Applications
Overview
This page contains the APIs that are used to manage Applications as well as the Roles of an Application. Here are the APIs:
Create an Application
This API is used to create an Application. Specifying an Id on the URI will instruct FusionAuth to use that Id when creating the Application. Otherwise, FusionAuth will generate an Id for the Application.
Request
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDDefaults to a generated UUIDThe Id to use for the new Application, which must be unique across all Tenants. If not specified a secure random UUID will be generated.
Request Body
application.accessControlConfiguration.uiIPAccessControlListId
UUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to this application.
Note: An Enterprise plan is required to utilize IP ACLs.
application.authenticationTokenConfiguration.enabled
BooleanDetermines if Users can have Authentication Tokens associated with this Application. This feature may not be enabled for the FusionAuth application.
application.cleanSpeakConfiguration.applicationIds
Array<UUID>An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
application.cleanSpeakConfiguration.usernameModeration.applicationId
UUIDThe Id of the CleanSpeak application that usernames are sent to for moderation.
application.cleanSpeakConfiguration.usernameModeration.enabled
BooleanTrue if CleanSpeak username moderation is enabled.
application.data
ObjectAn object that can hold any information about the Application that should be persisted.
application.emailConfiguration.additionalHeaders
Array<Object>Available since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
application.emailConfiguration.debug
BooleanDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
application.emailConfiguration.defaultFromEmail
StringAvailable since 1.16.0The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part email address (i.e. Jared Dunn jared@piedpiper.com
).
application.emailConfiguration.defaultFromName
StringAvailable since 1.16.0The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address ( i.e. Jared Dunn jared@piedpiper.com
).
application.emailConfiguration.emailVerificationEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to send emails to users to verify that their email address is valid.
application.emailConfiguration.emailUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.emailVerifiedEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
application.emailConfiguration.forgotPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
application.emailConfiguration.host
StringDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0
this value was required.
application.emailConfiguration.implicitEmailVerificationAllowed
Defaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
application.emailConfiguration.loginNewDeviceEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.loginSuspiciousEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.password
StringAvailable since 1.8.0An optional password FusionAuth will use to authenticate with the SMTP server.
application.emailConfiguration.passwordlessEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
application.emailConfiguration.passwordResetSuccessEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.passwordUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.port
IntegerDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0
this value was required.
application.emailConfiguration.properties
StringAvailable since 1.8.0Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
mail.smtp.ssl.protocols
has a default value ofTLSv1 TLSv1.1 TLSv1.2
.
Since version 1.44.0
, the following two properties have default values:
mail.smtp.timeout
has a default value of2000
.mail.smtp.connectiontimeout
has a default value of2000
.
Here’s an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
application.emailConfiguration.security
StringDefaults to NONEAvailable since 1.8.0The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
NONE
- no security will be used. All communications will be sent plaintext.SSL
- SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.TLS
- TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
application.emailConfiguration.setPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.
application.emailConfiguration.twoFactorMethodAddEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.unverified.allowEmailChangeWhenGated
BooleanDefaults to falseAvailable since 1.27.0When this value is set to true
, the user is allowed to change their email address when they are gated because they haven’t verified their email address.
application.emailConfiguration.unverified.behavior
StringDefaults to AllowAvailable since 1.27.0The desired behavior during login for a user that does not have a verified email. The possible values are:
Allow
- the user will be allowed to complete login.Gated
- verification is required before a user can complete login. The use of this value will require a paid plan.
application.emailConfiguration.username
StringAvailable since 1.8.0An optional username FusionAuth will to authenticate with the SMTP server.
application.emailConfiguration.verificationEmailTemplateId
UUIDThe Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail
or verifyEmailWhenChanged
fields are true
, this field is required.
application.emailConfiguration.verificationStrategy
StringAvailable since 1.27.0The process by which the user will verify their email address. The possible values are:
ClickableLink
- send the user a code with a clickable link.FormField
- send the user a short code intended to be manually entered into a form field. This is only available when application.emailConfiguration.unverified.behavior has theGated
value.
application.emailConfiguration.verifyEmail
BooleanDefaults to falseWhether the user’s email addresses are verified when the registers with your application.
application.emailConfiguration.verifyEmailWhenChanged
BooleanDefaults to falseWhether the user’s email addresses are verified when the user changes them.
application.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds
IntegerAvailable since 1.37.0The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.
When this value is not defined, the value defined by tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds is utilized. When this value is defined it will override the tenant configured value.
This configuration is only utilized when application.multiFactorConfiguration.loginPolicy is Enabled
or Required
.
application.formConfiguration.selfServiceFormConfiguration.requireCurrentPasswordOnPasswordChange
BooleanAvailable since 1.45.0When enabled a user will be required to provide their current password when changing their password on a self-service account form.
Note: A paid plan is required to utilize custom forms.
application.formConfiguration.selfServiceFormId
UUIDAvailable since 1.26.0The unique Id of the form to enable authenticated users to manage their profile on the account page.
Note: A paid plan is required to utilize custom forms.
application.jwtConfiguration.accessTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the access token.
application.jwtConfiguration.algorithm
StringDEPRECATEDThe algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.
ES256
- ECDSA using P-256 curve and SHA-256 Available since 1.4.0ES384
- ECDSA using P-384 curve and SHA-384 Available since 1.4.0ES512
- ECDSA using P-521 curve and SHA-512 Available since 1.4.0HS256
- HMAC using SHA-256HS384
- HMAC using SHA-384HS512
- HMAC using SHA-512RS256
- RSASSA-PKCS1-v1_5 using SHA-256RS384
- RSASSA-PKCS1-v1_5 using SHA-384RS512
- RSASSA-PKCS1-v1_5 using SHA-512
Required when enabled
is set to true
.
When an HMAC algorithm is used such as HS256
, HS384
or HS512
, the OAuth client_secret
will be used as the signing secret.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.enabled
BooleanIndicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false
the signing algorithm configured in the Tenant will be used. If true
the signing algorithm defined in this application will be used.
application.jwtConfiguration.idTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the Id token.
application.jwtConfiguration.privateKey
StringDEPRECATEDThe private key used when an RSA
or ECDSA
based signing algorithm has been selected. The private key will be used to sign the JWT. This key is expected to be presented in a PEM encoded format.
Required when enabled
is set to true
and algorithm
is set to an RSA
or ECDSA
based value.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.publicKey
StringDEPRECATEDThe public key used when an RSA
or ECDSA
signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key is expected to be presented in a PEM encoded format.
Required when enabled
is set to true
and algorithm
is set to an RSA
or ECDSA
based value.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.refreshTokenExpirationPolicy
StringDefaults to FixedAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed
- the expiration is calculated from the time the token is issued.SlidingWindow
- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime
- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
application.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes
IntegerDefaults to 43,200Available since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime
. Value must be greater than 0.
When refreshTokenExpirationPolicy is set to SlidingWindowWithMaximumLifetime
, this value must be greater than or equal to refreshTokenTimeToLiveInMinutes .
application.jwtConfiguration.refreshTokenTimeToLiveInMinutes
IntegerAvailable since 1.2.0The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
Required when enabled
is set to true
.
application.jwtConfiguration.refreshTokenUsagePolicy
StringDefaults to ReusableAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable
- the token does not change after it was issued.OneTimeUse
- the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
application.jwtConfiguration.secret
StringDEPRECATEDThe secret used when an HMAC
based signing algorithm has been selected. This secret is used to sign and verify JWTs.
Required when enabled
is set to true
and algorithm
is set to an HMAC
based value.
In version 1.5.0 and beyond, when selecting an HMAC
algorithm, the client_secret
from the OAuth configuration will be used to sign and verify the JWTs.
application.jwtConfiguration.timeToLiveInSeconds
IntegerThe length of time in seconds the JWT will live before it is expired and no longer valid.
Required when enabled
is set to true
.
application.lambdaConfiguration.accessTokenPopulateId
UUIDAvailable since 1.6.0The Id of the lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
application.lambdaConfiguration.idTokenPopulateId
UUIDAvailable since 1.6.0The Id of the lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
application.lambdaConfiguration.samlv2PopulateId
UUIDAvailable since 1.6.0The Id of the lambda that will be invoked when a SAML response is generated during a SAML authentication request.
application.lambdaConfiguration.selfServiceRegistrationValidationId
UUIDAvailable since 1.43.0The Id of the lambda that will be used to perform additional validation on registration form steps.
Note: A paid plan is required to utilize custom forms.
application.lambdaConfiguration.userinfoPopulateId
UUIDAvailable since 1.50.0The Id of the lambda that will be invoked when a UserInfo response is generated for this application.
application.loginConfiguration.allowTokenRefresh
BooleanAvailable since 1.5.0Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens
parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false
to ensure Refresh Tokens cannot be used outside of the Refresh Token Grant.
application.loginConfiguration.generateRefreshTokens
BooleanAvailable since 1.5.0Indicates if a Refresh Token should be issued from the Login API.
If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false
to ensure Refresh Tokens will not be issued outside of the OAuth grants.
application.loginConfiguration.requireAuthentication
BooleanAvailable since 1.5.0Indicates if the Login API should require an API key. If you set this value to false
and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
If you do not intend to use the Login API, or will only be calling this API from a secure backend server, setting this value to true
in order to require an API key is preferred.
application.multiFactorConfiguration.email.templateId
UUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
application.multiFactorConfiguration.loginPolicy
StringAvailable since 1.37.0When enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When required, the user will be required to complete a two-factor challenge during login.
When configured, this value overrides the value configured by the tenant.multiFactorConfiguration.loginPolicy .
Supported values include:
Enabled
- Require a two-factor challenge during login when an eligible method is available.Disabled
- Do not require a two-factor challenge during login.Required
- Require a two-factor challenge during login. A user will be required to configure 2FA if no eligible methods are available. Available since 1.42.0
While this configuration requires a license, in version 1.49.0
or later it may be enabled for the FusionAuth admin application regardless of the license state.
application.multiFactorConfiguration.sms.templateId
UUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
application.multiFactorConfiguration.trustPolicy
StringAvailable since 1.37.0When application.multiFactorConfiguration.loginPolicy is set to Enabled
or Required
, this trust policy is utilized when determining if a user must complete a two-factor challenge during login.
For example, a normal two-factor login flow will result in a trust Id being returned if you set trustComputer equal to true
when completing a Two Factor Login. The returned Trust identifier can be used on subsequent Login requests to keep from being required to complete a Two-Factor login. This configuration determines if that trust value can be utilized for another application.
Supported values include:
Any
- Trust obtained from any application is sufficient to bypass the two-factor challenge.This
- Only trust obtained for this application is sufficient to bypass the two-factor challenge.None
- Never trusted. The user will be required to complete a two-factor challenge during each login attempt.
application.name
StringrequiredThe name of the Application.
application.oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
For improved security, all FusionAuth hosted login pages add an HTTP response header of X-Frame-Options: DENY
. This response header disallows loading the FusionAuth pages from an iframe. To utilize an iframe and load one or more of the FusionAuth hosted login pages, add the iframe page URLs to this property. For that host, FusionAuth will remove the X-Frame-Options
header allowing the page to load in the iframe.
Examples of valid authorized origin URIs:
- https://example.com
- com.myApp://example
- com.myApp:/example
You may now use URLs that do not begin with http
to support native application origins. Prior to this version the value will be validated to begin with http
. This also includes authorized origins that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/example
would fail validation as an invalid URL.
Configured URLs containing wildcards are considered during validation when is set to . Wildcards are allowed in the following positions:
- The left-most subdomain - A full or partial wildcard is allowed in the left-most subdomain. The replacement value cannot contain a
.
. - The port number - A wildcard is allowed in place of the port number. Partial wildcards are not allowed in this position.
- A path segment - A full or partial wildcard is allowed in any path segment. The replacement value cannot contain a
/
. - A query string value - A wildcard is allowed in place of a query string value. Partial wildcards are not allowed in this position. Wildcards are not allowed in query string names.
See the OAuth 2.0 URL Validation page for more detail.
application.oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
Examples of valid redirect URIs:
- https://example.com/redirect
- com.myApp://redirect
- com.myApp:/redirect
You may now use URLs that do not begin with http
to support native application redirect. Prior to this version the value will be validated to begin with http
.
You may now use URLs for application redirects that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/redirect
would fail validation as in invalid URL.
Configured URLs containing wildcards are considered during validation when is set to . Wildcards are allowed in the following positions:
- The left-most subdomain - A full or partial wildcard is allowed in the left-most subdomain. The replacement value cannot contain a
.
. - The port number - A wildcard is allowed in place of the port number. Partial wildcards are not allowed in this position.
- A path segment - A full or partial wildcard is allowed in any path segment. The replacement value cannot contain a
/
. - A query string value - A wildcard is allowed in place of a query string value. Partial wildcards are not allowed in this position. Wildcards are not allowed in query string names.
See the OAuth 2.0 URL Validation page for more detail.
application.oauthConfiguration.authorizedURLValidationPolicy
Available since 1.43.0Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
application.oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
application.oauthConfiguration.clientSecret
StringThe OAuth 2.0 client secret. If you leave this blank during a POST, a secure secret will be generated for you. If you leave this blank during PUT, the previous value will be maintained. For both POST and PUT you can provide a value and it will be stored.
application.oauthConfiguration.consentMode
StringDefaults to AlwaysPromptAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
application.oauthConfiguration.debug
BooleanAvailable since 1.25.0Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
application.oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type, this field is required when device_code
is enabled.
application.oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application. In order to utilize a particular grant with the OAuth 2.0 endpoints you must have enabled the grant.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
application.oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
application.oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
application.oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
application.oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
application.oauthConfiguration.providedScopePolicy.address.enabled
BooleanDefaults to trueAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.email.enabled
BooleanDefaults to trueAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.phone.enabled
BooleanDefaults to trueAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.profile.enabled
BooleanDefaults to trueAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.relationship
StringDefaults to FirstPartyAvailable since 1.50.0The application’s relationship to the OAuth server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on the application object’s oauthConfiguration.consentMode value.
Note: An Essentials or Enterprise plan is required to utilize third-party applications.
application.oauthConfiguration.requireClientAuthentication
BooleanDEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy .
application.oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
application.oauthConfiguration.scopeHandlingPolicy
StringDefaults to StrictAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
application.oauthConfiguration.unknownScopePolicy
StringDefaults to RejectAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
application.passwordlessConfiguration.enabled
BooleanAvailable since 1.5.0Determines if passwordless login is enabled for this application.
application.registrationConfiguration.birthDate.enabled
BooleanAvailable since 1.4.0Determines if the birthDate
field will be included on the registration form.
application.registrationConfiguration.birthDate.required
BooleanAvailable since 1.4.0Determines if the birthDate
field is required when displayed on the registration form.
application.registrationConfiguration.confirmPassword
BooleanAvailable since 1.4.0Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.
application.registrationConfiguration.enabled
BooleanAvailable since 1.4.0Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.
Self service registration cannot be enabled on the FusionAuth application.
If true
, any user logging in to this application using hosted login pages will automatically have a registration created, if they are not already registered.
application.registrationConfiguration.firstName.enabled
BooleanAvailable since 1.4.0Determines if the firstName
field will be included on the registration form.
application.registrationConfiguration.firstName.required
BooleanAvailable since 1.4.0Determines if the firstName
field is required when displayed on the registration form.
application.registrationConfiguration.formId
UUIDAvailable since 1.18.0The Id of an associated Form when using advanced
registration configuration type.
This field is required when application.registrationConfiguration.type is set to advanced
.
application.registrationConfiguration.fullName.enabled
BooleanAvailable since 1.4.0Determines if the fullName
field will be included on the registration form.
application.registrationConfiguration.fullName.required
BooleanAvailable since 1.4.0Determines if the fullName
field is required when displayed on the registration form.
application.registrationConfiguration.lastName.enabled
BooleanAvailable since 1.4.0Determines if the lastName
field will be included on the registration form.
application.registrationConfiguration.lastName.required
BooleanAvailable since 1.4.0Determines if the lastName
field is required when displayed on the registration form.
application.registrationConfiguration.loginIdType
StringAvailable since 1.4.0The unique login Id that will be collected during registration, this value can be email
or username
. Leaving the default value of email
is preferred because an email address is globally unique.
email
username
application.registrationConfiguration.middleName.enabled
BooleanAvailable since 1.4.0Determines if the middleName
field will be included on the registration form.
application.registrationConfiguration.middleName.required
BooleanAvailable since 1.4.0Determines if the middleName
field is required when displayed on the registration form.
application.registrationConfiguration.mobilePhone.enabled
BooleanAvailable since 1.4.0Determines if the mobilePhone
field will be included on the registration form.
application.registrationConfiguration.mobilePhone.required
BooleanAvailable since 1.4.0Determines if the mobilePhone
field is required when displayed on the registration form.
application.registrationConfiguration.preferredLanguages.enabled
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field will be included on the registration form. The default form control will display all available locales.
application.registrationConfiguration.preferredLanguages.required
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field is required when displayed on the registration form.
application.registrationConfiguration.type
StringAvailable since 1.18.0The type of registration flow.
Supported values include:
basic
- the basic self registration options available prior to version1.18.0
.advanced
- advanced usage of custom forms, requires a paid plan.
application.registrationDeletePolicy.unverified.enabled
BooleanAvailable since 1.13.0Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
application.registrationDeletePolicy.unverified.numberOfDaysToRetain
IntegerAvailable since 1.13.0The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. This field is required when application.registrationDeletePolicy.enabled is set to true
. Value must be greater than 0.
application.roles
ArrayAn array of Role objects.
application.roles[x].description
StringA description for the role.
application.roles[x].id
UUIDThe Id of the Role.
application.roles[x].name
StringrequiredThe name of the Role.
application.roles[x].isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
application.roles[x].isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
application.samlv2Configuration.assertionEncryptionConfiguration.digestAlgorithm
StringAvailable since 1.47.0The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:
SHA1
- SHA-1 hashing algorithmSHA256
- SHA-256 hashing algorithmSHA384
- SHA-384 hashing algorithmSHA512
- SHA-512 hashing algorithm
Using SHA256
or higher is recommended.
application.samlv2Configuration.assertionEncryptionConfiguration.enabled
BooleanAvailable since 1.47.0Determines if SAML assertion encryption is enabled for this Application.
application.samlv2Configuration.assertionEncryptionConfiguration.encryptionAlgorithm
StringAvailable since 1.47.0The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:
AES128
- AES in CBC mode with a 128-bit keyAES192
- AES in CBC mode with a 192-bit keyAES256
- AES in CBC mode with a 256-bit keyAES128GCM
- AES using GCM with a 128-bit keyAES192GCM
- AES using GCM with a 192-bit keyAES256GCM
- AES using GCM with a 256-bit keyTripleDES
- Triple DES with a 192-bit key
Cryptography experts strongly recommend the use of AES using GCM if supported. Availability will depend on whether the SAML Service Provider (SP) supports those algorithms.
application.samlv2Configuration.assertionEncryptionConfiguration.keyLocation
StringAvailable since 1.47.0The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData
element containing the encrypted assertion value. The possible values are:
Child
- TheEncryptedKey
element will be wrapped in aKeyInfo
element and added inside theEncryptedData
Sibling
- TheEncryptedKey
element will be added to the document as a sibling ofEncryptedData
This value will be dictated by the SAML Service Provider (SP) and which options it supports.
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm
StringAvailable since 1.47.0The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:
RSAv15
- RSA version 1.5RSA_OAEP
- RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunctionRSA_OAEP_MGF1P
- RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash
Use of RSAv15
is not recommended but is available for backwards compatibility.
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportEncryptionKeyId
UUIDAvailable since 1.47.0The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response. The selected Key must contain an RSA certificate.
This parameter is required when application.samlv2Configuration.assertionEncryptionConfiguration.enabled is set to true
.
application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
StringAvailable since 1.47.0The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:
MGF1_SHA1
- MGF1 mask generation function with SHA-1 hashMGF1_SHA224
- MGF1 mask generation function with SHA-224 hashMGF1_SHA256
- MGF1 mask generation function with SHA-256 hashMGF1_SHA384
- MGF1 mask generation function with SHA-384 hashMGF1_SHA512
- MGF1 mask generation function with SHA-512 hash
This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP
. RSAv15
does not require a message digest function, and RSA_OAEP_MGF1P
will always use MGF1_SHA1
regardless of this value.
application.samlv2Configuration.audience
StringAvailable since 1.6.0The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer
and this configuration option lets you change the audience
in the response.
application.samlv2Configuration.authorizedRedirectURLs
Array<String>requiredAvailable since 1.20.0One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL]
element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL]
element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
If the application.samlv2Configuration.initiatedLogin.enabled is true
, the particular URL where the user will end up after successful login can be configured by appending a parameter to the Initiate login URL
. The parameter must be either redirect_uri
or RelayState
. The value should be a URL encoded URL present in this field. If both RelayState
and redirect_uri
are present redirect_uri
will be ignored in favor of RelayState
.
application.samlv2Configuration.callbackURL
StringAvailable since 1.6.0DEPRECATEDThe URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated since 1.20.0In version 1.20.0 and beyond, Callback URLs can be managed via application.samlv2Configuration.authorizedRedirectURLs .
application.samlv2Configuration.debug
BooleanAvailable since 1.6.0Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
application.samlv2Configuration.defaultVerificationKeyId
UUIDAvailable since 1.20.0The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo]
element is not found in the SAML AuthNRequest. If a [KeyInfo]
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
This parameter is required when application.samlv2Configuration.requireSignedRequests is set to true
.
application.samlv2Configuration.enabled
BooleanAvailable since 1.6.0Determines if the SAML IdP is enabled for this Application.
application.samlv2Configuration.issuer
StringrequiredAvailable since 1.6.0An issuer
identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration. If you don’t know the issuer
, you can put anything in this field and FusionAuth will display an error message with the issuer
from the service provider when you test the SAML login.
application.samlv2Configuration.initiatedLogin.enabled
BooleanAvailable since 1.41.0Determines if SAML v2 IdP initiated login is enabled for this application. See application.samlv2Configuration.authorizedRedirectURLs for information on which destination URLs are allowed.
application.samlv2Configuration.initiatedLogin.nameIdFormat
StringAvailable since 1.41.0The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
application.samlv2Configuration.keyId
UUIDAvailable since 1.6.0The unique Id of the Key used to sign the SAML response. If you do not specify this property, FusionAuth will create a new key and associate it with this Application.
application.samlv2Configuration.loginHintConfiguration.enabled
BooleanAvailable since 1.47.0When enabled, FusionAuth will accept a username or email address as a login hint on a custom HTTP request parameter.
application.samlv2Configuration.loginHintConfiguration.parameterName
StringAvailable since 1.47.0The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.
application.samlv2Configuration.logout.behavior
StringAvailable since 1.25.0The possible values are:
AllParticipants
- each session participant that has enabled single logout will be sent a Logout RequestOnlyOriginator
- no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
application.samlv2Configuration.logout.defaultVerificationKeyId
UUIDAvailable since 1.25.0The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo
element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
This parameter is required when application.samlv2Configuration.logout.requireSignedRequests is set to true
.
application.samlv2Configuration.logout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Logout response.
