1. Overview
A FusionAuth Tenant is a named object that represents a discrete namespace for Users, Applications and Groups. A user is unique by email address or username within a tenant.
Tenants may be useful to support a multi-tenant application where you wish to use a single instance of FusionAuth but require the ability to have duplicate users across the tenants in your own application. In this scenario a user may exist multiple times with the same email address and different passwords across tenants.
Tenants may also be useful in a test or staging environment to allow multiple users to call APIs and create and modify users without possibility of collision.
The following APIs are provided to manage Tenants.
The following APIs provide a subset of the Tenant configuration without an API Key.
2. Create a Tenant
This API is used to create a new Tenant.
2.1. Requestu
Create a Tenant with a randomly generated Id
POST /api/tenant
Create a Tenant with the provided unique Id
POST /api/tenant/{tenantId}
tenantId [UUID] Optional defaults to secure random UUID |
The Id to use for the new Tenant. If not specified a secure random UUID will be generated. |
tenant.data [Object] Optional |
An object that can hold any information about the Tenant that should be persisted. |
tenant.emailConfiguration.enabled [Boolean] Optional Deprecated |
When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration. Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration. |
tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional |
The Id of the Email Template that is used when a user is sent a forgot password email. |
tenant.emailConfiguration.host [String] Required Available Since 1.8.0 |
The host name of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.password [String] Optional Available Since 1.8.0 |
An optional password FusionAuth will use to authenticate with the SMTP server. |
tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available Since 1.8.0 |
The Id of the Passwordless Email Template. |
tenant.emailConfiguration.port [Integer] Required Available Since 1.8.0 |
The port of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.properties [String] Optional Available Since 1.8.0 |
Additional Email Configuration in a properties file formatted String. |
tenant.emailConfiguration.security [String] Optional defaults to |
The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
|
tenant.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional |
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. |
tenant.emailConfiguration.username [String] Optional Available Since 1.8.0 |
An optional username FusionAuth will to authenticate with the SMTP server. |
tenant.emailConfiguration.verificationEmailTemplateId [UUID] Optional |
The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the |
tenant.emailConfiguration.verifyEmail [Boolean] Optional defaults to |
Whether the user’s email addresses are verified when the registers with your application. |
tenant.emailConfiguration.verifyEmailWhenChanged [Boolean] Optional defaults to |
Whether the user’s email addresses are verified when the user changes them. |
tenant.eventConfiguration.events [Object] Optional defaults to {} Available Since 1.8.0 |
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
|
tenant.eventConfiguration.events |
Whether or not FusionAuth should send these types of events to any configured Webhooks. |
tenant.eventConfiguration.events |
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
|
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint. Value must be greater than 0 and less than or equal to 600. |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the change password Id.
If the |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the change password Id. Must be either |
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the email verification Id.
If the |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the email verification Id. Must be either |
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the passwordless login.
If the |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the passwordless login. Must be either |
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the registration verification Id.
If the |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the registration verification Id. Must be either |
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the setup password Id.
If the |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the setup password Id. Must be either |
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.actionDuration [Long] Required defaults to |
The duration of the User Action. This value along with the |
tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Required defaults to |
The unit of time associated with a duration. The possible values are:
|
tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Required defaults to |
The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if |
tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Required defaults to |
The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.userActionId [UUID] Optional Available Since 1.8.0 |
The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts. |
tenant.familyConfiguration.allowChildRegistrations [Boolean] Optional defaults to |
Whether to allow child registrations. |
tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Optional Available Since 1.8.0 |
The unique Id of the email template to use when confirming a child. |
tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Optional defaults to |
Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days. |
tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Optional defaults to |
The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0. |
tenant.familyConfiguration.enabled [Boolean] Optional defaults to |
Whether family configuration is enabled. |
tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Optional Available Since 1.8.0 |
The unique Id of the email template to use when a family request is made. |
tenant.familyConfiguration.maximumChildAge [Integer] Optional defaults to |
The maximum age of a child. Value must be greater than 0. |
tenant.familyConfiguration.minimumOwnerAge [Integer] Optional defaults to |
The minimum age to be an owner. Value must be greater than 0. |
tenant.familyConfiguration.parentEmailRequired [Boolean] Optional defaults to |
Whether a parent email is required. |
tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Optional Available Since 1.8.0 |
The unique Id of the email template to use for parent registration. |
tenant.httpSessionMaxInactiveInterval [Integer] Optional default is |
Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend. |
tenant.issuer [String] Required Available Since 1.8.0 |
The named issuer used to sign tokens, this is generally your public fully qualified domain. |
tenant.jwtConfiguration.accessTokenKeyId [UUID] Required Available Since 1.8.0 |
The unique id of the signing key used to sign the access token. |
tenant.jwtConfiguration.idTokenKeyId [UUID] Required Available Since 1.8.0 |
The unique id of the signing key used to sign the Id token. |
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Required Available Since 1.8.0 |
The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0. |
tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0. |
tenant.logoutURL [String] Optional Available Since 1.8.0 |
The logout redirect URL when sending the user’s browser to the |
tenant.maximumPasswordAge.days [Integer] Optional defaults to |
The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when |
tenant.maximumPasswordAge.enabled [Boolean] Optional defaults to |
Indicates that the maximum password age is enabled and being enforced. |
tenant.minimumPasswordAge.seconds [Integer] Optional defaults to |
The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when |
tenant.minimumPasswordAge.enabled [Boolean] Optional defaults to |
Indicates that the minimum password age is enabled and being enforced. |
tenant.name [String] Required |
The unique name of the Tenant. |
tenant.passwordEncryptionConfiguration.encryptionScheme [String] Optional defaults to |
The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth: |
tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Optional defaults to |
The factor used by the password encryption scheme. If not provided, the |
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Optional defaults to |
When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import. |
tenant.passwordValidationRules.maxLength [Integer] Required defaults to |
The maximum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.minLength [Integer] Required defaults to |
The minimum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Optional Available Since 1.8.0 |
The number of previous passwords to remember. Value must be greater than 0. |
tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Optional defaults to |
Whether to prevent a user from using any of their previous passwords. |
tenant.passwordValidationRules.requiredMixedCase [Boolean] Optional defaults to |
Whether to force the user to use at least one uppercase and one lowercase character. |
tenant.passwordValidationRules.requireNonAlpha [Boolean] Optional defaults to |
Whether to force the user to use at least one non-alphanumeric character. |
tenant.passwordValidationRules.requireNumber [Boolean] Optional defaults to |
Whether to force the user to use at least one number. |
tenant.themeId [UUID] Required Available Since 1.8.0 |
The unique Id of the theme to be used to style the login page and other end user templates. |
tenant.userDeletePolicy.unverified.enabled [Boolean] Optional defaults to |
Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days. |
tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Optional Available Since 1.13.0 |
The number of days from creation users will be retained before being deleted for not completing email verification. This field is required when tenant.userDeletePolicy.unverified.enabled is set to |
{
"tenant": {
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000
},
"failedAuthenticationConfiguration": {
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"httpSessionMaxInactiveInterval": 3600,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"name": "Playtronics Co.",
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true
},
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
}
}
}2.2. Response
The response for this API contains the Tenant that was created.
