Tenant APIs

Overview

A FusionAuth Tenant is a named object that represents a discrete namespace for Users, Applications and Groups. A user is unique by email address or username within a tenant.

Tenants may be useful to support a multi-tenant application where you wish to use a single instance of FusionAuth but require the ability to have duplicate users across the tenants in your own application. In this scenario a user may exist multiple times with the same email address and different passwords across tenants.

Tenants may also be useful in a test or staging environment to allow multiple users to call APIs and create and modify users without possibility of collision.

The following APIs are provided to manage Tenants.

The following APIs provide a subset of the Tenant configuration without an API Key.

Create a Tenant

This API is used to create a new Tenant.

Request

Create a Tenant with a randomly generated Id

URI

POST/api/tenant

Create a Tenant with the provided unique Id

URI

POST/api/tenant/{tenantId}

Request Parameters

tenantId[UUID]optionalDefaults to secure random UUID

The Id to use for the new Tenant. If not specified a secure random UUID will be generated.

Request Body

tenant.accessControlConfiguration.uiIPAccessControlListId[UUID]optionalavailable since 1.30.0

The Id of the IP Access Control List limiting access to all applications in this tenant.

Note: An Enterprise plan is required to utilize .

tenant.captchaConfiguration.captchaMethod[String]optionalavailable since 1.30.0

The type of captcha method to use. This field is required when tenant.captchaConfiguration.enabled is set to true. The possible values are:

GoogleRecaptchaV2 - use Google reCAPTCHA v2
GoogleRecaptchaV3 - use Google reCAPTCHA v3
HCaptcha - use HCaptcha
HCaptchaEnterprise - use HCaptcha Enterprise - v25

Note: An Enterprise plan is required to utilize .

tenant.captchaConfiguration.enabled[Boolean]optionalDefaults to falseavailable since 1.30.0

Whether captcha configuration is enabled.

Note: An Enterprise plan is required to utilize .

tenant.captchaConfiguration.secretKey[String]optionalavailable since 1.30.0

The secret key for this captcha method. This field is required when tenant.captchaConfiguration.enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.captchaConfiguration.siteKey[String]optionalavailable since 1.30.0

The site key for this captcha method. This field is required when tenant.captchaConfiguration.enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.captchaConfiguration.threshold[Float]optionalavailable since 1.30.0

The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.

The value must be between 0.0 and 1.0. Values outside of that range will result in an error.

Note: An Enterprise plan is required to utilize .

tenant.connectorPolicies[Array]optionalavailable since 1.18.0

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

tenant.connectorPolicies[x].connectorId[UUID]optionalavailable since 1.18.0

The identifier of the Connector to which this policy refers.

tenant.connectorPolicies[x].domains[Array<String>]optionalavailable since 1.18.0

An list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

tenant.connectorPolicies[x].migrate[Boolean]optionalDefaults to falseavailable since 1.18.0

If true, the user’s data will be migrated to FusionAuth at first successful authentication; subsequent authentications will occur against the FusionAuth datastore. If false, the Connector’s source will be treated as authoritative.

Prior to version 1.28.0 this value was required.

tenant.data[Object]optional

An object that can hold any information about the Tenant that should be persisted.

tenant.emailConfiguration.additionalHeaders[Array<Object>]optionalavailable since 1.32.0

The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.

tenant.emailConfiguration.debug[Boolean]optionalDefaults to falseavailable since 1.37.0

Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.

tenant.emailConfiguration.defaultFromEmail[String]optionalavailable since 1.16.0

The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part email address (i.e. Jared Dunn jared@piedpiper.com).

tenant.emailConfiguration.defaultFromName[String]optionalavailable since 1.16.0

The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address ( i.e. Jared Dunn jared@piedpiper.com).

tenant.emailConfiguration.emailVerificationEmailTemplateId[UUID]optionalavailable since 1.19.0

The Id of the Email Template used to send emails to users to verify that their email address is valid.

tenant.emailConfiguration.emailUpdateEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when their email address is updated.

tenant.emailConfiguration.emailVerifiedEmailTemplateId[UUID]optionalavailable since 1.19.0

The Id of the Email Template used to notify a user that their email address has been verified.

tenant.emailConfiguration.forgotPasswordEmailTemplateId[UUID]optionalavailable since 1.19.0

The Id of the Email Template that is used when a user is sent a forgot password email.

tenant.emailConfiguration.host[String]optionalDefaults to localhostavailable since 1.8.0

The host name of the SMTP server that FusionAuth will use.

Prior to version 1.28.0 this value was required.

tenant.emailConfiguration.implicitEmailVerificationAllowedoptionalDefaults to trueavailable since 1.32.0

When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.

tenant.emailConfiguration.loginIdInUseOnCreateEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.

tenant.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.

tenant.emailConfiguration.loginNewDeviceEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when they log in on a new device.

tenant.emailConfiguration.loginSuspiciousEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when a suspicious login occurs.

tenant.emailConfiguration.password[String]optionalavailable since 1.8.0

An optional password FusionAuth will use to authenticate with the SMTP server.

tenant.emailConfiguration.passwordlessEmailTemplateId[UUID]optionalavailable since 1.19.0

The Id of the Passwordless Email Template, sent to users when they start a passwordless login.

tenant.emailConfiguration.passwordResetSuccessEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset.

tenant.emailConfiguration.passwordUpdateEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when their password has been updated.

tenant.emailConfiguration.port[Integer]optionalDefaults to 25available since 1.8.0

The port of the SMTP server that FusionAuth will use.

Prior to version 1.28.0 this value was required.

tenant.emailConfiguration.properties[String]optionalavailable since 1.8.0

Additional Email Configuration in a properties file formatted String.

tenant.emailConfiguration.security[String]optionalDefaults to NONEavailable since 1.8.0

The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:

NONE - no security will be used. All communications will be sent plaintext.
SSL - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.
TLS - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.

tenant.emailConfiguration.setPasswordEmailTemplateId[UUID]optionalavailable since 1.19.0

The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.

tenant.emailConfiguration.twoFactorMethodAddEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when a MFA method has been added to their account.

tenant.emailConfiguration.twoFactorMethodRemoveEmailTemplateId[UUID]optionalavailable since 1.30.0

The Id of the Email Template used to send emails to users when a MFA method has been removed from their account.

tenant.emailConfiguration.unverified.allowEmailChangeWhenGated[Boolean]optionalDefaults to falseavailable since 1.27.0

When this value is set to true, the user is allowed to change their email address when they are gated because they haven’t verified their email address.

tenant.emailConfiguration.unverified.behavior[String]optionalDefaults to Allowavailable since 1.27.0

The desired behavior during login for a user that does not have a verified email. The possible values are:

Allow - the user will be allowed to complete login.
Gated - verification is required before a user can complete login. The use of this value will require a paid edition of FusionAuth.