When this parameter is omitted, the key defined by application.samlv2Configuration.keyId
will be used.
application.samlv2Configuration.logout.requireSignedRequests
BooleanrequiredAvailable since 1.25.0Set this parameter equal to true
to require the SAML v2 Service Provider to sign the Logout request. When this value is true
all Logout requests missing a signature will be rejected.
When set to true
, the parameter application.samlv2Configuration.logout.defaultVerificationKeyId is required.
application.samlv2Configuration.logout.singleLogout.enabled
BooleanAvailable since 1.25.0Whether or not SAML Single Logout for this SAML IdP is enabled.
application.samlv2Configuration.logout.singleLogout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Single Logout response.
When this parameter is omitted, the key defined by application.samlv2Configuration.keyId
will be used.
application.samlv2Configuration.logout.singleLogout.url
StringAvailable since 1.25.0The URL at which you want to receive the LogoutRequest
from FusionAuth.
Required if application.samlv2Configuration.logout.singleLogout.enabled is true
.
application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logoutURL
StringAvailable since 1.6.0The URL that the browser is taken to after the user logs out of the SAML service provider. Often service providers need this URL in order to correctly hook up single-logout.
This is also the URL that will be sent the SAML v2 LogoutResponse using the same bindings that were used to initiate the logout request with the IdP. For example, if POST bindings were used to initiate the logout request, POST bindings will be used for this LogoutResponse request.
application.samlv2Configuration.requireSignedRequests
BooleanAvailable since 1.20.0Set this parameter equal to true
to require the SAML v2 Service Provider to sign the request. When this value is true
all requests missing a signature will be rejected.
When set to true
, the parameter application.samlv2Configuration.defaultVerificationKeyId is required.
application.samlv2Configuration.xmlSignatureC14nMethod
StringAvailable since 1.6.0The XML signature canonicalization method used when digesting and signing the SAML response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.xmlSignatureLocation
StringAvailable since 1.21.0The location to place the XML signature when signing a successful SAML response.
The possible values are:
Assertion
- The XML signature will be added as a child element of the Assertion.Response
- The XML signature will be added as a child element of the Response.
In most cases the default configuration will be adequate. If you encounter a SAML v2 Service Provider that requires the signature to be a child of the Response, use this configuration to change the signature location. Prior to version 1.21.0
, the XML signature was always located as a child element of the Assertion when the response was successful.
application.scopes
ArrayAvailable since 1.50.0An array of OAuth Scope objects.
Note: An Essentials or Enterprise plan is required to utilize advanced OAuth scopes.
application.scopes[x].defaultConsentDetail
StringAvailable since 1.50.0The default detail to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].defaultConsentMessage
StringAvailable since 1.50.0The default message to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].description
StringAvailable since 1.50.0A description of the OAuth Scope for internal use.
application.scopes[x].id
UUIDAvailable since 1.50.0The Id of the OAuth Scope.
application.scopes[x].name
StringrequiredAvailable since 1.50.0The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.
application.scopes[x].required
BooleanAvailable since 1.50.0Determines if the OAuth Scope is required when requested in an OAuth workflow.
application.themeId
UUIDAvailable since 1.27.0The unique Id of the theme to be used to style the login page and other end user templates.
Note: A paid plan is required to utilize application themes.
application.verificationEmailTemplateId
UUIDThe Id of the Email Template that is used to send the Registration Verification emails to users. If the verifyRegistration
field is true
this field is required.
application.verifyRegistration
BooleanWhether or not registrations to this Application may be verified. When this is set to true
the verificationEmailTemplateId
parameter is also required.
application.webAuthnConfiguration.bootstrapWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
Note: A license is required to utilize WebAuthn
application.webAuthnConfiguration.enabled
BooleanAvailable since 1.41.0Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false
, WebAuthn workflows will be enabled based on the Tenant configuration. If true
, WebAuthn workflows will be enabled according to the configuration of this application.
Note: A license is required to utilize WebAuthn
application.webAuthnConfiguration.reauthenticationWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
Note: A license is required to utilize WebAuthn
webhookIds
Array<UUID>DEPRECATEDAn array of Webhook Ids. For Webhooks that are not already configured for All Applications, specifying an Id on this request will indicate the associated Webhook should handle events for this application.
Removed in 1.37.0In version 1.37.0 and beyond, Webhooks configuration can be managed in the Tenant API.
Example Request JSON
{
"application": {
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908",
"userinfoPopulateId": "faaa713c-befd-43ee-9387-907828f80882"
},
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"consentMode": "AlwaysPrompt",
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"relationship": "FirstParty",
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false,
"isSuperRole": true
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true,
"isSuperRole": false
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"loginHintConfiguration": {
"enabled": true,
"parameterName": "login_hint"
},
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"scopes": [
{
"defaultConsentDetail": "Your calendar data will be used to provide you enhanced reminders",
"defaultConsentMessage": "Read your calendar",
"id": "b1e5afb2-e18f-4174-82c2-1fa7975ac598",
"name": "calendar:read",
"required": true
},
{
"defaultConsentDetail": "Create new events to remind you of upcoming discussions",
"defaultConsentMessage": "Write your calendar",
"id": "a9ae0a21-be87-4f04-850d-20a75020448b",
"name": "calendar:write",
"required": false
}
],
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
This API has been available since 1.43.0
This API has been available since 1.43.0
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDDefaults to a generated UUIDThe Id to use for the new Application. If not specified a secure random UUID will be generated.
Request Body
application.name
StringrequiredThe name of the Application.
sourceApplicationId
UUIDrequiredThe Id of an existing Application from which a copy will be made.
The oauthConfiguration.clientSecret
and each role Id will be cleared so new values can be generated. All other values will be copied from the source Application.
.Example request JSON
{
"sourceApplicationId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"application": {
"name": "Forum - copied"
}
}
Response
The response for this API contains the information for the Application that was created.
Response CodesCode | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
application.accessControlConfiguration.uiIPAccessControlListId
UUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to this application.
application.active
BooleanDEPRECATEDWhether or not the Application is active.
Deprecated since 1.22.0In version 1.22.0 and beyond, prefer the use of state .
application.authenticationTokenConfiguration.enabled
BooleanWhether or not Users can have Authentication Tokens associated with this Application.
application.cleanSpeakConfiguration.applicationIds
Array<UUID>An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
application.cleanSpeakConfiguration.enabled
BooleanTrue if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
application.cleanSpeakConfiguration.usernameModeration.applicationId
UUIDThe Id of the CleanSpeak application that usernames are sent to for moderation.
application.cleanSpeakConfiguration.usernameModeration.enabled
BooleanTrue if CleanSpeak username moderation is enabled.
application.data
ObjectAn object that can hold any information about the Application that should be persisted.
application.emailConfiguration.emailVerificationEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.emailUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.emailVerifiedEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.forgotPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginNewDeviceEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginSuspiciousEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordlessEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordResetSuccessEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.setPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.twoFactorMethodAddEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.formConfiguration.adminRegistrationFormId
UUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
application.formConfiguration.selfServiceFormConfiguration.requireCurrentPasswordOnPasswordChange
BooleanAvailable since 1.45.0When enabled a user will be required to provide their current password when changing their password on a self-service account form.
application.formConfiguration.selfServiceFormId
UUIDAvailable since 1.26.0The unique Id of the form to enable authenticated users to manage their profile on the account page.
application.id
UUIDThe unique identifier for this Application.
application.insertInstant
LongAvailable since 1.18.0The instant that the Application was added to the FusionAuth database.
application.jwtConfiguration.accessTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the access token.
application.jwtConfiguration.algorithm
StringDEPRECATEDThe algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.
ES256
- ECDSA using P-256 curve and SHA-256 Available since 1.4.0ES384
- ECDSA using P-384 curve and SHA-384 Available since 1.4.0ES512
- ECDSA using P-521 curve and SHA-512 Available since 1.4.0HS256
- HMAC using SHA-256HS384
- HMAC using SHA-384HS512
- HMAC using SHA-512RS256
- RSASSA-PKCS1-v1_5 using SHA-256RS384
- RSASSA-PKCS1-v1_5 using SHA-384RS512
- RSASSA-PKCS1-v1_5 using SHA-512
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.enabled
BooleanIndicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false
the signing algorithm configured in the Tenant will be used. If true
the signing algorithm defined in this application will be used.
application.jwtConfiguration.idTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the Id token.
application.jwtConfiguration.privateKey
StringDEPRECATEDThe private key used when an RSA
signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.publicKey
StringDEPRECATEDThe public key used when an RSA
signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.refreshTokenExpirationPolicy
StringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed
- the expiration is calculated from the time the token is issued.SlidingWindow
- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime
- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
application.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes
IntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime
.
application.jwtConfiguration.refreshTokenTimeToLiveInMinutes
IntegerAvailable since 1.2.0The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
application.jwtConfiguration.refreshTokenUsagePolicy
StringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable
- the token does not change after it was issued.OneTimeUse
- the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
application.jwtConfiguration.secret
StringDEPRECATEDThe secret used when an HMAC
based signing algorithm has been selected. This secret is used to sign and verify JWTs.
In version 1.5.0 and beyond, when selecting an HMAC
algorithm, the client_secret
from the OAuth configuration will be used to sign and verify the JWTs.
application.jwtConfiguration.timeToLiveInSeconds
IntegerThe length of time in seconds the JWT will live before it is expired and no longer valid.
application.lambdaConfiguration.accessTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
application.lambdaConfiguration.idTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
application.lambdaConfiguration.samlv2PopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
application.lambdaConfiguration.selfServiceRegistrationValidationId
UUIDAvailable since 1.43.0The unique Id of the lambda that will be used to perform additional validation on registration form steps.
application.lambdaConfiguration.userinfoPopulateId
UUIDAvailable since 1.50.0The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.
application.lastUpdateInstant
LongAvailable since 1.18.0The instant that the Application was last updated in the FusionAuth database.
application.name
StringThe name of the Application.
application.loginConfiguration.allowTokenRefresh
BooleanAvailable since 1.5.0Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens
parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
application.loginConfiguration.generateRefreshTokens
BooleanAvailable since 1.5.0Indicates if a Refresh Token should be issued from the Login API.
application.loginConfiguration.requireAuthentication
BooleanAvailable since 1.5.0Indicates if the Login API should require an API key. If you set this value to false
and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
application.multiFactorConfiguration.email.templateId
UUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
application.multiFactorConfiguration.sms.templateId
UUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
application.oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY
will be added to each response to disallow iframe loading.
application.oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
application.oauthConfiguration.authorizedURLValidationPolicy
StringAvailable since 1.43.0Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
application.oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
application.oauthConfiguration.clientId
StringThe OAuth client Id of the Application.
application.oauthConfiguration.clientSecret
StringThe OAuth client secret.
application.oauthConfiguration.consentMode
StringAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
application.oauthConfiguration.debug
BooleanAvailable since 1.25.0Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
application.oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type.
application.oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
application.oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
application.oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
application.oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
application.oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
application.oauthConfiguration.providedScopePolicy.address.enabled
BooleanAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.email.enabled
BooleanAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.phone.enabled
BooleanAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.profile.enabled
BooleanAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.relationship
StringAvailable since 1.50.0The application’s relationship to the OAuth server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on application.oauthConfiguration.consentMode .
application.oauthConfiguration.requireClientAuthentication
BooleanAvailable since 1.3.0DEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy .
application.oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
application.oauthConfiguration.scopeHandlingPolicy
StringAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
application.oauthConfiguration.unknownScopePolicy
StringAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
application.passwordlessConfiguration.enabled
BooleanAvailable since 1.5.0Determines if passwordless login is enabled for this application.
application.registrationConfiguration.birthDate.enabled
BooleanAvailable since 1.4.0Determines if the birthDate
field will be included on the registration form.
application.registrationConfiguration.birthDate.required
BooleanAvailable since 1.4.0Determines if the birthDate
field is required when displayed on the registration form.
application.registrationConfiguration.confirmPassword
BooleanAvailable since 1.4.0Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.
application.registrationConfiguration.enabled
BooleanAvailable since 1.4.0Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.
application.registrationConfiguration.firstName.enabled
BooleanAvailable since 1.4.0Determines if the firstName
field will be included on the registration form.
application.registrationConfiguration.firstName.required
BooleanAvailable since 1.4.0Determines if the firstName
field is required when displayed on the registration form.
application.registrationConfiguration.formId
UUIDAvailable since 1.18.0The Id of an associated Form when using advanced
registration configuration type.
application.registrationConfiguration.fullName.enabled
BooleanAvailable since 1.4.0Determines if the fullName
field will be included on the registration form.
application.registrationConfiguration.fullName.required
BooleanAvailable since 1.4.0Determines if the fullName
field is required when displayed on the registration form.
application.registrationConfiguration.lastName.enabled
BooleanAvailable since 1.4.0Determines if the lastName
field will be included on the registration form.
application.registrationConfiguration.lastName.required
BooleanAvailable since 1.4.0Determines if the lastName
field is required when displayed on the registration form.
application.registrationConfiguration.loginIdType
StringAvailable since 1.4.0The unique login Id that will be collected during registration, this value can be email
or username
. Leaving the default value of email
is preferred because an email address is globally unique.
email
username
application.registrationConfiguration.middleName.enabled
BooleanAvailable since 1.4.0Determines if the middleName
field will be included on the registration form.
application.registrationConfiguration.middleName.required
BooleanAvailable since 1.4.0Determines if the middleName
field is required when displayed on the registration form.
application.registrationConfiguration.mobilePhone.enabled
BooleanAvailable since 1.4.0Determines if the mobilePhone
field will be included on the registration form.
application.registrationConfiguration.mobilePhone.required
BooleanAvailable since 1.4.0Determines if the mobilePhone
field is required when displayed on the registration form.
application.registrationConfiguration.preferredLanguages.enabled
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field will be included on the registration form.
application.registrationConfiguration.preferredLanguages.required
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field is required when displayed on the registration form.
application.registrationConfiguration.type
StringAvailable since 1.18.0The type of registration flow.
Supported values include:
basic
- the basic self registration options available prior to version1.18.0
.advanced
- advanced usage of custom forms, requires a paid plan.
application.registrationDeletePolicy.unverified.enabled
BooleanAvailable since 1.13.0Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
application.registrationDeletePolicy.unverified.enabledInstant
LongAvailable since 1.48.0The instant that this policy was enabled.
User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.
Please note that prior to version 1.48.0
, when enabling this policy all unverified user registrations are eligible for deletion.
application.registrationDeletePolicy.unverified.numberOfDaysToRetain
IntegerAvailable since 1.13.0The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
application.roles
ArrayAn array of Role objects.
application.roles[x].description
StringA description of the role.
application.roles[x].id
UUIDThe Id of the Role.
application.roles[x].name
StringThe name of the Role.
application.roles[x].isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
application.roles[x].isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
application.samlv2Configuration.assertionEncryptionConfiguration.digestAlgorithm
StringAvailable since 1.47.0The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:
SHA1
- SHA-1 hashing algorithmSHA256
- SHA-256 hashing algorithmSHA384
- SHA-384 hashing algorithmSHA512
- SHA-512 hashing algorithm
application.samlv2Configuration.assertionEncryptionConfiguration.enabled
BooleanAvailable since 1.47.0Whether or SAML assertion encryption is enabled for this Application.
application.samlv2Configuration.assertionEncryptionConfiguration.encryptionAlgorithm
StringAvailable since 1.47.0The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:
AES128
- AES in CBC mode with a 128-bit keyAES192
- AES in CBC mode with a 192-bit keyAES256
- AES in CBC mode with a 256-bit keyAES128GCM
- AES using GCM with a 128-bit keyAES192GCM
- AES using GCM with a 192-bit keyAES256GCM
- AES using GCM with a 256-bit keyTripleDES
- Triple DES with a 192-bit key
application.samlv2Configuration.assertionEncryptionConfiguration.keyLocation
StringAvailable since 1.47.0The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData
element containing the encrypted assertion value. The possible values are:
Child
- TheEncryptedKey
element will be wrapped in aKeyInfo
element and added inside theEncryptedData
Sibling
- TheEncryptedKey
element will be added to the document as a sibling ofEncryptedData
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm
StringAvailable since 1.47.0The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:
RSAv15
- RSA version 1.5RSA_OAEP
- RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunctionRSA_OAEP_MGF1P
- RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportEncryptionKeyId
UUIDAvailable since 1.47.0The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response.
application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
StringAvailable since 1.47.0The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:
MGF1_SHA1
- MGF1 mask generation function with SHA-1 hashMGF1_SHA224
- MGF1 mask generation function with SHA-224 hashMGF1_SHA256
- MGF1 mask generation function with SHA-256 hashMGF1_SHA384
- MGF1 mask generation function with SHA-384 hashMGF1_SHA512
- MGF1 mask generation function with SHA-512 hash
This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP
. RSAv15
does not require a message digest function, and RSA_OAEP_MGF1P
will always use MGF1_SHA1
regardless of this value.
application.samlv2Configuration.audience
StringAvailable since 1.6.0The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer
and this configuration option lets you change the audience
in the response.
application.samlv2Configuration.authorizedRedirectURLs
Array<String>Available since 1.20.0One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL]
element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL]
element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
application.samlv2Configuration.callbackURL
StringAvailable since 1.6.0DEPRECATEDThe URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
application.samlv2Configuration.debug
BooleanAvailable since 1.6.0Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
application.samlv2Configuration.defaultVerificationKeyId
UUIDAvailable since 1.20.0The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo]
element is not found in the SAML AuthNRequest. If a [KeyInfo]
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
application.samlv2Configuration.enabled
BooleanAvailable since 1.6.0Whether or not the SAML IdP for this Application is enabled or not.
application.samlv2Configuration.initiatedLogin.enabled
BooleanAvailable since 1.41.0Determines if SAML v2 IdP initiated login is enabled for this application.
application.samlv2Configuration.initiatedLogin.nameIdFormat
StringAvailable since 1.41.0The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
application.samlv2Configuration.issuer
StringAvailable since 1.6.0The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
application.samlv2Configuration.keyId
UUIDAvailable since 1.6.0The unique Id of the Key used to sign the SAML response.
application.samlv2Configuration.loginHintConfiguration.enabled
BooleanAvailable since 1.47.0Determines if support for a login hint sent by a SAML service provider is enabled for this application.
application.samlv2Configuration.loginHintConfiguration.parameterName
StringAvailable since 1.47.0The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.
application.samlv2Configuration.logout.behavior
StringAvailable since 1.25.0The possible values are:
AllParticipants
- each session participant that has enabled single logout will be sent a Logout RequestOnlyOriginator
- no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
application.samlv2Configuration.logout.defaultVerificationKeyId
UUIDAvailable since 1.25.0The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo
element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
application.samlv2Configuration.logout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Logout response.
application.samlv2Configuration.logout.requireSignedRequests
BooleanAvailable since 1.25.0When this value is true
all Logout requests missing a signature will be rejected.
application.samlv2Configuration.logout.singleLogout.enabled
BooleanAvailable since 1.25.0Whether or not SAML Single Logout for this SAML IdP is enabled.
application.samlv2Configuration.logout.singleLogout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Single Logout response.
application.samlv2Configuration.logout.singleLogout.url
StringAvailable since 1.25.0The URL at which you want to receive the LogoutRequest
from FusionAuth.
application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logoutURL
StringAvailable since 1.6.0The URL that the browser is taken to after the user logs out of the SAML service provider.
application.samlv2Configuration.requireSignedRequests
BooleanAvailable since 1.20.0When this value is true
all requests missing a signature will be rejected.
application.samlv2Configuration.xmlSignatureC14nMethod
StringAvailable since 1.6.0The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.xmlSignatureLocation
StringAvailable since 1.21.0The location to place the XML signature when signing the SAML response.
The possible values are:
Assertion
- The XML signature will be added as a child element of the Assertion.Response
- The XML signature will be added as a child element of the Response.
application.scopes
ArrayAvailable since 1.50.0An array of OAuth Scope objects.
application.scopes[x].defaultConsentDetail
StringAvailable since 1.50.0The default detail to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].defaultConsentMessage
StringAvailable since 1.50.0The default message to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].description
StringAvailable since 1.50.0A description of the OAuth Scope for internal use.
application.scopes[x].id
UUIDAvailable since 1.50.0The Id of the OAuth Scope.
application.scopes[x].insertInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was added to the FusionAuth database.
application.scopes[x].lastUpdateInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was last updated in the FusionAuth database.
application.scopes[x].name
StringAvailable since 1.50.0The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.
application.scopes[x].required
BooleanAvailable since 1.50.0Determines if the OAuth Scope is required when requested in an OAuth workflow.
application.state
StringAvailable since 1.22.0The current state of the application. The following are valid values:
Active
- The Application is active.Inactive
- The Application is not active. An Application can not be modified or authenticated against when inactive.
application.tenantId
UUIDThe unique Id of the Tenant.
application.themeId
UUIDAvailable since 1.27.0The unique Id of the theme to be used to style the login page and other end user templates.
application.verificationEmailTemplateId
UUIDThe Id of the Email Template that is used to send the Registration Verification emails to users.
application.verifyRegistration
BooleanWhether or not registrations to this Application may be verified.
application.webAuthnConfiguration.bootstrapWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
application.webAuthnConfiguration.enabled
BooleanAvailable since 1.41.0Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false
, WebAuthn workflows are enabled based on the Tenant configuration. If true
, WebAuthn workflows are enabled according to the configuration of this application.
application.webAuthnConfiguration.reauthenticationWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
Example Response JSON for a Single Application
{
"application": {
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908",
"userinfoPopulateId": "faaa713c-befd-43ee-9387-907828f80882"
},
"lastUpdateInstant": 1595361143101,
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"consentMode": "AlwaysPrompt",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"providedScopePolicy": {
"address": {
"enabled": true,
"required": false
},
"email": {
"enabled": true,
"required": false
},
"phone": {
"enabled": true,
"required": false
},
"profile": {
"enabled": true,
"required": false
}
},
"relationship": "FirstParty",
"requireClientAuthentication": true,
"requireRegistration": false,
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"loginHintConfiguration": {
"enabled": true,
"parameterName": "login_hint"
},
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"scopes": [
{
"defaultConsentDetail": "Your calendar data will be used to provide you enhanced reminders",
"defaultConsentMessage": "Read your calendar",
"id": "b1e5afb2-e18f-4174-82c2-1fa7975ac598",
"name": "calendar:read",
"required": true
},
{
"defaultConsentDetail": "Create new events to remind you of upcoming discussions",
"defaultConsentMessage": "Write your calendar",
"id": "a9ae0a21-be87-4f04-850d-20a75020448b",
"name": "calendar:write",
"required": false
}
],
"state": "Active",
"tenantId": "50435e55-6e95-4d54-96d0-9c953dd53eeb",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
Retrieve an Application
This API is used to retrieve one or all of the configured Applications. Specifying an Id on the URI will retrieve a single Application. Leaving off the Id will retrieve all of the Applications.
