System APIs - Home - FusionAuth

1. Overview

This page contains the APIs that are used for retrieving and updating the system configuration. The

Retrieve the System Configuration
Update the System Configuration

The following APIs provide a subset of the System Configuration without an API Key.

Retrieve the Password Validation Rules

2. Retrieve the System Configuration

This API is used to retrieve the System Configuration.

2.1. Request

Retrieve the System Configuration

URI

GET /api/system-configuration

2.2. Response

The response for this API contains the System Configuration.

Table 1. Response Codes
Code	Description
200	The request was successful. The response will contain a JSON body.
401	You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500	There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503	The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Table 2. Response Body
systemConfiguration.cookieEncryptionIV [String]	The Base64 encoded initialization vector used to encrypt saved request cookies for FusionAuth. This value has been auto-generated and may not be modified.
systemConfiguration.cookieEncryptionKey [String]	The Base64 encoded encryption key used to encrypt saved request cookies for FusionAuth. This value has been auto-generated and may not be modified.
systemConfiguration.emailConfiguration.enabled [Boolean]	Indicates that the SMTP email configuration is available for use by FusionAuth.
systemConfiguration.emailConfiguration.host [String]	The host name of the SMTP server that FusionAuth will use.
systemConfiguration.emailConfiguration.forgotPasswordEmailTemplateId [UUID]	The Id of the Email Template that is used when a user is sent a forgot password email.
systemConfiguration.emailConfiguration.password [String]	An optional password FusionAuth will use to authenticate with the SMTP server.
systemConfiguration.emailConfiguration.port [Integer]	The port of the SMTP server that FusionAuth will use.
systemConfiguration.emailConfiguration.security String	The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are: `NONE` - no security will be used. All communications will be sent plaintext. `SSL` - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports. `TLS` - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
systemConfiguration.emailConfiguration.setPasswordEmailTemplateId [UUID]	The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.
systemConfiguration.emailConfiguration.username [String]	An optional username FusionAuth will to authenticate with the SMTP server.
systemConfiguration.emailConfiguration.verificationEmailTemplateId [UUID]	The Id of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If the `verifyEmail` field is `true` this field is required.
systemConfiguration.emailConfiguration.verifyEmail [Boolean]	Whether or not user’s email addresses are verified when the register with your application.
systemConfiguration.emailConfiguration.verifyEmailWhenChanged [Boolean]	Whether or not user’s email addresses are verified when the user changes them.
systemConfiguration.eventConfiguration.events [Object]	A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are: `user.bulk.create` - When multiple users are created in bulk (i.e. during an import) `user.create` - When a user is created `user.deactivate` - When a user is deactivated `user.delete` - When a user is deleted `user.reactivate` - When a user is reactivated `user.update` - When a user is updated `user.action` - When a user action event `jwt.refresh-token.revoke` - When a JWT Refresh Token is revoked `jwt.public-key.update` - When a JWT RSA Public / Private keypair may have been changed
systemConfiguration.eventConfiguration.events`[type]`.enabled [Boolean]	Whether or not FusionAuth should send these types of events to any configured Webhooks.
systemConfiguration.eventConfiguration.events`[type]`.transactionType String	The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are: `None` - No Webhooks are required to succeed for the FusionAuth transaction to be committed. `Any` - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed. `SimpleMajority` - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed. `SuperMajority` - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed. `AbsoluteMajority` - Every Webhook must succeed for the FusionAuth transaction to be committed.
systemConfiguration.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer]	The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
systemConfiguration.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer]	The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API.
systemConfiguration.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer]	The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API.
systemConfiguration.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer]	The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API.
systemConfiguration.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer]	The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API.
systemConfiguration.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer]	The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API.
systemConfiguration.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer]	The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt.
systemConfiguration.failedAuthenticationConfiguration.actionDuration [Long]	The duration of the User Action. This value along with the `actionDurationUnit` will be used to set the duration of the User Action.
systemConfiguration.failedAuthenticationConfiguration.actionDurationUnit [String]	The unit of time associated with a duration. The possible values are: `MINUTES` `HOURS` `DAYS` `WEEKS` `MONTHS` `YEARS`
systemConfiguration.failedAuthenticationConfiguration.resetCountInSeconds [Integer]	The length of time in seconds before the failed authentication count will be reset. For example, if `tooManyAttempts` is set to `5` and you fail to authenticate `4` times in a row, waiting for the duration specified here will cause your fifth attempt to start back at `1`.
systemConfiguration.failedAuthenticationConfiguration.tooManyAttempts [Integer]	The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified.
systemConfiguration.failedAuthenticationConfiguration.userActionId [UUID]	The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
systemConfiguration.httpSessionMaxInactiveInterval [Integer]	The time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth front-end.
systemConfiguration.jwtConfiguration.algorithm [String]	The algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available. `ES256` - ECDSA using P-256 curve and SHA-256 Available Since 1.4.0 `ES384` - ECDSA using P-384 curve and SHA-384 Available Since 1.4.0 `ES512` - ECDSA using P-521 curve and SHA-512 Available Since 1.4.0 `HS256` - HMAC using SHA-256 `HS384` - HMAC using SHA-384 `HS512` - HMAC using SHA-512 `RS256` - RSASSA-PKCS1-v1_5 using SHA-256 `RS384` - RSASSA-PKCS1-v1_5 using SHA-384 `RS512` - RSASSA-PKCS1-v1_5 using SHA-512
systemConfiguration.jwtConfiguration.enabled [Boolean]	This value will always be true. The JWT configuration may not be disabled for the System Configuration.
systemConfiguration.jwtConfiguration.issuer [String]	The name or issuer of the JWT, this is generally something unique such as a fully qualified domain name. For example, `fusionauth.io`.
systemConfiguration.jwtConfiguration.privateKey [String]	The private key used when an `RSA` signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
systemConfiguration.jwtConfiguration.publicKey [String]	The public key used when an `RSA` signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
systemConfiguration.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer]	The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
systemConfiguration.jwtConfiguration.secret [String]	The secret used when an `HMAC` based signing algorithm has been selected. This secret is used to sign and verify JWTs.
systemConfiguration.jwtConfiguration.timeToLiveInSeconds [Integer]	The length of time in seconds the JWT will live before it is expired. This value is used to calculate the `exp` (expiration) identity claim.
systemConfiguration.logoutURL [String]	The logout redirect URL when sending the user’s browser to the `/oauth2/logout` URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
systemConfiguration.maximumPasswordAge.days [Integer]	The password maximum age in days. The number of days after which FusionAuth will require a user to change their password.
systemConfiguration.maximumPasswordAge.enabled [Boolean]	Indicates that the maximum password age is enabled and being enforced.
systemConfiguration.minimumPasswordAge.seconds [Integer]	The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age.
systemConfiguration.minimumPasswordAge.enabled [Boolean]	Indicates that the minimum password age is enabled and being enforced.
systemConfiguration.passwordEncryptionConfiguration.encryptionScheme [String]	The selected default encryption scheme.
systemConfiguration.passwordEncryptionConfiguration.encryptionSchemeFactor [String]	The factor used by the password encryption scheme. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the `PasswordEncryptor` implementation.
systemConfiguration.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean]	When enabled a user’s hash configuration will be modified to match these configured settings.
systemConfiguration.passwordValidationRules.maxLength [Integer]	The maximum number of characters that are allowed for user passwords.
systemConfiguration.passwordValidationRules.minLength [Integer]	The minimum number of characters that are required for user passwords.
systemConfiguration.passwordValidationRules.rememberPreviousPasswords.count [Integer]	The number of previous passwords that should be remembered so they are not re-used by the User.
systemConfiguration.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean]	Indicates that the remember previous password validation is enabled and being enforced.
systemConfiguration.passwordValidationRules.requireMixedCase [Boolean]	Indicates that passwords require an uppercase and lowercase character to be valid.
systemConfiguration.passwordValidationRules.requireNonAlpha [Boolean]	Indicates that passwords require a non-alphanumeric character to be valid.
systemConfiguration.passwordValidationRules.requireNumber [Boolean]	Indicates that passwords require at least one number to be valid.
systemConfiguration.reportTimezone [String]	The timezone that all reports will be generated in. Since reports are usually rolled up hourly, this timezone will be used for demarcating the hours. This must be a valid `java.util.time.ZoneId` String. (see https://docs.oracle.com/javase/8/docs/api/java/time/ZoneId.html)
systemConfiguration.uiConfiguration.headerColor [String]	A hexadecimal color to override the default menu color in the user interface.
systemConfiguration.uiConfiguration.loginTheme.emailComplete [String]	A FreeMarker template that is rendered when the user requests the /email/complete page. This page is used after a user has verified their email address by clicking the URL in the email. After FusionAuth has updated their user object to indicate that their email was verified, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailSend [String]	A FreeMarker template that is rendered when the user requests the /email/send page. This page is used after a user has asked for the verification email to be resent. This can happen if the URL in the email expired and the user clicked it. In this case, the user can provide their email address again and FusionAuth will resend the email. After the user submits their email and FusionAuth re-sends a verification email to them, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailVerify [String]	A FreeMarker template that is rendered when the user requests the /email/verify page by clicking the URL from the verification email and the `verificationId` has expired. FusionAuth expires `verificationId` after a period of time (which is configurable). If the user has a URL from the verification email that has expired, this page will be rendered and the error will be displayed to the user.
systemConfiguration.uiConfiguration.loginTheme.enabled [Boolean]	Indicates that the login theme is enabled and will be used to style the login pages.
systemConfiguration.uiConfiguration.loginTheme.helpers [String]	A FreeMarker template that contains all of the macros and templates used by the rest of the `loginTheme` FreeMarker templates (i.e. `oauth2Authorize`). This allows you to configure the general layout of your UI configuration and login theme without having to copy and paste HTML into each of the templates.
systemConfiguration.uiConfiguration.loginTheme.oauth2Authorize [String]	A FreeMarker template that is rendered when the user requests the /oauth2/authorize page. This is the main login page for FusionAuth and is used for all interactive OAuth and OpenId Connect workflows.
systemConfiguration.uiConfiguration.loginTheme.oauth2Error [String]	A FreeMarker template that is rendered when the user requests the /oauth2/error page. This page is used if the user starts or is in the middle of the OAuth workflow and any type of error occurs. This could be caused by the user messing with the URL or internally some type of information wasn’t passed between the OAuth endpoints correctly. For example, if you are federating login to an external IdP and that IdP does not properly echo the `state` parameter, FusionAuth’s OAuth workflow will break and this page will be displayed.
systemConfiguration.uiConfiguration.loginTheme.oauth2TwoFactor [String]	A FreeMarker template that is rendered when the user requests the /oauth2/two-factor page. This page is used if the user has two-factor authentication enabled and they need to type in their code again. FusionAuth will properly handle the SMS or authenticator app processing on the back end. This page contains the form that the user will put their code into.
systemConfiguration.uiConfiguration.loginTheme.passwordChange [String]	A FreeMarker template that is rendered when the user requests the /password/change page. This page is used if the user is required to change their password or if they have requested a password reset. This page contains the form that allows the user to provide a new password.
systemConfiguration.uiConfiguration.loginTheme.passwordComplete [String]	A FreeMarker template that is rendered when the user requests the /password/complete page. This page is used after the user has successfully updated their password (or reset it). This page should instruct the user that their password was updated and that they need to login again.
systemConfiguration.uiConfiguration.loginTheme.passwordForgot [String]	A FreeMarker template that is rendered when the user requests the /password/forgot page. This page is used when a user starts the forgot password workflow. This page renders the form where the user types in their email address.
systemConfiguration.uiConfiguration.loginTheme.passwordSent [String]	A FreeMarker template that is rendered when the user requests the /password/sent page. This page is used when a user has submitted the forgot password form with their email. FusionAuth does not indicate back to the user if their email address was valid in order to prevent malicious activity that could reveal valid email addresses. Therefore, this page should indicate to the user that if their email was valid, they will receive an email shortly with a link to reset their password.
systemConfiguration.uiConfiguration.loginTheme.registrationComplete [String]	A FreeMarker template that is rendered when the user requests the /registration/complete page. This page is used after a user has verified their email address for a specific application (i.e. a user registration) by clicking the URL in the email. After FusionAuth has updated their registration object to indicate that their email was verified, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.registrationSend [String]	A FreeMarker template that is rendered when the user requests the /registration/send page. This page is used after a user has asked for the application specific verification email to be resent. This can happen if the URL in the email expired and the user clicked it. In this case, the user can provide their email address again and FusionAuth will resend the email. After the user submits their email and FusionAuth re-sends a verification email to them, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailVerify [String]	A FreeMarker template that is rendered when the user requests the /registration/verify page by clicking the URL from the application specific verification email and the `verificationId` has expired. FusionAuth expires `verificationId` after a period of time (which is configurable). If the user has a URL from the verification email that has expired, this page will be rendered and the error will be displayed to the user.
systemConfiguration.uiConfiguration.loginTheme.stylesheet [String]	A CSS stylesheet used to style the login page and other templates such as forgot password, and verify email.
systemConfiguration.uiConfiguration.logoURL [String]	A URL of a logo to override the default FusionAuth logo in the user interface.
systemConfiguration.uiConfiguration.menuFontColor [String]	A hexadecimal color to override the default menu font color in the user interface.