tenant.emailConfiguration.username[String]optionalavailable since 1.8.0

An optional username FusionAuth will to authenticate with the SMTP server.

tenant.emailConfiguration.verificationEmailTemplateId[UUID]optional

The Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail or verifyEmailWhenChanged fields are true, this field is required.

tenant.emailConfiguration.verificationStrategy[String]optionalavailable since 1.27.0

The process by which the user will verify their email address. The possible values are:

ClickableLink - send the user a code with a clickable link.
FormField - send the user a short code intended to be manually entered into a form field. This is only available when tenant.emailConfiguration.unverified.behavior has the Gated value.

tenant.emailConfiguration.verifyEmail[Boolean]optionalDefaults to false

Whether the user’s email addresses are verified when the registers with your application.

tenant.emailConfiguration.verifyEmailWhenChanged[Boolean]optionalDefaults to false

Whether the user’s email addresses are verified when the user changes them.

tenant.eventConfiguration.events[Object]optionalavailable since 1.8.0

A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:

audit-log.createWhen an audit log is createdavailable since Available since 1.30.0
event-log.createWhen an event log is created available since Available since 1.30.0
jwt.public-key.updateWhen a JWT RSA Public / Private keypair may have been changed
jwt.refreshWhen an access token is refreshed using a refresh token available since Available since 1.16.0
jwt.refresh-token.revokeWhen a JWT Refresh Token is revoked
kickstart.successWhen kickstart has successfully completed available since Available since 1.30.0
user.actionWhen a user action is triggered
user.bulk.createWhen multiple users are created in bulk (i.e. during an import)
user.createWhen a user is created
user.create.completeWhen a user create transaction has completed available since Available since 1.30.0
user.deactivateWhen a user is deactivated
user.deleteWhen a user is deleted
user.delete.completeWhen a user delete transaction has completed available since Available since 1.30.0
user.email.updateWhen a user updates their email address available since Available since 1.30.0
user.email.verifiedWhen a user verifies their email address available since Available since 1.8.0
user.identity-provider.linkWhen a link is created from a user to an Identity Provider available since Available since 1.36.0
user.identity-provider.unlinkWhen an existing Identity Provider link is removed from a User available since Available since 1.36.0
user.loginId.duplicate.createWhen a request to create a user with a login Id (email or username) which is already in use has been received available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.loginId.duplicate.create event .
user.loginId.duplicate.updateWhen a request to update a user and change their login Id (email or username) to one that is already in use has been received available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.loginId.duplicate.update event .
user.login.failedWhen a user fails a login request available since Available since 1.6.0
user.login.new-deviceWhen a user begins a login request with a new device available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.login.new-device event .
user.login.successWhen a user completes a login request available since Available since 1.6.0
user.login.suspiciousWhen a user logs in and is considered to be a potential threat (requires an activated Enterprise license) available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.login.suspicious event .
user.password.breachWhen Reactor detects a user is using a potentially breached password (requires an activated license) available since Available since 1.15.0
Note: A paid plan is required to utilize the user.password.breach event .
user.password.reset.sendWhen a forgot password email has been sent to a user available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.password.reset.send event.
user.password.reset.startWhen the process to reset a user password has started available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.password.reset.start event.
user.password.reset.success When a user has successfully reset their password available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.password.reset.success event.
user.password.updateWhen a user has updated their password available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.password.update event.
user.reactivateWhen a user is reactivated
user.registration.createWhen a user registration is created available since Available since 1.6.0
user.registration.create.completeWhen a user registration create transaction has completed available since Available since 1.30.0
user.registration.deleteWhen a user registration is deleted available since Available since 1.6.0
user.registration.delete.completeWhen a user registration delete transaction has completed available since Available since 1.30.0
user.registration.updateWhen a user registration is updated available since Available since 1.6.0
user.registration.update.complete When a user registration update transaction has completed available since Available since 1.30.0
user.registration.verifiedWhen a user completes registration verification available since Available since 1.8.0
user.two-factor.method.addWhen a user has added a two-factor method available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.two-factor.method.add event.
user.two-factor.method.removeWhen a user has removed a two-factor method available since Available since 1.30.0
Note: An Enterprise plan is required to utilize the user.two-factor.method.remove event.
user.updateWhen a user is updated
user.update.completeWhen a user update transaction has completed available since Available since 1.30.0

tenant.eventConfiguration.events[type].enabled[Boolean]optionalDefaults to falseavailable since 1.8.0

Whether or not FusionAuth should send these types of events to any configured Webhooks.

tenant.eventConfiguration.events[type].transactionType[String]optionalDefaults to Noneavailable since 1.8.0

The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:

None - No Webhooks are required to succeed for the FusionAuth transaction to be committed.
Any - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed.
SimpleMajority - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
SuperMajority - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed.
AbsoluteMajority - Every Webhook must succeed for the FusionAuth transaction to be committed.

Prior to version 1.36.0, this value did not have a default. This meant at runtime the when the transaction type was calculated, it would be assumed to be AbsoluteMajority even though this value was not set in the domain.

tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds[Integer]optionalDefaults to 30available since 1.8.0

The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.

Value must be greater than 0 and less than or equal to 600.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length[Integer]optionalDefaults to 32available since 1.8.0

The length of the secure generator used for generating the change password Id.

If the changePasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12. If the changePasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12. If the changePasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128. If the changePasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type[String]optionalDefaults to randomBytesavailable since 1.8.0

The type of the secure generator used for generating the change password Id. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds[Integer]optionalDefaults to 600available since 1.8.0

The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.deviceCodeTimeToLiveInSeconds[Integer]optionalDefaults to 300available since 1.11.0

The time in seconds until a device code Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.length[Integer]optionalDefaults to 6available since 1.11.0

The length of the secure generator used for generating the device code Id.

If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12. If the deviceCodeTimeToLiveInSeconds.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12. If the deviceCodeTimeToLiveInSeconds.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128. If the deviceCodeTimeToLiveInSeconds.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.deviceUserCodeIdGenerator.type[String]optionalDefaults to randomAlphaNumericavailable since 1.11.0

The type of the secure generator used for generating the device code Id. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length[Integer]optionalDefaults to 32available since 1.8.0

The length of the secure generator used for generating the the email verification Id.

If the emailVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12. If the emailVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12. If the emailVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128. If the emailVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type[String]optionalDefaults to randomBytesavailable since 1.8.0

The type of the secure generator used for generating the email verification Id. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds[Integer]optionalavailable since 1.8.0

The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.length[Integer]optionalDefaults to 6available since 1.27.0

The length of the secure generator used for generating the email verification one time code.

tenant.externalIdentifierConfiguration.emailVerificationOneTimeCodeGenerator.type[String]optionalDefaults to randomAlphaNumericavailable since 1.27.0

The type of the secure generator used for generating the email verification one time code. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

tenant.externalIdentifierConfiguration.externalAuthenticationIdTimeToLiveInSeconds[Integer]optionalDefaults to 300available since 1.12.0

The time in seconds until an external authentication Id is no longer valid and cannot be used by the Token API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds[Integer]optionalDefaults to 60available since 1.8.0

The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length[Integer]optionalDefaults to 32available since 1.8.0

The length of the secure generator used for generating the passwordless login.