Request
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
inactive
BooleanSet this parameter to true
in order to retrieve only inactive Applications. Setting this parameter to false
is equivalent omitting the inactive
parameter.
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDThe Id of the Application to retrieve. This request will return the Application if it exists regardless if the Application is active or not.
Response
The response for this API contains either a single Application or all of the Applications. When you call this API with an Id the response will contain just that Application. When you call this API without an Id the response will contain all of the Applications. Both response types are defined below along with an example JSON response.
Response CodesCode | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 | The object you requested doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
application.accessControlConfiguration.uiIPAccessControlListId
UUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to this application.
application.active
BooleanDEPRECATEDWhether or not the Application is active.
Deprecated since 1.22.0In version 1.22.0 and beyond, prefer the use of state .
application.authenticationTokenConfiguration.enabled
BooleanWhether or not Users can have Authentication Tokens associated with this Application.
application.cleanSpeakConfiguration.applicationIds
Array<UUID>An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
application.cleanSpeakConfiguration.enabled
BooleanTrue if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
application.cleanSpeakConfiguration.usernameModeration.applicationId
UUIDThe Id of the CleanSpeak application that usernames are sent to for moderation.
application.cleanSpeakConfiguration.usernameModeration.enabled
BooleanTrue if CleanSpeak username moderation is enabled.
application.data
ObjectAn object that can hold any information about the Application that should be persisted.
application.emailConfiguration.emailVerificationEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.emailUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.emailVerifiedEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.forgotPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginNewDeviceEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginSuspiciousEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordlessEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordResetSuccessEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.setPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.twoFactorMethodAddEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.formConfiguration.adminRegistrationFormId
UUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
application.formConfiguration.selfServiceFormConfiguration.requireCurrentPasswordOnPasswordChange
BooleanAvailable since 1.45.0When enabled a user will be required to provide their current password when changing their password on a self-service account form.
application.formConfiguration.selfServiceFormId
UUIDAvailable since 1.26.0The unique Id of the form to enable authenticated users to manage their profile on the account page.
application.id
UUIDThe unique identifier for this Application.
application.insertInstant
LongAvailable since 1.18.0The instant that the Application was added to the FusionAuth database.
application.jwtConfiguration.accessTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the access token.
application.jwtConfiguration.algorithm
StringDEPRECATEDThe algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.
ES256
- ECDSA using P-256 curve and SHA-256 Available since 1.4.0ES384
- ECDSA using P-384 curve and SHA-384 Available since 1.4.0ES512
- ECDSA using P-521 curve and SHA-512 Available since 1.4.0HS256
- HMAC using SHA-256HS384
- HMAC using SHA-384HS512
- HMAC using SHA-512RS256
- RSASSA-PKCS1-v1_5 using SHA-256RS384
- RSASSA-PKCS1-v1_5 using SHA-384RS512
- RSASSA-PKCS1-v1_5 using SHA-512
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.enabled
BooleanIndicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false
the signing algorithm configured in the Tenant will be used. If true
the signing algorithm defined in this application will be used.
application.jwtConfiguration.idTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the Id token.
application.jwtConfiguration.privateKey
StringDEPRECATEDThe private key used when an RSA
signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.publicKey
StringDEPRECATEDThe public key used when an RSA
signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.refreshTokenExpirationPolicy
StringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed
- the expiration is calculated from the time the token is issued.SlidingWindow
- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime
- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
application.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes
IntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime
.
application.jwtConfiguration.refreshTokenTimeToLiveInMinutes
IntegerAvailable since 1.2.0The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
application.jwtConfiguration.refreshTokenUsagePolicy
StringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable
- the token does not change after it was issued.OneTimeUse
- the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
application.jwtConfiguration.secret
StringDEPRECATEDThe secret used when an HMAC
based signing algorithm has been selected. This secret is used to sign and verify JWTs.
In version 1.5.0 and beyond, when selecting an HMAC
algorithm, the client_secret
from the OAuth configuration will be used to sign and verify the JWTs.
application.jwtConfiguration.timeToLiveInSeconds
IntegerThe length of time in seconds the JWT will live before it is expired and no longer valid.
application.lambdaConfiguration.accessTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
application.lambdaConfiguration.idTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
application.lambdaConfiguration.samlv2PopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
application.lambdaConfiguration.selfServiceRegistrationValidationId
UUIDAvailable since 1.43.0The unique Id of the lambda that will be used to perform additional validation on registration form steps.
application.lambdaConfiguration.userinfoPopulateId
UUIDAvailable since 1.50.0The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.
application.lastUpdateInstant
LongAvailable since 1.18.0The instant that the Application was last updated in the FusionAuth database.
application.name
StringThe name of the Application.
application.loginConfiguration.allowTokenRefresh
BooleanAvailable since 1.5.0Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens
parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
application.loginConfiguration.generateRefreshTokens
BooleanAvailable since 1.5.0Indicates if a Refresh Token should be issued from the Login API.
application.loginConfiguration.requireAuthentication
BooleanAvailable since 1.5.0Indicates if the Login API should require an API key. If you set this value to false
and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
application.multiFactorConfiguration.email.templateId
UUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
application.multiFactorConfiguration.sms.templateId
UUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
application.oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY
will be added to each response to disallow iframe loading.
application.oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
application.oauthConfiguration.authorizedURLValidationPolicy
StringAvailable since 1.43.0Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
application.oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
application.oauthConfiguration.clientId
StringThe OAuth client Id of the Application.
application.oauthConfiguration.clientSecret
StringThe OAuth client secret.
application.oauthConfiguration.consentMode
StringAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
application.oauthConfiguration.debug
BooleanAvailable since 1.25.0Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
application.oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type.
application.oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
application.oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
application.oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
application.oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
application.oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
application.oauthConfiguration.providedScopePolicy.address.enabled
BooleanAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.email.enabled
BooleanAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.phone.enabled
BooleanAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.profile.enabled
BooleanAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.relationship
StringAvailable since 1.50.0The application’s relationship to the OAuth server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on application.oauthConfiguration.consentMode .
application.oauthConfiguration.requireClientAuthentication
BooleanAvailable since 1.3.0DEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy .
application.oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
application.oauthConfiguration.scopeHandlingPolicy
StringAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
application.oauthConfiguration.unknownScopePolicy
StringAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
application.passwordlessConfiguration.enabled
BooleanAvailable since 1.5.0Determines if passwordless login is enabled for this application.
application.registrationConfiguration.birthDate.enabled
BooleanAvailable since 1.4.0Determines if the birthDate
field will be included on the registration form.
application.registrationConfiguration.birthDate.required
BooleanAvailable since 1.4.0Determines if the birthDate
field is required when displayed on the registration form.
application.registrationConfiguration.confirmPassword
BooleanAvailable since 1.4.0Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.
application.registrationConfiguration.enabled
BooleanAvailable since 1.4.0Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.
application.registrationConfiguration.firstName.enabled
BooleanAvailable since 1.4.0Determines if the firstName
field will be included on the registration form.
application.registrationConfiguration.firstName.required
BooleanAvailable since 1.4.0Determines if the firstName
field is required when displayed on the registration form.
application.registrationConfiguration.formId
UUIDAvailable since 1.18.0The Id of an associated Form when using advanced
registration configuration type.
application.registrationConfiguration.fullName.enabled
BooleanAvailable since 1.4.0Determines if the fullName
field will be included on the registration form.
application.registrationConfiguration.fullName.required
BooleanAvailable since 1.4.0Determines if the fullName
field is required when displayed on the registration form.
application.registrationConfiguration.lastName.enabled
BooleanAvailable since 1.4.0Determines if the lastName
field will be included on the registration form.
application.registrationConfiguration.lastName.required
BooleanAvailable since 1.4.0Determines if the lastName
field is required when displayed on the registration form.
application.registrationConfiguration.loginIdType
StringAvailable since 1.4.0The unique login Id that will be collected during registration, this value can be email
or username
. Leaving the default value of email
is preferred because an email address is globally unique.
email
username
application.registrationConfiguration.middleName.enabled
BooleanAvailable since 1.4.0Determines if the middleName
field will be included on the registration form.
application.registrationConfiguration.middleName.required
BooleanAvailable since 1.4.0Determines if the middleName
field is required when displayed on the registration form.
application.registrationConfiguration.mobilePhone.enabled
BooleanAvailable since 1.4.0Determines if the mobilePhone
field will be included on the registration form.
application.registrationConfiguration.mobilePhone.required
BooleanAvailable since 1.4.0Determines if the mobilePhone
field is required when displayed on the registration form.
application.registrationConfiguration.preferredLanguages.enabled
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field will be included on the registration form.
application.registrationConfiguration.preferredLanguages.required
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field is required when displayed on the registration form.
application.registrationConfiguration.type
StringAvailable since 1.18.0The type of registration flow.
Supported values include:
basic
- the basic self registration options available prior to version1.18.0
.advanced
- advanced usage of custom forms, requires a paid plan.
application.registrationDeletePolicy.unverified.enabled
BooleanAvailable since 1.13.0Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
application.registrationDeletePolicy.unverified.enabledInstant
LongAvailable since 1.48.0The instant that this policy was enabled.
User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.
Please note that prior to version 1.48.0
, when enabling this policy all unverified user registrations are eligible for deletion.
application.registrationDeletePolicy.unverified.numberOfDaysToRetain
IntegerAvailable since 1.13.0The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
application.roles
ArrayAn array of Role objects.
application.roles[x].description
StringA description of the role.
application.roles[x].id
UUIDThe Id of the Role.
application.roles[x].name
StringThe name of the Role.
application.roles[x].isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
application.roles[x].isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
application.samlv2Configuration.assertionEncryptionConfiguration.digestAlgorithm
StringAvailable since 1.47.0The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:
SHA1
- SHA-1 hashing algorithmSHA256
- SHA-256 hashing algorithmSHA384
- SHA-384 hashing algorithmSHA512
- SHA-512 hashing algorithm
application.samlv2Configuration.assertionEncryptionConfiguration.enabled
BooleanAvailable since 1.47.0Whether or SAML assertion encryption is enabled for this Application.
application.samlv2Configuration.assertionEncryptionConfiguration.encryptionAlgorithm
StringAvailable since 1.47.0The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:
AES128
- AES in CBC mode with a 128-bit keyAES192
- AES in CBC mode with a 192-bit keyAES256
- AES in CBC mode with a 256-bit keyAES128GCM
- AES using GCM with a 128-bit keyAES192GCM
- AES using GCM with a 192-bit keyAES256GCM
- AES using GCM with a 256-bit keyTripleDES
- Triple DES with a 192-bit key
application.samlv2Configuration.assertionEncryptionConfiguration.keyLocation
StringAvailable since 1.47.0The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData
element containing the encrypted assertion value. The possible values are:
Child
- TheEncryptedKey
element will be wrapped in aKeyInfo
element and added inside theEncryptedData
Sibling
- TheEncryptedKey
element will be added to the document as a sibling ofEncryptedData
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm
StringAvailable since 1.47.0The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:
RSAv15
- RSA version 1.5RSA_OAEP
- RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunctionRSA_OAEP_MGF1P
- RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportEncryptionKeyId
UUIDAvailable since 1.47.0The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response.
application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
StringAvailable since 1.47.0The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:
MGF1_SHA1
- MGF1 mask generation function with SHA-1 hashMGF1_SHA224
- MGF1 mask generation function with SHA-224 hashMGF1_SHA256
- MGF1 mask generation function with SHA-256 hashMGF1_SHA384
- MGF1 mask generation function with SHA-384 hashMGF1_SHA512
- MGF1 mask generation function with SHA-512 hash
This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP
. RSAv15
does not require a message digest function, and RSA_OAEP_MGF1P
will always use MGF1_SHA1
regardless of this value.
application.samlv2Configuration.audience
StringAvailable since 1.6.0The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer
and this configuration option lets you change the audience
in the response.
application.samlv2Configuration.authorizedRedirectURLs
Array<String>Available since 1.20.0One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL]
element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL]
element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
application.samlv2Configuration.callbackURL
StringAvailable since 1.6.0DEPRECATEDThe URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
application.samlv2Configuration.debug
BooleanAvailable since 1.6.0Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
application.samlv2Configuration.defaultVerificationKeyId
UUIDAvailable since 1.20.0The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo]
element is not found in the SAML AuthNRequest. If a [KeyInfo]
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
application.samlv2Configuration.enabled
BooleanAvailable since 1.6.0Whether or not the SAML IdP for this Application is enabled or not.
application.samlv2Configuration.initiatedLogin.enabled
BooleanAvailable since 1.41.0Determines if SAML v2 IdP initiated login is enabled for this application.
application.samlv2Configuration.initiatedLogin.nameIdFormat
StringAvailable since 1.41.0The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
application.samlv2Configuration.issuer
StringAvailable since 1.6.0The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
application.samlv2Configuration.keyId
UUIDAvailable since 1.6.0The unique Id of the Key used to sign the SAML response.
application.samlv2Configuration.loginHintConfiguration.enabled
BooleanAvailable since 1.47.0Determines if support for a login hint sent by a SAML service provider is enabled for this application.
application.samlv2Configuration.loginHintConfiguration.parameterName
StringAvailable since 1.47.0The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.
application.samlv2Configuration.logout.behavior
StringAvailable since 1.25.0The possible values are:
AllParticipants
- each session participant that has enabled single logout will be sent a Logout RequestOnlyOriginator
- no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
application.samlv2Configuration.logout.defaultVerificationKeyId
UUIDAvailable since 1.25.0The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo
element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
application.samlv2Configuration.logout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Logout response.
application.samlv2Configuration.logout.requireSignedRequests
BooleanAvailable since 1.25.0When this value is true
all Logout requests missing a signature will be rejected.
application.samlv2Configuration.logout.singleLogout.enabled
BooleanAvailable since 1.25.0Whether or not SAML Single Logout for this SAML IdP is enabled.
application.samlv2Configuration.logout.singleLogout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Single Logout response.
application.samlv2Configuration.logout.singleLogout.url
StringAvailable since 1.25.0The URL at which you want to receive the LogoutRequest
from FusionAuth.
application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logoutURL
StringAvailable since 1.6.0The URL that the browser is taken to after the user logs out of the SAML service provider.
application.samlv2Configuration.requireSignedRequests
BooleanAvailable since 1.20.0When this value is true
all requests missing a signature will be rejected.
application.samlv2Configuration.xmlSignatureC14nMethod
StringAvailable since 1.6.0The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.xmlSignatureLocation
StringAvailable since 1.21.0The location to place the XML signature when signing the SAML response.
The possible values are:
Assertion
- The XML signature will be added as a child element of the Assertion.Response
- The XML signature will be added as a child element of the Response.
application.scopes
ArrayAvailable since 1.50.0An array of OAuth Scope objects.
application.scopes[x].defaultConsentDetail
StringAvailable since 1.50.0The default detail to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].defaultConsentMessage
StringAvailable since 1.50.0The default message to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].description
StringAvailable since 1.50.0A description of the OAuth Scope for internal use.
application.scopes[x].id
UUIDAvailable since 1.50.0The Id of the OAuth Scope.
application.scopes[x].insertInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was added to the FusionAuth database.
application.scopes[x].lastUpdateInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was last updated in the FusionAuth database.
application.scopes[x].name
StringAvailable since 1.50.0The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.
application.scopes[x].required
BooleanAvailable since 1.50.0Determines if the OAuth Scope is required when requested in an OAuth workflow.
application.state
StringAvailable since 1.22.0The current state of the application. The following are valid values:
Active
- The Application is active.Inactive
- The Application is not active. An Application can not be modified or authenticated against when inactive.
application.tenantId
UUIDThe unique Id of the Tenant.
application.themeId
UUIDAvailable since 1.27.0The unique Id of the theme to be used to style the login page and other end user templates.
application.verificationEmailTemplateId
UUIDThe Id of the Email Template that is used to send the Registration Verification emails to users.
application.verifyRegistration
BooleanWhether or not registrations to this Application may be verified.
application.webAuthnConfiguration.bootstrapWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
application.webAuthnConfiguration.enabled
BooleanAvailable since 1.41.0Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false
, WebAuthn workflows are enabled based on the Tenant configuration. If true
, WebAuthn workflows are enabled according to the configuration of this application.
application.webAuthnConfiguration.reauthenticationWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
Example Response JSON for a Single Application
{
"application": {
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908",
"userinfoPopulateId": "faaa713c-befd-43ee-9387-907828f80882"
},
"lastUpdateInstant": 1595361143101,
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"consentMode": "AlwaysPrompt",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"providedScopePolicy": {
"address": {
"enabled": true,
"required": false
},
"email": {
"enabled": true,
"required": false
},
"phone": {
"enabled": true,
"required": false
},
"profile": {
"enabled": true,
"required": false
}
},
"relationship": "FirstParty",
"requireClientAuthentication": true,
"requireRegistration": false,
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"loginHintConfiguration": {
"enabled": true,
"parameterName": "login_hint"
},
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"scopes": [
{
"defaultConsentDetail": "Your calendar data will be used to provide you enhanced reminders",
"defaultConsentMessage": "Read your calendar",
"id": "b1e5afb2-e18f-4174-82c2-1fa7975ac598",
"name": "calendar:read",
"required": true
},
{
"defaultConsentDetail": "Create new events to remind you of upcoming discussions",
"defaultConsentMessage": "Write your calendar",
"id": "a9ae0a21-be87-4f04-850d-20a75020448b",
"name": "calendar:write",
"required": false
}
],
"state": "Active",
"tenantId": "50435e55-6e95-4d54-96d0-9c953dd53eeb",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
Response Body
applications[x]
ArrayThe list of Application objects.
applications[x].accessControlConfiguration.uiIPAccessControlListId
UUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to this application.
applications[x].active
BooleanDEPRECATEDWhether or not the Application is active.
Deprecated since 1.22.0In version 1.22.0 and beyond, prefer the use of state .
applications[x].authenticationTokenConfiguration.enabled
BooleanWhether or not Users can have Authentication Tokens associated with this Application.
applications[x].cleanSpeakConfiguration.applicationIds
Array<UUID>An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
applications[x].cleanSpeakConfiguration.enabled
BooleanTrue if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
applications[x].cleanSpeakConfiguration.usernameModeration.applicationId
UUIDThe Id of the CleanSpeak application that usernames are sent to for moderation.
applications[x].cleanSpeakConfiguration.usernameModeration.enabled
BooleanTrue if CleanSpeak username moderation is enabled.
applications[x].data
ObjectAn object that can hold any information about the Application that should be persisted.
applications[x].emailConfiguration.emailVerificationEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.emailUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.emailVerifiedEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.forgotPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.loginIdInUseOnCreateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.loginIdInUseOnUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.loginNewDeviceEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.loginSuspiciousEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.passwordlessEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.passwordResetSuccessEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.passwordUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.setPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.twoFactorMethodAddEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].emailConfiguration.twoFactorMethodRemoveEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
applications[x].formConfiguration.adminRegistrationFormId
UUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
applications[x].formConfiguration.selfServiceFormConfiguration.requireCurrentPasswordOnPasswordChange
BooleanAvailable since 1.45.0When enabled a user will be required to provide their current password when changing their password on a self-service account form.
applications[x].formConfiguration.selfServiceFormId
UUIDAvailable since 1.26.0The unique Id of the form to enable authenticated users to manage their profile on the account page.
applications[x].id
UUIDThe unique identifier for this Application.
applications[x].insertInstant
LongAvailable since 1.18.0The instant that the Application was added to the FusionAuth database.
applications[x].jwtConfiguration.accessTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the access token.
applications[x].jwtConfiguration.algorithm
StringDEPRECATEDThe algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.
ES256
- ECDSA using P-256 curve and SHA-256 Available since 1.4.0ES384
- ECDSA using P-384 curve and SHA-384 Available since 1.4.0ES512
- ECDSA using P-521 curve and SHA-512 Available since 1.4.0HS256
- HMAC using SHA-256HS384
- HMAC using SHA-384HS512
- HMAC using SHA-512RS256
- RSASSA-PKCS1-v1_5 using SHA-256RS384
- RSASSA-PKCS1-v1_5 using SHA-384RS512
- RSASSA-PKCS1-v1_5 using SHA-512
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
applications[x].jwtConfiguration.enabled
BooleanIndicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false
the signing algorithm configured in the Tenant will be used. If true
the signing algorithm defined in this application will be used.
applications[x].jwtConfiguration.idTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the Id token.
applications[x].jwtConfiguration.privateKey
StringDEPRECATEDThe private key used when an RSA
signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
applications[x].jwtConfiguration.publicKey
StringDEPRECATEDThe public key used when an RSA
signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
applications[x].jwtConfiguration.refreshTokenExpirationPolicy
StringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed
- the expiration is calculated from the time the token is issued.SlidingWindow
- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime
- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
applications[x].jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes
IntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime
.
applications[x].jwtConfiguration.refreshTokenTimeToLiveInMinutes
IntegerAvailable since 1.2.0The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
applications[x].jwtConfiguration.refreshTokenUsagePolicy
StringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable
- the token does not change after it was issued.OneTimeUse
- the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
applications[x].jwtConfiguration.secret
StringDEPRECATEDThe secret used when an HMAC
based signing algorithm has been selected. This secret is used to sign and verify JWTs.
