parentRegistrationEmailTemplateIdUUIDoptionalAvailable since 1.8.0The unique Id of the email template to use for parent registration.
tenant.formConfiguration.adminUserFormIdUUIDoptionalAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.
When this parameter is not provided, it will default to the form Id currently assigned to the Default tenant.
Note: To use custom forms, you'll need a paid plan.
tenant.httpSessionMaxInactiveIntervalIntegeroptionalDefaults to 3600Available since 1.8.0Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.
tenant.issuerStringoptionalDefaults to acme.comAvailable since 1.8.0The named issuer used to sign tokens. This is generally your public fully qualified domain with the https:// protocol prefix. For example, https://example.com.
Prior to version 1.30.0 this value was required.
tenant.jwtConfiguration.accessTokenKeyIdUUIDoptionalDefaults to key value of the FusionAuth applicationAvailable since 1.8.0The unique id of the signing key used to sign the access token.
Prior to version 1.30.0 this value was required.
tenant.jwtConfiguration.idTokenKeyIdUUIDoptionalDefaults to key value of the FusionAuth applicationAvailable since 1.8.0The unique id of the signing key used to sign the Id token.
Prior to version 1.30.0 this value was required.
tenant.jwtConfiguration.refreshTokenExpirationPolicyStringoptionalDefaults to FixedAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed - the expiration is calculated from the time the token is issued.
SlidingWindow - the expiration is calculated from the last time the token was used.
SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
tenant.jwtConfiguration.refreshTokenOneTimeUseConfiguration.gracePeriodInSecondsIntegeroptionalDefaults to 0Available since 1.55.1The length of time specified in seconds that a one-time use token can be reused.
This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.
Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPreventedBooleanoptionalDefaults to trueAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onMultiFactorEnableBooleanoptionalDefaults to falseAvailable since 1.42.0When enabled, all of a user's refresh tokens will be revoked when a user enables multi-factor authentication for the first time. This policy will not be applied when adding subsequent multi-factor methods to the user.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuseBooleanoptionalDefaults to falseAvailable since 1.55.1When enabled, if a one-time use refresh token is reused, the token will be revoked. This does not cause all refresh tokens to be revoked, only the reused token is revoked.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChangedBooleanoptionalDefaults to trueAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user changes their password.
tenant.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutesIntegeroptionalAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime. Value must be greater than 0.
When refreshTokenExpirationPolicy is set to SlidingWindowWithMaximumLifetime, this value must be greater than or equal to refreshTokenTimeToLiveInMinutes.
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutesIntegeroptionalAvailable since 1.8.0The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
tenant.jwtConfiguration.refreshTokenUsagePolicyStringoptionalDefaults to ReusableAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable - the token does not change after it was issued.
OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
Prior to version 1.28.0 this value was required.
tenant.jwtConfiguration.timeToLiveInSecondsIntegeroptionalAvailable since 1.8.0The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.
Prior to version 1.28.0 this value was required.
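The three refreshTokenExpirationPolicy values differ in how long a refresh token that is used regularly, including a stolen one, stays valid. The following added example is a model of the policy descriptions above, not FusionAuth code: it replays a series of refresh attempts under each policy. The function names, the sample timeline, measuring the maximum lifetime from the time of issue, and rejecting a use that lands exactly on the expiration instant are assumptions.

```python
from datetime import datetime, timedelta, timezone

POLICIES = ("Fixed", "SlidingWindow", "SlidingWindowWithMaximumLifetime")


def validate(policy, ttl_minutes, max_ttl_minutes=None):
    """Apply the constraints stated in the field descriptions above."""
    if policy not in POLICIES:
        raise ValueError(f"unknown refreshTokenExpirationPolicy {policy!r}")
    if ttl_minutes <= 0:
        raise ValueError("refreshTokenTimeToLiveInMinutes must be greater than 0")
    if policy == "SlidingWindowWithMaximumLifetime":
        if max_ttl_minutes is None or max_ttl_minutes <= 0:
            raise ValueError("maximumTimeToLiveInMinutes must be greater than 0")
        if max_ttl_minutes < ttl_minutes:
            raise ValueError(
                "maximumTimeToLiveInMinutes must be >= refreshTokenTimeToLiveInMinutes")


def expires_at(policy, issued, last_used, ttl_minutes, max_ttl_minutes=None):
    """Expiration instant of a refresh token under the given policy."""
    ttl = timedelta(minutes=ttl_minutes)
    if policy == "Fixed":
        return issued + ttl                      # counted from issue time only
    sliding = (last_used or issued) + ttl        # counted from the last use
    if policy == "SlidingWindow":
        return sliding
    # Assumption: the maximum lifetime is measured from the time of issue.
    return min(sliding, issued + timedelta(minutes=max_ttl_minutes))


def replay(policy, issued, use_times, ttl_minutes, max_ttl_minutes=None):
    """Replay refresh attempts in time order; return [(time, accepted), ...]."""
    validate(policy, ttl_minutes, max_ttl_minutes)
    last_used, results = None, []
    for moment in sorted(use_times):
        deadline = expires_at(policy, issued, last_used, ttl_minutes, max_ttl_minutes)
        accepted = moment < deadline   # assumption: a use at the deadline is rejected
        if accepted:
            last_used = moment         # only an accepted use slides the window
        results.append((moment, accepted))
    return results


# Constructed timeline: token issued at ISSUED, then presented every 45 minutes.
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
USES = [ISSUED + timedelta(minutes=m) for m in (45, 90, 135, 180, 225)]

if __name__ == "__main__":
    for policy in POLICIES:
        outcome = replay(policy, ISSUED, USES, ttl_minutes=60, max_ttl_minutes=180)
        print(policy, ["ok" if accepted else "expired" for _, accepted in outcome])
```

With a 60 minute time to live, the Fixed token is rejected from the second use on, the SlidingWindow token is accepted every time for as long as it keeps being presented, and the SlidingWindowWithMaximumLifetime token is cut off at 180 minutes.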
tenant.lambdaConfiguration.loginValidationIdUUIDoptionalAvailable since 1.53.0The Id of the lambda that will be invoked at the end of a successful login request in order to extend custom validation of a login request.
tenant.lambdaConfiguration.multiFactorRequirementIdUUIDoptionalAvailable since 1.62.0The Id of the lambda that will be invoked during logins, password changes, and MFA Status API calls to perform various validations to decide whether to challenge the user on one of their MFA methods.
Note: To use Multi-Factor Requirement Lambdas, you'll need an Enterprise plan.
tenant.lambdaConfiguration.scimEnterpriseUserRequestConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM User Request lambda that will be used to convert the SCIM Enterprise User request to a FusionAuth User.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimEnterpriseUserResponseConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM User Response lambda that will be used to convert a FusionAuth Enterprise User to a SCIM Server response.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimGroupRequestConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM Group Request lambda that will be used to convert the SCIM Group request to a FusionAuth Group.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimGroupResponseConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM Group Response lambda that will be used to convert a FusionAuth Group to a SCIM Server response.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimUserRequestConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM User Request lambda that will be used to convert the SCIM User request to a FusionAuth User.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.lambdaConfiguration.scimUserResponseConverterIdUUIDoptionalAvailable since 1.36.0The Id of a SCIM User Response lambda that will be used to convert a FusionAuth User to a SCIM Server response.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.logoutURLStringoptionalAvailable since 1.8.0The logout redirect URL when sending the user's browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
tenant.loginConfiguration.requireAuthenticationBooleanoptionalDefaults to trueAvailable since 1.26.0Indicates whether to require an API key for the Login API when an applicationId is not provided. When an applicationId is provided to the Login API call, the application configuration will take precedence.
In almost all cases, you will want this to be true.
tenant.maximumPasswordAge.daysIntegeroptionalDefaults to 180Available since 1.8.0The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when tenant.maximumPasswordAge.enabled is set to true.
tenant.maximumPasswordAge.enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Indicates that the maximum password age is enabled and being enforced.
tenant.minimumPasswordAge.secondsIntegeroptionalDefaults to 30Available since 1.8.0The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when tenant.minimumPasswordAge.enabled is set to true.
tenant.minimumPasswordAge.enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Indicates that the minimum password age is enabled and being enforced.
tenant.multiFactorConfiguration.authenticator.enabledBooleanoptionalDefaults to trueAvailable since 1.26.0When enabled, users may utilize an authenticator application to complete a multi-factor authentication request. This method uses TOTP (Time-Based One-Time Password) as defined in RFC 6238 and often uses a native mobile app such as Google Authenticator.
tenant.multiFactorConfiguration.debugBooleanoptionalDefaults to trueAvailable since 1.68.0Determines if debug should be enabled for this tenant to create an event log message to assist in tracing Intelligent MFA.
tenant.multiFactorConfiguration.email.enabledBooleanoptionalDefaults to falseAvailable since 1.26.0When enabled, users may utilize an email address to complete a multi-factor authentication request.
tenant.multiFactorConfiguration.email.templateIdUUIDoptionalAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.email.enabled is set to true.
tenant.multiFactorConfiguration.loginPolicyStringoptionalAvailable since 1.37.0When set to Enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When set to Disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When set to Required, a two-factor challenge will be required during login. If a user has not configured any two-factor methods, they will not be able to log in.
Risk-based policies use FusionAuth's Intelligent MFA, which combines multiple signals to decide when to issue an MFA challenge.
This value may be overridden by the value configured by the application.multiFactorConfiguration.loginPolicy.
Supported values include:
Enabled - Require a two-factor challenge during login when an eligible method is available.
Disabled - Do not require a two-factor challenge during login.
ChallengeOnMediumRisk - Only challenge on medium or high login risk. Available since 1.68.0
ChallengeOnHighRisk - Only challenge on high login risk. Available since 1.68.0
Required - Require a two-factor challenge during login. A user will be required to configure 2FA if no eligible methods are available. Available since 1.42.0
Note: To use an Intelligent MFA Policy, you'll need a paid plan.
tenant.multiFactorConfiguration.sms.enabledBooleanoptionalDefaults to falseAvailable since 1.26.0When enabled, users may utilize a mobile phone number to complete a multi-factor authentication request.
tenant.multiFactorConfiguration.sms.messengerIdUUIDoptionalAvailable since 1.26.0The messenger that is used to deliver a SMS multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.sms.enabled is set to true.
tenant.multiFactorConfiguration.sms.templateIdUUIDoptionalAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.sms.enabled is set to true.
tenant.multiFactorConfiguration.voice.enabledBooleanoptionalDefaults to falseAvailable since 1.65.0When enabled, users can receive a spoken multi-factor authentication code over a phone call.
tenant.multiFactorConfiguration.voice.messengerIdUUIDoptionalAvailable since 1.65.0The messenger that is used to deliver a voice multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.voice.enabled is set to true.
tenant.multiFactorConfiguration.voice.templateIdUUIDoptionalAvailable since 1.65.0The Id of the voice template that is used when notifying a user to complete a multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.voice.enabled is set to true.
tenant.nameStringrequiredThe unique name of the Tenant.
tenant.oauthConfiguration.clientCredentialsAccessTokenPopulateLambdaIdUUIDoptionalAvailable since 1.26.0The Id of a lambda that will be called to populate the JWT during a client credentials grant.
Note: To use client credentials grant, you'll need a paid plan.
tenant.passwordEncryptionConfiguration.encryptionSchemeStringoptionalAvailable since 1.8.0The default method for encrypting the User's password. The following encryptors are provided with FusionAuth:
tenant.passwordEncryptionConfiguration.encryptionSchemeFactorIntegeroptionalDefaults to 24000Available since 1.8.0The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLoginBooleanoptionalDefaults to falseAvailable since 1.8.0When enabled a user's hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.
Beginning in version 1.42.0 when this configuration is enabled, in addition to re-hashing on login, the password will be re-hashed on password change as well.
tenant.passwordValidationRules.breachDetection.enabledBooleanoptionalDefaults to falseAvailable since 1.15.0Whether to enable Reactor breach detection. Requires an activated license.
tenant.passwordValidationRules.breachDetection.matchModeStringoptionalAvailable since 1.15.0The level of severity where Reactor will consider a breach. The following are valid values:
High - Only requires a password match, this is the most secure and is recommended
Medium - Exact match on username, email address or email sub-address
Low - Exact match on an email or username, or the password is a common breached value
tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateIdUUIDoptionalAvailable since 1.15.0The Id of the email template to use when notifying the user of a breached password. Required if tenant.passwordValidationRules.breachDetection.onLogin is set to NotifyUser.
tenant.passwordValidationRules.breachDetection.onLoginStringoptionalAvailable since 1.15.0The behavior when detecting breaches at time of user login. The following are valid values:
Off - Do not perform breach detection at login
RecordOnly - Only record the result, take no action
NotifyUser - Notify the end user via email
RequireChange - Require immediate password change
tenant.passwordValidationRules.disallowUserLoginIdBooleanoptionalDefaults to falseAvailable since 1.63.0Whether to reject passwords which contain the user's login Id.
tenant.passwordValidationRules.maxLengthIntegeroptionalDefaults to 256Available since 1.8.0The maximum length of a password when a new user is created or a user requests a password change.
This value must be greater than 0 and less than or equal to 256. When passwordEncryptionConfiguration.encryptionScheme is equal to bcrypt, the maximum will be limited to 50.
tenant.passwordValidationRules.minLengthIntegeroptionalDefaults to 8Available since 1.8.0The minimum length of a password when a new user is created or a user requests a password change.
tenant.passwordValidationRules.rememberPreviousPasswords.countIntegeroptionalAvailable since 1.8.0The number of previous passwords to remember. Value must be greater than 0.
tenant.passwordValidationRules.rememberPreviousPasswords.enabledBooleanoptionalDefaults to falseAvailable since 1.8.0Whether to prevent a user from using any of their previous passwords.
tenant.passwordValidationRules.requireMixedCaseBooleanoptionalDefaults to falseAvailable since 1.8.0Whether to force the user to use at least one uppercase and one lowercase character.
tenant.passwordValidationRules.requireNonAlphaBooleanoptionalDefaults to falseAvailable since 1.8.0Whether to force the user to use at least one non-alphanumeric character.
tenant.passwordValidationRules.requireNumberBooleanoptionalDefaults to falseAvailable since 1.8.0Whether to force the user to use at least one number.
tenant.passwordValidationRules.validateOnLoginBooleanoptionalDefaults to falseAvailable since 1.15.0When enabled the user's password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.
tenant.emailConfiguration.additionalHeadersArray<Object>optionalAvailable since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenant.emailConfiguration.debugBooleanoptionalDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenant.emailConfiguration.defaultFromEmailStringoptionalAvailable since 1.16.0The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.defaultFromNameStringoptionalAvailable since 1.16.0The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.emailUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.emailVerifiedEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
tenant.emailConfiguration.forgotPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
tenant.emailConfiguration.hostStringoptionalDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.implicitEmailVerificationAllowedoptionalDefaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenant.emailConfiguration.loginIdInUseOnCreateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.loginIdInUseOnUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenant.emailConfiguration.loginNewDeviceEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.loginSuspiciousEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.passwordStringoptionalAvailable since 1.8.0An optional password FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.passwordlessEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenant.emailConfiguration.passwordResetSuccessEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.passwordUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.portIntegeroptionalDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.propertiesStringoptionalAvailable since 1.8.0Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
mail.smtp.timeout has a default value of 2000.
mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenant.emailConfiguration.securityStringoptionalDefaults to NONEAvailable since 1.8.0The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
NONE - no security will be used. All communications will be sent plaintext.
SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenant.emailConfiguration.setPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user has had their account created for them and must set their password manually. The user is sent an email to set their password.
tenant.emailConfiguration.twoFactorMethodAddEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenant.emailConfiguration.twoFactorMethodRemoveEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account.
Note: To use advanced threat detection emails, you'll need an Enterprise plan.
tenant.emailConfiguration.unverified.allowEmailChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.27.0When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenant.emailConfiguration.unverified.behaviorStringoptionalDefaults to AllowAvailable since 1.27.0The desired behavior during login for a user that does not have a verified email. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.emailConfiguration.usernameStringoptionalAvailable since 1.8.0An optional username FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.verificationEmailTemplateIdUUIDoptionalThe Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenant.emailConfiguration.verificationStrategyStringoptionalAvailable since 1.27.0The process by which the user will verify their email address. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.emailConfiguration.unverified.behavior has the Gated value.
tenant.emailConfiguration.verifyEmailBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user registers with your application.
tenant.emailConfiguration.verifyEmailWhenChangedBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user changes them.
tenant.rateLimitConfiguration.failedLogin.enabledBooleanoptionalDefaults to falseAvailable since 1.30.0Whether rate limiting is enabled for failed login.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.failedLogin.limitIntegeroptionalDefaults to 5Available since 1.30.0The number of times a user can fail to login within the configured timePeriodInSeconds duration. If a Failed authentication action has been configured then it will take precedence.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.failedLogin.timePeriodInSecondsIntegeroptionalDefaults to 60Available since 1.30.0The duration for the number of times a user can fail login before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.forgotPassword.enabledBooleanoptionalDefaults to falseAvailable since 1.30.0Whether rate limiting is enabled for forgot password.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.forgotPassword.limitIntegeroptionalDefaults to 5Available since 1.30.0The number of times a user can request a forgot password email within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.forgotPassword.timePeriodInSecondsIntegeroptionalDefaults to 60Available since 1.30.0The duration for the number of times a user can request a forgot password email before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendEmailVerification.enabledBooleanoptionalDefaults to falseAvailable since 1.30.0Whether rate limiting is enabled for send email verification.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendEmailVerification.limitIntegeroptionalDefaults to 5Available since 1.30.0The number of times a user can request a verification email within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendEmailVerification.timePeriodInSecondsIntegeroptionalDefaults to 60Available since 1.30.0The duration for the number of times a user can request a verification email before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordless.enabledBooleanoptionalDefaults to falseAvailable since 1.30.0Whether rate limiting is enabled for sending passwordless login links/codes via email.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordless.limitIntegeroptionalDefaults to 5Available since 1.30.0The number of times a user can request a passwordless login email within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordless.timePeriodInSecondsIntegeroptionalDefaults to 60Available since 1.30.0The duration for the number of times a user can request a passwordless login email before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordlessPhone.enabledBooleanoptionalDefaults to falseAvailable since 1.59.0Whether rate limiting is enabled for sending passwordless login links/codes via SMS.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordlessPhone.limitIntegeroptionalDefaults to 5Available since 1.59.0The number of times a user can request a passwordless login SMS message within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPasswordlessPhone.timePeriodInSecondsIntegeroptionalDefaults to 60Available since 1.59.0The duration for the number of times a user can request a passwordless login SMS message before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPhoneVerification.enabledBooleanoptionalDefaults to falseAvailable since 1.59.0Whether rate limiting is enabled for send phone verification.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPhoneVerification.limitIntegeroptionalDefaults to 5Available since 1.59.0The number of times a user can request a phone verification message within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendPhoneVerification.timePeriodInSecondsIntegeroptionalDefaults to 60Available since 1.59.0The duration for the number of times a user can request a phone verification message before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendRegistrationVerification.enabledBooleanoptionalDefaults to falseAvailable since 1.30.0Whether rate limiting is enabled for send registration verification.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendRegistrationVerification.limitIntegeroptionalDefaults to 5Available since 1.30.0The number of times a user can request a registration verification email within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendRegistrationVerification.timePeriodInSecondsIntegeroptionalDefaults to 60Available since 1.30.0The duration for the number of times a user can request a registration verification email before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendTwoFactor.enabledBooleanoptionalDefaults to falseAvailable since 1.30.0Whether rate limiting is enabled for send two-factor.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendTwoFactor.limitIntegeroptionalDefaults to 5Available since 1.30.0The number of times a user can request a two-factor code by email or SMS within the configured timePeriodInSeconds duration.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.rateLimitConfiguration.sendTwoFactor.timePeriodInSecondsIntegeroptionalDefaults to 60Available since 1.30.0The duration for the number of times a user can request a two-factor code by email or SMS before being rate limited.
Required when enabled is set to true.
Note: To use rate limiting, you'll need an Enterprise plan.
tenant.registrationConfiguration.blockedDomainsArray<String>optionalAvailable since 1.30.0A list of unique domains that are not allowed to register when self service is enabled.
Note: To use blocked domains, you'll need an Enterprise plan.
tenant.scimServerConfiguration.clientEntityTypeIdUUIDoptionalAvailable since 1.36.0The Entity Type that will be used to represent SCIM Clients for this tenant.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.scimServerConfiguration.enabledBooleanoptionalAvailable since 1.36.0Whether or not this tenant has the SCIM endpoints enabled.
Note: To use SCIM, you'll need an Enterprise plan.
tenant.scimServerConfiguration.schemasMapoptionalAvailable since 1.36.0JSON formatted as a SCIM Schemas endpoint response. Because the SCIM lambdas may modify the JSON response, ensure the Schema's response matches that generated by the response lambdas. More about Schema definitions.
When this parameter is not provided, it will default to EnterpriseUser, Group, and User schema definitions as defined by the SCIM core schemas spec.
Note: To use SCIM, you'll need an Enterprise plan.
tenant.scimServerConfiguration.serverEntityTypeIdUUIDoptionalAvailable since 1.36.0The Entity Type that will be used to represent SCIM Servers for this tenant.
Note: To use SCIM, you'll need an Enterprise plan.
Required when tenant.scimServerConfiguration.enabled is true.
tenant.ssoConfiguration.deviceTrustTimeToLiveInSecondsIntegeroptionalAvailable since 1.30.2The number of seconds before a trusted device is reset. When reset, a user is forced to complete captcha during login and complete two-factor authentication if applicable.
tenant.ssoConfiguration.allowAccessTokenBootstrapBooleanoptionalDefaults to falseAvailable since 1.56.0When enabled, an SSO session can be created after login by providing an access token as a bearer token in a request to the OAuth2 Authorize endpoint.
tenant.themeIdUUIDoptionalAvailable since 1.8.0The unique Id of the theme to be used to style the login page and other end user templates.
Prior to version 1.30.0 this value was required.
tenant.userDeletePolicy.unverified.enabledBooleanoptionalDefaults to falseAvailable since 1.13.0Indicates that users with neither a verified email address nor a verified phone number will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.
tenant.userDeletePolicy.unverified.numberOfDaysToRetainIntegeroptionalAvailable since 1.13.0The number of days from creation users will be retained before being deleted for not completing email or phone number verification. This field is required when tenant.userDeletePolicy.unverified.enabled is set to true. Value must be greater than 0.
tenant.usernameConfiguration.unique.enabledBooleanoptionalDefaults to falseAvailable since 1.27.0When true, FusionAuth will handle username collisions by generating a random suffix.
Note: To use unique usernames, you'll need a paid plan.
tenant.usernameConfiguration.unique.numberOfDigitsIntegeroptionalDefaults to 5Available since 1.27.0The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and will be 1 or more digits up to this configured value in length. For example, if this value is 5, the suffix will be a number between 00001 and 99999, inclusive. The value of this field must be greater than or equal to 3 and less than or equal to 10.
tenant.usernameConfiguration.unique.separatorStringoptionalAvailable since 1.27.0A single character to use as a separator between the requested username and the unique suffix that is added when a duplicate username is detected. This value can be a single non-alphanumeric ASCII character.
tenant.usernameConfiguration.unique.strategyStringoptionalDefaults to OnCollisionAvailable since 1.29.0This strategy instructs FusionAuth when to append a unique suffix to the username. The possible values are:
Always - Always append a unique suffix even when the requested username is not in use.
OnCollision - Only append a unique suffix when the requested username is in use.
tenant.webAuthnConfiguration.bootstrapWorkflow.authenticatorAttachmentPreferenceStringoptionalDefaults to crossPlatformAvailable since 1.41.0Determines the authenticator attachment requirement for WebAuthn passkey registration when using the bootstrap workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
The recommended value for the bootstrap workflow is any.
Note: To use WebAuthn, you'll need a license.
Note: To use WebAuthn cross-platform authenticators, you'll need an Enterprise plan.
tenant.webAuthnConfiguration.bootstrapWorkflow.enabledBooleanoptionalDefaults to falseAvailable since 1.41.0Whether or not this tenant has the WebAuthn bootstrap workflow enabled. The bootstrap workflow is used when the user must "bootstrap" the authentication process by identifying themselves prior to the WebAuthn ceremony and can be used to authenticate from a new device using WebAuthn.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.bootstrapWorkflow.userVerificationRequirementStringoptionalDefaults to requiredAvailable since 1.41.0Determines the user verification requirement for WebAuthn passkey registration and authentication when using the bootstrap workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
It is highly recommended to use the required option for the bootstrap workflow.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.debugBooleanoptionalDefaults to falseAvailable since 1.41.0Determines if debug should be enabled for this tenant to create an event log to assist in debugging WebAuthn errors.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.enabledBooleanoptionalDefaults to falseAvailable since 1.41.0Whether or not this tenant has WebAuthn enabled globally.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.reauthenticationWorkflow.authenticatorAttachmentPreferenceStringoptionalDefaults to crossPlatformAvailable since 1.41.0Determines the authenticator attachment requirement for WebAuthn passkey registration when using the reauthentication workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
The recommended value for the reauthentication workflow is platform.
Note: To use WebAuthn, you'll need a license.
Note: To use WebAuthn cross-platform authenticators, you'll need an Enterprise plan.
tenant.webAuthnConfiguration.reauthenticationWorkflow.enabledBooleanoptionalDefaults to falseAvailable since 1.41.0Whether or not this tenant has the WebAuthn reauthentication workflow enabled. The reauthentication workflow will automatically prompt a user to authenticate using WebAuthn for repeated logins from the same device.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.reauthenticationWorkflow.userVerificationRequirementStringoptionalDefaults to requiredAvailable since 1.41.0Determines the user verification requirement for WebAuthn passkey registration and authentication when using the reauthentication workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
It is highly recommended to use the required option for the reauthentication workflow.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.relyingPartyIdStringoptionalAvailable since 1.41.0The value this tenant will use for the Relying Party Id in WebAuthn ceremonies. Passkeys can only be used to authenticate on sites using the same Relying Party Id they were registered with. This value must match the browser origin or be a registrable domain suffix of the browser origin. For example, if your domain is auth.piedpiper.com, you could use auth.piedpiper.com or piedpiper.com but not m.auth.piedpiper.com or com.
When this parameter is omitted, FusionAuth will use null for the Relying Party Id in passkey creation and request options. A null value in the WebAuthn JavaScript API will use the browser origin.
Note: To use WebAuthn, you'll need a license.
tenant.webAuthnConfiguration.relyingPartyNameStringoptionalAvailable since 1.41.0The value this tenant will use for the Relying Party name in WebAuthn ceremonies. This value may be displayed by browser or operating system dialogs during WebAuthn ceremonies.
When this parameter is omitted, FusionAuth will use the tenant.issuer value.
Note: To use WebAuthn, you'll need a license.
webhookIdsArray<UUID>optionalAvailable since 1.37.0An array of Webhook Ids. For Webhooks that are not already configured for All Tenants, specifying an Id on this request will indicate the associated Webhook should handle events for this tenant.
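Many of the fields above are only required, or only safe, in combination with others. The following Python pre-flight check is an added example, not FusionAuth code: `lint_tenant`, `rp_id_matches` and the sample tenant are hypothetical names and constructed data, and the Relying Party Id test is a simplified dot-boundary suffix check that does not consult the Public Suffix List.

```python
def _get(obj, path, default=None):
    """Walk a dotted path through nested dicts; return default when absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


# Flag -> fields the reference marks as required once that flag is true.
MFA, SCIM, EMAIL = "multiFactorConfiguration", "scimServerConfiguration", "emailConfiguration"
REQUIRED_WHEN_TRUE = {
    f"{MFA}.sms.enabled": [f"{MFA}.sms.messengerId", f"{MFA}.sms.templateId"],
    f"{MFA}.voice.enabled": [f"{MFA}.voice.messengerId", f"{MFA}.voice.templateId"],
    f"{SCIM}.enabled": [f"{SCIM}.clientEntityTypeId", f"{SCIM}.serverEntityTypeId"],
    "userDeletePolicy.unverified.enabled": ["userDeletePolicy.unverified.numberOfDaysToRetain"],
    f"{EMAIL}.verifyEmail": [f"{EMAIL}.verificationEmailTemplateId"],
    f"{EMAIL}.verifyEmailWhenChanged": [f"{EMAIL}.verificationEmailTemplateId"],
}


def rp_id_matches(rp_id, origin_host):
    """Simplified Relying Party Id rule: equal to the origin host or a
    dot-boundary suffix of it, and never a bare TLD such as "com".
    Assumption: no Public Suffix List lookup, so "co.uk" would wrongly pass."""
    rp_id, origin_host = rp_id.lower().rstrip("."), origin_host.lower().rstrip(".")
    if "." not in rp_id:
        return False
    return origin_host == rp_id or origin_host.endswith("." + rp_id)


def lint_tenant(tenant, origin_host=None):
    """Return (errors, warnings) for the `tenant` object of a request body."""
    errors, warnings = [], []
    for flag, needed in REQUIRED_WHEN_TRUE.items():
        if _get(tenant, flag) is True:
            errors += [f"{field} is required when {flag} is true"
                       for field in needed if _get(tenant, field) is None]
    for name, cfg in (tenant.get("rateLimitConfiguration") or {}).items():
        for field in ("limit", "timePeriodInSeconds"):
            if cfg.get("enabled") and cfg.get(field) is None:
                errors.append(f"rateLimitConfiguration.{name}.{field} is required when enabled is true")
    rules = tenant.get("passwordValidationRules") or {}
    max_len = rules.get("maxLength")
    if max_len is not None:
        if not 0 < max_len <= 256:
            errors.append("passwordValidationRules.maxLength must be in 1..256")
        elif max_len > 50 and _get(tenant, "passwordEncryptionConfiguration.encryptionScheme") == "bcrypt":
            warnings.append("maxLength is limited to 50 when encryptionScheme is bcrypt")
    for path in ("passwordValidationRules.rememberPreviousPasswords.count",
                 "userDeletePolicy.unverified.numberOfDaysToRetain"):
        value = _get(tenant, path)
        if value is not None and value <= 0:
            errors.append(f"{path} must be greater than 0")
    breach = rules.get("breachDetection") or {}
    if breach.get("onLogin") == "NotifyUser" and not breach.get("notifyUserEmailTemplateId"):
        errors.append("breachDetection.notifyUserEmailTemplateId is required when onLogin is NotifyUser")
    digits = _get(tenant, "usernameConfiguration.unique.numberOfDigits")
    if digits is not None and not 3 <= digits <= 10:
        errors.append("usernameConfiguration.unique.numberOfDigits must be in 3..10")
    email = tenant.get(EMAIL)
    if email is not None:
        if (email.get("verificationStrategy") == "FormField"
                and _get(email, "unverified.behavior", "Allow") != "Gated"):
            errors.append("verificationStrategy FormField requires unverified.behavior Gated")
        security = email.get("security", "NONE")  # documented default is NONE
        if security == "NONE":
            warnings.append("emailConfiguration.security is NONE: all SMTP communications are sent in plaintext")
        elif security == "SSL":
            warnings.append("emailConfiguration.security is SSL: TLS is the preferred protocol")
    webauthn = tenant.get("webAuthnConfiguration") or {}
    for workflow in ("bootstrapWorkflow", "reauthenticationWorkflow"):
        cfg = webauthn.get(workflow) or {}
        if cfg.get("enabled") and cfg.get("userVerificationRequirement", "required") != "required":
            warnings.append(f"webAuthnConfiguration.{workflow}.userVerificationRequirement should be required")
    rp_id = webauthn.get("relyingPartyId")
    if rp_id and origin_host and not rp_id_matches(rp_id, origin_host):
        errors.append(f"relyingPartyId {rp_id} is not valid for origin host {origin_host}")
    return errors, warnings


# Constructed sample input with deliberate mistakes; all Ids are placeholders.
SAMPLE_TENANT = {
    "name": "constructed-example",
    MFA: {"sms": {"enabled": True, "messengerId": "00000000-0000-0000-0000-000000000001"}},
    "passwordEncryptionConfiguration": {"encryptionScheme": "bcrypt"},
    "passwordValidationRules": {"maxLength": 128,
                                "breachDetection": {"enabled": True, "onLogin": "NotifyUser"}},
    EMAIL: {"host": "smtp.example.com", "verificationStrategy": "FormField"},
    "rateLimitConfiguration": {"failedLogin": {"enabled": True, "limit": 5}},
    "webAuthnConfiguration": {"enabled": True, "relyingPartyId": "m.auth.piedpiper.com",
                              "bootstrapWorkflow": {"enabled": True,
                                                    "userVerificationRequirement": "preferred"}},
}

if __name__ == "__main__":
    for level, messages in zip(("ERROR", "WARN"), lint_tenant(SAMPLE_TENANT, "auth.piedpiper.com")):
        for message in messages:
            print(level, message)
```

Errors are violations of a requirement stated in the field descriptions; warnings are settings the descriptions allow but recommend against.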
Example Request JSON
{
"tenant": {
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"baseURL": "https://example.com",
"captchaConfiguration": {
"captchaMethod": "GoogleRecaptchaV3",
"enabled": true,
"secretKey": "6LdYWpMbAAAAAKhcksgk70us00012r66r96tt7rp",
"siteKey": "6LdYWpMbAAAAAKhcksgk75tz00022r66ombcfadr",
"threshold": 0.5
},
"connectorPolicies": [
{
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"domains": [
"*"
],
"migrate": false
},
{
"connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
"domains": [
"*"
],
"migrate": true
}
],
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"additionalHeaders": [
{
"name": "X-SES-CONFIGURATION-SET",
"value": "example_configuration_set_name"
}
],
"defaultFromEmail": "jared@piedpiper.com",
"defaultFromName": "Jared Dunn",
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"implicitEmailVerificationAllowed": true,
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d",
"unverified": {
"allowEmailChangeWhenGated": false,
"behavior": "Gated"
},
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verificationStrategy": "FormField",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.password.breach": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"deviceCodeTimeToLiveInSeconds": 1800,
"deviceUserCodeIdGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"emailVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"externalAuthenticationIdTimeToLiveInSeconds": 300,
"loginIntentTimeToLiveInSeconds": 1800,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"pendingAccountLinkTimeToLiveInSeconds": 3600,
"phoneVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"phoneVerificationIdTimeToLiveInSeconds": 86400,
"phoneVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"registrationVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"rememberOAuthScopeConsentChoiceTimeToLiveInSeconds": 2592000,
"samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"trustTokenTimeToLiveInSeconds": 180,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorOneTimeCodeIdGenerator": {
"length": 6,
"type": "randomDigits"
},
"twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000,
"webAuthnAuthenticationChallengeTimeToLiveInSeconds": 180,
"webAuthnRegistrationChallengeTimeToLiveInSeconds": 180
},
"failedAuthenticationConfiguration": {
"actionCancelPolicy": {
"onPasswordReset": false
},
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"emailUser": false,
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"formConfiguration": {
"adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
},
"httpSessionMaxInactiveInterval": 3600,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenExpirationPolicy": "Fixed",
"refreshTokenRevocationPolicy": {
"onLoginPrevented": true,
"onMultiFactorEnable": true,
"onPasswordChanged": true
},
"refreshTokenTimeToLiveInMinutes": 43200,
"refreshTokenUsagePolicy": "Reusable",
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"loginValidationId": "c0dd79db-38dd-424b-b77a-4dccaad71052",
"scimEnterpriseUserRequestConverterId": "c2e70f8d-19bb-4df7-848a-33a9a1e26b84",
"scimEnterpriseUserResponseConverterId": "44fc9553-8a2e-408f-8aa2-fa65b70b55e2",
"scimGroupRequestConverterId": "66d65de0-1819-42f8-86ed-7daaa4e155dc",
"scimGroupResponseConverterId": "79812ede-432f-4375-9b43-23c0fe996fef",
"scimUserRequestConverterId": "8a51d7a1-5e3e-442a-b96a-0c31379bb3d4",
"scimUserResponseConverterId": "c8720843-dc4f-4e6c-b6ca-500e9c44695f"
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"multiFactorConfiguration": {
"authenticator": {
"enabled": true
},
"email": {
"enabled": true,
"templateId": "d312fb71-d7d8-4b75-a497-6096a07220b3"
},
"loginPolicy": "Enabled",
"sms": {
"enabled": true,
"messengerId": "0a4bae38-ffef-4c33-b74c-1d50c796f600",
"templateId": "f35e04e6-72ec-4f52-b552-29cf950a4ed6"
}
},
"name": "Playtronics Co.",
"oauthConfiguration": {
"clientCredentialsAccessTokenPopulateLambdaId": "46e120c1-4c22-473f-95b4-e2c187cd20c2"
},
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"breachDetection": {
"enabled": true,
"notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"matchMode": "High",
"onLogin": "Off"
},
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true,
"validateOnLogin": false
},
"phoneConfiguration": {
"forgotPasswordTemplateId": "f90c8a8f-db77-4f2f-a3dd-5f692faf5d55",
"identityUpdateTemplateId": "77df7e94-2dbf-44ab-b58c-06ac4224c449",
"implicitPhoneVerificationAllowed": false,
"loginIdInUseOnCreateTemplateId": "7880dac6-809b-489e-8a69-363b043dd0f4",
"loginIdInUseOnUpdateTemplateId": "de14b495-a358-4941-bb6b-0ddce04370ef",
"loginNewDeviceTemplateId": "d77ac611-ddff-4a06-903c-fafe5c1f9f7a",
"loginSuspiciousTemplateId": "73a8408a-e857-4ce2-82bb-d15b94d7c709",
"messengerId": "22a2ec45-39de-439a-a41c-eb7666b3b051",
"passwordResetSuccessTemplateId": "6a0f3a7a-3511-4936-a546-3bd8f68dbdd3",
"passwordUpdateTemplateId": "3ca81208-5678-434f-92b8-7fcc3b62bc7a",
"passwordlessTemplateId": "e8449783-60a7-483f-8c66-bcdf0d05705f",
"setPasswordTemplateId": "a6655c95-d94c-4dea-8191-0190f562bc39",
"twoFactorMethodAddTemplateId": "c450521d-7f39-4a21-ba02-ced83225efcc",
"twoFactorMethodRemoveTemplateId": "fba4fe64-3a29-45f8-895f-520d73d93659",
"unverified": {
"allowPhoneNumberChangeWhenGated": false,
"behavior": "Allow"
},
"verificationCompleteTemplateId": "7b6b80bd-e3a5-42ff-b333-93ef37c192df",
"verificationStrategy": "ClickableLink",
"verificationTemplateId": "c96ed02d-fbc6-4b27-9e74-54444747d18a",
"verifyPhoneNumber": true
},
"rateLimitConfiguration": {
"failedLogin": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"forgotPassword": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendEmailVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordless": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordlessPhone": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPhoneVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendRegistrationVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendTwoFactor": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
}
},
"registrationConfiguration": {},
"scimServerConfiguration": {
"clientEntityTypeId": "d9ed49f7-1106-4b20-acdb-5cbda76ae77e",
"enabled": true,
"serverEntityTypeId": "919e0ac5-1cf0-4fcf-a8fc-29d77a0d1d8f",
"schemas": {}
},
"ssoConfiguration": {
"deviceTrustTimeToLiveInSeconds": 31536000
},
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"usernameConfiguration": {
"unique": {
"enabled": false,
"numberOfDigits": 5,
"separator": "#"
}
},
"webAuthnConfiguration": {
"enabled": true,
"bootstrapWorkflow": {
"authenticatorAttachmentPreference": "crossPlatform",
"enabled": true,
"userVerificationRequirement": "required"
},
"debug": false,
"reauthenticationWorkflow": {
"authenticatorAttachmentPreference": "platform",
"enabled": true,
"userVerificationRequirement": "required"
},
"relyingPartyId": "piedpiper.com",
"relyingPartyName": "Pied Piper"
},
"webhookIds": [
"00000000-0000-0000-0000-000000000042"
]
}
}
Response#
The response for this API contains the Tenant that was updated.
Response Codes

| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 404 | The object you are trying to update doesn't exist. The response will be empty. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body#
tenant.accessControlConfiguration.uiIPAccessControlListId UUID Available since 1.30.0 The Id of the IP Access Control List limiting access to all applications in this tenant.
tenant.baseURLStringAvailable since 1.68.0The default base URL used when rendering links in templates for this Tenant. This value is used when application.baseURL is not defined.
tenant.captchaConfiguration.captchaMethodStringAvailable since 1.30.0The type of captcha method to use.
tenant.captchaConfiguration.enabledBooleanAvailable since 1.30.0Whether captcha configuration is enabled.
tenant.captchaConfiguration.secretKeyStringAvailable since 1.30.0The secret key for this captcha method.
tenant.captchaConfiguration.siteKeyStringAvailable since 1.30.0The site key for this captcha method.
tenant.captchaConfiguration.thresholdFloatAvailable since 1.30.0The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.
tenant.configured Boolean Indicates the tenant has been configured. It is always true, except for the default tenant when the setup wizard has not been completed, in which case it is false.
tenant.connectorPoliciesArrayAvailable since 1.18.0A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.
tenant.connectorPolicies[x].connectorIdUUIDAvailable since 1.18.0The identifier of the Connector to which this policy refers.
tenant.connectorPolicies[x].domains String Available since 1.18.0 A list of email domains to which this connector should apply.
A value of ["*"] indicates this connector applies to all users.
tenant.connectorPolicies[x].migrateBooleanAvailable since 1.18.0If true, the user's data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector's source will be treated as authoritative.
tenant.dataObjectAn object that can hold any information about the Tenant that should be persisted.
tenant.emailConfiguration.additionalHeadersArray<Object>optionalAvailable since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
tenant.emailConfiguration.debugBooleanoptionalDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
tenant.emailConfiguration.defaultFromEmail String optional Available since 1.16.0 The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.defaultFromName String optional Available since 1.16.0 The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn <jared@piedpiper.com>).
tenant.emailConfiguration.emailUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
tenant.emailConfiguration.emailVerifiedEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
tenant.emailConfiguration.forgotPasswordEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
tenant.emailConfiguration.hostStringoptionalDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.implicitEmailVerificationAllowedoptionalDefaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
tenant.emailConfiguration.loginIdInUseOnCreateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
tenant.emailConfiguration.loginIdInUseOnUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
tenant.emailConfiguration.loginNewDeviceEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
tenant.emailConfiguration.loginSuspiciousEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
tenant.emailConfiguration.passwordStringoptionalAvailable since 1.8.0An optional password FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.passwordlessEmailTemplateIdUUIDoptionalAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
tenant.emailConfiguration.passwordResetSuccessEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset.
tenant.emailConfiguration.passwordUpdateEmailTemplateIdUUIDoptionalAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
tenant.emailConfiguration.portIntegeroptionalDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0 this value was required.
tenant.emailConfiguration.propertiesStringoptionalAvailable since 1.8.0Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
mail.smtp.ssl.protocols has a default value of TLSv1 TLSv1.1 TLSv1.2.
Since version 1.44.0, the following two properties have default values:
mail.smtp.timeout has a default value of 2000.
mail.smtp.connectiontimeout has a default value of 2000.
Here's an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
tenant.emailConfiguration.security String optional Defaults to NONE Available since 1.8.0 The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
NONE - no security will be used. All communications will be sent plaintext.
SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
tenant.emailConfiguration.setPasswordEmailTemplateId UUID optional Available since 1.19.0 The Id of the Email Template that is used when a user has had their account created for them and must set their password manually; they are sent an email to set their password.
tenant.emailConfiguration.twoFactorMethodAddEmailTemplateId UUID optional Available since 1.30.0 The Id of the Email Template used to send emails to users when an MFA method has been added to their account.
tenant.emailConfiguration.adminTwoFactorMethodRemoveEmailTemplateId UUID optional Available since 1.68.0 The Id of the Email Template used to notify a user when an administrator removes one of their MFA methods.
tenant.emailConfiguration.twoFactorMethodRemoveEmailTemplateId UUID optional Available since 1.30.0 The Id of the Email Template used to send emails to users when an MFA method has been removed from their account.
tenant.emailConfiguration.unverified.allowEmailChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.27.0When this value is set to true, the user is allowed to change their email address when they are gated because they haven't verified their email address.
tenant.emailConfiguration.unverified.behaviorStringoptionalDefaults to AllowAvailable since 1.27.0The desired behavior during login for a user that does not have a verified email. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.emailConfiguration.username String optional Available since 1.8.0 An optional username FusionAuth will use to authenticate with the SMTP server.
tenant.emailConfiguration.verificationEmailTemplateIdUUIDoptionalThe Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.
tenant.emailConfiguration.verificationStrategyStringoptionalAvailable since 1.27.0The process by which the user will verify their email address. The possible values are:
ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.emailConfiguration.unverified.behavior has the Gated value.
tenant.emailConfiguration.verifyEmail Boolean optional Defaults to false Whether the user's email addresses are verified when the user registers with your application.
tenant.emailConfiguration.verifyEmailWhenChangedBooleanoptionalDefaults to falseWhether the user's email addresses are verified when the user changes them.
tenant.eventConfiguration.eventsObjectAvailable since 1.8.0A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
audit-log.create - When an audit log is created. Available since 1.30.0
event-log.create - When an event log is created. Available since 1.30.0
jwt.public-key.update - When a JWT signing Public / Private keypair may have been changed
jwt.refresh - When an access token is refreshed using a refresh token. Available since 1.16.0
jwt.refresh-token.revoke - When a JWT Refresh Token is revoked
kickstart.success - When kickstart has successfully completed. Available since 1.30.0
user.action - When a user action is triggered
user.bulk.create - When multiple users are created in bulk (i.e. during an import)
user.create - When a user is created
user.create.complete - When a user create transaction has completed. Available since 1.30.0
user.deactivate - When a user is deactivated
user.delete - When a user is deleted
user.delete.complete - When a user delete transaction has completed. Available since 1.30.0
user.email.update - When a user updates their email address. Available since 1.30.0
user.email.verified - When a user verifies their email address. Available since 1.8.0
user.identity-provider.link - When a link is created from a user to an Identity Provider. Available since 1.36.0
user.identity-provider.unlink - When an existing Identity Provider link is removed from a User. Available since 1.36.0
user.identity.verified - When a user's identity is verified. Available since 1.59.0
user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.login.failed - When a user fails a login request. Available since 1.6.0
user.login.new-device - When a user begins a login request with a new device. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.login.success - When a user completes a login request. Available since 1.6.0
user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license). Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license). Available since 1.15.0. Note: you'll need a paid plan.
user.password.reset.send - When a forgot password email has been sent to a user. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.reset.start - When the process to reset a user password has started. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.reset.success - When a user has successfully reset their password. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.password.update - When a user has updated their password. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.reactivate - When a user is reactivated
user.registration.create - When a user registration is created. Available since 1.6.0
user.registration.create.complete - When a user registration create transaction has completed. Available since 1.30.0
user.registration.delete - When a user registration is deleted. Available since 1.6.0
user.registration.delete.complete - When a user registration delete transaction has completed. Available since 1.30.0
user.registration.update - When a user registration is updated. Available since 1.6.0
user.registration.update.complete - When a user registration update transaction has completed. Available since 1.30.0
user.registration.verified - When a user completes registration verification. Available since 1.8.0
user.two-factor.challenge - When a user is presented a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.two-factor.failed-attempt - When a user submits an incorrect answer to a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.two-factor.method.add - When a user has added a two-factor method. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.two-factor.method.remove - When a user has removed a two-factor method. Available since 1.30.0. Note: you'll need an Enterprise plan.
user.two-factor.success - When a user submits a correct answer to a two-factor challenge. Available since 1.68.0. Note: you'll need an Enterprise plan.
user.update - When a user is updated
user.update.complete - When a user update transaction has completed. Available since 1.30.0
tenant.eventConfiguration.events[type].enabledBooleanAvailable since 1.8.0Whether or not FusionAuth should send these types of events to any configured Webhooks.
tenant.eventConfiguration.events[type].transactionTypeStringAvailable since 1.8.0The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.
Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.
SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until an OAuth authorization code is no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
Value must be greater than 0 and less than or equal to 600.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the change password Id.
If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the change password Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSecondsIntegerAvailable since 1.11.0The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.lengthIntegerAvailable since 1.11.0The length of the secure generator used for generating the device code Id.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.typeStringAvailable since 1.11.0The type of the secure generator used for generating the device code Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length Integer Available since 1.8.0 The length of the secure generator used for generating the email verification Id.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the email verification Id. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until an email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.lengthIntegerAvailable since 1.27.0The length of the secure generator used for generating the email verification one time code.
If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.typeStringAvailable since 1.27.0The type of the secure generator used for generating the email verification one time code. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSecondsIntegerAvailable since 1.12.0The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.identityProviderConnectionTestTimeToLiveInSecondsIntegerAvailable since 1.65.0The time in seconds until an identity provider connection test Id is no longer valid and cannot be used by the Identity Provider Test API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.loginIntentTimeToLiveInSecondsIntegerAvailable since 1.53.0The time in seconds until a Login Timeout identifier is no longer valid to complete post-authentication steps in the OAuth workflow. Must be greater than 0.
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the passwordless login.
If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12.
If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128.
If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the passwordless login. Possible values are:
randomAlpha
randomAlphaNumeric
randomBytes
randomDigits
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.lengthIntegerAvailable since 1.59.0The length of the secure generator used for generating the passwordless one-time login.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the passwordlessLoginOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.passwordlessLoginOneTimeCodeGenerator.typeStringAvailable since 1.59.0The type of the secure generator used for generating the passwordless one-time login. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.pendingAccountLinkTimeToLiveInSecondsIntegerAvailable since 1.28.0The number of seconds before the pending account link identifier is no longer valid to complete an account link request.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.lengthIntegerAvailable since 1.59.0The length of the secure generator used for generating the phone verification Id.
If the phoneVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the phoneVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationIdGenerator.typeStringAvailable since 1.59.0The type of the secure generator used for generating the phone verification Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.phoneVerificationIdTimeToLiveInSecondsIntegerAvailable since 1.59.0The time in seconds until a phone verification Id is no longer valid and cannot be used by the Verify Phone API.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.lengthIntegerAvailable since 1.59.0The length of the secure generator used for generating the phone verification one time code.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the phoneVerificationOneTimeCodeGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.phoneVerificationOneTimeCodeGenerator.typeStringAvailable since 1.59.0The type of the secure generator used for generating the phone verification one time code. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the registration verification Id.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the registration verification Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.lengthIntegerAvailable since 1.27.0The length of the secure generator used for generating the registration verification one time code.
If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.typeStringAvailable since 1.27.0The type of the secure generator used for generating the registration verification one time code. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSecondsIntegerAvailable since 1.50.0The time in seconds until remembered OAuth scope consent choices are no longer valid, and the User will be prompted to consent to requested OAuth scopes even if they have not changed. Applies only when application.oauthConfiguration.consentMode is set to RememberDecision. Value must be greater than 0.
tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSecondsIntegerAvailable since 1.19.0The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the setup password Id.
If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the setup password Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.trustTokenTimeToLiveInSecondsIntegerAvailable since 1.33.0The number of seconds before the Trust Token is no longer valid to complete a request that requires trust. Value must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until a two-factor Id is no longer valid and cannot be used by the Two-Factor Login API. Value must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.lengthIntegerAvailable since 1.8.0The length of the secure generator used for generating the two-factor one time code Id.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlpha then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater than or equal to 4 and less than or equal to 12.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomBytes then the length must be greater than or equal to 16 and less than or equal to 128.
If the twoFactorOneTimeCodeIdGenerator.type is equal to randomDigits then the length must be greater than or equal to 4 and less than or equal to 12.
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.typeStringAvailable since 1.8.0The type of the secure generator used for generating the two-factor code Id. Possible values are:
randomAlpha, randomAlphaNumeric, randomBytes, randomDigits
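The generator length limits listed for each *Generator field can be checked mechanically against a tenant's externalIdentifierConfiguration. The following is an added example, not FusionAuth code: it validates each generator against the documented bounds and estimates how guessable a value is during its time to live. The alphabet sizes, the pairing of a generator with the TimeToLiveInSeconds field of the same name, the guesses_per_second rate and the sample configuration are assumptions.

```python
import math

# Length bounds per generator type, as stated in this reference.
LENGTH_BOUNDS = {
    "randomAlpha": (4, 12),
    "randomAlphaNumeric": (4, 12),
    "randomBytes": (16, 128),
    "randomDigits": (4, 12),
}

# Symbols per position. ASSUMPTION: the reference does not state the
# alphabets. These are upper bounds (mixed-case letters, 8 bits per byte);
# a smaller real alphabet means fewer bits than reported here.
ASSUMED_ALPHABET = {
    "randomAlpha": 52,
    "randomAlphaNumeric": 62,
    "randomBytes": 256,
    "randomDigits": 10,
}

# Constructed sample, shaped like tenant.externalIdentifierConfiguration.
SAMPLE_CONFIG = {
    "passwordlessLoginGenerator": {"type": "randomBytes", "length": 32},
    "passwordlessLoginTimeToLiveInSeconds": 180,
    "twoFactorOneTimeCodeIdGenerator": {"type": "randomDigits", "length": 6},
    "twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
    "setupPasswordIdGenerator": {"type": "randomBytes", "length": 8},
    "registrationVerificationOneTimeCodeGenerator": {"type": "randomDigits", "length": 4},
}


def audit_generators(config, guesses_per_second=1.0):
    """Return {generator field: report} for every *Generator object.

    A report has valid=False and a reason when the type or length breaks the
    documented bounds. Otherwise it has the estimated bits and, when a TTL
    field with the matching name exists, guess_odds: the chance that blind
    guessing at guesses_per_second hits the value before it expires.
    """
    report = {}
    for name in sorted(config):
        gen = config[name]
        if not (name.endswith("Generator") and isinstance(gen, dict)):
            continue
        gen_type, length = gen.get("type"), gen.get("length")
        if gen_type not in LENGTH_BOUNDS:
            report[name] = {"valid": False, "reason": f"unknown type {gen_type!r}"}
            continue
        low, high = LENGTH_BOUNDS[gen_type]
        if type(length) is not int or not low <= length <= high:
            report[name] = {
                "valid": False,
                "reason": f"length {length!r} not in {low}..{high} for {gen_type}",
            }
            continue
        bits = length * math.log2(ASSUMED_ALPHABET[gen_type])
        entry = {"valid": True, "bits": round(bits, 1)}
        # ASSUMPTION: fooGenerator is governed by fooTimeToLiveInSeconds.
        ttl = config.get(name[: -len("Generator")] + "TimeToLiveInSeconds")
        if type(ttl) is int and ttl > 0:
            # Work in floats via the bit count so 2**1024 cannot overflow.
            entry["guess_odds"] = min(1.0, guesses_per_second * ttl * 2.0 ** -bits)
        report[name] = entry
    return report


if __name__ == "__main__":
    for field, result in audit_generators(SAMPLE_CONFIG).items():
        print(field, result)
```

Read guess_odds together with the rate limits and failed authentication settings of the tenant, since those determine the guess rate that is actually reachable.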
tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdTimeToLiveInSecondsIntegerAvailable since 1.26.0The number of seconds before the Two-Factor One Time Code used to enable or disable a two-factor method is no longer valid. Must be greater than 0.
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSecondsIntegerAvailable since 1.8.0The time in seconds until an issued Two-Factor trust Id is no longer valid and the User will be required to complete Two-Factor authentication during the next authentication attempt. Value must be greater than 0.
tenant.externalIdentifierConfiguration.webAuthnAuthenticationChallengeTimeToLiveInSecondsIntegerAvailable since 1.41.0The time in seconds until a WebAuthn authentication challenge is no longer valid and the User will be required to restart the WebAuthn authentication ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.get API call. Value must be greater than 0.
tenant.externalIdentifierConfiguration.webAuthnRegistrationChallengeTimeToLiveInSecondsIntegerAvailable since 1.41.0The time in seconds until a WebAuthn registration challenge is no longer valid and the User will be required to restart the WebAuthn registration ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.create API call. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.actionCancelPolicy.onPasswordResetBooleanAvailable since 1.42.0Indicates whether you want the user to be able to self-service unlock their account prior to the action duration by completing a password reset workflow.
tenant.failedAuthenticationConfiguration.actionDurationLongAvailable since 1.8.0The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.actionDurationUnitStringAvailable since 1.8.0The unit of time associated with a duration. The possible values are:
MINUTES, HOURS, DAYS, WEEKS, MONTHS, YEARS
tenant.failedAuthenticationConfiguration.emailUserStringoptionalAvailable since 1.42.0Indicates you would like to email the user when the user's account is locked due to this action being taken. This requires the User Action specified by the tenant.failedAuthenticationConfiguration.userActionId to also be configured for email. If the User Action is not configured to be able to email the user, this configuration will be ignored. See userEmailingEnabled on the User Action.
tenant.failedAuthenticationConfiguration.resetCountInSecondsIntegerAvailable since 1.8.0The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.
tenant.failedAuthenticationConfiguration.tooManyAttemptsIntegerAvailable since 1.8.0The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.
tenant.failedAuthenticationConfiguration.userActionIdUUIDAvailable since 1.8.0The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
tenant.familyConfiguration.allowChildRegistrationsBooleanAvailable since 1.8.0Whether to allow child registrations.
tenant.familyConfiguration.confirmChildEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use when confirming a child.
tenant.familyConfiguration.deleteOrphanedAccountsBooleanAvailable since 1.8.0Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.
tenant.familyConfiguration.deleteOrphanedAccountsDaysIntegerAvailable since 1.8.0The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.
tenant.familyConfiguration.enabledBooleanAvailable since 1.8.0Whether family configuration is enabled.
tenant.familyConfiguration.familyRequestEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use when a family request is made.
tenant.familyConfiguration.maximumChildAgeIntegerAvailable since 1.8.0The maximum age of a child. Value must be greater than 0.
tenant.familyConfiguration.minimumOwnerAgeIntegerAvailable since 1.8.0The minimum age to be an owner. Value must be greater than 0.
tenant.familyConfiguration.parentEmailRequiredBooleanAvailable since 1.8.0Whether a parent email is required.
tenant.familyConfiguration.parentRegistrationEmailTemplateIdUUIDAvailable since 1.8.0The unique Id of the email template to use for parent registration.
tenant.formConfiguration.adminUserFormIdUUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.
tenant.httpSessionMaxInactiveIntervalIntegerAvailable since 1.8.0Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.
tenant.idUUIDThe unique identifier for this Tenant.
tenant.insertInstantLongThe instant that the Tenant was added to the FusionAuth database.
tenant.issuerStringAvailable since 1.8.0The named issuer used to sign tokens. This is generally your public fully qualified domain with the https:// protocol prefix. For example, https://example.com.
tenant.jwtConfiguration.accessTokenKeyIdUUIDAvailable since 1.8.0The unique id of the signing key used to sign the access token.
tenant.jwtConfiguration.idTokenKeyIdUUIDAvailable since 1.8.0The unique id of the signing key used to sign the Id token.
tenant.jwtConfiguration.refreshTokenExpirationPolicyStringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed - the expiration is calculated from the time the token is issued.
SlidingWindow - the expiration is calculated from the last time the token was used.
SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
tenant.jwtConfiguration.refreshTokenOneTimeUseConfiguration.gracePeriodInSecondsIntegerAvailable since 1.55.1The length of time specified in seconds that a one-time use token can be reused.
This value must be greater than 0 and less than 86400 which is equal to 24 hours. Setting this value to 0 effectively disables the grace period which means a one-time token may not be reused. For security reasons, you should keep this value as small as possible, and only increase past 0 to improve reliability for an asynchronous or clustered integration that may require a brief grace period.
Note that one-time use tokens refreshed within a grace period are not considered for revocation when tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuse is true. When a token is reused within the grace period the current token will be returned on the API response and the token will not be rotated.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPreventedBooleanAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onMultiFactorEnableBooleanAvailable since 1.42.0When enabled, all of a user's refresh tokens will be revoked when the user enables multi-factor authentication for the first time. This policy will not be applied when adding subsequent multi-factor methods to the user.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onOneTimeTokenReuseBooleanAvailable since 1.55.1When enabled, if a one-time use refresh token is reused, the token will be revoked. This does not cause all refresh tokens to be revoked, only the reused token is revoked.
tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChangedBooleanAvailable since 1.17.0When enabled, all of a user's refresh tokens will be revoked when a user changes their password.
tenant.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutesIntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime.
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutesIntegerAvailable since 1.8.0The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.
tenant.jwtConfiguration.refreshTokenUsagePolicyStringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable - the token does not change after it was issued.
OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
tenant.jwtConfiguration.timeToLiveInSecondsIntegerAvailable since 1.8.0The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.
tenant.lambdaConfiguration.loginValidationIdUUIDAvailable since 1.53.0The Id of the lambda that will be invoked at the end of a successful login request in order to extend custom validation of a login request.
tenant.lambdaConfiguration.multiFactorRequirementIdUUIDoptionalAvailable since 1.62.0The Id of the lambda that will be invoked during logins, password changes, and MFA Status API calls to perform various validations to decide whether to challenge the user on one of their MFA methods.
tenant.lambdaConfiguration.scimEnterpriseUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM Enterprise User request to a FusionAuth User.
tenant.lambdaConfiguration.scimEnterpriseUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth Enterprise User to a SCIM Server response.
tenant.lambdaConfiguration.scimGroupRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM Group Request Lambda that will be used to convert the SCIM Group request to a FusionAuth Group.
tenant.lambdaConfiguration.scimGroupResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM GroupResponse Lambda that will be used to convert a FusionAuth Group to a SCIM Server response.
tenant.lambdaConfiguration.scimUserRequestConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Request Lambda that will be used to convert the SCIM User request to a FusionAuth User.
tenant.lambdaConfiguration.scimUserResponseConverterIdUUIDAvailable since 1.36.0The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth User to a SCIM Server response.
tenant.lastUpdateInstantLongThe instant that the Tenant was last updated in the FusionAuth database.
tenant.loginConfiguration.requireAuthenticationBooleanAvailable since 1.26.0Indicates whether to require an API key for the Login API when an applicationId is not provided. When an applicationId is provided to the Login API call, the application configuration will take precedence.
tenant.logoutURLStringAvailable since 1.8.0The logout redirect URL when sending the user's browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
tenant.maximumPasswordAge.daysIntegerAvailable since 1.8.0The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when tenant.maximumPasswordAge.enabled is set to true.
tenant.maximumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the maximum password age is enabled and being enforced.
tenant.minimumPasswordAge.secondsIntegerAvailable since 1.8.0The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when tenant.minimumPasswordAge.enabled is set to true.
tenant.minimumPasswordAge.enabledBooleanAvailable since 1.8.0Indicates that the minimum password age is enabled and being enforced.
tenant.multiFactorConfiguration.authenticator.algorithmStringAvailable since 1.26.0The algorithm used by the TOTP authenticator. This value is HmacSHA1 and read only.
tenant.multiFactorConfiguration.authenticator.codeLengthIntegerAvailable since 1.26.0The length of the code generated by the TOTP. This value is 6 and read only.
tenant.multiFactorConfiguration.authenticator.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an authenticator application to complete a multi-factor authentication request. This method uses TOTP (Time-Based One-Time Password) as defined in RFC 6238 and often uses a native mobile app such as Google Authenticator.
tenant.multiFactorConfiguration.authenticator.timeStepIntegerAvailable since 1.26.0The time-step size in seconds. This value is 30 and read only.
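The read-only authenticator values (HmacSHA1, a code length of 6 and a 30 second time-step) are RFC 6238 parameters. As an added example, not FusionAuth's implementation, the following computes and checks a code with exactly those values. The verify helper, its window of accepted time-steps and the test secret (the ASCII secret from the RFC 4226 and RFC 6238 test vectors) are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Read-only values from tenant.multiFactorConfiguration.authenticator.
ALGORITHM = hashlib.sha1  # HmacSHA1
CODE_LENGTH = 6
TIME_STEP = 30

# Constructed test input: the ASCII secret used by the RFC test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def totp(secret, at=None):
    """Return the code for the time-step containing `at` (Unix seconds)."""
    now = time.time() if at is None else at
    counter = int(now // TIME_STEP)
    digest = hmac.new(secret, struct.pack(">Q", counter), ALGORITHM).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_LENGTH).zfill(CODE_LENGTH)


def verify(secret, code, at=None, window=1):
    """Accept a code from the current step or `window` steps either side.

    ASSUMPTION: the window is a choice made for this example to tolerate
    clock drift; the reference does not state what FusionAuth accepts.
    """
    now = time.time() if at is None else at
    submitted = str(code).encode("utf-8")
    ok = False
    for drift in range(-window, window + 1):
        moment = now + drift * TIME_STEP
        if moment < 0:
            continue
        expected = totp(secret, moment).encode("utf-8")
        # Constant-time comparison, evaluated for every step in the window.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))
```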
tenant.multiFactorConfiguration.email.enabledBooleanAvailable since 1.26.0When enabled, users may utilize an email address to complete a two-factor authentication request.
tenant.multiFactorConfiguration.email.templateIdUUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a two-factor authentication request.
tenant.multiFactorConfiguration.sms.enabledBooleanAvailable since 1.26.0When enabled, users may utilize a mobile phone number to complete a two-factor authentication request.
tenant.multiFactorConfiguration.sms.messengerIdUUIDAvailable since 1.26.0The messenger that is used to deliver an SMS two-factor authentication request.
tenant.multiFactorConfiguration.sms.templateIdUUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a two-factor authentication request.
tenant.multiFactorConfiguration.voice.enabledBooleanAvailable since 1.65.0When enabled, users can receive a spoken multi-factor authentication code over a phone call.
tenant.multiFactorConfiguration.voice.messengerIdUUIDAvailable since 1.65.0The messenger that is used to deliver a voice two-factor authentication request.
tenant.multiFactorConfiguration.voice.templateIdUUIDAvailable since 1.65.0The Id of the voice template that is used when notifying a user to complete a two-factor authentication request.
tenant.nameStringThe unique name of the Tenant.
tenant.oauthConfiguration.clientCredentialsAccessTokenPopulateLambdaIdUUIDAvailable since 1.26.0The Id of a lambda that will be called to populate the JWT during a client credentials grant.
tenant.passwordEncryptionConfiguration.encryptionSchemeStringAvailable since 1.8.0The default method for encrypting the User's password. The following encryptors are provided with FusionAuth:
tenant.passwordEncryptionConfiguration.encryptionSchemeFactorIntegerAvailable since 1.8.0The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLoginBooleanAvailable since 1.8.0When enabled a user's hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.
Beginning in version 1.42.0 when this configuration is enabled, in addition to re-hashing on login, the password will be re-hashed on password change as well.
tenant.passwordValidationRules.breachDetection.enabledBooleanAvailable since 1.15.0Whether to enable Reactor breach detection. Requires an activated license.
tenant.passwordValidationRules.breachDetection.matchModeStringAvailable since 1.15.0The level of severity where Reactor will consider a breach. The following are valid values:
High - Only requires a password match, this is the most secure and is recommended
Medium - Exact match on username, email address or email sub-address
Low - Exact match on an email or username, or the password is a common breached value
tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateIdUUIDAvailable since 1.15.0The Id of the email template to use when notifying a user of a breached password.
tenant.passwordValidationRules.breachDetection.onLoginStringAvailable since 1.15.0The behavior when detecting breaches at time of user login. The following are valid values:
Off - Do not perform breach detection at login
RecordOnly - Only record the result, take no action
NotifyUser - Notify the end user via email
RequireChange - Require immediate password change
tenant.passwordValidationRules.maxLengthIntegerAvailable since 1.8.0The maximum length of a password when a new user is created or a user requests a password change.
tenant.passwordValidationRules.minLengthIntegerAvailable since 1.8.0The minimum length of a password when a new user is created or a user requests a password change.
tenant.passwordValidationRules.rememberPreviousPasswords.countIntegerAvailable since 1.8.0The number of previous passwords to remember. Value must be greater than 0.
tenant.passwordValidationRules.rememberPreviousPasswords.enabledBooleanAvailable since 1.8.0Whether to prevent a user from using any of their previous passwords.
tenant.passwordValidationRules.requireMixedCaseBooleanAvailable since 1.8.0Whether to force the user to use at least one uppercase and one lowercase character.
tenant.passwordValidationRules.requireNonAlphaBooleanAvailable since 1.8.0Whether to force the user to use at least one non-alphanumeric character.
tenant.passwordValidationRules.requireNumberBooleanAvailable since 1.8.0Whether to force the user to use at least one number.
tenant.passwordValidationRules.validateOnLoginBooleanAvailable since 1.15.0When enabled the user's password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.
tenant.phoneConfiguration.forgotPasswordTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template that is used when sending a user a forgot password message.
tenant.phoneConfiguration.identityUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their phone number has been updated. The message will be sent to both their new and old phone numbers.
tenant.phoneConfiguration.implicitPhoneVerificationAllowedBooleanoptionalDefaults to trueAvailable since 1.59.0When set to true, this allows a phone number to be verified as a result of completing a similar phone based workflow such as change password. When set to false, the user must explicitly complete the phone verification workflow even if the user has already completed a similar phone workflow such as change password.
tenant.phoneConfiguration.loginIdInUseOnCreateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to create an account with their login Id.
tenant.phoneConfiguration.loginIdInUseOnUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when another user attempts to update an existing account to use their login Id.
tenant.phoneConfiguration.loginNewDeviceTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they log in on a new device.
tenant.phoneConfiguration.loginSuspiciousTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when a suspicious login using their login Id occurs.
tenant.phoneConfiguration.messengerIdUUIDAvailable since 1.59.0The messenger that is used to deliver SMS messages for phone number verification and passwordless logins.
tenant.phoneConfiguration.passwordlessTemplateIdUUIDAvailable since 1.59.0The Id of the Passwordless Message Template, sent to users when they start a passwordless login.
tenant.phoneConfiguration.passwordResetSuccessTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when they have completed a 'forgot password' workflow and their password has been reset.
tenant.phoneConfiguration.passwordUpdateTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when their password has been updated.
tenant.phoneConfiguration.setPasswordTemplateIdUUIDoptionalAvailable since 1.59.0The Id of the SMS Message Template used when a user must set their password manually after their account was created for them (by an admin, for example).
tenant.phoneConfiguration.adminTwoFactorMethodRemoveTemplateIdUUIDoptionalAvailable since 1.68.0The Id of the Message Template used to notify a user when an administrator removes one of their MFA methods.
tenant.phoneConfiguration.twoFactorMethodRemoveTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when an MFA method has been removed from their account.
tenant.phoneConfiguration.twoFactorMethodAddTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send a message to a user when an MFA method has been added to their account.
tenant.phoneConfiguration.unverified.allowPhoneNumberChangeWhenGatedBooleanoptionalDefaults to falseAvailable since 1.59.0When this value is set to true, the user is allowed to change their phone number when they are gated because they haven't verified their phone number.
tenant.phoneConfiguration.unverified.behaviorStringAvailable since 1.59.0The desired behavior during login for a user that does not have a verified phone number. The possible values are:
Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid plan.
tenant.phoneConfiguration.verificationCompleteTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to notify a user that their phone number has been verified.
tenant.phoneConfiguration.verificationStrategyStringAvailable since 1.59.0The process by which the user will verify their phone number. The possible values are:
ClickableLink- send the user a code with a clickable link.FormField- send the user a short code intended to be manually entered into a form field. This is only available when tenant.phoneConfiguration.unverified.behavior has theGatedvalue.
tenant.phoneConfiguration.verificationTemplateIdUUIDAvailable since 1.59.0The Id of the Message Template used to send SMS messages to users to verify that their phone number is valid.
tenant.phoneConfiguration.verifyPhoneNumberBooleanAvailable since 1.59.0Whether a user's phone number is verified when they register with your application.
tenant.rateLimitConfiguration.failedLogin.limit Integer Available since 1.30.0
The number of times a user can fail to login within the configured timePeriodInSeconds duration. If a Failed authentication action has been configured then it will take precedence.
tenant.rateLimitConfiguration.failedLogin.timePeriodInSeconds Integer Available since 1.30.0
The duration for the number of times a user can fail login before being rate limited.
tenant.rateLimitConfiguration.forgotPassword.limit Integer Available since 1.30.0
The number of times a user can request a forgot password email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.forgotPassword.timePeriodInSeconds Integer Available since 1.30.0
The duration for the number of times a user can request a forgot password email before being rate limited.
tenant.rateLimitConfiguration.sendEmailVerification.limit Integer Available since 1.30.0
The number of times a user can request a verification email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendEmailVerification.timePeriodInSeconds Integer Available since 1.30.0
The duration for the number of times a user can request a verification email before being rate limited.
tenant.rateLimitConfiguration.sendPasswordless.limit Integer Available since 1.30.0
The number of times a user can request a passwordless login email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPasswordless.timePeriodInSeconds Integer Available since 1.30.0
The duration for the number of times a user can request a passwordless login email before being rate limited.
tenant.rateLimitConfiguration.sendPasswordlessPhone.limit Integer Available since 1.59.0
The number of times a user can request a passwordless login SMS message within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPasswordlessPhone.timePeriodInSeconds Integer Available since 1.59.0
The duration for the number of times a user can request a passwordless login SMS message before being rate limited.
tenant.rateLimitConfiguration.sendPhoneVerification.limit Integer Available since 1.59.0
The number of times a user can request a phone verification message within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendPhoneVerification.timePeriodInSeconds Integer Available since 1.59.0
The duration for the number of times a user can request a phone verification message before being rate limited.
tenant.rateLimitConfiguration.sendRegistrationVerification.limit Integer Available since 1.30.0
The number of times a user can request a registration verification email within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendRegistrationVerification.timePeriodInSeconds Integer Available since 1.30.0
The duration for the number of times a user can request a registration verification email before being rate limited.
tenant.rateLimitConfiguration.sendTwoFactor.limit Integer Available since 1.30.0
The number of times a user can request a two-factor code by email or SMS within the configured timePeriodInSeconds duration.
tenant.rateLimitConfiguration.sendTwoFactor.timePeriodInSeconds Integer Available since 1.30.0
The duration for the number of times a user can request a two-factor code by email or SMS before being rate limited.
tenant.registrationConfiguration.blockedDomains Array<String> optional Available since 1.30.0
A list of unique domains that are not allowed to register when self service is enabled.
tenant.scimServerConfiguration.clientEntityTypeId UUID Available since 1.36.0
The Entity Type that will be used to represent SCIM Clients for this tenant.
tenant.scimServerConfiguration.enabled Boolean Available since 1.36.0
Whether or not this tenant has the SCIM endpoints enabled.
tenant.scimServerConfiguration.schemas Map Available since 1.36.0
JSON formatted as a SCIM Schemas endpoint response. Because the SCIM lambdas may modify the JSON response, ensure the Schema's response matches that generated by the response lambdas. More about Schema definitions.
tenant.scimServerConfiguration.serverEntityTypeId UUID Available since 1.36.0
The Entity Type that will be used to represent SCIM Servers for this tenant.
tenant.ssoConfiguration.deviceTrustTimeToLiveInSeconds Integer Available since 1.30.2
The number of seconds before a trusted device is reset. When reset, a user is forced to complete captcha during login and complete two-factor authentication if applicable.
tenant.ssoConfiguration.allowAccessTokenBootstrap Boolean Available since 1.56.0
When enabled, an SSO session can be created after login by providing an access token as a bearer token in a request to the OAuth2 Authorize endpoint.
tenant.state String Available since 1.22.0
The current state of the tenant. The following are valid values:
Active - The tenant is active.
PendingDelete - A delete request has been requested and is being processed.
tenant.themeId UUID Available since 1.8.0
The unique Id of the theme to be used to style the login page and other end user templates.
tenant.userDeletePolicy.unverified.enabled Boolean Available since 1.13.0
Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.
tenant.userDeletePolicy.unverified.enabledInstant Long Available since 1.48.0
The instant that this policy was enabled.
Users created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for users created after this policy was enabled. If you would like to delete users created prior to this policy being enabled that have an unverified email address, you can use the User Search API or User Bulk Delete API to search on the insertInstant and verified fields to identify users that you would like to delete.
For example, the following query string will return users that were created at least 7 days ago that have not verified their email address.
insertInstant:<now-7d AND verified:false
Please note that prior to version 1.48.0, when enabling this policy all users with an unverified email were eligible for deletion.
tenant.userDeletePolicy.unverified.numberOfDaysToRetain Integer Available since 1.13.0
The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0.
tenant.usernameConfiguration.unique.enabled Boolean Available since 1.27.0
When true, FusionAuth will handle username collisions by generating a random suffix. Users with colliding usernames will be able to use the same one, but in the admin and API interfaces, a unique username will be displayed.
tenant.usernameConfiguration.unique.numberOfDigits Integer Available since 1.27.0
The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and will be 1 or more digits up to this configured value in length. For example, if this value is 5, the suffix will be a number between 00001 and 99999, inclusive.
tenant.usernameConfiguration.unique.separator String Available since 1.27.0
A single character to use as a separator between the requested username and a unique suffix that is added when a duplicate username is detected. This value can be a single non alphanumeric ASCII character.
tenant.usernameConfiguration.unique.strategy String Available since 1.29.0
This strategy instructs FusionAuth when to append a unique suffix to the username. The possible values are:
Always - Always append a unique suffix even when the requested username is not in use.
OnCollision - Only append a unique suffix when the requested username is in use.
tenant.webAuthnConfiguration.bootstrapWorkflow.authenticatorAttachmentPreference String Available since 1.41.0
The authenticator attachment requirement for WebAuthn passkey registration when using the bootstrap workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenant.webAuthnConfiguration.bootstrapWorkflow.enabled Boolean Available since 1.41.0
Whether the WebAuthn bootstrap workflow is enabled.
tenant.webAuthnConfiguration.bootstrapWorkflow.userVerificationRequirement String Available since 1.41.0
The user verification requirement for WebAuthn passkey registration and authentication when using the bootstrap workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenant.webAuthnConfiguration.debug Boolean Available since 1.41.0
Whether debug event log output is enabled for WebAuthn.
tenant.webAuthnConfiguration.enabled Boolean Available since 1.41.0
Whether WebAuthn configuration is enabled.
tenant.webAuthnConfiguration.reauthenticationWorkflow.authenticatorAttachmentPreference String Available since 1.41.0
The authenticator attachment requirement for WebAuthn passkey registration when using the reauthentication workflow. The possible values are:
any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as "roaming" authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.
tenant.webAuthnConfiguration.reauthenticationWorkflow.enabled Boolean Available since 1.41.0
Whether the WebAuthn reauthentication workflow is enabled.
tenant.webAuthnConfiguration.reauthenticationWorkflow.userVerificationRequirement String Available since 1.41.0
The user verification requirement for WebAuthn passkey registration and authentication when using the reauthentication workflow. The possible values are:
discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.
tenant.webAuthnConfiguration.relyingPartyId String Available since 1.41.0
The Relying Party Id the tenant will use in WebAuthn ceremonies. Passkeys can only be used to authenticate on sites using the same Relying Party Id they were registered with.
The default value is null, which instructs the WebAuthn JavaScript API to use the browser origin.
tenant.webAuthnConfiguration.relyingPartyName String Available since 1.41.0
The Relying Party name the tenant will use in WebAuthn ceremonies. This value is used only for display and may be shown by browser or OS dialogs during WebAuthn ceremonies.
If no value is configured, the tenant.issuer value will be used.
Example Response JSON
{
"tenant": {
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"baseURL": "https://example.com",
"configured": true,
"captchaConfiguration": {
"captchaMethod": "GoogleRecaptchaV3",
"enabled": true,
"secretKey": "6LdYWpMbAAAAAKhcksgk70us00012r66r96tt7rp",
"siteKey": "6LdYWpMbAAAAAKhcksgk75tz00022r66ombcfadr",
"threshold": 0.5
},
"connectorPolicies": [
{
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"domains": [
"*"
],
"migrate": false
},
{
"connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
"domains": [
"*"
],
"migrate": true
}
],
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"additionalHeaders": [
{
"name": "X-SES-CONFIGURATION-SET",
"value": "example_configuration_set_name"
}
],
"defaultFromEmail": "jared@piedpiper.com",
"defaultFromName": "Jared Dunn",
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"implicitEmailVerificationAllowed": true,
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d",
"unverified": {
"allowEmailChangeWhenGated": false,
"behavior": "Gated"
},
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verificationStrategy": "FormField",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.password.breach": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"deviceCodeTimeToLiveInSeconds": 1800,
"deviceUserCodeIdGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"emailVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"externalAuthenticationIdTimeToLiveInSeconds": 300,
"loginIntentTimeToLiveInSeconds": 1800,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"pendingAccountLinkTimeToLiveInSeconds": 3600,
"phoneVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"phoneVerificationIdTimeToLiveInSeconds": 86400,
"phoneVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"registrationVerificationOneTimeCodeGenerator": {
"length": 6,
"type": "randomAlphaNumeric"
},
"rememberOAuthScopeConsentChoiceTimeToLiveInSeconds": 2592000,
"samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"trustTokenTimeToLiveInSeconds": 180,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorOneTimeCodeIdGenerator": {
"length": 6,
"type": "randomDigits"
},
"twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000,
"webAuthnAuthenticationChallengeTimeToLiveInSeconds": 180,
"webAuthnRegistrationChallengeTimeToLiveInSeconds": 180
},
"failedAuthenticationConfiguration": {
"actionCancelPolicy": {
"onPasswordReset": false
},
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"emailUser": false,
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"formConfiguration": {
"adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"insertInstant": 1572469040579,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenExpirationPolicy": "Fixed",
"refreshTokenRevocationPolicy": {
"onLoginPrevented": true,
"onMultiFactorEnable": true,
"onPasswordChanged": true
},
"refreshTokenTimeToLiveInMinutes": 43200,
"refreshTokenUsagePolicy": "Reusable",
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"loginValidationId": "c0dd79db-38dd-424b-b77a-4dccaad71052",
"scimEnterpriseUserRequestConverterId": "c2e70f8d-19bb-4df7-848a-33a9a1e26b84",
"scimEnterpriseUserResponseConverterId": "44fc9553-8a2e-408f-8aa2-fa65b70b55e2",
"scimGroupRequestConverterId": "66d65de0-1819-42f8-86ed-7daaa4e155dc",
"scimGroupResponseConverterId": "79812ede-432f-4375-9b43-23c0fe996fef",
"scimUserRequestConverterId": "8a51d7a1-5e3e-442a-b96a-0c31379bb3d4",
"scimUserResponseConverterId": "c8720843-dc4f-4e6c-b6ca-500e9c44695f"
},
"lastUpdateInstant": 1595361143101,
"loginConfiguration": {
"requireAuthentication": true
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"multiFactorConfiguration": {
"authenticator": {
"algorithm": "HmacSHA1",
"codeLength": 6,
"enabled": true,
"timeStep": 30
},
"email": {
"enabled": true,
"templateId": "d312fb71-d7d8-4b75-a497-6096a07220b3"
},
"loginPolicy": "Enabled",
"sms": {
"enabled": true,
"messengerId": "0a4bae38-ffef-4c33-b74c-1d50c796f600",
"templateId": "f35e04e6-72ec-4f52-b552-29cf950a4ed6"
}
},
"name": "Playtronics Co.",
"oauthConfiguration": {
"clientCredentialsAccessTokenPopulateLambdaId": "46e120c1-4c22-473f-95b4-e2c187cd20c2"
},
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"breachDetection": {
"enabled": true,
"notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"matchMode": "High",
"onLogin": "Off"
},
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true,
"validateOnLogin": false
},
"phoneConfiguration": {
"forgotPasswordTemplateId": "f90c8a8f-db77-4f2f-a3dd-5f692faf5d55",
"identityUpdateTemplateId": "77df7e94-2dbf-44ab-b58c-06ac4224c449",
"implicitPhoneVerificationAllowed": false,
"loginIdInUseOnCreateTemplateId": "7880dac6-809b-489e-8a69-363b043dd0f4",
"loginIdInUseOnUpdateTemplateId": "de14b495-a358-4941-bb6b-0ddce04370ef",
"loginNewDeviceTemplateId": "d77ac611-ddff-4a06-903c-fafe5c1f9f7a",
"loginSuspiciousTemplateId": "73a8408a-e857-4ce2-82bb-d15b94d7c709",
"messengerId": "22a2ec45-39de-439a-a41c-eb7666b3b051",
"passwordResetSuccessTemplateId": "6a0f3a7a-3511-4936-a546-3bd8f68dbdd3",
"passwordUpdateTemplateId": "3ca81208-5678-434f-92b8-7fcc3b62bc7a",
"passwordlessTemplateId": "e8449783-60a7-483f-8c66-bcdf0d05705f",
"setPasswordTemplateId": "a6655c95-d94c-4dea-8191-0190f562bc39",
"twoFactorMethodAddTemplateId": "c450521d-7f39-4a21-ba02-ced83225efcc",
"twoFactorMethodRemoveTemplateId": "fba4fe64-3a29-45f8-895f-520d73d93659",
"unverified": {
"allowPhoneNumberChangeWhenGated": false,
"behavior": "Allow"
},
"verificationCompleteTemplateId": "7b6b80bd-e3a5-42ff-b333-93ef37c192df",
"verificationStrategy": "ClickableLink",
"verificationTemplateId": "c96ed02d-fbc6-4b27-9e74-54444747d18a",
"verifyPhoneNumber": true
},
"rateLimitConfiguration": {
"failedLogin": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"forgotPassword": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendEmailVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordless": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPasswordlessPhone": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendPhoneVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendRegistrationVerification": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
},
"sendTwoFactor": {
"enabled": false,
"limit": 5,
"timePeriodInSeconds": 60
}
},
"registrationConfiguration": {},
"scimServerConfiguration": {
"clientEntityTypeId": "d9ed49f7-1106-4b20-acdb-5cbda76ae77e",
"enabled": true,
"serverEntityTypeId": "919e0ac5-1cf0-4fcf-a8fc-29d77a0d1d8f",
"schemas": {}
},
"ssoConfiguration": {
"allowAccessTokenBootstrap": false,
"deviceTrustTimeToLiveInSeconds": 31536000
},
"state": "Active",
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"usernameConfiguration": {
"unique": {
"enabled": false,
"numberOfDigits": 5,
"separator": "#",
"strategy": "OnCollision"
}
},
"webAuthnConfiguration": {
"enabled": true,
"bootstrapWorkflow": {
"authenticatorAttachmentPreference": "crossPlatform",
"enabled": true,
"userVerificationRequirement": "required"
},
"debug": false,
"reauthenticationWorkflow": {
"authenticatorAttachmentPreference": "platform",
"enabled": true,
"userVerificationRequirement": "required"
},
"relyingPartyId": "piedpiper.com",
"relyingPartyName": "Pied Piper"
}
}
}
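An added example, not part of the FusionAuth documentation: a Python check that walks a Tenant response like the one above and reports settings worth reviewing, using only fields documented in this section. The sample tenant is constructed, and what counts as a finding is this example's assumption, not FusionAuth guidance.

```python
import json

# Constructed sample: a trimmed Tenant response using field names from this page.
SAMPLE_TENANT = json.loads("""
{
  "tenant": {
    "phoneConfiguration": {
      "unverified": {"allowPhoneNumberChangeWhenGated": false, "behavior": "Allow"},
      "verificationStrategy": "FormField",
      "verifyPhoneNumber": true
    },
    "rateLimitConfiguration": {
      "failedLogin": {"enabled": false, "limit": 5, "timePeriodInSeconds": 60},
      "sendTwoFactor": {"enabled": true, "limit": 5, "timePeriodInSeconds": 60}
    },
    "ssoConfiguration": {"allowAccessTokenBootstrap": true},
    "userDeletePolicy": {"unverified": {"enabled": true, "numberOfDaysToRetain": 0}},
    "usernameConfiguration": {
      "unique": {"enabled": true, "numberOfDigits": 5, "separator": "ab", "strategy": "OnCollision"}
    },
    "webAuthnConfiguration": {
      "enabled": true,
      "bootstrapWorkflow": {"enabled": true, "userVerificationRequirement": "preferred"},
      "reauthenticationWorkflow": {"enabled": true, "userVerificationRequirement": "required"}
    }
  }
}
""")


def audit_tenant(response):
    """Return a sorted list of (json_path, message) findings for one Tenant response."""
    tenant = response.get("tenant", {})
    findings = []

    # Rate limits only protect an endpoint when the category is switched on.
    for name, cfg in tenant.get("rateLimitConfiguration", {}).items():
        if not cfg.get("enabled", False):
            findings.append((f"rateLimitConfiguration.{name}.enabled", "rate limit is not enabled"))

    # Phone verification: FormField is documented as available only with Gated behavior,
    # and Allow lets a user with an unverified number complete login.
    phone = tenant.get("phoneConfiguration", {})
    behavior = phone.get("unverified", {}).get("behavior")
    if phone.get("verificationStrategy") == "FormField" and behavior != "Gated":
        findings.append(("phoneConfiguration.verificationStrategy",
                         "FormField is only available when unverified.behavior is Gated"))
    if phone.get("verifyPhoneNumber") and behavior == "Allow":
        findings.append(("phoneConfiguration.unverified.behavior",
                         "users with an unverified phone number can still complete login"))

    # WebAuthn: flag enabled workflows that do not require user verification.
    webauthn = tenant.get("webAuthnConfiguration", {})
    if webauthn.get("enabled"):
        if webauthn.get("debug"):
            findings.append(("webAuthnConfiguration.debug", "debug event log output is enabled"))
        for workflow in ("bootstrapWorkflow", "reauthenticationWorkflow"):
            cfg = webauthn.get(workflow, {})
            requirement = cfg.get("userVerificationRequirement")
            if cfg.get("enabled") and requirement != "required":
                findings.append((f"webAuthnConfiguration.{workflow}.userVerificationRequirement",
                                 f"user verification is '{requirement}', not 'required'"))

    if tenant.get("ssoConfiguration", {}).get("allowAccessTokenBootstrap"):
        findings.append(("ssoConfiguration.allowAccessTokenBootstrap",
                         "an access token can be used to create an SSO session"))

    # Documented constraints: retention days > 0, separator is one non-alphanumeric ASCII char.
    unverified = tenant.get("userDeletePolicy", {}).get("unverified", {})
    if unverified.get("enabled") and unverified.get("numberOfDaysToRetain", 0) <= 0:
        findings.append(("userDeletePolicy.unverified.numberOfDaysToRetain", "must be greater than 0"))
    unique = tenant.get("usernameConfiguration", {}).get("unique", {})
    sep = unique.get("separator", "")
    if unique.get("enabled") and not (len(sep) == 1 and sep.isascii() and not sep.isalnum()):
        findings.append(("usernameConfiguration.unique.separator",
                         "must be a single non-alphanumeric ASCII character"))
    return sorted(findings)


if __name__ == "__main__":
    for path, message in audit_tenant(SAMPLE_TENANT):
        print(f"tenant.{path}: {message}")
```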
Delete a Tenant#
This API is used to permanently delete a Tenant. Deleting a Tenant will delete all Users, Applications and Groups that belong to this tenant. Proceed with caution.
Request#
Request Parameters#
tenantId UUID required
The unique Id of the Tenant to delete.
async Boolean optional Defaults to false
Set this value to true to perform this request asynchronously. This means the API will return a response indicating the request has been accepted and will not wait for the operation to complete.
Request Headers#
X-FusionAuth-TenantId String optional
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response#
This API does not return a JSON response body.
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. |
| 202 | The request has been accepted but not completed. The response will be empty. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 404 | The object you requested doesn't exist. The response will be empty. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Retrieve the Password Validation Rules#
This API has been available since 1.8.0
This API is used to retrieve the Password Validation Rules. This configuration is a subset of the Tenant configuration.
Request#
Request Parameters#
tenantId UUID required
The Id of the tenant.
Request Headers#
X-FusionAuth-TenantId String optional
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response#
The response for this API contains the Password Validation Rules.
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body#
tenant.passwordValidationRules.disallowUserLoginId Boolean
Indicates that passwords containing the user's login Id will not be allowed.
tenant.passwordValidationRules.maxLength Integer
The maximum number of characters that are allowed for user passwords.
tenant.passwordValidationRules.minLength Integer
The minimum number of characters that are required for user passwords.
tenant.passwordValidationRules.rememberPreviousPasswords.count Integer
The number of previous passwords that should be remembered so they are not re-used by the User.
tenant.passwordValidationRules.rememberPreviousPasswords.enabled Boolean
Indicates that the remember previous password validation is enabled and being enforced.
tenant.passwordValidationRules.requireMixedCase Boolean
Indicates that passwords require an uppercase and lowercase character to be valid.
tenant.passwordValidationRules.requireNonAlpha Boolean
Indicates that passwords require a non-alphanumeric character to be valid.
tenant.passwordValidationRules.requireNumber Boolean
Indicates that passwords require at least one number to be valid.
Example Response JSON
{
"passwordValidationRules": {
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true
}
}
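An added example, not FusionAuth code: pre-checking a candidate password in Python against the rules this endpoint returns, so a registration form can report which rules failed before the password is submitted. The character-class tests and the case-insensitive login Id comparison are assumptions about how the rules are evaluated; the server's decision stays authoritative, and rememberPreviousPasswords cannot be checked locally because the password history lives on the server.

```python
import json

# Constructed sample, in the shape of the Example Response JSON above.
SAMPLE_RESPONSE = json.loads("""
{
  "passwordValidationRules": {
    "maxLength": 256,
    "minLength": 8,
    "rememberPreviousPasswords": {"count": 2, "enabled": true},
    "requireMixedCase": true,
    "requireNonAlpha": true,
    "requireNumber": true
  }
}
""")


def extract_rules(response):
    """Accept the top-level shape of the example JSON and the tenant.* paths of the field list."""
    if "passwordValidationRules" in response:
        return response["passwordValidationRules"]
    return response.get("tenant", {}).get("passwordValidationRules", {})


def check_password(password, rules, login_id=None):
    """Return the names of the rules the candidate violates; an empty list passes locally."""
    failed = []
    min_len, max_len = rules.get("minLength"), rules.get("maxLength")
    if min_len is not None and len(password) < min_len:
        failed.append("minLength")
    if max_len is not None and len(password) > max_len:
        failed.append("maxLength")
    if rules.get("requireMixedCase"):
        has_upper = any(c.isupper() for c in password)
        has_lower = any(c.islower() for c in password)
        if not (has_upper and has_lower):
            failed.append("requireMixedCase")
    if rules.get("requireNonAlpha") and all(c.isalnum() for c in password):
        failed.append("requireNonAlpha")
    if rules.get("requireNumber") and not any(c.isdigit() for c in password):
        failed.append("requireNumber")
    # disallowUserLoginId is documented but absent from the example JSON, so it is optional here.
    # Case-insensitive matching is this example's assumption.
    if rules.get("disallowUserLoginId") and login_id and login_id.lower() in password.lower():
        failed.append("disallowUserLoginId")
    return failed


def server_only_rules(rules):
    """Rules that are enabled but can only be evaluated by the server."""
    remembered = rules.get("rememberPreviousPasswords", {})
    return ["rememberPreviousPasswords"] if remembered.get("enabled") else []


if __name__ == "__main__":
    rules = extract_rules(SAMPLE_RESPONSE)
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3x"):
        print(candidate, "->", check_password(candidate, rules) or "passes local checks")
    print("checked by the server only:", server_only_rules(rules))
```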