Application APIs
Overview
This page contains the APIs that are used to manage Applications as well as the Roles of an Application. Here are the APIs:
Create an Application
This API is used to create an Application. Specifying an Id on the URI will instruct FusionAuth to use that Id when creating the Application. Otherwise, FusionAuth will generate an Id for the Application.
Request
Create an Application with a generated Id
POST /api/application
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Create an Application with the given Id
POST /api/application/{applicationId}
Request Parameters
- applicationId [UUID] Optional defaults to a generated UUID
-
The Id to use for the new Application. If not specified a secure random UUID will be generated.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
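The following is an added example, not code from the FusionAuth project or its client libraries. It builds a Create Application request with the headers described above and a body that uses only settings documented in the Request Body section below, then audits a body for settings that widen the attack surface. The base URL, API key and tenant Id are placeholders supplied by the caller; the audit rules are this example's own hardening baseline, not a FusionAuth policy.

```python
"""Build a Create Application request and audit its OAuth settings (added example)."""
import json
import uuid
from typing import Optional
from urllib import request


def hardened_application(name: str, redirect_urls: list[str], logout_url: str) -> dict:
    """Body enabling only the authorization code and refresh token grants,
    requiring both client authentication and PKCE, with exact redirect matching."""
    return {
        "application": {
            "name": name,
            "oauthConfiguration": {
                "authorizedRedirectURLs": redirect_urls,
                "authorizedURLValidationPolicy": "ExactMatch",
                "clientAuthenticationPolicy": "Required",
                "proofKeyForCodeExchangePolicy": "Required",
                "enabledGrants": ["authorization_code", "refresh_token"],
                "generateRefreshTokens": True,
                "logoutURL": logout_url,
            },
            "loginConfiguration": {
                "requireAuthentication": True,   # Login API needs an API key
                "allowTokenRefresh": False,
                "generateRefreshTokens": False,
            },
            "roles": [{"name": "user", "isDefault": True}],
        }
    }


def build_create_request(base_url: str, api_key: str, body: dict,
                         tenant_id: Optional[str] = None,
                         application_id: Optional[str] = None):
    """Return (method, url, headers, json_bytes). With an applicationId the URI is
    /api/application/{applicationId}; otherwise FusionAuth generates the Id."""
    url = f"{base_url.rstrip('/')}/api/application"
    if application_id is not None:
        url = f"{url}/{uuid.UUID(application_id)}"     # raises on a malformed Id
    headers = {"Authorization": api_key, "Content-Type": "application/json"}
    if tenant_id is not None:
        headers["X-FusionAuth-TenantId"] = tenant_id   # required once >1 tenant exists
    return "POST", url, headers, json.dumps(body).encode()


def audit_application(body: dict) -> list[str]:
    """Return findings for risky settings; an empty list passes this baseline.
    Defaults assumed here are the documented ones (Required, NotRequired,
    ExactMatch, requireAuthentication=true)."""
    app = body["application"]
    oauth = app.get("oauthConfiguration", {})
    login = app.get("loginConfiguration", {})
    findings = []
    for weak in ("implicit", "password"):
        if weak in oauth.get("enabledGrants", []):
            findings.append(f"enabledGrants contains {weak}")
    if (oauth.get("clientAuthenticationPolicy", "Required") == "NotRequired"
            and oauth.get("proofKeyForCodeExchangePolicy", "NotRequired") != "Required"):
        findings.append("token endpoint requires neither client authentication nor PKCE")
    if oauth.get("authorizedURLValidationPolicy", "ExactMatch") == "AllowWildcards":
        for url in oauth.get("authorizedRedirectURLs", []):
            if "*" in url:
                findings.append(f"wildcard redirect URL {url}")
    if login.get("requireAuthentication", True) is False:
        findings.append("Login API does not require an API key")
    for role in app.get("roles", []):
        if role.get("isSuperRole") and role.get("isDefault"):
            findings.append(f"role {role['name']} is both default and super role")
    return findings


def send(base_url: str, api_key: str, body: dict,
         tenant_id: Optional[str] = None, application_id: Optional[str] = None) -> dict:
    """Submit the request; a network call, so it is not exercised offline."""
    method, url, headers, data = build_create_request(base_url, api_key, body,
                                                      tenant_id, application_id)
    req = request.Request(url, data=data, headers=headers, method=method)
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = hardened_application("Example App", ["https://app.example.com/callback"],
                                "https://app.example.com/logout")
    print(audit_application(body))   # expected: no findings
```

Run the audit against any body before sending it; the check is cheap and catches the combinations (no client authentication and no PKCE, an unauthenticated Login API, wildcard redirect targets) that are easy to miss when the fields are spread across a large request.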
Request Body
- application.accessControlConfiguration.uiIPAccessControlListId [UUID] Optional Available since 1.30.0
-
The Id of the IP Access Control List limiting access to this application.
Note: An Enterprise plan is required to utilize IP ACLs.
- application.authenticationTokenConfiguration.enabled [Boolean] Optional Defaults to false
-
Determines if Users can have Authentication Tokens associated with this Application. This feature may not be enabled for the FusionAuth application.
- application.cleanSpeakConfiguration.applicationIds [Array<UUID>] Optional
-
An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
- application.cleanSpeakConfiguration.usernameModeration.applicationId [UUID] Optional
-
The Id of the CleanSpeak application that usernames are sent to for moderation.
- application.cleanSpeakConfiguration.usernameModeration.enabled [Boolean] Optional Defaults to false
-
True if CleanSpeak username moderation is enabled.
- application.data [Object] Optional
-
An object that can hold any information about the Application that should be persisted.
- application.emailConfiguration.emailVerificationEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.emailVerifiedEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.loginNewDeviceEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.loginSuspiciousEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordResetSuccessEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.passwordUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodAddEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Optional Available since 1.37.0
-
The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.
When this value is not defined, the value defined by tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds is utilized. When this value is defined it will override the tenant configured value.
This configuration is only utilized when application.multiFactorConfiguration.loginPolicy is enabled.
- application.formConfiguration.selfServiceFormId [UUID] Optional Available since 1.26.0
-
The unique Id of the form used to enable authenticated users to manage their profile on the account page.
Note: A paid plan is required to utilize custom forms.
- application.jwtConfiguration.accessTokenKeyId [UUID] Optional Available since 1.6.0
-
The Id of the signing key used to sign the access token.
- application.jwtConfiguration.algorithm [String] Optional Deprecated
-
The algorithm used to sign the JSON Web Token (JWT). The following JSON Web Algorithms (JWA), as described in RFC 7518, are available:
- ES256 - ECDSA using P-256 curve and SHA-256. Available since 1.4.0
- ES384 - ECDSA using P-384 curve and SHA-384. Available since 1.4.0
- ES512 - ECDSA using P-521 curve and SHA-512. Available since 1.4.0
- HS256 - HMAC using SHA-256
- HS384 - HMAC using SHA-384
- HS512 - HMAC using SHA-512
- RS256 - RSASSA-PKCS1-v1_5 using SHA-256
- RS384 - RSASSA-PKCS1-v1_5 using SHA-384
- RS512 - RSASSA-PKCS1-v1_5 using SHA-512
Required when enabled is set to true. When an HMAC algorithm is used, such as HS256, HS384 or HS512, the OAuth client_secret will be used as the signing secret. Note that this means any party holding the client_secret can also mint tokens that verify as genuine; an asymmetric algorithm lets verifiers hold only the public key.
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.enabled [Boolean] Optional Defaults to false
-
Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.
- application.jwtConfiguration.idTokenKeyId [UUID] Optional Available since 1.6.0
-
The Id of the signing key used to sign the Id token.
- application.jwtConfiguration.privateKey [String] Optional Deprecated
-
The private key used when an RSA or ECDSA based signing algorithm has been selected. The private key will be used to sign the JWT. This key is expected to be presented in a PEM encoded format. Required when enabled is set to true and algorithm is set to an RSA or ECDSA based value.
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.publicKey [String] Optional Deprecated
-
The public key used when an RSA or ECDSA based signing algorithm has been selected. The public key will be used to verify JWTs signed with the private key. This key is expected to be presented in a PEM encoded format. Required when enabled is set to true and algorithm is set to an RSA or ECDSA based value.
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Optional Available since 1.2.0
-
The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT. Required when enabled is set to true.
- application.jwtConfiguration.secret [String] Optional Deprecated
-
The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs. Required when enabled is set to true and algorithm is set to an HMAC based value.
Removed in version 1.5.0. In version 1.5.0 and beyond, when selecting an HMAC algorithm, the client_secret from the OAuth configuration will be used to sign and verify the JWTs.
- application.jwtConfiguration.timeToLiveInSeconds [Integer] Optional
-
The length of time in seconds the JWT will live before it is expired and no longer valid. Required when enabled is set to true.
- application.lambdaConfiguration.accessTokenPopulateId [UUID] Optional Available since 1.6.0
-
The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
- application.lambdaConfiguration.idTokenPopulateId [UUID] Optional Available since 1.6.0
-
The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
- application.lambdaConfiguration.samlv2PopulateId [UUID] Optional Available since 1.6.0
-
The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
- application.lambdaConfiguration.selfServiceRegistrationValidationId [UUID] Optional Available since 1.43.0
-
The unique Id of the lambda that will be used to perform additional validation on registration form steps.
Note: A paid plan is required to utilize custom forms.
- application.loginConfiguration.allowTokenRefresh [Boolean] Optional Defaults to false Available since 1.5.0
-
Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens, which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false to ensure Refresh Tokens cannot be used outside of the Refresh Token Grant.
- application.loginConfiguration.generateRefreshTokens [Boolean] Optional Defaults to false Available since 1.5.0
-
Indicates if a Refresh Token should be issued from the Login API.
If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false to ensure Refresh Tokens will not be issued outside of the OAuth grants.
- application.loginConfiguration.requireAuthentication [Boolean] Optional Defaults to true Available since 1.5.0
-
Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API, which means anyone can submit credential guesses for this application's users. If you do not intend to use the Login API, or will only be calling this API from a secure backend server, leave this value set to true so that an API key is required.
- application.multiFactorConfiguration.email.templateId [UUID] Optional Available since 1.26.0
-
The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
- application.multiFactorConfiguration.loginPolicy [String] Optional Available since 1.37.0
-
When enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When required, the user will be required to complete a two-factor challenge during login.
When configured, this value overrides the value configured by the tenant.multiFactorConfiguration.loginPolicy.
Supported values include:
- Enabled - Require a two-factor challenge during login when an eligible method is available.
- Disabled - Do not require a two-factor challenge during login.
- Required - Require a two-factor challenge during login. A user will be required to configure 2FA if no eligible methods are available. Available since 1.42.0
- application.multiFactorConfiguration.sms.templateId [UUID] Optional Available since 1.26.0
-
The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
- application.multiFactorConfiguration.trustPolicy [String] Optional Defaults to Any Available since 1.37.0
-
When application.multiFactorConfiguration.loginPolicy is set to Enabled, this trust policy is utilized when determining if a user must complete a two-factor challenge during login.
For example, a normal two-factor login flow will result in a trust Id being returned if you set trustComputer equal to true when completing a Two Factor Login. The returned trust identifier can be used on subsequent Login requests to keep from being required to complete a Two-Factor login. This configuration determines if that trust value can be utilized for another application.
Supported values include:
- Any - Trust obtained from any application is sufficient to bypass the two-factor challenge.
- This - Only trust obtained for this application is sufficient to bypass the two-factor challenge.
- None - Never trusted. The user will be required to complete a two-factor challenge during each login attempt.
- application.name [String] Required
-
The name of the Application.
- application.oauthConfiguration.authorizedOriginURLs [Array<String>] Optional
-
An array of URLs that are the authorized origins for FusionAuth OAuth.
For improved security, all FusionAuth hosted login pages add an HTTP response header of X-Frame-Options: DENY. This response header disallows loading the FusionAuth pages from an iframe. To utilize an iframe and load one or more of the FusionAuth hosted login pages, add the iframe page URLs to this property. For that host, FusionAuth will remove the X-Frame-Options header, allowing the page to load in the iframe. Only list origins you control: any origin listed here can frame the hosted login pages, which reintroduces the clickjacking exposure the header exists to prevent.
Examples of valid authorized origin URIs:
- https://example.com
- com.myApp://example
- com.myApp:/example
Available since 1.32.0
You may now use URLs that do not begin with http to support native application origins. Prior to this version the value was validated to begin with http. This also includes authorized origins that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/example would fail validation as an invalid URL.
Available since 1.43.0
Configured URLs containing wildcards are considered during validation when application.oauthConfiguration.authorizedURLValidationPolicy is set to AllowWildcards. Wildcards are allowed in the following positions:
- The left-most subdomain - A full or partial wildcard is allowed in the left-most subdomain. The replacement value cannot contain a "." character.
- The port number - A wildcard is allowed in place of the port number. Partial wildcards are not allowed in this position.
- A path segment - A full or partial wildcard is allowed in any path segment. The replacement value cannot contain a "/" character.
- A query string value - A wildcard is allowed in place of a query string value. Partial wildcards are not allowed in this position. Wildcards are not allowed in query string names.
See the OAuth 2.0 URL Validation page for more detail.
- application.oauthConfiguration.authorizedRedirectURLs [Array<String>] Optional
-
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth. Keep these as exact as possible: a redirect URL that matches more than you intend lets an attacker-controlled page receive the authorization code at the end of the authorization code grant.
Examples of valid redirect URIs:
- https://example.com/redirect
- com.myApp://redirect
- com.myApp:/redirect
Available since 1.7.0
You may now use URLs that do not begin with http to support native application redirect. Prior to this version the value was validated to begin with http.
Available since 1.12.0
You may now use URLs for application redirects that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/redirect would fail validation as an invalid URL.
Available since 1.43.0
Configured URLs containing wildcards are considered during validation when application.oauthConfiguration.authorizedURLValidationPolicy is set to AllowWildcards. Wildcards are allowed in the following positions:
- The left-most subdomain - A full or partial wildcard is allowed in the left-most subdomain. The replacement value cannot contain a "." character.
- The port number - A wildcard is allowed in place of the port number. Partial wildcards are not allowed in this position.
- A path segment - A full or partial wildcard is allowed in any path segment. The replacement value cannot contain a "/" character.
- A query string value - A wildcard is allowed in place of a query string value. Partial wildcards are not allowed in this position. Wildcards are not allowed in query string names.
See the OAuth 2.0 URL Validation page for more detail.
- application.oauthConfiguration.authorizedURLValidationPolicy [String] Optional Defaults to ExactMatch Available since 1.43.0
-
Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs.
The possible values are:
- ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
- AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
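The wildcard rules shared by authorizedOriginURLs and authorizedRedirectURLs, together with the two validation policies, are precise enough to implement. The following is an added example reimplementing those documented rules so you can test which URLs a configured pattern would and would not admit; it is not FusionAuth's matcher, and behaviour this page does not specify (case folding, default ports, fragments, duplicate query names) is this example's own choice, so use it to reason about patterns rather than as a statement of server behaviour.

```python
"""Model of authorized URL matching under ExactMatch / AllowWildcards (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl


def _split_netloc(netloc: str):
    """Return (host, port_text); port_text is '' when no port is present."""
    host, sep, port = netloc.rpartition(":")
    if not sep or "]" in port:            # no port, or bracketed IPv6 without a port
        return netloc, ""
    return host, port


def _segment_regex(pattern: str, forbidden: str) -> re.Pattern:
    """Turn e.g. 'app-*' into a regex whose '*' can never consume `forbidden`."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + f"[^{re.escape(forbidden)}]*".join(parts) + "$")


def validate_pattern(pattern: str) -> list[str]:
    """Rule violations for a configured URL: wildcards are only allowed in the
    left-most host label, as the whole port, in path segments, or as a whole query value."""
    u = urlsplit(pattern)
    host, port = _split_netloc(u.netloc)
    errors = []
    if "*" in u.scheme:
        errors.append("wildcard in scheme")
    if any("*" in label for label in host.split(".")[1:]):
        errors.append("wildcard outside the left-most subdomain")
    if "*" in port and port != "*":
        errors.append("partial wildcard in port")
    for name, value in parse_qsl(u.query, keep_blank_values=True):
        if "*" in name:
            errors.append(f"wildcard in query name {name!r}")
        if "*" in value and value != "*":
            errors.append(f"partial wildcard in query value for {name!r}")
    return errors


def matches(pattern: str, candidate: str) -> bool:
    """True if `candidate` satisfies `pattern` under the wildcard rules."""
    if validate_pattern(pattern):
        return False                      # an invalid pattern authorizes nothing
    p, c = urlsplit(pattern), urlsplit(candidate)
    if p.scheme != c.scheme or p.fragment != c.fragment:
        return False
    p_host, p_port = _split_netloc(p.netloc)
    c_host, c_port = _split_netloc(c.netloc)
    p_labels, c_labels = p_host.split("."), c_host.split(".")
    # '*' may stand in for exactly one label: label counts and all other labels must agree
    if len(p_labels) != len(c_labels) or p_labels[1:] != c_labels[1:]:
        return False
    if not _segment_regex(p_labels[0], ".").match(c_labels[0]):
        return False
    if p_port != "*" and p_port != c_port:
        return False
    p_path, c_path = p.path.split("/"), c.path.split("/")
    if len(p_path) != len(c_path):
        return False                      # a path wildcard cannot span a '/'
    if not all(_segment_regex(ps, "/").match(cs) for ps, cs in zip(p_path, c_path)):
        return False
    p_query = dict(parse_qsl(p.query, keep_blank_values=True))
    c_query = dict(parse_qsl(c.query, keep_blank_values=True))
    if p_query.keys() != c_query.keys():
        return False                      # no extra or missing query names
    return all(pv == "*" or pv == c_query[k] for k, pv in p_query.items())


def is_authorized(url: str, configured: list[str], policy: str = "ExactMatch") -> bool:
    """ExactMatch ignores configured values containing '*'; AllowWildcards consults them."""
    for value in configured:
        if "*" not in value:
            if value == url:
                return True
        elif policy == "AllowWildcards" and matches(value, url):
            return True
    return False
```

The two checks worth noting are that a subdomain wildcard never crosses a dot (so https://*.example.com/callback rejects https://a.b.example.com/callback and https://example.com/callback) and that a path wildcard never crosses a slash, which is what keeps a pattern from being satisfied by a host or path the operator did not intend.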
- application.oauthConfiguration.clientAuthenticationPolicy [String] Optional Defaults to Required Available since 1.28.0
-
Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
- Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- NotRequired - Providing client credentials is optional when using the Token endpoint.
- NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PKCE code_verifier has been provided in the request body using POST data.
For public clients (native and single-page applications) that cannot keep a client_secret, prefer NotRequiredWhenUsingPKCE over NotRequired: the code_verifier then binds the token request to the client that started the authorization request.
- application.oauthConfiguration.clientSecret [String] Optional
-
The OAuth 2.0 client secret. If you leave this blank during a POST, a secure secret will be generated for you. If you leave this blank during PUT, the previous value will be maintained. For both POST and PUT you can provide a value and it will be stored.
- application.oauthConfiguration.debug [Boolean] Optional Defaults to false Available since 1.25.0
-
Whether or not FusionAuth will log a debug Event Log. This is particularly useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
- application.oauthConfiguration.deviceVerificationURL [String] Optional Available since 1.11.0
-
The device verification URL to be used with the Device Code grant type. This field is required when the device_code grant is enabled.
- application.oauthConfiguration.enabledGrants [Array<String>] Optional Available since 1.5.0
-
The enabled grants for this application. In order to utilize a particular grant with the OAuth 2.0 endpoints you must have enabled the grant. Enable only the grants your clients actually use; the implicit and password grants in particular are discouraged by current OAuth 2.0 security guidance.
Supported values include:
- authorization_code
- implicit
- password
- refresh_token
- urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0
- application.oauthConfiguration.generateRefreshTokens [Boolean] Optional Defaults to true Available since 1.3.0
-
Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.
- application.oauthConfiguration.logoutBehavior [String] Optional Defaults to AllApplications Available since 1.11.0
-
Behavior when /oauth2/logout is called.
Valid values:
- RedirectOnly - End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
- AllApplications - End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.
- application.oauthConfiguration.logoutURL [String] Optional
-
The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
- application.oauthConfiguration.proofKeyForCodeExchangePolicy [String] Optional Defaults to NotRequired Available since 1.28.0
-
Determines the PKCE requirements when using the authorization code grant.
The possible values are:
- Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
- NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
- NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
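clientAuthenticationPolicy and proofKeyForCodeExchangePolicy are evaluated together at the Token endpoint, and the two "NotRequiredWhenUsing..." values are mirror images of each other. The following is an added example that models that decision for an authorization code exchange and includes the S256 code_verifier check from RFC 7636; it is not FusionAuth's implementation. The policy names are the documented values, the decision table is this example's reading of the descriptions above, and the application record and the stored code_challenge are constructed inputs.

```python
"""Token endpoint acceptance under the two policies, with S256 PKCE (added example)."""
import base64
import hashlib
import hmac
import secrets


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """43-character verifier from 32 random bytes, as RFC 7636 recommends."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def client_authenticated(req: dict, registered_secret: str) -> bool:
    """True only when the request presents the registered client_secret."""
    presented = req.get("client_secret")
    return presented is not None and hmac.compare_digest(presented, registered_secret)


def verifier_valid(req: dict, stored_challenge) -> bool:
    """True only when the presented code_verifier hashes to the challenge bound to the code."""
    verifier = req.get("code_verifier")
    if verifier is None or stored_challenge is None:
        return False
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)


def token_request_allowed(req: dict, app: dict, code_record: dict):
    """Decide whether an authorization_code exchange may proceed.
    app: client_secret, clientAuthenticationPolicy, proofKeyForCodeExchangePolicy
    code_record: code_challenge captured at /oauth2/authorize (None if absent)
    Returns (allowed, reason)."""
    authed = client_authenticated(req, app["client_secret"])
    pkce_ok = verifier_valid(req, code_record.get("code_challenge"))

    # Anything presented must be correct, even when the policy did not demand it.
    if req.get("code_verifier") is not None and not pkce_ok:
        return False, "code_verifier does not match code_challenge"
    if req.get("client_secret") is not None and not authed:
        return False, "invalid client credentials"

    cap = app.get("clientAuthenticationPolicy", "Required")         # documented default
    if cap == "Required" and not authed:
        return False, "client authentication required"
    if cap == "NotRequiredWhenUsingPKCE" and not authed and not pkce_ok:
        return False, "client authentication required without a valid code_verifier"

    pp = app.get("proofKeyForCodeExchangePolicy", "NotRequired")    # documented default
    if pp == "Required" and not pkce_ok:
        return False, "code_verifier required"
    if pp == "NotRequiredWhenUsingClientAuthentication" and not pkce_ok and not authed:
        return False, "code_verifier required without client authentication"
    return True, "ok"


if __name__ == "__main__":
    verifier = new_verifier()
    code = {"code_challenge": s256_challenge(verifier)}      # stored at authorize time
    public_app = {"client_secret": "unused-by-public-client",
                  "clientAuthenticationPolicy": "NotRequiredWhenUsingPKCE",
                  "proofKeyForCodeExchangePolicy": "Required"}
    print(token_request_allowed({"code_verifier": verifier}, public_app, code))
```

The order of the checks matters: a presented but wrong code_verifier or client_secret is rejected outright before any policy is consulted, so a lax policy such as NotRequired never turns a failed proof into an accepted one.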
- application.oauthConfiguration.requireClientAuthentication [Boolean] Optional Defaults to true Deprecated
-
Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0. In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy.
- application.oauthConfiguration.requireRegistration [Boolean] Optional Defaults to false Available since 1.28.0
-
When enabled the user will be required to be registered, or to complete registration, before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
- application.passwordlessConfiguration.enabled [Boolean] Optional Defaults to false Available since 1.5.0
-
Determines if passwordless login is enabled for this application.
- application.registrationConfiguration.birthDate.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the birthDate field will be included on the registration form.
- application.registrationConfiguration.birthDate.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the birthDate field is required when displayed on the registration form.
- application.registrationConfiguration.confirmPassword [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the password should be confirmed during self service registration. This means that the user will be required to type the password twice.
- application.registrationConfiguration.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API; this only affects whether the self service option is available during the OAuth 2.0 login.
Self service registration cannot be enabled on the FusionAuth application.
If true, any user logging in to this application using hosted login pages will automatically have a registration created, if they are not already registered.
- application.registrationConfiguration.firstName.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the firstName field will be included on the registration form.
- application.registrationConfiguration.firstName.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the firstName field is required when displayed on the registration form.
- application.registrationConfiguration.formId [UUID] Optional Available since 1.18.0
-
The Id of an associated Form when using the advanced registration configuration type. This field is required when application.registrationConfiguration.type is set to advanced.
- application.registrationConfiguration.fullName.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the fullName field will be included on the registration form.
- application.registrationConfiguration.fullName.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the fullName field is required when displayed on the registration form.
- application.registrationConfiguration.lastName.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the lastName field will be included on the registration form.
- application.registrationConfiguration.lastName.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the lastName field is required when displayed on the registration form.
- application.registrationConfiguration.loginIdType [String] Optional Defaults to email Available since 1.4.0
-
The unique login Id that will be collected during registration. This value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.
Supported values include:
- email
- username
- application.registrationConfiguration.middleName.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the middleName field will be included on the registration form.
- application.registrationConfiguration.middleName.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the middleName field is required when displayed on the registration form.
- application.registrationConfiguration.mobilePhone.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the mobilePhone field will be included on the registration form.
- application.registrationConfiguration.mobilePhone.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the mobilePhone field is required when displayed on the registration form.
- application.registrationConfiguration.type [String] Optional Defaults to basic Available since 1.18.0
-
The type of registration flow.
Supported values include:
- basic - the basic self registration options available prior to version 1.18.0.
- advanced - advanced usage of custom forms; requires a paid edition of FusionAuth.
- application.registrationDeletePolicy.unverified.enabled [Boolean] Optional Defaults to false Available since 1.13.0
-
Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
- application.registrationDeletePolicy.unverified.numberOfDaysToRetain [Integer] Optional Available since 1.13.0
-
The number of days from registration that a user's registration will be retained before being deleted for not completing registration verification. This field is required when application.registrationDeletePolicy.unverified.enabled is set to true. Value must be greater than 0.
- application.roles [Array] Optional
-
An array of Role objects.
- application.roles
[x]
.description [String] Optional -
A description for the role.
- application.roles
[x]
.id [UUID] Optional generated if null -
The Id of the Role.
- application.roles
[x]
.name [String] Required -
The name of the Role.
- application.roles
[x]
.isDefault [Boolean] Optional Defaults tofalse
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- application.roles
[x]
.isSuperRole [Boolean] Optional Defaults tofalse
-
Whether or not the Role is a considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI, it is not enforced programmatically when using the API.
- application.samlv2Configuration.audience [String] Optional Defaults to issuer Available since 1.6.0
-
The audience for the SAML response sent back to the service provider from FusionAuth. Some service providers require different audience values than the issuer and this configuration option lets you change the audience in the response.
- application.samlv2Configuration.authorizedRedirectURLs [Array<String>] Required Available since 1.20.0
-
One or more authorized URLs that may be specified by the SAML v2 Service Provider in the Authentication request <AssertionConsumerServiceURL> element. If a requested URL is not in this list the request will be rejected by FusionAuth. This is the URL to which FusionAuth will send the SAML response during a SAML login request (this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the <AssertionConsumerServiceURL> element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
- application.samlv2Configuration.callbackURL [String] Optional Available since 1.6.0 Deprecated
-
The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 In version 1.20.0 and beyond, Callback URLs can be managed via application.samlv2Configuration.authorizedRedirectURLs.
- application.samlv2Configuration.debug [Boolean] Optional Defaults to false Available since 1.6.0
-
Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
- application.samlv2Configuration.defaultVerificationKeyId [UUID] Optional Available since 1.20.0
-
The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a <KeyInfo> element is not found in the SAML AuthNRequest. If a <KeyInfo> element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature. This parameter is required when application.samlv2Configuration.requireSignedRequests is set to true.
- application.samlv2Configuration.enabled [Boolean] Optional Defaults to false Available since 1.6.0
-
Determines if the SAML IdP is enabled for this Application.
- application.samlv2Configuration.issuer [String] Required Available since 1.6.0
-
An issuer identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration. If you don’t know the issuer, you can put anything in this field and FusionAuth will display an error message with the issuer from the service provider when you test the SAML login.
- application.samlv2Configuration.initiatedLogin.enabled [Boolean] Optional Defaults to false Available since 1.41.0
-
Determines if SAML v2 IdP initiated login is enabled for this application.
- application.samlv2Configuration.initiatedLogin.nameIdFormat [String] Optional Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Available since 1.41.0
-
The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
- application.samlv2Configuration.keyId [UUID] Optional Defaults to a new key Available since 1.6.0
-
The unique Id of the Key used to sign the SAML response. If you do not specify this property, FusionAuth will create a new key and associate it with this Application.
- application.samlv2Configuration.logout.behavior [String] Optional Defaults to AllParticipants Available since 1.25.0
-
The possible values are:
- AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
- OnlyOriginator - no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
- application.samlv2Configuration.logout.defaultVerificationKeyId [UUID] Optional Available since 1.25.0
-
The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings. This parameter is required when application.samlv2Configuration.logout.requireSignedRequests is set to true.
- application.samlv2Configuration.logout.keyId [UUID] Optional Defaults to [see description] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Logout response.
When this parameter is omitted, the key defined by application.samlv2Configuration.keyId will be used.
- application.samlv2Configuration.logout.requireSignedRequests [Boolean] Required Defaults to false Available since 1.25.0
-
Set this parameter equal to true to require the SAML v2 Service Provider to sign the Logout request. When this value is true all Logout requests missing a signature will be rejected. When set to true, the parameter application.samlv2Configuration.logout.defaultVerificationKeyId is required.
- application.samlv2Configuration.logout.singleLogout.enabled [Boolean] Optional Defaults to false Available since 1.25.0
-
Whether or not SAML Single Logout for this SAML IdP is enabled.
- application.samlv2Configuration.logout.singleLogout.keyId [UUID] Optional Defaults to [see description] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Single Logout response.
When this parameter is omitted, the key defined by application.samlv2Configuration.keyId will be used.
- application.samlv2Configuration.logout.singleLogout.url [String] Optional Available since 1.25.0
-
The URL at which you want to receive the LogoutRequest from FusionAuth. Required if application.samlv2Configuration.logout.singleLogout.enabled is true.
- application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the SAML Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logoutURL [String] Optional Defaults to the system logout URL or / Available since 1.6.0
-
The URL that the browser is taken to after the user logs out of the SAML service provider. Often service providers need this URL in order to correctly hook up single-logout.
This is also the URL to which the SAML v2 LogoutResponse will be sent, using the same bindings that were used to initiate the logout request with the IdP. For example, if POST bindings were used to initiate the logout request, POST bindings will be used for this LogoutResponse request.
- application.samlv2Configuration.requireSignedRequests [Boolean] Optional Defaults to false Available since 1.20.0
-
Set this parameter equal to true to require the SAML v2 Service Provider to sign the request. When this value is true all requests missing a signature will be rejected. When set to true, the parameter application.samlv2Configuration.defaultVerificationKeyId is required.
- application.samlv2Configuration.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.6.0
-
The XML signature canonicalization method used when digesting and signing the SAML response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.xmlSignatureLocation [String] Defaults to Assertion Available since 1.21.0
-
The location to place the XML signature when signing a successful SAML response.
The possible values are:
- Assertion - The XML signature will be added as a child element of the Assertion.
- Response - The XML signature will be added as a child element of the Response.
In most cases the default configuration will be adequate. If you encounter a SAML v2 Service Provider that requires the signature to be a child of the Response, use this configuration to change the signature location. Prior to version 1.21.0, the XML signature was always located as a child element of the Assertion when the response was successful.
- application.themeId [UUID] Optional Available since 1.27.0
-
The unique Id of the theme to be used to style the login page and other end user templates.
Note: A paid plan is required to utilize application themes.
- application.verificationEmailTemplateId [UUID] Optional
-
The Id of the Email Template that is used to send the Registration Verification emails to users. If the verifyRegistration field is true this field is required.
- application.verifyRegistration [Boolean] Optional Defaults to false
-
Whether or not registrations to this Application may be verified. When this is set to true the verificationEmailTemplateId parameter is also required.
- application.webAuthnConfiguration.bootstrapWorkflow.enabled [Boolean] Optional Defaults to false Available since 1.41.0
-
Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
Note: An Essentials or Enterprise plan is required to utilize WebAuthn.
- application.webAuthnConfiguration.enabled [Boolean] Optional Defaults to false Available since 1.41.0
-
Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows will be enabled based on the Tenant configuration. If true, WebAuthn workflows will be enabled according to the configuration of this application.
Note: An Essentials or Enterprise plan is required to utilize WebAuthn.
- application.webAuthnConfiguration.reauthenticationWorkflow.enabled [Boolean] Optional Defaults to false Available since 1.41.0
-
Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
Note: An Essentials or Enterprise plan is required to utilize WebAuthn.
- sourceApplicationId [UUID] Optional Available since 1.43.0
-
The optional Id of an existing Application from which a copy will be made.
A unique application.name is required.
The oauthConfiguration.clientSecret and each role Id will be cleared so new values can be generated. All other values will be copied from the source Application.
- webhookIds [Array<UUID>] Optional Deprecated
-
An array of Webhook Ids. For Webhooks that are not already configured for All Applications, specifying an Id on this request will indicate the associated Webhook should handle events for this application.
Removed in version 1.37.0 In version 1.37.0 and beyond, Webhooks configuration can be managed in the Tenant API.
{
"application": {
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908"
},
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshToken": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false,
"isSuperRole": true
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true,
"isSuperRole": false
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
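A pre-flight checker for a Create Application request body, added here as an example and not FusionAuth's own code. It enforces the cross-field rules stated in the Request Body section (verifyRegistration, registrationDeletePolicy.unverified, roles[x].name, the SAML requireSignedRequests / defaultVerificationKeyId pairings, singleLogout.url) and flags settings this page describes as permissive (loginConfiguration.requireAuthentication, clientAuthenticationPolicy, omitted authorizedOriginURLs), so a misconfiguration is caught before the POST instead of coming back as a 400. The sample body and its values are constructed for the demonstration.

```python
# Added example, not FusionAuth's own code: pre-flight checks for a Create Application
# request body, using only the rules and settings documented on this page.
from typing import Any


def _get(obj: dict, path: str, default: Any = None) -> Any:
    """Read a dotted path such as 'logout.singleLogout.url' from nested dicts."""
    cur: Any = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def validate_application(body: dict) -> list[str]:
    """Return violations of the documented required-field rules (empty list = valid)."""
    app = body.get("application", {})
    errors: list[str] = []
    if not app.get("name"):
        errors.append("application.name is required")
    # verifyRegistration=true makes the verification email template mandatory.
    if app.get("verifyRegistration") is True and not app.get("verificationEmailTemplateId"):
        errors.append("application.verificationEmailTemplateId is required when verifyRegistration is true")
    # Deleting unverified registrations needs a retention period greater than 0.
    if _get(app, "registrationDeletePolicy.unverified.enabled") is True:
        days = _get(app, "registrationDeletePolicy.unverified.numberOfDaysToRetain")
        if not isinstance(days, int) or days <= 0:
            errors.append("application.registrationDeletePolicy.unverified.numberOfDaysToRetain must be > 0")
    for i, role in enumerate(app.get("roles", [])):  # name is required; id is generated if null
        if not role.get("name"):
            errors.append(f"application.roles[{i}].name is required")
    saml = app.get("samlv2Configuration", {})
    if saml.get("enabled") is True:
        if not saml.get("issuer"):
            errors.append("application.samlv2Configuration.issuer is required")
        if not saml.get("authorizedRedirectURLs"):
            errors.append("application.samlv2Configuration.authorizedRedirectURLs is required")
        # Signed requests need a fallback key for Redirect bindings or a missing <KeyInfo>.
        if saml.get("requireSignedRequests") is True and not saml.get("defaultVerificationKeyId"):
            errors.append("application.samlv2Configuration.defaultVerificationKeyId is required when requireSignedRequests is true")
        logout = saml.get("logout", {})
        if logout.get("requireSignedRequests") is True and not logout.get("defaultVerificationKeyId"):
            errors.append("application.samlv2Configuration.logout.defaultVerificationKeyId is required when logout.requireSignedRequests is true")
        if _get(logout, "singleLogout.enabled") is True and not _get(logout, "singleLogout.url"):
            errors.append("application.samlv2Configuration.logout.singleLogout.url is required when singleLogout.enabled is true")
    return errors


def audit_posture(body: dict) -> list[str]:
    """Return warnings for settings the page describes as permissive."""
    app = body.get("application", {})
    oauth = app.get("oauthConfiguration", {})
    warnings: list[str] = []
    if _get(app, "loginConfiguration.requireAuthentication") is False:
        warnings.append("loginConfiguration.requireAuthentication=false: the Login API will not require an API key")
    if oauth.get("clientAuthenticationPolicy") == "NotRequired":
        warnings.append("oauthConfiguration.clientAuthenticationPolicy=NotRequired: Token endpoint does not require client credentials")
    if "authorization_code" in oauth.get("enabledGrants", []) and oauth.get("proofKeyForCodeExchangePolicy") == "NotRequired":
        warnings.append("oauthConfiguration.proofKeyForCodeExchangePolicy=NotRequired with the authorization_code grant enabled")
    if oauth.get("authorizedURLValidationPolicy") == "AllowWildcards":
        warnings.append("oauthConfiguration.authorizedURLValidationPolicy=AllowWildcards: origin/redirect URLs are matched by wildcard pattern")
    if not oauth.get("authorizedOriginURLs"):
        warnings.append("oauthConfiguration.authorizedOriginURLs omitted: all HTTP origins may use the browser based grants")
    for url in oauth.get("authorizedRedirectURLs", []) + oauth.get("authorizedOriginURLs", []):
        if url.startswith("http://"):
            warnings.append(f"plaintext http:// URL in oauthConfiguration: {url}")
    saml = app.get("samlv2Configuration", {})
    if saml.get("enabled") is True and saml.get("requireSignedRequests") is not True:
        warnings.append("samlv2Configuration.requireSignedRequests is not true: unsigned AuthnRequests will be accepted")
    return warnings


# Constructed sample body with deliberate problems; the values are placeholders, not real ids.
SAMPLE_BODY = {
    "application": {
        "name": "Forum",
        "verifyRegistration": True,  # no verificationEmailTemplateId -> error
        "registrationDeletePolicy": {"unverified": {"enabled": True, "numberOfDaysToRetain": 0}},
        "roles": [{"name": "admin", "isSuperRole": True}, {"description": "unnamed role"}],
        "loginConfiguration": {"requireAuthentication": False},
        "oauthConfiguration": {
            "authorizedRedirectURLs": ["http://www.example.com/oauth-callback"],
            "clientAuthenticationPolicy": "NotRequired",
            "enabledGrants": ["authorization_code"],
            "proofKeyForCodeExchangePolicy": "NotRequired",
        },
        "samlv2Configuration": {
            "enabled": True,
            "issuer": "example.com",
            "authorizedRedirectURLs": ["https://www.example.com/samlv2/acs"],
            "requireSignedRequests": True,  # but no defaultVerificationKeyId -> error
            "logout": {"singleLogout": {"enabled": True}},  # no url -> error
        },
    }
}

if __name__ == "__main__":
    for msg in validate_application(SAMPLE_BODY) + audit_posture(SAMPLE_BODY):
        print(msg)
```

Run the checks against the body you are about to send; an empty error list means the documented required-field rules hold, and each warning names the setting to reconsider.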
Response
The response for this API contains the information for the Application that was created.
Code | Description
---|---
200 | The request was successful. The response will contain a JSON body.
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.
Response Body
- application.accessControlConfiguration.uiIPAccessControlListId [UUID] Available since 1.30.0
-
The Id of the IP Access Control List limiting access to this application.
- application.active [Boolean] Deprecated
-
Whether or not the Application is active.
Deprecated in version 1.22.0 In version 1.22.0 and beyond, prefer the use of state.
- application.authenticationTokenConfiguration.enabled [Boolean]
-
Whether or not Users can have Authentication Tokens associated with this Application.
- application.cleanSpeakConfiguration.applicationIds [Array<UUID>]
-
An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
- application.cleanSpeakConfiguration.enabled [Boolean]
-
True if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
- application.cleanSpeakConfiguration.usernameModeration.applicationId [UUID]
-
The Id of the CleanSpeak application that usernames are sent to for moderation.
- application.cleanSpeakConfiguration.usernameModeration.enabled [Boolean]
-
True if CleanSpeak username moderation is enabled.
- application.data [Object]
-
An object that can hold any information about the Application that should be persisted.
- application.emailConfiguration.emailVerificationEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailVerifiedEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginNewDeviceEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginSuspiciousEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordResetSuccessEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodAddEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.formConfiguration.adminRegistrationFormId [UUID] Available since 1.20.0
-
The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
- application.formConfiguration.selfServiceFormId [UUID] Available since 1.26.0
-
The unique Id of the form used to enable authenticated users to manage their profile on the account page.
- application.id [UUID]
-
The unique identifier for this Application.
- application.insertInstant [Long] Available since 1.18.0
-
The instant that the Application was added to the FusionAuth database.
- application.jwtConfiguration.accessTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the access token.
- application.jwtConfiguration.algorithm [String] Deprecated
-
The algorithm used to sign the JSON Web Token (JWT). The following JSON Web Algorithms (JWA), as described in RFC 7518, are available:
- ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
- ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
- ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
- HS256 - HMAC using SHA-256
- HS384 - HMAC using SHA-384
- HS512 - HMAC using SHA-512
- RS256 - RSASSA-PKCS1-v1_5 using SHA-256
- RS384 - RSASSA-PKCS1-v1_5 using SHA-384
- RS512 - RSASSA-PKCS1-v1_5 using SHA-512
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.enabled [Boolean]
-
Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.
- application.jwtConfiguration.idTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the Id token.
- application.jwtConfiguration.privateKey [String] Deprecated
-
The private key used when an RSA signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.publicKey [String] Deprecated
-
The public key used when an RSA signing algorithm has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.2.0
-
The length of time in minutes the JWT refresh token will live before it expires and can no longer be exchanged for a JWT.
- application.jwtConfiguration.secret [String] Deprecated
-
The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.
Removed in version 1.5.0 In version 1.5.0 and beyond, when selecting an HMAC algorithm, the client_secret from the OAuth configuration will be used to sign and verify the JWTs.
- application.jwtConfiguration.timeToLiveInSeconds [Integer]
-
The length of time in seconds the JWT will live before it is expired and no longer valid.
- application.lambdaConfiguration.accessTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
- application.lambdaConfiguration.idTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
- application.lambdaConfiguration.samlv2PopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
- application.lambdaConfiguration.selfServiceRegistrationValidationId [UUID] Available since 1.43.0
-
The unique Id of the lambda that will be used to perform additional validation on registration form steps.
- application.lastUpdateInstant [Long] Available since 1.18.0
-
The instant that the Application was last updated in the FusionAuth database.
- application.name [String]
-
The name of the Application.
- application.loginConfiguration.allowTokenRefresh [Boolean] Available since 1.5.0
-
Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens, which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
- application.loginConfiguration.generateRefreshTokens [Boolean] Available since 1.5.0
-
Indicates if a Refresh Token should be issued from the Login API.
- application.loginConfiguration.requireAuthentication [Boolean] Available since 1.5.0
-
Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
-
The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
- application.multiFactorConfiguration.sms.templateId [UUID] Available since 1.26.0
-
The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
- application.oauthConfiguration.authorizedOriginURLs [Array<String>]
-
An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header X-Frame-Options: DENY will be added to each response to disallow iframe loading.
- application.oauthConfiguration.authorizedRedirectURLs [Array<String>]
-
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
- application.oauthConfiguration.authorizedURLValidationPolicy [String] Available since 1.43.0
-
Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs.
The possible values are:
- ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
- AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
- application.oauthConfiguration.clientAuthenticationPolicy [String] Available since 1.28.0
-
Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
- Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- NotRequired - Providing client credentials is optional when using the Token endpoint.
- NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PKCE code_verifier has been provided in the request body using POST data.
- application.oauthConfiguration.clientId [String]
-
The OAuth client Id of the Application.
- application.oauthConfiguration.clientSecret [String]
-
The OAuth client secret.
- application.oauthConfiguration.debug [Boolean] Available since 1.25.0
-
Whether or not FusionAuth will log a debug Event Log. This is particularly useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
- application.oauthConfiguration.deviceVerificationURL [String] Available since 1.11.0
-
The device verification URL to be used with the Device Code grant type.
- application.oauthConfiguration.enabledGrants [Array<String>] Available since 1.5.0
-
The enabled grants for this application.
Supported values include:
- authorization_code
- implicit
- password
- refresh_token
- urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0
- application.oauthConfiguration.generateRefreshTokens [Boolean] Available since 1.3.0
-
Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.
- application.oauthConfiguration.logoutBehavior [String] Available since 1.11.0
-
Behavior when /oauth2/logout is called. Valid values:
- RedirectOnly - End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
- AllApplications - End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.
- application.oauthConfiguration.logoutURL [String]
-
The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
- application.oauthConfiguration.proofKeyForCodeExchangePolicy [String] Available since 1.28.0
-
Determines the PKCE requirements when using the authorization code grant.
The possible values are:
- Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
- NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
- NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- application.oauthConfiguration.requireClientAuthentication [Boolean] Available since 1.3.0 Deprecated
-
Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy.
- application.oauthConfiguration.requireRegistration [Boolean] Available since 1.28.0
-
Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
- application.passwordlessConfiguration.enabled [Boolean] Available since 1.5.0
-
Determines if passwordless login is enabled for this application.
- application.registrationConfiguration.birthDate.enabled [Boolean] Available since 1.4.0
-
Determines if the birthDate field will be included on the registration form.
- application.registrationConfiguration.birthDate.required [Boolean] Available since 1.4.0
-
Determines if the birthDate field is required when displayed on the registration form.
- application.registrationConfiguration.confirmPassword [Boolean] Available since 1.4.0
-
Determines if the password should be confirmed during self service registration. When enabled, the user will be required to type the password twice.
- application.registrationConfiguration.enabled [Boolean] Available since 1.4.0
-
Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API; this setting only affects whether the self service option is available during the OAuth 2.0 login.
- application.registrationConfiguration.firstName.enabled [Boolean] Available since 1.4.0
-
Determines if the firstName field will be included on the registration form.
- application.registrationConfiguration.firstName.required [Boolean] Available since 1.4.0
-
Determines if the firstName field is required when displayed on the registration form.
- application.registrationConfiguration.formId [UUID] Available since 1.18.0
-
The Id of an associated Form when using the advanced registration configuration type.
- application.registrationConfiguration.fullName.enabled [Boolean] Available since 1.4.0
-
Determines if the fullName field will be included on the registration form.
- application.registrationConfiguration.fullName.required [Boolean] Available since 1.4.0
-
Determines if the fullName field is required when displayed on the registration form.
- application.registrationConfiguration.lastName.enabled [Boolean] Available since 1.4.0
-
Determines if the lastName field will be included on the registration form.
- application.registrationConfiguration.lastName.required [Boolean] Available since 1.4.0
-
Determines if the lastName field is required when displayed on the registration form.
- application.registrationConfiguration.loginIdType [String] Available since 1.4.0
-
The unique login Id that will be collected during registration. This value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.
- email
- username
- application.registrationConfiguration.middleName.enabled [Boolean] Available since 1.4.0
-
Determines if the middleName field will be included on the registration form.
- application.registrationConfiguration.middleName.required [Boolean] Available since 1.4.0
-
Determines if the middleName field is required when displayed on the registration form.
- application.registrationConfiguration.mobilePhone.enabled [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field will be included on the registration form.
- application.registrationConfiguration.mobilePhone.required [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field is required when displayed on the registration form.
- application.registrationConfiguration.type [String] Available since 1.18.0
-
The type of registration flow.
Supported values include:
- basic - the basic self registration options available prior to version 1.18.0.
- advanced - advanced usage of custom forms, requires a paid edition of FusionAuth.
- application.registrationDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0
-
Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
- application.registrationDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0
-
The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
- application.roles [Array]
-
An array of Role objects.
- application.roles[x].description [String]
-
A description of the role.
- application.roles[x].id [UUID]
-
The Id of the Role.
- application.roles[x].name [String]
-
The name of the Role.
- application.roles[x].isDefault [Boolean]
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- application.roles[x].isSuperRole [Boolean]
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API.
- application.samlv2Configuration.audience [String] Available since 1.6.0
-
The audience for the SAML response sent back to the service provider from FusionAuth. Some service providers require different audience values than the issuer and this configuration option lets you change the audience in the response.
- application.samlv2Configuration.authorizedRedirectURLs [Array<String>] Available since 1.20.0
-
One or more authorized URLs that may be specified by the SAML v2 Service Provider in the Authentication request <AssertionConsumerServiceURL> element. If a requested URL is not in this list the request will be rejected by FusionAuth. This is the URL to which FusionAuth will send the SAML response during a SAML login request (this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the <AssertionConsumerServiceURL> element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
-
The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
- application.samlv2Configuration.debug [Boolean] Available since 1.6.0
-
Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
- application.samlv2Configuration.defaultVerificationKeyId [UUID] Available since 1.20.0
-
The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a <KeyInfo> element is not found in the SAML AuthNRequest. If a <KeyInfo> element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
- application.samlv2Configuration.enabled [Boolean] Available since 1.6.0
-
Whether or not the SAML IdP for this Application is enabled.
- application.samlv2Configuration.initiatedLogin.enabled [Boolean] Available since 1.41.0
-
Determines if SAML v2 IdP initiated login is enabled for this application.
- application.samlv2Configuration.initiatedLogin.nameIdFormat [String] Available since 1.41.0
-
The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
- application.samlv2Configuration.issuer [String] Available since 1.6.0
-
The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
- application.samlv2Configuration.keyId [UUID] Available since 1.6.0
-
The unique Id of the Key used to sign the SAML response.
- application.samlv2Configuration.logout.behavior [String] Available since 1.25.0
-
The possible values are:
- AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
- OnlyOriginator - no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
- application.samlv2Configuration.logout.defaultVerificationKeyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
- application.samlv2Configuration.logout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Logout response.
- application.samlv2Configuration.logout.requireSignedRequests [Boolean] Available since 1.25.0
-
When this value is true all Logout requests missing a signature will be rejected.
- application.samlv2Configuration.logout.singleLogout.enabled [Boolean] Available since 1.25.0
-
Whether or not SAML Single Logout for this SAML IdP is enabled.
- application.samlv2Configuration.logout.singleLogout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Single Logout response.
- application.samlv2Configuration.logout.singleLogout.url [String] Available since 1.25.0
-
The URL at which you want to receive the LogoutRequest from FusionAuth.
- application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod [String] Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logoutURL [String] Available since 1.6.0
-
The URL that the browser is taken to after the user logs out of the SAML service provider.
- application.samlv2Configuration.requireSignedRequests [Boolean] Available since 1.20.0
-
When this value is true all requests missing a signature will be rejected.
- application.samlv2Configuration.xmlSignatureC14nMethod [String] Available since 1.6.0
-
The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.xmlSignatureLocation [String] Available since 1.21.0
-
The location to place the XML signature when signing the SAML response.
The possible values are:
- Assertion - The XML signature will be added as a child element of the Assertion.
- Response - The XML signature will be added as a child element of the Response.
- application.state [String] Available since 1.22.0
-
The current state of the application. The following are valid values:
- Active - The application is active.
- Inactive - The application is not active. An application can not be modified or authenticated against when inactive.
- application.themeId [UUID] Available since 1.27.0
-
The unique Id of the theme to be used to style the login page and other end user templates.
- application.verificationEmailTemplateId [UUID]
-
The Id of the Email Template that is used to send the Registration Verification emails to users.
- application.verifyRegistration [Boolean]
-
Whether or not registrations to this Application may be verified.
- application.webAuthnConfiguration.bootstrapWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
- application.webAuthnConfiguration.enabled [Boolean] Available since 1.41.0
-
Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows are enabled based on the Tenant configuration. If true, WebAuthn workflows are enabled according to the configuration of this application.
- application.webAuthnConfiguration.reauthenticationWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
{
"application": {
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908"
},
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshToken": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"requireClientAuthentication": true,
"requireRegistration": false
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"state": "Active",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
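The request body above carries several settings whose weak values the parameter descriptions call out: a missing authorizedOriginURLs list, a false loginConfiguration.requireAuthentication, a NotRequired PKCE or client authentication policy, wildcard URL validation, and unsigned SAML requests. The following is an added example, not FusionAuth's own code or SDK, that applies those rules as a review check to an application object of the shape documented here. SAMPLE_APPLICATION is a constructed, trimmed copy of the page's example request; HARDENED_APPLICATION is a constructed variant with the settings tightened; resolve_acs_url implements the samlv2Configuration.authorizedRedirectURLs selection rule as the page states it (exact membership, first entry when the request omits the element).

```python
"""Review check for a FusionAuth Application configuration object.

Added example, not FusionAuth code. The rules mirror statements made in the
Application API parameter descriptions; the sample objects are constructed.
"""
from __future__ import annotations

from typing import Any
from urllib.parse import urlsplit

# Constructed: a trimmed copy of this page's example request body (sample values).
SAMPLE_APPLICATION: dict[str, Any] = {
    "name": "Forum",
    "loginConfiguration": {"requireAuthentication": True},
    "oauthConfiguration": {
        "authorizedOriginURLs": ["http://www.example.com"],
        "authorizedRedirectURLs": ["http://www.example.com/oauth-callback"],
        "authorizedURLValidationPolicy": "ExactMatch",
        "clientAuthenticationPolicy": "Required",
        "enabledGrants": ["authorization_code", "refresh_token"],
        "proofKeyForCodeExchangePolicy": "NotRequired",
    },
    "samlv2Configuration": {
        "enabled": True,
        "authorizedRedirectURLs": ["https://www.example.com/samlv2/acs"],
        "requireSignedRequests": True,
    },
}

# Constructed: the same application with the settings tightened.
HARDENED_APPLICATION: dict[str, Any] = {
    "name": "Forum",
    "loginConfiguration": {"requireAuthentication": True},
    "oauthConfiguration": {
        "authorizedOriginURLs": ["https://www.example.com"],
        "authorizedRedirectURLs": ["https://www.example.com/oauth-callback"],
        "authorizedURLValidationPolicy": "ExactMatch",
        "clientAuthenticationPolicy": "Required",
        "enabledGrants": ["authorization_code", "refresh_token"],
        "proofKeyForCodeExchangePolicy": "Required",
    },
    "samlv2Configuration": {"enabled": False},
}


def audit_application(app: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    login = app.get("loginConfiguration", {})
    oauth = app.get("oauthConfiguration", {})
    saml = app.get("samlv2Configuration", {})

    # Page: with requireAuthentication false, anyone who can reach the API may call the Login API.
    if login.get("requireAuthentication") is False:
        findings.append("loginConfiguration.requireAuthentication is false")

    # Page: omitting authorizedOriginURLs allows all HTTP origins for browser based grants.
    if not oauth.get("authorizedOriginURLs"):
        findings.append("oauthConfiguration.authorizedOriginURLs is omitted")

    # Origins and redirect targets should be HTTPS so codes and tokens are not exposed in transit.
    for key in ("authorizedOriginURLs", "authorizedRedirectURLs"):
        for url in oauth.get(key, []):
            if urlsplit(url).scheme != "https":
                findings.append(f"oauthConfiguration.{key} contains non-HTTPS URL {url}")

    # Wildcards widen the set of acceptable redirect targets; ExactMatch is the tighter policy.
    if oauth.get("authorizedURLValidationPolicy") == "AllowWildcards":
        findings.append("oauthConfiguration.authorizedURLValidationPolicy is AllowWildcards")

    # The implicit and password grants are discouraged by the OAuth 2.0 Security BCP.
    for grant in oauth.get("enabledGrants", []):
        if grant in ("implicit", "password"):
            findings.append(f"oauthConfiguration.enabledGrants includes {grant}")

    pkce = oauth.get("proofKeyForCodeExchangePolicy")
    client_auth = oauth.get("clientAuthenticationPolicy")
    if pkce != "Required":
        findings.append(f"oauthConfiguration.proofKeyForCodeExchangePolicy is {pkce}, consider Required")
    # With both NotRequired the Token endpoint accepts a code with neither a code_verifier nor credentials.
    if pkce == "NotRequired" and client_auth == "NotRequired":
        findings.append("Token endpoint requires neither PKCE nor client authentication")

    # Page: requireSignedRequests true rejects SAML requests that carry no signature.
    if saml.get("enabled") and saml.get("requireSignedRequests") is not True:
        findings.append("samlv2Configuration.requireSignedRequests is not true")
    return findings


def resolve_acs_url(authorized: list[str], requested: str | None) -> str | None:
    """Apply the page's rule for samlv2Configuration.authorizedRedirectURLs.

    A requested <AssertionConsumerServiceURL> must appear in the configured list
    exactly, otherwise the request is rejected (None). When the request omits
    the element, the first configured URL is used.
    """
    if requested is None:
        return authorized[0] if authorized else None
    return requested if requested in authorized else None


if __name__ == "__main__":
    for finding in audit_application(SAMPLE_APPLICATION):
        print("finding:", finding)
    print("hardened findings:", audit_application(HARDENED_APPLICATION))
```

Run against the page's sample, the check reports the two plain-HTTP URLs and the NotRequired PKCE policy and nothing for the hardened variant. The same function can be pointed at the JSON returned by the Retrieve API below to review an existing application rather than a request you are about to send.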
Retrieve an Application
This API is used to retrieve one or all of the configured Applications. Specifying an Id on the URI will retrieve a single Application. Leaving off the Id will retrieve all of the Applications.
Request
Retrieve all of the active Applications
GET /api/application
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Retrieve all of the inactive Applications
GET /api/application?inactive=true
Request Parameters
- inactive [Boolean] Optional
-
Set this parameter to true in order to retrieve only inactive Applications. Setting this parameter to false is equivalent to omitting the inactive parameter.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Retrieve a single Application by Id
GET /api/application/{applicationId}
Request Parameters
- applicationId [UUID] Optional
-
The Id of the Application to retrieve. This request will return the Application if it exists regardless if the Application is active or not.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response
The response for this API contains either a single Application or all of the Applications. When you call this API with an Id the response will contain just that Application. When you call this API without an Id the response will contain all of the Applications. Both response types are defined below along with an example JSON response.
Code | Description |
---|---|
200 |
The request was successful. The response will contain a JSON body. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 |
You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 |
The object you requested doesn’t exist. The response will be empty. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body
- application.accessControlConfiguration.uiIPAccessControlListId [UUID] Available since 1.30.0
-
The Id of the IP Access Control List limiting access to this application.
- application.active [Boolean] Deprecated
-
Whether or not the Application is active.
Deprecated in version 1.22.0 In version 1.22.0 and beyond, prefer the use of state.
- application.authenticationTokenConfiguration.enabled [Boolean]
-
Whether or not Users can have Authentication Tokens associated with this Application.
- application.cleanSpeakConfiguration.applicationIds [Array<UUID>]
-
An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
- application.cleanSpeakConfiguration.enabled [Boolean]
-
True if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
- application.cleanSpeakConfiguration.usernameModeration.applicationId [UUID]
-
The Id of the CleanSpeak application that usernames are sent to for moderation.
- application.cleanSpeakConfiguration.usernameModeration.enabled [Boolean]
-
True if CleanSpeak username moderation is enabled.
- application.data [Object]
-
An object that can hold any information about the Application that should be persisted.
- application.emailConfiguration.emailVerificationEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailVerifiedEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginNewDeviceEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginSuspiciousEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordResetSuccessEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodAddEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.formConfiguration.adminRegistrationFormId [UUID] Available since 1.20.0
-
The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
- application.formConfiguration.selfServiceFormId [UUID] Available since 1.26.0
-
The unique Id of the form used to enable authenticated users to manage their profile on the account page.
- application.id [UUID]
-
The unique identifier for this Application.
- application.insertInstant [Long] Available since 1.18.0
-
The instant that the Application was added to the FusionAuth database.
- application.jwtConfiguration.accessTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the access token.
- application.jwtConfiguration.algorithm [String] Deprecated
-
The algorithm used to sign the JSON Web Token (JWT). The following JSON Web Algorithms (JWA), as described in RFC 7518, are available:
- ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
- ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
- ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
- HS256 - HMAC using SHA-256
- HS384 - HMAC using SHA-384
- HS512 - HMAC using SHA-512
- RS256 - RSASSA-PKCS1-v1_5 using SHA-256
- RS384 - RSASSA-PKCS1-v1_5 using SHA-384
- RS512 - RSASSA-PKCS1-v1_5 using SHA-512
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.enabled [Boolean]
-
Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.
- application.jwtConfiguration.idTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the Id token.
- application.jwtConfiguration.privateKey [String] Deprecated
-
The private key used when an RSA signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.publicKey [String] Deprecated
-
The public key used when an RSA signing algorithm has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.2.0
-
The length of time in minutes the JWT refresh token will live before it expires and can no longer be exchanged for a JWT.
- application.jwtConfiguration.secret [String] Deprecated
-
The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.
Removed in version 1.5.0 In version 1.5.0 and beyond, when selecting an HMAC algorithm, the client_secret from the OAuth configuration will be used to sign and verify the JWTs.
- application.jwtConfiguration.timeToLiveInSeconds [Integer]
-
The length of time in seconds the JWT will live before it is expired and no longer valid.
- application.lambdaConfiguration.accessTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
- application.lambdaConfiguration.idTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
- application.lambdaConfiguration.samlv2PopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
- application.lambdaConfiguration.selfServiceRegistrationValidationId [UUID] Available since 1.43.0
-
The unique Id of the lambda that will be used to perform additional validation on registration form steps.
- application.lastUpdateInstant [Long] Available since 1.18.0
-
The instant that the Application was last updated in the FusionAuth database.
- application.name [String]
-
The name of the Application.
- application.loginConfiguration.allowTokenRefresh [Boolean] Available since 1.5.0
-
Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens, which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
- application.loginConfiguration.generateRefreshTokens [Boolean] Available since 1.5.0
-
Indicates if a Refresh Token should be issued from the Login API.
- application.loginConfiguration.requireAuthentication [Boolean] Available since 1.5.0
-
Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API, which means the credentials of this application's users can be guessed from anywhere without an API key.
-
The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
- application.multiFactorConfiguration.sms.templateId [UUID] Available since 1.26.0
-
The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
- application.oauthConfiguration.authorizedOriginURLs [Array<String>]
-
An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header X-Frame-Options: DENY will be added to each response to disallow iframe loading. Browser based clients should therefore list their origins explicitly.
- application.oauthConfiguration.authorizedRedirectURLs [Array<String>]
-
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
- application.oauthConfiguration.authorizedURLValidationPolicy [String] Available since 1.43.0
-
Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs.
The possible values are:
- ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
- AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
- application.oauthConfiguration.clientAuthenticationPolicy [String] Available since 1.28.0
-
Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
- Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- NotRequired - Providing client credentials is optional when using the Token endpoint.
- NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PKCE code_verifier has been provided in the request body using POST data.
- application.oauthConfiguration.clientId [String]
-
The OAuth client Id of the Application.
- application.oauthConfiguration.clientSecret [String]
-
The OAuth client secret.
- application.oauthConfiguration.debug [Boolean] Available since 1.25.0
-
Whether or not FusionAuth will log a debug Event Log. This is particularly useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
- application.oauthConfiguration.deviceVerificationURL [String] Available since 1.11.0
-
The device verification URL to be used with the Device Code grant type.
- application.oauthConfiguration.enabledGrants [Array<String>] Available since 1.5.0
-
The enabled grants for this application.
Supported values include:
- authorization_code
- implicit
- password
- refresh_token
- urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0
- application.oauthConfiguration.generateRefreshTokens [Boolean] Available since 1.3.0
-
Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.
- application.oauthConfiguration.logoutBehavior [String] Available since 1.11.0
-
Behavior when /oauth2/logout is called. Valid values:
- RedirectOnly - End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
- AllApplications - End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.
- application.oauthConfiguration.logoutURL [String]
-
The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
- application.oauthConfiguration.proofKeyForCodeExchangePolicy [String] Available since 1.28.0
-
Determines the PKCE requirements when using the authorization code grant.
The possible values are:
- Required - The client must provide a valid code_verifier in the request body when completing the authorization code grant.
- NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
- NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier in the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- application.oauthConfiguration.requireClientAuthentication [Boolean] Available since 1.3.0 Deprecated
-
Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy.
- application.oauthConfiguration.requireRegistration [Boolean] Available since 1.28.0
-
Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
- application.passwordlessConfiguration.enabled [Boolean] Available since 1.5.0
-
Determines if passwordless login is enabled for this application.
- application.registrationConfiguration.birthDate.enabled [Boolean] Available since 1.4.0
-
Determines if the birthDate field will be included on the registration form.
- application.registrationConfiguration.birthDate.required [Boolean] Available since 1.4.0
-
Determines if the birthDate field is required when displayed on the registration form.
- application.registrationConfiguration.confirmPassword [Boolean] Available since 1.4.0
-
Determines if the password should be confirmed during self service registration. This means that the user will be required to type the password twice.
- application.registrationConfiguration.enabled [Boolean] Available since 1.4.0
-
Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API; this only affects whether the self service option is available during the OAuth 2.0 login.
- application.registrationConfiguration.firstName.enabled [Boolean] Available since 1.4.0
-
Determines if the firstName field will be included on the registration form.
- application.registrationConfiguration.firstName.required [Boolean] Available since 1.4.0
-
Determines if the firstName field is required when displayed on the registration form.
- application.registrationConfiguration.formId [UUID] Available since 1.18.0
-
The Id of an associated Form when using the advanced registration configuration type.
- application.registrationConfiguration.fullName.enabled [Boolean] Available since 1.4.0
-
Determines if the fullName field will be included on the registration form.
- application.registrationConfiguration.fullName.required [Boolean] Available since 1.4.0
-
Determines if the fullName field is required when displayed on the registration form.
- application.registrationConfiguration.lastName.enabled [Boolean] Available since 1.4.0
-
Determines if the lastName field will be included on the registration form.
- application.registrationConfiguration.lastName.required [Boolean] Available since 1.4.0
-
Determines if the lastName field is required when displayed on the registration form.
- application.registrationConfiguration.loginIdType [String] Available since 1.4.0
-
The unique login Id that will be collected during registration. This value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.
- email
- username
- application.registrationConfiguration.middleName.enabled [Boolean] Available since 1.4.0
-
Determines if the middleName field will be included on the registration form.
- application.registrationConfiguration.middleName.required [Boolean] Available since 1.4.0
-
Determines if the middleName field is required when displayed on the registration form.
- application.registrationConfiguration.mobilePhone.enabled [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field will be included on the registration form.
- application.registrationConfiguration.mobilePhone.required [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field is required when displayed on the registration form.
- application.registrationConfiguration.type [String] Available since 1.18.0
-
The type of registration flow.
Supported values include:
- basic - the basic self registration options available prior to version 1.18.0.
- advanced - advanced usage of custom forms, requires a paid edition of FusionAuth.
- application.registrationDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0
-
Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
- application.registrationDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0
-
The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
- application.roles [Array]
-
An array of Role objects.
- application.roles[x].description [String]
-
A description of the role.
- application.roles[x].id [UUID]
-
The Id of the Role.
- application.roles[x].name [String]
-
The name of the Role.
- application.roles[x].isDefault [Boolean]
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- application.roles[x].isSuperRole [Boolean]
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API, so authorization checks in your own code must not assume that a super role implies every other role.
- application.samlv2Configuration.audience [String] Available since 1.6.0
-
The audience for the SAML response sent back to the service provider from FusionAuth. Some service providers require different audience values than the issuer and this configuration option lets you change the audience in the response.
- application.samlv2Configuration.authorizedRedirectURLs [Array<String>] Available since 1.20.0
-
One or more authorized URLs that may be specified by the SAML v2 Service Provider in the Authentication request <AssertionConsumerServiceURL> element. If a requested URL is not in this list the request will be rejected by FusionAuth. This is the URL to which FusionAuth will send the SAML response during a SAML login request; this URL is also referred to as the Assertion Consumer Service (ACS). If the Authentication request does not contain the <AssertionConsumerServiceURL> element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
- application.samlv2Configuration.callbackURL [String] Available since 1.6.0 Deprecated
-
The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
- application.samlv2Configuration.debug [Boolean] Available since 1.6.0
-
Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
- application.samlv2Configuration.defaultVerificationKeyId [UUID] Available since 1.20.0
-
The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a <KeyInfo> element is not found in the SAML AuthNRequest. If a <KeyInfo> element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
- application.samlv2Configuration.enabled [Boolean] Available since 1.6.0
-
Whether or not the SAML IdP for this Application is enabled.
- application.samlv2Configuration.initiatedLogin.enabled [Boolean] Available since 1.41.0
-
Determines if SAML v2 IdP initiated login is enabled for this application.
- application.samlv2Configuration.initiatedLogin.nameIdFormat [String] Available since 1.41.0
-
The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
- application.samlv2Configuration.issuer [String] Available since 1.6.0
-
The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
- application.samlv2Configuration.keyId [UUID] Available since 1.6.0
-
The unique Id of the Key used to sign the SAML response.
- application.samlv2Configuration.logout.behavior [String] Available since 1.25.0
-
The possible values are:
- AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
- OnlyOriginator - no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
- application.samlv2Configuration.logout.defaultVerificationKeyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
- application.samlv2Configuration.logout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Logout response.
- application.samlv2Configuration.logout.requireSignedRequests [Boolean] Available since 1.25.0
-
When this value is true all Logout requests missing a signature will be rejected.
- application.samlv2Configuration.logout.singleLogout.enabled [Boolean] Available since 1.25.0
-
Whether or not SAML Single Logout for this SAML IdP is enabled.
- application.samlv2Configuration.logout.singleLogout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Single Logout response.
- application.samlv2Configuration.logout.singleLogout.url [String] Available since 1.25.0
-
The URL at which you want to receive the LogoutRequest from FusionAuth.
- application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod [String] Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logoutURL [String] Available since 1.6.0
-
The URL that the browser is taken to after the user logs out of the SAML service provider.
- application.samlv2Configuration.requireSignedRequests [Boolean] Available since 1.20.0
-
When this value is true all requests missing a signature will be rejected. When it is false, unsigned requests are accepted and only the authorizedRedirectURLs list constrains where the SAML response is sent.
- application.samlv2Configuration.xmlSignatureC14nMethod [String] Available since 1.6.0
-
The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.xmlSignatureLocation [String] Available since 1.21.0
-
The location to place the XML signature when signing the SAML response.
The possible values are:
- Assertion - The XML signature will be added as a child element of the Assertion.
- Response - The XML signature will be added as a child element of the Response.
- application.state [String] Available since 1.22.0
-
The current state of the application. The following are valid values:
- Active - The application is active.
- Inactive - The application is not active. An application can not be modified or authenticated against when inactive.
- application.themeId [UUID] Available since 1.27.0
-
The unique Id of the theme to be used to style the login page and other end user templates.
- application.verificationEmailTemplateId [UUID]
-
The Id of the Email Template that is used to send the Registration Verification emails to users.
- application.verifyRegistration [Boolean]
-
Whether or not registrations to this Application may be verified.
- application.webAuthnConfiguration.bootstrapWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
- application.webAuthnConfiguration.enabled [Boolean] Available since 1.41.0
-
Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows are enabled based on the Tenant configuration. If true, WebAuthn workflows are enabled according to the configuration of this application.
- application.webAuthnConfiguration.reauthenticationWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
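The three OAuth policies documented above (authorizedURLValidationPolicy for redirect URLs, and clientAuthenticationPolicy together with proofKeyForCodeExchangePolicy for the Token endpoint) are described one at a time, but they are evaluated together on a real request. The following Python model is an added example and is not FusionAuth code: it shows which combinations of client credentials and PKCE code_verifier the Token endpoint accepts under each policy value, and why ExactMatch ignores wildcard entries. The wildcard matching is this example's own simplification (a * stands for exactly one host label, or a trailing /* for any path suffix) and does not reproduce FusionAuth's wildcard rules; PKCE is assumed to use the S256 method; the configuration values and the code_verifier are constructed.

```python
"""Model of application.oauthConfiguration policy decisions.

Added example, not FusionAuth code.  Assumptions: simplified wildcard
matching ('*' is exactly one host label, a trailing '/*' any path suffix);
PKCE S256; a code_verifier sent without a matching stored challenge is
rejected rather than ignored.
"""
from __future__ import annotations

import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class OAuthConfig:
    authorized_redirect_urls: list[str] = field(default_factory=list)
    authorized_url_validation_policy: str = "ExactMatch"    # or AllowWildcards
    client_authentication_policy: str = "Required"         # NotRequired | NotRequiredWhenUsingPKCE
    proof_key_for_code_exchange_policy: str = "Required"   # NotRequired | NotRequiredWhenUsingClientAuthentication


def _wildcard_match(pattern: str, requested: str) -> bool:
    """Simplified wildcard match (this example's rule, not FusionAuth's)."""
    p, r = urlsplit(pattern), urlsplit(requested)
    if p.scheme != r.scheme or p.port != r.port or not p.hostname or not r.hostname:
        return False
    p_labels, r_labels = p.hostname.split("."), r.hostname.split(".")
    # Equal label count stops app.example.com.attacker.net matching *.example.com
    if len(p_labels) != len(r_labels):
        return False
    if any(pl != "*" and pl != rl for pl, rl in zip(p_labels, r_labels)):
        return False
    if p.path.endswith("/*"):
        return r.path.startswith(p.path[:-1]) and ".." not in r.path.split("/")
    return p.path == r.path


def redirect_uri_authorized(cfg: OAuthConfig, requested: str) -> bool:
    """Apply authorizedURLValidationPolicy to a requested redirect_uri."""
    r = urlsplit(requested)
    if not r.scheme or not r.netloc or r.fragment:
        return False  # RFC 6749 forbids fragments in redirect URIs
    for configured in cfg.authorized_redirect_urls:
        if "*" in configured:
            # ExactMatch: entries containing wildcards are not considered at all
            if cfg.authorized_url_validation_policy == "AllowWildcards" and _wildcard_match(configured, requested):
                return True
        elif configured == requested:
            return True
    return False


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_request_decision(cfg: OAuthConfig, client_authenticated: bool,
                           code_verifier: str | None, stored_challenge: str | None) -> tuple[bool, str]:
    """Decide an authorization_code Token request.

    client_authenticated: client_id/client_secret were presented and verified.
    code_verifier: the verifier from the POST body, or None if absent.
    stored_challenge: the code_challenge bound to the authorization code, or None.
    """
    verifier_valid = False
    if code_verifier is not None:
        if stored_challenge is None or not secrets.compare_digest(s256_challenge(code_verifier), stored_challenge):
            return False, "invalid code_verifier"  # a wrong verifier is never ignored
        verifier_valid = True

    cap = cfg.client_authentication_policy
    if cap == "Required" and not client_authenticated:
        return False, "client credentials required"
    if cap == "NotRequiredWhenUsingPKCE" and not (client_authenticated or verifier_valid):
        return False, "client credentials required without a valid code_verifier"

    pkce = cfg.proof_key_for_code_exchange_policy
    if pkce == "Required" and not verifier_valid:
        return False, "code_verifier required"
    if pkce == "NotRequiredWhenUsingClientAuthentication" and not (verifier_valid or client_authenticated):
        return False, "code_verifier required without client credentials"
    return True, "ok"


if __name__ == "__main__":
    # The page's example settings: ExactMatch, client auth Required, PKCE NotRequired
    page_cfg = OAuthConfig(["http://www.example.com/oauth-callback"], "ExactMatch", "Required", "NotRequired")
    print(redirect_uri_authorized(page_cfg, "http://www.example.com/oauth-callback"))
    print(token_request_decision(page_cfg, True, None, None))
```

A public client (native or single page app) that cannot keep a client_secret is the case NotRequiredWhenUsingPKCE exists for; pairing it with proofKeyForCodeExchangePolicy Required means every code exchange is bound to a verifier, while NotRequired on both policies lets a stolen authorization code be redeemed with neither.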
Example Request JSON
{
"application": {
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908"
},
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"requireClientAuthentication": true,
"requireRegistration": false
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"state": "Active",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
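The example body above enables only the authorization_code and refresh_token grants, but it leaves proofKeyForCodeExchangePolicy at NotRequired and lists plaintext http:// origin and redirect URLs. The following Python script is an added example, not FusionAuth code: it audits an Application request body for the weak settings documented on this page, applies the policy-level fixes, and builds the POST /api/application/{applicationId} request with the X-FusionAuth-TenantId header without sending it. The checklist is this example's own; the sample body is a constructed subset of the example above; the base URL, API key and tenant Id are placeholders. FusionAuth reads the API key from the Authorization header.

```python
"""Audit and harden an Application request body before POST /api/application.

Added example, not FusionAuth code.  The findings are this example's own
checklist built from the fields documented above; FusionAuth does not run
these checks for you.
"""
from __future__ import annotations

import copy
import json
import urllib.request

# Constructed subset of the page's example request body.
SAMPLE_APPLICATION = {
    "name": "Forum",
    "loginConfiguration": {"allowTokenRefresh": False, "generateRefreshTokens": False, "requireAuthentication": True},
    "oauthConfiguration": {
        "authorizedOriginURLs": ["http://www.example.com"],
        "authorizedRedirectURLs": ["http://www.example.com/oauth-callback"],
        "authorizedURLValidationPolicy": "ExactMatch",
        "clientAuthenticationPolicy": "Required",
        "enabledGrants": ["authorization_code", "refresh_token"],
        "generateRefreshTokens": True,
        "proofKeyForCodeExchangePolicy": "NotRequired",
        "requireRegistration": False,
    },
}

# Grants that hand tokens or passwords to the front channel or the client itself.
WEAK_GRANTS = ("implicit", "password")


def audit_application(app: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings: list[str] = []
    oauth = app.get("oauthConfiguration", {})
    login = app.get("loginConfiguration", {})
    for grant in WEAK_GRANTS:
        if grant in oauth.get("enabledGrants", []):
            findings.append(f"enabledGrants includes {grant}")
    if oauth.get("proofKeyForCodeExchangePolicy") != "Required":
        findings.append("proofKeyForCodeExchangePolicy is not Required")
    if oauth.get("clientAuthenticationPolicy") == "NotRequired":
        findings.append("clientAuthenticationPolicy is NotRequired")
    if oauth.get("authorizedURLValidationPolicy") == "AllowWildcards":
        findings.append("authorizedURLValidationPolicy is AllowWildcards")
    if not oauth.get("authorizedOriginURLs"):
        findings.append("authorizedOriginURLs is empty: every origin may use browser based grants")
    if not oauth.get("authorizedRedirectURLs"):
        findings.append("authorizedRedirectURLs is empty")
    for key in ("authorizedOriginURLs", "authorizedRedirectURLs"):
        for url in oauth.get(key, []):
            if url.startswith("http://"):
                findings.append(f"{key} contains plaintext URL {url}")
    if login.get("requireAuthentication") is False:
        findings.append("loginConfiguration.requireAuthentication is false: Login API usable without an API key")
    return findings


def harden_application(app: dict) -> dict:
    """Return a copy with the policy-level fixes applied.

    URLs are left alone: switching http:// to https:// changes where the
    browser is sent, so those findings stay for a human to resolve.
    """
    fixed = copy.deepcopy(app)
    oauth = fixed.setdefault("oauthConfiguration", {})
    oauth["enabledGrants"] = [g for g in oauth.get("enabledGrants", []) if g not in WEAK_GRANTS]
    oauth["proofKeyForCodeExchangePolicy"] = "Required"
    if oauth.get("clientAuthenticationPolicy") == "NotRequired":
        oauth["clientAuthenticationPolicy"] = "Required"
    oauth["authorizedURLValidationPolicy"] = "ExactMatch"
    fixed.setdefault("loginConfiguration", {})["requireAuthentication"] = True
    return fixed


def build_create_request(base_url: str, api_key: str, tenant_id: str, app: dict,
                         application_id: str | None = None) -> urllib.request.Request:
    """Build (but do not send) the create request; base_url, api_key and tenant_id are placeholders."""
    path = "/api/application" + (f"/{application_id}" if application_id else "")
    body = json.dumps({"application": app}).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", api_key)           # FusionAuth API key
    req.add_header("X-FusionAuth-TenantId", tenant_id)  # required once more than one tenant exists
    return req


if __name__ == "__main__":
    for finding in audit_application(SAMPLE_APPLICATION):
        print("finding:", finding)
    req = build_create_request("https://auth.example.com", "api-key-placeholder",
                               "tenant-id-placeholder", harden_application(SAMPLE_APPLICATION))
    print(req.get_method(), req.full_url)
```

Run the audit in CI against the JSON you keep in version control; it is cheaper to reject a NotRequired PKCE policy at review time than to discover it when an authorization code is replayed.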
Response Body
- applications [Array]
-
The list of Application objects.
- applications[x].accessControlConfiguration.uiIPAccessControlListId [UUID] Available since 1.30.0
-
The Id of the IP Access Control List limiting access to this application.
- applications[x].active [Boolean] Deprecated
-
Whether or not the Application is active.
Deprecated in version 1.22.0. In version 1.22.0 and beyond, prefer the use of state.
- applications[x].authenticationTokenConfiguration.enabled [Boolean]
-
Whether or not Users can have Authentication Tokens associated with this Application.
- applications[x].cleanSpeakConfiguration.applicationIds [Array<UUID>]
-
An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined, for example). FusionAuth will translate the CleanSpeak Ids to FusionAuth Ids and then apply the user action.
- applications[x].cleanSpeakConfiguration.enabled [Boolean]
-
True if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
- applications[x].cleanSpeakConfiguration.usernameModeration.applicationId [UUID]
-
The Id of the CleanSpeak application that usernames are sent to for moderation.
- applications[x].cleanSpeakConfiguration.usernameModeration.enabled [Boolean]
-
True if CleanSpeak username moderation is enabled.
- applications[x].data [Object]
-
An object that can hold any information about the Application that should be persisted.
- applications[x].emailConfiguration.emailVerificationEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.emailUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.emailVerifiedEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.loginIdInUseOnCreateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.loginIdInUseOnUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.loginNewDeviceEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.loginSuspiciousEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.passwordResetSuccessEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.passwordUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.setPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user had their account created for them and must set their password manually; they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.twoFactorMethodAddEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when an MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].emailConfiguration.twoFactorMethodRemoveEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when an MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- applications[x].formConfiguration.adminRegistrationFormId [UUID] Available since 1.20.0
-
The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
- applications[x].formConfiguration.selfServiceFormId [UUID] Available since 1.26.0
-
The unique Id of the form used to enable authenticated users to manage their profile on the account page.
- applications[x].id [UUID]
-
The unique identifier for this Application.
- applications[x].insertInstant [Long] Available since 1.18.0
-
The instant that the Application was added to the FusionAuth database.
- applications[x].jwtConfiguration.accessTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the access token.
- applications[x].jwtConfiguration.algorithm [String] Deprecated
-
The algorithm used to sign the JSON Web Token (JWT). The following JSON Web Algorithms (JWA), as described in RFC 7518, are available:
  - ES256 - ECDSA using P-256 curve and SHA-256. Available since 1.4.0
  - ES384 - ECDSA using P-384 curve and SHA-384. Available since 1.4.0
  - ES512 - ECDSA using P-521 curve and SHA-512. Available since 1.4.0
  - HS256 - HMAC using SHA-256
  - HS384 - HMAC using SHA-384
  - HS512 - HMAC using SHA-512
  - RS256 - RSASSA-PKCS1-v1_5 using SHA-256
  - RS384 - RSASSA-PKCS1-v1_5 using SHA-384
  - RS512 - RSASSA-PKCS1-v1_5 using SHA-512
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- applications[x].jwtConfiguration.enabled [Boolean]
-
Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false, the signing algorithm configured in the Tenant will be used. If true, the signing algorithm defined in this application will be used.
- applications[x].jwtConfiguration.idTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the Id token.
- applications[x].jwtConfiguration.privateKey [String] Deprecated
-
The private key used when an RSA signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- applications[x].jwtConfiguration.publicKey [String] Deprecated
-
The public key used when an RSA signing algorithm has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- applications[x].jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.2.0
-
The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
- applications[x].jwtConfiguration.secret [String] Deprecated
-
The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.
Removed in version 1.5.0. In version 1.5.0 and beyond, when selecting an HMAC algorithm, the client_secret from the OAuth configuration will be used to sign and verify the JWTs.
- applications[x].jwtConfiguration.timeToLiveInSeconds [Integer]
-
The length of time in seconds the JWT will live before it is expired and no longer valid.
- applications[x].lambdaConfiguration.accessTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
- applications[x].lambdaConfiguration.idTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
- applications[x].lambdaConfiguration.samlv2PopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
- applications[x].lambdaConfiguration.selfServiceRegistrationValidationId [UUID] Available since 1.43.0
-
The unique Id of the lambda that will be used to perform additional validation on registration form steps.
- applications[x].lastUpdateInstant [Long] Available since 1.18.0
-
The instant that the Application was last updated in the FusionAuth database.
- applications[x].name [String]
-
The name of the Application.
- applications[x].loginConfiguration.allowTokenRefresh [Boolean] Available since 1.5.0
-
Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens, which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
- applications[x].loginConfiguration.generateRefreshTokens [Boolean] Available since 1.5.0
-
Indicates if a Refresh Token should be issued from the Login API.
- applications[x].loginConfiguration.requireAuthentication [Boolean] Available since 1.5.0
-
Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
- applications[x].multiFactorConfiguration.email.templateId [UUID] Available since 1.26.0
-
The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
- applications[x].multiFactorConfiguration.sms.templateId [UUID] Available since 1.26.0
-
The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
- applications[x].oauthConfiguration.authorizedOriginURLs [Array<String>]
-
An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header X-Frame-Options: DENY will be added to each response to disallow iframe loading.
- applications[x].oauthConfiguration.authorizedRedirectURLs [Array<String>]
-
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
- applications[x].oauthConfiguration.authorizedURLValidationPolicy [String] Available since 1.43.0
-
Controls the validation policy for applications[x].oauthConfiguration.authorizedOriginURLs and applications[x].oauthConfiguration.authorizedRedirectURLs. The possible values are:
  - ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
  - AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
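As an added illustration (not FusionAuth's code) of how the two authorizedURLValidationPolicy values treat one configured list, the following Python checks a redirect URL presented during an OAuth 2.0 workflow against the configured entries. The wildcard semantics used here (a single asterisk matching within one URL component) are an assumption for illustration, not FusionAuth's documented matching rules.

```python
import re
from typing import List

# Policy values as documented for applications[x].oauthConfiguration.authorizedURLValidationPolicy.
EXACT_MATCH = "ExactMatch"
ALLOW_WILDCARDS = "AllowWildcards"


def _wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """Assumed wildcard semantics for this illustration: '*' matches any run of
    characters that does not cross a '/', '?' or '#'. Keeping the match inside a
    single URL component stops a wildcard placed in the host from being satisfied
    by text sitting in the path or query of some other host."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^/?#]*".join(parts) + "$")


def is_authorized_url(requested: str, configured: List[str], policy: str) -> bool:
    """Decide whether a redirect URL (or origin) presented during an OAuth 2.0
    workflow is acceptable under the given validation policy."""
    if policy == EXACT_MATCH:
        # Entries containing a wildcard are not considered at all under ExactMatch,
        # so a pattern left over from an AllowWildcards setup silently stops
        # matching; only literal entries can authorize a URL.
        return requested in [u for u in configured if "*" not in u]
    if policy == ALLOW_WILDCARDS:
        for entry in configured:
            if "*" in entry:
                if _wildcard_regex(entry).match(requested):
                    return True
            elif requested == entry:
                return True
        return False
    raise ValueError(f"unknown authorizedURLValidationPolicy: {policy}")


if __name__ == "__main__":
    # Constructed sample configuration (not taken from the page's JSON).
    authorized = ["https://app.example.com/callback", "https://*.example.com/callback"]
    for url in ("https://app.example.com/callback",
                "https://dev.example.com/callback",
                "https://evil.example.org/callback",
                "https://evil.example.org/?x=.example.com/callback"):
        exact = is_authorized_url(url, authorized, EXACT_MATCH)
        wild = is_authorized_url(url, authorized, ALLOW_WILDCARDS)
        print(f"{url}: ExactMatch={exact} AllowWildcards={wild}")
```

The last sample URL shows why the wildcard is confined to one component: the host-level pattern must not be satisfiable by a look-alike string in another host's path or query.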
- applications[x].oauthConfiguration.clientAuthenticationPolicy [String] Available since 1.28.0
-
Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
  - Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
  - NotRequired - Providing client credentials is optional when using the Token endpoint.
  - NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PKCE code_verifier has been provided in the request body using POST data.
- applications[x].oauthConfiguration.clientId [String]
-
The OAuth client Id of the Application.
- applications[x].oauthConfiguration.clientSecret [String]
-
The OAuth client secret.
- applications[x].oauthConfiguration.debug [Boolean] Available since 1.25.0
-
Whether or not FusionAuth will log a debug Event Log. This is particularly useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
- applications[x].oauthConfiguration.deviceVerificationURL [String] Available since 1.11.0
-
The device verification URL to be used with the Device Code grant type.
- applications[x].oauthConfiguration.enabledGrants [Array<String>] Available since 1.5.0
-
The enabled grants for this application.
Supported values include:
  - authorization_code
  - implicit
  - password
  - refresh_token
  - urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0
- applications[x].oauthConfiguration.generateRefreshTokens [Boolean] Available since 1.3.0
-
Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.
- applications[x].oauthConfiguration.logoutBehavior [String] Available since 1.11.0
-
Behavior when /oauth2/logout is called. Valid values:
  - RedirectOnly - End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
  - AllApplications - End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.
- applications[x].oauthConfiguration.logoutURL [String]
-
The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
- applications[x].oauthConfiguration.proofKeyForCodeExchangePolicy [String] Available since 1.28.0
-
Determines the PKCE requirements when using the authorization code grant.
The possible values are:
  - Required - The client must provide a valid code_verifier in the request body when completing the authorization code grant.
  - NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
  - NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier in the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
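As an added example (not FusionAuth's code) of how clientAuthenticationPolicy and proofKeyForCodeExchangePolicy combine for a single authorization code exchange at the Token endpoint, the following Python evaluates one request against both policies. The request shape, the helper names and the rule that a present but mismatched code_verifier is always rejected are assumptions for illustration; the S256 transform is the one defined in RFC 7636.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Policy values as documented for the Application API (the page's own names).
CLIENT_AUTH_POLICIES = ("Required", "NotRequired", "NotRequiredWhenUsingPKCE")
PKCE_POLICIES = ("Required", "NotRequired", "NotRequiredWhenUsingClientAuthentication")


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class TokenRequest:
    """What the Token endpoint sees for one authorization_code exchange (assumed shape)."""
    client_authenticated: bool      # client_id/client_secret already verified (Basic header or POST body)
    code_verifier: Optional[str]    # PKCE code_verifier from the POST body, or None if absent


def pkce_valid(req: TokenRequest, stored_challenge: Optional[str]) -> bool:
    """A code_verifier counts as valid only if it hashes to the code_challenge that
    was bound to the authorization code when that code was issued."""
    if req.code_verifier is None or stored_challenge is None:
        return False
    return hmac.compare_digest(s256_challenge(req.code_verifier), stored_challenge)


def token_request_allowed(client_auth_policy: str, pkce_policy: str,
                          req: TokenRequest, stored_challenge: Optional[str]) -> bool:
    """Apply both policies to one request. Both checks must pass; each policy may
    waive its own requirement when the other proof is present, but a request that
    carries neither client credentials nor a valid verifier satisfies neither waiver."""
    if client_auth_policy not in CLIENT_AUTH_POLICIES:
        raise ValueError(f"unknown clientAuthenticationPolicy: {client_auth_policy}")
    if pkce_policy not in PKCE_POLICIES:
        raise ValueError(f"unknown proofKeyForCodeExchangePolicy: {pkce_policy}")

    has_pkce = pkce_valid(req, stored_challenge)
    # Assumption (RFC 7636 section 4.6 behaviour): a code_verifier that is present
    # but does not match the stored challenge is rejected whatever the policy says.
    if req.code_verifier is not None and not has_pkce:
        return False

    if client_auth_policy == "Required":
        client_ok = req.client_authenticated
    elif client_auth_policy == "NotRequired":
        client_ok = True
    else:  # NotRequiredWhenUsingPKCE
        client_ok = req.client_authenticated or has_pkce

    if pkce_policy == "Required":
        pkce_ok = has_pkce
    elif pkce_policy == "NotRequired":
        pkce_ok = True
    else:  # NotRequiredWhenUsingClientAuthentication
        pkce_ok = has_pkce or req.client_authenticated

    return client_ok and pkce_ok


if __name__ == "__main__":
    # Constructed sample: the RFC 7636 appendix B verifier and its S256 challenge.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = s256_challenge(verifier)
    public_client = TokenRequest(client_authenticated=False, code_verifier=verifier)
    bare_request = TokenRequest(client_authenticated=False, code_verifier=None)
    for cap, pp in (("Required", "NotRequired"),
                    ("NotRequiredWhenUsingPKCE", "Required"),
                    ("NotRequiredWhenUsingPKCE", "NotRequiredWhenUsingClientAuthentication")):
        with_pkce = token_request_allowed(cap, pp, public_client, challenge)
        bare = token_request_allowed(cap, pp, bare_request, challenge)
        print(f"{cap} / {pp}: public client with PKCE={with_pkce}, no proof at all={bare}")
```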
- applications[x].oauthConfiguration.requireClientAuthentication [Boolean] Available since 1.3.0 Deprecated
-
Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0. In version 1.28.0 and beyond, client authentication can be managed via applications[x].oauthConfiguration.clientAuthenticationPolicy.
- applications[x].oauthConfiguration.requireRegistration [Boolean] Available since 1.28.0
-
Determines if the user will be required to be registered, or to complete registration, before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
- applications[x].passwordlessConfiguration.enabled [Boolean] Available since 1.5.0
-
Determines if passwordless login is enabled for this application.
- applications[x].registrationConfiguration.birthDate.enabled [Boolean] Available since 1.4.0
-
Determines if the birthDate field will be included on the registration form.
- applications[x].registrationConfiguration.birthDate.required [Boolean] Available since 1.4.0
-
Determines if the birthDate field is required when displayed on the registration form.
- applications[x].registrationConfiguration.confirmPassword [Boolean] Available since 1.4.0
-
Determines if the password should be confirmed during self service registration. This means that the user will be required to type the password twice.
- applications[x].registrationConfiguration.enabled [Boolean] Available since 1.4.0
-
Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API; this only affects whether the self service option is available during the OAuth 2.0 login.
- applications[x].registrationConfiguration.firstName.enabled [Boolean] Available since 1.4.0
-
Determines if the firstName field will be included on the registration form.
- applications[x].registrationConfiguration.firstName.required [Boolean] Available since 1.4.0
-
Determines if the firstName field is required when displayed on the registration form.
- applications[x].registrationConfiguration.formId [UUID] Available since 1.18.0
-
The Id of an associated Form when using the advanced registration configuration type.
- applications[x].registrationConfiguration.fullName.enabled [Boolean] Available since 1.4.0
-
Determines if the fullName field will be included on the registration form.
- applications[x].registrationConfiguration.fullName.required [Boolean] Available since 1.4.0
-
Determines if the fullName field is required when displayed on the registration form.
- applications[x].registrationConfiguration.lastName.enabled [Boolean] Available since 1.4.0
-
Determines if the lastName field will be included on the registration form.
- applications[x].registrationConfiguration.lastName.required [Boolean] Available since 1.4.0
-
Determines if the lastName field is required when displayed on the registration form.
- applications[x].registrationConfiguration.loginIdType [String] Available since 1.4.0
-
The unique login Id that will be collected during registration. This value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.
  - email
  - username
- applications[x].registrationConfiguration.middleName.enabled [Boolean] Available since 1.4.0
-
Determines if the middleName field will be included on the registration form.
- applications[x].registrationConfiguration.middleName.required [Boolean] Available since 1.4.0
-
Determines if the middleName field is required when displayed on the registration form.
- applications[x].registrationConfiguration.mobilePhone.enabled [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field will be included on the registration form.
- applications[x].registrationConfiguration.mobilePhone.required [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field is required when displayed on the registration form.
- applications[x].registrationConfiguration.type [String] Available since 1.18.0
-
The type of registration flow.
Supported values include:
  - basic - the basic self registration options available prior to version 1.18.0.
  - advanced - advanced usage of custom forms; requires a paid edition of FusionAuth.
- applications[x].registrationDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0
-
Indicates that users without a verified registration for this application will have their registration permanently deleted after applications[x].registrationDeletePolicy.unverified.numberOfDaysToRetain days.
- applications[x].registrationDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0
-
The number of days from registration a user's registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
- applications[x].roles [Array]
-
An array of Role objects.
- applications[x].roles[x].description [String]
-
A description of the role.
- applications[x].roles[x].id [UUID]
-
The Id of the Role.
- applications[x].roles[x].name [String]
-
The name of the Role.
- applications[x].roles[x].isDefault [Boolean]
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- applications[x].roles[x].isSuperRole [Boolean]
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API.
- applications[x].samlv2Configuration.audience [String] Available since 1.6.0
-
The audience for the SAML response sent back to the service provider from FusionAuth. Some service providers require different audience values than the issuer, and this configuration option lets you change the audience in the response.
- applications[x].samlv2Configuration.authorizedRedirectURLs [Array<String>] Available since 1.20.0
-
One or more authorized URLs that may be specified by the SAML v2 Service Provider in the Authentication request <AssertionConsumerServiceURL> element. If a requested URL is not in this list the request will be rejected by FusionAuth. This is the URL to which FusionAuth will send the SAML response during a SAML login request (this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the <AssertionConsumerServiceURL> element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
- applications[x].samlv2Configuration.callbackURL [String] Available since 1.6.0 Deprecated
-
The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0. This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
- applications[x].samlv2Configuration.debug [Boolean] Available since 1.6.0
-
Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
- applications[x].samlv2Configuration.defaultVerificationKeyId [UUID] Available since 1.20.0
-
The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a <KeyInfo> element is not found in the SAML AuthNRequest. If a <KeyInfo> element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
- applications[x].samlv2Configuration.enabled [Boolean] Available since 1.6.0
-
Whether or not the SAML IdP for this Application is enabled.
- applications[x].samlv2Configuration.initiatedLogin.enabled [Boolean] Available since 1.41.0
-
Determines if SAML v2 IdP initiated login is enabled for this application.
- applications[x].samlv2Configuration.initiatedLogin.nameIdFormat [String] Available since 1.41.0
-
The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
- applications[x].samlv2Configuration.issuer [String] Available since 1.6.0
-
The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
- applications[x].samlv2Configuration.keyId [UUID] Available since 1.6.0
-
The unique Id of the Key used to sign the SAML response.
- applications[x].samlv2Configuration.logout.behavior [String] Available since 1.25.0
-
The possible values are:
  - AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
  - OnlyOriginator - no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
- applications[x].samlv2Configuration.logout.defaultVerificationKeyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
- applications[x].samlv2Configuration.logout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Logout response.
- applications[x].samlv2Configuration.logout.requireSignedRequests [Boolean] Available since 1.25.0
-
When this value is true, all Logout requests missing a signature will be rejected.
- applications[x].samlv2Configuration.logout.singleLogout.enabled [Boolean] Available since 1.25.0
-
Whether or not SAML Single Logout for this SAML IdP is enabled.
- applications[x].samlv2Configuration.logout.singleLogout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Single Logout response.
- applications[x].samlv2Configuration.logout.singleLogout.url [String] Available since 1.25.0
-
The URL at which you want to receive the LogoutRequest from FusionAuth.
- applications[x].samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod [String] Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- applications[x].samlv2Configuration.logout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- applications[x].samlv2Configuration.logoutURL [String] Available since 1.6.0
-
The URL that the browser is taken to after the user logs out of the SAML service provider.
- applications[x].samlv2Configuration.requireSignedRequests [Boolean] Available since 1.20.0
-
When this value is true, all requests missing a signature will be rejected.
- applications[x].samlv2Configuration.xmlSignatureC14nMethod [String] Available since 1.6.0
-
The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- applications[x].samlv2Configuration.xmlSignatureLocation [String] Available since 1.21.0
-
The location to place the XML signature when signing the SAML response.
The possible values are:
  - Assertion - The XML signature will be added as a child element of the Assertion.
  - Response - The XML signature will be added as a child element of the Response.
- applications[x].state [String] Available since 1.22.0
-
The current state of the application. The following are valid values:
  - Active - The application is active.
  - Inactive - The application is not active. An application can not be modified or authenticated against when inactive.
- applications[x].themeId [UUID] Available since 1.27.0
-
The unique Id of the theme to be used to style the login page and other end user templates.
- applications[x].verificationEmailTemplateId [UUID]
-
The Id of the Email Template that is used to send the Registration Verification emails to users.
- applications[x].verifyRegistration [Boolean]
-
Whether or not registrations to this Application may be verified.
- applications[x].webAuthnConfiguration.bootstrapWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if applications[x].webAuthnConfiguration.enabled is false.
- applications[x].webAuthnConfiguration.enabled [Boolean] Available since 1.41.0
-
Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows are enabled based on the Tenant configuration. If true, WebAuthn workflows are enabled according to the configuration of this application.
- applications[x].webAuthnConfiguration.reauthenticationWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if applications[x].webAuthnConfiguration.enabled is false.
{
"applications": [
{
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908"
},
"lastUpdateInstant": 1595361143101,
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshToken": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"requireClientAuthentication": true,
"requireRegistration": false
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"state": "Active",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
]
}
Update an Application
This API is used to update an existing Application.
You must specify the Id of the Application you are updating on the URI.
You must specify all of the properties of the Application when calling this API with the PUT HTTP method. When used with PUT, this API doesn’t merge the existing Application and your new data. It replaces the existing Application with your new data.
Utilize the PATCH HTTP method to send specific changes to merge into an existing Application.
You can’t update an Application’s roles via this API. This prevents you from accidentally removing all the roles of an Application. To create, update or remove a role from the Application, you need to call one of these APIs:
Request
PUT /api/application/{applicationId}
PATCH /api/application/{applicationId}
Available since 1.39.0
When using the PATCH method, you can either use the same request body documentation that is provided for the PUT request for backward compatibility, or you may use either JSON Patch (RFC 6902) or JSON Merge Patch (RFC 7396). See the PATCH documentation for more information.
Available since 1.12.0
When using the PATCH method, use the same request body documentation that is provided for the PUT request. The PATCH method will merge the provided request parameters into the existing object; this means all parameters are optional when using the PATCH method and you only provide the values you want changed. A null value can be used to remove a value. Patching an Array will result in all values from the new list being appended to the existing list; this is a known limitation of the current implementation of PATCH.
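The PUT-replaces / PATCH-merges distinction above, and the documented array-append behaviour of PATCH, are easy to get wrong when retiring an OAuth redirect URL. The following Python model is an added example, not FusionAuth code: it applies a merge-style PATCH body the way the text describes (nulls remove, arrays append) next to PUT replacement, using a constructed, trimmed Application object.

```python
import copy

# Constructed sample of a stored Application (trimmed to the fields used here).
STORED_APPLICATION = {
    "name": "Forum",
    "data": {"productOwner": "john@acme.com"},
    "loginConfiguration": {"requireAuthentication": True, "allowTokenRefresh": False},
    "oauthConfiguration": {
        "authorizedRedirectURLs": ["https://www.example.com/oauth-callback"],
        "debug": False,
    },
}


def apply_put(stored, body):
    """PUT semantics from the text: the stored Application is replaced, not merged."""
    return copy.deepcopy(body)


def apply_merge_patch(target, patch):
    """JSON Merge Patch (RFC 7396) with the deviation the text documents:
    a patched array is appended to the existing list instead of replacing it."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)                      # null removes the value
        elif isinstance(value, list) and isinstance(result.get(key), list):
            result[key] = result[key] + value          # documented append behaviour
        else:
            result[key] = apply_merge_patch(result.get(key), value)
    return result


def put_body_without_redirect_url(stored, url):
    """Because PATCH appends to arrays, retiring a redirect URL needs the full
    object sent with PUT (every property present, the stale URL filtered out)."""
    body = copy.deepcopy(stored)
    urls = body["oauthConfiguration"]["authorizedRedirectURLs"]
    body["oauthConfiguration"]["authorizedRedirectURLs"] = [u for u in urls if u != url]
    return body


def demo():
    debug_patch = {"oauthConfiguration": {"debug": True}}
    patched = apply_merge_patch(STORED_APPLICATION, debug_patch)   # other fields survive
    replaced = apply_put(STORED_APPLICATION, debug_patch)           # name etc. are gone
    appended = apply_merge_patch(STORED_APPLICATION, {"oauthConfiguration": {
        "authorizedRedirectURLs": ["https://www.example.com/new-callback"]}})
    removed = apply_merge_patch(STORED_APPLICATION, {"data": {"productOwner": None}})
    retired = put_body_without_redirect_url(appended, "https://www.example.com/oauth-callback")
    return {"patched": patched, "replaced": replaced, "appended": appended,
            "removed": removed, "retired": retired}
```

Sending the debug-only body with PUT would wipe every other property, which is why the text insists that PUT carries the complete Application.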
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body
- application.accessControlConfiguration.uiIPAccessControlListId [UUID] Optional Available since 1.30.0
-
The Id of the IP Access Control List limiting access to this application.
Note: An Enterprise plan is required to utilize IP ACLs.
- application.authenticationTokenConfiguration.enabled [Boolean] Optional Defaults to false
-
Determines if Users can have Authentication Tokens associated with this Application. This feature may not be enabled for the FusionAuth application.
- application.cleanSpeakConfiguration.applicationIds [Array<UUID>] Optional
-
An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
- application.cleanSpeakConfiguration.usernameModeration.applicationId [UUID] Optional
-
The Id of the CleanSpeak application that usernames are sent to for moderation.
- application.cleanSpeakConfiguration.usernameModeration.enabled [Boolean] Optional Defaults to false
-
True if CleanSpeak username moderation is enabled.
- application.data [Object] Optional
-
An object that can hold any information about the Application that should be persisted.
- application.emailConfiguration.emailVerificationEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.emailVerifiedEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.loginNewDeviceEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.loginSuspiciousEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordResetSuccessEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.passwordUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodAddEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when an MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when an MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
Note: An Enterprise plan is required to utilize advanced threat detection emails.
- application.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Optional Available since 1.37.0
-
The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.
When this value is not defined, the value defined by tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds is utilized. When this value is defined it will override the tenant configured value.
This configuration is only utilized when application.multiFactorConfiguration.loginPolicy is enabled.
- application.formConfiguration.selfServiceFormId [UUID] Optional Available since 1.26.0
-
The unique Id of the form used to enable authenticated users to manage their profile on the account page.
Note: A paid plan is required to utilize custom forms.
- application.jwtConfiguration.accessTokenKeyId [UUID] Optional Available since 1.6.0
-
The Id of the signing key used to sign the access token.
- application.jwtConfiguration.algorithm [String] Optional Deprecated
-
The algorithm used to sign the JSON Web Token (JWT). The following JSON Web Algorithms (JWA), as described in RFC 7518, are available:
- ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
- ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
- ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
- HS256 - HMAC using SHA-256
- HS384 - HMAC using SHA-384
- HS512 - HMAC using SHA-512
- RS256 - RSASSA-PKCS1-v1_5 using SHA-256
- RS384 - RSASSA-PKCS1-v1_5 using SHA-384
- RS512 - RSASSA-PKCS1-v1_5 using SHA-512
Required when enabled is set to true.
When an HMAC algorithm is used such as HS256, HS384 or HS512, the OAuth client_secret will be used as the signing secret.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.enabled [Boolean] Optional Defaults to false
-
Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.
- application.jwtConfiguration.idTokenKeyId [UUID] Optional Available since 1.6.0
-
The Id of the signing key used to sign the Id token.
- application.jwtConfiguration.privateKey [String] Optional Deprecated
-
The private key used when an RSA or ECDSA based signing algorithm has been selected. The private key will be used to sign the JWT. This key is expected to be presented in a PEM encoded format.
Required when enabled is set to true and algorithm is set to an RSA or ECDSA based value.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.publicKey [String] Optional Deprecated
-
The public key used when an RSA or ECDSA based signing algorithm has been selected. The public key will be used to verify JWTs signed with the private key. This key is expected to be presented in a PEM encoded format.
Required when enabled is set to true and algorithm is set to an RSA or ECDSA based value.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Optional Available since 1.2.0
-
The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
Required when enabled is set to true.
- application.jwtConfiguration.secret [String] Optional Deprecated
-
The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.
Required when enabled is set to true and algorithm is set to an HMAC based value.
Removed in version 1.5.0 In version 1.5.0 and beyond, when selecting an HMAC algorithm, the client_secret from the OAuth configuration will be used to sign and verify the JWTs.
- application.jwtConfiguration.timeToLiveInSeconds [Integer] Optional
-
The length of time in seconds the JWT will live before it is expired and no longer valid.
Required when enabled is set to true.
- application.lambdaConfiguration.accessTokenPopulateId [UUID] Optional Available since 1.6.0
-
The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
- application.lambdaConfiguration.idTokenPopulateId [UUID] Optional Available since 1.6.0
-
The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
- application.lambdaConfiguration.samlv2PopulateId [UUID] Optional Available since 1.6.0
-
The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
- application.lambdaConfiguration.selfServiceRegistrationValidationId [UUID] Optional Available since 1.43.0
-
The unique Id of the lambda that will be used to perform additional validation on registration form steps.
Note: A paid plan is required to utilize custom forms.
- application.loginConfiguration.allowTokenRefresh [Boolean] Optional Defaults to false Available since 1.5.0
-
Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false to ensure Refresh Tokens cannot be used outside of the Refresh Token Grant.
- application.loginConfiguration.generateRefreshTokens [Boolean] Optional Defaults to false Available since 1.5.0
-
Indicates if a Refresh Token should be issued from the Login API.
If you do not intend to use the Login API, and instead will only be using the OAuth endpoints, you may leave this set to false to ensure Refresh Tokens will not be issued outside of the OAuth grants.
- application.loginConfiguration.requireAuthentication [Boolean] Optional Defaults to true Available since 1.5.0
-
Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
If you do not intend to use the Login API, or will only be calling this API from a secure backend server, setting this value to true in order to require an API key is preferred.
- application.multiFactorConfiguration.email.templateId [UUID] Optional Available since 1.26.0
-
The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
- application.multiFactorConfiguration.loginPolicy [String] Optional Available since 1.37.0
-
When enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When required, the user will be required to complete a two-factor challenge during login.
When configured, this value overrides the value configured by the tenant.multiFactorConfiguration.loginPolicy.
Supported values include:
- Enabled - Require a two-factor challenge during login when an eligible method is available.
- Disabled - Do not require a two-factor challenge during login.
- Required - Require a two-factor challenge during login. A user will be required to configure 2FA if no eligible methods are available. Available since 1.42.0
- application.multiFactorConfiguration.sms.templateId [UUID] Optional Available since 1.26.0
-
The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
- application.multiFactorConfiguration.trustPolicy [String] Optional Defaults to Any Available since 1.37.0
-
When application.multiFactorConfiguration.loginPolicy is set to Enabled, this trust policy is utilized when determining if a user must complete a two-factor challenge during login.
For example, a normal two-factor login flow will result in a trust Id being returned if you set trustComputer equal to true when completing a Two Factor Login. The returned Trust identifier can be used on subsequent Login requests to keep from being required to complete a Two-Factor login. This configuration determines if that trust value can be utilized for another application.
Supported values include:
- Any - Trust obtained from any application is sufficient to bypass the two-factor challenge.
- This - Only trust obtained for this application is sufficient to bypass the two-factor challenge.
- None - Never trusted. The user will be required to complete a two-factor challenge during each login attempt.
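The loginPolicy and trustPolicy values above, together with application.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds from earlier in this body, combine into a single decision at login. The Python below is an added example, not FusionAuth's implementation: it encodes the documented rules (Disabled never challenges, Required always does, Enabled challenges when an eligible method exists unless an unexpired trust Id acceptable under the trust policy is presented). TwoFactorTrust, MfaConfig and the tenant TTL constant are constructed for the model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds
TENANT_TRUST_TTL_SECONDS = 30 * 24 * 3600


@dataclass(frozen=True)
class TwoFactorTrust:
    """Model of the trust Id returned after a Two Factor Login with trustComputer=true.
    FusionAuth returns an opaque identifier; these field names are constructed."""
    application_id: str   # the application the trust was obtained for
    issued_at: int        # epoch seconds


@dataclass(frozen=True)
class MfaConfig:
    """The application.multiFactorConfiguration values used in the decision, plus the
    application-level twoFactorTrustIdTimeToLiveInSeconds override (None = use tenant)."""
    login_policy: str                        # "Enabled" | "Disabled" | "Required"
    trust_policy: str = "Any"                # "Any" | "This" | "None"
    trust_ttl_seconds: Optional[int] = None


def effective_trust_ttl(cfg):
    """The application value overrides the tenant value when it is defined."""
    return cfg.trust_ttl_seconds if cfg.trust_ttl_seconds is not None else TENANT_TRUST_TTL_SECONDS


def trust_bypasses_challenge(cfg, application_id, trust, now):
    """Can a presented trust Id satisfy the challenge under trustPolicy and the TTL?"""
    if trust is None or cfg.trust_policy == "None":
        return False                                  # None: never trusted
    if cfg.trust_policy == "This" and trust.application_id != application_id:
        return False                                  # This: only trust for this application
    if cfg.trust_policy not in ("Any", "This"):
        raise ValueError(f"unknown trustPolicy: {cfg.trust_policy}")
    return now - trust.issued_at < effective_trust_ttl(cfg)   # an expired trust is ignored


def requires_two_factor_challenge(cfg, application_id, user_has_eligible_method,
                                  trust=None, now=0):
    """True when the user must complete a two-factor challenge for this login."""
    if cfg.login_policy == "Disabled":
        return False                                  # never challenged
    if cfg.login_policy == "Required":
        return True                                   # always; enrolment is forced if no method
    if cfg.login_policy != "Enabled":
        raise ValueError(f"unknown loginPolicy: {cfg.login_policy}")
    if not user_has_eligible_method:
        return False                                  # Enabled needs an eligible method
    return not trust_bypasses_challenge(cfg, application_id, trust, now)
```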
- application.name [String] Required
-
The name of the Application.
- application.oauthConfiguration.authorizedOriginURLs [Array<String>] Optional
-
An array of URLs that are the authorized origins for FusionAuth OAuth.
For improved security, all FusionAuth hosted login pages add an HTTP response header of X-Frame-Options: DENY. This response header disallows loading the FusionAuth pages from an iframe. To utilize an iframe and load one or more of the FusionAuth hosted login pages, add the iframe page URLs to this property. For that host, FusionAuth will remove the X-Frame-Options header allowing the page to load in the iframe.
Examples of valid authorized origin URIs:
- https://example.com
- com.myApp://example
- com.myApp:/example
Available since 1.32.0
You may now use URLs that do not begin with http to support native application origins. Prior to this version the value was validated to begin with http. This also includes authorized origins that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/example would fail validation as an invalid URL.
Available since 1.43.0
Configured URLs containing wildcards are considered during validation when application.oauthConfiguration.authorizedURLValidationPolicy is set to AllowWildcards. Wildcards are allowed in the following positions:
- The left-most subdomain - A full or partial wildcard is allowed in the left-most subdomain. The replacement value cannot contain a period (.).
- The port number - A wildcard is allowed in place of the port number. Partial wildcards are not allowed in this position.
- A path segment - A full or partial wildcard is allowed in any path segment. The replacement value cannot contain a slash (/).
- A query string value - A wildcard is allowed in place of a query string value. Partial wildcards are not allowed in this position. Wildcards are not allowed in query string names.
See the OAuth 2.0 URL Validation page for more detail.
- application.oauthConfiguration.authorizedRedirectURLs [Array<String>] Optional
-
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
Examples of valid redirect URIs:
- https://example.com/redirect
- com.myApp://redirect
- com.myApp:/redirect
Available since 1.7.0
You may now use URLs that do not begin with http to support native application redirects. Prior to this version the value was validated to begin with http.
Available since 1.12.0
You may now use URLs for application redirects that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/redirect would fail validation as an invalid URL.
Available since 1.43.0
Configured URLs containing wildcards are considered during validation when application.oauthConfiguration.authorizedURLValidationPolicy is set to AllowWildcards. Wildcards are allowed in the following positions:
- The left-most subdomain - A full or partial wildcard is allowed in the left-most subdomain. The replacement value cannot contain a period (.).
- The port number - A wildcard is allowed in place of the port number. Partial wildcards are not allowed in this position.
- A path segment - A full or partial wildcard is allowed in any path segment. The replacement value cannot contain a slash (/).
- A query string value - A wildcard is allowed in place of a query string value. Partial wildcards are not allowed in this position. Wildcards are not allowed in query string names.
See the OAuth 2.0 URL Validation page for more detail.
- application.oauthConfiguration.authorizedURLValidationPolicy [String] Optional Defaults to ExactMatch Available since 1.43.0
-
Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs.
The possible values are:
- ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
- AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
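The wildcard positions listed for both authorizedOriginURLs and authorizedRedirectURLs, and the two validation policies, can be exercised with the Python model below. It is an added example, not FusionAuth's implementation: host labels and path segments are compared after splitting so a wildcard can never span a period or a slash, a partial wildcard in the port or any wildcard in a query string name is treated as a pattern that cannot match, and userinfo and IPv6 literals are out of scope. The configured URL list is constructed; a redirect URL matched more loosely than intended would deliver authorization codes to a host you do not control, which is the risk the policy exists to manage.

```python
import re
from urllib.parse import parse_qsl, urlsplit


def _glob(pattern, value):
    """Match one already-split label or segment; '*' stands for any run of
    characters, but because the separator was split off it cannot cross one."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _split_netloc(netloc):
    """host[:port]; userinfo and IPv6 literals are outside this model."""
    host, sep, port = netloc.rpartition(":")
    return (host, port) if sep else (netloc, None)


def _host_matches(pattern_host, host):
    p_labels, labels = pattern_host.lower().split("."), host.lower().split(".")
    if len(p_labels) != len(labels):                  # '*' cannot contain a '.'
        return False
    if any("*" in label for label in p_labels[1:]):   # only the left-most label
        return False
    return _glob(p_labels[0], labels[0]) and p_labels[1:] == labels[1:]


def _port_matches(pattern_port, port):
    if pattern_port == "*":                           # full wildcard only
        return True
    return pattern_port == port                       # "80*" is not a wildcard


def _path_matches(pattern_path, path):
    p_segs, segs = pattern_path.split("/"), path.split("/")
    if len(p_segs) != len(segs):                      # '*' cannot contain a '/'
        return False
    return all(_glob(p, s) for p, s in zip(p_segs, segs))


def _query_matches(pattern_query, query):
    p_items = sorted(parse_qsl(pattern_query, keep_blank_values=True))
    items = sorted(parse_qsl(query, keep_blank_values=True))
    if len(p_items) != len(items):
        return False
    for (p_name, p_value), (name, value) in zip(p_items, items):
        if "*" in p_name or p_name != name:           # never a wildcard in names
            return False
        if p_value != "*" and p_value != value:       # full wildcard only in values
            return False
    return True


def _wildcard_matches(pattern, candidate):
    p, c = urlsplit(pattern), urlsplit(candidate)
    if p.scheme.lower() != c.scheme.lower():
        return False
    p_host, p_port = _split_netloc(p.netloc)
    host, port = _split_netloc(c.netloc)
    return (_host_matches(p_host, host) and _port_matches(p_port, port)
            and _path_matches(p.path, c.path) and _query_matches(p.query, c.query))


def is_authorized_url(candidate, configured_urls, policy="ExactMatch"):
    """ExactMatch: configured values containing '*' are ignored and the candidate
    must equal a configured value exactly. AllowWildcards: wildcard patterns are
    additionally matched position by position."""
    for configured in configured_urls:
        if "*" not in configured:
            if configured == candidate:
                return True
        elif policy == "AllowWildcards" and _wildcard_matches(configured, candidate):
            return True
    return False


# Constructed configuration mixing an exact value and each permitted wildcard position.
CONFIGURED_REDIRECT_URLS = [
    "https://www.example.com/oauth-callback",   # exact
    "https://*.example.com/cb",                 # left-most subdomain
    "https://example.com:*/cb",                 # port
    "https://example.com/*/callback",           # path segment
    "https://example.com/cb?env=*",             # query string value
]
```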
- application.oauthConfiguration.clientAuthenticationPolicy [String] Optional Defaults to Required Available since 1.28.0
-
Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
- Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- NotRequired - Providing client credentials is optional when using the Token endpoint.
- NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PKCE code_verifier has been provided in the request body using POST data.
- application.oauthConfiguration.clientSecret [String] Optional
-
The OAuth 2.0 client secret. If you leave this blank during a POST, a secure secret will be generated for you. If you leave this blank during PUT, the previous value will be maintained. For both POST and PUT you can provide a value and it will be stored.
- application.oauthConfiguration.debug [Boolean] Optional Defaults to false Available since 1.25.0
-
Whether or not FusionAuth will log a debug Event Log. This is particularly useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
- application.oauthConfiguration.deviceVerificationURL [String] Optional Available since 1.11.0
-
The device verification URL to be used with the Device Code grant type. This field is required when device_code is enabled.
- application.oauthConfiguration.enabledGrants [Array<String>] Optional Available since 1.5.0
-
The enabled grants for this application. In order to utilize a particular grant with the OAuth 2.0 endpoints you must have enabled the grant.
Supported values include:
- authorization_code
- implicit
- password
- refresh_token
- urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0
- application.oauthConfiguration.generateRefreshTokens [Boolean] Optional Defaults to true Available since 1.3.0
-
Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.
- application.oauthConfiguration.logoutBehavior [String] Optional Defaults to AllApplications Available since 1.11.0
-
Behavior when /oauth2/logout is called. Valid values:
- RedirectOnly - End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
- AllApplications - End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.
- application.oauthConfiguration.logoutURL [String] Optional
-
The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
- application.oauthConfiguration.proofKeyForCodeExchangePolicy [String] Optional Defaults to NotRequired Available since 1.28.0
-
Determines the PKCE requirements when using the authorization code grant.
The possible values are:
- Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
- NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
- NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
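The clientAuthenticationPolicy values described earlier and the proofKeyForCodeExchangePolicy values just above combine into one decision when the Token endpoint completes an authorization code grant. The Python below is an added example, not FusionAuth code: the code_verifier check uses the S256 method from RFC 7636, oauth_config and request are constructed dictionaries carrying only the fields the decision needs, and the model rejects any presented client_secret or code_verifier that is wrong regardless of policy. The two sample configurations are constructed: the documented defaults (a confidential client) and a public-client setup that leans on PKCE instead of a shared secret.

```python
import base64
import hashlib
import secrets


def make_code_verifier(nbytes=32):
    """RFC 7636 code_verifier: 43-128 URL-safe characters of high entropy."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier):
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_is_valid(code_verifier, stored_code_challenge):
    """True when the presented verifier reproduces the challenge stored with the code."""
    if code_verifier is None or stored_code_challenge is None:
        return False
    return secrets.compare_digest(code_challenge_s256(code_verifier), stored_code_challenge)


def client_authentication_satisfied(policy, has_client_credentials, valid_pkce):
    """application.oauthConfiguration.clientAuthenticationPolicy"""
    if policy == "Required":
        return has_client_credentials
    if policy == "NotRequired":
        return True
    if policy == "NotRequiredWhenUsingPKCE":
        return has_client_credentials or valid_pkce
    raise ValueError(f"unknown clientAuthenticationPolicy: {policy}")


def pkce_satisfied(policy, has_client_credentials, code_verifier, valid_pkce):
    """application.oauthConfiguration.proofKeyForCodeExchangePolicy.
    A verifier that was sent but does not match is a failure under every policy."""
    if code_verifier is not None:
        return valid_pkce
    if policy == "Required":
        return False
    if policy == "NotRequired":
        return True
    if policy == "NotRequiredWhenUsingClientAuthentication":
        return has_client_credentials
    raise ValueError(f"unknown proofKeyForCodeExchangePolicy: {policy}")


def token_request_accepted(oauth_config, request, stored_code_challenge):
    """Decide whether a Token endpoint request for an authorization code passes both
    policies. oauth_config holds the application.oauthConfiguration fields used here;
    request holds the POST parameters (both constructed dicts)."""
    presented = request.get("client_secret")
    has_creds = presented is not None and secrets.compare_digest(
        presented, oauth_config["clientSecret"])
    if presented is not None and not has_creds:
        return False                           # wrong credentials always fail
    verifier = request.get("code_verifier")
    valid_pkce = verifier_is_valid(verifier, stored_code_challenge)
    return (client_authentication_satisfied(
                oauth_config["clientAuthenticationPolicy"], has_creds, valid_pkce)
            and pkce_satisfied(
                oauth_config["proofKeyForCodeExchangePolicy"], has_creds, verifier, valid_pkce))


# Constructed configurations (secret is a placeholder, not a real value).
CONFIDENTIAL_CLIENT = {"clientSecret": "constructed-client-secret",
                       "clientAuthenticationPolicy": "Required",          # documented default
                       "proofKeyForCodeExchangePolicy": "NotRequired"}    # documented default
PUBLIC_CLIENT = {"clientSecret": "constructed-client-secret",
                 "clientAuthenticationPolicy": "NotRequiredWhenUsingPKCE",
                 "proofKeyForCodeExchangePolicy": "Required"}
```

With both policies set to NotRequired, nothing binds the code exchange to the client that started the grant, so an intercepted authorization code is exchangeable by whoever holds it; the public-client pairing above is the documented way to avoid that without a shared secret.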
- application.oauthConfiguration.requireClientAuthentication [Boolean] Optional Defaults to true Deprecated
-
Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy.
- application.oauthConfiguration.requireRegistration [Boolean] Optional Defaults to false Available since 1.28.0
-
When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
- application.passwordlessConfiguration.enabled [Boolean] Optional Defaults to false Available since 1.5.0
-
Determines if passwordless login is enabled for this application.
- application.registrationConfiguration.birthDate.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the birthDate field will be included on the registration form.
- application.registrationConfiguration.birthDate.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the birthDate field is required when displayed on the registration form.
- application.registrationConfiguration.confirmPassword [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the password should be confirmed during self service registration; this means that the user will be required to type the password twice.
- application.registrationConfiguration.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API; this only affects whether the self service option is available during the OAuth 2.0 login.
Self service registration cannot be enabled on the FusionAuth application.
If true, any user logging in to this application using hosted login pages will automatically have a registration created, if they are not already registered.
- application.registrationConfiguration.firstName.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the firstName field will be included on the registration form.
- application.registrationConfiguration.firstName.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the firstName field is required when displayed on the registration form.
- application.registrationConfiguration.formId [UUID] Optional Available since 1.18.0
-
The Id of an associated Form when using the advanced registration configuration type. This field is required when application.registrationConfiguration.type is set to advanced.
- application.registrationConfiguration.fullName.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the fullName field will be included on the registration form.
- application.registrationConfiguration.fullName.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the fullName field is required when displayed on the registration form.
- application.registrationConfiguration.lastName.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the lastName field will be included on the registration form.
- application.registrationConfiguration.lastName.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the lastName field is required when displayed on the registration form.
- application.registrationConfiguration.loginIdType [String] Optional Defaults to email Available since 1.4.0
-
The unique login Id that will be collected during registration. This value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.
The possible values are:
  - email
  - username
- application.registrationConfiguration.middleName.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the middleName field will be included on the registration form.
- application.registrationConfiguration.middleName.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the middleName field is required when displayed on the registration form.
- application.registrationConfiguration.mobilePhone.enabled [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the mobilePhone field will be included on the registration form.
- application.registrationConfiguration.mobilePhone.required [Boolean] Optional Defaults to false Available since 1.4.0
-
Determines if the mobilePhone field is required when displayed on the registration form.
- application.registrationConfiguration.type [String] Optional Defaults to basic Available since 1.18.0
-
The type of registration flow.
Supported values include:
  - basic - the basic self registration options available prior to version 1.18.0.
  - advanced - advanced usage of custom forms; requires a paid edition of FusionAuth.
- application.registrationDeletePolicy.unverified.enabled [Boolean] Optional Defaults to false Available since 1.13.0
-
Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
- application.registrationDeletePolicy.unverified.numberOfDaysToRetain [Integer] Optional Available since 1.13.0
-
The number of days from registration a user's registration will be retained before being deleted for not completing registration verification. This field is required when application.registrationDeletePolicy.enabled is set to true. Value must be greater than 0.
- application.samlv2Configuration.audience [String] Optional Defaults to issuer Available since 1.6.0
-
The audience for the SAML response sent back to the service provider from FusionAuth. Some service providers require different audience values than the issuer, and this configuration option lets you change the audience in the response.
- application.samlv2Configuration.authorizedRedirectURLs [Array<String>] Required Available since 1.20.0
-
One or more authorized URLs that may be specified by the SAML v2 Service Provider in the Authentication request <AssertionConsumerServiceURL> element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL to which FusionAuth will send the SAML response during a SAML login request; this URL is also referred to as the Assertion Consumer Service (ACS). If the Authentication request does not contain the <AssertionConsumerServiceURL> element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
- application.samlv2Configuration.callbackURL [String] Optional Available since 1.6.0 Deprecated
-
The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0. In version 1.20.0 and beyond, Callback URLs can be managed via application.samlv2Configuration.authorizedRedirectURLs.
- application.samlv2Configuration.debug [Boolean] Optional Defaults to false Available since 1.6.0
-
Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
- application.samlv2Configuration.defaultVerificationKeyId [UUID] Optional Available since 1.20.0
-
The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a <KeyInfo> element is not found in the SAML AuthNRequest. If a <KeyInfo> element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
This parameter is required when application.samlv2Configuration.requireSignedRequests is set to true.
- application.samlv2Configuration.enabled [Boolean] Optional Defaults to false Available since 1.6.0
-
Determines if the SAML IdP is enabled for this Application.
- application.samlv2Configuration.issuer [String] Required Available since 1.6.0
-
An issuer identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration. If you don't know the issuer, you can put anything in this field and FusionAuth will display an error message with the issuer from the service provider when you test the SAML login.
- application.samlv2Configuration.initiatedLogin.enabled [Boolean] Optional Defaults to false Available since 1.41.0
-
Determines if SAML v2 IdP initiated login is enabled for this application.
- application.samlv2Configuration.initiatedLogin.nameIdFormat [String] Optional Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Available since 1.41.0
-
The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
- application.samlv2Configuration.keyId [UUID] Optional Defaults to a new key Available since 1.6.0
-
The unique Id of the Key used to sign the SAML response. If you do not specify this property, FusionAuth will create a new key and associate it with this Application.
- application.samlv2Configuration.logout.behavior [String] Optional Defaults to AllParticipants Available since 1.25.0
-
The possible values are:
  - AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
  - OnlyOriginator - no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
- application.samlv2Configuration.logout.defaultVerificationKeyId [UUID] Optional Available since 1.25.0
-
The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
This parameter is required when application.samlv2Configuration.logout.requireSignedRequests is set to true.
- application.samlv2Configuration.logout.keyId [UUID] Optional Defaults to [see description] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Logout response.
When this parameter is omitted, the key defined by application.samlv2Configuration.keyId will be used.
- application.samlv2Configuration.logout.requireSignedRequests [Boolean] Required Defaults to false Available since 1.25.0
-
Set this parameter equal to true to require the SAML v2 Service Provider to sign the Logout request. When this value is true, all Logout requests missing a signature will be rejected.
When set to true, the parameter application.samlv2Configuration.logout.defaultVerificationKeyId is required.
- application.samlv2Configuration.logout.singleLogout.enabled [Boolean] Optional Defaults to false Available since 1.25.0
-
Whether or not SAML Single Logout for this SAML IdP is enabled.
- application.samlv2Configuration.logout.singleLogout.keyId [UUID] Optional Defaults to [see description] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Single Logout response.
When this parameter is omitted, the key defined by application.samlv2Configuration.keyId will be used.
- application.samlv2Configuration.logout.singleLogout.url [String] Optional Available since 1.25.0
-
The URL at which you want to receive the LogoutRequest from FusionAuth.
Required if application.samlv2Configuration.logout.singleLogout.enabled is true.
- application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don't even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the SAML Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don't even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logoutURL [String] Optional Defaults to the system logout URL or / Available since 1.6.0
-
The URL that the browser is taken to after the user logs out of the SAML service provider. Often service providers need this URL in order to correctly hook up single-logout.
This is also the URL to which the SAML v2 LogoutResponse will be sent, using the same bindings that were used to initiate the logout request with the IdP. For example, if POST bindings were used to initiate the logout request, POST bindings will be used for this LogoutResponse request.
- application.samlv2Configuration.requireSignedRequests [Boolean] Optional Defaults to false Available since 1.20.0
-
Set this parameter equal to true to require the SAML v2 Service Provider to sign the request. When this value is true, all requests missing a signature will be rejected.
When set to true, the parameter application.samlv2Configuration.defaultVerificationKeyId is required.
- application.samlv2Configuration.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.6.0
-
The XML signature canonicalization method used when digesting and signing the SAML response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don't even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.xmlSignatureLocation [String] Defaults to Assertion Available since 1.21.0
-
The location to place the XML signature when signing a successful SAML response.
The possible values are:
  - Assertion - The XML signature will be added as a child element of the Assertion.
  - Response - The XML signature will be added as a child element of the Response.
In most cases the default configuration will be adequate. If you encounter a SAML v2 Service Provider that requires the signature to be a child of the Response, use this configuration to change the signature location. Prior to version 1.21.0, the XML signature was always located as a child element of the Assertion when the response was successful.
- application.themeId [UUID] Optional Available since 1.27.0
-
The unique Id of the theme to be used to style the login page and other end user templates.
Note: A paid plan is required to utilize application themes.
- application.verificationEmailTemplateId [UUID] Optional
-
The Id of the Email Template that is used to send the Registration Verification emails to users. If the verifyRegistration field is true this field is required.
- application.verifyRegistration [Boolean] Optional Defaults to false
-
Whether or not registrations to this Application may be verified. When this is set to true the verificationEmailTemplateId parameter is also required.
- application.webAuthnConfiguration.bootstrapWorkflow.enabled [Boolean] Optional Defaults to false Available since 1.41.0
-
Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
Note: An Essentials or Enterprise plan is required to utilize WebAuthn.
- application.webAuthnConfiguration.enabled [Boolean] Optional Defaults to false Available since 1.41.0
-
Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows will be enabled based on the Tenant configuration. If true, WebAuthn workflows will be enabled according to the configuration of this application.
Note: An Essentials or Enterprise plan is required to utilize WebAuthn.
- application.webAuthnConfiguration.reauthenticationWorkflow.enabled [Boolean] Optional Defaults to false Available since 1.41.0
-
Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
Note: An Essentials or Enterprise plan is required to utilize WebAuthn.
- sourceApplicationId [UUID] Optional Available since 1.43.0
-
The optional Id of an existing Application from which a copy will be made.
A unique application.name is required.
The oauthConfiguration.clientSecret and each role Id will be cleared so new values can be generated. All other values will be copied from the source Application.
- webhookIds [Array<UUID>] Optional Deprecated
-
An array of Webhook Ids. For Webhooks that are not already configured for All Applications, specifying an Id on this request will indicate the associated Webhook should handle events for this application.
Removed in version 1.37.0. In version 1.37.0 and beyond, Webhooks configuration can be managed in the Tenant API.
```json
{
  "application": {
    "accessControlConfiguration": {
      "uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
    },
    "active": true,
    "cleanSpeakConfiguration": {
      "applicationIds": [
        "6b4253e0-cee0-47dd-973a-a27b9e23987c",
        "76a556ec-4ba8-4140-9085-555ee9a8bb1a"
      ],
      "usernameModeration": {
        "applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
        "enabled": true
      }
    },
    "data": {
      "externalApplication": "Acme. Customer Support Forum",
      "productOwner": "john@acme.com"
    },
    "emailConfiguration": {
      "emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
      "emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
      "emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
      "forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
      "loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
      "loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
      "loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
      "loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
      "passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
      "passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
      "passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
      "setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
      "twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
      "twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
    },
    "formConfiguration": {
      "adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
    },
    "jwtConfiguration": {
      "accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
      "enabled": true,
      "idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
      "refreshTokenTimeToLiveInMinutes": 43200,
      "timeToLiveInSeconds": 3600
    },
    "lambdaConfiguration": {
      "accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
      "idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
      "samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908"
    },
    "multiFactorConfiguration": {
      "email": {
        "templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
      },
      "loginPolicy": "Required",
      "sms": {
        "templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
      },
      "trustPolicy": "Any"
    },
    "name": "Forum",
    "loginConfiguration": {
      "allowTokenRefresh": false,
      "generateRefreshTokens": false,
      "requireAuthentication": true
    },
    "oauthConfiguration": {
      "authorizedOriginURLs": [
        "http://www.example.com"
      ],
      "authorizedRedirectURLs": [
        "http://www.example.com/oauth-callback"
      ],
      "authorizedURLValidationPolicy": "ExactMatch",
      "clientAuthenticationPolicy": "Required",
      "enabledGrants": [
        "authorization_code",
        "refresh_token"
      ],
      "logoutBehavior": "AllApplications",
      "logoutURL": "http://www.example.com/logout",
      "proofKeyForCodeExchangePolicy": "NotRequired"
    },
    "registrationDeletePolicy": {
      "unverified": {
        "enabled": true,
        "numberOfDaysToRetain": 30
      }
    },
    "webAuthnConfiguration": {
      "bootstrapWorkflow": {
        "enabled": false
      },
      "enabled": false,
      "reauthenticationWorkflow": {
        "enabled": false
      }
    }
  }
}
```
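The request body reference above states several "required when" dependencies (verifyRegistration, the SAML requireSignedRequests flags, singleLogout, the advanced registration type, the unverified-registration delete policy) and marks requireClientAuthentication as deprecated. The following is an added example, not FusionAuth's own code, that checks a request body against those documented dependencies before it is sent and separately flags the weaker OAuth and SAML options; the warning rules, the sample request and its placeholder UUID are this example's own assumptions.

```python
"""Pre-flight checks for a FusionAuth Application create request body.

Added example, not FusionAuth's own code: enforces the conditional requirements
the request body reference documents ("X is required when Y is true") before the
request is sent, and flags options the reference marks as weaker or deprecated.
The warning rules are this example's own policy, not FusionAuth behaviour.
"""


def _get(obj, path, default=None):
    """Walk a dotted path such as 'samlv2Configuration.logout.singleLogout.url'."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


# (boolean flag, field that is required when the flag is true) pairs from the reference
CONDITIONAL_REQUIREMENTS = [
    ("verifyRegistration", "verificationEmailTemplateId"),
    ("samlv2Configuration.requireSignedRequests",
     "samlv2Configuration.defaultVerificationKeyId"),
    ("samlv2Configuration.logout.requireSignedRequests",
     "samlv2Configuration.logout.defaultVerificationKeyId"),
    ("samlv2Configuration.logout.singleLogout.enabled",
     "samlv2Configuration.logout.singleLogout.url"),
]


def validate_application_request(body):
    """Return the documented cross-field violations; an empty list means none."""
    app = body.get("application", {})
    errors = []
    if not app.get("name"):
        errors.append("application.name is required")
    for flag, dependent in CONDITIONAL_REQUIREMENTS:
        if _get(app, flag) is True and not _get(app, dependent):
            errors.append(f"{dependent} is required when {flag} is true")
    # the advanced registration type needs a form; basic (the default) does not
    if (_get(app, "registrationConfiguration.type", "basic") == "advanced"
            and not _get(app, "registrationConfiguration.formId")):
        errors.append("registrationConfiguration.formId is required when type is advanced")
    # unverified-registration cleanup needs a retention period greater than 0
    if _get(app, "registrationDeletePolicy.unverified.enabled") is True:
        days = _get(app, "registrationDeletePolicy.unverified.numberOfDaysToRetain")
        if not isinstance(days, int) or days <= 0:
            errors.append("registrationDeletePolicy.unverified.numberOfDaysToRetain must be > 0")
    # issuer and authorizedRedirectURLs are marked Required; checked here only when SAML is enabled (assumption)
    if _get(app, "samlv2Configuration.enabled") is True:
        for field in ("issuer", "authorizedRedirectURLs"):
            if not _get(app, f"samlv2Configuration.{field}"):
                errors.append(f"samlv2Configuration.{field} is required")
    return errors


def hardening_warnings(body):
    """Non-fatal findings for weaker or deprecated options (example policy)."""
    app = body.get("application", {})
    oauth = app.get("oauthConfiguration", {})
    warnings = []
    # PKCE defaults to NotRequired; a code-grant client should normally require it
    if ("authorization_code" in oauth.get("enabledGrants", [])
            and oauth.get("proofKeyForCodeExchangePolicy", "NotRequired") == "NotRequired"):
        warnings.append("proofKeyForCodeExchangePolicy is NotRequired for the authorization code grant")
    # deprecated in 1.28.0 in favour of clientAuthenticationPolicy
    if "requireClientAuthentication" in oauth:
        warnings.append("requireClientAuthentication is deprecated; use clientAuthenticationPolicy")
    if _get(app, "samlv2Configuration.enabled") is True:
        if _get(app, "samlv2Configuration.requireSignedRequests") is not True:
            warnings.append("samlv2Configuration.requireSignedRequests is off; unsigned requests are accepted")
        if _get(app, "samlv2Configuration.debug") is True:
            warnings.append("samlv2Configuration.debug logs SAML debug messages to the event log")
    return warnings


# Constructed sample request modelled on the page's example, with a SAML
# configuration added. The UUID is a placeholder, not a real FusionAuth Id.
SAMPLE_REQUEST = {
    "application": {
        "name": "Forum",
        "verifyRegistration": True,
        "verificationEmailTemplateId": "00000000-0000-4000-8000-000000000001",
        "registrationConfiguration": {"type": "advanced"},
        "registrationDeletePolicy": {"unverified": {"enabled": True, "numberOfDaysToRetain": 30}},
        "oauthConfiguration": {
            "authorizedRedirectURLs": ["http://www.example.com/oauth-callback"],
            "enabledGrants": ["authorization_code", "refresh_token"],
            "proofKeyForCodeExchangePolicy": "NotRequired",
        },
        "samlv2Configuration": {
            "enabled": True,
            "issuer": "https://sp.example.com",
            "authorizedRedirectURLs": ["https://sp.example.com/saml/acs"],
            "requireSignedRequests": True,
            "debug": True,
        },
    }
}
```

Run against SAMPLE_REQUEST, the validator reports the missing registrationConfiguration.formId and samlv2Configuration.defaultVerificationKeyId, which FusionAuth would otherwise reject with a 400.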
Response
The response for this API contains the new information for the Application that was updated.
Code | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 | The object you are trying to update doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body
- application.accessControlConfiguration.uiIPAccessControlListId [UUID] Available since 1.30.0
-
The Id of the IP Access Control List limiting access to this application.
- application.active [Boolean] Deprecated
-
Whether or not the Application is active.
Deprecated in version 1.22.0. In version 1.22.0 and beyond, prefer the use of state.
- application.authenticationTokenConfiguration.enabled [Boolean]
-
Whether or not Users can have Authentication Tokens associated with this Application.
- application.cleanSpeakConfiguration.applicationIds [Array<UUID>]
-
An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
- application.cleanSpeakConfiguration.enabled [Boolean]
-
True if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
- application.cleanSpeakConfiguration.usernameModeration.applicationId [UUID]
-
The Id of the CleanSpeak application that usernames are sent to for moderation.
- application.cleanSpeakConfiguration.usernameModeration.enabled [Boolean]
-
True if CleanSpeak username moderation is enabled.
- application.data [Object]
-
An object that can hold any information about the Application that should be persisted.
- application.emailConfiguration.emailVerificationEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailVerifiedEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginNewDeviceEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginSuspiciousEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordResetSuccessEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodAddEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.formConfiguration.adminRegistrationFormId [UUID] Available since 1.20.0
-
The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
- application.formConfiguration.selfServiceFormId [UUID] Available since 1.26.0
-
The unique Id of the form used to enable authenticated users to manage their profile on the account page.
- application.id [UUID]
-
The unique identifier for this Application.
- application.insertInstant [Long] Available since 1.18.0
-
The instant that the Application was added to the FusionAuth database.
- application.jwtConfiguration.accessTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the access token.
- application.jwtConfiguration.algorithm [String] Deprecated
-
The algorithm used to sign the JSON Web Token (JWT). The following JSON Web Algorithms (JWA), as described in RFC 7518, are available:
  - ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
  - ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
  - ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
  - HS256 - HMAC using SHA-256
  - HS384 - HMAC using SHA-384
  - HS512 - HMAC using SHA-512
  - RS256 - RSASSA-PKCS1-v1_5 using SHA-256
  - RS384 - RSASSA-PKCS1-v1_5 using SHA-384
  - RS512 - RSASSA-PKCS1-v1_5 using SHA-512
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.enabled [Boolean]
-
Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false, the signing algorithm configured in the Tenant will be used. If true, the signing algorithm defined in this application will be used.
- application.jwtConfiguration.idTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the Id token.
- application.jwtConfiguration.privateKey [String] Deprecated
-
The private key used when an RSA signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.publicKey [String] Deprecated
-
The public key used when an RSA signing algorithm has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
Removed in version 1.6.0. In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.2.0
-
The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
- application.jwtConfiguration.secret [String] Deprecated
-
The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.
Removed in version 1.5.0. In version 1.5.0 and beyond, when selecting an HMAC algorithm, the client_secret from the OAuth configuration will be used to sign and verify the JWTs.
- application.jwtConfiguration.timeToLiveInSeconds [Integer]
-
The length of time in seconds the JWT will live before it is expired and no longer valid.
-
The length of time in seconds the JWT will live before it is expired and no longer valid.
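The following is an added example, not code from the FusionAuth documentation or product, showing how the JWT settings above fit together on the consuming side: an HMAC algorithm (HS256 here) signs with the application's client_secret, timeToLiveInSeconds becomes the exp claim, and a verifier must pin the algorithm from its own configuration rather than trusting the token header. The secret and claims are constructed values; only the Python standard library is used.

```python
# Added example, not FusionAuth code: mint and verify an HS256 JWT with the standard library.
# Assumptions: the secret is the application's OAuth client_secret (as the page states for
# HMAC algorithms since 1.5.0) and ttl_seconds plays the role of timeToLiveInSeconds.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The HMAC algorithms listed on the page, mapped to their hash functions.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed stand-in for the application's OAuth client_secret.
CLIENT_SECRET = "example-client-secret-not-a-real-value"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: str, alg: str = "HS256",
             ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Sign claims with an HMAC algorithm; ttl_seconds is the token lifetime (timeToLiveInSeconds)."""
    if alg not in HMAC_ALGS:
        raise ValueError(f"unsupported algorithm {alg!r}")
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)

    def encode(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = encode(header) + "." + encode(body)
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: str, expected_alg: str = "HS256",
               now: Optional[int] = None) -> dict:
    """Verify signature and expiry; raise ValueError on any failure, return the claims on success.

    The algorithm comes from the verifier's configuration, never from the token header, so a
    token claiming alg "none" or a different algorithm is rejected before any crypto runs.
    """
    if expected_alg not in HMAC_ALGS:
        raise ValueError(f"unsupported algorithm {expected_alg!r}")
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"algorithm mismatch: token says {header.get('alg')!r}, "
                         f"verifier expects {expected_alg!r}")
    signing_input = (header_b64 + "." + body_b64).encode("ascii")
    expected_sig = hmac.new(secret.encode("utf-8"), signing_input, HMAC_ALGS[expected_alg]).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def is_valid(token: str, secret: str, expected_alg: str = "HS256",
             now: Optional[int] = None) -> bool:
    """Boolean convenience wrapper around verify_jwt."""
    try:
        verify_jwt(token, secret, expected_alg, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_jwt({"sub": "user-1"}, CLIENT_SECRET, ttl_seconds=3600, now=t0)
    print(token)
    print(verify_jwt(token, CLIENT_SECRET, now=t0 + 60))
    print(is_valid(token, CLIENT_SECRET, now=t0 + 3600))  # False: expired exactly at exp
```

The important design choice is that verify_jwt takes expected_alg from the caller's configuration and compares it to the header before touching the signature; with the application-level setting described above, that configuration is the algorithm the application (or, when enabled is false, the Tenant) is known to use.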
- application.lambdaConfiguration.accessTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
- application.lambdaConfiguration.idTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
- application.lambdaConfiguration.samlv2PopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
- application.lambdaConfiguration.selfServiceRegistrationValidationId [UUID] Available since 1.43.0
-
The unique Id of the lambda that will be used to perform additional validation on registration form steps.
- application.lastUpdateInstant [Long] Available since 1.18.0
-
The instant that the Application was last updated in the FusionAuth database.
- application.name [String]
-
The name of the Application.
- application.loginConfiguration.allowTokenRefresh [Boolean] Available since 1.5.0
-
Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens, which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
- application.loginConfiguration.generateRefreshTokens [Boolean] Available since 1.5.0
-
Indicates if a Refresh Token should be issued from the Login API.
- application.loginConfiguration.requireAuthentication [Boolean] Available since 1.5.0
-
Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
-
The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
- application.multiFactorConfiguration.sms.templateId [UUID] Available since 1.26.0
-
The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
- application.oauthConfiguration.authorizedOriginURLs [Array<String>]
-
An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header X-Frame-Options: DENY will be added to each response to disallow iframe loading.
- application.oauthConfiguration.authorizedRedirectURLs [Array<String>]
-
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
- application.oauthConfiguration.authorizedURLValidationPolicy [String] Available since 1.43.0
-
Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs.
The possible values are:
- ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
- AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
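An added example, not FusionAuth's own validation code, of how an authorization server might apply the two authorizedURLValidationPolicy values when checking a redirect_uri or origin. The wildcard semantics are an assumption made for illustration (FusionAuth documents its own rules separately): "*" in the host matches exactly one DNS label, "*" in the path matches within one path segment, and wildcards are never honoured in the query. The configured URLs are constructed values.

```python
# Added example, not FusionAuth code: ExactMatch vs. AllowWildcards checking of a redirect URL.
# Matching is done per URL component rather than on the raw string, so a hostile host cannot
# smuggle the expected suffix into the query string or path. Wildcard rules are an assumption.
import re
from typing import List
from urllib.parse import urlsplit

POLICIES = ("ExactMatch", "AllowWildcards")


def _wildcard_regex(component: str, star: str) -> "re.Pattern[str]":
    """Escape a configured component literally, then let each '*' match `star`."""
    return re.compile(re.escape(component).replace(r"\*", star))


def url_allowed(candidate: str, configured: List[str], policy: str) -> bool:
    """Return True if candidate is authorised by the configured list under the given policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown authorizedURLValidationPolicy {policy!r}")
    cand = urlsplit(candidate)
    # A redirect target carrying a fragment is rejected outright (RFC 6749 section 3.1.2).
    if not cand.scheme or not cand.netloc or cand.fragment:
        return False
    for entry in configured:
        if "*" not in entry:
            # Entries without wildcards must match exactly under either policy.
            if candidate == entry:
                return True
            continue
        if policy == "ExactMatch":
            # Wildcard entries are ignored entirely under ExactMatch.
            continue
        pat = urlsplit(entry)
        if "*" in pat.query or "*" in pat.fragment:
            continue  # never allow a wildcard in the query string
        if cand.scheme.lower() != pat.scheme.lower():
            continue
        # One DNS label per '*': no dots, slashes, userinfo or port separators may be absorbed.
        if not _wildcard_regex(pat.netloc.lower(), r"[^./:@]+").fullmatch(cand.netloc.lower()):
            continue
        # '*' in the path never crosses '/', so it cannot climb into another route.
        if not _wildcard_regex(pat.path, r"[^/]*").fullmatch(cand.path):
            continue
        if cand.query != pat.query:
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed configuration: one exact entry and one single-label wildcard entry.
    cfg = ["https://app.example.com/oauth-callback", "https://*.example.com/cb"]
    for url in ("https://foo.example.com/cb", "https://evil.com/?x=.example.com/cb"):
        print(url, url_allowed(url, cfg, "AllowWildcards"))
```

Under ExactMatch the wildcard entry contributes nothing, which matches the page's description; under AllowWildcards it is honoured, but only after the scheme, host, path and query are compared separately.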
- application.oauthConfiguration.clientAuthenticationPolicy [String] Available since 1.28.0
-
Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
- Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- NotRequired - Providing client credentials is optional when using the Token endpoint.
- NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PKCE code_verifier has been provided in the request body using POST data.
- application.oauthConfiguration.clientId [String]
-
The OAuth client Id of the Application.
- application.oauthConfiguration.clientSecret [String]
-
The OAuth client secret.
- application.oauthConfiguration.debug [Boolean] Available since 1.25.0
-
Whether or not FusionAuth will log a debug Event Log. This is particularly useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
- application.oauthConfiguration.deviceVerificationURL [String] Available since 1.11.0
-
The device verification URL to be used with the Device Code grant type.
- application.oauthConfiguration.enabledGrants [Array<String>] Available since 1.5.0
-
The enabled grants for this application.
Supported values include:
- authorization_code
- implicit
- password
- refresh_token
- urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0
- application.oauthConfiguration.generateRefreshTokens [Boolean] Available since 1.3.0
-
Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.
- application.oauthConfiguration.logoutBehavior [String] Available since 1.11.0
-
Behavior when /oauth2/logout is called. Valid values:
- RedirectOnly - End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
- AllApplications - End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.
- application.oauthConfiguration.logoutURL [String]
-
The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
- application.oauthConfiguration.proofKeyForCodeExchangePolicy [String] Available since 1.28.0
-
Determines the PKCE requirements when using the authorization code grant.
The possible values are:
- Required - The client must provide a valid code_verifier in the request body when completing the authorization code grant.
- NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
- NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier in the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
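Because clientAuthenticationPolicy and proofKeyForCodeExchangePolicy are evaluated together when an authorization code is redeemed, the following added example (not FusionAuth code) shows one way a token endpoint could combine them. The PKCE check uses the S256 method from RFC 7636 (code_challenge = BASE64URL(SHA256(code_verifier))), which is an assumption of this example since the page does not state the method; the "valid code_verifier" wording on the page is taken to mean one that matches the challenge stored with the authorization request. Client credentials are constructed values.

```python
# Added example, not FusionAuth code: combining clientAuthenticationPolicy and
# proofKeyForCodeExchangePolicy at the token endpoint. PKCE method S256 is assumed.
import base64
import hashlib
import hmac
from typing import Optional, Tuple

CLIENT_AUTH_POLICIES = ("Required", "NotRequired", "NotRequiredWhenUsingPKCE")
PKCE_POLICIES = ("Required", "NotRequired", "NotRequiredWhenUsingClientAuthentication")


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_verified(stored_challenge: Optional[str], code_verifier: Optional[str]) -> bool:
    """A verifier only counts if the authorization request stored a challenge and they agree."""
    if not stored_challenge or not code_verifier:
        return False
    return hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def client_authenticated(expected_id: str, expected_secret: str,
                         presented_id: Optional[str], presented_secret: Optional[str]) -> bool:
    """True only when both client_id and client_secret match (constant-time on the secret)."""
    if presented_id is None or presented_secret is None or presented_id != expected_id:
        return False
    return hmac.compare_digest(presented_secret.encode("utf-8"), expected_secret.encode("utf-8"))


def evaluate_token_request(client_auth_policy: str, pkce_policy: str,
                           authed: bool, pkce_ok: bool) -> Tuple[bool, str]:
    """Apply both policies to an already-checked request; returns (allowed, reason)."""
    if client_auth_policy not in CLIENT_AUTH_POLICIES:
        raise ValueError(f"unknown clientAuthenticationPolicy {client_auth_policy!r}")
    if pkce_policy not in PKCE_POLICIES:
        raise ValueError(f"unknown proofKeyForCodeExchangePolicy {pkce_policy!r}")
    need_client_auth = (
        client_auth_policy == "Required"
        or (client_auth_policy == "NotRequiredWhenUsingPKCE" and not pkce_ok)
    )
    need_pkce = (
        pkce_policy == "Required"
        or (pkce_policy == "NotRequiredWhenUsingClientAuthentication" and not authed)
    )
    if need_client_auth and not authed:
        return False, "client authentication required by clientAuthenticationPolicy"
    if need_pkce and not pkce_ok:
        return False, "valid code_verifier required by proofKeyForCodeExchangePolicy"
    return True, "ok"


def redeem_code(client_auth_policy: str, pkce_policy: str, *, expected_id: str,
                expected_secret: str, stored_challenge: Optional[str],
                presented_id: Optional[str] = None, presented_secret: Optional[str] = None,
                code_verifier: Optional[str] = None) -> Tuple[bool, str]:
    """Check the presented credentials and verifier, then apply the two policies."""
    authed = client_authenticated(expected_id, expected_secret, presented_id, presented_secret)
    pkce_ok = pkce_verified(stored_challenge, code_verifier)
    return evaluate_token_request(client_auth_policy, pkce_policy, authed, pkce_ok)


if __name__ == "__main__":
    # Constructed client; the verifier/challenge pair is the worked example from RFC 7636 Appendix B.
    cid, csec = "constructed-client-id", "constructed-client-secret"
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = code_challenge_s256(verifier)
    print(redeem_code("NotRequiredWhenUsingPKCE", "NotRequiredWhenUsingClientAuthentication",
                      expected_id=cid, expected_secret=csec, stored_challenge=challenge,
                      presented_id=cid, code_verifier=verifier))
```

The pairing NotRequiredWhenUsingPKCE / NotRequiredWhenUsingClientAuthentication lets a public client redeem a code with PKCE alone and a confidential client with its secret alone, while a request presenting neither, or presenting a code_verifier that does not match the stored challenge, is refused.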
- application.oauthConfiguration.requireClientAuthentication [Boolean] Available since 1.3.0 Deprecated
-
Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0. In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy.
- application.oauthConfiguration.requireRegistration [Boolean] Available since 1.28.0
-
Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
- application.passwordlessConfiguration.enabled [Boolean] Available since 1.5.0
-
Determines if passwordless login is enabled for this application.
- application.registrationConfiguration.birthDate.enabled [Boolean] Available since 1.4.0
-
Determines if the birthDate field will be included on the registration form.
- application.registrationConfiguration.birthDate.required [Boolean] Available since 1.4.0
-
Determines if the birthDate field is required when displayed on the registration form.
- application.registrationConfiguration.confirmPassword [Boolean] Available since 1.4.0
-
Determines if the password should be confirmed during self service registration. This means that the user will be required to type the password twice.
- application.registrationConfiguration.enabled [Boolean] Available since 1.4.0
-
Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API; this only affects whether the self service option is available during the OAuth 2.0 login.
- application.registrationConfiguration.firstName.enabled [Boolean] Available since 1.4.0
-
Determines if the firstName field will be included on the registration form.
- application.registrationConfiguration.firstName.required [Boolean] Available since 1.4.0
-
Determines if the firstName field is required when displayed on the registration form.
- application.registrationConfiguration.formId [UUID] Available since 1.18.0
-
The Id of an associated Form when using the advanced registration configuration type.
- application.registrationConfiguration.fullName.enabled [Boolean] Available since 1.4.0
-
Determines if the fullName field will be included on the registration form.
- application.registrationConfiguration.fullName.required [Boolean] Available since 1.4.0
-
Determines if the fullName field is required when displayed on the registration form.
- application.registrationConfiguration.lastName.enabled [Boolean] Available since 1.4.0
-
Determines if the lastName field will be included on the registration form.
- application.registrationConfiguration.lastName.required [Boolean] Available since 1.4.0
-
Determines if the lastName field is required when displayed on the registration form.
- application.registrationConfiguration.loginIdType [String] Available since 1.4.0
-
The unique login Id that will be collected during registration. This value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.
The possible values are:
- email
- username
- application.registrationConfiguration.middleName.enabled [Boolean] Available since 1.4.0
-
Determines if the middleName field will be included on the registration form.
- application.registrationConfiguration.middleName.required [Boolean] Available since 1.4.0
-
Determines if the middleName field is required when displayed on the registration form.
- application.registrationConfiguration.mobilePhone.enabled [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field will be included on the registration form.
- application.registrationConfiguration.mobilePhone.required [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field is required when displayed on the registration form.
- application.registrationConfiguration.type [String] Available since 1.18.0
-
The type of registration flow.
Supported values include:
- basic - the basic self registration options available prior to version 1.18.0.
- advanced - advanced usage of custom forms, requires a paid edition of FusionAuth.
- application.registrationDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0
-
Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
- application.registrationDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0
-
The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
- application.roles [Array]
-
An array of Role objects.
- application.roles[x].description [String]
-
A description of the role.
- application.roles[x].id [UUID]
-
The Id of the Role.
- application.roles[x].name [String]
-
The name of the Role.
- application.roles[x].isDefault [Boolean]
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- application.roles[x].isSuperRole [Boolean]
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API.
- application.samlv2Configuration.audience [String] Available since 1.6.0
-
The audience for the SAML response sent back to the service provider from FusionAuth. Some service providers require different audience values than the issuer, and this configuration option lets you change the audience in the response.
- application.samlv2Configuration.authorizedRedirectURLs [Array<String>] Available since 1.20.0
-
One or more authorized URLs that may be specified by the SAML v2 Service Provider in the Authentication request <AssertionConsumerServiceURL> element. If a requested URL is not in this list the request will be rejected by FusionAuth. This is the URL to which FusionAuth will send the SAML response during a SAML login request (this URL is also referred to as the Assertion Consumer Service or ACS). If the Authentication request does not contain the <AssertionConsumerServiceURL> element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
- application.samlv2Configuration.callbackURL [String] Available since 1.6.0 Deprecated
-
The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0. This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
- application.samlv2Configuration.debug [Boolean] Available since 1.6.0
-
Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
- application.samlv2Configuration.defaultVerificationKeyId [UUID] Available since 1.20.0
-
The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a <KeyInfo> element is not found in the SAML AuthNRequest. If a <KeyInfo> element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
- application.samlv2Configuration.enabled [Boolean] Available since 1.6.0
-
Whether or not the SAML IdP for this Application is enabled.
- application.samlv2Configuration.initiatedLogin.enabled [Boolean] Available since 1.41.0
-
Determines if SAML v2 IdP initiated login is enabled for this application.
- application.samlv2Configuration.initiatedLogin.nameIdFormat [String] Available since 1.41.0
-
The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
- application.samlv2Configuration.issuer [String] Available since 1.6.0
-
The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
- application.samlv2Configuration.keyId [UUID] Available since 1.6.0
-
The unique Id of the Key used to sign the SAML response.
- application.samlv2Configuration.logout.behavior [String] Available since 1.25.0
-
The possible values are:
- AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
- OnlyOriginator - no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
- application.samlv2Configuration.logout.defaultVerificationKeyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
-
The unique Id of the Key used to sign the SAML Logout response.
- application.samlv2Configuration.logout.requireSignedRequests [Boolean] Available since 1.25.0
-
When this value is true, all Logout requests missing a signature will be rejected.
- application.samlv2Configuration.logout.singleLogout.enabled [Boolean] Available since 1.25.0
-
Whether or not SAML Single Logout for this SAML IdP is enabled.
- application.samlv2Configuration.logout.singleLogout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Single Logout response.
- application.samlv2Configuration.logout.singleLogout.url [String] Available since 1.25.0
-
The URL at which you want to receive the LogoutRequest from FusionAuth.
- application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod [String] Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logoutURL [String] Available since 1.6.0
-
The URL that the browser is taken to after the user logs out of the SAML service provider.
- application.samlv2Configuration.requireSignedRequests [Boolean] Available since 1.20.0
-
When this value is true, all requests missing a signature will be rejected.
- application.samlv2Configuration.xmlSignatureC14nMethod [String] Available since 1.6.0
-
The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
- exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
- exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.xmlSignatureLocation [String] Available since 1.21.0
-
The location to place the XML signature when signing the SAML response.
The possible values are:
- Assertion - The XML signature will be added as a child element of the Assertion.
- Response - The XML signature will be added as a child element of the Response.
- application.state [String] Available since 1.22.0
-
The current state of the application. The following are valid values:
- Active - The application is active.
- Inactive - The application is not active. An application cannot be modified or authenticated against when inactive.
- application.themeId [UUID] Available since 1.27.0
-
The unique Id of the theme to be used to style the login page and other end user templates.
- application.verificationEmailTemplateId [UUID]
-
The Id of the Email Template that is used to send the Registration Verification emails to users.
- application.verifyRegistration [Boolean]
-
Whether or not registrations to this Application may be verified.
- application.webAuthnConfiguration.bootstrapWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
- application.webAuthnConfiguration.enabled [Boolean] Available since 1.41.0
-
Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows are enabled based on the Tenant configuration. If true, WebAuthn workflows are enabled according to the configuration of this application.
- application.webAuthnConfiguration.reauthenticationWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
{
"application": {
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908"
},
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshTokens": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"requireClientAuthentication": true,
"requireRegistration": false
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"state": "Active",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
Delete an Application
This API is used to delete an Application. You must specify the Id of the Application on the URI. You can also specify whether or not the Application is soft or hard deleted. Soft deleted Applications are marked as inactive but not deleted from FusionAuth.
Request
Soft delete an Application. This operation can be reversed by re-activating the Application.
DELETE /api/application/{applicationId}
Permanently delete an Application. This operation cannot be reversed.
DELETE /api/application/{applicationId}?hardDelete=true
Request Parameters
- applicationId [UUID] Required
-
The Id of the Application to delete.
- hardDelete [Boolean] Optional
-
Whether or not the Application is soft or hard deleted. A hard delete is a permanent operation.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response
This API does not return a JSON response body.
Code | Description
---|---
200 | The request was successful. The response will be empty.
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
404 | The object you are trying to delete doesn't exist. The response will be empty.
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.
Reactivate an Application
This API is used to reactivate an inactive Application. You must specify the Id of the Application on the URI.
Request
PUT /api/application/{applicationId}?reactivate=true
Request Parameters
- applicationId [UUID] Required
-
The Id of the Application to reactivate.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response
The response for this API contains the information for the Application that was reactivated.
Code | Description
---|---
200 | The request was successful. The response will contain a JSON body.
400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
404 | The object you requested doesn't exist. The response will be empty.
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.
Response Body
- application.accessControlConfiguration.uiIPAccessControlListId [UUID] Available since 1.30.0
-
The Id of the IP Access Control List limiting access to this application.
- application.active [Boolean] Deprecated
-
Whether or not the Application is active.
Deprecated in version 1.22.0 In version 1.22.0 and beyond, prefer the use of state.
- application.authenticationTokenConfiguration.enabled [Boolean]
-
Whether or not Users can have Authentication Tokens associated with this Application.
- application.cleanSpeakConfiguration.applicationIds [Array<UUID>]
-
An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat.
This property is used when CleanSpeak sends user action notifications to FusionAuth (when users are disciplined for example). FusionAuth will translate the CleanSpeak ids to FusionAuth ids and then apply the user action.
- application.cleanSpeakConfiguration.enabled [Boolean]
-
True if CleanSpeak integration is enabled. This setting is global and is not modifiable using this API.
- application.cleanSpeakConfiguration.usernameModeration.applicationId [UUID]
-
The Id of the CleanSpeak application that usernames are sent to for moderation.
- application.cleanSpeakConfiguration.usernameModeration.enabled [Boolean]
-
True if CleanSpeak username moderation is enabled.
- application.data [Object]
-
An object that can hold any information about the Application that should be persisted.
- application.emailConfiguration.emailVerificationEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to send emails to users to verify that their email address is valid. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.emailVerifiedEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template used to notify a user that their email address has been verified. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnCreateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginIdInUseOnUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginNewDeviceEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.loginSuspiciousEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordResetSuccessEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.passwordUpdateEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional Available since 1.19.0
-
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodAddEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when an MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.emailConfiguration.twoFactorMethodRemoveEmailTemplateId [UUID] Optional Available since 1.30.0
-
The Id of the Email Template used to send emails to users when an MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known.
- application.formConfiguration.adminRegistrationFormId [UUID] Available since 1.20.0
-
The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI.
- application.formConfiguration.selfServiceFormId [UUID] Available since 1.26.0
-
The unique Id of the form used to enable authenticated users to manage their profile on the account page.
- application.id [UUID]
-
The unique identifier for this Application.
- application.insertInstant [Long] Available since 1.18.0
-
The instant that the Application was added to the FusionAuth database.
- application.jwtConfiguration.accessTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the access token.
- application.jwtConfiguration.algorithm [String] Deprecated
-
The algorithm used to sign the JSON Web Token (JWT). The following JSON Web Algorithms (JWA), as described in RFC 7518, are available:
  - ES256 - ECDSA using P-256 curve and SHA-256 Available since 1.4.0
  - ES384 - ECDSA using P-384 curve and SHA-384 Available since 1.4.0
  - ES512 - ECDSA using P-521 curve and SHA-512 Available since 1.4.0
  - HS256 - HMAC using SHA-256
  - HS384 - HMAC using SHA-384
  - HS512 - HMAC using SHA-512
  - RS256 - RSASSA-PKCS1-v1_5 using SHA-256
  - RS384 - RSASSA-PKCS1-v1_5 using SHA-384
  - RS512 - RSASSA-PKCS1-v1_5 using SHA-512
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.enabled [Boolean]
-
Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. If true the signing algorithm defined in this application will be used.
- application.jwtConfiguration.idTokenKeyId [UUID] Available since 1.6.0
-
The Id of the signing key used to sign the Id token.
- application.jwtConfiguration.privateKey [String] Deprecated
-
The private key used when an RSA signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.publicKey [String] Deprecated
-
The public key used when an RSA signing algorithm has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
Removed in version 1.6.0 In version 1.6.0 and beyond, JWT configuration can be managed in the Keys API and Keymaster.
- application.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available since 1.2.0
-
The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
- application.jwtConfiguration.secret [String] Deprecated
-
The secret used when an HMAC based signing algorithm has been selected. This secret is used to sign and verify JWTs.
Removed in version 1.5.0 In version 1.5.0 and beyond, when selecting an HMAC algorithm, the client_secret from the OAuth configuration will be used to sign and verify the JWTs.
- application.jwtConfiguration.timeToLiveInSeconds [Integer]
-
The length of time in seconds the JWT will live before it is expired and no longer valid.
- application.lambdaConfiguration.accessTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API.
- application.lambdaConfiguration.idTokenPopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request.
- application.lambdaConfiguration.samlv2PopulateId [UUID] Available since 1.6.0
-
The Id of the Lambda that will be invoked when a SAML response is generated during a SAML authentication request.
- application.lambdaConfiguration.selfServiceRegistrationValidationId [UUID] Available since 1.43.0
-
The unique Id of the lambda that will be used to perform additional validation on registration form steps.
- application.lastUpdateInstant [Long] Available since 1.18.0
-
The instant that the Application was last updated in the FusionAuth database.
- application.name [String]
-
The name of the Application.
- application.loginConfiguration.allowTokenRefresh [Boolean] Available since 1.5.0
-
Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens, which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API.
- application.loginConfiguration.generateRefreshTokens [Boolean] Available since 1.5.0
-
Indicates if a Refresh Token should be issued from the Login API.
- application.loginConfiguration.requireAuthentication [Boolean] Available since 1.5.0
-
Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API.
- application.multiFactorConfiguration.email.templateId [UUID] Available since 1.26.0
-
The Id of the email template that is used when notifying a user to complete a multi-factor authentication request.
- application.multiFactorConfiguration.sms.templateId [UUID] Available since 1.26.0
-
The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request.
- application.oauthConfiguration.authorizedOriginURLs [Array<String>]
-
An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY will be added to each response to disallow iframe loading.
- application.oauthConfiguration.authorizedRedirectURLs [Array<String>]
-
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
- application.oauthConfiguration.authorizedURLValidationPolicy [String] Available since 1.43.0
-
Controls the validation policy for application.oauthConfiguration.authorizedOriginURLs and application.oauthConfiguration.authorizedRedirectURLs.
The possible values are:
  - ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
  - AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
- application.oauthConfiguration.clientAuthenticationPolicy [String] Available since 1.28.0
-
Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
  - Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
  - NotRequired - Providing client credentials is optional when using the Token endpoint.
  - NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PKCE code_verifier has been provided in the request body using POST data.
- application.oauthConfiguration.clientId [String]
-
The OAuth client Id of the Application.
- application.oauthConfiguration.clientSecret [String]
-
The OAuth client secret.
- application.oauthConfiguration.debug [Boolean] Available since 1.25.0
-
Whether or not FusionAuth will log a debug Event Log. This is particularly useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant.
- application.oauthConfiguration.deviceVerificationURL [String] Available since 1.11.0
-
The device verification URL to be used with the Device Code grant type.
- application.oauthConfiguration.enabledGrants [Array<String>] Available since 1.5.0
-
The enabled grants for this application.
Supported values include:
  - authorization_code
  - implicit
  - password
  - refresh_token
  - urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0
- application.oauthConfiguration.generateRefreshTokens [Boolean] Available since 1.3.0
-
Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.
- application.oauthConfiguration.logoutBehavior [String] Available since 1.11.0
-
Behavior when /oauth2/logout is called. Valid values:
  - RedirectOnly - End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
  - AllApplications - End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.
- application.oauthConfiguration.logoutURL [String]
-
The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
- application.oauthConfiguration.proofKeyForCodeExchangePolicy [String] Available since 1.28.0
-
Determines the PKCE requirements when using the authorization code grant.
The possible values are:
  - Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
  - NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
  - NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
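As an added example (not FusionAuth's code), the following Python evaluates one Token endpoint request against the clientAuthenticationPolicy and proofKeyForCodeExchangePolicy values listed above, showing how the two "NotRequiredWhenUsing..." values depend on each other. TokenRequest and decide_token_request are hypothetical helpers written for this example, and the PKCE check assumes the S256 transform from RFC 7636.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy values exactly as documented for the Application API above.
CLIENT_AUTH_POLICIES = {"Required", "NotRequired", "NotRequiredWhenUsingPKCE"}
PKCE_POLICIES = {"Required", "NotRequired", "NotRequiredWhenUsingClientAuthentication"}


@dataclass
class TokenRequest:
    """Hypothetical, constructed view of one POST to the OAuth 2.0 Token endpoint."""
    client_id: str
    client_secret: Optional[str] = None            # Basic header or POST body
    code_verifier: Optional[str] = None            # PKCE verifier, POST body only
    expected_code_challenge: Optional[str] = None  # challenge stored with the auth code


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA-256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def decide_token_request(req: TokenRequest, registered_secret: str,
                         client_auth_policy: str, pkce_policy: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for req under the two configured policies.

    Hypothetical decision logic written for this example, not FusionAuth's
    implementation. A credential that is presented must be correct: an
    "optional" credential never means a wrong one is tolerated.
    """
    if client_auth_policy not in CLIENT_AUTH_POLICIES:
        raise ValueError(f"unknown clientAuthenticationPolicy {client_auth_policy!r}")
    if pkce_policy not in PKCE_POLICIES:
        raise ValueError(f"unknown proofKeyForCodeExchangePolicy {pkce_policy!r}")

    # Client authentication: compare in constant time so a mismatch is not timing-observable.
    authenticated = False
    if req.client_secret is not None:
        if not hmac.compare_digest(req.client_secret.encode(), registered_secret.encode()):
            return False, "invalid_client: client_secret does not match"
        authenticated = True

    # PKCE: the verifier must hash to the challenge bound to the authorization code.
    pkce_ok = False
    if req.code_verifier is not None:
        if req.expected_code_challenge is None or not hmac.compare_digest(
                s256_challenge(req.code_verifier).encode(),
                req.expected_code_challenge.encode()):
            return False, "invalid_grant: code_verifier does not match code_challenge"
        pkce_ok = True

    # clientAuthenticationPolicy
    if client_auth_policy == "Required" and not authenticated:
        return False, "invalid_client: client credentials are required"
    if client_auth_policy == "NotRequiredWhenUsingPKCE" and not (authenticated or pkce_ok):
        return False, "invalid_client: client credentials are required without a valid code_verifier"

    # proofKeyForCodeExchangePolicy
    if pkce_policy == "Required" and not pkce_ok:
        return False, "invalid_grant: code_verifier is required"
    if pkce_policy == "NotRequiredWhenUsingClientAuthentication" and not (pkce_ok or authenticated):
        return False, "invalid_grant: code_verifier is required without client authentication"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values (not real credentials). The verifier is the
    # RFC 7636 Appendix B test vector, so its S256 challenge is known.
    secret = "example-client-secret"
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    public_client = TokenRequest("example-client-id", code_verifier=verifier,
                                 expected_code_challenge=s256_challenge(verifier))
    print(decide_token_request(public_client, secret, "NotRequiredWhenUsingPKCE", "Required"))
```

A public client (no secret) therefore passes only when it sends a valid code_verifier, and the combination NotRequiredWhenUsingPKCE plus NotRequiredWhenUsingClientAuthentication still rejects a request that carries neither.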
- application.oauthConfiguration.requireClientAuthentication [Boolean] Available since 1.3.0 Deprecated
-
Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0 In version 1.28.0 and beyond, client authentication can be managed via application.oauthConfiguration.clientAuthenticationPolicy.
- application.oauthConfiguration.requireRegistration [Boolean] Available since 1.28.0
-
Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
- application.passwordlessConfiguration.enabled [Boolean] Available since 1.5.0
-
Determines if passwordless login is enabled for this application.
- application.registrationConfiguration.birthDate.enabled [Boolean] Available since 1.4.0
-
Determines if the birthDate field will be included on the registration form.
- application.registrationConfiguration.birthDate.required [Boolean] Available since 1.4.0
-
Determines if the birthDate field is required when displayed on the registration form.
- application.registrationConfiguration.confirmPassword [Boolean] Available since 1.4.0
-
Determines if the password should be confirmed during self service registration. This means that the user will be required to type the password twice.
- application.registrationConfiguration.enabled [Boolean] Available since 1.4.0
-
Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API; this only affects whether the self service option is available during the OAuth 2.0 login.
- application.registrationConfiguration.firstName.enabled [Boolean] Available since 1.4.0
-
Determines if the firstName field will be included on the registration form.
- application.registrationConfiguration.firstName.required [Boolean] Available since 1.4.0
-
Determines if the firstName field is required when displayed on the registration form.
- application.registrationConfiguration.formId [UUID] Available since 1.18.0
-
The Id of an associated Form when using the advanced registration configuration type.
- application.registrationConfiguration.fullName.enabled [Boolean] Available since 1.4.0
-
Determines if the fullName field will be included on the registration form.
- application.registrationConfiguration.fullName.required [Boolean] Available since 1.4.0
-
Determines if the fullName field is required when displayed on the registration form.
- application.registrationConfiguration.lastName.enabled [Boolean] Available since 1.4.0
-
Determines if the lastName field will be included on the registration form.
- application.registrationConfiguration.lastName.required [Boolean] Available since 1.4.0
-
Determines if the lastName field is required when displayed on the registration form.
- application.registrationConfiguration.loginIdType [String] Available since 1.4.0
-
The unique login Id that will be collected during registration. This value can be email or username. Leaving the default value of email is preferred because an email address is globally unique.
  - email
  - username
- application.registrationConfiguration.middleName.enabled [Boolean] Available since 1.4.0
-
Determines if the middleName field will be included on the registration form.
- application.registrationConfiguration.middleName.required [Boolean] Available since 1.4.0
-
Determines if the middleName field is required when displayed on the registration form.
- application.registrationConfiguration.mobilePhone.enabled [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field will be included on the registration form.
- application.registrationConfiguration.mobilePhone.required [Boolean] Available since 1.4.0
-
Determines if the mobilePhone field is required when displayed on the registration form.
- application.registrationConfiguration.type [String] Available since 1.18.0
-
The type of registration flow.
Supported values include:
  - basic - the basic self registration options available prior to version 1.18.0.
  - advanced - advanced usage of custom forms, requires a paid edition of FusionAuth.
- application.registrationDeletePolicy.unverified.enabled [Boolean] Available since 1.13.0
-
Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days.
- application.registrationDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available since 1.13.0
-
The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. Value must be greater than 0.
- application.roles [Array]
-
An array of Role objects.
- application.roles[x].description [String]
-
A description of the role.
- application.roles[x].id [UUID]
-
The Id of the Role.
- application.roles[x].name [String]
-
The name of the Role.
- application.roles[x].isDefault [Boolean]
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- application.roles[x].isSuperRole [Boolean]
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API.
- application.samlv2Configuration.audience [String] Available since 1.6.0
-
The audience for the SAML response sent back to the service provider from FusionAuth. Some service providers require different audience values than the issuer and this configuration option lets you change the audience in the response.
- application.samlv2Configuration.authorizedRedirectURLs [Array<String>] Available since 1.20.0
-
One or more authorized URLs that may be specified by the SAML v2 Service Provider in the Authentication request <AssertionConsumerServiceURL> element. If a requested URL is not in this list the request will be rejected by FusionAuth.
This is the URL to which FusionAuth will send the SAML response during a SAML login request; this URL is also referred to as the Assertion Consumer Service (ACS). If the Authentication request does not contain the <AssertionConsumerServiceURL> element, the first URL found in this list will be used to send the SAML response back to the Service Provider.
- application.samlv2Configuration.callbackURL [String] Available since 1.6.0 Deprecated
-
The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML.
Deprecated in version 1.20.0 This field is preserved for backwards compatibility and may be removed in a future release. This is the first value found in the authorizedRedirectURLs parameter.
- application.samlv2Configuration.debug [Boolean] Available since 1.6.0
-
Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes.
- application.samlv2Configuration.defaultVerificationKeyId [UUID] Available since 1.20.0
-
The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a <KeyInfo> element is not found in the SAML AuthNRequest. If a <KeyInfo> element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.
- application.samlv2Configuration.enabled [Boolean] Available since 1.6.0
-
Whether or not the SAML IdP for this Application is enabled.
- application.samlv2Configuration.initiatedLogin.enabled [Boolean] Available since 1.41.0
-
Determines if SAML v2 IdP initiated login is enabled for this application.
- application.samlv2Configuration.initiatedLogin.nameIdFormat [String] Available since 1.41.0
-
The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion.
- application.samlv2Configuration.issuer [String] Available since 1.6.0
-
The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration.
- application.samlv2Configuration.keyId [UUID] Available since 1.6.0
-
The unique Id of the Key used to sign the SAML response.
- application.samlv2Configuration.logout.behavior [String] Available since 1.25.0
-
The possible values are:
  - AllParticipants - each session participant that has enabled single logout will be sent a Logout Request
  - OnlyOriginator - no other session participants will be notified when a logout request is sent for this application
This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration.
- application.samlv2Configuration.logout.defaultVerificationKeyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.
- application.samlv2Configuration.logout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Logout response.
- application.samlv2Configuration.logout.requireSignedRequests [Boolean] Available since 1.25.0
-
When this value is true all Logout requests missing a signature will be rejected.
- application.samlv2Configuration.logout.singleLogout.enabled [Boolean] Available since 1.25.0
-
Whether or not SAML Single Logout for this SAML IdP is enabled.
- application.samlv2Configuration.logout.singleLogout.keyId [UUID] Available since 1.25.0
-
The unique Id of the Key used to sign the SAML Single Logout response.
- application.samlv2Configuration.logout.singleLogout.url [String] Available since 1.25.0
-
The URL at which you want to receive the LogoutRequest from FusionAuth.
- application.samlv2Configuration.logout.singleLogout.xmlSignatureC14nMethod [String] Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Single Logout response.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logout.xmlSignatureC14nMethod [String] Optional Defaults to exclusive_with_comments Available since 1.25.0
-
The XML signature canonicalization method used when digesting and signing the Logout response.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.logoutURL [String] Available since 1.6.0
-
The URL that the browser is taken to after the user logs out of the SAML service provider.
- application.samlv2Configuration.requireSignedRequests [Boolean] Available since 1.20.0
-
When this value is true all requests missing a signature will be rejected.
- application.samlv2Configuration.xmlSignatureC14nMethod [String] Available since 1.6.0
-
The XML signature canonicalization method used when digesting and signing the SAML response.
The possible values are:
  - exclusive - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#
  - exclusive_with_comments - The URI for this method is http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - inclusive - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - inclusive_with_comments - The URI for this method is http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- application.samlv2Configuration.xmlSignatureLocation [String] Available since 1.21.0
-
The location to place the XML signature when signing the SAML response.
The possible values are:
  - Assertion - The XML signature will be added as a child element of the Assertion.
  - Response - The XML signature will be added as a child element of the Response.
- application.state [String] Available since 1.22.0
-
The current state of the application. The following are valid values:
  - Active - The application is active.
  - Inactive - The application is not active. An application cannot be modified or authenticated against when inactive.
- application.themeId [UUID] Available since 1.27.0
-
The unique Id of the theme to be used to style the login page and other end user templates.
- application.verificationEmailTemplateId [UUID]
-
The Id of the Email Template that is used to send the Registration Verification emails to users.
- application.verifyRegistration [Boolean]
-
Whether or not registrations to this Application may be verified.
- application.webAuthnConfiguration.bootstrapWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
- application.webAuthnConfiguration.enabled [Boolean] Available since 1.41.0
-
Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows are enabled based on the Tenant configuration. If true, WebAuthn workflows are enabled according to the configuration of this application.
- application.webAuthnConfiguration.reauthenticationWorkflow.enabled [Boolean] Available since 1.41.0
-
Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false.
{
"application": {
"id": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"accessControlConfiguration": {
"uiIPAccessControlListId": "11d49de7-69f6-46fc-8270-0b3aa626327a"
},
"active": true,
"cleanSpeakConfiguration": {
"applicationIds": [
"6b4253e0-cee0-47dd-973a-a27b9e23987c",
"76a556ec-4ba8-4140-9085-555ee9a8bb1a"
],
"enabled": true,
"usernameModeration": {
"applicationId": "2338dc41-bed0-4cdb-8251-ac68701e9bc7",
"enabled": true
}
},
"data": {
"externalApplication": "Acme. Customer Support Forum",
"productOwner": "john@acme.com"
},
"emailConfiguration": {
"emailUpdateEmailTemplateId": "ec3045c7-97d8-47f8-8725-61b93deacf5d",
"emailVerificationEmailTemplateId": "e6c74b53-d43d-471e-ae7e-906456d0f341",
"emailVerifiedEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"forgotPasswordEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"loginIdInUseOnCreateEmailTemplateId": "1c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginIdInUseOnUpdateEmailTemplateId": "2c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginNewDeviceEmailTemplateId": "3c3045c7-97d8-47f8-8725-61b93deacf5d",
"loginSuspiciousEmailTemplateId": "4c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordlessEmailTemplateId": "162b3719-3d71-4638-b9bf-f3e2093f7fe1",
"passwordResetSuccessEmailTemplateId": "5c3045c7-97d8-47f8-8725-61b93deacf5d",
"passwordUpdateEmailTemplateId": "6c3045c7-97d8-47f8-8725-61b93deacf5d",
"setPasswordEmailTemplateId": "e160cc59-a73e-4d95-8287-f82e5c541a5c",
"twoFactorMethodAddEmailTemplateId": "7c3045c7-97d8-47f8-8725-61b93deacf5d",
"twoFactorMethodRemoveEmailTemplateId": "8c3045c7-97d8-47f8-8725-61b93deacf5d"
},
"formConfiguration": {
"adminRegistrationFormId": "e37dff97-9a94-48af-a0a6-c0bdfdd62c48"
},
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"lambdaConfiguration": {
"accessTokenPopulateId": "cbb303a4-0968-479c-ad62-de46b3fad130",
"idTokenPopulateId": "9987eec8-af37-4339-a969-bb462ff8b491",
"samlv2PopulateId": "0e58eb2b-b39e-41ad-bc06-52cd189b5908"
},
"multiFactorConfiguration": {
"email": {
"templateId": "859f394b-22a6-4fa6-ba55-de700df9e950"
},
"loginPolicy": "Required",
"sms": {
"templateId": "17760f96-dca7-448b-9a8f-c49016aa7210"
},
"trustPolicy": "Any"
},
"name": "Forum",
"loginConfiguration": {
"allowTokenRefresh": false,
"generateRefreshTokens": false,
"requireAuthentication": true
},
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"debug": false,
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshToken": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"requireClientAuthentication": true,
"requireRegistration": false
},
"passwordlessConfiguration": {
"enabled": false
},
"registrationConfiguration": {
"enabled": false,
"type": "basic"
},
"registrationDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
},
"roles": [
{
"description": "Administrators that have access to everything",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"name": "admin",
"isDefault": false
},
{
"description": "Normal users that have access to nothing",
"id": "ce485a91-906f-4615-af75-81d37dc71e91",
"name": "user",
"isDefault": true
}
],
"samlv2Configuration": {
"audience": "example.com",
"authorizedRedirectURLs": [
"https://www.example.com/samlv2/acs"
],
"callbackURL": "https://www.example.com/samlv2/acs",
"debug": false,
"defaultVerificationKeyId": "be980e51-c94c-49f9-bfb5-90571c34a791",
"enabled": true,
"initiatedLogin": {
"enabled": false,
"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
},
"issuer": "example.com",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"logout": {
"behavior": "OnlyOriginator",
"defaultVerificationKeyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"requireSignedRequests": true,
"singleLogout": {
"enabled": true,
"keyId": "0a52ace4-3016-47da-906a-f7d272fbdaed",
"url": "https://www.example.com/logout",
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"xmlSignatureC14nMethod": "exclusive_with_comments"
},
"logoutURL": "https://www.example.com/logout",
"requireSignedRequests": true,
"xmlSignatureC14nMethod": "exclusive_with_comments",
"xmlSignatureLocation": "Assertion"
},
"state": "Active",
"verifyRegistration": false,
"webAuthnConfiguration": {
"bootstrapWorkflow": {
"enabled": false
},
"enabled": false,
"reauthenticationWorkflow": {
"enabled": false
}
}
}
}
Create an Application Role
This API is used to create a role for an Application. Specifying an Id on the URI will instruct FusionAuth to use that Id when creating the role. Otherwise, FusionAuth will generate an Id for the role.
Request
Create a Role with a generated Id
POST /api/application/{applicationId}/role
Create a Role with the given Id
POST /api/application/{applicationId}/role/{roleId}
Request Parameters
- applicationId [UUID] Required
-
The Id of the Application.
- roleId [UUID] Optional defaults to secure random UUID
-
The Id to use for the new role. If not specified a secure random UUID will be generated.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body
- role.description [String] Optional
-
A description for the role.
- role.name [String] Required
-
The name of the Role.
- role.isDefault [Boolean] Optional defaults to false
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- role.isSuperRole [Boolean] Optional defaults to false
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API.
{
"role": {
"description": "a new role for the app",
"name": "role 3",
"isDefault": true
}
}
Response
The response for this API contains the information for the role that was created.
Code | Description |
---|---|
200 |
The request was successful. The response will contain a JSON body. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 |
You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body
- role.description [String]
-
The description of the role.
- role.id [UUID]
-
The Id of the Role.
- role.insertInstant [Long]
-
The instant that the Role was added to the FusionAuth database.
- role.lastUpdateInstant [Long]
-
The instant that the Role was updated in the FusionAuth database.
- role.name [String]
-
The name of the Role.
- role.isDefault [Boolean]
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- role.isSuperRole [Boolean]
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API.
{
"role": {
"description": "a new role for the app",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "role 3",
"isDefault": true
}
}
Update an Application Role
This API is used to update an existing Application Role.
You must specify the Application Id and the Role Id on the URI to identify the role that is being updated.
You must specify all of the properties of the Application Role when calling this API with the PUT HTTP method. When used with PUT, this API doesn’t merge the existing Application Role and your new data. It replaces the existing Application Role with your new data.
Utilize the PATCH HTTP method to send specific changes to merge into an existing Application Role.
Request
Update an Application Role by Id
PUT /api/application/{applicationId}/role/{roleId}
PATCH /api/application/{applicationId}/role/{roleId}
Available since 1.39.0
When using the PATCH method, you can either use the same request body documentation that is provided for the PUT request for backward compatibility, or you may use either JSON Patch (RFC 6902) or JSON Merge Patch (RFC 7396). See the PATCH documentation for more information.
Available since 1.12.0
When using the PATCH method, use the same request body documentation that is provided for the PUT request. The PATCH method will merge the provided request parameters into the existing object; this means all parameters are optional when using the PATCH method and you only provide the values you want changed. A null value can be used to remove a value. Patching an Array will result in all values from the new list being appended to the existing list; this is a known limitation of the current implementation of PATCH.
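As an added illustration (not FusionAuth's own code), the two PATCH body semantics described above modelled in Python: the original merge with its append-only Array handling, and RFC 7396 JSON Merge Patch as the RFC specifies it. The stored Role and Application values are taken from this page's examples; the patches applied to them are constructed.

```python
import copy

# Added example, not FusionAuth's own code. It models the two PATCH body
# semantics documented for this endpoint so their difference can be checked
# offline before a real request is sent.


def legacy_merge_patch(existing, patch):
    """Model of the original PATCH behaviour (available since 1.12.0): the
    body is merged into the stored object, a null removes a value, and a
    patched Array is APPENDED to the stored Array (the documented limitation),
    so a list can never be shortened this way."""
    result = copy.deepcopy(existing)
    for key, value in patch.items():
        current = result.get(key)
        if value is None:
            result.pop(key, None)  # null removes the value
        elif isinstance(value, dict) and isinstance(current, dict):
            result[key] = legacy_merge_patch(current, value)
        elif isinstance(value, list) and isinstance(current, list):
            result[key] = current + copy.deepcopy(value)  # append, not replace
        else:
            result[key] = copy.deepcopy(value)
    return result


def rfc7396_merge_patch(existing, patch):
    """RFC 7396 JSON Merge Patch (available since 1.39.0) as the RFC defines
    it: same null-removes rule, but any non-object value, Arrays included,
    REPLACES the stored value, so a single list entry can be removed."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(existing) if isinstance(existing, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = rfc7396_merge_patch(result.get(key), value)
    return result


# The stored Role from this page's example, and a constructed patch that
# flips isDefault and clears the description.
STORED_ROLE = {"role": {"description": "a new role for the app",
                        "name": "role 3", "isDefault": True}}
ROLE_PATCH = {"role": {"isDefault": False, "description": None}}

# The Role object has no Array fields, so the Array case uses the
# authorizedRedirectURLs from the Application example earlier on this page
# and a constructed patch that tries to swap the URL for its https form.
STORED_APP = {"oauthConfiguration": {
    "authorizedRedirectURLs": ["http://www.example.com/oauth-callback"]}}
APP_PATCH = {"oauthConfiguration": {
    "authorizedRedirectURLs": ["https://www.example.com/oauth-callback"]}}


def compare_array_patch():
    """Returns the redirect URL list each PATCH style would leave behind."""
    legacy = legacy_merge_patch(STORED_APP, APP_PATCH)
    merge = rfc7396_merge_patch(STORED_APP, APP_PATCH)
    return (legacy["oauthConfiguration"]["authorizedRedirectURLs"],
            merge["oauthConfiguration"]["authorizedRedirectURLs"])


if __name__ == "__main__":
    print(legacy_merge_patch(STORED_ROLE, ROLE_PATCH))
    print(compare_array_patch())
```

With the legacy body the old http:// redirect URL survives alongside the new one, so removing an entry requires a full PUT or an RFC 7396 body.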
Request Parameters
- applicationId [UUID] Required
-
The Id of the Application.
- roleId [UUID] Required
-
The Id of the role that is being updated.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body
- role.description [String] Optional
-
A description for the role.
- role.name [String] Required
-
The name of the Role.
- role.isDefault [Boolean] Optional defaults to false
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided. More than one role can be marked as default.
- role.isSuperRole [Boolean] Optional defaults to false
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API.
{
"role": {
"description": "a new role for the app",
"name": "role 3",
"isDefault": true
}
}
Response
The response for this API contains the new information for the role that was updated.
Code | Description |
---|---|
200 |
The request was successful. The response will contain a JSON body. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 |
You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body
- role.description [String]
-
The description of the role.
- role.id [UUID]
-
The Id of the Role.
- role.insertInstant [Long]
-
The instant that the Role was added to the FusionAuth database.
- role.lastUpdateInstant [Long]
-
The instant that the Role was updated in the FusionAuth database.
- role.name [String]
-
The name of the Role.
- role.isDefault [Boolean]
-
Whether or not the Role is a default role. A default role is automatically assigned to a user during registration if no roles are provided.
- role.isSuperRole [Boolean]
-
Whether or not the Role is considered to be a super user role. This is a marker to indicate that it supersedes all other roles. FusionAuth will attempt to enforce this contract when using the web UI; it is not enforced programmatically when using the API.
{
"role": {
"description": "a new role for the app",
"id": "ce485a91-906f-4615-af75-81d37dc71e90",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "role 3",
"isDefault": true
}
}
Delete an Application Role
This API is used to delete a role from an Application.
Request
Delete an Application Role by Id
DELETE /api/application/{applicationId}/role/{roleId}
Request Parameters
- applicationId [UUID] Required
-
The Id of the Application to which the role belongs.
- roleId [UUID] Required
-
The Id of the role to delete.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Delete an Application Role by name
DELETE /api/application/{applicationId}/role?name={name}
Request Parameters
- applicationId [UUID] Required
-
The Id of the Application to which the role belongs.
- name [String] Required
-
The name of the role to delete.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response
This API does not return a JSON response body.
Code | Description |
---|---|
200 |
The request was successful. The response will be empty. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 |
You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 |
The object you are trying to delete doesn’t exist. The response will be empty. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Retrieve OAuth Configuration
This API is used to retrieve the Application OAuth configuration. When an API key is provided on the request the OAuth client secret will also be returned. When this API is called without authentication the client secret will not be returned in the response body.
Request
Retrieve the OAuth Configuration for an Application
GET /api/application/{applicationId}/oauth-configuration
Request Parameters
- applicationId [UUID] Required
-
The Id of the Application to retrieve the OAuth configuration.
Request Headers
- X-FusionAuth-TenantId [String] Optional
-
The unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response
Code | Description |
---|---|
200 |
The request was successful. The response will contain a JSON body. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
404 |
The object you requested doesn’t exist. The response will be empty. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body
- httpSessionMaxInactiveInterval [Integer]
-
The time in seconds until an inactive session will be invalidated, from the application’s tenant. Used when creating a new session in the FusionAuth Front End.
- logoutURL [String]
-
The logout redirect URL when sending the user’s browser to the /oauth2/logout URI of the FusionAuth Front End. From the application’s tenant.
- oauthConfiguration.authorizedOriginURLs [Array<String>]
-
An array of URLs that are the authorized origins for FusionAuth OAuth.
When this configuration is omitted, all HTTP origins are allowed to use the browser based grants and the HTTP response header of X-Frame-Options: DENY will be added to each response to disallow iframe loading.
- oauthConfiguration.authorizedRedirectURLs [Array<String>]
-
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.
- oauthConfiguration.authorizedURLValidationPolicy [String] Available since 1.43.0
-
Controls the validation policy for oauthConfiguration.authorizedOriginURLs and oauthConfiguration.authorizedRedirectURLs.
The possible values are:
- ExactMatch - Only the configured values that do not contain wildcards are considered for validation. Values during OAuth 2.0 workflows must match a configured value exactly.
- AllowWildcards - Configured values with and without wildcards are considered for validation. Values during OAuth 2.0 workflows can be matched against wildcard patterns or exactly match a configured value.
- oauthConfiguration.clientAuthenticationPolicy [String] Available since 1.28.0
-
Determines the client authentication requirements for the OAuth 2.0 Token endpoint.
The possible values are:
- Required - The client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- NotRequired - Providing client credentials is optional when using the Token endpoint.
- NotRequiredWhenUsingPKCE - The client must provide client credentials when using the Token endpoint unless a valid PKCE code_verifier has been provided in the request body using POST data.
- oauthConfiguration.clientId [String]
-
The OAuth client Id of the Application.
- oauthConfiguration.clientSecret [String]
-
The OAuth client secret. This field will only be provided when the request was authenticated using an API key.
- oauthConfiguration.deviceVerificationURL [String] Available since 1.11.0
-
The device verification URL to be used with the Device Code grant type.
- oauthConfiguration.enabledGrants [Array<String>] Available since 1.5.0
-
The enabled grants for this application. In order to utilize a particular grant with the OAuth 2.0 endpoints you must have enabled the grant.
Supported values include:
- authorization_code
- implicit
- password
- refresh_token
- urn:ietf:params:oauth:grant-type:device_code Available since 1.11.0
- oauthConfiguration.generateRefreshTokens [Boolean] Available since 1.3.0
-
Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offline_access scope is requested.
- oauthConfiguration.logoutBehavior [String] Available since 1.11.0
-
Behavior when /oauth2/logout is called. Valid values:
- RedirectOnly - End the SSO session and redirect to the configured Logout URL or the passed in post_logout_redirect_uri value.
- AllApplications - End the SSO session and make a GET request to all configured Logout URLs for every application in the tenant.
- oauthConfiguration.logoutURL [String]
-
The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth.
- oauthConfiguration.proofKeyForCodeExchangePolicy [String] Available since 1.28.0
-
Determines the PKCE requirements when using the authorization code grant.
The possible values are:
- Required - The client must provide a valid code_verifier on the request body when completing the authorization code grant.
- NotRequired - Providing a code_verifier is optional when completing the authorization code grant.
- NotRequiredWhenUsingClientAuthentication - The client must provide a valid code_verifier on the request body when completing the authorization code grant unless valid client credentials have been provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
- oauthConfiguration.requireClientAuthentication [Boolean] Available since 1.3.0 Deprecated
-
Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
Deprecated in version 1.28.0. In version 1.28.0 and beyond, client authentication can be managed via oauthConfiguration.clientAuthenticationPolicy.
- oauthConfiguration.requireRegistration [Boolean] Available since 1.28.0
-
Determines if the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.
{
"httpSessionMaxInactiveInterval": 3600,
"logoutURL": "http://www.example.com/logout",
"oauthConfiguration": {
"authorizedOriginURLs": [
"http://www.example.com"
],
"authorizedRedirectURLs": [
"http://www.example.com/oauth-callback"
],
"authorizedURLValidationPolicy": "ExactMatch",
"clientAuthenticationPolicy": "Required",
"clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
"clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
"enabledGrants": [
"authorization_code",
"refresh_token"
],
"generateRefreshToken": true,
"logoutBehavior": "AllApplications",
"logoutURL": "http://www.example.com/logout",
"proofKeyForCodeExchangePolicy": "NotRequired",
"requireClientAuthentication": true,
"requireRegistration": false
}
}
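Added example, not part of the FusionAuth docs or product: a review pass over the fields documented for this response, run against the example body above. The finding codes and the choice of which settings to flag are this example's own conventions, derived from the field descriptions on this page.

```python
# Added example, not FusionAuth's own code: a defender-side review of the
# documented fields of the Retrieve OAuth Configuration response. The input
# is the example response body from this page, so the check runs offline.

EXAMPLE_RESPONSE = {
    "httpSessionMaxInactiveInterval": 3600,
    "logoutURL": "http://www.example.com/logout",
    "oauthConfiguration": {
        "authorizedOriginURLs": ["http://www.example.com"],
        "authorizedRedirectURLs": ["http://www.example.com/oauth-callback"],
        "authorizedURLValidationPolicy": "ExactMatch",
        "clientAuthenticationPolicy": "Required",
        "clientId": "8174f72f-5ecd-4eae-8de8-7fef597b3473",
        "clientSecret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
        "enabledGrants": ["authorization_code", "refresh_token"],
        "generateRefreshToken": True,
        "logoutBehavior": "AllApplications",
        "logoutURL": "http://www.example.com/logout",
        "proofKeyForCodeExchangePolicy": "NotRequired",
        "requireClientAuthentication": True,
        "requireRegistration": False,
    },
}

# Grants this example treats as legacy; the page lists both as supported.
LEGACY_GRANTS = {"implicit", "password"}


def review_oauth_configuration(response):
    """Return (code, message) findings for settings worth a second look.
    Codes are stable strings so they can be asserted on or aggregated."""
    cfg = response.get("oauthConfiguration", {})
    findings = []
    grants = set(cfg.get("enabledGrants", []))

    pkce = cfg.get("proofKeyForCodeExchangePolicy")
    if "authorization_code" in grants and pkce != "Required":
        findings.append(("PKCE_NOT_REQUIRED",
                         f"authorization_code is enabled but "
                         f"proofKeyForCodeExchangePolicy is {pkce!r}"))

    if cfg.get("clientAuthenticationPolicy") == "NotRequired":
        findings.append(("CLIENT_AUTH_OPTIONAL",
                         "Token endpoint accepts requests without client credentials"))

    for grant in sorted(grants & LEGACY_GRANTS):
        findings.append(("LEGACY_GRANT", f"{grant} grant is enabled"))

    # Per the field description, an omitted origin list lets every HTTP
    # origin use the browser based grants.
    if not cfg.get("authorizedOriginURLs"):
        findings.append(("ALL_ORIGINS_ALLOWED", "authorizedOriginURLs is empty"))

    if cfg.get("authorizedURLValidationPolicy") == "AllowWildcards":
        findings.append(("WILDCARD_URLS",
                         "origin/redirect URLs are matched against wildcard patterns"))

    urls = (cfg.get("authorizedOriginURLs", [])
            + cfg.get("authorizedRedirectURLs", [])
            + ([cfg["logoutURL"]] if cfg.get("logoutURL") else []))
    for url in urls:
        if url.startswith("http://"):
            findings.append(("PLAINTEXT_URL", f"{url} is not https"))

    # clientSecret is only returned when the request carried an API key, so
    # its presence means the whole response must be handled as a secret.
    if "clientSecret" in cfg:
        findings.append(("SECRET_IN_RESPONSE",
                         "response contains clientSecret; do not log or persist it"))
    return findings


if __name__ == "__main__":
    for code, message in review_oauth_configuration(EXAMPLE_RESPONSE):
        print(f"{code:20} {message}")
```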