In version 1.5.0 and beyond, when selecting an HMAC
algorithm, the client_secret
from the OAuth configuration will be used to sign and verify the JWTs.
applications[x].jwtConfiguration.timeToLiveInSeconds
IntegerThe length of time in seconds the JWT will live before it is expired and no longer valid.
applications[x].lambdaConfiguration.accessTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
applications[x].lambdaConfiguration.idTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
applications[x].lambdaConfiguration.samlv2PopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
applications[x].lambdaConfiguration.selfServiceRegistrationValidationId
UUIDAvailable since 1.43.0The unique Id of the lambda that will be used to perform additional validation on registration form steps.
applications[x].lambdaConfiguration.userinfoPopulateId
UUIDAvailable since 1.50.0The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.
applications[x].lastUpdateInstant
LongAvailable since 1.18.0The instant that the Application was last updated in the FusionAuth database.
applications[x].name
StringThe name of the Application.
applications[x].loginConfiguration.allowTokenRefresh
BooleanAvailable since 1.5.0Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens
parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
applications[x].loginConfiguration.generateRefreshTokens
BooleanAvailable since 1.5.0Indicates if a Refresh Token should be issued from the Login API.
applications[x].loginConfiguration.requireAuthentication
BooleanAvailable since 1.5.0Indicates if the Login API should require an API key. If you set this value to false
and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
applications[x].multiFactorConfiguration.email.templateId
UUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
applications[x].multiFactorConfiguration.sms.templateId
UUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
applications[x].oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY
will be added to each response to disallow iframe loading.
applications[x].oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
applications[x].oauthConfiguration.authorizedURLValidationPolicy
StringAvailable since 1.43.0Controls the validation policy for applications[x].oauthConfiguration.authorizedOriginURLs and applications[x].oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
applications[x].oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
applications[x].oauthConfiguration.clientId
StringThe OAuth client Id of the Application.
applications[x].oauthConfiguration.clientSecret
StringThe OAuth client secret.
applications[x].oauthConfiguration.consentMode
StringAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when applications[x].oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
applications[x].oauthConfiguration.debug
BooleanAvailable since 1.25.0Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
applications[x].oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type.
applications[x].oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
applications[x].oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
applications[x].oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
applications[x].oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
applications[x].oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
applications[x].oauthConfiguration.providedScopePolicy.address.enabled
BooleanAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
applications[x].oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
applications[x].oauthConfiguration.providedScopePolicy.email.enabled
BooleanAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
applications[x].oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
applications[x].oauthConfiguration.providedScopePolicy.phone.enabled
BooleanAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
applications[x].oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
applications[x].oauthConfiguration.providedScopePolicy.profile.enabled
BooleanAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
applications[x].oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
applications[x].oauthConfiguration.relationship
StringAvailable since 1.50.0The application’s relationship to the OAuth server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on applications[x].oauthConfiguration.consentMode .
applications[x].oauthConfiguration.requireClientAuthentication
BooleanAvailable since 1.3.0DEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via applications[x].oauthConfiguration.clientAuthenticationPolicy .
applications[x].oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
applications[x].oauthConfiguration.scopeHandlingPolicy
StringAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
applications[x].oauthConfiguration.unknownScopePolicy
StringAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
applications[x].passwordlessConfiguration.enabled
BooleanAvailable since 1.5.0Determines if passwordless login is enabled for this application.
applications[x].registrationConfiguration.birthDate.enabled
BooleanAvailable since 1.4.0Determines if the birthDate
field will be included on the registration form.
applications[x].registrationConfiguration.birthDate.required
BooleanAvailable since 1.4.0Determines if the birthDate
field is required when displayed on the registration form.
applications[x].registrationConfiguration.confirmPassword
BooleanAvailable since 1.4.0Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.
applications[x].registrationConfiguration.enabled
BooleanAvailable since 1.4.0Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.
applications[x].registrationConfiguration.firstName.enabled
BooleanAvailable since 1.4.0Determines if the firstName
field will be included on the registration form.
applications[x].registrationConfiguration.firstName.required
BooleanAvailable since 1.4.0Determines if the firstName
field is required when displayed on the registration form.
applications[x].registrationConfiguration.formId
UUIDAvailable since 1.18.0The Id of an associated Form when using advanced
registration configuration type.
applications[x].registrationConfiguration.fullName.enabled
BooleanAvailable since 1.4.0Determines if the fullName
field will be included on the registration form.
applications[x].registrationConfiguration.fullName.required
BooleanAvailable since 1.4.0Determines if the fullName
field is required when displayed on the registration form.
applications[x].registrationConfiguration.lastName.enabled
BooleanAvailable since 1.4.0Determines if the lastName
field will be included on the registration form.
applications[x].registrationConfiguration.lastName.required
BooleanAvailable since 1.4.0Determines if the lastName
field is required when displayed on the registration form.
applications[x].registrationConfiguration.loginIdType
StringAvailable since 1.4.0The unique login Id that will be collected during registration, this value can be email
or username
. Leaving the default value of email
is preferred because an email address is globally unique.
email
username
applications[x].registrationConfiguration.middleName.enabled
BooleanAvailable since 1.4.0Determines if the middleName
field will be included on the registration form.
applications[x].registrationConfiguration.middleName.required
BooleanAvailable since 1.4.0Determines if the middleName
field is required when displayed on the registration form.
applications[x].registrationConfiguration.mobilePhone.enabled
BooleanAvailable since 1.4.0Determines if the mobilePhone
field will be included on the registration form.
applications[x].registrationConfiguration.mobilePhone.required
BooleanAvailable since 1.4.0Determines if the mobilePhone
field is required when displayed on the registration form.
applications[x].registrationConfiguration.preferredLanguages.enabled
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field will be included on the registration form.
applications[x].registrationConfiguration.preferredLanguages.required
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field is required when displayed on the registration form.
applications[x].registrationConfiguration.type
StringAvailable since 1.18.0The type of registration flow.
Supported values include:
basic
- the basic self registration options available prior to version1.18.0
.advanced
- advanced usage of custom forms, requires a paid plan.
applications[x].registrationDeletePolicy.unverified.enabled
BooleanAvailable since 1.13.0Indicates that users without a verified registration for this application will have their registration permanently deleted after applications[x].registrationDeletePolicy.unverified.numberOfDaysToRetain days.
applications[x].registrationDeletePolicy.unverified.enabledInstant
LongAvailable since 1.48.0The instant that this policy was enabled.
User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.
Please note that prior to version 1.48.0
, when enabling this policy all unverified user registrations are eligible for deletion.
applications[x].registrationDeletePolicy.unverified.numberOfDaysToRetain
IntegerAvailable since 1.13.0The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
applications[x].roles
ArrayAn array of Role objects.
applications[x].roles[x].description
StringA description of the role.
applications[x].roles[x].id
UUIDThe Id of the Role.
applications[x].roles[x].name
StringThe name of the Role.
applications[x].roles[x].isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
applications[x].roles[x].isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
applications[x].samlv2Configuration.assertionEncryptionConfiguration.digestAlgorithm
StringAvailable since 1.47.0The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:
SHA1
- SHA-1 hashing algorithmSHA256
- SHA-256 hashing algorithmSHA384
- SHA-384 hashing algorithmSHA512
- SHA-512 hashing algorithm
applications[x].samlv2Configuration.assertionEncryptionConfiguration.enabled
BooleanAvailable since 1.47.0Whether or SAML assertion encryption is enabled for this Application.
applications[x].samlv2Configuration.assertionEncryptionConfiguration.encryptionAlgorithm
StringAvailable since 1.47.0The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:
AES128
- AES in CBC mode with a 128-bit keyAES192
- AES in CBC mode with a 192-bit keyAES256
- AES in CBC mode with a 256-bit keyAES128GCM
- AES using GCM with a 128-bit keyAES192GCM
- AES using GCM with a 192-bit keyAES256GCM
- AES using GCM with a 256-bit keyTripleDES
- Triple DES with a 192-bit key
applications[x].samlv2Configuration.assertionEncryptionConfiguration.keyLocation
StringAvailable since 1.47.0The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData
element containing the encrypted assertion value. The possible values are:
Child
- TheEncryptedKey
element will be wrapped in aKeyInfo
element and added inside theEncryptedData
Sibling
- TheEncryptedKey
element will be added to the document as a sibling ofEncryptedData
applications[x].samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm
StringAvailable since 1.47.0The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:
RSAv15
- RSA version 1.5RSA_OAEP
- RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunctionRSA_OAEP_MGF1P
- RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash
applications[x].samlv2Configuration.assertionEncryptionConfiguration.keyTransportEncryptionKeyId
UUIDAvailable since 1.47.0The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response.
applications[x].samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
StringAvailable since 1.47.0The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:
MGF1_SHA1
- MGF1 mask generation function with SHA-1 hashMGF1_SHA224
- MGF1 mask generation function with SHA-224 hashMGF1_SHA256
- MGF1 mask generation function with SHA-256 hashMGF1_SHA384
- MGF1 mask generation function with SHA-384 hashMGF1_SHA512
- MGF1 mask generation function with SHA-512 hash
This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP
. RSAv15
does not require a message digest function, and RSA_OAEP_MGF1P
will always use MGF1_SHA1
regardless of this value.
applications[x].samlv2Configuration.audience
StringAvailable since 1.6.0The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer
and this configuration option lets you change the audience
in the response.
applications[x].samlv2Configuration.authorizedRedirectURLs
Array<String>Available since 1.20.0One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL]
element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL]
element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
applications[x].samlv2Configuration.callbackURL
StringAvailable since 1.6.0DEPRECATEDThe URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
applications[x].samlv2Configuration.debug
BooleanAvailable since 1.6.0Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
applications[x].samlv2Configuration.defaultVerificationKeyId
UUIDAvailable since 1.20.0The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo]
element is not found in the SAML AuthNRequest. If a [KeyInfo]
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
applications[x].samlv2Configuration.enabled
BooleanAvailable since 1.6.0Whether or not the SAML IdP for this Application is enabled or not.
applications[x].samlv2Configuration.initiatedLogin.enabled
BooleanAvailable since 1.41.0Determines if SAML v2 IdP initiated login is enabled for this application.
applications[x].samlv2Configuration.initiatedLogin.nameIdFormat
StringAvailable since 1.41.0The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
applications[x].samlv2Configuration.issuer
StringAvailable since 1.6.0The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
applications[x].samlv2Configuration.keyId
UUIDAvailable since 1.6.0The unique Id of the Key used to sign the SAML response.
applications[x].samlv2Configuration.loginHintConfiguration.enabled
BooleanAvailable since 1.47.0Determines if support for a login hint sent by a SAML service provider is enabled for this application.
applications[x].samlv2Configuration.loginHintConfiguration.parameterName
StringAvailable since 1.47.0The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.
applications[x].samlv2Configuration.logout.behavior
StringAvailable since 1.25.0The possible values are:
AllParticipants
- each session participant that has enabled single logout will be sent a Logout RequestOnlyOriginator
- no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
applications[x].samlv2Configuration.logout.defaultVerificationKeyId
UUIDAvailable since 1.25.0The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo
element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
applications[x].samlv2Configuration.logout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Logout response.
applications[x].samlv2Configuration.logout.requireSignedRequests
BooleanAvailable since 1.25.0When this value is true
all Logout requests missing a signature will be rejected.
applications[x].samlv2Configuration.logout.singleLogout.enabled
BooleanAvailable since 1.25.0Whether or not SAML Single Logout for this SAML IdP is enabled.
applications[x].samlv2Configuration.logout.singleLogout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Single Logout response.
applications[x].samlv2Configuration.logout.singleLogout.url
StringAvailable since 1.25.0The URL at which you want to receive the LogoutRequest
from FusionAuth.
applications[x].samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
applications[x].samlv2Configuration.logout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
applications[x].samlv2Configuration.logoutURL
StringAvailable since 1.6.0The URL that the browser is taken to after the user logs out of the SAML service provider.
applications[x].samlv2Configuration.requireSignedRequests
BooleanAvailable since 1.20.0When this value is true
all requests missing a signature will be rejected.
applications[x].samlv2Configuration.xmlSignatureC14nMethod
StringAvailable since 1.6.0The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
applications[x].samlv2Configuration.xmlSignatureLocation
StringAvailable since 1.21.0The location to place the XML signature when signing the SAML response.
The possible values are:
Assertion
- The XML signature will be added as a child element of the Assertion.Response
- The XML signature will be added as a child element of the Response.
applications[x].scopes
ArrayAvailable since 1.50.0An array of OAuth Scope objects.
applications[x].scopes[x].defaultConsentDetail
StringAvailable since 1.50.0The default detail to display on the OAuth consent screen if one cannot be found in the theme.
applications[x].scopes[x].defaultConsentMessage
StringAvailable since 1.50.0The default message to display on the OAuth consent screen if one cannot be found in the theme.
applications[x].scopes[x].description
StringAvailable since 1.50.0A description of the OAuth Scope for internal use.
applications[x].scopes[x].id
UUIDAvailable since 1.50.0The Id of the OAuth Scope.
applications[x].scopes[x].insertInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was added to the FusionAuth database.
applications[x].scopes[x].lastUpdateInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was last updated in the FusionAuth database.
applications[x].scopes[x].name
StringAvailable since 1.50.0The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.
applications[x].scopes[x].required
BooleanAvailable since 1.50.0Determines if the OAuth Scope is required when requested in an OAuth workflow.
applications[x].state
StringAvailable since 1.22.0The current state of the application. The following are valid values:
Active
- The Application is active.Inactive
- The Application is not active. An Application can not be modified or authenticated against when inactive.
applications[x].tenantId
UUIDThe unique Id of the Tenant.
applications[x].themeId
UUIDAvailable since 1.27.0The unique Id of the theme to be used to style the login page and other end user templates.
applications[x].verificationEmailTemplateId
UUIDThe Id of the Email Template that is used to send the Registration Verification emails to users.
applications[x].verifyRegistration
BooleanWhether or not registrations to this Application may be verified.
applications[x].webAuthnConfiguration.bootstrapWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if applications[x].webAuthnConfiguration.enabled is false
.
applications[x].webAuthnConfiguration.enabled
BooleanAvailable since 1.41.0Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false
, WebAuthn workflows are enabled based on the Tenant configuration. If true
, WebAuthn workflows are enabled according to the configuration of this application.
applications[x].webAuthnConfiguration.reauthenticationWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if applications[x].webAuthnConfiguration.enabled is false
.
Example Response JSON for all the Applications
{
"applications": [
{
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908",
"userinfoPopulateId": "faaa713c-befd-43ee-9387-907828f80882"
},
"lastUpdateInstant": 1595361143101,
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"consentMode": "AlwaysPrompt",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"providedScopePolicy": {
"address": {
"enabled": true,
"required": false
},
"email": {
"enabled": true,
"required": false
},
"phone": {
"enabled": true,
"required": false
},
"profile": {
"enabled": true,
"required": false
}
},
"relationship": "FirstParty",
"requireClientAuthentication": true,
"requireRegistration": false,
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"loginHintConfiguration": {
"enabled": true,
"parameterName": "login_hint"
},
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"scopes": [
{
"defaultConsentDetail": "Your calendar data will be used to provide you enhanced reminders",
"defaultConsentMessage": "Read your calendar",
"id": "b1e5afb2-e18f-4174-82c2-1fa7975ac598",
"name": "calendar:read",
"required": true
},
{
"defaultConsentDetail": "Create new events to remind you of upcoming discussions",
"defaultConsentMessage": "Write your calendar",
"id": "a9ae0a21-be87-4f04-850d-20a75020448b",
"name": "calendar:write",
"required": false
}
],
"state": "Active",
"tenantId": "50435e55-6e95-4d54-96d0-9c953dd53eeb",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
]
}
Update an Application
This API is used to update an existing Application.
You must specify all of the properties of the Application when calling this API with the PUT
HTTP method. When used with PUT
, this API doesn’t merge the existing Application and your new data. It replaces the existing Application with your new data.
Utilize the PATCH
HTTP method to send specific changes to merge into an existing Application.
You can’t update an Application’s roles or OAuth scopes via this API. This prevents you from accidentally removing all the roles or scopes of an Application.
To create, update or remove a role from the Application, you need to call one of these APIs:
To create, update or remove an OAuth scope from the Application, you need to call one of these APIs:
Request
When using the PATCH method, you can either use the same request body documentation that is provided for the PUT request for backward compatibility. Or you may use either JSON Patch/RFC 6902] or JSON Merge Patch/RFC 7396. See the PATCH documentation for more information.
When using the PATCH method with a Content-Type
of application/json
the provided request parameters will be merged into the existing object, this means all parameters are optional when using the PATCH method and you only provide the values you want changed. A null
value can be used to remove a value. Patching an Array
will result in all values from the new list being appended to the existing list, this is a known limitation to the current implementation of PATCH.
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body
application.accessControlConfiguration.uiIPAccessControlListId
UUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to this application.
Note: An Enterprise plan is required to utilize IP ACLs.
application.authenticationTokenConfiguration.enabled
BooleanDetermines if Users can have Authentication Tokens associated with this Application. This feature may not be enabled for the FusionAuth application.
application.cleanSpeakConfiguration.applicationIds
Array<UUID>An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
application.cleanSpeakConfiguration.usernameModeration.applicationId
UUIDThe Id of the CleanSpeak application that usernames are sent to for moderation.
application.cleanSpeakConfiguration.usernameModeration.enabled
BooleanTrue if CleanSpeak username moderation is enabled.
application.data
ObjectAn object that can hold any information about the Application that should be persisted.
application.emailConfiguration.additionalHeaders
Array<Object>Available since 1.32.0The additional SMTP headers to be added to each outgoing email. Each SMTP header consists of a name and a value.
application.emailConfiguration.debug
BooleanDefaults to falseAvailable since 1.37.0Determines if debug should be enabled to create an event log to assist in debugging SMTP errors.
application.emailConfiguration.defaultFromEmail
StringAvailable since 1.16.0The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part email address (i.e. Jared Dunn jared@piedpiper.com
).
application.emailConfiguration.defaultFromName
StringAvailable since 1.16.0The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address ( i.e. Jared Dunn jared@piedpiper.com
).
application.emailConfiguration.emailVerificationEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to send emails to users to verify that their email address is valid.
application.emailConfiguration.emailUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.emailVerifiedEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
application.emailConfiguration.forgotPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
application.emailConfiguration.host
StringDefaults to localhostAvailable since 1.8.0The host name of the SMTP server that FusionAuth will use.
Prior to version 1.28.0
this value was required.
application.emailConfiguration.implicitEmailVerificationAllowed
Defaults to trueAvailable since 1.32.0When set to true, this allows email to be verified as a result of completing a similar email based workflow such as change password. When set to false, the user must explicitly complete the email verification workflow even if the user has already completed a similar email workflow such as change password.
application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
application.emailConfiguration.loginNewDeviceEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.loginSuspiciousEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.password
StringAvailable since 1.8.0An optional password FusionAuth will use to authenticate with the SMTP server.
application.emailConfiguration.passwordlessEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
application.emailConfiguration.passwordResetSuccessEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.passwordUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.port
IntegerDefaults to 25Available since 1.8.0The port of the SMTP server that FusionAuth will use.
Prior to version 1.28.0
this value was required.
application.emailConfiguration.properties
StringAvailable since 1.8.0Custom SMTP configuration properties that may be necessary in some cases. This can contain any Java mail property. It will override anything FusionAuth sets by default.
The following property has a default value:
mail.smtp.ssl.protocols
has a default value ofTLSv1 TLSv1.1 TLSv1.2
.
Since version 1.44.0
, the following two properties have default values:
mail.smtp.timeout
has a default value of2000
.mail.smtp.connectiontimeout
has a default value of2000
.
Here’s an example value which overrides these properties; in this case setting both timeout defaults to 5 seconds.
mail.smtp.timeout=5000\nmail.smtp.connectiontimeout=5000
application.emailConfiguration.security
StringDefaults to NONEAvailable since 1.8.0The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
NONE
- no security will be used. All communications will be sent plaintext.SSL
- SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports.TLS
- TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
application.emailConfiguration.setPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.
application.emailConfiguration.twoFactorMethodAddEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
application.emailConfiguration.unverified.allowEmailChangeWhenGated
BooleanDefaults to falseAvailable since 1.27.0When this value is set to true
, the user is allowed to change their email address when they are gated because they haven’t verified their email address.
application.emailConfiguration.unverified.behavior
StringDefaults to AllowAvailable since 1.27.0The desired behavior during login for a user that does not have a verified email. The possible values are:
Allow
- the user will be allowed to complete login.Gated
- verification is required before a user can complete login. The use of this value will require a paid plan.
application.emailConfiguration.username
StringAvailable since 1.8.0An optional username FusionAuth will to authenticate with the SMTP server.
application.emailConfiguration.verificationEmailTemplateId
UUIDThe Id of the Email Template used to send emails to users to verify that their email address is valid. If either the verifyEmail
or verifyEmailWhenChanged
fields are true
, this field is required.
application.emailConfiguration.verificationStrategy
StringAvailable since 1.27.0The process by which the user will verify their email address. The possible values are:
ClickableLink
- send the user a code with a clickable link.FormField
- send the user a short code intended to be manually entered into a form field. This is only available when application.emailConfiguration.unverified.behavior has theGated
value.
application.emailConfiguration.verifyEmail
BooleanDefaults to falseWhether the user’s email addresses are verified when the registers with your application.
application.emailConfiguration.verifyEmailWhenChanged
BooleanDefaults to falseWhether the user’s email addresses are verified when the user changes them.
application.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds
IntegerAvailable since 1.37.0The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.
When this value is not defined, the value defined by tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds is utilized. When this value is defined it will override the tenant configured value.
This configuration is only utilized when application.multiFactorConfiguration.loginPolicy is Enabled
or Required
.
application.formConfiguration.selfServiceFormConfiguration.requireCurrentPasswordOnPasswordChange
BooleanAvailable since 1.45.0When enabled a user will be required to provide their current password when changing their password on a self-service account form.
Note: A paid plan is required to utilize custom forms.
application.formConfiguration.selfServiceFormId
UUIDAvailable since 1.26.0The unique Id of the form to enable authenticated users to manage their profile on the account page.
Note: A paid plan is required to utilize custom forms.
application.jwtConfiguration.accessTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the access token.
application.jwtConfiguration.algorithm
StringDEPRECATEDThe algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.
ES256
- ECDSA using P-256 curve and SHA-256 Available since 1.4.0ES384
- ECDSA using P-384 curve and SHA-384 Available since 1.4.0ES512
- ECDSA using P-521 curve and SHA-512 Available since 1.4.0HS256
- HMAC using SHA-256HS384
- HMAC using SHA-384HS512
- HMAC using SHA-512RS256
- RSASSA-PKCS1-v1_5 using SHA-256RS384
- RSASSA-PKCS1-v1_5 using SHA-384RS512
- RSASSA-PKCS1-v1_5 using SHA-512
Required when enabled
is set to true
.
When an HMAC algorithm is used such as HS256
, HS384
or HS512
, the OAuth client_secret
will be used as the signing secret.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.enabled
BooleanIndicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false
the signing algorithm configured in the Tenant will be used. If true
the signing algorithm defined in this application will be used.
application.jwtConfiguration.idTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the Id token.
application.jwtConfiguration.privateKey
StringDEPRECATEDThe private key used when an RSA
or ECDSA
based signing algorithm has been selected. The private key will be used to sign the JWT. This key is expected to be presented in a PEM encoded format.
Required when enabled
is set to true
and algorithm
is set to an RSA
or ECDSA
based value.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.publicKey
StringDEPRECATEDThe public key used when an RSA
or ECDSA
signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key is expected to be presented in a PEM encoded format.