Example Response JSON

{
  "systemConfiguration": {
    "emailConfiguration": {
      "enabled": true,
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "password": "password",
      "port": 587,
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87a00",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "user.create": {
        "enabled": true,
        "transactionType": "AbsoluteMajority"
      }
    },
    "externalIdentifierConfiguration" : {
      "authorizationGrantIdTimeToLiveInSeconds" : 30,
      "changePasswordIdTimeToLiveInSeconds" : 300,
      "emailVerificationIdTimeToLiveInSeconds" : 86400,
      "setupPasswordIdTimeToLiveInSeconds" : 86400,
      "twoFactorIdTimeToLiveInSeconds" : 300,
      "twoFactorTrustIdTimeToLiveInSeconds" : 2592000
    },
    "failedAuthenticationConfiguration" : {
      "actionDuration" : 3,
      "actionDurationUnit" : "MINUTES",
      "resetCountInSeconds" : 60,
      "tooManyAttempts" : 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "jwtConfiguration": {
      "algorithm": "HS256",
      "issuer": "https://example.com",
      "refreshTokenTimeToLiveInMinutes": 43200,
      "secret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
      "timeToLiveInSeconds": 3600
    },
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": true
    },
    "minimumPasswordAge": {
      "enabled": true,
      "seconds": 60
    },
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordExpirationDays": 30,
    "passwordValidationRules": {
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true
    },
    "reportTimezone": "America/Denver",
    "uiConfiguration": {
      "loginTheme": {
        "emailComplete": "FreeMarker template goes here ...",
        "emailSend": "FreeMarker template goes here ...",
        "emailVerify": "FreeMarker template goes here ...",
        "enabled": true,
        "lastModified": 1540588216227,
        "helpers": "FreeMarker template goes here ...",
        "oauth2Authorize": "FreeMarker template goes here ...",
        "oauth2Error": "FreeMarker template goes here ...",
        "oauth2TwoFactor": "FreeMarker template goes here ...",
        "passwordChange": "FreeMarker template goes here ...",
        "passwordComplete": "FreeMarker template goes here ...",
        "passwordForgot": "FreeMarker template goes here ...",
        "passwordSent": "FreeMarker template goes here ...",
        "registrationComplete": "FreeMarker template goes here ...",
        "registrationSend": "FreeMarker template goes here ...",
        "registrationVerify": "FreeMarker template goes here ...",
        "stylesheet": "CSS definition goes here ..."
      }
    }
  }
}

3. Update the System Configuration

This API is used to update System Configuration.