| Code | Description |
|---|---|
200 |
The request was successful. The response will contain a JSON body. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. |
401 |
You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
tenant.data [Object] |
An object that can hold any information about the Tenant that should be persisted. |
tenant.emailConfiguration.enabled [Boolean] Deprecated |
When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration. Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration. |
tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID] |
The Id of the Email Template that is used when a user is sent a forgot password email. |
tenant.emailConfiguration.host [String] Available Since 1.8.0 |
The host name of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.password [String] Available Since 1.8.0 |
An optional password FusionAuth will use to authenticate with the SMTP server. |
tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Available Since 1.8.0 |
The Id of the Passwordless Email Template. |
tenant.emailConfiguration.port [Integer] Available Since 1.8.0 |
The port of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.properties [String] Available Since 1.8.0 |
Additional Email Configuration in a properties file formatted String. |
tenant.emailConfiguration.security [String] Available Since 1.8.0 |
The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
|
tenant.emailConfiguration.setPasswordEmailTemplateId [UUID] |
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. |
tenant.emailConfiguration.username [String] Available Since 1.8.0 |
An optional username FusionAuth will to authenticate with the SMTP server. |
tenant.emailConfiguration.verificationEmailTemplateId [UUID] |
The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the |
tenant.emailConfiguration.verifyEmail [Boolean] |
Whether the user’s email addresses are verified when the registers with your application. |
tenant.emailConfiguration.verifyEmailWhenChanged [Boolean] |
Whether the user’s email addresses are verified when the user changes them. |
tenant.eventConfiguration.events [Object] Available Since 1.8.0 |
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
|
tenant.eventConfiguration.events |
Whether or not FusionAuth should send these types of events to any configured Webhooks. |
tenant.eventConfiguration.events |
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
|
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint. Value must be greater than 0 and less than or equal to 600. |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the change password Id.
If the |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the change password Id. Must be either |
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the email verification Id.
If the |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the email verification Id. Must be either |
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the passwordless login.
If the |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the passwordless login. Must be either |
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the registration verification Id.
If the |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the registration verification Id. Must be either |
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the setup password Id.
If the |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the setup password Id. Must be either |
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.actionDuration [Long] Available Since 1.8.0 |
The duration of the User Action. This value along with the |
tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Available Since 1.8.0 |
The unit of time associated with a duration. The possible values are:
|
tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Available Since 1.8.0 |
The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if |
tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Available Since 1.8.0 |
The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.userActionId [UUID] Available Since 1.8.0 |
The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts. |
tenant.familyConfiguration.allowChildRegistrations [Boolean] Available Since 1.8.0 |
Whether to allow child registrations. |
tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use when confirming a child. |
tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Available Since 1.8.0 |
Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days. |
tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Available Since 1.8.0 |
The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0. |
tenant.familyConfiguration.enabled [Boolean] Available Since 1.8.0 |
Whether family configuration is enabled. |
tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use when a family request is made. |
tenant.familyConfiguration.maximumChildAge [Integer] Available Since 1.8.0 |
The maximum age of a child. Value must be greater than 0. |
tenant.familyConfiguration.minimumOwnerAge [Integer] Available Since 1.8.0 |
The minimum age to be an owner. Value must be greater than 0. |
tenant.familyConfiguration.parentEmailRequired [Boolean] Available Since 1.8.0 |
Whether a parent email is required. |
tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use for parent registration. |
tenant.httpSessionMaxInactiveInterval [Integer] Available Since 1.8.0 |
Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend. |
tenant.id [UUID] |
The unique identifier for this Tenant. |
tenant.issuer [String] Available Since 1.8.0 |
The named issuer used to sign tokens, this is generally your public fully qualified domain. |
tenant.jwtConfiguration.accessTokenKeyId [UUID] Available Since 1.8.0 |
The unique id of the signing key used to sign the access token. |
tenant.jwtConfiguration.idTokenKeyId [UUID] Available Since 1.8.0 |
The unique id of the signing key used to sign the Id token. |
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available Since 1.8.0 |
The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0. |
tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Available Since 1.8.0 |
The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0. |
tenant.logoutURL [String] Available Since 1.8.0 |
The logout redirect URL when sending the user’s browser to the |
tenant.maximumPasswordAge.days [Integer] Available Since 1.8.0 |
The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when |
tenant.maximumPasswordAge.enabled [Boolean] Available Since 1.8.0 |
Indicates that the maximum password age is enabled and being enforced. |
tenant.minimumPasswordAge.seconds [Integer] Available Since 1.8.0 |
The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when |
tenant.minimumPasswordAge.enabled [Boolean] Available Since 1.8.0 |
Indicates that the minimum password age is enabled and being enforced. |
tenant.name [String] |
The unique name of the Tenant. |
tenant.passwordEncryptionConfiguration.encryptionScheme [String] Available Since 1.8.0 |
The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth: |
tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Available Since 1.8.0 |
The factor used by the password encryption scheme. If not provided, the |
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Available Since 1.8.0 |
When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import. |
tenant.passwordValidationRules.maxLength [Integer] Available Since 1.8.0 |
The maximum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.minLength [Integer] Available Since 1.8.0 |
The minimum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Available Since 1.8.0 |
The number of previous passwords to remember. Value must be greater than 0. |
tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Available Since 1.8.0 |
Whether to prevent a user from using any of their previous passwords. |
tenant.passwordValidationRules.requiredMixedCase [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one uppercase and one lowercase character. |
tenant.passwordValidationRules.requireNonAlpha [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one non-alphanumeric character. |
tenant.passwordValidationRules.requireNumber [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one number. |
tenant.themeId [UUID] Available Since 1.8.0 |
The unique Id of the theme to be used to style the login page and other end user templates. |
tenant.userDeletePolicy.unverified.enabled [Boolean] Available Since 1.13.0 |
Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days. |
tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available Since 1.13.0 |
The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0. |
{
"tenant": {
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000
},
"failedAuthenticationConfiguration": {
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"name": "Playtronics Co.",
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true
},
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
}
}
}3. Retrieve a Tenant
This API is used to retrieve a single Tenant by unique Id or all of the configured Tenants.