If the passwordlessLoginGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12. If the passwordlessLoginGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12. If the passwordlessLoginGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128. If the passwordlessLoginGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type[String]optionalDefaults to randomBytesavailable since 1.8.0

The type of the secure generator used for generating the passwordless login. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds[Integer]optionalDefaults to 180available since 1.8.0

The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.pendingAccountLinkTimeToLiveInSeconds[Integer]optionalDefaults to 3600available since 1.28.0

The number of seconds before the pending account link identifier is no longer valid to complete an account link request. Value must be greater than 0.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length[Integer]optionalDefaults to 32available since 1.8.0

The length of the secure generator used for generating the registration verification Id.

If the registrationVerificationIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12. If the registrationVerificationIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12. If the registrationVerificationIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128. If the registrationVerificationIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type[String]optionalDefaults to randomBytesavailable since 1.8.0

The type of the secure generator used for generating the registration verification Id. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds[Integer]optionalavailable since 1.8.0

The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.length[Integer]optionalDefaults to 6available since 1.27.0

The length of the secure generator used for generating the registration verification one time code.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.registrationVerificationOneTimeCodeGenerator.type[String]optionalDefaults to randomAlphaNumericavailable since 1.27.0

The type of the secure generator used for generating the registration verification one time code. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.samlv2AuthNRequestIdTimeToLiveInSeconds[Integer]optionalDefaults to 300available since 1.19.0

The time in seconds that a SAML AuthN request Id returned by the Start SAML v2 Login Request API will be eligible to be used to complete a SAML v2 Login request.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length[Integer]optionalDefaults to 32available since 1.8.0

The length of the secure generator used for generating the setup password Id.

If the setupPasswordIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12. If the setupPasswordIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12. If the setupPasswordIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128. If the setupPasswordIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type[String]optionalDefaults to randomBytesavailable since 1.8.0

The type of the secure generator used for generating the setup password Id. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds[Integer]optionalavailable since 1.8.0

The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.trustTokenTimeToLiveInSeconds[Integer]optionalDefaults to 180available since 1.33.0

The number of seconds before the Trust Token is no longer valid to complete a request that requires trust. Value must be greater than 0.

tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds[Integer]optionalDefaults to 300available since 1.8.0

The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.length[Integer]optionalDefaults to 6available since 1.27.0

The length of the secure generator used for generating the the two factor code Id.

If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlpha then the length must be greater or equal to 4 and less than or equal to 12. If the twoFactorOneTimeCodeIdGenerator.type is equal to randomAlphaNumeric then the length must be greater or equal to 4 and less than or equal to 12. If the twoFactorOneTimeCodeIdGenerator.type is equal to randomBytes then the length must be greater or equal to 16 and less than or equal to 128. If the twoFactorOneTimeCodeIdGenerator.type is equal to randomDigits then the length must be greater or equal to 4 and less than or equal to 12.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.type[String]optionalDefaults to randomDigitsavailable since 1.27.0

The type of the secure generator used for generating the two factor one time code Id. Possible values are:

randomAlpha
randomAlphaNumeric
randomBytes
randomDigits

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdTimeToLiveInSeconds[Integer]optionalDefaults to 60available since 1.26.0

The number of seconds before the Two-Factor One Time Code used to enable or disable a two-factor method is no longer valid. Must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds[Integer]optionalavailable since 1.8.0

The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.externalIdentifierConfiguration.webAuthnAuthenticationChallengeTimeToLiveInSeconds[Integer]optionalDefaults to 180available since 1.41.0

The time in seconds until a WebAuthn authentication challenge is no longer valid and the User will be required to restart the WebAuthn authentication ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.get API call. Value must be greater than 0.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.externalIdentifierConfiguration.webAuthnRegistrationChallengeTimeToLiveInSeconds[Integer]optionalDefaults to 180available since 1.41.0

The time in seconds until a WebAuthn registration challenge is no longer valid and the User will be required to restart the WebAuthn registration ceremony by creating a new challenge. This value also controls the timeout for the client-side WebAuthn navigator.credentials.create API call. Value must be greater than 0.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.failedAuthenticationConfiguration.actionCancelPolicy.onPasswordReset[Boolean]optionalDefaults to falseavailable since 1.42.0

Indicates whether you want the user to be able to self-service unlock their account prior to the action duration by completing a password reset workflow.

tenant.failedAuthenticationConfiguration.actionDuration[Long]optionalDefaults to 3available since 1.8.0

The duration of the User Action. This value along with the actionDurationUnit will be used to set the duration of the User Action. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.actionDurationUnit[String]optionalavailable since 1.8.0

The unit of time associated with a duration. The possible values are:

MINUTES
HOURS
DAYS
WEEKS
MONTHS
YEARS

tenant.failedAuthenticationConfiguration.emailUser[String]optionalDefaults to falseavailable since 1.42.0

Indicates you would like to email the user when the user’s account is locked due to this action being taken. This requires the User Action specified by the tenant.failedAuthenticationConfiguration.userActionId to also be configured for email. If the User Action is not configured to be able to email the user, this configuration will be ignored. See userEmailingEnabled on the User Action.

The email template configuration will be in the User Action.

tenant.failedAuthenticationConfiguration.resetCountInSeconds[Integer]optionalDefaults to 60available since 1.8.0

The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.

For example, if tooManyAttempts is set to 5 and you fail to authenticate 4 times in a row, waiting for the duration specified here will cause your fifth attempt to start back at 1.

tenant.failedAuthenticationConfiguration.tooManyAttempts[Integer]optionalDefaults to 5available since 1.8.0

The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0.

tenant.failedAuthenticationConfiguration.userActionId[UUID]optionalavailable since 1.8.0

The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.

tenant.familyConfiguration.allowChildRegistrations[Boolean]optionalDefaults to trueavailable since 1.8.0

Whether to allow child registrations.

tenant.familyConfiguration.confirmChildEmailTemplateId[UUID]optionalavailable since 1.8.0

The unique Id of the email template to use when confirming a child.

tenant.familyConfiguration.deleteOrphanedAccounts[Boolean]optionalDefaults to falseavailable since 1.8.0

Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days.

tenant.familyConfiguration.deleteOrphanedAccountsDays[Integer]optionalDefaults to 30available since 1.8.0

The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0.