3.1. Request

Update the System Configuration

URI

PUT /api/system-configuration

Table 3. Request Body
systemConfiguration.emailConfiguration.enabled Optional [Boolean] defaults to `false`	Indicates that the SMTP email configuration is available for use by FusionAuth.
systemConfiguration.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Required	The Id of the Email Template that is used when a user is sent a forgot password email.
systemConfiguration.emailConfiguration.host [String] Optional	The host name of the SMTP server that FusionAuth will use. Required when `systemConfiguration.emailConfiguration.enabled` is set to `true`.
systemConfiguration.emailConfiguration.password [String] Optional	An optional password FusionAuth will use to authenticate with the SMTP server.
systemConfiguration.emailConfiguration.port [Integer] Optional	The port of the SMTP server that FusionAuth will use. Required when `systemConfiguration.emailConfiguration.enabled` is set to `true`.
systemConfiguration.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional	The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.
systemConfiguration.emailConfiguration.security String Optional defaults to NONE	The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are: `NONE` - no security will be used. All communications will be sent plaintext. `SSL` - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports. `TLS` - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
systemConfiguration.emailConfiguration.username [String] Optional	An optional username FusionAuth will to authenticate with the SMTP server.
systemConfiguration.emailConfiguration.verificationEmailTemplateId [UUID] Optional	The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If the `verifyEmail` field is `true` this field is required.
systemConfiguration.emailConfiguration.verifyEmail [Boolean] Optional defaults to `false`	Whether or not user’s email addresses are verified when the register with your application.
systemConfiguration.emailConfiguration.verifyEmailWhenChanged [Boolean] Optional defaults to `false`	Whether or not user’s email addresses are verified when the user changes them.
systemConfiguration.eventConfiguration.events [Object] Optional defaults to {}	A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are: `user.bulk.create` - When multiple users are created in bulk (i.e. during an import) `user.create` - When a user is created `user.deactivate` - When a user is deactivated `user.delete` - When a user is deleted `user.reactivate` - When a user is reactivated `user.update` - When a user is updated `user.action` - When a user action event `jwt.refresh-token.revoke` - When a JWT Refresh Token is revoked `jwt.public-key.update` - When a JWT RSA Public / Private keypair may have been changed
systemConfiguration.eventConfiguration.events`[type]`.enabled [Boolean] Optional defaults to `false`	Whether or not FusionAuth should send these types of events to any configured Webhooks.
systemConfiguration.eventConfiguration.events`[type]`.transactionType String Optional	The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are: `None` - No Webhooks are required to succeed for the FusionAuth transaction to be committed. `Any` - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed. `SimpleMajority` - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed. `SuperMajority` - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed. `AbsoluteMajority` - Every Webhook must succeed for the FusionAuth transaction to be committed.
systemConfiguration.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Required	The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint. Value must be greater than 0 and less than or equal to 600.
systemConfiguration.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Required	The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
systemConfiguration.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Required	The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0.
systemConfiguration.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Required	The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0.
systemConfiguration.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Required	The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0.
systemConfiguration.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Required	The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0.
systemConfiguration.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Required	The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0.
systemConfiguration.failedAuthenticationConfiguration.actionDuration [Long]	The duration of the User Action. This value along with the `actionDurationUnit` will be used to set the duration of the User Action.
systemConfiguration.failedAuthenticationConfiguration.actionDurationUnit [String]	The unit of time associated with a duration. The possible values are: `MINUTES` `HOURS` `DAYS` `WEEKS` `MONTHS` `YEARS`
systemConfiguration.failedAuthenticationConfiguration.resetCountInSeconds [Integer]	The length of time in seconds before the failed authentication count will be reset. For example, if `tooManyAttempts` is set to `5` and you fail to authenticate `4` times in a row, waiting for the duration specified here will cause your fifth attempt to start back at `1`.
systemConfiguration.failedAuthenticationConfiguration.tooManyAttempts [Integer]	The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified.
systemConfiguration.failedAuthenticationConfiguration.userActionId [UUID]	The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
systemConfiguration.httpSessionMaxInactiveInterval [Integer] Required defaults to `60 minutes`	The time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth Front End.
systemConfiguration.jwtConfiguration.algorithm [String] Required	The algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available. `ES256` - ECDSA using P-256 curve and SHA-256 Available Since 1.4.0 `ES384` - ECDSA using P-384 curve and SHA-384 Available Since 1.4.0 `ES512` - ECDSA using P-521 curve and SHA-512 Available Since 1.4.0 `HS256` - HMAC using SHA-256 `HS384` - HMAC using SHA-384 `HS512` - HMAC using SHA-512 `RS256` - RSASSA-PKCS1-v1_5 using SHA-256 `RS384` - RSASSA-PKCS1-v1_5 using SHA-384 `RS512` - RSASSA-PKCS1-v1_5 using SHA-512
systemConfiguration.jwtConfiguration.issuer [String] Required	The name or issuer of the JWT, this is generally something unique such as a fully qualified domain name. For example, `fusionauth.io`.
systemConfiguration.jwtConfiguration.privateKey [String] Optional	The private key used when an `RSA` signing algorithm has been selected. The private key will be used to sign the JWT. This key is expected to be in a PEM encoded format. Required when `algorithm` is set to an RSA based value.
systemConfiguration.jwtConfiguration.publicKey [String] Optional	The public key used when an `RSA` signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key is expected to be in a PEM encoded format. Required when `algorithm` is set to an RSA based value.
systemConfiguration.jwtConfiguration.refreshTokenTimeToLiveInMinutes Required [Integer]	The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
systemConfiguration.jwtConfiguration.secret [String] Optional	The secret used when an `HMAC` based signing algorithm has been selected. This secret is used to sign and verify JWTs. Required when `algorithm` is set to an HMAC based value.
systemConfiguration.jwtConfiguration.timeToLiveInSeconds [Integer] Required	The length of time in seconds the JWT will live before it is expired. This value is used to calculate the `exp` (expiration) identity claim.
systemConfiguration.logoutURL [String] Optional	The logout redirect URL when sending the user’s browser to the `/oauth2/logout` URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
systemConfiguration.maximumPasswordAge.days [Integer] Optional	The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when `systemConfiguration.maximumPasswordAge.enabled` is set to `true`.
systemConfiguration.maximumPasswordAge.enabled [Boolean] Optional	Indicates that the maximum password age is enabled and being enforced.
systemConfiguration.minimumPasswordAge.seconds [Integer] Optional	The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when `systemConfiguration.minimumPasswordAge.enabled` is set to `true`.
systemConfiguration.minimumPasswordAge.enabled [Boolean] Optional	Indicates that the minimum password age is enabled and being enforced.
systemConfiguration.passwordEncryptionConfiguration.encryptionScheme [String] Optional	The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth: `salted-md5` `salted-sha256` `salted-hmac-sha256` `salted-pbkdf2-hmac-sha256` `bcrypt`