3.1. Request
GET /api/tenant
GET /api/tenant/{tenantId}
tenantId [UUID] Required |
The unique Id of the Tenant to retrieve. |
3.2. Response
The response for this API contains either a single Tenant or all of the Tenants. When you call this API with an Id the response will contain a single Tenant. When you call this API without an Id the response will contain all of the Tenants. Both response types are defined below along with an example JSON response.
| Code | Description |
|---|---|
200 |
The request was successful. The response will contain a JSON body. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. |
401 |
You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 |
The object you requested doesn’t exist. The response will be empty. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
tenant.data [Object] |
An object that can hold any information about the Tenant that should be persisted. |
tenant.emailConfiguration.enabled [Boolean] Deprecated |
When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration. Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration. |
tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID] |
The Id of the Email Template that is used when a user is sent a forgot password email. |
tenant.emailConfiguration.host [String] Available Since 1.8.0 |
The host name of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.password [String] Available Since 1.8.0 |
An optional password FusionAuth will use to authenticate with the SMTP server. |
tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Available Since 1.8.0 |
The Id of the Passwordless Email Template. |
tenant.emailConfiguration.port [Integer] Available Since 1.8.0 |
The port of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.properties [String] Available Since 1.8.0 |
Additional Email Configuration in a properties file formatted String. |
tenant.emailConfiguration.security [String] Available Since 1.8.0 |
The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
|
tenant.emailConfiguration.setPasswordEmailTemplateId [UUID] |
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. |
tenant.emailConfiguration.username [String] Available Since 1.8.0 |
An optional username FusionAuth will to authenticate with the SMTP server. |
tenant.emailConfiguration.verificationEmailTemplateId [UUID] |
The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the |
tenant.emailConfiguration.verifyEmail [Boolean] |
Whether the user’s email addresses are verified when the registers with your application. |
tenant.emailConfiguration.verifyEmailWhenChanged [Boolean] |
Whether the user’s email addresses are verified when the user changes them. |
tenant.eventConfiguration.events [Object] Available Since 1.8.0 |
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
|
tenant.eventConfiguration.events |
Whether or not FusionAuth should send these types of events to any configured Webhooks. |
tenant.eventConfiguration.events |
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
|
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint. Value must be greater than 0 and less than or equal to 600. |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the change password Id.
If the |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the change password Id. Must be either |
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the email verification Id.
If the |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the email verification Id. Must be either |
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the passwordless login.
If the |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the passwordless login. Must be either |
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the registration verification Id.
If the |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the registration verification Id. Must be either |
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the setup password Id.
If the |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the setup password Id. Must be either |
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.actionDuration [Long] Available Since 1.8.0 |
The duration of the User Action. This value along with the |
tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Available Since 1.8.0 |
The unit of time associated with a duration. The possible values are:
|
tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Available Since 1.8.0 |
The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if |
tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Available Since 1.8.0 |
The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.userActionId [UUID] Available Since 1.8.0 |
The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts. |
tenant.familyConfiguration.allowChildRegistrations [Boolean] Available Since 1.8.0 |
Whether to allow child registrations. |
tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use when confirming a child. |
tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Available Since 1.8.0 |
Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days. |
tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Available Since 1.8.0 |
The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0. |
tenant.familyConfiguration.enabled [Boolean] Available Since 1.8.0 |
Whether family configuration is enabled. |
tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use when a family request is made. |
tenant.familyConfiguration.maximumChildAge [Integer] Available Since 1.8.0 |
The maximum age of a child. Value must be greater than 0. |
tenant.familyConfiguration.minimumOwnerAge [Integer] Available Since 1.8.0 |
The minimum age to be an owner. Value must be greater than 0. |
tenant.familyConfiguration.parentEmailRequired [Boolean] Available Since 1.8.0 |
Whether a parent email is required. |
tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use for parent registration. |
tenant.httpSessionMaxInactiveInterval [Integer] Available Since 1.8.0 |
Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend. |
tenant.id [UUID] |
The unique identifier for this Tenant. |
tenant.issuer [String] Available Since 1.8.0 |
The named issuer used to sign tokens, this is generally your public fully qualified domain. |
tenant.jwtConfiguration.accessTokenKeyId [UUID] Available Since 1.8.0 |
The unique id of the signing key used to sign the access token. |
tenant.jwtConfiguration.idTokenKeyId [UUID] Available Since 1.8.0 |
The unique id of the signing key used to sign the Id token. |
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available Since 1.8.0 |
The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0. |
tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Available Since 1.8.0 |
The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0. |
tenant.logoutURL [String] Available Since 1.8.0 |
The logout redirect URL when sending the user’s browser to the |
tenant.maximumPasswordAge.days [Integer] Available Since 1.8.0 |
The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when |
tenant.maximumPasswordAge.enabled [Boolean] Available Since 1.8.0 |
Indicates that the maximum password age is enabled and being enforced. |
tenant.minimumPasswordAge.seconds [Integer] Available Since 1.8.0 |
The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when |
tenant.minimumPasswordAge.enabled [Boolean] Available Since 1.8.0 |
Indicates that the minimum password age is enabled and being enforced. |
tenant.name [String] |
The unique name of the Tenant. |
tenant.passwordEncryptionConfiguration.encryptionScheme [String] Available Since 1.8.0 |
The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth: |
tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Available Since 1.8.0 |
The factor used by the password encryption scheme. If not provided, the |
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Available Since 1.8.0 |
When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import. |
tenant.passwordValidationRules.maxLength [Integer] Available Since 1.8.0 |
The maximum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.minLength [Integer] Available Since 1.8.0 |
The minimum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Available Since 1.8.0 |
The number of previous passwords to remember. Value must be greater than 0. |
tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Available Since 1.8.0 |
Whether to prevent a user from using any of their previous passwords. |
tenant.passwordValidationRules.requiredMixedCase [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one uppercase and one lowercase character. |
tenant.passwordValidationRules.requireNonAlpha [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one non-alphanumeric character. |
tenant.passwordValidationRules.requireNumber [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one number. |
tenant.themeId [UUID] Available Since 1.8.0 |
The unique Id of the theme to be used to style the login page and other end user templates. |
tenant.userDeletePolicy.unverified.enabled [Boolean] Available Since 1.13.0 |
Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days. |
tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available Since 1.13.0 |
The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0. |
{
"tenant": {
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000
},
"failedAuthenticationConfiguration": {
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"name": "Playtronics Co.",
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true
},
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
}
}
}tenants [Array] |
The list of Tenant objects. |
tenants |
An object that can hold any information about the Tenant that should be persisted. |
tenants |
When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration. Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration. |
tenants |
The Id of the Email Template that is used when a user is sent a forgot password email. |
tenants |
The host name of the SMTP server that FusionAuth will use. |
tenants |
An optional password FusionAuth will use to authenticate with the SMTP server. |
tenants |
The Id of the Passwordless Email Template. |
tenants |
The port of the SMTP server that FusionAuth will use. |
tenants |
Additional Email Configuration in a properties file formatted String. |
tenants |
The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
|
tenants |
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. |
tenants |
An optional username FusionAuth will to authenticate with the SMTP server. |
tenants |
The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the |
tenants |
Whether the user’s email addresses are verified when the registers with your application. |
tenants |
Whether the user’s email addresses are verified when the user changes them. |
tenants |
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
|
tenants |
Whether or not FusionAuth should send these types of events to any configured Webhooks. |
tenants |
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
|
tenants |
The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint. Value must be greater than 0 and less than or equal to 600. |
tenants |
The length of the secure generator used for generating the change password Id.
If the |
tenants |
The type of the secure generator used for generating the change password Id. Must be either |
tenants |
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenants |
The length of the secure generator used for generating the email verification Id.
If the |
tenants |
The type of the secure generator used for generating the email verification Id. Must be either |
tenants |
The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0. |
tenants |
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0. |
tenants |
The length of the secure generator used for generating the passwordless login.
If the |
tenants |
The type of the secure generator used for generating the passwordless login. Must be either |
tenants |
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0. |
tenants |
The length of the secure generator used for generating the registration verification Id.
If the |
tenants |
The type of the secure generator used for generating the registration verification Id. Must be either |
tenants |
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0. |
tenants |
The length of the secure generator used for generating the setup password Id.
If the |
tenants |
The type of the secure generator used for generating the setup password Id. Must be either |
tenants |
The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenants |
The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0. |
tenants |
The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0. |
tenants |
The duration of the User Action. This value along with the |
tenants |
The unit of time associated with a duration. The possible values are:
|
tenants |
The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if |
tenants |
The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0. |
tenants |
The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts. |
tenants |
Whether to allow child registrations. |
tenants |
The unique Id of the email template to use when confirming a child. |
tenants |
Indicates that child users without parental verification will be permanently deleted after tenants |
tenants |
The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0. |
tenants |
Whether family configuration is enabled. |
tenants |
The unique Id of the email template to use when a family request is made. |
tenants |
The maximum age of a child. Value must be greater than 0. |
tenants |
The minimum age to be an owner. Value must be greater than 0. |
tenants |
Whether a parent email is required. |
tenants |
The unique Id of the email template to use for parent registration. |
tenants |
Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend. |
tenants |
The unique identifier for this Tenant. |
tenants |
The named issuer used to sign tokens, this is generally your public fully qualified domain. |
tenants |
The unique id of the signing key used to sign the access token. |
tenants |
The unique id of the signing key used to sign the Id token. |
tenants |
The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0. |
tenants |
The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0. |
tenants |
The logout redirect URL when sending the user’s browser to the |
tenants |
The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when |
tenants |
Indicates that the maximum password age is enabled and being enforced. |
tenants |
The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when |
tenants |
Indicates that the minimum password age is enabled and being enforced. |
tenants |
The unique name of the Tenant. |
tenants |
The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth: |
tenants |
The factor used by the password encryption scheme. If not provided, the |
tenants |
When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import. |
tenants |
The maximum length of a password when a new user is created or a user requests a password change. |
tenants |
The minimum length of a password when a new user is created or a user requests a password change. |
tenants |
The number of previous passwords to remember. Value must be greater than 0. |
tenants |
Whether to prevent a user from using any of their previous passwords. |
tenants |
Whether to force the user to use at least one uppercase and one lowercase character. |
tenants |
Whether to force the user to use at least one non-alphanumeric character. |
tenants |
Whether to force the user to use at least one number. |
tenants |
The unique Id of the theme to be used to style the login page and other end user templates. |
tenants |
Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days. |
tenants |
The number of days from creation users will be retained before being deleted for not completing email verification. |
{
"tenants": [
{
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000
},
"failedAuthenticationConfiguration": {
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"name": "Playtronics Co.",
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true
},
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
}
}
]
}4. Update a Tenant
This API is used to update an existing Tenant. You must specify the Id of the Tenant you are updating on the URI. You must specify all of the properties of the Tenant when calling this API. This API does not merge the existing Tenant and your new data. It replaces the existing Tenant with your new data.