Required when enabled
is set to true
and algorithm
is set to an RSA
or ECDSA
based value.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.refreshTokenExpirationPolicy
StringDefaults to FixedAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed
- the expiration is calculated from the time the token is issued.SlidingWindow
- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime
- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
application.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes
IntegerDefaults to 43,200Available since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime
. Value must be greater than 0.
When refreshTokenExpirationPolicy is set to SlidingWindowWithMaximumLifetime
, this value must be greater than or equal to refreshTokenTimeToLiveInMinutes .
application.jwtConfiguration.refreshTokenTimeToLiveInMinutes
IntegerAvailable since 1.2.0The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
Required when enabled
is set to true
.
application.jwtConfiguration.refreshTokenUsagePolicy
StringDefaults to ReusableAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable
- the token does not change after it was issued.OneTimeUse
- the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
application.jwtConfiguration.secret
StringDEPRECATEDThe secret used when an HMAC
based signing algorithm has been selected. This secret is used to sign and verify JWTs.
Required when enabled
is set to true
and algorithm
is set to an HMAC
based value.
In version 1.5.0 and beyond, when selecting an HMAC
algorithm, the client_secret
from the OAuth configuration will be used to sign and verify the JWTs.
application.jwtConfiguration.timeToLiveInSeconds
IntegerThe length of time in seconds the JWT will live before it is expired and no longer valid.
Required when enabled
is set to true
.
application.lambdaConfiguration.accessTokenPopulateId
UUIDAvailable since 1.6.0The Id of the lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
application.lambdaConfiguration.idTokenPopulateId
UUIDAvailable since 1.6.0The Id of the lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
application.lambdaConfiguration.samlv2PopulateId
UUIDAvailable since 1.6.0The Id of the lambda that will be invoked when a SAML response is generated during a SAML authentication request.
application.lambdaConfiguration.selfServiceRegistrationValidationId
UUIDAvailable since 1.43.0The Id of the lambda that will be used to perform additional validation on registration form steps.
Note: A paid plan is required to utilize custom forms.
application.lambdaConfiguration.userinfoPopulateId
UUIDAvailable since 1.50.0The Id of the lambda that will be invoked when a UserInfo response is generated for this application.
application.loginConfiguration.allowTokenRefresh
BooleanAvailable since 1.5.0Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens
parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false
to ensure Refresh Tokens cannot be used outside of the Refresh Token Grant.
application.loginConfiguration.generateRefreshTokens
BooleanAvailable since 1.5.0Indicates if a Refresh Token should be issued from the Login API.
If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false
to ensure Refresh Tokens will not be issued outside of the OAuth grants.
application.loginConfiguration.requireAuthentication
BooleanAvailable since 1.5.0Indicates if the Login API should require an API key. If you set this value to false
and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
If you do not intend to use the Login API, or will only be calling this API from a secure backend server, setting this value to true
in order to require an API key is preferred.
application.multiFactorConfiguration.email.templateId
UUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
application.multiFactorConfiguration.loginPolicy
StringAvailable since 1.37.0When enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When required, the user will be required to complete a two-factor challenge during login.
When configured, this value overrides the value configured by the tenant.multiFactorConfiguration.loginPolicy .
Supported values include:
Enabled
- Require a two-factor challenge during login when an eligible method is available.Disabled
- Do not require a two-factor challenge during login.Required
- Require a two-factor challenge during login. A user will be required to configure 2FA if no eligible methods are available. Available since 1.42.0
While this configuration requires a license, in version 1.49.0
or later it may be enabled for the FusionAuth admin application regardless of the license state.
application.multiFactorConfiguration.sms.templateId
UUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
application.multiFactorConfiguration.trustPolicy
StringAvailable since 1.37.0When application.multiFactorConfiguration.loginPolicy is set to Enabled
or Required
, this trust policy is utilized when determining if a user must complete a two-factor challenge during login.
For example, a normal two-factor login flow will result in a trust Id being returned if you set trustComputer equal to true
when completing a Two Factor Login. The returned Trust identifier can be used on subsequent Login requests to keep from being required to complete a Two-Factor login. This configuration determines if that trust value can be utilized for another application.
Supported values include:
Any
- Trust obtained from any application is sufficient to bypass the two-factor challenge.This
- Only trust obtained for this application is sufficient to bypass the two-factor challenge.None
- Never trusted. The user will be required to complete a two-factor challenge during each login attempt.
application.name
StringrequiredThe name of the Application.
application.oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
For improved security, all FusionAuth hosted login pages add an HTTP response header of X-Frame-Options: DENY
. This response header disallows loading the FusionAuth pages from an iframe. To utilize an iframe and load one or more of the FusionAuth hosted login pages, add the iframe page URLs to this property. For that host, FusionAuth will remove the X-Frame-Options
header allowing the page to load in the iframe.
Examples of valid authorized origin URIs:
- https://example.com
- com.myApp://example
- com.myApp:/example
You may now use URLs that do not begin with http
to support native application origins. Prior to this version the value will be validated to begin with http
. This also includes authorized origins that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/example
would fail validation as an invalid URL.
Configured URLs containing wildcards are considered during validation when is set to . Wildcards are allowed in the following positions:
- The left-most subdomain - A full or partial wildcard is allowed in the left-most subdomain. The replacement value cannot contain a
.
. - The port number - A wildcard is allowed in place of the port number. Partial wildcards are not allowed in this position.
- A path segment - A full or partial wildcard is allowed in any path segment. The replacement value cannot contain a
/
. - A query string value - A wildcard is allowed in place of a query string value. Partial wildcards are not allowed in this position. Wildcards are not allowed in query string names.
See the OAuth 2.0 URL Validation page for more detail.
application.oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
Examples of valid redirect URIs:
- https://example.com/redirect
- com.myApp://redirect
- com.myApp:/redirect
You may now use URLs that do not begin with http
to support native application redirect. Prior to this version the value will be validated to begin with http
.
You may now use URLs for application redirects that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/redirect
would fail validation as in invalid URL.
Configured URLs containing wildcards are considered during validation when is set to . Wildcards are allowed in the following positions:
- The left-most subdomain - A full or partial wildcard is allowed in the left-most subdomain. The replacement value cannot contain a
.
. - The port number - A wildcard is allowed in place of the port number. Partial wildcards are not allowed in this position.
- A path segment - A full or partial wildcard is allowed in any path segment. The replacement value cannot contain a
/
. - A query string value - A wildcard is allowed in place of a query string value. Partial wildcards are not allowed in this position. Wildcards are not allowed in query string names.
See the OAuth 2.0 URL Validation page for more detail.
application.oauthConfiguration.authorizedURLValidationPolicy
Available since 1.43.0Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
application.oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
application.oauthConfiguration.clientSecret
StringThe OAuth 2.0 client secret. If you leave this blank during a POST, a secure secret will be generated for you. If you leave this blank during PUT, the previous value will be maintained. For both POST and PUT you can provide a value and it will be stored.
application.oauthConfiguration.consentMode
StringDefaults to AlwaysPromptAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
application.oauthConfiguration.debug
BooleanAvailable since 1.25.0Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
application.oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type, this field is required when device_code
is enabled.
application.oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application. In order to utilize a particular grant with the OAuth 2.0 endpoints you must have enabled the grant.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
application.oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
application.oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
application.oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
application.oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
application.oauthConfiguration.providedScopePolicy.address.enabled
BooleanDefaults to trueAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.email.enabled
BooleanDefaults to trueAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.phone.enabled
BooleanDefaults to trueAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.profile.enabled
BooleanDefaults to trueAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.relationship
StringDefaults to FirstPartyAvailable since 1.50.0The application’s relationship to the OAuth server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on the application object’s oauthConfiguration.consentMode value.
Note: An Essentials or Enterprise plan is required to utilize third-party applications.
application.oauthConfiguration.requireClientAuthentication
BooleanDEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy .
application.oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
application.oauthConfiguration.scopeHandlingPolicy
StringDefaults to StrictAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
application.oauthConfiguration.unknownScopePolicy
StringDefaults to RejectAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
application.passwordlessConfiguration.enabled
BooleanAvailable since 1.5.0Determines if passwordless login is enabled for this application.
application.registrationConfiguration.birthDate.enabled
BooleanAvailable since 1.4.0Determines if the birthDate
field will be included on the registration form.
application.registrationConfiguration.birthDate.required
BooleanAvailable since 1.4.0Determines if the birthDate
field is required when displayed on the registration form.
application.registrationConfiguration.confirmPassword
BooleanAvailable since 1.4.0Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.
application.registrationConfiguration.enabled
BooleanAvailable since 1.4.0Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.
Self service registration cannot be enabled on the FusionAuth application.
If true
, any user logging in to this application using hosted login pages will automatically have a registration created, if they are not already registered.
application.registrationConfiguration.firstName.enabled
BooleanAvailable since 1.4.0Determines if the firstName
field will be included on the registration form.
application.registrationConfiguration.firstName.required
BooleanAvailable since 1.4.0Determines if the firstName
field is required when displayed on the registration form.
application.registrationConfiguration.formId
UUIDAvailable since 1.18.0The Id of an associated Form when using advanced
registration configuration type.
This field is required when application.registrationConfiguration.type is set to advanced
.
application.registrationConfiguration.fullName.enabled
BooleanAvailable since 1.4.0Determines if the fullName
field will be included on the registration form.
application.registrationConfiguration.fullName.required
BooleanAvailable since 1.4.0Determines if the fullName
field is required when displayed on the registration form.
application.registrationConfiguration.lastName.enabled
BooleanAvailable since 1.4.0Determines if the lastName
field will be included on the registration form.
application.registrationConfiguration.lastName.required
BooleanAvailable since 1.4.0Determines if the lastName
field is required when displayed on the registration form.
application.registrationConfiguration.loginIdType
StringAvailable since 1.4.0The unique login Id that will be collected during registration, this value can be email
or username
. Leaving the default value of email
is preferred because an email address is globally unique.
email
username
application.registrationConfiguration.middleName.enabled
BooleanAvailable since 1.4.0Determines if the middleName
field will be included on the registration form.
application.registrationConfiguration.middleName.required
BooleanAvailable since 1.4.0Determines if the middleName
field is required when displayed on the registration form.
application.registrationConfiguration.mobilePhone.enabled
BooleanAvailable since 1.4.0Determines if the mobilePhone
field will be included on the registration form.
application.registrationConfiguration.mobilePhone.required
BooleanAvailable since 1.4.0Determines if the mobilePhone
field is required when displayed on the registration form.
application.registrationConfiguration.preferredLanguages.enabled
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field will be included on the registration form. The default form control will display all available locales.
application.registrationConfiguration.preferredLanguages.required
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field is required when displayed on the registration form.
application.registrationConfiguration.type
StringAvailable since 1.18.0The type of registration flow.
Supported values include:
basic
- the basic self registration options available prior to version1.18.0
.advanced
- advanced usage of custom forms, requires a paid plan.
application.registrationDeletePolicy.unverified.enabled
BooleanAvailable since 1.13.0Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
application.registrationDeletePolicy.unverified.numberOfDaysToRetain
IntegerAvailable since 1.13.0The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. This field is required when application.registrationDeletePolicy.enabled is set to true
. Value must be greater than 0.
application.samlv2Configuration.assertionEncryptionConfiguration.digestAlgorithm
StringAvailable since 1.47.0The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:
SHA1
- SHA-1 hashing algorithmSHA256
- SHA-256 hashing algorithmSHA384
- SHA-384 hashing algorithmSHA512
- SHA-512 hashing algorithm
Using SHA256
or higher is recommended.
application.samlv2Configuration.assertionEncryptionConfiguration.enabled
BooleanAvailable since 1.47.0Determines if SAML assertion encryption is enabled for this Application.
application.samlv2Configuration.assertionEncryptionConfiguration.encryptionAlgorithm
StringAvailable since 1.47.0The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:
AES128
- AES in CBC mode with a 128-bit keyAES192
- AES in CBC mode with a 192-bit keyAES256
- AES in CBC mode with a 256-bit keyAES128GCM
- AES using GCM with a 128-bit keyAES192GCM
- AES using GCM with a 192-bit keyAES256GCM
- AES using GCM with a 256-bit keyTripleDES
- Triple DES with a 192-bit key
Cryptography experts strongly recommend the use of AES using GCM if supported. Availability will depend on whether the SAML Service Provider (SP) supports those algorithms.
application.samlv2Configuration.assertionEncryptionConfiguration.keyLocation
StringAvailable since 1.47.0The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData
element containing the encrypted assertion value. The possible values are:
Child
- TheEncryptedKey
element will be wrapped in aKeyInfo
element and added inside theEncryptedData
Sibling
- TheEncryptedKey
element will be added to the document as a sibling ofEncryptedData
This value will be dictated by the SAML Service Provider (SP) and which options it supports.
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm
StringAvailable since 1.47.0The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:
RSAv15
- RSA version 1.5RSA_OAEP
- RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunctionRSA_OAEP_MGF1P
- RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash
Use of RSAv15
is not recommended but is available for backwards compatibility.
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportEncryptionKeyId
UUIDAvailable since 1.47.0The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response. The selected Key must contain an RSA certificate.
This parameter is required when application.samlv2Configuration.assertionEncryptionConfiguration.enabled is set to true
.
application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
StringAvailable since 1.47.0The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:
MGF1_SHA1
- MGF1 mask generation function with SHA-1 hashMGF1_SHA224
- MGF1 mask generation function with SHA-224 hashMGF1_SHA256
- MGF1 mask generation function with SHA-256 hashMGF1_SHA384
- MGF1 mask generation function with SHA-384 hashMGF1_SHA512
- MGF1 mask generation function with SHA-512 hash
This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP
. RSAv15
does not require a message digest function, and RSA_OAEP_MGF1P
will always use MGF1_SHA1
regardless of this value.
application.samlv2Configuration.audience
StringAvailable since 1.6.0The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer
and this configuration option lets you change the audience
in the response.
application.samlv2Configuration.authorizedRedirectURLs
Array<String>requiredAvailable since 1.20.0One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL]
element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL]
element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
If the application.samlv2Configuration.initiatedLogin.enabled is true
, the particular URL where the user will end up after successful login can be configured by appending a parameter to the Initiate login URL
. The parameter must be either redirect_uri
or RelayState
. The value should be a URL encoded URL present in this field. If both RelayState
and redirect_uri
are present redirect_uri
will be ignored in favor of RelayState
.
application.samlv2Configuration.callbackURL
StringAvailable since 1.6.0DEPRECATEDThe URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated since 1.20.0In version 1.20.0 and beyond, Callback URLs can be managed via application.samlv2Configuration.authorizedRedirectURLs .
application.samlv2Configuration.debug
BooleanAvailable since 1.6.0Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
application.samlv2Configuration.defaultVerificationKeyId
UUIDAvailable since 1.20.0The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo]
element is not found in the SAML AuthNRequest. If a [KeyInfo]
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
This parameter is required when application.samlv2Configuration.requireSignedRequests is set to true
.
application.samlv2Configuration.enabled
BooleanAvailable since 1.6.0Determines if the SAML IdP is enabled for this Application.
application.samlv2Configuration.issuer
StringrequiredAvailable since 1.6.0An issuer
identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration. If you don’t know the issuer
, you can put anything in this field and FusionAuth will display an error message with the issuer
from the service provider when you test the SAML login.
application.samlv2Configuration.initiatedLogin.enabled
BooleanAvailable since 1.41.0Determines if SAML v2 IdP initiated login is enabled for this application. See application.samlv2Configuration.authorizedRedirectURLs for information on which destination URLs are allowed.
application.samlv2Configuration.initiatedLogin.nameIdFormat
StringAvailable since 1.41.0The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
application.samlv2Configuration.keyId
UUIDAvailable since 1.6.0The unique Id of the Key used to sign the SAML response. If you do not specify this property, FusionAuth will create a new key and associate it with this Application.
application.samlv2Configuration.loginHintConfiguration.enabled
BooleanAvailable since 1.47.0When enabled, FusionAuth will accept a username or email address as a login hint on a custom HTTP request parameter.
application.samlv2Configuration.loginHintConfiguration.parameterName
StringAvailable since 1.47.0The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.
application.samlv2Configuration.logout.behavior
StringAvailable since 1.25.0The possible values are:
AllParticipants
- each session participant that has enabled single logout will be sent a Logout RequestOnlyOriginator
- no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
application.samlv2Configuration.logout.defaultVerificationKeyId
UUIDAvailable since 1.25.0The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo
element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
This parameter is required when application.samlv2Configuration.logout.requireSignedRequests is set to true
.
application.samlv2Configuration.logout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Logout response.
When this parameter is omitted, the key defined by application.samlv2Configuration.keyId
will be used.
application.samlv2Configuration.logout.requireSignedRequests
BooleanrequiredAvailable since 1.25.0Set this parameter equal to true
to require the SAML v2 Service Provider to sign the Logout request. When this value is true
all Logout requests missing a signature will be rejected.
When set to true
, the parameter application.samlv2Configuration.logout.defaultVerificationKeyId is required.
application.samlv2Configuration.logout.singleLogout.enabled
BooleanAvailable since 1.25.0Whether or not SAML Single Logout for this SAML IdP is enabled.
application.samlv2Configuration.logout.singleLogout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Single Logout response.
When this parameter is omitted, the key defined by application.samlv2Configuration.keyId
will be used.
application.samlv2Configuration.logout.singleLogout.url
StringAvailable since 1.25.0The URL at which you want to receive the LogoutRequest
from FusionAuth.
Required if application.samlv2Configuration.logout.singleLogout.enabled is true
.
application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logoutURL
StringAvailable since 1.6.0The URL that the browser is taken to after the user logs out of the SAML service provider. Often service providers need this URL in order to correctly hook up single-logout.
This is also the URL that will be sent the SAML v2 LogoutResponse using the same bindings that were used to initiate the logout request with the IdP. For example, if POST bindings were used to initiate the logout request, POST bindings will be used for this LogoutResponse request.
application.samlv2Configuration.requireSignedRequests
BooleanAvailable since 1.20.0Set this parameter equal to true
to require the SAML v2 Service Provider to sign the request. When this value is true
all requests missing a signature will be rejected.
When set to true
, the parameter application.samlv2Configuration.defaultVerificationKeyId is required.
application.samlv2Configuration.xmlSignatureC14nMethod
StringAvailable since 1.6.0The XML signature canonicalization method used when digesting and signing the SAML response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.xmlSignatureLocation
StringAvailable since 1.21.0The location to place the XML signature when signing a successful SAML response.
The possible values are:
Assertion
- The XML signature will be added as a child element of the Assertion.Response
- The XML signature will be added as a child element of the Response.
In most cases the default configuration will be adequate. If you encounter a SAML v2 Service Provider that requires the signature to be a child of the Response, use this configuration to change the signature location. Prior to version 1.21.0
, the XML signature was always located as a child element of the Assertion when the response was successful.
application.themeId
UUIDAvailable since 1.27.0The unique Id of the theme to be used to style the login page and other end user templates.
Note: A paid plan is required to utilize application themes.
application.verificationEmailTemplateId
UUIDThe Id of the Email Template that is used to send the Registration Verification emails to users. If the verifyRegistration
field is true
this field is required.
application.verifyRegistration
BooleanWhether or not registrations to this Application may be verified. When this is set to true
the verificationEmailTemplateId
parameter is also required.
application.webAuthnConfiguration.bootstrapWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
Note: A license is required to utilize WebAuthn
application.webAuthnConfiguration.enabled
BooleanAvailable since 1.41.0Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false
, WebAuthn workflows will be enabled based on the Tenant configuration. If true
, WebAuthn workflows will be enabled according to the configuration of this application.
Note: A license is required to utilize WebAuthn
application.webAuthnConfiguration.reauthenticationWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
Note: A license is required to utilize WebAuthn
webhookIds
Array<UUID>DEPRECATEDAn array of Webhook Ids. For Webhooks that are not already configured for All Applications, specifying an Id on this request will indicate the associated Webhook should handle events for this application.
Removed in 1.37.0In version 1.37.0 and beyond, Webhooks configuration can be managed in the Tenant API.
Example Request JSON
{
"application": {
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908",
"userinfoPopulateId": "faaa713c-befd-43ee-9387-907828f80882"
},
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"consentMode": "AlwaysPrompt",
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"relationship": "FirstParty",
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
Response
The response for this API contains the new information for the Application that was updated.
Response CodesCode | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 | The object you are trying to update doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
application.accessControlConfiguration.uiIPAccessControlListId
UUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to this application.
application.active
BooleanDEPRECATEDWhether or not the Application is active.
Deprecated since 1.22.0In version 1.22.0 and beyond, prefer the use of state .
application.authenticationTokenConfiguration.enabled
BooleanWhether or not Users can have Authentication Tokens associated with this Application.
application.cleanSpeakConfiguration.applicationIds
Array<UUID>An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
application.cleanSpeakConfiguration.enabled
BooleanTrue if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
application.cleanSpeakConfiguration.usernameModeration.applicationId
UUIDThe Id of the CleanSpeak application that usernames are sent to for moderation.
application.cleanSpeakConfiguration.usernameModeration.enabled
BooleanTrue if CleanSpeak username moderation is enabled.
application.data
ObjectAn object that can hold any information about the Application that should be persisted.
application.emailConfiguration.emailVerificationEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.emailUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.emailVerifiedEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.forgotPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginNewDeviceEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginSuspiciousEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordlessEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordResetSuccessEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.setPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.twoFactorMethodAddEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.formConfiguration.adminRegistrationFormId
UUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
application.formConfiguration.selfServiceFormConfiguration.requireCurrentPasswordOnPasswordChange
BooleanAvailable since 1.45.0When enabled a user will be required to provide their current password when changing their password on a self-service account form.
application.formConfiguration.selfServiceFormId
UUIDAvailable since 1.26.0The unique Id of the form to enable authenticated users to manage their profile on the account page.
application.id
UUIDThe unique identifier for this Application.
application.insertInstant
LongAvailable since 1.18.0The instant that the Application was added to the FusionAuth database.
application.jwtConfiguration.accessTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the access token.
application.jwtConfiguration.algorithm
StringDEPRECATEDThe algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.