systemConfiguration.passwordEncryptionConfiguration.encryptionSchemeFactor [String] Optional	The factor used by the password encryption scheme. If not provided, the `PasswordEncryptor` provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the `PasswordEncryptor` implementation.
systemConfiguration.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Optional	When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import.
systemConfiguration.passwordValidationRules.maxLength [Integer] Required	The maximum number of characters that are allowed for user passwords.
systemConfiguration.passwordValidationRules.minLength [Integer] Required	The minimum number of characters that are required for user passwords.
systemConfiguration.passwordValidationRules.rememberPreviousPasswords.count [Integer] Optional	The number of previous passwords that should be remembered so they are not re-used by the User. Required when `systemConfiguration.passwordValidationRules.rememberPreviousPasswords.count` is set to `true`.
systemConfiguration.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Optional	Indicates that the remember previous password validation is enabled and being enforced.
systemConfiguration.passwordValidationRules.requireMixedCase [Boolean] Optional defaults to `false`	Indicates that passwords require an uppercase and lowercase character to be valid.
systemConfiguration.passwordValidationRules.requireNonAlpha [Boolean] Optional defaults to `false`	Indicates that passwords require a non-alphanumeric character to be valid.
systemConfiguration.passwordValidationRules.requireNumber [Boolean] Optional defaults to `false`	Indicates that passwords require at least one number to be valid.
systemConfiguration.reportTimezone [String] Required	The timezone that all reports will be generated in. Since reports are usually rolled up hourly, this timezone will be used for demarcating the hours. This must be a valid `java.util.time.ZoneId` String. (see https://docs.oracle.com/javase/8/docs/api/java/time/ZoneId.html)
systemConfiguration.uiConfiguration.headerColor [String] Optional	A hexadecimal color to override the default menu color in the user interface. Example: `000000` would set the menu color to black.
systemConfiguration.uiConfiguration.loginTheme.emailComplete [String]	A FreeMarker template that is rendered when the user requests the /email/complete page. This page is used after a user has verified their email address by clicking the URL in the email. After FusionAuth has updated their user object to indicate that their email was verified, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailSend [String]	A FreeMarker template that is rendered when the user requests the /email/send page. This page is used after a user has asked for the verification email to be resent. This can happen if the URL in the email expired and the user clicked it. In this case, the user can provide their email address again and FusionAuth will resend the email. After the user submits their email and FusionAuth re-sends a verification email to them, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailVerify [String]	A FreeMarker template that is rendered when the user requests the /email/verify page by clicking the URL from the verification email and the `verificationId` has expired. FusionAuth expires `verificationId` after a period of time (which is configurable). If the user has a URL from the verification email that has expired, this page will be rendered and the error will be displayed to the user.
systemConfiguration.uiConfiguration.loginTheme.enabled [Boolean]	Indicates that the login theme is enabled and will be used to style the login pages.
systemConfiguration.uiConfiguration.loginTheme.helpers [String]	A FreeMarker template that contains all of the macros and templates used by the rest of the `loginTheme` FreeMarker templates (i.e. `oauth2Authorize`). This allows you to configure the general layout of your UI configuration and login theme without having to copy and paste HTML into each of the templates.
systemConfiguration.uiConfiguration.loginTheme.oauth2Authorize [String]	A FreeMarker template that is rendered when the user requests the /oauth2/authorize page. This is the main login page for FusionAuth and is used for all interactive OAuth and OpenId Connect workflows.
systemConfiguration.uiConfiguration.loginTheme.oauth2Error [String]	A FreeMarker template that is rendered when the user requests the /oauth2/error page. This page is used if the user starts or is in the middle of the OAuth workflow and any type of error occurs. This could be caused by the user messing with the URL or internally some type of information wasn’t passed between the OAuth endpoints correctly. For example, if you are federating login to an external IdP and that IdP does not properly echo the `state` parameter, FusionAuth’s OAuth workflow will break and this page will be displayed.
systemConfiguration.uiConfiguration.loginTheme.oauth2TwoFactor [String]	A FreeMarker template that is rendered when the user requests the /oauth2/two-factor page. This page is used if the user has two-factor authentication enabled and they need to type in their code again. FusionAuth will properly handle the SMS or authenticator app processing on the back end. This page contains the form that the user will put their code into.
systemConfiguration.uiConfiguration.loginTheme.passwordChange [String]	A FreeMarker template that is rendered when the user requests the /password/change page. This page is used if the user is required to change their password or if they have requested a password reset. This page contains the form that allows the user to provide a new password.
systemConfiguration.uiConfiguration.loginTheme.passwordComplete [String]	A FreeMarker template that is rendered when the user requests the /password/complete page. This page is used after the user has successfully updated their password (or reset it). This page should instruct the user that their password was updated and that they need to login again.
systemConfiguration.uiConfiguration.loginTheme.passwordForgot [String]	A FreeMarker template that is rendered when the user requests the /password/forgot page. This page is used when a user starts the forgot password workflow. This page renders the form where the user types in their email address.
systemConfiguration.uiConfiguration.loginTheme.passwordSent [String]	A FreeMarker template that is rendered when the user requests the /password/sent page. This page is used when a user has submitted the forgot password form with their email. FusionAuth does not indicate back to the user if their email address was valid in order to prevent malicious activity that could reveal valid email addresses. Therefore, this page should indicate to the user that if their email was valid, they will receive an email shortly with a link to reset their password.
systemConfiguration.uiConfiguration.loginTheme.registrationComplete [String]	A FreeMarker template that is rendered when the user requests the /registration/complete page. This page is used after a user has verified their email address for a specific application (i.e. a user registration) by clicking the URL in the email. After FusionAuth has updated their registration object to indicate that their email was verified, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.registrationSend [String]	A FreeMarker template that is rendered when the user requests the /registration/send page. This page is used after a user has asked for the application specific verification email to be resent. This can happen if the URL in the email expired and the user clicked it. In this case, the user can provide their email address again and FusionAuth will resend the email. After the user submits their email and FusionAuth re-sends a verification email to them, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailVerify [String]	A FreeMarker template that is rendered when the user requests the /registration/verify page by clicking the URL from the application specific verification email and the `verificationId` has expired. FusionAuth expires `verificationId` after a period of time (which is configurable). If the user has a URL from the verification email that has expired, this page will be rendered and the error will be displayed to the user.
systemConfiguration.uiConfiguration.loginTheme.stylesheet [String]	A CSS stylesheet used to style the login page and other templates such as forgot password, and verify email.
systemConfiguration.uiConfiguration.logoURL [String] Optional	A URL of a logo to override the default FusionAuth logo in the user interface.
systemConfiguration.uiConfiguration.menuFontColor [String] Optional	A hexadecimal color to override the default menu font color in the user interface. Example: `FFFFFF` would set the menu font color to white.