4.1. Request
Update the Tenant with the given Id
PUT /api/tenant/{tenantId}
PATCH /api/tenant/{tenantId}
Available since 1.12.0
When using the PATCH method, use the same request body documentation that is provided for the PUT request. The PATCH method will merge the provided request parameters into the existing object, this means all parameters are optional when using the PATCH method and you only provide the values you want changed. A
nullvalue can be used to remove a value. Patching anArraywill result in all values from the new list being appended to the existing list.
tenantId [UUID] Required |
The Id of the Tenant to update. |
tenant.data [Object] Optional |
An object that can hold any information about the Tenant that should be persisted. |
tenant.emailConfiguration.enabled [Boolean] Optional Deprecated |
When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration. Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration. |
tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID] Optional |
The Id of the Email Template that is used when a user is sent a forgot password email. |
tenant.emailConfiguration.host [String] Required Available Since 1.8.0 |
The host name of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.password [String] Optional Available Since 1.8.0 |
An optional password FusionAuth will use to authenticate with the SMTP server. |
tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Optional Available Since 1.8.0 |
The Id of the Passwordless Email Template. |
tenant.emailConfiguration.port [Integer] Required Available Since 1.8.0 |
The port of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.properties [String] Optional Available Since 1.8.0 |
Additional Email Configuration in a properties file formatted String. |
tenant.emailConfiguration.security [String] Optional defaults to |
The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
|
tenant.emailConfiguration.setPasswordEmailTemplateId [UUID] Optional |
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. |
tenant.emailConfiguration.username [String] Optional Available Since 1.8.0 |
An optional username FusionAuth will to authenticate with the SMTP server. |
tenant.emailConfiguration.verificationEmailTemplateId [UUID] Optional |
The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the |
tenant.emailConfiguration.verifyEmail [Boolean] Optional defaults to |
Whether the user’s email addresses are verified when the registers with your application. |
tenant.emailConfiguration.verifyEmailWhenChanged [Boolean] Optional defaults to |
Whether the user’s email addresses are verified when the user changes them. |
tenant.eventConfiguration.events [Object] Optional defaults to {} Available Since 1.8.0 |
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
|
tenant.eventConfiguration.events |
Whether or not FusionAuth should send these types of events to any configured Webhooks. |
tenant.eventConfiguration.events |
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
|
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint. Value must be greater than 0 and less than or equal to 600. |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the change password Id.
If the |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the change password Id. Must be either |
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the email verification Id.
If the |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the email verification Id. Must be either |
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the passwordless login.
If the |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the passwordless login. Must be either |
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the registration verification Id.
If the |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the registration verification Id. Must be either |
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Required Available Since 1.8.0 |
The length of the secure generator used for generating the setup password Id.
If the |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Required Available Since 1.8.0 |
The type of the secure generator used for generating the setup password Id. Must be either |
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.actionDuration [Long] Required defaults to |
The duration of the User Action. This value along with the |
tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Required defaults to |
The unit of time associated with a duration. The possible values are:
|
tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Required defaults to |
The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if |
tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Required defaults to |
The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.userActionId [UUID] Optional Available Since 1.8.0 |
The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts. |
tenant.familyConfiguration.allowChildRegistrations [Boolean] Optional defaults to |
Whether to allow child registrations. |
tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Optional Available Since 1.8.0 |
The unique Id of the email template to use when confirming a child. |
tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Optional defaults to |
Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days. |
tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Optional defaults to |
The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0. |
tenant.familyConfiguration.enabled [Boolean] Optional defaults to |
Whether family configuration is enabled. |
tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Optional Available Since 1.8.0 |
The unique Id of the email template to use when a family request is made. |
tenant.familyConfiguration.maximumChildAge [Integer] Optional defaults to |
The maximum age of a child. Value must be greater than 0. |
tenant.familyConfiguration.minimumOwnerAge [Integer] Optional defaults to |
The minimum age to be an owner. Value must be greater than 0. |
tenant.familyConfiguration.parentEmailRequired [Boolean] Optional defaults to |
Whether a parent email is required. |
tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Optional Available Since 1.8.0 |
The unique Id of the email template to use for parent registration. |
tenant.httpSessionMaxInactiveInterval [Integer] Optional default is |
Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend. |
tenant.issuer [String] Required Available Since 1.8.0 |
The named issuer used to sign tokens, this is generally your public fully qualified domain. |
tenant.jwtConfiguration.accessTokenKeyId [UUID] Required Available Since 1.8.0 |
The unique id of the signing key used to sign the access token. |
tenant.jwtConfiguration.idTokenKeyId [UUID] Required Available Since 1.8.0 |
The unique id of the signing key used to sign the Id token. |
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Required Available Since 1.8.0 |
The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0. |
tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Required Available Since 1.8.0 |
The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0. |
tenant.logoutURL [String] Optional Available Since 1.8.0 |
The logout redirect URL when sending the user’s browser to the |
tenant.maximumPasswordAge.days [Integer] Optional defaults to |
The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when |
tenant.maximumPasswordAge.enabled [Boolean] Optional defaults to |
Indicates that the maximum password age is enabled and being enforced. |
tenant.minimumPasswordAge.seconds [Integer] Optional defaults to |
The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when |
tenant.minimumPasswordAge.enabled [Boolean] Optional defaults to |
Indicates that the minimum password age is enabled and being enforced. |
tenant.name [String] Required |
The unique name of the Tenant. |
tenant.passwordEncryptionConfiguration.encryptionScheme [String] Optional defaults to |
The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth: |
tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Optional defaults to |
The factor used by the password encryption scheme. If not provided, the |
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Optional defaults to |
When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import. |
tenant.passwordValidationRules.maxLength [Integer] Required defaults to |
The maximum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.minLength [Integer] Required defaults to |
The minimum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Optional Available Since 1.8.0 |
The number of previous passwords to remember. Value must be greater than 0. |
tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Optional defaults to |
Whether to prevent a user from using any of their previous passwords. |
tenant.passwordValidationRules.requiredMixedCase [Boolean] Optional defaults to |
Whether to force the user to use at least one uppercase and one lowercase character. |
tenant.passwordValidationRules.requireNonAlpha [Boolean] Optional defaults to |
Whether to force the user to use at least one non-alphanumeric character. |
tenant.passwordValidationRules.requireNumber [Boolean] Optional defaults to |
Whether to force the user to use at least one number. |
tenant.themeId [UUID] Required Available Since 1.8.0 |
The unique Id of the theme to be used to style the login page and other end user templates. |
tenant.userDeletePolicy.unverified.enabled [Boolean] Optional defaults to |
Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days. |
tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Optional Available Since 1.13.0 |
The number of days from creation users will be retained before being deleted for not completing email verification. This field is required when tenant.userDeletePolicy.unverified.enabled is set to |
{
"tenant": {
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000
},
"failedAuthenticationConfiguration": {
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"httpSessionMaxInactiveInterval": 3600,
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"name": "Playtronics Co.",
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true
},
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
}
}
}4.2. Response
The response for this API contains the Tenant that was updated.