ES256
- ECDSA using P-256 curve and SHA-256 Available since 1.4.0ES384
- ECDSA using P-384 curve and SHA-384 Available since 1.4.0ES512
- ECDSA using P-521 curve and SHA-512 Available since 1.4.0HS256
- HMAC using SHA-256HS384
- HMAC using SHA-384HS512
- HMAC using SHA-512RS256
- RSASSA-PKCS1-v1_5 using SHA-256RS384
- RSASSA-PKCS1-v1_5 using SHA-384RS512
- RSASSA-PKCS1-v1_5 using SHA-512
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.enabled
BooleanIndicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false
the signing algorithm configured in the Tenant will be used. If true
the signing algorithm defined in this application will be used.
application.jwtConfiguration.idTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the Id token.
application.jwtConfiguration.privateKey
StringDEPRECATEDThe private key used when an RSA
signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.publicKey
StringDEPRECATEDThe public key used when an RSA
signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.refreshTokenExpirationPolicy
StringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed
- the expiration is calculated from the time the token is issued.SlidingWindow
- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime
- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
application.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes
IntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime
.
application.jwtConfiguration.refreshTokenTimeToLiveInMinutes
IntegerAvailable since 1.2.0The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
application.jwtConfiguration.refreshTokenUsagePolicy
StringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable
- the token does not change after it was issued.OneTimeUse
- the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
application.jwtConfiguration.secret
StringDEPRECATEDThe secret used when an HMAC
based signing algorithm has been selected. This secret is used to sign and verify JWTs.
In version 1.5.0 and beyond, when selecting an HMAC
algorithm, the client_secret
from the OAuth configuration will be used to sign and verify the JWTs.
application.jwtConfiguration.timeToLiveInSeconds
IntegerThe length of time in seconds the JWT will live before it is expired and no longer valid.
application.lambdaConfiguration.accessTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
application.lambdaConfiguration.idTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
application.lambdaConfiguration.samlv2PopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
application.lambdaConfiguration.selfServiceRegistrationValidationId
UUIDAvailable since 1.43.0The unique Id of the lambda that will be used to perform additional validation on registration form steps.
application.lambdaConfiguration.userinfoPopulateId
UUIDAvailable since 1.50.0The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.
application.lastUpdateInstant
LongAvailable since 1.18.0The instant that the Application was last updated in the FusionAuth database.
application.name
StringThe name of the Application.
application.loginConfiguration.allowTokenRefresh
BooleanAvailable since 1.5.0Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens
parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
application.loginConfiguration.generateRefreshTokens
BooleanAvailable since 1.5.0Indicates if a Refresh Token should be issued from the Login API.
application.loginConfiguration.requireAuthentication
BooleanAvailable since 1.5.0Indicates if the Login API should require an API key. If you set this value to false
and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
application.multiFactorConfiguration.email.templateId
UUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
application.multiFactorConfiguration.sms.templateId
UUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
application.oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY
will be added to each response to disallow iframe loading.
application.oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
application.oauthConfiguration.authorizedURLValidationPolicy
StringAvailable since 1.43.0Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
application.oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
application.oauthConfiguration.clientId
StringThe OAuth client Id of the Application.
application.oauthConfiguration.clientSecret
StringThe OAuth client secret.
application.oauthConfiguration.consentMode
StringAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
application.oauthConfiguration.debug
BooleanAvailable since 1.25.0Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
application.oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type.
application.oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
application.oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
application.oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
application.oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
application.oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
application.oauthConfiguration.providedScopePolicy.address.enabled
BooleanAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.email.enabled
BooleanAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.phone.enabled
BooleanAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.profile.enabled
BooleanAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.relationship
StringAvailable since 1.50.0The application’s relationship to the OAuth server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on application.oauthConfiguration.consentMode .
application.oauthConfiguration.requireClientAuthentication
BooleanAvailable since 1.3.0DEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy .
application.oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
application.oauthConfiguration.scopeHandlingPolicy
StringAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
application.oauthConfiguration.unknownScopePolicy
StringAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
application.passwordlessConfiguration.enabled
BooleanAvailable since 1.5.0Determines if passwordless login is enabled for this application.
application.registrationConfiguration.birthDate.enabled
BooleanAvailable since 1.4.0Determines if the birthDate
field will be included on the registration form.
application.registrationConfiguration.birthDate.required
BooleanAvailable since 1.4.0Determines if the birthDate
field is required when displayed on the registration form.
application.registrationConfiguration.confirmPassword
BooleanAvailable since 1.4.0Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.
application.registrationConfiguration.enabled
BooleanAvailable since 1.4.0Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.
application.registrationConfiguration.firstName.enabled
BooleanAvailable since 1.4.0Determines if the firstName
field will be included on the registration form.
application.registrationConfiguration.firstName.required
BooleanAvailable since 1.4.0Determines if the firstName
field is required when displayed on the registration form.
application.registrationConfiguration.formId
UUIDAvailable since 1.18.0The Id of an associated Form when using advanced
registration configuration type.
application.registrationConfiguration.fullName.enabled
BooleanAvailable since 1.4.0Determines if the fullName
field will be included on the registration form.
application.registrationConfiguration.fullName.required
BooleanAvailable since 1.4.0Determines if the fullName
field is required when displayed on the registration form.
application.registrationConfiguration.lastName.enabled
BooleanAvailable since 1.4.0Determines if the lastName
field will be included on the registration form.
application.registrationConfiguration.lastName.required
BooleanAvailable since 1.4.0Determines if the lastName
field is required when displayed on the registration form.
application.registrationConfiguration.loginIdType
StringAvailable since 1.4.0The unique login Id that will be collected during registration, this value can be email
or username
. Leaving the default value of email
is preferred because an email address is globally unique.
email
username
application.registrationConfiguration.middleName.enabled
BooleanAvailable since 1.4.0Determines if the middleName
field will be included on the registration form.
application.registrationConfiguration.middleName.required
BooleanAvailable since 1.4.0Determines if the middleName
field is required when displayed on the registration form.
application.registrationConfiguration.mobilePhone.enabled
BooleanAvailable since 1.4.0Determines if the mobilePhone
field will be included on the registration form.
application.registrationConfiguration.mobilePhone.required
BooleanAvailable since 1.4.0Determines if the mobilePhone
field is required when displayed on the registration form.
application.registrationConfiguration.preferredLanguages.enabled
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field will be included on the registration form.
application.registrationConfiguration.preferredLanguages.required
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field is required when displayed on the registration form.
application.registrationConfiguration.type
StringAvailable since 1.18.0The type of registration flow.
Supported values include:
basic
- the basic self registration options available prior to version1.18.0
.advanced
- advanced usage of custom forms, requires a paid plan.
application.registrationDeletePolicy.unverified.enabled
BooleanAvailable since 1.13.0Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
application.registrationDeletePolicy.unverified.enabledInstant
LongAvailable since 1.48.0The instant that this policy was enabled.
User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.
Please note that prior to version 1.48.0
, when enabling this policy all unverified user registrations are eligible for deletion.
application.registrationDeletePolicy.unverified.numberOfDaysToRetain
IntegerAvailable since 1.13.0The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
application.roles
ArrayAn array of Role objects.
application.roles[x].description
StringA description of the role.
application.roles[x].id
UUIDThe Id of the Role.
application.roles[x].name
StringThe name of the Role.
application.roles[x].isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
application.roles[x].isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
application.samlv2Configuration.assertionEncryptionConfiguration.digestAlgorithm
StringAvailable since 1.47.0The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:
SHA1
- SHA-1 hashing algorithmSHA256
- SHA-256 hashing algorithmSHA384
- SHA-384 hashing algorithmSHA512
- SHA-512 hashing algorithm
application.samlv2Configuration.assertionEncryptionConfiguration.enabled
BooleanAvailable since 1.47.0Whether or SAML assertion encryption is enabled for this Application.
application.samlv2Configuration.assertionEncryptionConfiguration.encryptionAlgorithm
StringAvailable since 1.47.0The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:
AES128
- AES in CBC mode with a 128-bit keyAES192
- AES in CBC mode with a 192-bit keyAES256
- AES in CBC mode with a 256-bit keyAES128GCM
- AES using GCM with a 128-bit keyAES192GCM
- AES using GCM with a 192-bit keyAES256GCM
- AES using GCM with a 256-bit keyTripleDES
- Triple DES with a 192-bit key
application.samlv2Configuration.assertionEncryptionConfiguration.keyLocation
StringAvailable since 1.47.0The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData
element containing the encrypted assertion value. The possible values are:
Child
- TheEncryptedKey
element will be wrapped in aKeyInfo
element and added inside theEncryptedData
Sibling
- TheEncryptedKey
element will be added to the document as a sibling ofEncryptedData
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm
StringAvailable since 1.47.0The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:
RSAv15
- RSA version 1.5RSA_OAEP
- RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunctionRSA_OAEP_MGF1P
- RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportEncryptionKeyId
UUIDAvailable since 1.47.0The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response.
application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
StringAvailable since 1.47.0The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:
MGF1_SHA1
- MGF1 mask generation function with SHA-1 hashMGF1_SHA224
- MGF1 mask generation function with SHA-224 hashMGF1_SHA256
- MGF1 mask generation function with SHA-256 hashMGF1_SHA384
- MGF1 mask generation function with SHA-384 hashMGF1_SHA512
- MGF1 mask generation function with SHA-512 hash
This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP
. RSAv15
does not require a message digest function, and RSA_OAEP_MGF1P
will always use MGF1_SHA1
regardless of this value.
application.samlv2Configuration.audience
StringAvailable since 1.6.0The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer
and this configuration option lets you change the audience
in the response.
application.samlv2Configuration.authorizedRedirectURLs
Array<String>Available since 1.20.0One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL]
element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL]
element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
application.samlv2Configuration.callbackURL
StringAvailable since 1.6.0DEPRECATEDThe URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
application.samlv2Configuration.debug
BooleanAvailable since 1.6.0Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
application.samlv2Configuration.defaultVerificationKeyId
UUIDAvailable since 1.20.0The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo]
element is not found in the SAML AuthNRequest. If a [KeyInfo]
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
application.samlv2Configuration.enabled
BooleanAvailable since 1.6.0Whether or not the SAML IdP for this Application is enabled or not.
application.samlv2Configuration.initiatedLogin.enabled
BooleanAvailable since 1.41.0Determines if SAML v2 IdP initiated login is enabled for this application.
application.samlv2Configuration.initiatedLogin.nameIdFormat
StringAvailable since 1.41.0The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
application.samlv2Configuration.issuer
StringAvailable since 1.6.0The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
application.samlv2Configuration.keyId
UUIDAvailable since 1.6.0The unique Id of the Key used to sign the SAML response.
application.samlv2Configuration.loginHintConfiguration.enabled
BooleanAvailable since 1.47.0Determines if support for a login hint sent by a SAML service provider is enabled for this application.
application.samlv2Configuration.loginHintConfiguration.parameterName
StringAvailable since 1.47.0The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.
application.samlv2Configuration.logout.behavior
StringAvailable since 1.25.0The possible values are:
AllParticipants
- each session participant that has enabled single logout will be sent a Logout RequestOnlyOriginator
- no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
application.samlv2Configuration.logout.defaultVerificationKeyId
UUIDAvailable since 1.25.0The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo
element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
application.samlv2Configuration.logout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Logout response.
application.samlv2Configuration.logout.requireSignedRequests
BooleanAvailable since 1.25.0When this value is true
all Logout requests missing a signature will be rejected.
application.samlv2Configuration.logout.singleLogout.enabled
BooleanAvailable since 1.25.0Whether or not SAML Single Logout for this SAML IdP is enabled.
application.samlv2Configuration.logout.singleLogout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Single Logout response.
application.samlv2Configuration.logout.singleLogout.url
StringAvailable since 1.25.0The URL at which you want to receive the LogoutRequest
from FusionAuth.
application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logoutURL
StringAvailable since 1.6.0The URL that the browser is taken to after the user logs out of the SAML service provider.
application.samlv2Configuration.requireSignedRequests
BooleanAvailable since 1.20.0When this value is true
all requests missing a signature will be rejected.
application.samlv2Configuration.xmlSignatureC14nMethod
StringAvailable since 1.6.0The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.xmlSignatureLocation
StringAvailable since 1.21.0The location to place the XML signature when signing the SAML response.
The possible values are:
Assertion
- The XML signature will be added as a child element of the Assertion.Response
- The XML signature will be added as a child element of the Response.
application.scopes
ArrayAvailable since 1.50.0An array of OAuth Scope objects.
application.scopes[x].defaultConsentDetail
StringAvailable since 1.50.0The default detail to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].defaultConsentMessage
StringAvailable since 1.50.0The default message to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].description
StringAvailable since 1.50.0A description of the OAuth Scope for internal use.
application.scopes[x].id
UUIDAvailable since 1.50.0The Id of the OAuth Scope.
application.scopes[x].insertInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was added to the FusionAuth database.
application.scopes[x].lastUpdateInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was last updated in the FusionAuth database.
application.scopes[x].name
StringAvailable since 1.50.0The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.
application.scopes[x].required
BooleanAvailable since 1.50.0Determines if the OAuth Scope is required when requested in an OAuth workflow.
application.state
StringAvailable since 1.22.0The current state of the application. The following are valid values:
Active
- The Application is active.Inactive
- The Application is not active. An Application can not be modified or authenticated against when inactive.
application.tenantId
UUIDThe unique Id of the Tenant.
application.themeId
UUIDAvailable since 1.27.0The unique Id of the theme to be used to style the login page and other end user templates.
application.verificationEmailTemplateId
UUIDThe Id of the Email Template that is used to send the Registration Verification emails to users.
application.verifyRegistration
BooleanWhether or not registrations to this Application may be verified.
application.webAuthnConfiguration.bootstrapWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
application.webAuthnConfiguration.enabled
BooleanAvailable since 1.41.0Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false
, WebAuthn workflows are enabled based on the Tenant configuration. If true
, WebAuthn workflows are enabled according to the configuration of this application.
application.webAuthnConfiguration.reauthenticationWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
Example Response JSON for a Single Application
{
"application": {
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908",
"userinfoPopulateId": "faaa713c-befd-43ee-9387-907828f80882"
},
"lastUpdateInstant": 1595361143101,
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"consentMode": "AlwaysPrompt",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"providedScopePolicy": {
"address": {
"enabled": true,
"required": false
},
"email": {
"enabled": true,
"required": false
},
"phone": {
"enabled": true,
"required": false
},
"profile": {
"enabled": true,
"required": false
}
},
"relationship": "FirstParty",
"requireClientAuthentication": true,
"requireRegistration": false,
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"loginHintConfiguration": {
"enabled": true,
"parameterName": "login_hint"
},
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"scopes": [
{
"defaultConsentDetail": "Your calendar data will be used to provide you enhanced reminders",
"defaultConsentMessage": "Read your calendar",
"id": "b1e5afb2-e18f-4174-82c2-1fa7975ac598",
"name": "calendar:read",
"required": true
},
{
"defaultConsentDetail": "Create new events to remind you of upcoming discussions",
"defaultConsentMessage": "Write your calendar",
"id": "a9ae0a21-be87-4f04-850d-20a75020448b",
"name": "calendar:write",
"required": false
}
],
"state": "Active",
"tenantId": "50435e55-6e95-4d54-96d0-9c953dd53eeb",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
Search for Applications
This API has been available since 1.45.0
This API is used to search for Applications and may be called using the GET
or POST
HTTP methods. Examples of each are provided below. The POST
method is provided to allow for a richer request object without worrying about exceeding the maximum length of a URL. Calling this API with either the GET
or POST
HTTP method will provide the same search results given the same query parameters.
Request
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
expand
Array<String>Defaults to [roles, scopes]Available since 1.50.0This parameter allows you to optionally remove the roles
and scopes
from the API response. Removing these fields from the response may improve performance on large search requests.
For backwards compatibility, the default behavior will be to return both roles
and scopes
.
To request only the roles
but omit the scopes
from the response, provide a value of [roles]
. To omit both the roles
and scopes
from the response, provide a value of []
.
name
StringThe case-insensitive string to search for in the Application name. This can contain wildcards using the asterisk character (*
). If no wildcards are present, this parameter value will be interpreted as *value*
.
numberOfResults
IntegerDefaults to 25The number of results to return from the search.
orderBy
StringDefaults to name ASCThe database field to order the search results as well as an order direction.
The possible values are:
id
- the unique Id of the ApplicationinsertInstant
- the instant when the Application was createdname
- the Application nametenant
- the name of the Tenant in which the Application belongs
The order direction is optional. Possible values of the order direction are ASC
or DESC
. If omitted, the default sort order is ASC
.
For example, to order the results by the insert instant in a descending order, use insertInstant DESC
.
startRow
IntegerDefaults to 0The offset into the total results. In order to paginate the results, increment this value by the numberOfResults for subsequent requests.
For example, if the total search results are greater than the page size designated by numberOfResults , set this value to 25
to retrieve results 26-50
, assuming the default page size.
state
StringFilters on the state of the Application. Can be omitted to retrieve both active and inactive Applications.
The possible values are:
Active
- The Application is active.Inactive
- The Application is not active. An Application can not be modified or authenticated against when inactive.
tenantId
UUIDRestricts the results to Applications belonging to the given Tenant. This parameter will be overridden if the request contains an X-FusionAuth-TenantId
header, or if the supplied API key is scoped to a specific Tenant.
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
When calling the API using a POST
request you will send the search criteria in a JSON request body.
Request Body
expand
Array<String>Defaults to [roles, scopes]Available since 1.50.0This parameter allows you to optionally remove the roles
and scopes
from the API response. Removing these fields from the response may improve performance on large search requests.
For backwards compatibility, the default behavior will be to return both roles
and scopes
.
To request only the roles
but omit the scopes
from the response, provide a value of [roles]
. To omit both the roles
and scopes
from the response, provide a value of []
.
search.name
StringThe case-insensitive string to search for in the Application name. This can contain wildcards using the asterisk character (*
). If no wildcards are present, this parameter value will be interpreted as *value*
.
search.numberOfResults
IntegerDefaults to 25The number of results to return from the search.
search.orderBy
StringDefaults to name ASCThe database field to order the search results as well as an order direction.
The possible values are:
id
- the unique Id of the ApplicationinsertInstant
- the instant when the Application was createdname
- the Application nametenant
- the name of the Tenant in which the Application belongs
The order direction is optional. Possible values of the order direction are ASC
or DESC
. If omitted, the default sort order is ASC
.
For example, to order the results by the insert instant in a descending order, use insertInstant DESC
.
search.startRow
IntegerDefaults to 0The offset into the total results. In order to paginate the results, increment this value by the numberOfResults for subsequent requests.
For example, if the total search results are greater than the page size designated by numberOfResults , set this value to 25
to retrieve results 26-50
, assuming the default page size.
search.state
StringFilters on the state of the Application. Can be omitted to retrieve both active and inactive Applications.
The possible values are:
Active
- The Application is active.Inactive
- The Application is not active. An Application can not be modified or authenticated against when inactive.
search.tenantId
UUIDRestricts the results to Applications belonging to the given Tenant. This parameter will be overridden if the request contains an X-FusionAuth-TenantId
header, or if the supplied API key is scoped to a specific Tenant.
Example JSON Request
{
"search": {
"name": "Forum",
"state": "Active",
"tenantId": "50435e55-6e95-4d54-96d0-9c953dd53eeb",
"numberOfResults": 25,
"orderBy": "insertInstant",
"startRow": 0
}
}
Response
The response for this API contains the Applications matching the search criteria in paginated format.
Response CodesCode | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
applications
ArrayThe list of Application objects.
applications.accessControlConfiguration.uiIPAccessControlListId
UUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to this application.
applications.active
BooleanDEPRECATEDWhether or not the Application is active.
Deprecated since 1.22.0In version 1.22.0 and beyond, prefer the use of state .
applications.authenticationTokenConfiguration.enabled
BooleanWhether or not Users can have Authentication Tokens associated with this Application.
applications.cleanSpeakConfiguration.applicationIds
Array<UUID>An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
applications.cleanSpeakConfiguration.enabled
BooleanTrue if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
applications.cleanSpeakConfiguration.usernameModeration.applicationId
UUIDThe Id of the CleanSpeak application that usernames are sent to for moderation.
applications.cleanSpeakConfiguration.usernameModeration.enabled
BooleanTrue if CleanSpeak username moderation is enabled.
applications.data
ObjectAn object that can hold any information about the Application that should be persisted.
applications.emailConfiguration.emailVerificationEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to send emails to users to verify that their email address is valid.
applications.emailConfiguration.emailUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated.
applications.emailConfiguration.emailVerifiedEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified.
applications.emailConfiguration.forgotPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email.
applications.emailConfiguration.loginIdInUseOnCreateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id.
applications.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id.
applications.emailConfiguration.loginNewDeviceEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device.
applications.emailConfiguration.loginSuspiciousEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs.
applications.emailConfiguration.passwordlessEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login.
applications.emailConfiguration.passwordResetSuccessEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset.
applications.emailConfiguration.passwordUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated.
applications.emailConfiguration.setPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.
applications.emailConfiguration.twoFactorMethodAddEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account.
applications.emailConfiguration.twoFactorMethodRemoveEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account.
applications.formConfiguration.adminRegistrationFormId
UUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
applications.formConfiguration.selfServiceFormConfiguration.requireCurrentPasswordOnPasswordChange
BooleanAvailable since 1.45.0When enabled a user will be required to provide their current password when changing their password on a self-service account form.
applications.formConfiguration.selfServiceFormId
UUIDAvailable since 1.26.0The unique Id of the form to enable authenticated users to manage their profile on the account page.
applications.id
UUIDThe unique identifier for this Application.
applications.insertInstant
LongAvailable since 1.18.0The instant that the Application was added to the FusionAuth database.
applications.jwtConfiguration.accessTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the access token.
applications.jwtConfiguration.algorithm
StringDEPRECATEDThe algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.
ES256
- ECDSA using P-256 curve and SHA-256 Available since 1.4.0ES384
- ECDSA using P-384 curve and SHA-384 Available since 1.4.0ES512
- ECDSA using P-521 curve and SHA-512 Available since 1.4.0HS256
- HMAC using SHA-256HS384
- HMAC using SHA-384HS512
- HMAC using SHA-512RS256
- RSASSA-PKCS1-v1_5 using SHA-256RS384
- RSASSA-PKCS1-v1_5 using SHA-384RS512
- RSASSA-PKCS1-v1_5 using SHA-512
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
applications.jwtConfiguration.enabled
BooleanIndicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false
the signing algorithm configured in the Tenant will be used. If true
the signing algorithm defined in this application will be used.
applications.jwtConfiguration.idTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the Id token.
applications.jwtConfiguration.privateKey
StringDEPRECATEDThe private key used when an RSA
signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
applications.jwtConfiguration.publicKey
StringDEPRECATEDThe public key used when an RSA
signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
applications.jwtConfiguration.refreshTokenExpirationPolicy
StringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed
- the expiration is calculated from the time the token is issued.SlidingWindow
- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime
- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
applications.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes
IntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime
.
applications.jwtConfiguration.refreshTokenTimeToLiveInMinutes
IntegerAvailable since 1.2.0The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
applications.jwtConfiguration.refreshTokenUsagePolicy
StringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable
- the token does not change after it was issued.OneTimeUse
- the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
applications.jwtConfiguration.secret
StringDEPRECATEDThe secret used when an HMAC
based signing algorithm has been selected. This secret is used to sign and verify JWTs.
