
IAM

IAM Permission Groups

List Account Permission Groups
client.iam.permissionGroups.list(PermissionGroupListParams { account_id, id, label, 3 more } params, RequestOptions options?): V4PagePaginationArray<PermissionGroupListResponse { id, meta, name }>
GET /accounts/{account_id}/iam/permission_groups
Permission Group Details
client.iam.permissionGroups.get(string permissionGroupId, PermissionGroupGetParams { account_id } params, RequestOptions options?): PermissionGroupGetResponse { id, meta, name }
GET /accounts/{account_id}/iam/permission_groups/{permission_group_id}
Models
PermissionGroupListResponse { id, meta, name }

A named group of permissions that map to a group of operations against resources.

id: string

Identifier of the permission group.

meta?: Meta { key, value }

Attributes associated to the permission group.

key?: string
value?: string
name?: string

Name of the permission group.

PermissionGroupGetResponse { id, meta, name }

A named group of permissions that map to a group of operations against resources.

id: string

Identifier of the permission group.

meta?: Meta { key, value }

Attributes associated to the permission group.

key?: string
value?: string
name?: string

Name of the permission group.

IAM Resource Groups

List Resource Groups
client.iam.resourceGroups.list(ResourceGroupListParams { account_id, id, name } params, RequestOptions options?): SinglePage<ResourceGroupListResponse { id, scope, meta, name }>
GET /accounts/{account_id}/iam/resource_groups
Resource Group Details
client.iam.resourceGroups.get(string resourceGroupId, ResourceGroupGetParams { account_id } params, RequestOptions options?): ResourceGroupGetResponse { id, scope, meta, name }
GET /accounts/{account_id}/iam/resource_groups/{resource_group_id}
Create Resource Group
client.iam.resourceGroups.create(ResourceGroupCreateParams { account_id, name, scope } params, RequestOptions options?): ResourceGroupCreateResponse { id, scope, meta, name }
POST /accounts/{account_id}/iam/resource_groups
Update Resource Group
client.iam.resourceGroups.update(string resourceGroupId, ResourceGroupUpdateParams { account_id, name, scope } params, RequestOptions options?): ResourceGroupUpdateResponse { id, scope, meta, name }
PUT /accounts/{account_id}/iam/resource_groups/{resource_group_id}
Remove Resource Group
client.iam.resourceGroups.delete(string resourceGroupId, ResourceGroupDeleteParams { account_id } params, RequestOptions options?): ResourceGroupDeleteResponse { id } | null
DELETE /accounts/{account_id}/iam/resource_groups/{resource_group_id}
Models
ResourceGroupListResponse { id, scope, meta, name }

A group of scoped resources.

id: string

Identifier of the resource group.

scope: Array<Scope>

The scope associated to the resource group

key: string

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: Array<Object>

A list of scope objects for additional context.

key: string

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta?: Meta { key, value }

Attributes associated to the resource group.

key?: string
value?: string
name?: string

Name of the resource group.

ResourceGroupGetResponse { id, scope, meta, name }

A group of scoped resources.

id: string

Identifier of the resource group.

scope: Array<Scope>

The scope associated to the resource group

key: string

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: Array<Object>

A list of scope objects for additional context.

key: string

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta?: Meta { key, value }

Attributes associated to the resource group.

key?: string
value?: string
name?: string

Name of the resource group.

ResourceGroupCreateResponse { id, scope, meta, name }

A group of scoped resources.

id: string

Identifier of the resource group.

scope: Array<Scope>

The scope associated to the resource group

key: string

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: Array<Object>

A list of scope objects for additional context.

key: string

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta?: Meta { key, value }

Attributes associated to the resource group.

key?: string
value?: string
name?: string

Name of the resource group.

ResourceGroupUpdateResponse { id, scope, meta, name }

A group of scoped resources.

id: string

Identifier of the resource group.

scope: Array<Scope>

The scope associated to the resource group

key: string

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: Array<Object>

A list of scope objects for additional context.

key: string

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta?: Meta { key, value }

Attributes associated to the resource group.

key?: string
value?: string
name?: string

Name of the resource group.

ResourceGroupDeleteResponse { id }
id: string

Identifier

maxLength: 32
minLength: 32

IAM User Groups

List User Groups
client.iam.userGroups.list(UserGroupListParams { account_id, id, direction, 4 more } params, RequestOptions options?): V4PagePaginationArray<UserGroupListResponse { id, created_on, modified_on, 2 more }>
GET /accounts/{account_id}/iam/user_groups
User Group Details
client.iam.userGroups.get(string userGroupId, UserGroupGetParams { account_id } params, RequestOptions options?): UserGroupGetResponse { id, created_on, modified_on, 2 more }
GET /accounts/{account_id}/iam/user_groups/{user_group_id}
Create User Group
client.iam.userGroups.create(UserGroupCreateParams { account_id, name, policies } params, RequestOptions options?): UserGroupCreateResponse { id, created_on, modified_on, 2 more }
POST /accounts/{account_id}/iam/user_groups
Update User Group
client.iam.userGroups.update(string userGroupId, UserGroupUpdateParams { account_id, name, policies } params, RequestOptions options?): UserGroupUpdateResponse { id, created_on, modified_on, 2 more }
PUT /accounts/{account_id}/iam/user_groups/{user_group_id}
Remove User Group
client.iam.userGroups.delete(string userGroupId, UserGroupDeleteParams { account_id } params, RequestOptions options?): UserGroupDeleteResponse { id } | null
DELETE /accounts/{account_id}/iam/user_groups/{user_group_id}
Models
UserGroupListResponse { id, created_on, modified_on, 2 more }

A group of policies resources.

id: string

User Group identifier tag.

maxLength: 32
minLength: 32
created_on: string

Timestamp for the creation of the user group.

format: date-time
modified_on: string

Last time the user group was modified.

format: date-time
name: string

Name of the user group.

policies?: Array<Policy>

Policies attached to the User group

id?: string

Policy identifier.

access?: "allow" | "deny"

Allow or deny operations against the resources.

One of the following:
"allow"
"deny"
permission_groups?: Array<PermissionGroup>

A set of permission groups that are specified to the policy.

id: string

Identifier of the permission group.

meta?: Meta { key, value }

Attributes associated to the permission group.

key?: string
value?: string
name?: string

Name of the permission group.

resource_groups?: Array<ResourceGroup>

A list of resource groups that the policy applies to.

id: string

Identifier of the resource group.

scope: Array<Scope>

The scope associated to the resource group

key: string

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: Array<Object>

A list of scope objects for additional context.

key: string

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta?: Meta { key, value }

Attributes associated to the resource group.

key?: string
value?: string
name?: string

Name of the resource group.

UserGroupGetResponse { id, created_on, modified_on, 2 more }

A group of policies resources.

id: string

User Group identifier tag.

maxLength: 32
minLength: 32
created_on: string

Timestamp for the creation of the user group.

format: date-time
modified_on: string

Last time the user group was modified.

format: date-time
name: string

Name of the user group.

policies?: Array<Policy>

Policies attached to the User group

id?: string

Policy identifier.

access?: "allow" | "deny"

Allow or deny operations against the resources.

One of the following:
"allow"
"deny"
permission_groups?: Array<PermissionGroup>

A set of permission groups that are specified to the policy.

id: string

Identifier of the permission group.

meta?: Meta { key, value }

Attributes associated to the permission group.

key?: string
value?: string
name?: string

Name of the permission group.

resource_groups?: Array<ResourceGroup>

A list of resource groups that the policy applies to.

id: string

Identifier of the resource group.

scope: Array<Scope>

The scope associated to the resource group

key: string

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: Array<Object>

A list of scope objects for additional context.

key: string

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta?: Meta { key, value }

Attributes associated to the resource group.

key?: string
value?: string
name?: string

Name of the resource group.

UserGroupCreateResponse { id, created_on, modified_on, 2 more }

A group of policies resources.

id: string

User Group identifier tag.

maxLength: 32
minLength: 32
created_on: string

Timestamp for the creation of the user group.

format: date-time
modified_on: string

Last time the user group was modified.

format: date-time
name: string

Name of the user group.

policies?: Array<Policy>

Policies attached to the User group

id?: string

Policy identifier.

access?: "allow" | "deny"

Allow or deny operations against the resources.

One of the following:
"allow"
"deny"
permission_groups?: Array<PermissionGroup>

A set of permission groups that are specified to the policy.

id: string

Identifier of the permission group.

meta?: Meta { key, value }

Attributes associated to the permission group.

key?: string
value?: string
name?: string

Name of the permission group.

resource_groups?: Array<ResourceGroup>

A list of resource groups that the policy applies to.

id: string

Identifier of the resource group.

scope: Array<Scope>

The scope associated to the resource group

key: string

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: Array<Object>

A list of scope objects for additional context.

key: string

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta?: Meta { key, value }

Attributes associated to the resource group.

key?: string
value?: string
name?: string

Name of the resource group.

UserGroupUpdateResponse { id, created_on, modified_on, 2 more }

A group of policies resources.

id: string

User Group identifier tag.

maxLength: 32
minLength: 32
created_on: string

Timestamp for the creation of the user group.

format: date-time
modified_on: string

Last time the user group was modified.

format: date-time
name: string

Name of the user group.

policies?: Array<Policy>

Policies attached to the User group

id?: string

Policy identifier.

access?: "allow" | "deny"

Allow or deny operations against the resources.

One of the following:
"allow"
"deny"
permission_groups?: Array<PermissionGroup>

A set of permission groups that are specified to the policy.

id: string

Identifier of the permission group.

meta?: Meta { key, value }

Attributes associated to the permission group.

key?: string
value?: string
name?: string

Name of the permission group.

resource_groups?: Array<ResourceGroup>

A list of resource groups that the policy applies to.

id: string

Identifier of the resource group.

scope: Array<Scope>

The scope associated to the resource group

key: string

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: Array<Object>

A list of scope objects for additional context.

key: string

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta?: Meta { key, value }

Attributes associated to the resource group.

key?: string
value?: string
name?: string

Name of the resource group.

UserGroupDeleteResponse { id }
id: string

Identifier

maxLength: 32
minLength: 32

IAM User Groups Members

List User Group Members
client.iam.userGroups.members.list(string userGroupId, MemberListParams { account_id, direction, fuzzyEmail, 2 more } params, RequestOptions options?): V4PagePaginationArray<MemberListResponse { id, email, status }>
GET /accounts/{account_id}/iam/user_groups/{user_group_id}/members
Get User Group Member
client.iam.userGroups.members.get(string userGroupId, string memberId, MemberGetParams { account_id } params, RequestOptions options?): MemberGetResponse { id, created_at, email, 2 more }
GET /accounts/{account_id}/iam/user_groups/{user_group_id}/members/{member_id}
Add User Group Members
client.iam.userGroups.members.create(string userGroupId, MemberCreateParams { account_id, members } params, RequestOptions options?): SinglePage<MemberCreateResponse { id, email, status }>
POST /accounts/{account_id}/iam/user_groups/{user_group_id}/members
Update User Group Members
client.iam.userGroups.members.update(string userGroupId, MemberUpdateParams { account_id, members } params, RequestOptions options?): SinglePage<MemberUpdateResponse { id, email, status }>
PUT /accounts/{account_id}/iam/user_groups/{user_group_id}/members
Remove User Group Member
client.iam.userGroups.members.delete(string userGroupId, string memberId, MemberDeleteParams { account_id } params, RequestOptions options?): MemberDeleteResponse { id, email, status }
DELETE /accounts/{account_id}/iam/user_groups/{user_group_id}/members/{member_id}
Models
MemberListResponse { id, email, status }

Member attached to a User Group.

id: string

Account member identifier.

email?: string

The contact email address of the user.

maxLength: 90
status?: "accepted" | "pending"

The member’s status in the account.

One of the following:
"accepted"
"pending"
MemberGetResponse { id, created_at, email, 2 more }

Detailed member information for a User Group member.

id: string

Account member identifier.

created_at?: string

When the member was added to the user group.

format: date-time
email?: string

The contact email address of the user.

maxLength: 90
status?: "accepted" | "pending"

The member’s status in the account.

One of the following:
"accepted"
"pending"
user?: User { id, email, first_name, last_name }

Details of the user associated with this membership.

id?: string

User identifier tag.

email?: string

The contact email address of the user.

maxLength: 90
first_name?: string

User’s first name.

last_name?: string

User’s last name.

MemberCreateResponse { id, email, status }

Member attached to a User Group.

id: string

Account member identifier.

email?: string

The contact email address of the user.

maxLength: 90
status?: "accepted" | "pending"

The member’s status in the account.

One of the following:
"accepted"
"pending"
MemberUpdateResponse { id, email, status }

Member attached to a User Group.

id: string

Account member identifier.

email?: string

The contact email address of the user.

maxLength: 90
status?: "accepted" | "pending"

The member’s status in the account.

One of the following:
"accepted"
"pending"
MemberDeleteResponse { id, email, status }

Member attached to a User Group.

id: string

Account member identifier.

email?: string

The contact email address of the user.

maxLength: 90
status?: "accepted" | "pending"

The member’s status in the account.

One of the following:
"accepted"
"pending"

IAM SSO

Get all SSO connectors
client.iam.sso.list(SSOListParams { account_id } params, RequestOptions options?): SinglePage<SSOListResponse { id, created_on, email_domain, 4 more }>
GET /accounts/{account_id}/sso_connectors
Get single SSO connector
client.iam.sso.get(string ssoConnectorId, SSOGetParams { account_id } params, RequestOptions options?): SSOGetResponse { id, created_on, email_domain, 4 more }
GET /accounts/{account_id}/sso_connectors/{sso_connector_id}
Initialize new SSO connector
client.iam.sso.create(SSOCreateParams { account_id, email_domain, begin_verification, use_fedramp_language } params, RequestOptions options?): SSOCreateResponse { id, created_on, email_domain, 4 more }
POST /accounts/{account_id}/sso_connectors
Update SSO connector state
client.iam.sso.update(string ssoConnectorId, SSOUpdateParams { account_id, enabled, use_fedramp_language } params, RequestOptions options?): SSOUpdateResponse { id, created_on, email_domain, 4 more }
PATCH /accounts/{account_id}/sso_connectors/{sso_connector_id}
Delete SSO connector
client.iam.sso.delete(string ssoConnectorId, SSODeleteParams { account_id } params, RequestOptions options?): SSODeleteResponse { id } | null
DELETE /accounts/{account_id}/sso_connectors/{sso_connector_id}
Begin SSO connector verification
client.iam.sso.beginVerification(string ssoConnectorId, SSOBeginVerificationParams { account_id } params, RequestOptions options?): SSOBeginVerificationResponse { errors, messages, success }
POST /accounts/{account_id}/sso_connectors/{sso_connector_id}/begin_verification
Models
SSOListResponse { id, created_on, email_domain, 4 more }
id?: string

SSO Connector identifier tag.

maxLength: 32
minLength: 32
created_on?: string

Timestamp for the creation of the SSO connector.

format: date-time
email_domain?: string
enabled?: boolean
updated_on?: string

Timestamp for the last update of the SSO connector.

format: date-time
use_fedramp_language?: boolean

Controls the display of FedRAMP language to the user during SSO login

verification?: Verification { code, status }
code?: string

DNS verification code. Add this entire string to the DNS TXT record of the email domain to validate ownership.

status?: "awaiting" | "pending" | "failed" | "verified"

The status of the verification code from the verification process.

One of the following:
"awaiting"
"pending"
"failed"
"verified"
SSOGetResponse { id, created_on, email_domain, 4 more }
id?: string

SSO Connector identifier tag.

maxLength: 32
minLength: 32
created_on?: string

Timestamp for the creation of the SSO connector.

format: date-time
email_domain?: string
enabled?: boolean
updated_on?: string

Timestamp for the last update of the SSO connector.

format: date-time
use_fedramp_language?: boolean

Controls the display of FedRAMP language to the user during SSO login

verification?: Verification { code, status }
code?: string

DNS verification code. Add this entire string to the DNS TXT record of the email domain to validate ownership.

status?: "awaiting" | "pending" | "failed" | "verified"

The status of the verification code from the verification process.

One of the following:
"awaiting"
"pending"
"failed"
"verified"
SSOCreateResponse { id, created_on, email_domain, 4 more }
id?: string

SSO Connector identifier tag.

maxLength: 32
minLength: 32
created_on?: string

Timestamp for the creation of the SSO connector.

format: date-time
email_domain?: string
enabled?: boolean
updated_on?: string

Timestamp for the last update of the SSO connector.

format: date-time
use_fedramp_language?: boolean

Controls the display of FedRAMP language to the user during SSO login

verification?: Verification { code, status }
code?: string

DNS verification code. Add this entire string to the DNS TXT record of the email domain to validate ownership.

status?: "awaiting" | "pending" | "failed" | "verified"

The status of the verification code from the verification process.

One of the following:
"awaiting"
"pending"
"failed"
"verified"
SSOUpdateResponse { id, created_on, email_domain, 4 more }
id?: string

SSO Connector identifier tag.

maxLength: 32
minLength: 32
created_on?: string

Timestamp for the creation of the SSO connector.

format: date-time
email_domain?: string
enabled?: boolean
updated_on?: string

Timestamp for the last update of the SSO connector.

format: date-time
use_fedramp_language?: boolean

Controls the display of FedRAMP language to the user during SSO login

verification?: Verification { code, status }
code?: string

DNS verification code. Add this entire string to the DNS TXT record of the email domain to validate ownership.

status?: "awaiting" | "pending" | "failed" | "verified"

The status of the verification code from the verification process.

One of the following:
"awaiting"
"pending"
"failed"
"verified"
SSODeleteResponse { id }
id: string

Identifier

maxLength: 32
minLength: 32
SSOBeginVerificationResponse { errors, messages, success }
errors: Array<Error>
code: number
minimum: 1000
message: string
documentation_url?: string
source?: Source { pointer }
pointer?: string
messages: Array<Message>
code: number
minimum: 1000
message: string
documentation_url?: string
source?: Source { pointer }
pointer?: string
success: true

Whether the API call was successful.

IAM OAuth Clients

List OAuth Clients
client.iam.oauthClients.list(OAuthClientListParams { account_id } params, RequestOptions options?): SinglePage<OAuthClientListResponse { client_id, visibility, allowed_cors_origins, 16 more }>
GET /accounts/{account_id}/oauth_clients
OAuth Client Details
client.iam.oauthClients.get(string oauthClientId, OAuthClientGetParams { account_id } params, RequestOptions options?): OAuthClientGetResponse { client_id, visibility, allowed_cors_origins, 16 more }
GET /accounts/{account_id}/oauth_clients/{oauth_client_id}
Create OAuth Client
client.iam.oauthClients.create(OAuthClientCreateParams { account_id, client_name, grant_types, 10 more } params, RequestOptions options?): OAuthClientCreateResponse { client_id, visibility, allowed_cors_origins, 17 more }
POST /accounts/{account_id}/oauth_clients
Update OAuth Client
client.iam.oauthClients.update(string oauthClientId, OAuthClientUpdateParams { account_id, allowed_cors_origins, client_name, 11 more } params, RequestOptions options?): OAuthClientUpdateResponse { client_id, visibility, allowed_cors_origins, 16 more }
PATCH /accounts/{account_id}/oauth_clients/{oauth_client_id}
Delete OAuth Client
client.iam.oauthClients.delete(string oauthClientId, OAuthClientDeleteParams { account_id } params, RequestOptions options?): OAuthClientDeleteResponse { id } | null
DELETE /accounts/{account_id}/oauth_clients/{oauth_client_id}
Rotate OAuth Client Secret
client.iam.oauthClients.rotateSecret(string oauthClientId, OAuthClientRotateSecretParams { account_id } params, RequestOptions options?): OAuthClientRotateSecretResponse { client_secret }
POST /accounts/{account_id}/oauth_clients/{oauth_client_id}/rotate_secret
Delete Rotated OAuth Client Secret
client.iam.oauthClients.deleteRotatedSecret(string oauthClientId, OAuthClientDeleteRotatedSecretParams { account_id } params, RequestOptions options?): OAuthClientDeleteRotatedSecretResponse { id } | null
DELETE /accounts/{account_id}/oauth_clients/{oauth_client_id}/rotate_secret
Models
OAuthClientListResponse { client_id, visibility, allowed_cors_origins, 16 more }

Fields shared by OAuth client responses and create/update requests.

client_id: string

The unique identifier for an OAuth client.

visibility: "public" | "private"

Visibility of the OAuth client.

One of the following:
"public"
"private"
allowed_cors_origins?: Array<string>

Array of allowed CORS origins.

client_name?: string

Human-readable name of the OAuth client.

client_uri?: string

URL of the home page of the client.

client_uri_verification?: ClientURIVerification { status, text }

Client URI domain control verification state.

status?: "pending" | "in_progress" | "verified" | "failed"

Current verification status for the client URI host.

One of the following:
"pending"
"in_progress"
"verified"
"failed"
text?: string

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at?: string

Timestamp when the OAuth client was created.

format: date-time
grant_types?: Array<"authorization_code" | "refresh_token">

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:
"authorization_code"
"refresh_token"
has_rotated_secret?: boolean

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri?: string

URL of the client’s logo.

policy_uri?: string

URL that points to a privacy policy document.

post_logout_redirect_uris?: Array<string>

Array of allowed post-logout redirect URIs.

redirect_uris?: Array<string>

Array of allowed redirect URIs for the client.

response_types?: Array<"token" | "id_token" | "code">

Array of OAuth response types the client is allowed to use.

One of the following:
"token"
"id_token"
"code"
scopes?: Array<string>

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"

The authentication method the client uses at the token endpoint.

One of the following:
"none"
"client_secret_basic"
"client_secret_post"
tos_uri?: string

URL that points to a terms of service document.

updated_at?: string

Timestamp when the OAuth client was last updated.

format: date-time
OAuthClientGetResponse { client_id, visibility, allowed_cors_origins, 16 more }

Fields shared by OAuth client responses and create/update requests.

client_id: string

The unique identifier for an OAuth client.

visibility: "public" | "private"

Visibility of the OAuth client.

One of the following:
"public"
"private"
allowed_cors_origins?: Array<string>

Array of allowed CORS origins.

client_name?: string

Human-readable name of the OAuth client.

client_uri?: string

URL of the home page of the client.

client_uri_verification?: ClientURIVerification { status, text }

Client URI domain control verification state.

status?: "pending" | "in_progress" | "verified" | "failed"

Current verification status for the client URI host.

One of the following:
"pending"
"in_progress"
"verified"
"failed"
text?: string

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at?: string

Timestamp when the OAuth client was created.

format: date-time
grant_types?: Array<"authorization_code" | "refresh_token">

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:
"authorization_code"
"refresh_token"
has_rotated_secret?: boolean

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri?: string

URL of the client’s logo.

policy_uri?: string

URL that points to a privacy policy document.

post_logout_redirect_uris?: Array<string>

Array of allowed post-logout redirect URIs.

redirect_uris?: Array<string>

Array of allowed redirect URIs for the client.

response_types?: Array<"token" | "id_token" | "code">

Array of OAuth response types the client is allowed to use.

One of the following:
"token"
"id_token"
"code"
scopes?: Array<string>

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"

The authentication method the client uses at the token endpoint.

One of the following:
"none"
"client_secret_basic"
"client_secret_post"
tos_uri?: string

URL that points to a terms of service document.

updated_at?: string

Timestamp when the OAuth client was last updated.

format: date-time
OAuthClientCreateResponse { client_id, visibility, allowed_cors_origins, 17 more }

Fields shared by OAuth client responses and create/update requests.

client_id: string

The unique identifier for an OAuth client.

visibility: "public" | "private"

Visibility of the OAuth client.

One of the following:
"public"
"private"
allowed_cors_origins?: Array<string>

Array of allowed CORS origins.

client_name?: string

Human-readable name of the OAuth client.

client_secret?: string

The client secret. This is the only time the secret is returned in a response.

client_uri?: string

URL of the home page of the client.

client_uri_verification?: ClientURIVerification { status, text }

Client URI domain control verification state.

status?: "pending" | "in_progress" | "verified" | "failed"

Current verification status for the client URI host.

One of the following:
"pending"
"in_progress"
"verified"
"failed"
text?: string

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at?: string

Timestamp when the OAuth client was created.

format: date-time
grant_types?: Array<"authorization_code" | "refresh_token">

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:
"authorization_code"
"refresh_token"
has_rotated_secret?: boolean

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri?: string

URL of the client’s logo.

policy_uri?: string

URL that points to a privacy policy document.

post_logout_redirect_uris?: Array<string>

Array of allowed post-logout redirect URIs.

redirect_uris?: Array<string>

Array of allowed redirect URIs for the client.

response_types?: Array<"token" | "id_token" | "code">

Array of OAuth response types the client is allowed to use.

One of the following:
"token"
"id_token"
"code"
scopes?: Array<string>

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"

The authentication method the client uses at the token endpoint.

One of the following:
"none"
"client_secret_basic"
"client_secret_post"
tos_uri?: string

URL that points to a terms of service document.

updated_at?: string

Timestamp when the OAuth client was last updated.

format: date-time
OAuthClientUpdateResponse { client_id, visibility, allowed_cors_origins, 16 more }

Fields shared by OAuth client responses and create/update requests.

client_id: string

The unique identifier for an OAuth client.

visibility: "public" | "private"

Visibility of the OAuth client.

One of the following:
"public"
"private"
allowed_cors_origins?: Array<string>

Array of allowed CORS origins.

client_name?: string

Human-readable name of the OAuth client.

client_uri?: string

URL of the home page of the client.

client_uri_verification?: ClientURIVerification { status, text }

Client URI domain control verification state.

status?: "pending" | "in_progress" | "verified" | "failed"

Current verification status for the client URI host.

One of the following:
"pending"
"in_progress"
"verified"
"failed"
text?: string

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at?: string

Timestamp when the OAuth client was created.

format: date-time
grant_types?: Array<"authorization_code" | "refresh_token">

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:
"authorization_code"
"refresh_token"
has_rotated_secret?: boolean

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri?: string

URL of the client’s logo.

policy_uri?: string

URL that points to a privacy policy document.

post_logout_redirect_uris?: Array<string>

Array of allowed post-logout redirect URIs.

redirect_uris?: Array<string>

Array of allowed redirect URIs for the client.

response_types?: Array<"token" | "id_token" | "code">

Array of OAuth response types the client is allowed to use.

One of the following:
"token"
"id_token"
"code"
scopes?: Array<string>

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"

The authentication method the client uses at the token endpoint.

One of the following:
"none"
"client_secret_basic"
"client_secret_post"
tos_uri?: string

URL that points to a terms of service document.

updated_at?: string

Timestamp when the OAuth client was last updated.

format: date-time
OAuthClientDeleteResponse { id }
id: string

Identifier

maxLength: 32
minLength: 32
OAuthClientRotateSecretResponse { client_secret }
client_secret?: string

The new client secret.

OAuthClientDeleteRotatedSecretResponse { id }
id: string

Identifier

maxLength: 32
minLength: 32

IAM OAuth Scopes

List OAuth Scopes
client.iam.oauthScopes.list(RequestOptions options?): SinglePage<OAuthScopeListResponse { id, name, category, scopes }>
GET /oauth/scopes
Models
OAuthScopeListResponse { id, name, category, scopes }

An available OAuth scope that can be assigned to an OAuth client.

id: string

The scope label to use in the scopes array when creating or updating an OAuth client.

name: string

Human-readable name of the OAuth scope.

category?: string

Category for grouping scopes in the UI.

scopes?: Array<string>

The underlying resource scopes (Bach scopes) that define which resources this OAuth scope can act upon.
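
Added example (not part of the SDK or of this reference): an offline audit of OAuth client records shaped like OAuthClientGetResponse, applying the scopes and grant_types rules stated above and checking scope labels against the ids returned by GET /oauth/scopes. The client records and scope ids are constructed; the redirect URI and implicit-flow rules are general OAuth hardening assumptions rather than documented API behaviour, and unlabelled scopes are assumed to be simple identity scopes.

```typescript
// Subset of the OAuth client fields documented above that the audit reads.
type OAuthClient = {
  client_id: string;
  client_uri?: string;
  client_uri_verification?: { status?: "pending" | "in_progress" | "verified" | "failed" };
  grant_types?: Array<"authorization_code" | "refresh_token">;
  has_rotated_secret?: boolean;
  redirect_uris?: string[];
  response_types?: Array<"token" | "id_token" | "code">;
  scopes?: string[];
};

type Finding = { client_id: string; rule: string; detail: string };

// Protocol scopes are added or removed by the API itself, so they are skipped.
const PROTOCOL_SCOPES: string[] = ["offline_access", "openid"];

// Assumption (local policy): https anywhere, plain http only on a loopback host.
function isAllowedRedirect(uri: string): boolean {
  if (/^https:\/\//i.test(uri)) return true;
  return /^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/i.test(uri);
}

// availableScopeIds: the `id` values from OAuthScopeListResponse entries.
function auditOAuthClient(c: OAuthClient, availableScopeIds: string[]): Finding[] {
  const out: Finding[] = [];
  const add = (rule: string, detail: string): void => {
    out.push({ client_id: c.client_id, rule, detail });
  };

  // Stated on the page: authorization_code is required in grant_types.
  if ((c.grant_types || []).indexOf("authorization_code") === -1) {
    add("grant-types", "authorization_code is missing from grant_types");
  }
  // Assumption: "token" (implicit flow) puts access tokens in the redirect.
  if ((c.response_types || []).indexOf("token") !== -1) {
    add("implicit-flow", 'response type "token" is enabled; prefer "code"');
  }
  for (const scope of c.scopes || []) {
    if (PROTOCOL_SCOPES.indexOf(scope) !== -1) continue;
    if (scope.indexOf(":") !== -1) {
      add("scope-colon", `colon-delimited scope "${scope}" is not accepted`);
    } else if (scope.indexOf(".") !== -1 && availableScopeIds.indexOf(scope) === -1) {
      add("scope-unknown", `scope "${scope}" is not in the available scope list`);
    }
    // Anything else is treated as a simple identity scope (assumption).
  }
  for (const uri of c.redirect_uris || []) {
    if (!isAllowedRedirect(uri)) add("redirect-uri", `redirect URI "${uri}" is not https or loopback`);
  }
  if (c.has_rotated_secret === true) {
    add("rotated-secret", "a rotated secret has not yet been deleted");
  }
  const verification = c.client_uri_verification;
  if (c.client_uri && (!verification || verification.status !== "verified")) {
    add("client-uri-unverified", `client_uri host is not verified (${verification ? verification.status : "no status"})`);
  }
  return out;
}

// Constructed sample data: these are not real scope ids or clients.
const AVAILABLE_SCOPE_IDS: string[] = ["example.read"];

const CLEAN_CLIENT: OAuthClient = {
  client_id: "example-client-a",
  client_uri: "https://app.example.com",
  client_uri_verification: { status: "verified" },
  grant_types: ["authorization_code", "refresh_token"],
  has_rotated_secret: false,
  redirect_uris: ["https://app.example.com/callback"],
  response_types: ["code"],
  scopes: ["openid", "offline_access", "profile", "example.read"],
};

const RISKY_CLIENT: OAuthClient = {
  client_id: "example-client-b",
  client_uri: "https://b.example.com",
  client_uri_verification: { status: "pending" },
  grant_types: ["refresh_token"],
  has_rotated_secret: true,
  redirect_uris: ["http://app.example.com/cb", "http://localhost:8976/cb"],
  response_types: ["token", "code"],
  scopes: ["example:read", "example.write", "email"],
};

console.log(JSON.stringify(auditOAuthClient(RISKY_CLIENT, AVAILABLE_SCOPE_IDS), null, 2));
```

In practice the records would come from client.iam.oauthClients.list and the scope ids from client.iam.oauthScopes.list.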