tenant.familyConfiguration.enabled[Boolean]optionalDefaults to falseavailable since 1.8.0

Whether family configuration is enabled.

tenant.familyConfiguration.familyRequestEmailTemplateId[UUID]optionalavailable since 1.8.0

The unique Id of the email template to use when a family request is made.

tenant.familyConfiguration.maximumChildAge[Integer]optionalDefaults to 12available since 1.8.0

The maximum age of a child. Value must be greater than 0.

tenant.familyConfiguration.minimumOwnerAge[Integer]optionalDefaults to 21available since 1.8.0

The minimum age to be an owner. Value must be greater than 0.

tenant.familyConfiguration.parentEmailRequired[Boolean]optionalDefaults to falseavailable since 1.8.0

Whether a parent email is required.

tenant.familyConfiguration.parentRegistrationEmailTemplateId[UUID]optionalavailable since 1.8.0

The unique Id of the email template to use for parent registration.

tenant.formConfiguration.adminUserFormId[UUID]optionalavailable since 1.20.0

The unique Id of the form to use for the Add and Edit User form when used in the FusionAuth admin UI.

When this parameter is not provided, it will default to the form Id currently assigned to the Default tenant.

Note: A paid plan is required to utilize .

tenant.httpSessionMaxInactiveInterval[Integer]optionalDefaults to 3600available since 1.8.0

Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend.

tenant.issuer[String]optionalavailable since 1.8.0

The named issuer used to sign tokens, this is generally your public fully qualified domain.

Prior to version 1.30.0 this value was required.

tenant.jwtConfiguration.accessTokenKeyId[UUID]optionalDefaults to key value of the FusionAuth applicationavailable since 1.8.0

The unique id of the signing key used to sign the access token.

Prior to version 1.30.0 this value was required.

tenant.jwtConfiguration.idTokenKeyId[UUID]optionalDefaults to key value of the FusionAuth applicationavailable since 1.8.0

The unique id of the signing key used to sign the Id token.

Prior to version 1.30.0 this value was required.

tenant.jwtConfiguration.refreshTokenExpirationPolicy[String]optionalDefaults to Fixedavailable since 1.17.0

The Refresh Token expiration policy.

The possible values are:

Fixed - the expiration is calculated from the time the token is issued.
SlidingWindow - the expiration is calculated from the last time the token was used.
SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. [since]#Available since 1.46.0#

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onLoginPrevented[Boolean]optionalDefaults to trueavailable since 1.17.0

When enabled, all refresh tokens will be revoked when a user action, such as locking an account based on a number of failed login attempts, prevents user login.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onMultiFactorEnable[Boolean]optionalDefaults to falseavailable since 1.42.0

When enabled, all refresh tokens will be revoked when a user enables multi-factor authentication for the first time. This policy will not be applied when adding subsequent multi-factor methods to the user.

tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged[Boolean]optionalDefaults to trueavailable since 1.17.0

When enabled, all refresh tokens will be revoked when a user changes their password.

tenant.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes[Integer]optionalavailable since 1.46.0

The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime. Value must be greater than 0.

When refreshTokenExpirationPolicy is set to SlidingWindowWithMaximumLifetime, this value must be greater than or equal to refreshTokenTimeToLiveInMinutes.

tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes[Integer]optionalavailable since 1.8.0

The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.jwtConfiguration.refreshTokenUsagePolicy[String]optionalDefaults to Reusableavailable since 1.17.0

The refresh token usage policy. The following are valid values:

Reusable - the token does not change after it was issued.
OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.

Prior to version 1.28.0 this value was required.

tenant.jwtConfiguration.timeToLiveInSeconds[Integer]optionalavailable since 1.8.0

The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0.

Prior to version 1.28.0 this value was required.

tenant.lambdaConfiguration.scimEnterpriseUserRequestConverterId[UUID]optionalavailable since 1.36.0

The Id of a SCIM User Request Lambda that will be used to convert the SCIM Enterprise User request to a FusionAuth User.

Note: An Enterprise plan is required to utilize .

Required when tenant.scimServerConfiguration.enabled is true.

tenant.lambdaConfiguration.scimEnterpriseUserResponseConverterId[UUID]optionalavailable since 1.36.0

The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth Enterprise User to a SCIM Server response.

Note: An Enterprise plan is required to utilize .

Required when tenant.scimServerConfiguration.enabled is true.

tenant.lambdaConfiguration.scimGroupRequestConverterId[UUID]optionalavailable since 1.36.0

The Id of a SCIM Group Request Lambda that will be used to convert the SCIM Group request to a FusionAuth Group.

Note: An Enterprise plan is required to utilize .

Required when tenant.scimServerConfiguration.enabled is true.

tenant.lambdaConfiguration.scimGroupResponseConverterId[UUID]optionalavailable since 1.36.0

The Id of a SCIM Group Response Lambda that will be used to convert a FusionAuth Group to a SCIM Server response.

Note: An Enterprise plan is required to utilize .

Required when tenant.scimServerConfiguration.enabled is true.

tenant.lambdaConfiguration.scimUserRequestConverterId[UUID]optionalavailable since 1.36.0

The Id of a SCIM User Request Lambda that will be used to convert the SCIM User request to a FusionAuth User.

Note: An Enterprise plan is required to utilize .

Required when tenant.scimServerConfiguration.enabled is true.

tenant.lambdaConfiguration.scimUserResponseConverterId[UUID]optionalavailable since 1.36.0

The Id of a SCIM User Response Lambda that will be used to convert a FusionAuth User to a SCIM Server response.

Note: An Enterprise plan is required to utilize .

Required when tenant.scimServerConfiguration.enabled is true.

tenant.logoutURL[String]optionalavailable since 1.8.0

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

tenant.loginConfiguration.requireAuthentication[Boolean]optionalDefaults to trueavailable since 1.26.0

Indicates whether to require an API key for the Login API when an applicationId is not provided. When an applicationId is provided to the Login API call, the application configuration will take precedence.

In almost all cases, you will want to this to be true.

tenant.logoutURL[String]optionalavailable since 1.8.0

The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.

tenant.maximumPasswordAge.days[Integer]optionalDefaults to 180available since 1.8.0

The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when tenant.maximumPasswordAge.enabled is set to true.

tenant.maximumPasswordAge.enabled[Boolean]optionalDefaults to falseavailable since 1.8.0

Indicates that the maximum password age is enabled and being enforced.

tenant.minimumPasswordAge.seconds[Integer]optionalDefaults to 30available since 1.8.0

The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when tenant.minimumPasswordAge.enabled is set to true.

tenant.minimumPasswordAge.enabled[Boolean]optionalDefaults to falseavailable since 1.8.0

Indicates that the minimum password age is enabled and being enforced.

tenant.multiFactorConfiguration.authenticator.enabled[Boolean]optionalDefaults to trueavailable since 1.26.0

When enabled, users may utilize an authenticator application to complete a multi-factor authentication request. This method uses TOTP (Time-Based One-Time Password) as defined in RFC 6238 and often uses an native mobile app such as Google Authenticator.

tenant.multiFactorConfiguration.email.enabled[Boolean]optionalDefaults to falseavailable since 1.26.0

When enabled, users may utilize an email address to complete a multi-factor authentication request.

tenant.multiFactorConfiguration.email.templateId[UUID]optionalavailable since 1.26.0

The Id of the email template that is used when notifying a user to complete a multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.email.enabled is set to true.

tenant.multiFactorConfiguration.loginPolicy[String]optionalavailable since 1.37.0

When set to Enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When set to Disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When set to Required, a two-factor challenge will be required during login. If a user has not configured any two-factor methods, they will not be able to log in.