Example Request JSON

{
  "systemConfiguration": {
    "emailConfiguration": {
      "enabled": true,
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "password": "password",
      "port": 587,
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87a00",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "user.create": {
        "enabled": true,
        "transactionType": "AbsoluteMajority"
      }
    },
    "externalIdentifierConfiguration" : {
      "authorizationGrantIdTimeToLiveInSeconds" : 30,
      "changePasswordIdTimeToLiveInSeconds" : 300,
      "emailVerificationIdTimeToLiveInSeconds" : 86400,
      "setupPasswordIdTimeToLiveInSeconds" : 86400,
      "twoFactorIdTimeToLiveInSeconds" : 300,
      "twoFactorTrustIdTimeToLiveInSeconds" : 2592000
    },
    "failedAuthenticationConfiguration" : {
      "actionDuration" : 3,
      "actionDurationUnit" : "MINUTES",
      "resetCountInSeconds" : 60,
      "tooManyAttempts" : 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "jwtConfiguration": {
      "algorithm": "HS256",
      "issuer": "https://example.com",
      "refreshTokenTimeToLiveInMinutes": 43200,
      "secret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
      "timeToLiveInSeconds": 3600
    },
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": true
    },
    "minimumPasswordAge": {
      "enabled": true,
      "seconds": 60
    },
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordExpirationDays": 30,
    "passwordValidationRules": {
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true
    },
    "reportTimezone": "America/Denver",
    "uiConfiguration": {
      "loginTheme": {
        "emailComplete": "FreeMarker template goes here ...",
        "emailSend": "FreeMarker template goes here ...",
        "emailVerify": "FreeMarker template goes here ...",
        "enabled": true,
        "helpers": "FreeMarker template goes here ...",
        "oauth2Authorize": "FreeMarker template goes here ...",
        "oauth2Error": "FreeMarker template goes here ...",
        "oauth2TwoFactor": "FreeMarker template goes here ...",
        "passwordChange": "FreeMarker template goes here ...",
        "passwordComplete": "FreeMarker template goes here ...",
        "passwordForgot": "FreeMarker template goes here ...",
        "passwordSent": "FreeMarker template goes here ...",
        "registrationComplete": "FreeMarker template goes here ...",
        "registrationSend": "FreeMarker template goes here ...",
        "registrationVerify": "FreeMarker template goes here ...",
        "stylesheet": "CSS definition goes here ..."
      }
    }
  }
}

3.2. Response

The response for this API contains the System Configuration.