In version 1.5.0 and beyond, when selecting an HMAC
algorithm, the client_secret
from the OAuth configuration will be used to sign and verify the JWTs.
applications.jwtConfiguration.timeToLiveInSeconds
IntegerThe length of time in seconds the JWT will live before it is expired and no longer valid.
applications.lambdaConfiguration.accessTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
applications.lambdaConfiguration.idTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
applications.lambdaConfiguration.samlv2PopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
applications.lambdaConfiguration.selfServiceRegistrationValidationId
UUIDAvailable since 1.43.0The unique Id of the lambda that will be used to perform additional validation on registration form steps.
applications.lambdaConfiguration.userinfoPopulateId
UUIDAvailable since 1.50.0The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.
applications.lastUpdateInstant
LongAvailable since 1.18.0The instant that the Application was last updated in the FusionAuth database.
applications.name
StringThe name of the Application.
applications.loginConfiguration.allowTokenRefresh
BooleanAvailable since 1.5.0Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens
parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
applications.loginConfiguration.generateRefreshTokens
BooleanAvailable since 1.5.0Indicates if a Refresh Token should be issued from the Login API.
applications.loginConfiguration.requireAuthentication
BooleanAvailable since 1.5.0Indicates if the Login API should require an API key. If you set this value to false
and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
applications.multiFactorConfiguration.email.templateId
UUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
applications.multiFactorConfiguration.sms.templateId
UUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
applications.oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY
will be added to each response to disallow iframe loading.
applications.oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
applications.oauthConfiguration.authorizedURLValidationPolicy
StringAvailable since 1.43.0Controls the validation policy for applications.oauthConfiguration.authorizedOriginURLs and applications.oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
applications.oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
applications.oauthConfiguration.clientId
StringThe OAuth client Id of the Application.
applications.oauthConfiguration.clientSecret
StringThe OAuth client secret.
applications.oauthConfiguration.consentMode
StringAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when applications.oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
applications.oauthConfiguration.debug
BooleanAvailable since 1.25.0Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
applications.oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type.
applications.oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
applications.oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
applications.oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
applications.oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
applications.oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
applications.oauthConfiguration.providedScopePolicy.address.enabled
BooleanAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
applications.oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
applications.oauthConfiguration.providedScopePolicy.email.enabled
BooleanAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
applications.oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
applications.oauthConfiguration.providedScopePolicy.phone.enabled
BooleanAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
applications.oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
applications.oauthConfiguration.providedScopePolicy.profile.enabled
BooleanAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
applications.oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
applications.oauthConfiguration.relationship
StringAvailable since 1.50.0The application’s relationship to the OAuth server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on applications.oauthConfiguration.consentMode .
applications.oauthConfiguration.requireClientAuthentication
BooleanAvailable since 1.3.0DEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via applications.oauthConfiguration.clientAuthenticationPolicy .
applications.oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
applications.oauthConfiguration.scopeHandlingPolicy
StringAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
applications.oauthConfiguration.unknownScopePolicy
StringAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
applications.passwordlessConfiguration.enabled
BooleanAvailable since 1.5.0Determines if passwordless login is enabled for this application.
applications.registrationConfiguration.birthDate.enabled
BooleanAvailable since 1.4.0Determines if the birthDate
field will be included on the registration form.
applications.registrationConfiguration.birthDate.required
BooleanAvailable since 1.4.0Determines if the birthDate
field is required when displayed on the registration form.
applications.registrationConfiguration.confirmPassword
BooleanAvailable since 1.4.0Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.
applications.registrationConfiguration.enabled
BooleanAvailable since 1.4.0Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.
applications.registrationConfiguration.firstName.enabled
BooleanAvailable since 1.4.0Determines if the firstName
field will be included on the registration form.
applications.registrationConfiguration.firstName.required
BooleanAvailable since 1.4.0Determines if the firstName
field is required when displayed on the registration form.
applications.registrationConfiguration.formId
UUIDAvailable since 1.18.0The Id of an associated Form when using advanced
registration configuration type.
applications.registrationConfiguration.fullName.enabled
BooleanAvailable since 1.4.0Determines if the fullName
field will be included on the registration form.
applications.registrationConfiguration.fullName.required
BooleanAvailable since 1.4.0Determines if the fullName
field is required when displayed on the registration form.
applications.registrationConfiguration.lastName.enabled
BooleanAvailable since 1.4.0Determines if the lastName
field will be included on the registration form.
applications.registrationConfiguration.lastName.required
BooleanAvailable since 1.4.0Determines if the lastName
field is required when displayed on the registration form.
applications.registrationConfiguration.loginIdType
StringAvailable since 1.4.0The unique login Id that will be collected during registration, this value can be email
or username
. Leaving the default value of email
is preferred because an email address is globally unique.
email
username
applications.registrationConfiguration.middleName.enabled
BooleanAvailable since 1.4.0Determines if the middleName
field will be included on the registration form.
applications.registrationConfiguration.middleName.required
BooleanAvailable since 1.4.0Determines if the middleName
field is required when displayed on the registration form.
applications.registrationConfiguration.mobilePhone.enabled
BooleanAvailable since 1.4.0Determines if the mobilePhone
field will be included on the registration form.
applications.registrationConfiguration.mobilePhone.required
BooleanAvailable since 1.4.0Determines if the mobilePhone
field is required when displayed on the registration form.
applications.registrationConfiguration.preferredLanguages.enabled
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field will be included on the registration form.
applications.registrationConfiguration.preferredLanguages.required
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field is required when displayed on the registration form.
applications.registrationConfiguration.type
StringAvailable since 1.18.0The type of registration flow.
Supported values include:
basic
- the basic self registration options available prior to version1.18.0
.advanced
- advanced usage of custom forms, requires a paid plan.
applications.registrationDeletePolicy.unverified.enabled
BooleanAvailable since 1.13.0Indicates that users without a verified registration for this application will have their registration permanently deleted after applications.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
applications.registrationDeletePolicy.unverified.enabledInstant
LongAvailable since 1.48.0The instant that this policy was enabled.
User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.
Please note that prior to version 1.48.0
, when enabling this policy all unverified user registrations are eligible for deletion.
applications.registrationDeletePolicy.unverified.numberOfDaysToRetain
IntegerAvailable since 1.13.0The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
applications.roles
ArrayAn array of Role objects.
applications.roles[x].description
StringA description of the role.
applications.roles[x].id
UUIDThe Id of the Role.
applications.roles[x].name
StringThe name of the Role.
applications.roles[x].isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
applications.roles[x].isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
applications.samlv2Configuration.assertionEncryptionConfiguration.digestAlgorithm
StringAvailable since 1.47.0The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:
SHA1
- SHA-1 hashing algorithmSHA256
- SHA-256 hashing algorithmSHA384
- SHA-384 hashing algorithmSHA512
- SHA-512 hashing algorithm
applications.samlv2Configuration.assertionEncryptionConfiguration.enabled
BooleanAvailable since 1.47.0Whether or SAML assertion encryption is enabled for this Application.
applications.samlv2Configuration.assertionEncryptionConfiguration.encryptionAlgorithm
StringAvailable since 1.47.0The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:
AES128
- AES in CBC mode with a 128-bit keyAES192
- AES in CBC mode with a 192-bit keyAES256
- AES in CBC mode with a 256-bit keyAES128GCM
- AES using GCM with a 128-bit keyAES192GCM
- AES using GCM with a 192-bit keyAES256GCM
- AES using GCM with a 256-bit keyTripleDES
- Triple DES with a 192-bit key
applications.samlv2Configuration.assertionEncryptionConfiguration.keyLocation
StringAvailable since 1.47.0The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData
element containing the encrypted assertion value. The possible values are:
Child
- TheEncryptedKey
element will be wrapped in aKeyInfo
element and added inside theEncryptedData
Sibling
- TheEncryptedKey
element will be added to the document as a sibling ofEncryptedData
applications.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm
StringAvailable since 1.47.0The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:
RSAv15
- RSA version 1.5RSA_OAEP
- RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunctionRSA_OAEP_MGF1P
- RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash
applications.samlv2Configuration.assertionEncryptionConfiguration.keyTransportEncryptionKeyId
UUIDAvailable since 1.47.0The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response.
applications.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
StringAvailable since 1.47.0The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:
MGF1_SHA1
- MGF1 mask generation function with SHA-1 hashMGF1_SHA224
- MGF1 mask generation function with SHA-224 hashMGF1_SHA256
- MGF1 mask generation function with SHA-256 hashMGF1_SHA384
- MGF1 mask generation function with SHA-384 hashMGF1_SHA512
- MGF1 mask generation function with SHA-512 hash
This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP
. RSAv15
does not require a message digest function, and RSA_OAEP_MGF1P
will always use MGF1_SHA1
regardless of this value.
applications.samlv2Configuration.audience
StringAvailable since 1.6.0The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer
and this configuration option lets you change the audience
in the response.
applications.samlv2Configuration.authorizedRedirectURLs
Array<String>Available since 1.20.0One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL]
element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL]
element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
applications.samlv2Configuration.callbackURL
StringAvailable since 1.6.0DEPRECATEDThe URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
applications.samlv2Configuration.debug
BooleanAvailable since 1.6.0Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
applications.samlv2Configuration.defaultVerificationKeyId
UUIDAvailable since 1.20.0The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo]
element is not found in the SAML AuthNRequest. If a [KeyInfo]
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
applications.samlv2Configuration.enabled
BooleanAvailable since 1.6.0Whether or not the SAML IdP for this Application is enabled or not.
applications.samlv2Configuration.initiatedLogin.enabled
BooleanAvailable since 1.41.0Determines if SAML v2 IdP initiated login is enabled for this application.
applications.samlv2Configuration.initiatedLogin.nameIdFormat
StringAvailable since 1.41.0The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
applications.samlv2Configuration.issuer
StringAvailable since 1.6.0The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
applications.samlv2Configuration.keyId
UUIDAvailable since 1.6.0The unique Id of the Key used to sign the SAML response.
applications.samlv2Configuration.loginHintConfiguration.enabled
BooleanAvailable since 1.47.0Determines if support for a login hint sent by a SAML service provider is enabled for this application.
applications.samlv2Configuration.loginHintConfiguration.parameterName
StringAvailable since 1.47.0The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.
applications.samlv2Configuration.logout.behavior
StringAvailable since 1.25.0The possible values are:
AllParticipants
- each session participant that has enabled single logout will be sent a Logout RequestOnlyOriginator
- no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
applications.samlv2Configuration.logout.defaultVerificationKeyId
UUIDAvailable since 1.25.0The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo
element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
applications.samlv2Configuration.logout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Logout response.
applications.samlv2Configuration.logout.requireSignedRequests
BooleanAvailable since 1.25.0When this value is true
all Logout requests missing a signature will be rejected.
applications.samlv2Configuration.logout.singleLogout.enabled
BooleanAvailable since 1.25.0Whether or not SAML Single Logout for this SAML IdP is enabled.
applications.samlv2Configuration.logout.singleLogout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Single Logout response.
applications.samlv2Configuration.logout.singleLogout.url
StringAvailable since 1.25.0The URL at which you want to receive the LogoutRequest
from FusionAuth.
applications.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
applications.samlv2Configuration.logout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
applications.samlv2Configuration.logoutURL
StringAvailable since 1.6.0The URL that the browser is taken to after the user logs out of the SAML service provider.
applications.samlv2Configuration.requireSignedRequests
BooleanAvailable since 1.20.0When this value is true
all requests missing a signature will be rejected.
applications.samlv2Configuration.xmlSignatureC14nMethod
StringAvailable since 1.6.0The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
applications.samlv2Configuration.xmlSignatureLocation
StringAvailable since 1.21.0The location to place the XML signature when signing the SAML response.
The possible values are:
Assertion
- The XML signature will be added as a child element of the Assertion.Response
- The XML signature will be added as a child element of the Response.
applications.scopes
ArrayAvailable since 1.50.0An array of OAuth Scope objects.
applications.scopes[x].defaultConsentDetail
StringAvailable since 1.50.0The default detail to display on the OAuth consent screen if one cannot be found in the theme.
applications.scopes[x].defaultConsentMessage
StringAvailable since 1.50.0The default message to display on the OAuth consent screen if one cannot be found in the theme.
applications.scopes[x].description
StringAvailable since 1.50.0A description of the OAuth Scope for internal use.
applications.scopes[x].id
UUIDAvailable since 1.50.0The Id of the OAuth Scope.
applications.scopes[x].insertInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was added to the FusionAuth database.
applications.scopes[x].lastUpdateInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was last updated in the FusionAuth database.
applications.scopes[x].name
StringAvailable since 1.50.0The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.
applications.scopes[x].required
BooleanAvailable since 1.50.0Determines if the OAuth Scope is required when requested in an OAuth workflow.
applications.state
StringAvailable since 1.22.0The current state of the application. The following are valid values:
Active
- The Application is active.Inactive
- The Application is not active. An Application can not be modified or authenticated against when inactive.
applications.tenantId
UUIDThe unique Id of the Tenant.
applications.themeId
UUIDAvailable since 1.27.0The unique Id of the theme to be used to style the login page and other end user templates.
applications.verificationEmailTemplateId
UUIDThe Id of the Email Template that is used to send the Registration Verification emails to users.
applications.verifyRegistration
BooleanWhether or not registrations to this Application may be verified.
applications.webAuthnConfiguration.bootstrapWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if applications.webAuthnConfiguration.enabled is false
.
applications.webAuthnConfiguration.enabled
BooleanAvailable since 1.41.0Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false
, WebAuthn workflows are enabled based on the Tenant configuration. If true
, WebAuthn workflows are enabled according to the configuration of this application.
applications.webAuthnConfiguration.reauthenticationWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if applications.webAuthnConfiguration.enabled is false
.
expandable
Array<String>Available since 1.50.0The available expandable properties that are not expanded in the response.
For example, if you set the expand request parameter to [roles]
then the value of this parameter in the response will be [scopes]
indicating that the scopes
property was not expanded.
total
IntegerThe total number of Applications matching the search criteria. Use this value along with the numberOfResults and startRow in the Search request to perform pagination.
Example Response JSON for Application Search
{
"applications": [
{
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908",
"userinfoPopulateId": "faaa713c-befd-43ee-9387-907828f80882"
},
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
}
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"consentMode": "AlwaysPrompt",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"providedScopePolicy": {
"address": {
"enabled": true,
"required": false
},
"email": {
"enabled": true,
"required": false
},
"phone": {
"enabled": true,
"required": false
},
"profile": {
"enabled": true,
"required": false
}
},
"relationship": "FirstParty",
"requireClientAuthentication": true,
"requireRegistration": false,
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"loginHintConfiguration": {
"enabled": true,
"parameterName": "login_hint"
},
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"scopes": [
{
"defaultConsentDetail": "Your calendar data will be used to provide you enhanced reminders",
"defaultConsentMessage": "Read your calendar",
"id": "b1e5afb2-e18f-4174-82c2-1fa7975ac598",
"name": "calendar:read",
"required": true
},
{
"defaultConsentDetail": "Create new events to remind you of upcoming discussions",
"defaultConsentMessage": "Write your calendar",
"id": "a9ae0a21-be87-4f04-850d-20a75020448b",
"name": "calendar:write",
"required": false
}
],
"state": "Active",
"tenantId": "50435e55-6e95-4d54-96d0-9c953dd53eeb",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
],
"expandable": [],
"total": 1
}
Delete an Application
This API is used to delete an Application. You must specify the Id of the Application on the URI. You can also specify whether or not the Application is soft or hard deleted. Soft deleted Applications are marked as inactive but not deleted from FusionAuth.
Request
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDrequiredThe Id of the Application to delete.
hardDelete
BooleanWhether or not the Application is soft or hard deleted. A hard delete is a permanent operation.
Response
This API does not return a JSON response body.
Response CodesCode | Description |
---|---|
200 | The request was successful. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 | The object you requested doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Reactivate an Application
This API is used to reactivate an inactive Application. You must specify the Id of the Application on the URI.
Request
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDrequiredThe Id of the Application to reactivate.
Response
The response for this API contains the information for the Application that was reactivated.
Response CodesCode | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 | The object you requested doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
application.accessControlConfiguration.uiIPAccessControlListId
UUIDAvailable since 1.30.0The Id of the IP Access Control List limiting access to this application.
application.active
BooleanDEPRECATEDWhether or not the Application is active.
Deprecated since 1.22.0In version 1.22.0 and beyond, prefer the use of state .
application.authenticationTokenConfiguration.enabled
BooleanWhether or not Users can have Authentication Tokens associated with this Application.
application.cleanSpeakConfiguration.applicationIds
Array<UUID>An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
application.cleanSpeakConfiguration.enabled
BooleanTrue if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
application.cleanSpeakConfiguration.usernameModeration.applicationId
UUIDThe Id of the CleanSpeak application that usernames are sent to for moderation.
application.cleanSpeakConfiguration.usernameModeration.enabled
BooleanTrue if CleanSpeak username moderation is enabled.
application.data
ObjectAn object that can hold any information about the Application that should be persisted.
application.emailConfiguration.emailVerificationEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.emailUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.emailVerifiedEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.forgotPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginNewDeviceEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.loginSuspiciousEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordlessEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordResetSuccessEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when they have completed a ‘forgot password’ workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.passwordUpdateEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.setPasswordEmailTemplateId
UUIDAvailable since 1.19.0The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.twoFactorMethodAddEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId
UUIDAvailable since 1.30.0The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
application.formConfiguration.adminRegistrationFormId
UUIDAvailable since 1.20.0The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
application.formConfiguration.selfServiceFormConfiguration.requireCurrentPasswordOnPasswordChange
BooleanAvailable since 1.45.0When enabled a user will be required to provide their current password when changing their password on a self-service account form.
application.formConfiguration.selfServiceFormId
UUIDAvailable since 1.26.0The unique Id of the form to enable authenticated users to manage their profile on the account page.
application.id
UUIDThe unique identifier for this Application.
application.insertInstant
LongAvailable since 1.18.0The instant that the Application was added to the FusionAuth database.
application.jwtConfiguration.accessTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the access token.
application.jwtConfiguration.algorithm
StringDEPRECATEDThe algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available.
ES256
- ECDSA using P-256 curve and SHA-256 Available since 1.4.0ES384
- ECDSA using P-384 curve and SHA-384 Available since 1.4.0ES512
- ECDSA using P-521 curve and SHA-512 Available since 1.4.0HS256
- HMAC using SHA-256HS384
- HMAC using SHA-384HS512
- HMAC using SHA-512RS256
- RSASSA-PKCS1-v1_5 using SHA-256RS384
- RSASSA-PKCS1-v1_5 using SHA-384RS512
- RSASSA-PKCS1-v1_5 using SHA-512
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.enabled
BooleanIndicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false
the signing algorithm configured in the Tenant will be used. If true
the signing algorithm defined in this application will be used.
application.jwtConfiguration.idTokenKeyId
UUIDAvailable since 1.6.0The Id of the signing key used to sign the Id token.
application.jwtConfiguration.privateKey
StringDEPRECATEDThe private key used when an RSA
signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.publicKey
StringDEPRECATEDThe public key used when an RSA
signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
application.jwtConfiguration.refreshTokenExpirationPolicy
StringAvailable since 1.17.0The Refresh Token expiration policy.
The possible values are:
Fixed
- the expiration is calculated from the time the token is issued.SlidingWindow
- the expiration is calculated from the last time the token was used.SlidingWindowWithMaximumLifetime
- the expiration is calculated from the last time the token was used, or until the maximumTimeToLiveInMinutes is reached. Available since 1.46.0
application.jwtConfiguration.refreshTokenSlidingWindowConfiguration.maximumTimeToLiveInMinutes
IntegerAvailable since 1.46.0The maximum lifetime of a refresh token when using a refreshTokenExpirationPolicy of SlidingWindowWithMaximumLifetime
.
application.jwtConfiguration.refreshTokenTimeToLiveInMinutes
IntegerAvailable since 1.2.0The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
application.jwtConfiguration.refreshTokenUsagePolicy
StringAvailable since 1.17.0The refresh token usage policy. The following are valid values:
Reusable
- the token does not change after it was issued.OneTimeUse
- the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage.
application.jwtConfiguration.secret
StringDEPRECATEDThe secret used when an HMAC
based signing algorithm has been selected. This secret is used to sign and verify JWTs.