This value may be overridden by the value configured by the application.multiFactorConfiguration.loginPolicy.

Supported values include:

Enabled - Require a two-factor challenge during login when an eligible method is available.
Disabled - Do not require a two-factor challenge during login.
Required - Require a two-factor challenge during login. A user will be required to configure 2FA if no eligible methods are available. [since]#Available since 1.42.0#

tenant.multiFactorConfiguration.sms.enabled[Boolean]optionalDefaults to falseavailable since 1.26.0

When enabled, users may utilize a mobile phone number to complete a multi-factor authentication request.

tenant.multiFactorConfiguration.sms.messengerId[UUID]optionalavailable since 1.26.0

The messenger that is used to deliver a SMS multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.sms.enabled is set to true.

tenant.multiFactorConfiguration.sms.templateId[UUID]optionalavailable since 1.26.0

The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request. This field is required when tenant.multiFactorConfiguration.sms.enabled is set to true.

tenant.name[String]required

The unique name of the Tenant.

tenant.oauthConfiguration.clientCredentialsAccessTokenPopulateLambdaId[UUID]optionalavailable since 1.26.0

The Id of a lambda that will be called to populate the JWT during a client credentials grant.

Note: A paid plan is required to utilize .

tenant.passwordEncryptionConfiguration.encryptionScheme[String]optionalavailable since 1.8.0

The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

salted-md5
salted-sha256
salted-hmac-sha256
salted-pbkdf2-hmac-sha256
salted-pbkdf2-hmac-sha256-512available since 1.34.0
salted-pbkdf2-hmac-sha512-512available since 1.43.0
bcrypt`
phpass-md5available since 1.45.0
phpass-sha512available since 1.45.0

tenant.passwordEncryptionConfiguration.encryptionSchemeFactor[Integer]optionalDefaults to 24000available since 1.8.0

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin[Boolean]optionalDefaults to falseavailable since 1.8.0

When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.

Beginning in version 1.42.0 when this configuration is enabled, in addition to re-hashing on login, the password will be re-hashed on password change as well.

tenant.passwordValidationRules.breachDetection.enabled[Boolean]optionalDefaults to falseavailable since 1.15.0

Whether to enable Reactor breach detection. Requires an activated license.

tenant.passwordValidationRules.breachDetection.matchMode[String]optionalavailable since 1.15.0

The level of severity where Reactor will consider a breach. The following are valid values:

High Only requires a password match, this is the most secure and is recommended
Medium Exact match on username, email address or email sub-address
Low Exact match on an email or username, or the password is a common breached value

tenant.passwordValidationRules.breachDetection.notifyUserEmailTemplateId[UUID]optionalavailable since 1.15.0

The Id of the email template to use when notifying user of breached password. Required if tenant.passwordValidationRules.breachDetection.onLogin is set to NotifyUser.

tenant.passwordValidationRules.breachDetection.onLogin[String]optionalavailable since 1.15.0

The behavior when detecting breaches at time of user login. The following are valid values:

Off Do not perform breach detection at login
RecordOnly Only record the result, take no action
NotifyUser Notify the end user via email
RequireChange Require immediate password change

tenant.passwordValidationRules.maxLength[Integer]optionalDefaults to 256available since 1.8.0

The maximum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.minLength[Integer]optionalDefaults to 8available since 1.8.0

The minimum length of a password when a new user is created or a user requests a password change.

tenant.passwordValidationRules.rememberPreviousPasswords.count[Integer]optionalavailable since 1.8.0

The number of previous passwords to remember. Value must be greater than 0.

tenant.passwordValidationRules.rememberPreviousPasswords.enabled[Boolean]optionalDefaults to falseavailable since 1.8.0

Whether to prevent a user from using any of their previous passwords.

tenant.passwordValidationRules.requireMixedCase[Boolean]optionalDefaults to falseavailable since 1.8.0

Whether to force the user to use at least one uppercase and one lowercase character.

tenant.passwordValidationRules.requireNonAlpha[Boolean]optionalDefaults to falseavailable since 1.8.0

Whether to force the user to use at least one non-alphanumeric character.

tenant.passwordValidationRules.requireNumber[Boolean]optionalDefaults to falseavailable since 1.8.0

Whether to force the user to use at least one number.

tenant.passwordValidationRules.validateOnLogin[Boolean]optionalDefaults to falseavailable since 1.15.0

When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password.

tenant.rateLimitConfiguration.failedLogin.enabled[Boolean]optionalDefaults to falseavailable since 1.30.0

Whether rate limiting is enabled for failed login.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.failedLogin.limit[Integer]optionalDefaults to 5available since 1.30.0

The number of times a user can fail to login within the configured timePeriodInSeconds duration. If a Failed authentication action has been configured then it will take precedence.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.failedLogin.timePeriodInSeconds[Integer]optionalDefaults to 60available since 1.30.0

The duration for the number of times a user can fail login before being rate limited.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.forgotPassword.enabled[Boolean]optionalDefaults to falseavailable since 1.30.0

Whether rate limiting is enabled for forgot password.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.forgotPassword.limit[Integer]optionalDefaults to 5available since 1.30.0

The number of times a user can request a forgot password email within the configured timePeriodInSeconds duration.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.forgotPassword.timePeriodInSeconds[Integer]optionalDefaults to 60available since 1.30.0

The duration for the number of times a user can request a forgot password email before being rate limited.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendEmailVerification.enabled[Boolean]optionalDefaults to falseavailable since 1.30.0

Whether rate limiting is enabled for send email verification.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendEmailVerification.limit[Integer]optionalDefaults to 5available since 1.30.0

The number of times a user can request a verification email within the configured timePeriodInSeconds duration.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendEmailVerification.timePeriodInSeconds[Integer]optionalDefaults to 60available since 1.30.0

The duration for the number of times a user can request a verification email before being rate limited.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendPasswordless.enabled[Boolean]optionalDefaults to falseavailable since 1.30.0