Table 4. Response Codes
Code	Description
200	The request was successful. The response will contain a JSON body.
400	The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors.
401	You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500	There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503	The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Table 5. Response Body
systemConfiguration.cookieEncryptionIV [String]	The Base64 encoded initialization vector used to encrypt saved request cookies for FusionAuth. This value has been auto-generated and may not be modified.
systemConfiguration.cookieEncryptionKey [String]	The Base64 encoded encryption key used to encrypt saved request cookies for FusionAuth. This value has been auto-generated and may not be modified.
systemConfiguration.emailConfiguration.enabled [Boolean]	Indicates that the SMTP email configuration is available for use by FusionAuth.
systemConfiguration.emailConfiguration.host [String]	The host name of the SMTP server that FusionAuth will use.
systemConfiguration.emailConfiguration.forgotPasswordEmailTemplateId [UUID]	The Id of the Email Template that is used when a user is sent a forgot password email.
systemConfiguration.emailConfiguration.password [String]	An optional password FusionAuth will use to authenticate with the SMTP server.
systemConfiguration.emailConfiguration.port [Integer]	The port of the SMTP server that FusionAuth will use.
systemConfiguration.emailConfiguration.security String	The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are: `NONE` - no security will be used. All communications will be sent plaintext. `SSL` - SSL will be used to connect to the SMTP server. This protocol is not recommended unless it is the only one your SMTP server supports. `TLS` - TLS will be used to connect to the SMTP server. This is the preferred protocol for all SMTP servers.
systemConfiguration.emailConfiguration.setPasswordEmailTemplateId [UUID]	The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password.
systemConfiguration.emailConfiguration.username [String]	An optional username FusionAuth will to authenticate with the SMTP server.
systemConfiguration.emailConfiguration.verificationEmailTemplateId [UUID]	The Id of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If the `verifyEmail` field is `true` this field is required.
systemConfiguration.emailConfiguration.verifyEmail [Boolean]	Whether or not user’s email addresses are verified when the register with your application.
systemConfiguration.emailConfiguration.verifyEmailWhenChanged [Boolean]	Whether or not user’s email addresses are verified when the user changes them.
systemConfiguration.eventConfiguration.events [Object]	A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are: `user.bulk.create` - When multiple users are created in bulk (i.e. during an import) `user.create` - When a user is created `user.deactivate` - When a user is deactivated `user.delete` - When a user is deleted `user.reactivate` - When a user is reactivated `user.update` - When a user is updated `user.action` - When a user action event `jwt.refresh-token.revoke` - When a JWT Refresh Token is revoked `jwt.public-key.update` - When a JWT RSA Public / Private keypair may have been changed
systemConfiguration.eventConfiguration.events`[type]`.enabled [Boolean]	Whether or not FusionAuth should send these types of events to any configured Webhooks.
systemConfiguration.eventConfiguration.events`[type]`.transactionType String	The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are: `None` - No Webhooks are required to succeed for the FusionAuth transaction to be committed. `Any` - Only a single Webhook is required to succeed for the FusionAuth transaction to be committed. `SimpleMajority` - A simple majority (50% or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed. `SuperMajority` - A super majority (2/3 or more) of Webhooks are required to succeed for the FusionAuth transaction to be committed. `AbsoluteMajority` - Every Webhook must succeed for the FusionAuth transaction to be committed.
systemConfiguration.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer]	The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint.
systemConfiguration.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer]	The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API.
systemConfiguration.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer]	The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API.
systemConfiguration.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer]	The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API.
systemConfiguration.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer]	The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API.
systemConfiguration.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer]	The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API.
systemConfiguration.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer]	The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt.
systemConfiguration.failedAuthenticationConfiguration.actionDuration [Long]	The duration of the User Action. This value along with the `actionDurationUnit` will be used to set the duration of the User Action.
systemConfiguration.failedAuthenticationConfiguration.actionDurationUnit [String]	The unit of time associated with a duration. The possible values are: `MINUTES` `HOURS` `DAYS` `WEEKS` `MONTHS` `YEARS`
systemConfiguration.failedAuthenticationConfiguration.resetCountInSeconds [Integer]	The length of time in seconds before the failed authentication count will be reset. For example, if `tooManyAttempts` is set to `5` and you fail to authenticate `4` times in a row, waiting for the duration specified here will cause your fifth attempt to start back at `1`.
systemConfiguration.failedAuthenticationConfiguration.tooManyAttempts [Integer]	The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified.
systemConfiguration.failedAuthenticationConfiguration.userActionId [UUID]	The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts.
systemConfiguration.httpSessionMaxInactiveInterval [Integer]	The time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth front-end.
systemConfiguration.jwtConfiguration.algorithm [String]	The algorithm used to sign the JSON Web Token (JWT). The following available JSON Web Algorithms (JWA) as described in RFC 7518 are available. `ES256` - ECDSA using P-256 curve and SHA-256 Available Since 1.4.0 `ES384` - ECDSA using P-384 curve and SHA-384 Available Since 1.4.0 `ES512` - ECDSA using P-521 curve and SHA-512 Available Since 1.4.0 `HS256` - HMAC using SHA-256 `HS384` - HMAC using SHA-384 `HS512` - HMAC using SHA-512 `RS256` - RSASSA-PKCS1-v1_5 using SHA-256 `RS384` - RSASSA-PKCS1-v1_5 using SHA-384 `RS512` - RSASSA-PKCS1-v1_5 using SHA-512
systemConfiguration.jwtConfiguration.enabled [Boolean]	This value will always be true. The JWT configuration may not be disabled for the System Configuration.
systemConfiguration.jwtConfiguration.issuer [String]	The name or issuer of the JWT, this is generally something unique such as a fully qualified domain name. For example, `fusionauth.io`.
systemConfiguration.jwtConfiguration.privateKey [String]	The private key used when an `RSA` signing algorithm has been selected. The private key will be used to sign the JWT. This key will be returned in a PEM encoded format.
systemConfiguration.jwtConfiguration.publicKey [String]	The public key used when an `RSA` signing algorithms has been selected. The public key will be used to verify JWTs signed with the private key. This key will be returned in a PEM encoded format.
systemConfiguration.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer]	The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT.
systemConfiguration.jwtConfiguration.secret [String]	The secret used when an `HMAC` based signing algorithm has been selected. This secret is used to sign and verify JWTs.
systemConfiguration.jwtConfiguration.timeToLiveInSeconds [Integer]	The length of time in seconds the JWT will live before it is expired. This value is used to calculate the `exp` (expiration) identity claim.
systemConfiguration.logoutURL [String]	The logout redirect URL when sending the user’s browser to the `/oauth2/logout` URI of the FusionAuth Front End. This value is only used when a logout URL is not defined in your Application.
systemConfiguration.maximumPasswordAge.days [Integer]	The password maximum age in days. The number of days after which FusionAuth will require a user to change their password.
systemConfiguration.maximumPasswordAge.enabled [Boolean]	Indicates that the maximum password age is enabled and being enforced.
systemConfiguration.minimumPasswordAge.seconds [Integer]	The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age.