| Code | Description |
|---|---|
200 |
The request was successful. The response will contain a JSON body. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. |
401 |
You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 |
The object you are trying to updated doesn’t exist. The response will be empty. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
tenant.data [Object] |
An object that can hold any information about the Tenant that should be persisted. |
tenant.emailConfiguration.enabled [Boolean] Deprecated |
When this value is set to true the email configuration provided by this tenant will take precedence over the configuration by the System Configuration. Removed in version 1.8.0 In version 1.8.0 and beyond, a Tenant’s email configuration is enabled upon configuration. |
tenant.emailConfiguration.forgotPasswordEmailTemplateId [UUID] |
The Id of the Email Template that is used when a user is sent a forgot password email. |
tenant.emailConfiguration.host [String] Available Since 1.8.0 |
The host name of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.password [String] Available Since 1.8.0 |
An optional password FusionAuth will use to authenticate with the SMTP server. |
tenant.emailConfiguration.passwordlessEmailTemplateId [UUID] Available Since 1.8.0 |
The Id of the Passwordless Email Template. |
tenant.emailConfiguration.port [Integer] Available Since 1.8.0 |
The port of the SMTP server that FusionAuth will use. |
tenant.emailConfiguration.properties [String] Available Since 1.8.0 |
Additional Email Configuration in a properties file formatted String. |
tenant.emailConfiguration.security [String] Available Since 1.8.0 |
The type of security protocol FusionAuth will use when connecting to the SMTP server. The possible values are:
|
tenant.emailConfiguration.setPasswordEmailTemplateId [UUID] |
The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. |
tenant.emailConfiguration.username [String] Available Since 1.8.0 |
An optional username FusionAuth will to authenticate with the SMTP server. |
tenant.emailConfiguration.verificationEmailTemplateId [UUID] |
The If of the Email Template that is used to send the verification emails to users. These emails are used to verify that a user’s email address is valid. If either the |
tenant.emailConfiguration.verifyEmail [Boolean] |
Whether the user’s email addresses are verified when the registers with your application. |
tenant.emailConfiguration.verifyEmailWhenChanged [Boolean] |
Whether the user’s email addresses are verified when the user changes them. |
tenant.eventConfiguration.events [Object] Available Since 1.8.0 |
A mapping of the configuration for each event type that FusionAuth sends. The event types that are the keys into this Object are:
|
tenant.eventConfiguration.events |
Whether or not FusionAuth should send these types of events to any configured Webhooks. |
tenant.eventConfiguration.events |
The transaction type that FusionAuth uses when sending these types of events to any configured Webhooks. The transaction types are:
|
tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a OAuth authorization code in no longer valid to be exchanged for an access token. This is essentially the time allowed between the start of an Authorization request during the Authorization code grant and when you request an access token using this authorization code on the Token endpoint. Value must be greater than 0 and less than or equal to 600. |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the change password Id.
If the |
tenant.externalIdentifierConfiguration.changePasswordIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the change password Id. Must be either |
tenant.externalIdentifierConfiguration.changePasswordIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a change password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the email verification Id.
If the |
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the email verification Id. Must be either |
tenant.externalIdentifierConfiguration.emailVerificationIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a email verification Id is no longer valid and cannot be used by the Verify Email API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.oneTimePasswordTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a One Time Password is no longer valid and cannot be used by the Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the passwordless login.
If the |
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the passwordless login. Must be either |
tenant.externalIdentifierConfiguration.passwordlessLoginTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a passwordless code is no longer valid and cannot be used by the Passwordless API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the registration verification Id.
If the |
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the registration verification Id. Must be either |
tenant.externalIdentifierConfiguration.registrationVerificationIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a registration verification Id is no longer valid and cannot be used by the Verify Registration API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.length [Integer] Available Since 1.8.0 |
The length of the secure generator used for generating the setup password Id.
If the |
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator.type [String] Available Since 1.8.0 |
The type of the secure generator used for generating the setup password Id. Must be either |
tenant.externalIdentifierConfiguration.setupPasswordIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a setup password Id is no longer valid and cannot be used by the Change Password API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until a two factor Id is no longer valid and cannot be used by the Two Factor Login API. Value must be greater than 0. |
tenant.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds [Integer] Available Since 1.8.0 |
The time in seconds until an issued Two Factor trust Id is no longer valid and the User will be required to complete Two Factor authentication during the next authentication attempt. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.actionDuration [Long] Available Since 1.8.0 |
The duration of the User Action. This value along with the |
tenant.failedAuthenticationConfiguration.actionDurationUnit [String] Available Since 1.8.0 |
The unit of time associated with a duration. The possible values are:
|
tenant.failedAuthenticationConfiguration.resetCountInSeconds [Integer] Available Since 1.8.0 |
The length of time in seconds before the failed authentication count will be reset. Value must be greater than 0.