Whether rate limiting is enabled for send passwordless.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendPasswordless.limit[Integer]optionalDefaults to 5available since 1.30.0

The number of times a user can request a passwordless login email within the configured timePeriodInSeconds duration.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendPasswordless.timePeriodInSeconds[Integer]optionalDefaults to 60available since 1.30.0

The duration for the number of times a user can request a passwordless login email before being rate limited.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendRegistrationVerification.enabled[Boolean]optionalDefaults to falseavailable since 1.30.0

Whether rate limiting is enabled for send registration verification.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendRegistrationVerification.limit[Integer]optionalDefaults to 5available since 1.30.0

The number of times a user can request a registration verification email within the configured timePeriodInSeconds duration.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendRegistrationVerification.timePeriodInSeconds[Integer]optionalDefaults to 60available since 1.30.0

The duration for the number of times a user can request a registration verification email before being rate limited.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendTwoFactor.enabled[Boolean]optionalDefaults to falseavailable since 1.30.0

Whether rate limiting is enabled for send two factor.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendTwoFactor.limit[Integer]optionalDefaults to 5available since 1.30.0

The number of times a user can request a two-factor code by email or SMS within the configured timePeriodInSeconds duration.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.rateLimitConfiguration.sendTwoFactor.timePeriodInSeconds[Integer]optionalDefaults to 60available since 1.30.0

The duration for the number of times a user can request a two-factor code by email or SMS before being rate limited.

Required when enabled is set to true.

Note: An Enterprise plan is required to utilize .

tenant.registrationConfiguration.blockedDomains[Array<String>]optionalavailable since 1.30.0

A list of unique domains that are not allowed to register when self service is enabled.

Note: An Enterprise plan is required to utilize .

tenant.scimServerConfiguration.clientEntityTypeId[UUID]optionalavailable since 1.36.0

The Entity Type that will be used to represent SCIM Clients for this tenant.

Note: An Enterprise plan is required to utilize .

Required when tenant.scimServerConfiguration.enabled is true.

tenant.scimServerConfiguration.enabled[Boolean]optionalavailable since 1.36.0

Whether or not this tenant has the SCIM endpoints enabled.

Note: An Enterprise plan is required to utilize .

tenant.scimServerConfiguration.schemas[Map]optionalavailable since 1.36.0

JSON formatted as a SCIM Schemas endpoint response. Because the SCIM lambdas may modify the JSON response, ensure the Schema’s response matches that generated by the response lambdas. More about Schema definitions.

When this parameter is not provided, it will default to EnterpriseUser, Group, and User schema definitions as defined by the SCIM core schemas spec.

Note: An Enterprise plan is required to utilize .

tenant.scimServerConfiguration.serverEntityTypeId[UUID]optionalavailable since 1.36.0

The Entity Type that will be used to represent SCIM Servers for this tenant.

Note: An Enterprise plan is required to utilize .

Required when tenant.scimServerConfiguration.enabled is true.

tenant.ssoConfiguration.deviceTrustTimeToLiveInSeconds[Integer]optionalavailable since 1.30.2

The number of seconds before a trusted device is reset. When reset, a user is forced to complete captcha during login and complete two factor authentication if applicable.

tenant.themeId[UUID]optionalavailable since 1.8.0

The unique Id of the theme to be used to style the login page and other end user templates.

Prior to version 1.30.0 this value was required.

tenant.userDeletePolicy.unverified.enabled[Boolean]optionalDefaults to falseavailable since 1.13.0

Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days.

tenant.userDeletePolicy.unverified.numberOfDaysToRetain[Integer]optionalavailable since 1.13.0

The number of days from creation users will be retained before being deleted for not completing email verification. This field is required when tenant.userDeletePolicy.unverified.enabled is set to true. Value must be greater than 0.

tenant.usernameConfiguration.unique.enabled[Boolean]optionalDefaults to falseavailable since 1.27.0

When true, FusionAuth will handle username collisions by generating a random suffix.

Note: A paid plan is required to utilize .

tenant.usernameConfiguration.unique.numberOfDigits[Integer]optionalDefaults to 5available since 1.27.0

The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and will be 1 or more digits up to this configured value in length. For example, if this value is 5, the suffix will be a number between 00001 and 99999, inclusive. The value of this field must be greater than or equal to 3 and less than or equal to 10.

tenant.usernameConfiguration.unique.separator[String]optionalavailable since 1.27.0

A single character to use as a separator from the requested username and a unique suffix that is added when a duplicate username is detected. This value can be a single non-alphanumeric ASCII character.

tenant.usernameConfiguration.unique.strategy[String]optionalDefaults to OnCollisionavailable since 1.29.0

This strategy instructions FusionAuth when to append a unique suffix to the username. The possible values are:

Always - Always append a unique suffix even when the requested username is not in use.
OnCollision - Only append a unique suffix when the requested username is in use.

tenant.webAuthnConfiguration.bootstrapWorkflow.authenticatorAttachmentPreference[String]optionalDefaults to crossPlatformavailable since 1.41.0

Determines the authenticator attachment requirement for WebAuthn passkey registration when using the bootstrap workflow. The possible values are:

any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as “roaming” authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.

The recommended value for the bootstrap workflow is any.

Note: An Essentials or Enterprise plan is required to utilize .Note: An Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.bootstrapWorkflow.enabled[Boolean]optionalDefaults to falseavailable since 1.41.0

Whether or not this tenant has the WebAuthn bootstrap workflow enabled. The bootstrap workflow is used when the user must “bootstrap” the authentication process by identifying themselves prior to the WebAuthn ceremony and can be used to authenticate from a new device using WebAuthn.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.bootstrapWorkflow.userVerificationRequirement[String]optionalDefaults to requiredavailable since 1.41.0

Determines the user verification requirement for WebAuthn passkey registration and authentication when using the bootstrap workflow. The possible values are:

discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.

It is highly recommended to use the required option for the bootstrap workflow.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.debug[Boolean]optionalDefaults to falseavailable since 1.41.0

Determines if debug should be enabled for this tenant to create an event log to assist in debugging WebAuthn errors.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.enabled[Boolean]optionalDefaults to falseavailable since 1.41.0

Whether or not this tenant has WebAuthn enabled globally.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.reauthenticationWorkflow.authenticatorAttachmentPreference[String]optionalDefaults to crossPlatformavailable since 1.41.0

Determines the authenticator attachment requirement for WebAuthn passkey registration when using the reauthentication workflow. The possible values are:

any - An authenticator with any attachment modality will be allowed during registration.
crossPlatform - Only authenticators with the cross-platform attachment modality will be allowed during registration. These are also referred to as “roaming” authenticators.
platform - Only authenticators with the platform attachment modality will be allowed during registration.

The recommended value for the reauthentication workflow is platform.