In version 1.5.0 and beyond, when selecting an HMAC
algorithm, the client_secret
from the OAuth configuration will be used to sign and verify the JWTs.
application.jwtConfiguration.timeToLiveInSeconds
IntegerThe length of time in seconds the JWT will live before it is expired and no longer valid.
application.lambdaConfiguration.accessTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
application.lambdaConfiguration.idTokenPopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
application.lambdaConfiguration.samlv2PopulateId
UUIDAvailable since 1.6.0The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
application.lambdaConfiguration.selfServiceRegistrationValidationId
UUIDAvailable since 1.43.0The unique Id of the lambda that will be used to perform additional validation on registration form steps.
application.lambdaConfiguration.userinfoPopulateId
UUIDAvailable since 1.50.0The Id of the Lambda that will be invoked when a UserInfo response is generated for this application.
application.lastUpdateInstant
LongAvailable since 1.18.0The instant that the Application was last updated in the FusionAuth database.
application.name
StringThe name of the Application.
application.loginConfiguration.allowTokenRefresh
BooleanAvailable since 1.5.0Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens
parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
application.loginConfiguration.generateRefreshTokens
BooleanAvailable since 1.5.0Indicates if a Refresh Token should be issued from the Login API.
application.loginConfiguration.requireAuthentication
BooleanAvailable since 1.5.0Indicates if the Login API should require an API key. If you set this value to false
and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
application.multiFactorConfiguration.email.templateId
UUIDAvailable since 1.26.0The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
application.multiFactorConfiguration.sms.templateId
UUIDAvailable since 1.26.0The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
application.oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY
will be added to each response to disallow iframe loading.
application.oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
application.oauthConfiguration.authorizedURLValidationPolicy
StringAvailable since 1.43.0Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
application.oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
application.oauthConfiguration.clientId
StringThe OAuth client Id of the Application.
application.oauthConfiguration.clientSecret
StringThe OAuth client secret.
application.oauthConfiguration.consentMode
StringAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when application.oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
application.oauthConfiguration.debug
BooleanAvailable since 1.25.0Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
application.oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type.
application.oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
application.oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
application.oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
application.oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
application.oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
application.oauthConfiguration.providedScopePolicy.address.enabled
BooleanAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.email.enabled
BooleanAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.phone.enabled
BooleanAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.providedScopePolicy.profile.enabled
BooleanAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
application.oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
application.oauthConfiguration.relationship
StringAvailable since 1.50.0The application’s relationship to the OAuth server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on application.oauthConfiguration.consentMode .
application.oauthConfiguration.requireClientAuthentication
BooleanAvailable since 1.3.0DEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy .
application.oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
application.oauthConfiguration.scopeHandlingPolicy
StringAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
application.oauthConfiguration.unknownScopePolicy
StringAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
application.passwordlessConfiguration.enabled
BooleanAvailable since 1.5.0Determines if passwordless login is enabled for this application.
application.registrationConfiguration.birthDate.enabled
BooleanAvailable since 1.4.0Determines if the birthDate
field will be included on the registration form.
application.registrationConfiguration.birthDate.required
BooleanAvailable since 1.4.0Determines if the birthDate
field is required when displayed on the registration form.
application.registrationConfiguration.confirmPassword
BooleanAvailable since 1.4.0Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice.
application.registrationConfiguration.enabled
BooleanAvailable since 1.4.0Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login.
application.registrationConfiguration.firstName.enabled
BooleanAvailable since 1.4.0Determines if the firstName
field will be included on the registration form.
application.registrationConfiguration.firstName.required
BooleanAvailable since 1.4.0Determines if the firstName
field is required when displayed on the registration form.
application.registrationConfiguration.formId
UUIDAvailable since 1.18.0The Id of an associated Form when using advanced
registration configuration type.
application.registrationConfiguration.fullName.enabled
BooleanAvailable since 1.4.0Determines if the fullName
field will be included on the registration form.
application.registrationConfiguration.fullName.required
BooleanAvailable since 1.4.0Determines if the fullName
field is required when displayed on the registration form.
application.registrationConfiguration.lastName.enabled
BooleanAvailable since 1.4.0Determines if the lastName
field will be included on the registration form.
application.registrationConfiguration.lastName.required
BooleanAvailable since 1.4.0Determines if the lastName
field is required when displayed on the registration form.
application.registrationConfiguration.loginIdType
StringAvailable since 1.4.0The unique login Id that will be collected during registration, this value can be email
or username
. Leaving the default value of email
is preferred because an email address is globally unique.
email
username
application.registrationConfiguration.middleName.enabled
BooleanAvailable since 1.4.0Determines if the middleName
field will be included on the registration form.
application.registrationConfiguration.middleName.required
BooleanAvailable since 1.4.0Determines if the middleName
field is required when displayed on the registration form.
application.registrationConfiguration.mobilePhone.enabled
BooleanAvailable since 1.4.0Determines if the mobilePhone
field will be included on the registration form.
application.registrationConfiguration.mobilePhone.required
BooleanAvailable since 1.4.0Determines if the mobilePhone
field is required when displayed on the registration form.
application.registrationConfiguration.preferredLanguages.enabled
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field will be included on the registration form.
application.registrationConfiguration.preferredLanguages.required
BooleanAvailable since 1.47.0Determines if the preferredLanguages
field is required when displayed on the registration form.
application.registrationConfiguration.type
StringAvailable since 1.18.0The type of registration flow.
Supported values include:
basic
- the basic self registration options available prior to version1.18.0
.advanced
- advanced usage of custom forms, requires a paid plan.
application.registrationDeletePolicy.unverified.enabled
BooleanAvailable since 1.13.0Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
application.registrationDeletePolicy.unverified.enabledInstant
LongAvailable since 1.48.0The instant that this policy was enabled.
User registrations created before this time will not be eligible to be deleted. This means that you can safely enable this feature and the policy will only be enforced for user registrations created after this policy was enabled.
Please note that prior to version 1.48.0
, when enabling this policy all unverified user registrations are eligible for deletion.
application.registrationDeletePolicy.unverified.numberOfDaysToRetain
IntegerAvailable since 1.13.0The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
application.roles
ArrayAn array of Role objects.
application.roles[x].description
StringA description of the role.
application.roles[x].id
UUIDThe Id of the Role.
application.roles[x].name
StringThe name of the Role.
application.roles[x].isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
application.roles[x].isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
application.samlv2Configuration.assertionEncryptionConfiguration.digestAlgorithm
StringAvailable since 1.47.0The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are:
SHA1
- SHA-1 hashing algorithmSHA256
- SHA-256 hashing algorithmSHA384
- SHA-384 hashing algorithmSHA512
- SHA-512 hashing algorithm
application.samlv2Configuration.assertionEncryptionConfiguration.enabled
BooleanAvailable since 1.47.0Whether or SAML assertion encryption is enabled for this Application.
application.samlv2Configuration.assertionEncryptionConfiguration.encryptionAlgorithm
StringAvailable since 1.47.0The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are:
AES128
- AES in CBC mode with a 128-bit keyAES192
- AES in CBC mode with a 192-bit keyAES256
- AES in CBC mode with a 256-bit keyAES128GCM
- AES using GCM with a 128-bit keyAES192GCM
- AES using GCM with a 192-bit keyAES256GCM
- AES using GCM with a 256-bit keyTripleDES
- Triple DES with a 192-bit key
application.samlv2Configuration.assertionEncryptionConfiguration.keyLocation
StringAvailable since 1.47.0The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData
element containing the encrypted assertion value. The possible values are:
Child
- TheEncryptedKey
element will be wrapped in aKeyInfo
element and added inside theEncryptedData
Sibling
- TheEncryptedKey
element will be added to the document as a sibling ofEncryptedData
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm
StringAvailable since 1.47.0The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are:
RSAv15
- RSA version 1.5RSA_OAEP
- RSA encryption with Optimal Asymmetric Encryption Padding using the mask generation function and hash specified by application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunctionRSA_OAEP_MGF1P
- RSA encryption with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and SHA-1 hash
application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportEncryptionKeyId
UUIDAvailable since 1.47.0The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response.
application.samlv2Configuration.assertionEncryptionConfiguration.maskGenerationFunction
StringAvailable since 1.47.0The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are:
MGF1_SHA1
- MGF1 mask generation function with SHA-1 hashMGF1_SHA224
- MGF1 mask generation function with SHA-224 hashMGF1_SHA256
- MGF1 mask generation function with SHA-256 hashMGF1_SHA384
- MGF1 mask generation function with SHA-384 hashMGF1_SHA512
- MGF1 mask generation function with SHA-512 hash
This value is only used when the application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm is set to RSA_OAEP
. RSAv15
does not require a message digest function, and RSA_OAEP_MGF1P
will always use MGF1_SHA1
regardless of this value.
application.samlv2Configuration.audience
StringAvailable since 1.6.0The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer
and this configuration option lets you change the audience
in the response.
application.samlv2Configuration.authorizedRedirectURLs
Array<String>Available since 1.20.0One or more authorized URLS that may be specified by the SAML v2 Service Provider in the Authentication request [AssertionConsumerServiceURL]
element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL that FusionAuth will send the SAML response during a SAML login request, this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the [AssertionConsumerServiceURL]
element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
application.samlv2Configuration.callbackURL
StringAvailable since 1.6.0DEPRECATEDThe URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
application.samlv2Configuration.debug
BooleanAvailable since 1.6.0Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
application.samlv2Configuration.defaultVerificationKeyId
UUIDAvailable since 1.20.0The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a [KeyInfo]
element is not found in the SAML AuthNRequest. If a [KeyInfo]
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
application.samlv2Configuration.enabled
BooleanAvailable since 1.6.0Whether or not the SAML IdP for this Application is enabled or not.
application.samlv2Configuration.initiatedLogin.enabled
BooleanAvailable since 1.41.0Determines if SAML v2 IdP initiated login is enabled for this application.
application.samlv2Configuration.initiatedLogin.nameIdFormat
StringAvailable since 1.41.0The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
application.samlv2Configuration.issuer
StringAvailable since 1.6.0The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
application.samlv2Configuration.keyId
UUIDAvailable since 1.6.0The unique Id of the Key used to sign the SAML response.
application.samlv2Configuration.loginHintConfiguration.enabled
BooleanAvailable since 1.47.0Determines if support for a login hint sent by a SAML service provider is enabled for this application.
application.samlv2Configuration.loginHintConfiguration.parameterName
StringAvailable since 1.47.0The name of the login hint parameter provided by the service provider on an AuthnRequest. If this parameter is present, its value will be used to pre-populate the username field on the FusionAuth login form.
application.samlv2Configuration.logout.behavior
StringAvailable since 1.25.0The possible values are:
AllParticipants
- each session participant that has enabled single logout will be sent a Logout RequestOnlyOriginator
- no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
application.samlv2Configuration.logout.defaultVerificationKeyId
UUIDAvailable since 1.25.0The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo
element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
application.samlv2Configuration.logout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Logout response.
application.samlv2Configuration.logout.requireSignedRequests
BooleanAvailable since 1.25.0When this value is true
all Logout requests missing a signature will be rejected.
application.samlv2Configuration.logout.singleLogout.enabled
BooleanAvailable since 1.25.0Whether or not SAML Single Logout for this SAML IdP is enabled.
application.samlv2Configuration.logout.singleLogout.keyId
UUIDAvailable since 1.25.0The unique Id of the Key used to sign the SAML Single Logout response.
application.samlv2Configuration.logout.singleLogout.url
StringAvailable since 1.25.0The URL at which you want to receive the LogoutRequest
from FusionAuth.
application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logout.xmlSignatureC14nMethod
StringAvailable since 1.25.0The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.logoutURL
StringAvailable since 1.6.0The URL that the browser is taken to after the user logs out of the SAML service provider.
application.samlv2Configuration.requireSignedRequests
BooleanAvailable since 1.20.0When this value is true
all requests missing a signature will be rejected.
application.samlv2Configuration.xmlSignatureC14nMethod
StringAvailable since 1.6.0The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
exclusive
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#
exclusive_with_comments
: The URI for this method ishttp://www.w3.org/2001/10/xml-exc-c14n#WithComments
inclusive
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315
inclusive_with_comments
: The URI for this method ishttp://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
application.samlv2Configuration.xmlSignatureLocation
StringAvailable since 1.21.0The location to place the XML signature when signing the SAML response.
The possible values are:
Assertion
- The XML signature will be added as a child element of the Assertion.Response
- The XML signature will be added as a child element of the Response.
application.scopes
ArrayAvailable since 1.50.0An array of OAuth Scope objects.
application.scopes[x].defaultConsentDetail
StringAvailable since 1.50.0The default detail to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].defaultConsentMessage
StringAvailable since 1.50.0The default message to display on the OAuth consent screen if one cannot be found in the theme.
application.scopes[x].description
StringAvailable since 1.50.0A description of the OAuth Scope for internal use.
application.scopes[x].id
UUIDAvailable since 1.50.0The Id of the OAuth Scope.
application.scopes[x].insertInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was added to the FusionAuth database.
application.scopes[x].lastUpdateInstant
LongAvailable since 1.50.0The instant that the OAuth Scope was last updated in the FusionAuth database.
application.scopes[x].name
StringAvailable since 1.50.0The name of the OAuth Scope. This is the value that will be used to request the scope in OAuth workflows.
application.scopes[x].required
BooleanAvailable since 1.50.0Determines if the OAuth Scope is required when requested in an OAuth workflow.
application.state
StringAvailable since 1.22.0The current state of the application. The following are valid values:
Active
- The Application is active.Inactive
- The Application is not active. An Application can not be modified or authenticated against when inactive.
application.tenantId
UUIDThe unique Id of the Tenant.
application.themeId
UUIDAvailable since 1.27.0The unique Id of the theme to be used to style the login page and other end user templates.
application.verificationEmailTemplateId
UUIDThe Id of the Email Template that is used to send the Registration Verification emails to users.
application.verifyRegistration
BooleanWhether or not registrations to this Application may be verified.
application.webAuthnConfiguration.bootstrapWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
application.webAuthnConfiguration.enabled
BooleanAvailable since 1.41.0Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false
, WebAuthn workflows are enabled based on the Tenant configuration. If true
, WebAuthn workflows are enabled according to the configuration of this application.
application.webAuthnConfiguration.reauthenticationWorkflow.enabled
BooleanAvailable since 1.41.0Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false
.
Example Response JSON for a Single Application
{
"application": {
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908",
"userinfoPopulateId": "faaa713c-befd-43ee-9387-907828f80882"
},
"lastUpdateInstant": 1595361143101,
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"consentMode": "AlwaysPrompt",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"providedScopePolicy": {
"address": {
"enabled": true,
"required": false
},
"email": {
"enabled": true,
"required": false
},
"phone": {
"enabled": true,
"required": false
},
"profile": {
"enabled": true,
"required": false
}
},
"relationship": "FirstParty",
"requireClientAuthentication": true,
"requireRegistration": false,
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"enabledInstant": 1698772159415,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"loginHintConfiguration": {
"enabled": true,
"parameterName": "login_hint"
},
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"scopes": [
{
"defaultConsentDetail": "Your calendar data will be used to provide you enhanced reminders",
"defaultConsentMessage": "Read your calendar",
"id": "b1e5afb2-e18f-4174-82c2-1fa7975ac598",
"name": "calendar:read",
"required": true
},
{
"defaultConsentDetail": "Create new events to remind you of upcoming discussions",
"defaultConsentMessage": "Write your calendar",
"id": "a9ae0a21-be87-4f04-850d-20a75020448b",
"name": "calendar:write",
"required": false
}
],
"state": "Active",
"tenantId": "50435e55-6e95-4d54-96d0-9c953dd53eeb",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
Create an Application Role
This API is used to create a role for an Application. Specifying an Id on the URI will instruct FusionAuth to use that Id when creating the role. Otherwise, FusionAuth will generate an Id for the role.
Request
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDrequiredThe Id of the Application.
roleId
UUIDDefaults to secure random UUIDThe Id to use for the new role. If not specified a secure random UUID will be generated.
Request Body
role.description
StringA description for the role.
role.name
StringrequiredThe name of the Role.
role.isDefault
BooleanDefaults to falseWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
role.isSuperRole
BooleanDefaults to falseWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
Example Request JSON
{
"role": {
"description": "a new role for the app",
"name": "role 3",
"isDefault": true
}
}
Response
The response for this API contains the information for the role that was created.
Response CodesCode | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
role.description
StringThe description of the role.
role.id
UUIDThe Id of the Role.
role.insertInstant
LongThe instant that the Role was added to the FusionAuth database.
role.lastUpdateInstant
LongThe instant that the Role was updated in the FusionAuth database.
role.name
StringThe name of the Role.
role.isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
role.isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
Example Response JSON
{
"role": {
"description": "a new role for the app",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "role 3",
"isDefault": true
}
}
Update an Application Role
This API is used to update an existing Application Role.
You must specify the Id of the Application Role you are updating on the URI. You must specify the Application Id and the Role Id on the URI to identify the role that is being updated.You must specify all of the properties of the Application Role when calling this API with the PUT
HTTP method. When used with PUT
, this API doesn’t merge the existing Application Role and your new data. It replaces the existing Application Role with your new data.
Utilize the PATCH
HTTP method to send specific changes to merge into an existing Application Role.
Request
When using the PATCH method, you can either use the same request body documentation that is provided for the PUT request for backward compatibility. Or you may use either JSON Patch/RFC 6902] or JSON Merge Patch/RFC 7396. See the PATCH documentation for more information.
When using the PATCH method with a Content-Type
of application/json
the provided request parameters will be merged into the existing object, this means all parameters are optional when using the PATCH method and you only provide the values you want changed. A null
value can be used to remove a value. Patching an Array
will result in all values from the new list being appended to the existing list, this is a known limitation to the current implementation of PATCH.
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDrequiredThe Id of the Application.
roleId
UUIDrequiredThe Id of the role that is being updated.
Request Body
role.description
StringA description for the role.
role.name
StringrequiredThe name of the Role.
role.isDefault
BooleanDefaults to falseWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided. More than one role can be marked as default.
role.isSuperRole
BooleanDefaults to falseWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
Example Request JSON
{
"role": {
"description": "a new role for the app",
"name": "role 3",
"isDefault": true
}
}
Response
The response for this API contains the new information for the role that was updated.
Response CodesCode | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
role.description
StringThe description of the role.
role.id
UUIDThe Id of the Role.
role.insertInstant
LongThe instant that the Role was added to the FusionAuth database.
role.lastUpdateInstant
LongThe instant that the Role was updated in the FusionAuth database.
role.name
StringThe name of the Role.
role.isDefault
BooleanWhether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
role.isSuperRole
BooleanWhether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
Example Response JSON
{
"role": {
"description": "a new role for the app",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "role 3",
"isDefault": true
}
}
Delete an Application Role
This API is used to delete a role from an Application.
Request
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDrequiredThe Id of the Application to which the role belongs.
roleId
UUIDrequiredThe Id of the role to delete.
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDrequiredThe Id of the Application to which the role belongs.
name
StringrequiredThe name of the role to delete.
Response
This API does not return a JSON response body.
Response CodesCode | Description |
---|---|
200 | The request was successful. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 | The object you requested doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Retrieve OAuth Configuration
This API is used to retrieve the Application OAuth configuration. When an API key is provided on the request the OAuth client secret will also be returned. When this API is called without authentication the client secret will not be returned in the response body.
Request
Request Headers
X-FusionAuth-TenantId
StringThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters
applicationId
UUIDrequiredThe Id of the Application to retrieve the OAuth configuration.
Response
Response CodesCode | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
404 | The object you requested doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
httpSessionMaxInactiveInterval
IntegerThe time in seconds until an inactive session will be invalidated, from the application’s tenant. Used when creating a new session in the FusionAuth Front End.
logoutURL
StringThe logout redirect URL when sending the user’s browser to the /oauth2/logout
URI of the FusionAuth Front End. From the application’s tenant.
oauthConfiguration.authorizedOriginURLs
Array<String>An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY
will be added to each response to disallow iframe loading.
oauthConfiguration.authorizedRedirectURLs
Array<String>An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
oauthConfiguration.authorizedURLValidationPolicy
Available since 1.43.0Controls the validation policy for oauthConfiguration.authorizedOriginURLs and oauthConfiguration.authorizedRedirectURLs .
The possible values are:
ExactMatch
- Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.AllowWildcards
- Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
oauthConfiguration.clientAuthenticationPolicy
StringAvailable since 1.28.0Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
Required
- The client must provide client credentials when using the Token endpoint. Theclient_id
andclient_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.NotRequired
- Providing client credentials is optional when using the Token endpoint.NotRequiredWhenUsingPKCE
- The client must provide client credentials when using the Token endpoint unless a valid PCKEcode_verifier
has been provided in the request body using POST data.
oauthConfiguration.clientId
StringThe OAuth client Id of the Application.
oauthConfiguration.clientSecret
StringThe OAuth client secret. This field will only be provided when the request was authenticated using an API key.
oauthConfiguration.consentMode
StringAvailable since 1.50.0Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when oauthConfiguration.relationship is ThirdParty
.
The possible values are:
AlwaysPrompt
- Always prompt the user for consent.RememberDecision
- Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds value.NeverPrompt
- The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were aFirstParty
application. This configuration is meant for testing purposes only and should not be used in production.
oauthConfiguration.deviceVerificationURL
StringAvailable since 1.11.0The device verification URL to be used with the Device Code grant type.
oauthConfiguration.enabledGrants
Array<String>Available since 1.5.0The enabled grants for this application. In order to utilize a particular grant with the OAuth 2.0 endpoints you must have enabled the grant.
Supported values include:
authorization_code
implicit
password
refresh_token
urn:ietf:params:oauth:grant-type:device_code
Available since 1.11.0
oauthConfiguration.generateRefreshTokens
BooleanAvailable since 1.3.0Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access
scope is requested.
oauthConfiguration.logoutBehavior
StringAvailable since 1.11.0Behavior when /oauth2/logout
is called.
Valid values:
RedirectOnly
** End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.AllApplications
** End the SSO session and make aGET
request to all configured Logout URLs for every application in the tenant.
oauthConfiguration.logoutURL
StringThe logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
oauthConfiguration.proofKeyForCodeExchangePolicy
StringAvailable since 1.28.0Determines the PKCE requirements when using the authorization code grant.
The possible values are:
Required
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant.NotRequired
- Providing acode_verifier
is optional when completing the authorization code grant.NotRequiredWhenUsingClientAuthentication
- The client must provide a validcode_verifier
on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
oauthConfiguration.providedScopePolicy.address.enabled
BooleanAvailable since 1.50.0Whether the address
OAuth scope provided by FusionAuth is enabled for this application.
oauthConfiguration.providedScopePolicy.address.required
BooleanAvailable since 1.50.0Whether consent to the address
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
oauthConfiguration.providedScopePolicy.email.enabled
BooleanAvailable since 1.50.0Whether the email
OAuth scope provided by FusionAuth is enabled for this application.
oauthConfiguration.providedScopePolicy.email.required
BooleanAvailable since 1.50.0Whether consent to the email
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
oauthConfiguration.providedScopePolicy.phone.enabled
BooleanAvailable since 1.50.0Whether the phone
OAuth scope provided by FusionAuth is enabled for this application.
oauthConfiguration.providedScopePolicy.phone.required
BooleanAvailable since 1.50.0Whether consent to the phone
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
oauthConfiguration.providedScopePolicy.profile.enabled
BooleanAvailable since 1.50.0Whether the profile
OAuth scope provided by FusionAuth is enabled for this application.
oauthConfiguration.providedScopePolicy.profile.required
BooleanAvailable since 1.50.0Whether consent to the profile
OAuth scope provided by FusionAuth is required for this application when present on the OAuth request.
oauthConfiguration.relationship
StringAvailable since 1.50.0The application’s relationship to the authorization server.
The possible values are:
FirstParty
- The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly.ThirdParty
- The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on oauthConfiguration.consentMode .
oauthConfiguration.requireClientAuthentication
BooleanAvailable since 1.3.0DEPRECATEDDetermines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id
and client_secret
may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
In version 1.28.0 and beyond, client authentication can be managed via oauthConfiguration.clientAuthenticationPolicy .
oauthConfiguration.requireRegistration
BooleanAvailable since 1.28.0Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
oauthConfiguration.scopeHandlingPolicy
StringAvailable since 1.50.0Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:
Compatibility
- OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.Strict
- OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
oauthConfiguration.unknownScopePolicy
StringAvailable since 1.50.0Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:
Allow
- Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent.Remove
- Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.Reject
- Unknown scopes will be rejected and cause the OAuth workflow to fail with an error.
Example Response JSON
{
"httpSessionMaxInactiveInterval": 3600,
"logoutURL": "http://www.example.com/logout",
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"consentMode": "AlwaysPrompt",
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"providedScopePolicy": {
"address": {
"enabled": true,
"required": false
},
"email": {
"enabled": true,
"required": false
},
"phone": {
"enabled": true,
"required": false
},
"profile": {
"enabled": true,
"required": false
}
},
"relationship": "FirstParty",
"requireClientAuthentication": true,
"requireRegistration": false,
"scopeHandlingPolicy": "Compatibility",
"unknownScopePolicy": "Reject"
}
}