For example, if |
tenant.failedAuthenticationConfiguration.tooManyAttempts [Integer] Available Since 1.8.0 |
The number of failed attempts considered to be too many. Once this threshold is reached the specified User Action will be applied to the user for the duration specified. Value must be greater than 0. |
tenant.failedAuthenticationConfiguration.userActionId [UUID] Available Since 1.8.0 |
The Id of the User Action that is applied when the threshold is reached for too many failed authentication attempts. |
tenant.familyConfiguration.allowChildRegistrations [Boolean] Available Since 1.8.0 |
Whether to allow child registrations. |
tenant.familyConfiguration.confirmChildEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use when confirming a child. |
tenant.familyConfiguration.deleteOrphanedAccounts [Boolean] Available Since 1.8.0 |
Indicates that child users without parental verification will be permanently deleted after tenant.familyConfiguration.deleteOrphanedAccountsDays days. |
tenant.familyConfiguration.deleteOrphanedAccountsDays [Integer] Available Since 1.8.0 |
The number of days from creation child users will be retained before being deleted for not completing parental verification. Value must be greater than 0. |
tenant.familyConfiguration.enabled [Boolean] Available Since 1.8.0 |
Whether family configuration is enabled. |
tenant.familyConfiguration.familyRequestEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use when a family request is made. |
tenant.familyConfiguration.maximumChildAge [Integer] Available Since 1.8.0 |
The maximum age of a child. Value must be greater than 0. |
tenant.familyConfiguration.minimumOwnerAge [Integer] Available Since 1.8.0 |
The minimum age to be an owner. Value must be greater than 0. |
tenant.familyConfiguration.parentEmailRequired [Boolean] Available Since 1.8.0 |
Whether a parent email is required. |
tenant.familyConfiguration.parentRegistrationEmailTemplateId [UUID] Available Since 1.8.0 |
The unique Id of the email template to use for parent registration. |
tenant.httpSessionMaxInactiveInterval [Integer] Available Since 1.8.0 |
Time in seconds until an inactive session will be invalidated. Used when creating a new session in the FusionAuth OAuth frontend. |
tenant.id [UUID] |
The unique identifier for this Tenant. |
tenant.issuer [String] Available Since 1.8.0 |
The named issuer used to sign tokens, this is generally your public fully qualified domain. |
tenant.jwtConfiguration.accessTokenKeyId [UUID] Available Since 1.8.0 |
The unique id of the signing key used to sign the access token. |
tenant.jwtConfiguration.idTokenKeyId [UUID] Available Since 1.8.0 |
The unique id of the signing key used to sign the Id token. |
tenant.jwtConfiguration.refreshTokenTimeToLiveInMinutes [Integer] Available Since 1.8.0 |
The length of time in minutes a Refresh Token is valid from the time it was issued. Value must be greater than 0. |
tenant.jwtConfiguration.timeToLiveInSeconds [Integer] Available Since 1.8.0 |
The length of time in seconds this JWT is valid from the time it was issued. Value must be greater than 0. |
tenant.logoutURL [String] Available Since 1.8.0 |
The logout redirect URL when sending the user’s browser to the |
tenant.maximumPasswordAge.days [Integer] Available Since 1.8.0 |
The password maximum age in days. The number of days after which FusionAuth will require a user to change their password. Required when |
tenant.maximumPasswordAge.enabled [Boolean] Available Since 1.8.0 |
Indicates that the maximum password age is enabled and being enforced. |
tenant.minimumPasswordAge.seconds [Integer] Available Since 1.8.0 |
The password minimum age in seconds. When enabled FusionAuth will not allow a password to be changed until it reaches this minimum age. Required when |
tenant.minimumPasswordAge.enabled [Boolean] Available Since 1.8.0 |
Indicates that the minimum password age is enabled and being enforced. |
tenant.name [String] |
The unique name of the Tenant. |
tenant.passwordEncryptionConfiguration.encryptionScheme [String] Available Since 1.8.0 |
The default method for encrypting the User’s password. The following encryptors are provided with FusionAuth: |
tenant.passwordEncryptionConfiguration.encryptionSchemeFactor [Integer] Available Since 1.8.0 |
The factor used by the password encryption scheme. If not provided, the |
tenant.passwordEncryptionConfiguration.modifyEncryptionSchemeOnLogin [Boolean] Available Since 1.8.0 |
When enabled a user’s hash configuration will be modified to match these configured settings. This can be useful to increase a password hash strength over time or upgrade imported users to a more secure encryption scheme after an initial import. |
tenant.passwordValidationRules.maxLength [Integer] Available Since 1.8.0 |
The maximum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.minLength [Integer] Available Since 1.8.0 |
The minimum length of a password when a new user is created or a user requests a password change. |
tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] Available Since 1.8.0 |
The number of previous passwords to remember. Value must be greater than 0. |
tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] Available Since 1.8.0 |
Whether to prevent a user from using any of their previous passwords. |
tenant.passwordValidationRules.requiredMixedCase [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one uppercase and one lowercase character. |
tenant.passwordValidationRules.requireNonAlpha [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one non-alphanumeric character. |
tenant.passwordValidationRules.requireNumber [Boolean] Available Since 1.8.0 |
Whether to force the user to use at least one number. |
tenant.themeId [UUID] Available Since 1.8.0 |
The unique Id of the theme to be used to style the login page and other end user templates. |
tenant.userDeletePolicy.unverified.enabled [Boolean] Available Since 1.13.0 |
Indicates that users without a verified email address will be permanently deleted after tenant.userDeletePolicy.unverified.numberOfDaysToRetain days. |
tenant.userDeletePolicy.unverified.numberOfDaysToRetain [Integer] Available Since 1.13.0 |
The number of days from creation users will be retained before being deleted for not completing email verification. Value must be greater than 0. |
{
"tenant": {
"data": {
"description": "No more secrets, Marty."