systemConfiguration.minimumPasswordAge.enabled [Boolean]	Indicates that the minimum password age is enabled and being enforced.
systemConfiguration.passwordEncryptionConfiguration.encryptionScheme [String]	The selected default encryption scheme.
systemConfiguration.passwordEncryptionConfiguration.encryptionSchemeFactor [String]	The factor used by the password encryption scheme. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the `PasswordEncryptor` implementation.
systemConfiguration.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean]	When enabled a user’s hash configuration will be modified to match these configured settings.
systemConfiguration.passwordValidationRules.maxLength [Integer]	The maximum number of characters that are allowed for user passwords.
systemConfiguration.passwordValidationRules.minLength [Integer]	The minimum number of characters that are required for user passwords.
systemConfiguration.passwordValidationRules.rememberPreviousPasswords.count [Integer]	The number of previous passwords that should be remembered so they are not re-used by the User.
systemConfiguration.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean]	Indicates that the remember previous password validation is enabled and being enforced.
systemConfiguration.passwordValidationRules.requireMixedCase [Boolean]	Indicates that passwords require an uppercase and lowercase character to be valid.
systemConfiguration.passwordValidationRules.requireNonAlpha [Boolean]	Indicates that passwords require a non-alphanumeric character to be valid.
systemConfiguration.passwordValidationRules.requireNumber [Boolean]	Indicates that passwords require at least one number to be valid.
systemConfiguration.reportTimezone [String]	The timezone that all reports will be generated in. Since reports are usually rolled up hourly, this timezone will be used for demarcating the hours. This must be a valid `java.util.time.ZoneId` String. (see https://docs.oracle.com/javase/8/docs/api/java/time/ZoneId.html)
systemConfiguration.uiConfiguration.headerColor [String]	A hexadecimal color to override the default menu color in the user interface.
systemConfiguration.uiConfiguration.loginTheme.emailComplete [String]	A FreeMarker template that is rendered when the user requests the /email/complete page. This page is used after a user has verified their email address by clicking the URL in the email. After FusionAuth has updated their user object to indicate that their email was verified, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailSend [String]	A FreeMarker template that is rendered when the user requests the /email/send page. This page is used after a user has asked for the verification email to be resent. This can happen if the URL in the email expired and the user clicked it. In this case, the user can provide their email address again and FusionAuth will resend the email. After the user submits their email and FusionAuth re-sends a verification email to them, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailVerify [String]	A FreeMarker template that is rendered when the user requests the /email/verify page by clicking the URL from the verification email and the `verificationId` has expired. FusionAuth expires `verificationId` after a period of time (which is configurable). If the user has a URL from the verification email that has expired, this page will be rendered and the error will be displayed to the user.
systemConfiguration.uiConfiguration.loginTheme.enabled [Boolean]	Indicates that the login theme is enabled and will be used to style the login pages.
systemConfiguration.uiConfiguration.loginTheme.helpers [String]	A FreeMarker template that contains all of the macros and templates used by the rest of the `loginTheme` FreeMarker templates (i.e. `oauth2Authorize`). This allows you to configure the general layout of your UI configuration and login theme without having to copy and paste HTML into each of the templates.
systemConfiguration.uiConfiguration.loginTheme.oauth2Authorize [String]	A FreeMarker template that is rendered when the user requests the /oauth2/authorize page. This is the main login page for FusionAuth and is used for all interactive OAuth and OpenId Connect workflows.
systemConfiguration.uiConfiguration.loginTheme.oauth2Error [String]	A FreeMarker template that is rendered when the user requests the /oauth2/error page. This page is used if the user starts or is in the middle of the OAuth workflow and any type of error occurs. This could be caused by the user messing with the URL or internally some type of information wasn’t passed between the OAuth endpoints correctly. For example, if you are federating login to an external IdP and that IdP does not properly echo the `state` parameter, FusionAuth’s OAuth workflow will break and this page will be displayed.
systemConfiguration.uiConfiguration.loginTheme.oauth2TwoFactor [String]	A FreeMarker template that is rendered when the user requests the /oauth2/two-factor page. This page is used if the user has two-factor authentication enabled and they need to type in their code again. FusionAuth will properly handle the SMS or authenticator app processing on the back end. This page contains the form that the user will put their code into.
systemConfiguration.uiConfiguration.loginTheme.passwordChange [String]	A FreeMarker template that is rendered when the user requests the /password/change page. This page is used if the user is required to change their password or if they have requested a password reset. This page contains the form that allows the user to provide a new password.
systemConfiguration.uiConfiguration.loginTheme.passwordComplete [String]	A FreeMarker template that is rendered when the user requests the /password/complete page. This page is used after the user has successfully updated their password (or reset it). This page should instruct the user that their password was updated and that they need to login again.
systemConfiguration.uiConfiguration.loginTheme.passwordForgot [String]	A FreeMarker template that is rendered when the user requests the /password/forgot page. This page is used when a user starts the forgot password workflow. This page renders the form where the user types in their email address.
systemConfiguration.uiConfiguration.loginTheme.passwordSent [String]	A FreeMarker template that is rendered when the user requests the /password/sent page. This page is used when a user has submitted the forgot password form with their email. FusionAuth does not indicate back to the user if their email address was valid in order to prevent malicious activity that could reveal valid email addresses. Therefore, this page should indicate to the user that if their email was valid, they will receive an email shortly with a link to reset their password.
systemConfiguration.uiConfiguration.loginTheme.registrationComplete [String]	A FreeMarker template that is rendered when the user requests the /registration/complete page. This page is used after a user has verified their email address for a specific application (i.e. a user registration) by clicking the URL in the email. After FusionAuth has updated their registration object to indicate that their email was verified, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.registrationSend [String]	A FreeMarker template that is rendered when the user requests the /registration/send page. This page is used after a user has asked for the application specific verification email to be resent. This can happen if the URL in the email expired and the user clicked it. In this case, the user can provide their email address again and FusionAuth will resend the email. After the user submits their email and FusionAuth re-sends a verification email to them, the browser is redirected to this page.
systemConfiguration.uiConfiguration.loginTheme.emailVerify [String]	A FreeMarker template that is rendered when the user requests the /registration/verify page by clicking the URL from the application specific verification email and the `verificationId` has expired. FusionAuth expires `verificationId` after a period of time (which is configurable). If the user has a URL from the verification email that has expired, this page will be rendered and the error will be displayed to the user.
systemConfiguration.uiConfiguration.loginTheme.stylesheet [String]	A CSS stylesheet used to style the login page and other templates such as forgot password, and verify email.
systemConfiguration.uiConfiguration.logoURL [String]	A URL of a logo to override the default FusionAuth logo in the user interface.
systemConfiguration.uiConfiguration.menuFontColor [String]	A hexadecimal color to override the default menu font color in the user interface.