Note: A paid plan is required to utilize .Note: An Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.reauthenticationWorkflow.enabled[Boolean]optionalDefaults to falseavailable since 1.41.0

Whether or not this tenant has the WebAuthn reauthentication workflow enabled. The reauthentication workflow will automatically prompt a user to authenticate using WebAuthn for repeated logins from the same device.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.reauthenticationWorkflow.userVerificationRequirement[String]optionalDefaults to requiredavailable since 1.41.0

Determines the user verification requirement for WebAuthn passkey registration and authentication when using the reauthentication workflow. The possible values are:

discouraged - If possible, do not require user verification during registration and authentication.
preferred - Prefer authenticators that support user verification during registration and authentication but allow others.
required - Only authenticators that support user verification will be allowed.

It is highly recommended to use the required option for the reauthentication workflow.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.relyingPartyId[String]optionalavailable since 1.41.0

The value this tenant will use for the Relying Party Id in WebAuthn ceremonies. Passkeys can only be used to authenticate on sites using the same Relying Party Id they were registered with. This value must match the browser origin or be a registrable domain suffix of the browser origin. For example, if your domain is auth.piedpiper.com, you could use auth.piedpiper.com or piedpiper.com but not m.auth.piedpiper.com or com.

When this parameter is omitted, FusionAuth will use null for the Relying Party Id in passkey creation and request options. A null value in the WebAuthn JavaScript API will use the browser origin.

Note: An Essentials or Enterprise plan is required to utilize .

tenant.webAuthnConfiguration.relyingPartyName[String]optionalavailable since 1.41.0

The value this tenant will use for the Relying Party name in WebAuthn ceremonies. This value may be displayed by browser or operating system dialogs during WebAuthn ceremonies.

When this parameter is omitted, FusionAuth will use the tenant.issuer value.

Note: An Essentials or Enterprise plan is required to utilize .

webhookIds[Array<UUID>]optionalavailable since 1.37.0

An array of Webhook Ids. For Webhooks that are not already configured for All Tenants, specifying an Id on this request will indicate the associated Webhook should handle events for this tenant.

Example Request JSON

{
  "tenant": {
    "accessControlConfiguration": {
      "uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
    },
    "captchaConfiguration": {
      "captchaMethod": "GoogleRecaptchaV3",
      "enabled": true,
      "secretKey": "6LdYWpMbAAAAAKhcksgk70us00012r66r96tt7rp",
      "siteKey": "6LdYWpMbAAAAAKhcksgk75tz00022r66ombcfadr",
      "threshold": 0.5
    },
    "connectorPolicies": [
      {
        "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
        "domains": [
          "*"
        ],
        "migrate": false
      },
      {
        "connectorId": "27f22280-7e55-4d1c-b9f8-239bf9cc1a5e",
        "domains": [
          "*"
        ],
        "migrate": true
      }
    ],
    "data": {
      "description": "No more secrets, Marty."
    },
    "emailConfiguration": {
      "additionalHeaders": [
        {
          "name": "X-SES-CONFIGURATION-SET",
          "value": "example_configuration_set_name"
        }
      ],
      "defaultFromEmail": "jared@piedpiper.com",
      "defaultFromName": "Jared Dunn",
      "emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
      "emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "implicitEmailVerificationAllowed": true,
      "loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
      "loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
      "loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
      "loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
      "password": "password",
      "passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
      "passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
      "passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
      "port": 587,
      "properties": {
        "key": "value"
      },
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
      "twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d",
      "unverified": {
        "allowEmailChangeWhenGated": false,
        "behavior": "Allow"
      },
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
      "verificationStrategy": "FormField",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "events": {
        "user.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.deactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.bulk.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.reactivate": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.refresh-token.revoke": {
          "enabled": true,
          "transactionType": "None"
        },
        "jwt.public-key.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.success": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.login.failed": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.password.breach": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.create": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.update": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.delete": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.registration.verified": {
          "enabled": true,
          "transactionType": "None"
        },
        "user.email.verified": {
          "enabled": true,
          "transactionType": "None"
        }
      }
    },
    "externalIdentifierConfiguration": {
      "authorizationGrantIdTimeToLiveInSeconds": 30,
      "changePasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "changePasswordIdTimeToLiveInSeconds": 600,
      "deviceCodeTimeToLiveInSeconds": 1800,
      "deviceUserCodeIdGenerator": {
        "length": 6,
        "type": "randomAlphaNumeric"
      },
      "emailVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "emailVerificationIdTimeToLiveInSeconds": 86400,
      "emailVerificationOneTimeCodeGenerator": {
        "length": 6,
        "type": "randomAlphaNumeric"
      },
      "externalAuthenticationIdTimeToLiveInSeconds": 300,
      "oneTimePasswordTimeToLiveInSeconds": 60,
      "passwordlessLoginGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "passwordlessLoginTimeToLiveInSeconds": 180,
      "pendingAccountLinkTimeToLiveInSeconds": 3600,
      "registrationVerificationIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "registrationVerificationIdTimeToLiveInSeconds": 86400,
      "registrationVerificationOneTimeCodeGenerator": {
        "length": 6,
        "type": "randomAlphaNumeric"
      },
      "samlv2AuthNRequestIdTimeToLiveInSeconds": 300,
      "setupPasswordIdGenerator": {
        "length": 32,
        "type": "randomBytes"
      },
      "setupPasswordIdTimeToLiveInSeconds": 86400,
      "trustTokenTimeToLiveInSeconds": 180,
      "twoFactorIdTimeToLiveInSeconds": 300,
      "twoFactorOneTimeCodeIdGenerator": {
        "length": 6,
        "type": "randomDigits"
      },
      "twoFactorOneTimeCodeIdTimeToLiveInSeconds": 60,
      "twoFactorTrustIdTimeToLiveInSeconds": 2592000,
      "webAuthnAuthenticationChallengeTimeToLiveInSeconds": 180,
      "webAuthnRegistrationChallengeTimeToLiveInSeconds": 180
    },
    "failedAuthenticationConfiguration": {
      "actionCancelPolicy": {
        "onPasswordReset": false
      },
      "actionDuration": 3,
      "actionDurationUnit": "MINUTES",
      "emailUser": false,
      "resetCountInSeconds": 60,
      "tooManyAttempts": 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "familyConfiguration": {
      "allowChildRegistrations": true,
      "confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
      "deleteOrphanedAccounts": false,
      "deleteOrphanedAccountsDays": 30,
      "enabled": true,
      "familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
      "maximumChildAge": 12,
      "minimumOwnerAge": 21,
      "parentEmailRequired": false,
      "parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
    },
    "formConfiguration": {
      "adminUserFormId": "e92751a5-25f4-4bca-ad91-66cdf67725d2"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "issuer": "https://example.com",
    "jwtConfiguration": {
      "accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
      "enabled": true,
      "idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
      "refreshTokenExpirationPolicy": "Fixed",
      "refreshTokenRevocationPolicy": {
        "onLoginPrevented": true,
        "onMultiFactorEnable": true,
        "onPasswordChanged": true
      },
      "refreshTokenTimeToLiveInMinutes": 43200,
      "refreshTokenUsagePolicy": "Reusable",
      "timeToLiveInSeconds": 3600
    },
    "lambdaConfiguration": {
      "scimEnterpriseUserRequestConverterId": "c2e70f8d-19bb-4df7-848a-33a9a1e26b84",
      "scimEnterpriseUserResponseConverterId": "44fc9553-8a2e-408f-8aa2-fa65b70b55e2",
      "scimGroupRequestConverterId": "66d65de0-1819-42f8-86ed-7daaa4e155dc",
      "scimGroupResponseConverterId": "79812ede-432f-4375-9b43-23c0fe996fef",
      "scimUserRequestConverterId": "8a51d7a1-5e3e-442a-b96a-0c31379bb3d4",
      "scimUserResponseConverterId": "c8720843-dc4f-4e6c-b6ca-500e9c44695f"
    },
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": false
    },
    "minimumPasswordAge": {
      "enabled": false,
      "seconds": 30
    },
    "multiFactorConfiguration": {
      "authenticator": {
        "enabled": true
      },
      "email": {
        "enabled": true,
        "templateId": "d312fb71-d7d8-4b75-a497-6096a07220b3"
      },
      "loginPolicy": "Enabled",
      "sms": {
        "enabled": true,
        "messengerId": "0a4bae38-ffef-4c33-b74c-1d50c796f600",
        "templateId": "f35e04e6-72ec-4f52-b552-29cf950a4ed6"
      }
    },
    "name": "Playtronics Co.",
    "oauthConfiguration": {
      "clientCredentialsAccessTokenPopulateLambdaId": "46e120c1-4c22-473f-95b4-e2c187cd20c2"
    },
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordValidationRules": {
      "breachDetection": {
        "enabled": true,
        "notifyUserEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
        "matchMode": "High",
        "onLogin": "Off"
      },
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true,
      "validateOnLogin": false
    },
    "rateLimitConfiguration": {
      "failedLogin": {
        "enabled": false,
        "limit": 5,
        "timePeriodInSeconds": 60
      },
      "forgotPassword": {
        "enabled": false,
        "limit": 5,
        "timePeriodInSeconds": 60
      },
      "sendEmailVerification": {
        "enabled": false,
        "limit": 5,
        "timePeriodInSeconds": 60
      },
      "sendRegistrationVerification": {
        "enabled": false,
        "limit": 5,
        "timePeriodInSeconds": 60
      },
      "sendPasswordless": {
        "enabled": false,
        "limit": 5,
        "timePeriodInSeconds": 60
      },
      "sendTwoFactor": {
        "enabled": false,
        "limit": 5,
        "timePeriodInSeconds": 60
      }
    },
    "registrationConfiguration": {},
    "scimServerConfiguration": {
      "clientEntityTypeId": "d9ed49f7-1106-4b20-acdb-5cbda76ae77e",
      "enabled": true,
      "serverEntityTypeId": "919e0ac5-1cf0-4fcf-a8fc-29d77a0d1d8f",
      "schemas": {}
    },
    "ssoConfiguration": {
      "deviceTrustTimeToLiveInSeconds": 31536000
    },
    "themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
    "userDeletePolicy": {
      "unverified": {
        "enabled": true,
        "numberOfDaysToRetain": 30
      }
    },
    "usernameConfiguration": {
      "unique": {
        "enabled": false,
        "numberOfDigits": 5,
        "separator": "#"
      }
    },
    "webAuthnConfiguration": {
      "enabled": true,
      "bootstrapWorkflow": {
        "authenticatorAttachmentPreference": "crossPlatform",
        "enabled": true,
        "userVerificationRequirement": "required"
      },
      "debug": false,
      "reauthenticationWorkflow": {
        "authenticatorAttachmentPreference": "platform",
        "enabled": true,
        "userVerificationRequirement": "required"
      },
      "relyingPartyId": "piedpiper.com",
      "relyingPartyName": "Pied Piper"
    },
    "webhookIds": [
      "00000000-0000-0000-0000-000000000042"
    ]
  }
}