},
"emailConfiguration": {
"forgotPasswordEmailTemplateId": "49aba1de-0225-45d7-a2b1-f9fe46b0242c",
"host": "smtp.sendgrid.net",
"password": "password",
"passwordlessEmailTemplateId": "a917e23a-da58-4cda-be01-90f542f8c343",
"port": 587,
"properties": {
"key": "value"
},
"security": "TLS",
"setPasswordEmailTemplateId": "a9aba13e-0125-4fd7-a2b1-aaa146b02423",
"username": "username",
"verificationEmailTemplateId": "8da42c09-461c-45f3-b931-6e9f63b87ab5",
"verifyEmail": true,
"verifyEmailWhenChanged": true
},
"eventConfiguration": {
"events": {
"user.delete": {
"enabled": true,
"transactionType": "None"
},
"user.create": {
"enabled": true,
"transactionType": "None"
},
"user.update": {
"enabled": true,
"transactionType": "None"
},
"user.deactivate": {
"enabled": true,
"transactionType": "None"
},
"user.bulk.create": {
"enabled": true,
"transactionType": "None"
},
"user.reactivate": {
"enabled": true,
"transactionType": "None"
},
"jwt.refresh-token.revoke": {
"enabled": true,
"transactionType": "None"
},
"jwt.public-key.update": {
"enabled": true,
"transactionType": "None"
},
"user.login.success": {
"enabled": true,
"transactionType": "None"
},
"user.login.failed": {
"enabled": true,
"transactionType": "None"
},
"user.registration.create": {
"enabled": true,
"transactionType": "None"
},
"user.registration.update": {
"enabled": true,
"transactionType": "None"
},
"user.registration.delete": {
"enabled": true,
"transactionType": "None"
},
"user.registration.verified": {
"enabled": true,
"transactionType": "None"
},
"user.email.verified": {
"enabled": true,
"transactionType": "None"
}
}
},
"externalIdentifierConfiguration": {
"authorizationGrantIdTimeToLiveInSeconds": 30,
"changePasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"changePasswordIdTimeToLiveInSeconds": 600,
"emailVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"emailVerificationIdTimeToLiveInSeconds": 86400,
"oneTimePasswordTimeToLiveInSeconds": 60,
"passwordlessLoginGenerator": {
"length": 32,
"type": "randomBytes"
},
"passwordlessLoginTimeToLiveInSeconds": 180,
"registrationVerificationIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"registrationVerificationIdTimeToLiveInSeconds": 86400,
"setupPasswordIdGenerator": {
"length": 32,
"type": "randomBytes"
},
"setupPasswordIdTimeToLiveInSeconds": 86400,
"twoFactorIdTimeToLiveInSeconds": 300,
"twoFactorTrustIdTimeToLiveInSeconds": 2592000
},
"failedAuthenticationConfiguration": {
"actionDuration": 3,
"actionDurationUnit": "MINUTES",
"resetCountInSeconds": 60,
"tooManyAttempts": 5,
"userActionId": "16cfc707-268c-4c5b-8989-f71f3ee156d4"
},
"familyConfiguration": {
"allowChildRegistrations": true,
"confirmChildEmailTemplateId": "87654321-4321-8765-ba09-ba0987654321",
"deleteOrphanedAccounts": false,
"deleteOrphanedAccountsDays": 30,
"enabled": true,
"familyRequestEmailTemplateId": "57462514-a73b-cd76-0001-b8a65cd61230",
"maximumChildAge": 12,
"minimumOwnerAge": 21,
"parentEmailRequired": false,
"parentRegistrationEmailTemplateId": "12345678-1234-5678-90ab-1234567890ab"
},
"httpSessionMaxInactiveInterval": 3600,
"id": "32306536-3036-6431-3865-646430303332",
"issuer": "https://example.com",
"jwtConfiguration": {
"accessTokenKeyId": "025233ca-d4f3-2aa4-eca9-7e4200e9b472",
"enabled": true,
"idTokenKeyId": "092dbedc-30af-4149-9c61-b578f2c72f59",
"refreshTokenTimeToLiveInMinutes": 43200,
"timeToLiveInSeconds": 3600
},
"logoutURL": "http://example.com/logout",
"maximumPasswordAge": {
"days": 180,
"enabled": false
},
"minimumPasswordAge": {
"enabled": false,
"seconds": 30
},
"name": "Playtronics Co.",
"passwordEncryptionConfiguration": {
"encryptionScheme": "salted-pbkdf2-hmac-sha256",
"encryptionSchemeFactor": 24000,
"modifyEncryptionSchemeOnLogin": false
},
"passwordValidationRules": {
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true
},
"themeId": "c6ad3fac-6f32-4db7-91a4-061ff035e871",
"userDeletePolicy": {
"unverified": {
"enabled": true,
"numberOfDaysToRetain": 30
}
}
}
}5. Delete a Tenant
This API is used to permanently delete a Tenant. Deleting a Tenant will delete all Users, Applications and Groups that belong to this tenant. Proceed with caution.
5.1. Request
DELETE /api/tenant/{tenantId}
tenantId [UUID] Required |
The unique Id of the Tenant to delete. |
5.2. Response
This API does not return a JSON response body.
| Code | Description |
|---|---|
200 |
The request was successful. The response will be empty. |
400 |
The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. |
401 |
You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
404 |
The object you are trying to delete doesn’t exist. The response will be empty. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 |
The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
6. Retrieve the Password Validation Rules
|
This API has been available since 1.8.0 |
This API is used to retrieve the Password Validation Rules. This configuration is a subset of the Tenant configuration.
6.1. Request
Retrieve the Password Validation Rules
GET /api/tenant/password-validation-rules/{tenantId}
tenantId [UUID] Required |
The Id of the tenant. |
6.2. Response
The response for this API contains the Password Validation Rules.
| Code | Description |
|---|---|
200 |
The request was successful. The response will contain a JSON body. |
500 |
There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
tenant.passwordValidationRules.maxLength [Integer] |
The maximum number of characters that are allowed for user passwords. |
tenant.passwordValidationRules.minLength [Integer] |
The minimum number of characters that are required for user passwords. |
tenant.passwordValidationRules.rememberPreviousPasswords.count [Integer] |
The number of previous passwords that should be remembered so they are not re-used by the User. |
tenant.passwordValidationRules.rememberPreviousPasswords.enabled [Boolean] |
Indicates that the remember previous password validation is enabled and being enforced. |
tenant.passwordValidationRules.requireMixedCase [Boolean] |
Indicates that passwords require an uppercase and lowercase character to be valid. |
tenant.passwordValidationRules.requireNonAlpha [Boolean] |
Indicates that passwords require a non-alphanumeric character to be valid. |
tenant.passwordValidationRules.requireNumber [Boolean] |
Indicates that passwords require at least one number to be valid. |
{
"passwordValidationRules": {
"maxLength": 256,
"minLength": 8,
"rememberPreviousPasswords": {
"count": 2,
"enabled": true
},
"requireMixedCase": true,
"requireNonAlpha": true,
"requireNumber": true
}
}