Example Response JSON

{
  "systemConfiguration": {
    "emailConfiguration": {
      "enabled": true,
      "forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
      "host": "smtp.sendgrid.net",
      "password": "password",
      "port": 587,
      "security": "TLS",
      "setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
      "username": "username",
      "verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87a00",
      "verifyEmail": true,
      "verifyEmailWhenChanged": true
    },
    "eventConfiguration": {
      "user.create": {
        "enabled": true,
        "transactionType": "AbsoluteMajority"
      }
    },
    "externalIdentifierConfiguration" : {
      "authorizationGrantIdTimeToLiveInSeconds" : 30,
      "changePasswordIdTimeToLiveInSeconds" : 300,
      "emailVerificationIdTimeToLiveInSeconds" : 86400,
      "setupPasswordIdTimeToLiveInSeconds" : 86400,
      "twoFactorIdTimeToLiveInSeconds" : 300,
      "twoFactorTrustIdTimeToLiveInSeconds" : 2592000
    },
    "failedAuthenticationConfiguration" : {
      "actionDuration" : 3,
      "actionDurationUnit" : "MINUTES",
      "resetCountInSeconds" : 60,
      "tooManyAttempts" : 5,
      "userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
    },
    "httpSessionMaxInactiveInterval": 3600,
    "jwtConfiguration": {
      "algorithm": "HS256",
      "issuer": "https://example.com",
      "refreshTokenTimeToLiveInMinutes": 43200,
      "secret": "+fcXet9Iu2kQi61yWD9Tu4ReZ113P6yEAkr32v6WKOQ=",
      "timeToLiveInSeconds": 3600
    },
    "logoutURL": "http://example.com/logout",
    "maximumPasswordAge": {
      "days": 180,
      "enabled": true
    },
    "minimumPasswordAge": {
      "enabled": true,
      "seconds": 60
    },
    "passwordEncryptionConfiguration": {
      "encryptionScheme": "salted-pbkdf2-hmac-sha256",
      "encryptionSchemeFactor": 24000,
      "modifyEncryptionSchemeOnLogin": false
    },
    "passwordExpirationDays": 30,
    "passwordValidationRules": {
      "maxLength": 256,
      "minLength": 8,
      "rememberPreviousPasswords": {
        "count": 2,
        "enabled": true
      },
      "requireMixedCase": true,
      "requireNonAlpha": true,
      "requireNumber": true
    },
    "reportTimezone": "America/Denver",
    "uiConfiguration": {
      "loginTheme": {
        "emailComplete": "FreeMarker template goes here ...",
        "emailSend": "FreeMarker template goes here ...",
        "emailVerify": "FreeMarker template goes here ...",
        "enabled": true,
        "lastModified": 1540588216227,
        "helpers": "FreeMarker template goes here ...",
        "oauth2Authorize": "FreeMarker template goes here ...",
        "oauth2Error": "FreeMarker template goes here ...",
        "oauth2TwoFactor": "FreeMarker template goes here ...",
        "passwordChange": "FreeMarker template goes here ...",
        "passwordComplete": "FreeMarker template goes here ...",
        "passwordForgot": "FreeMarker template goes here ...",
        "passwordSent": "FreeMarker template goes here ...",
        "registrationComplete": "FreeMarker template goes here ...",
        "registrationSend": "FreeMarker template goes here ...",
        "registrationVerify": "FreeMarker template goes here ...",
        "stylesheet": "CSS definition goes here ..."
      }
    }
  }
}

4. Retrieve the Password Validation Rules

This API is used to retrieve the Password Validation Rules. This configuration is a subset of the System Configuration.

4.1. Request

Retrieve the Password Validation Rules

URI

GET /api/system-configuration/password-validation-rules

4.2. Response

The response for this API contains the Password Validation Rules.

Table 6. Response Codes
Code	Description
200	The request was successful. The response will contain a JSON body.
500	There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

Table 7. Response Body
systemConfiguration.passwordValidationRules.maxLength [Integer]	The maximum number of characters that are allowed for user passwords.
systemConfiguration.passwordValidationRules.minLength [Integer]	The minimum number of characters that are required for user passwords.
systemConfiguration.passwordValidationRules.rememberPreviousPasswords.count [Integer]	The number of previous passwords that should be remembered so they are not re-used by the User.
systemConfiguration.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean]	Indicates that the remember previous password validation is enabled and being enforced.
systemConfiguration.passwordValidationRules.requireMixedCase [Boolean]	Indicates that passwords require an uppercase and lowercase character to be valid.
systemConfiguration.passwordValidationRules.requireNonAlpha [Boolean]	Indicates that passwords require a non-alphanumeric character to be valid.
systemConfiguration.passwordValidationRules.requireNumber [Boolean]	Indicates that passwords require at least one number to be valid.

Example Response JSON

{
  "passwordValidationRules": {
    "maxLength": 256,
    "minLength": 8,
    "rememberPreviousPasswords": {
      "count": 2,
      "enabled": true
    },
    "requireMixedCase": true,
    "requireNonAlpha": true,
    "requireNumber": true
  }
}