Create a Tenant from an existing Tenant with a randomly generated I

This API has been available since 1.14.0

URI

POST/api/tenant

Create a Tenant from an existing Tenant with the provided unique Id

This API has been available since 1.14.0

URI

POST/api/tenant/{tenantId}

Request Parameters

tenantId[UUID]optionalDefaults to secure random UUID

The Id to use for the new Tenant. If not specified a secure random UUID will be generated.

Request Body

sourceTenantId[UUID]required

The Id of an existing Tenant from which a copy will be made. All other values will be copied from the source Tenant to the new Tenant.

tenant.name[String]required

The unique name of the Tenant.

Example request JSON

{
  "sourceTenantId": "32306536-3036-6431-3865-646430303332",
  "tenant": {
    "name": "Playtronics Co. - copied"
  }
}

Response

The response for this API contains the Tenant that was created.

Response Codes

Code	Description
200	The request was successful. The response will contain a JSON body.
400	The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401	You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500	There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

Response Body

tenant.accessControlConfiguration.uiIPAccessControlListId[UUID]available since 1.30.0

The Id of the IP Access Control List limiting access to this all applications in this tenant.

tenant.captchaConfiguration.captchaMethod[String]available since 1.30.0

The type of captcha method to use.

tenant.captchaConfiguration.enabled[Boolean]available since 1.30.0

Whether captcha configuration is enabled.

tenant.captchaConfiguration.secretKey[String]available since 1.30.0

The secret key for this captcha method.

tenant.captchaConfiguration.siteKey[String]available since 1.30.0

The site key for this captcha method.

tenant.captchaConfiguration.threshold[Float]available since 1.30.0

The numeric threshold which separates a passing score from a failing one. This value only applies if using either the Google v3 or HCaptcha Enterprise method, otherwise this value is ignored.

tenant.configured[Boolean]

Indicates the tenant has been configured. It is always true, except for default tenant when the setup wizard has not been completed, in which case it is false.

tenant.connectorPolicies[Array]available since 1.18.0

A list of Connector policies. Users will be authenticated against Connectors in order. Each Connector can be included in this list at most once and must exist.

tenant.connectorPolicies[x].connectorId[UUID]available since 1.18.0

The identifier of the Connector to which this policy refers.

tenant.connectorPolicies[x].domains[String]available since 1.18.0

An list of email domains to which this connector should apply.

A value of ["*"] indicates this connector applies to all users.

tenant.connectorPolicies[x].migrate[Boolean]available since 1.18.0

tenant.data[Object]