API Documentation for TrustX
For more information, please visit: TrustX Documentation
Last Updated: 2026-04-27
URL for fir regional system
URL for gum regional system
URL for oak regional system
Obtain a bearer token by API Key for the tenant
Returns the JWT token, otherwise 401 and an error code and message.
OK
Bad Request
Unauthorized
List API Keys for the tenant
List API Keys for the tenant.
API Permissions: TNT#{tenantid}#ArthrServer:listTenantApiKeys
OK
Bad Request
Unauthorized
Create an API Key for a tenant
Create an API Key for a tenant.
API Permissions: TNT#{tenantid}#ArthrServer:createTenantApiKey
Created
Bad Request
Unauthorized
Get an API Key for a tenant
Returns the specific API Key for a tenant.
API Permissions: TNT#{tenantid}#ArthrServer:getFromTenant
OK
Bad Request
Unauthorized
Update an API Key for a tenant
Updates an API Key for a tenant.
API Permissions: TNT#{tenantid}#ArthrServer:updateTenantApiKey
OK
Bad Request
Unauthorized
Delete an API Key.
Deletes the specific API Key. Once the API Key is deleted, it cannot be recovered.
API Permissions: TNT#{tenantid}#ArthrServer:deleteFromTenant
No Content
Bad Request
Unauthorized
Get an Admin Session by sessionId for a tenant
Retrieves a specific OIDC session by its session ID for the specified tenant.
API Permissions: TNT#{tenantid}#ArthrServer:getTenantOidcSessionBySessionId
Successfully retrieved OIDC session
Bad Request
Unauthorized
Access denied - insufficient tenant permissions
OIDC session not found
Internal server error
List Admin Sessions for a tenant
Retrieves a paginated list of OIDC sessions for the specified tenant with optional filtering by client ID and subject.
API Permissions: TNT#{tenantid}#ArthrServer:listTenantOidcSessions
Successfully retrieved OIDC sessions
Bad Request
Unauthorized
Access denied - insufficient tenant permissions
Internal server error
Get an Admin Session by id for a tenant
Retrieves a specific OIDC session by its unique ID for the specified tenant.
API Permissions: TNT#{tenantid}#ArthrServer:getTenantOidcSessionById
Successfully retrieved OIDC session
Bad Request
Unauthorized
Access denied - insufficient tenant permissions
OIDC session not found
Internal server error
Continue process.
Signal to the process instance that it should continue.
OK
Start a process instance.
Start a process instance given the process instance id (id).
OK
Get Process Token.
Get process token for the given ID.
API Permissions: TNT#{tenantid}#ProcessManager:getProcessToken
OK
Bad Request
Not Found
Invalidate a process token. (Deprecated)
Invalidate process token given a processTokenId.
API Permissions: TNT#{tenantid}#ProcessManager:invalidateProcessToken
OK
Bad Request
Not Found
Delete a process token.
Delete a process token given a processTokenId.
API Permissions: TNT#{tenantid}#ProcessManager:deleteProcessToken
OK
Bad Request
Not Found
List Process Tokens.
List process tokens given a search criteria.
API Permissions: TNT#{tenantid}#ProcessManager:listProcessTokens
OK
Bad Request
Not Found
Create a process token.
Create a process token.
API Permissions: TNT#{tenantid}#ProcessManager:addProcessToken
Created
Bad Request
Not Found
Get tag list
List the Tags that exist (for the tenant). If successful, it returns HTTP 200 and a list of Tags; otherwise, an appropriate error is returned.
The API allows the caller to filter on one or more Tag names (comma-separated). Wildcard matches are performed for Tag names, unless the exactMatch parameter is set to true.
API Permissions: TNT#{tenantid}#ProcessManager:getTagsForTenant
OK
Bad Request
Not Found
Delete tag
Delete a Tag from a Process Definition. Returns HTTP 204 for successful deletion of the Tag; otherwise, an appropriate error. Once the Tag is deleted, it cannot be referenced within the system (subject to cache expiry).
Warning: If you delete a Tag that is being used to reference a Process Definition when creating Process Tokens or Process Instances you will no longer be able to create Process Tokens or Instances.
API Permissions: TNT#{tenantid}#ProcessManager:deleteTagFromProcessDefinition
No Content
Bad Request
Process definition tag not found
Tag process definition
Create a Tag on the Process Definition.
This operation will move an existing Tag from another Process Definition if it already exists.
Returns HTTP 201 for successful creation or move of the tag(s) and tag(s) created or modified in body,
otherwise an appropriate error.
Note:
API Permissions: TNT#{tenantid}#ProcessManager:tagProcessDefinition
Created
Bad request
Process definition not found
Process Instances
Get a Process Instance.
Get a Process Instance based on an ID.
API Permissions: TNT#{tenantid}#ProcessManager:getProcessInstance
OK
Bad Request
Not Found
Delete a Process Instance.
Delete a Process Instance based on an ID.
API Permissions: TNT#{tenantid}#ProcessManager:deleteProcessInstance
OK
Bad Request
Not Found
List Process Instances.
List Process Instances based on a filter.
API Permissions: TNT#{tenantid}#ProcessManager:listProcessInstancesBetweenDates
OK
Bad Request
Not Found
Create a Process Instance (with redirect).
Create a Process Instance with redirect.
API Permissions: TNT#{tenantid}#ProcessManager:createProcessInstanceAndRedirect
Temporary Redirect
Bad Request
Not Found
Export process instance search results to CSV.
List Process Instances based on a filter and export results to a CSV file.
API Permissions: TNT#{tenantid}#ProcessManager:exportProcessInstancesToCsv
OK
Bad Request
Not Found
Get Process Instances by IDs.
Retrieve a list of process instances matching the provided IDs. Duplicate IDs are silently deduplicated; each matching instance is returned at most once.
API Permissions: TNT#{tenantid}#ProcessManager:getProcessInstancesByIds
List of process instances matching the provided IDs
Invalid request (empty ID list or exceeds maximum size)
Unauthorized
Forbidden - insufficient tenant permissions
Not Found
Get a Process Instance with additional parameters.
Get a Process Instance based on an ID (with additional parameters).
API Permissions: TNT#{tenantid}#ProcessManager:getProcessInstanceWithParameters
OK
Bad Request
Not Found
Create a Process Instance.
Create a Process Instance.
API Permissions: TNT#{tenantid}#ProcessManager:createProcessInstance
Created
Bad Request
Not Found
Search Process Instances.
Search Process Instances based on the provided criteria.
API Permissions: TNT#{tenantid}#ProcessManager:searchProcessInstancesBetweenDates
OK
Bad Request
Not Found
List the Cloud Secrets.
List the Cloud Secrets that exist (for the tenant). If successful, returns HTTP 200 and a page of Cloud Secrets; otherwise, an appropriate error.
API Permissions: TNT#{tenantid}#ProcessManager:listCloudSecrets
OK
Bad Request
Not Found
Create a Cloud Secret.
Create a Cloud Secret. Returns HTTP 201 for successful creation of the Cloud Secret, otherwise an appropriate error. Once created the Cloud Secret is assigned a unique id.
Note:
API Permissions: TNT#{tenantid}#ProcessManager:addCloudSecret
Created
Bad Request
Not Found
Get a Cloud Secret.
Get a Cloud Secret based on the id of the Cloud Secret. If successful returns HTTP 200 and the Cloud Secret, otherwise an appropriate error.
API Permissions: TNT#{tenantid}#ProcessManager:getCloudSecret
OK
Bad Request
Not Found
Update an existing Cloud Secret.
Update a Cloud Secret based on the ID. If successful, returns HTTP 200 and the updated Cloud Secret; otherwise, an appropriate error.
Note:
API Permissions: TNT#{tenantid}#ProcessManager:updateCloudSecret
OK
Bad Request
Not Found
Delete a Cloud Secret.
Delete a cloud secret based on the id. Returns HTTP 200 for successful deletion of the Cloud Secret, otherwise an appropriate error. Once the Cloud Secret is deleted, it cannot be referenced within the system (subject to cache expiry).
API Permissions: TNT#{tenantid}#ProcessManager:addCloudSecret
OK
Bad Request
Not Found
Query the status of an audit query.
Query the status of an audit query based on the executionId.
The state of query execution. QUEUED indicates that the query has been submitted to the
service, and will execute the query as soon as resources are available. RUNNING
indicates that the query is in execution phase. SUCCEEDED indicates that the query completed
without errors. FAILED indicates that the query experienced an error and did not complete
processing. CANCELLED indicates that a user input interrupted query execution.
API Permissions: TNT#{tenantid}#MetricsServer:getAuditQueryStatus
OK
Bad Request
Unauthorized
Internal Server Error
Create an audit query.
Create an audit query for which the result must be collected later.
API Permissions: TNT#{tenantid}#MetricsServer:startAuditQuery
OK
Bad Request
Unauthorized
Internal Server Error
Get a query result.
Get the query result based on the executionId.
API Permissions: TNT#{tenantid}#MetricsServer:getAuditQueryStatus
OK
Bad Request
Unauthorized
Internal Server Error
Userdata-controller
Get Checks.
Get Checks for the Process Instance. Optionally filter by key.
API Permissions: TNT#{tenantid}#UserDataServer:getChecksByKey
OK
Bad Request
Unauthorized
Get Image.
Get base64 encoded representation of user data such as a document or face image.
API Permissions: TNT#{tenantid}#UserDataServer:getProcessInstanceImages
OK
Bad Request
Unauthorized
Get User Data.
Get the Process Instance information as User Data.
API Permissions: TNT#{tenantid}#UserDataServer:getProcessInstanceUserData
OK
Bad Request
Unauthorized
Get Summary Archive.
Get Summary Archive. This file contains PII; it is the responsibility of the consumer of the API to provide the appropriate protections for the data.
API Permissions: TNT#{tenantid}#UserDataServer:getProcessInstanceUserDataArchive
OK
Bad Request
Unauthorized
Custom Pages
List Custom Pages
List custom pages for a tenant. The list can be filtered by name and status.
API Permissions: TNT#{tenantid}#ThemeServer:listCustomPages
OK
Bad Request
Create Custom Page
Create a custom page with the provided details.
API Permissions: TNT#{tenantid}#ThemeServer:createCustomPage
Created
Bad Request
Get Custom Page By Name And Version
Get a custom page by name and version for the specified tenant.
API Permissions: TNT#{tenantid}#ThemeServer:getCustomPageByNameAndVersion
OK
Bad Request
Create Custom Page Preview
Create a custom page preview by uploading a preview archive.
API Permissions: TNT#{tenantid}#ThemeServer:createCustomPagePreview
OK
Bad Request
Change Custom Page Status
Change the status of a custom page by id for the specified tenant.
API Permissions: TNT#{tenantid}#ThemeServer:changeCustomPageStatus
OK
Bad Request
Delete Custom Page Archive
Delete a custom page archive by custom page ID.
API Permissions: TNT#{tenantid}#ThemeServer:deleteCustomPageArchive
OK
Bad Request
Get Custom Page
Get a custom page by id.
API Permissions: TNT#{tenantid}#ThemeServer:getCustomPage
OK
Bad Request
Update Custom Page
Update a custom page by id.
API Permissions: TNT#{tenantid}#ThemeServer:updateCustomPage
OK
Bad Request
Delete Custom Page
Delete a custom page by id.
API Permissions: TNT#{tenantid}#ThemeServer:deleteCustomPage
OK
Bad Request
Get Custom Page Versions
Get custom page versions by name.
API Permissions: TNT#{tenantid}#ThemeServer:getCustomPageVersions
OK
Bad Request
Watchlist V2
Get a watchlist by ID
Retrieves detailed information about a specific watchlist including metadata and current entry count.
API Permissions: TNT#{tenantid}#WatchlistManager:getWatchlistV2
Watchlist retrieved successfully
Bad Request
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND)
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Update a watchlist
Updates an existing watchlist. The watchlist type cannot be changed after creation. The name must remain unique within the tenant.
API Permissions: TNT#{tenantid}#WatchlistManager:updateWatchlistV2
Watchlist updated successfully
Bad Request - Error Code 9 (INVALID_API_FIELD_ERROR), Error Code 11 (VALIDATION_NAME_REQUIRED), Error Code 12 (VALIDATION_NAME_INVALID_FORMAT), Error Code 13 (VALIDATION_NAME_TOO_LONG), Error Code 14 (VALIDATION_DESCRIPTION_TOO_LONG), Error Code 16 (VALIDATION_DURATION_INVALID), Error Code 38 (INVALID_ISO_DURATION)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND)
Conflict - Watchlist name already exists (Error Code 21 - WATCHLIST_NAME_ALREADY_EXISTS)
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Delete a watchlist
Permanently deletes a watchlist and all its entries. This action cannot be undone.
API Permissions: TNT#{tenantid}#WatchlistManager:deleteWatchlistV2
Watchlist deleted successfully
Bad Request - Cannot delete active watchlist (Error Code 28 - DELETE_OF_ACTIVE_WATCHLIST_ERROR)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND)
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Get largest watchlists by entry count
Retrieves the top N watchlists sorted by entry count (size) in descending order. Results are cached for 1 minute to improve performance. When multiple watchlists have the same entry count, they are ordered by most recently updated to ensure deterministic ordering. Exactly limit results are returned (no ties beyond limit). The response includes cache metadata indicating when the statistics were collected and when the cache will be expired.
API Permissions: TNT#{tenantid}#WatchlistManager:getLargestWatchlists
Largest watchlists retrieved successfully
Bad Request - Invalid limit parameter (Error Code 9 - INVALID_API_FIELD_ERROR)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Get individual watchlist usage statistics
Retrieves usage statistics for a specific watchlist including total entry count, remaining capacity, and maximum allowed entries.
API Permissions: TNT#{tenantid}#WatchlistManager:getWatchlistUsage
Usage statistics retrieved successfully
Bad Request
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND)
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
List watchlists
Retrieves a paginated list of watchlists for the tenant. Supports filtering by type, status, name, and date range. Results are sorted by creation date in descending order by default.
API Permissions: TNT#{tenantid}#WatchlistManager:listWatchlistsV2
Watchlists retrieved successfully
Bad Request - Cannot specify both 'name' and 'nameLike' parameters (Error Code 9 - INVALID_API_FIELD_ERROR)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Create a new watchlist
Creates a new watchlist for the specified type. Each tenant has a maximum number of watchlists they can create. The watchlist name must be unique within the tenant.
API Permissions: TNT#{tenantid}#WatchlistManager:createWatchlistV2
Watchlist created successfully
Bad Request - Error Code 9 (INVALID_API_FIELD_ERROR), Error Code 11 (VALIDATION_NAME_REQUIRED), Error Code 12 (VALIDATION_NAME_INVALID_FORMAT), Error Code 13 (VALIDATION_NAME_TOO_LONG), Error Code 14 (VALIDATION_DESCRIPTION_TOO_LONG), Error Code 15 (VALIDATION_TYPE_REQUIRED), Error Code 16 (VALIDATION_DURATION_INVALID), Error Code 33 (WATCHLIST_MAX_LIMIT_REACHED), Error Code 38 (INVALID_ISO_DURATION), Error Code 40 (INVALID_WATCHLIST_TYPE)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict - Watchlist name already exists (Error Code 21 - WATCHLIST_NAME_ALREADY_EXISTS)
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Get watchlist usage statistics
Retrieves usage statistics for watchlists including total count, remaining capacity, and breakdown by watchlist type. Useful for monitoring quota limits and current usage.
API Permissions: TNT#{tenantid}#WatchlistManager:getWatchlistV2Usage
Usage statistics retrieved successfully
Bad Request
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Query a watchlist
Searches a watchlist for matches against the provided query. The query type must match the watchlist type. For documentNumber queries, the 'documentType' field is optional: when provided, the search is limited to that type; when omitted, the search runs across all document types in the watchlist. Returns matching entries with scores and metadata.
API Permissions: TNT#{tenantid}#WatchlistManager:queryWatchlistV2
Query executed successfully
Bad Request - Error Code 9 (INVALID_API_FIELD_ERROR), Error Code 22 (MISSING_FACE_IMAGE), Error Code 23 (GENERATING_FACE_TEMPLATE_ERROR), Error Code 27 (GENERATING_FACE_TEMPLATE_INVALID_IMAGE_ERROR), Error Code 39 (QUERY_LIMIT_EXCEEDED), Error Code 44 (INVALID_IPV4_ADDRESS_FOR_QUERY)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND)
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
List trend records
Lists individual trend records for a specific identifier over a time period. If 'type' is omitted, a unified view across all trend types is returned with common attributes only. If 'type' is provided, full type-specific details are included. Uses slice-based pagination for efficient handling of large datasets. The response includes a 'queryValue' field indicating the actual value used for the query (may be normalized). Pagination uses page (zero-based, default 0) and size (default 10). Sorting uses the sort query parameter, repeated as needed, each in the form property,(asc|desc) (e.g. sort=recordedDtm,desc). When omitted, the default is recordedDtm descending. Supported sort properties are the trend list view fields: recordedDtm, id, type, value, processDefnId, processDefnName, processDefnVersion, processInstanceId, trendGroup, expiresAfterDate, expiresAfterDays. Other property names are not supported and may result in an error.
API Permissions: TNT#{tenantid}#WatchlistManager:listTrendRecords
Trend records retrieved successfully
Bad Request - Error Code 9 (INVALID_API_FIELD_ERROR), Error Code 45 (INVALID_TREND_TYPE), Error Code 46 (INVALID_IPV4_ADDRESS_FORMAT), Error Code 51 (INVALID_TIME_RANGE), Error Code 58 (INVALID_EMAIL_FORMAT), Error Code 59 (INVALID_PHONE_NUMBER_FORMAT)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Add trend record
Adds a single trend record for a document number, IP address, visitor ID, email, or phone number. The request body is polymorphic based on the type of identifier being recorded.
API Permissions: SYS#WatchlistManager:addTrendRecord
Trend record added successfully
Bad Request - Error Code 9 (INVALID_API_FIELD_ERROR), Error Code 45 (INVALID_TREND_TYPE), Error Code 46 (INVALID_IPV4_ADDRESS_FORMAT), Error Code 55 (PROCESS_DEFINITION_FIELDS_REQUIRED), Error Code 56 (INVALID_EXPIRES_AFTER_DAYS), Error Code 58 (INVALID_EMAIL_FORMAT), Error Code 59 (INVALID_PHONE_NUMBER_FORMAT)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Delete trend records by process instance ID
Deletes all trend records associated with the supplied process instance ID across all trend types.
API Permissions: TNT#{tenantid}#WatchlistManager:deleteTrendsByProcessInstanceId
Trend records deleted successfully
Bad Request
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
List process instances for a trend value
Returns process instances that share a given trend value over a time period. The response wraps the original process-manager process instance payloads and adds HATEOAS links so the UI can navigate directly to each process instance. Process instance IDs are deduplicated within each page; if the same process instance has multiple trend records that span page boundaries, it may appear in more than one page of results. Callers that require a fully deduplicated list across all pages should accumulate and deduplicate client-side. Pagination uses page (zero-based, default 0) and size (default 10, consistent with Watchlist Manager V2 list endpoints). Sorting is not client-configurable: the sort query parameter is ignored if sent. Results are always ordered by the most recent trend recordedDtm per distinct process instance within the time range (descending), i.e. process instances with the newest matching trend activity appear first.
API Permissions: TNT#{tenantid}#WatchlistManager:listTrendProcessInstances
Process instances retrieved successfully
Bad Request - Error Code 9 (INVALID_API_FIELD_ERROR), Error Code 45 (INVALID_TREND_TYPE), Error Code 51 (INVALID_TIME_RANGE)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Get trend record by ID
Retrieves a single trend record by its unique ID, including all attributes. The response is polymorphic based on the type of identifier.
API Permissions: TNT#{tenantid}#WatchlistManager:getTrendRecord
Trend record retrieved successfully
Bad Request
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Trend record with the specified ID does not exist
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Query trend statistics
Returns trend statistics for a specific identifier over a given time period. Granularity is automatically determined from the time range using a snap-up algorithm that selects the smallest 'nice' interval from a fixed set (1s, 2s, 5s, 10s, 15s, 30s, 1m, 2m, 5m, 10m, 20m, 30m, 1h, 2h, 4h, 8h, 1d) to keep the response at approximately 90 data points, depending on bucket alignment. The granularity is returned as a compact label in the response (e.g. '5m', '2h', '1d'). The response includes a 'queryValue' field indicating the actual value used for the query (may be normalized).
API Permissions: TNT#{tenantid}#WatchlistManager:getTrendStatistics
Trend statistics retrieved successfully
Bad Request - Error Code 9 (INVALID_API_FIELD_ERROR), Error Code 45 (INVALID_TREND_TYPE), Error Code 46 (INVALID_IPV4_ADDRESS_FORMAT), Error Code 51 (INVALID_TIME_RANGE), Error Code 52 (TIME_RANGE_EXCEEDED), Error Code 58 (INVALID_EMAIL_FORMAT), Error Code 59 (INVALID_PHONE_NUMBER_FORMAT)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
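The granularity rule described for Query trend statistics, worked through as an added example (not Daon's code). It assumes "snap-up" means the smallest interval in the listed set that yields at most 90 buckets, that longer ranges clamp to 1d, and that buckets are aligned to epoch multiples of the interval; the function names are hypothetical.

```python
import math
from datetime import datetime, timedelta, timezone

# Interval set and the ~90-point target are quoted from the endpoint description.
NICE_INTERVALS = [
    ("1s", 1), ("2s", 2), ("5s", 5), ("10s", 10), ("15s", 15), ("30s", 30),
    ("1m", 60), ("2m", 120), ("5m", 300), ("10m", 600), ("20m", 1200),
    ("30m", 1800), ("1h", 3600), ("2h", 7200), ("4h", 14400), ("8h", 28800),
    ("1d", 86400),
]
TARGET_POINTS = 90
SECONDS = dict(NICE_INTERVALS)


def expected_granularity(start, end):
    """Label a client should expect back for the range [start, end).

    Assumption: the smallest interval giving at most TARGET_POINTS buckets is
    chosen; ranges too long for any interval fall back to the largest one.
    """
    span = (end - start).total_seconds()
    if span <= 0:
        raise ValueError("end must be after start")
    for label, seconds in NICE_INTERVALS:
        if seconds * TARGET_POINTS >= span:
            return label
    return NICE_INTERVALS[-1][0]


def bucket_count(start, end, label):
    """Buckets touched by [start, end), assuming epoch-aligned buckets.

    A range that does not start on a bucket boundary touches one extra
    bucket, which is why the point count is only approximately 90.
    """
    size = SECONDS[label]
    first = math.floor(start.timestamp() / size)
    last = math.ceil(end.timestamp() / size)
    return last - first


def windows_for_resolution(start, end, label):
    """Split [start, end) into consecutive windows that each resolve to
    `label` or finer, so short bursts are not merged into wide buckets."""
    step = timedelta(seconds=SECONDS[label] * TARGET_POINTS)
    windows, cursor = [], start
    while cursor < end:
        stop = min(cursor + step, end)
        windows.append((cursor, stop))
        cursor = stop
    return windows


def demo():
    """Constructed sample range: one day starting 2026-01-01T00:00:00Z."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    day = (t0, t0 + timedelta(hours=24))
    return {
        "whole_day_label": expected_granularity(*day),
        "per_minute_windows": len(windows_for_resolution(*day, "1m")),
    }
```

Under these assumptions a single 24-hour query comes back in 20-minute buckets, so a job that needs per-minute counts for the same day has to issue sixteen 90-minute queries.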
Watchlist Member Management (Deprecated)
List watchlist members. (DEPRECATED)
List the members of a watchlist. Returns a paged list of watchlist members. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:listWatchlistMembers
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Add watchlist member. (DEPRECATED)
Add a watchlist member to a watchlist. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:createWatchlistMember
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Get a watchlist member. (DEPRECATED)
Get a watchlist member based on a member's id. Returns detailed information for the watchlist member. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:getWatchlistMember
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Delete a watchlist member. (DEPRECATED)
Delete a watchlist member based on a member's id. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:deleteWatchlistMember
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Get a watchlist member's face image if available. (DEPRECATED)
Get a watchlist member's face image based on a member's id. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:getWatchlistMemberImage
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
List watchlist. (DEPRECATED)
List watchlists. Returns a paged list of watchlists based on sort criteria. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:listWatchLists
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Create a watchlist. (DEPRECATED)
Create a watchlist, watchlist members can be added once created. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:createWatchlist
Created
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Get a watchlist. (DEPRECATED)
Get a watchlist based on the watchlist id. Returns detailed information on the watchlist. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:getWatchlist
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Update a watchlist. (DEPRECATED)
Update a watchlist based on the watchlist id. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:updateWatchlist
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Delete a watchlist. (DEPRECATED)
Delete a watchlist based on the watchlist id. The delete of watchlist data is not immediate and is performed as a background task. DEPRECATED: Use '/watchlists' API endpoints instead.
API Permissions: TNT#{tenantid}#WatchlistManager:deleteWatchlist
OK
Bad Request
Forbidden
Not Found
Conflict
Internal Server Error
Get a watchlist entry by ID
Retrieves detailed information about a specific watchlist entry. For face recognition entries, the face image can be optionally included in the response.
API Permissions: TNT#{tenantid}#WatchlistManager:getWatchlistEntry
Watchlist entry retrieved successfully
Bad Request - Unsupported watchlist type (Error Code 9 - INVALID_API_FIELD_ERROR)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND), Watchlist member image not found (Error Code 30 - WATCHLIST_MEMBER_IMAGE_NOT_FOUND), Watchlist entry not found (Error Code 31 - WATCHLIST_ENTRY_NOT_FOUND)
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Delete a watchlist entry
Permanently removes an entry from the watchlist. This action cannot be undone.
API Permissions: TNT#{tenantid}#WatchlistManager:deleteWatchlistEntry
Watchlist entry deleted successfully
Bad Request - Unsupported watchlist type (Error Code 9 - INVALID_API_FIELD_ERROR), Inactive watchlist operation (Error Code 42 - INACTIVE_WATCHLIST_OPERATION_NOT_ALLOWED)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND), Watchlist entry not found (Error Code 31 - WATCHLIST_ENTRY_NOT_FOUND)
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
List watchlist entries
Retrieves a paginated list of entries in the watchlist. Supports filtering by date range and value. For face recognition watchlists, the face image is not included in the list for performance reasons.
API Permissions: TNT#{tenantid}#WatchlistManager:listWatchlistEntries
Watchlist entries retrieved successfully
Bad Request - Unsupported watchlist type (Error Code 9 - INVALID_API_FIELD_ERROR)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND)
Conflict
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Create a new watchlist entry
Adds a new entry to the watchlist. The entry type must match the watchlist type. Each entry value must be unique within the watchlist (for document numbers, the combination of value and document type must be unique).
API Permissions: TNT#{tenantid}#WatchlistManager:createWatchlistEntry
Watchlist entry created successfully
Bad Request - Error Code 9 (INVALID_API_FIELD_ERROR), Error Code 17 (VALIDATION_VALUE_REQUIRED), Error Code 18 (VALIDATION_VALUE_TOO_LONG), Error Code 19 (VALIDATION_DOCUMENT_TYPE_REQUIRED), Error Code 22 (MISSING_FACE_IMAGE), Error Code 23 (GENERATING_FACE_TEMPLATE_ERROR), Error Code 27 (GENERATING_FACE_TEMPLATE_INVALID_IMAGE_ERROR), Error Code 34 (INVALID_IPV4_ADDRESS), Error Code 35 (INVALID_DOCUMENT_NUMBER), Error Code 36 (INVALID_VISITOR_ID), Error Code 37 (INVALID_EXPIRATION_DATE), Error Code 40 (INVALID_WATCHLIST_TYPE), Error Code 41 (WATCHLIST_MAX_ENTRIES_EXCEEDED), Error Code 42 (INACTIVE_WATCHLIST_OPERATION_NOT_ALLOWED), Error Code 43 (VALIDATION_DOCUMENT_TYPE_TOO_LONG)
Unauthorized - Authentication required
Forbidden - Insufficient permissions
Not Found - Watchlist not found (Error Code 20 - WATCHLIST_NOT_FOUND)
Conflict - Entry already exists (Error Code 32 - WATCHLIST_ENTRY_ALREADY_EXISTS)
Internal Server Error - Unexpected error occurred (Error Code 1 - UNEXPECTED_ERROR)
Get the results of a store event query
Event querying may take a long time and so is implemented using three APIs:
- Start a query
- Get the query status. Poll until a result is available.
- Get the query results (this API).
NOTE: If there are too many results to return in this response, a token is returned which may be supplied in the request to this API to get the next set of results.
Refer to Daon documentation for more details on how to query identity store events.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getStoreEventsQueryResults permission.
API Permissions: TNT#{tenant}#IdentityStore:getStoreEventsQueryResults
Query results returned successfully
An error occurred. Possible error codes:
- 824: Failed to get query results from Athena
Unauthorized
Tenant not found.
Get the status of a store event query
Event querying may take a long time and so is implemented using three APIs:
- Start a query
- Get the query status. Poll until a result is available (this API).
- Get the query results.
The API typically returns HTTP status 200 and a response containing the status, for example QUEUED or SUCCEEDED. The API returns HTTP status 400 if the query failed to execute for some reason. Refer to Daon documentation for more details on how to query identity store events.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getStoreEventsQueryStatus permission.
API Permissions: TNT#{tenant}#IdentityStore:getStoreEventsQueryStatus
Query status returned successfully.
The response is a string indicating the state of an identity store event query in Athena. Possible values:
- QUEUED: the query has been submitted to the service and Athena will execute the query as soon as resources are available.
- RUNNING: the query is in execution phase.
- SUCCEEDED: the query completed without errors.
- FAILED: the query experienced an error and did not complete processing.
- CANCELLED: a user input interrupted query execution.
An error occurred. Possible error codes:
- 823: The Athena query failed to execute
- 825: An unsupported column name was provided in a sort parameter
Unauthorized
Tenant not found.
Get tenant statistics (key rollover, configured limits, identity store events statistics)
Returns:
- configured limits set for the tenant such as maximum number of stores and users
- the overall number of users added and deleted for this tenant
- the statistics for each store defined for this tenant. For details of how stats data is populated for different types of store event, refer to Daon documentation
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getTenantStats permission.
API Permissions: TNT#{tenant}#IdentityStore:getTenantStats
Tenant stats retrieved successfully
An error occurred.
Unauthorized
Tenant not found.
Start a store event query
Event querying may take a long time and so is implemented using three APIs:
- Start a query (this API).
- Get the query status. Poll until a result is available.
- Get the query results.
Refer to Daon documentation for more details on how to query identity store events.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:startStoreEventQuery permission.
API Permissions: TNT#{tenant}#IdentityStore:startStoreEventQuery
The query to execute
Query created successfully.
The response is a string containing the unique ID of the query execution which must be provided to the APIs which get the query status and results.
An error occurred. Possible error codes:
- 822: Error trying to start the Athena query
Unauthorized
Tenant not found.
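A client for the three-step flow described above (start, poll status, page through results), as an added example that is not Daon's code. The `api` object and its `start_query`, `get_status` and `get_results` methods are a hypothetical transport wrapper, because the endpoint paths and the name of the continuation-token field are not given on this page; `FakeApi` and its data are constructed so the block runs offline.

```python
import time


class StoreEventQueryError(Exception):
    """Raised when the query fails, is cancelled, times out or misbehaves."""


PENDING = {"QUEUED", "RUNNING"}          # non-terminal states listed by the status API
FAILED_STATES = {"FAILED", "CANCELLED"}  # terminal states that produce no results


def wait_for_query(api, query_id, timeout_s=300.0, delay_s=1.0, max_delay_s=30.0,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll the status API until SUCCEEDED; return the number of polls made."""
    deadline = clock() + timeout_s
    polls = 0
    while True:
        http_status, state = api.get_status(query_id)
        polls += 1
        if http_status == 400:
            # Per the page, HTTP 400 means the query failed to execute.
            raise StoreEventQueryError(f"query {query_id} failed to execute: {state}")
        if http_status != 200:
            raise StoreEventQueryError(f"unexpected HTTP {http_status} from status API")
        if state == "SUCCEEDED":
            return polls
        if state in FAILED_STATES:
            raise StoreEventQueryError(f"query {query_id} ended in state {state}")
        if state not in PENDING:
            # Fail closed on a state this client does not recognise.
            raise StoreEventQueryError(f"unknown query state {state!r}")
        if clock() + delay_s > deadline:
            raise StoreEventQueryError(f"query {query_id} still {state} at timeout")
        sleep(delay_s)
        delay_s = min(delay_s * 2, max_delay_s)  # capped exponential backoff


def fetch_all_results(api, query_id, max_pages=1000):
    """Follow the continuation token until the results API stops returning one."""
    rows, token, seen = [], None, set()
    for _ in range(max_pages):
        page, token = api.get_results(query_id, token)
        rows.extend(page)
        if token is None:
            return rows
        if token in seen:
            # A repeated token would otherwise loop forever.
            raise StoreEventQueryError("results API repeated a continuation token")
        seen.add(token)
    raise StoreEventQueryError(f"more than {max_pages} result pages")


def run_store_event_query(api, query, **poll_options):
    """Start the query, wait for it to succeed, then collect every result page."""
    query_id = api.start_query(query)
    wait_for_query(api, query_id, **poll_options)
    return fetch_all_results(api, query_id)


class FakeApi:
    """Constructed in-memory stand-in for the three endpoints (hypothetical)."""

    def __init__(self, states, pages):
        self.states = list(states)  # (http_status, state) pairs returned in order
        self.pages = pages          # token -> (rows, next_token); None is the first page
        self.slept = []

    def start_query(self, query):
        return "constructed-query-id"

    def get_status(self, query_id):
        # The last state repeats once the list is exhausted.
        return self.states.pop(0) if len(self.states) > 1 else self.states[0]

    def get_results(self, query_id, token):
        return self.pages[token]


def demo():
    api = FakeApi(
        states=[(200, "QUEUED"), (200, "RUNNING"), (200, "SUCCEEDED")],
        pages={None: ([{"event": 1}, {"event": 2}], "t1"), "t1": ([{"event": 3}], None)},
    )
    rows = run_store_event_query(api, "constructed query", sleep=api.slept.append)
    return rows, api.slept


if __name__ == "__main__":
    print(demo())
```

The timeout and page cap keep a stuck or misbehaving query from holding a worker, and a bearer token, indefinitely.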
User Biometric Management
List biometric versions for a user identified by external ID, the type and subtype
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:listUserBiometricVersionsByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:listUserBiometricsByExtUserId
User biometric versions retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
List biometrics for a user identified by external ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:listUserBiometricsByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:listUserBiometricsByExtUserId
User biometrics retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
List biometric versions for a user identified by internal ID and the type and subtype
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:listUserBiometricVersions permission.
API Permissions: TNT#{tenant}#IdentityStore:listUserBiometricVersions
User biometric versions retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
Delete a user biometric by external user ID and biometric ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserBiometricByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserBiometricByExtId
User biometric deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 2001: Biometric not found
List biometrics for a user identified by internal ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:listUserBiometrics permission.
API Permissions: TNT#{tenant}#IdentityStore:listUserBiometrics
User biometrics retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
Add or update biometric within an identity store for a user identified by its internal ID
If a biometric for this user with the specified type and subtype already exists then the following fields will be updated from the request:
- attributes
- createdFromRefs
- data
- status
Otherwise a new biometric entry will be created using the details in the request with the user and store details set to reference the user and store specified in the request parameters.
NOTE: The type, subtype and data fields of the biometric object are mandatory and the data must match the subtype.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:addUserBiometric permission.
API Permissions: TNT#{tenant}#IdentityStore:addUserBiometric
The biometric to create or update
Biometric created/updated successfully
An error occurred. Possible error codes:
- 2002: A biometric for this user with a duplicate type and subtype exists
- 2003: A data integrity violation occurred when saving the biometric to the database
- 2014: The subtype biometric data is too long for the specified subtype and can't be stored in the database.
- 2015: The user is not in a state to allow this operation.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
Update all biometrics for a user (identified by external user ID) of the specified type to the specified status
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:updateUserBiometricStatusByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:updateUserBiometricStatusByExtId
The biometric status information
User biometric updated successfully
An error occurred. Possible error codes:
- 2007: All biometrics of the specified type are already in the specified state.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 2009: No biometrics of the specified type found
Get the biometric sample versions referenced by the biometric specified by its type, subtype and versionId
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getReferenceUserBiometrics permission.
API Permissions: TNT#{tenant}#IdentityStore:getReferenceUserBiometrics
Reference User biometric versions retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2001: Biometric versions not found
Get a biometric including sensitive data for a user identified by internal ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserBiometric permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserBiometric
User biometric retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2001: Biometric not found
Delete a user biometric by internal user ID and biometric ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserBiometric permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserBiometric
User biometric deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2001: Biometric not found
Add or update biometric within an identity store for a user identified by its external ID
If a biometric for this user with the specified type and subtype already exists then the following fields will be updated from the request:
- attributes
- createdFromRefs
- data
- status
Otherwise a new biometric entry will be created using the details in the request with the user and store details set to reference the user and store specified in the request parameters.
NOTE: The type, subtype and data fields of the biometric object are mandatory.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:addUserBiometricByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:addUserBiometricByExtId
The biometric to create or update
Biometric created/updated successfully
An error occurred. Possible error codes:
- 2002: A biometric for this user with a duplicate type and subtype exists
- 2003: A data integrity violation occurred when saving the biometric to the database
- 2014: The subtype biometric data is too long for the specified subtype and can't be stored in the database.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
Get a biometric version including sensitive data for a user identified by external ID with the specified type, subtype and versionId
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserBiometricVersionWithTypeAndSubtypeByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserBiometricVersionWithTypeAndSubtypeByExtId
User biometric version retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 2001: Biometric not found
Record that a failed authentication has taken place with a user biometric. The user is identified by its external ID.
If an authentication fails, the identity store must be notified so that it can record the failure and increment the user lock counter.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:recordUserBiometricAuthenticationFailureByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:recordUserBiometricAuthenticationFailureByExtId
Information about a failed biometric authentication
Failed biometric authentication recorded successfully
An error occurred. Possible error codes:
- 2005: The specified biometric type is not supported
- 2006: The specified biometric subtype is not supported
- 2012: The type of the biometric data has not been specified
- 2100: Can't authenticate because the user is locked
- 2101: Can't authenticate because the user's modality is locked
- 2102: Can't authenticate because the user is disabled
- 20113: The subtype of the biometric data has not been specified.
- 20130: The reason for the biometric authentication failure has not been specified.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
Get a biometric including sensitive data for a user identified with type and subtype
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserBiometricWithTypeAndSubtype permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserBiometricWithTypeAndSubtype
User biometric retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2001: Biometric not found
Delete a user biometric by internal user ID and biometric type and subtype
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserBiometricWithTypeAndSubtype permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserBiometricWithTypeAndSubtype
User biometric deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2001: Biometric not found
Get the biometric samples referenced by the biometric specified by its type, subtype and versionId by user external ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getReferenceUserBiometricsByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:getReferenceUserBiometricsByExtId
User biometric versions retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 2001: Biometric versions not found
Perform a biometric face match. The user is identified by its external ID.
The face matching takes place within the identity store and the success or failure event is created. A face match sample must be provided with a type of Face, a subtype of Image or a supported template type, the data set to the image or template data and a status, typically set to ACTIVE.
If the storeAudit configuration field is set to true in the identity store's biometric authentication configuration then a detailed audit of the biometric authentication is created.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:matchFaceByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:matchFaceByExtId
Information about the face authentication
Face matched successfully
An error occurred - including the face match failing.
NOTE: For convenience, the updated user object is returned when there is a face match failure because it may contain updated information about the user lock state.
Possible error codes:
- 8: Face algorithm not supported
- 2005: The biometric type is not supported
- 2006: The biometric subtype is not supported
- 2100: The user is locked so authentication cannot be performed
- 2101: The face modality is locked so authentication cannot be performed
- 2102: The user is disabled so authentication cannot be performed
- 2103: The presented biometric is disabled so authentication cannot be performed
- 20114: Biometric data is not supplied in the request
- 20115: The specified biometric type is not supported
- 20120: An unexpected error occurred while generating face template
- 20121: An error occurred while attempting to perform a face match
- 20122: There is no suitable face data available for matching against the presented sample
- 20123: The matching process data is missing from the request
- 20124: The matching algorithm is missing from the request
- 20125: The matching threshold must be between 0 and 1
- 20126: The internal matching threshold must be between 0 and 1
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 2013: Biometric data not found for the specified user
Record that a failed authentication has taken place with a user biometric. The user is identified by its internal ID.
If an authentication fails, the identity store must be notified so that it can record the failure and increment the user lock counter.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:recordUserBiometricAuthenticationFailure permission.
API Permissions: TNT#{tenant}#IdentityStore:recordUserBiometricAuthenticationFailure
Information about a failed biometric authentication
Failed biometric authentication recorded successfully
An error occurred. Possible error codes:
- 2005: The specified biometric type is not supported
- 2006: The specified biometric subtype is not supported
- 2012: The type of the biometric data has not been specified
- 2100: Can't authenticate because the user is locked
- 2101: Can't authenticate because the user's modality is locked
- 2102: Can't authenticate because the user is disabled
- 20113: The subtype of the biometric data has not been specified.
- 20130: The reason for the biometric authentication failure has not been specified.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
Get the sensitive data of a biometric version for a user, identified by type, subtype and version ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserBiometricVersionDataWithTypeAndSubtype permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserBiometricVersionDataWithTypeAndSubtype
User biometric version retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2001: Biometric not found
Perform a biometric face match. The user is identified by its internal ID.
The face matching takes place within the identity store and the success or failure event is created. A face match sample must be provided with a type of Face, a subtype of Image or a supported template type, the data set to the image or template data and a status, typically set to ACTIVE.
If the storeAudit configuration field is set to true in the identity store's biometric authentication configuration then a detailed audit of the biometric authentication is created.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:matchFace permission.
API Permissions: TNT#{tenant}#IdentityStore:matchFace
Information about the face authentication
Face matched successfully
An error occurred - including the face match failing.
NOTE: For convenience, the updated user object is returned when there is a face match failure because it may contain updated information about the user lock state.
Possible error codes:
- 8: Face algorithm not supported
- 2005: The biometric type is not supported
- 2006: The biometric subtype is not supported
- 2100: The user is locked so authentication cannot be performed
- 2101: The face modality is locked so authentication cannot be performed
- 2102: The user is disabled so authentication cannot be performed
- 2103: The presented biometric is disabled so authentication cannot be performed
- 20114: Biometric data is not supplied in the request
- 20115: The specified biometric type is not supported
- 20120: An unexpected error occurred while generating face template
- 20121: An error occurred while attempting to perform a face match
- 20122: There is no suitable face data available for matching against the presented sample
- 20123: The matching process data is missing from the request
- 20124: The matching algorithm is missing from the request
- 20125: The matching threshold must be between 0 and 1
- 20126: The internal matching threshold must be between 0 and 1
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2013: Biometric data not found for the specified user
Get a biometric including sensitive data for a user identified by external ID with the specified type and subtype
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserBiometricWithTypeAndSubtypeByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserBiometricWithTypeAndSubtypeByExtId
User biometric retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 2001: Biometric not found
Get a biometric version including sensitive data for a user identified with type and subtype and version Id
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserBiometricVersionWithTypeAndSubtype permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserBiometricVersionWithTypeAndSubtype
User biometric version retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2001: Biometric not found
Get a biometric including sensitive data for a user identified by external ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserBiometricByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserBiometricByExtId
User biometric retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 2001: Biometric not found
Update all biometrics for a user (identified by internal user ID) of the specified type to the specified status
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:updateUserBiometricStatus permission.
API Permissions: TNT#{tenant}#IdentityStore:updateUserBiometricStatus
The biometric status information
User biometric updated successfully
An error occurred. Possible error codes:
- 2007: All biometrics of the specified type are already in the specified state.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 2009: No biometrics of the specified type found
Delete a user biometric by external user ID and biometric type and subtype
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserBiometricWithTypeAndSubtypeByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserBiometricWithTypeAndSubtypeByExtId
User biometric deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 2001: Biometric not found
User Appkey Management
Delete registered appkeys from a device given an appkey's key ID from the device itself and the user identified by its internal ID.
This API supports an appkey deregistration flow in which a key ID of an appkey to delete is sent from the device client. The appkey is deleted on the server and a deregistration request message is provided which is sent to the client to delete the key.
The default behaviour is to delete the specified appkey from the server and generate a deregistration request to delete that single key from the client. A mode parameter may be supplied to delete:
- all appkeys of the same type on the same device as the specified appkey
- all appkeys for the same device as the specified appkey
- all appkeys registered for the same user as the specified appkey
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deregisterUserAppkeyByUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:deregisterUserAppkeyByUserId
User appkey(s) deleted successfully
An error occurred. Possible error codes:
- 1068: The specified appkey is not registered to the specified user
- 1100: The specified appkey does not have a registered device ID so the requested appkeys belonging to the same device cannot be deleted.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1058: Appkey not found
Delete registered appkeys for a user (identified by internal ID) and create a deregistration request for the client. Appkeys can be deleted by type (silent, biometric) or AAID and can be restricted to a device or can be deleted across all devices for that user.
This API supports a TrustX process deregistration flow where the device ID and deregistration options (AAIDs, types to delete) are specified. The appkeys are deleted on the server and a deregistration request message is provided which is sent to the client to delete the keys.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deregisterUserAppkeys permission.
API Permissions: TNT#{tenant}#IdentityStore:deregisterUserAppkeys
User appkey(s) deleted successfully
An error occurred. Possible error codes:
- 1122: Parameters not supplied
- 1123: AAID options are empty in the supplied parameters.
- 1124: Appkey type options are empty in the supplied parameters.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1000: Appkey relying party ID not found
- 1125: No registered appkeys found for this device
- 1126: No registered appkeys found for this device and RP ID
- 1127: No registered appkeys found for this device and AAID
- 1128: No registered appkeys found for this device and AAIDs
- 1129: No registered appkeys found for this device and appkey type
- 1130: No registered appkeys found for this device and appkey types
- 1132: No registered appkeys found for this relying party
- 1133: No registered appkeys found for this relying party and AAID
- 1134: No registered appkeys found for this relying party and AAIDs
- 1135: No registered appkeys found for this relying party and appkey type
- 1136: No registered appkeys found for this relying party and appkey types
Complete an appkey authentication for an externally managed session.
This API is used to complete an appkey authentication where the appkey configuration sessionManagementExternal parameter is set to true which means that the session data object was returned when the authentication was requested and must be provided back to the server along with the response from the client.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:completeAppkeyAuthenticationWithSession permission.
API Permissions: TNT#{tenant}#IdentityStore:completeAppkeyAuthenticationWithSession
The client authentication response message and session data object.
Appkey authentication completed successfully
An error occurred either on the server or the client. Not all the error codes are listed here as there are many and a lot of them are unlikely to occur when integrating a validated appkey client.
NOTE: For convenience, the updated user object is returned when there is an authentication error because it may contain updated information about the user lock state.
Some of the more likely errors are:
- 502: The user associated with this authentication is not active
- 1009: Session data not provided
- 1011: Session data is missing the challenge
- 1012: Session data is missing the relying party ID
- 1017: The supplied client response message is not an authentication, it's a registration for example
- 1026: The application on the client device is not registered in the trusted facets list of the appkey policy
- 1029: The session challenge does not match the challenge in the client response
- 1035: The appkey type is not supported
- 1055: Session data is missing the policy
- 1056: Session data is missing authentication policy name
- 1058: No appkey was found which matched the appkey key ID supplied in the authentication assertion
- 1059: The appkey referenced in the authentication assertion was not registered to the expected user
- 1060: The appkey referenced in the authentication assertion is not active
- 1061: Potential appkey clone detected, the signature count is lower than expected.
- 1090: The single-shot challenge timestamp is outside the valid time window
- 1091: Malformed authentication response message from the client
- 1092: Client response message contains no authentication responses
- 1093: Client response message contains multiple authentication responses
- 1102: Malformed authentication failure response message from the client
- 1104: The authentication failed on the client
- 1105: The authentication was cancelled by the client
- 1115: Operation success/failure response data not provided
- 2100: The user is locked. Authentication cannot proceed.
- 2101: The user appkey modality is locked. Authentication cannot proceed.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found by supplied user ID in session data
- 1000: Appkey relying party not found
- 1002: Appkey authentication policy not found
List registered appkeys for a user (identified by internal ID) optionally filtered by device
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:listUserAppkeys permission.
API Permissions: TNT#{tenant}#IdentityStore:listUserAppkeys
User appkeys retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
Create an appkey authentication request for a known user identified by external ID using the specified authentication policy for the specified relying party
The authentication request returned from the server must be supplied to the client to initiate a user appkey authentication. The response from the client is returned to the server to complete server authentication.
Session data is shared between the authentication request and completion API calls. If in the appkey configuration sessionManagementExternal is set to false then these session data are managed internally by the server and a session ID is returned by this API which must be provided when the authentication is completed. Otherwise if sessionManagementExternal is true the session data itself is returned by the API and must be provided when the authentication is completed. If session data is managed internally it is stored temporarily for the duration configured as sessionDuration.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:createAppkeyAuthenticationForUserByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:createAppkeyAuthenticationForUserByExtId
Additional authentication parameters. May be empty.
Appkey authentication request created successfully
An error occurred. Possible error codes:
- 1004: The appkey policy does not contain accepted match criteria
- 1054: The provided transaction image could not be read.
- 10541: The provided transaction image is not supported or not a valid image.
- 1139: None of the appkeys allowed for this authentication support transaction processing.
- 2100: The user is locked. Authentication cannot proceed.
- 2101: The user appkey modality is locked. Authentication cannot proceed.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1000: Appkey relying party ID not found
- 1002: Appkey authentication policy not found
Create an anonymous appkey authentication request (where a user is not supplied) using the specified authentication policy for the specified relying party
The authentication request returned from the server must be supplied to the client to initiate a user appkey authentication. The response from the client is returned to the server to complete server authentication.
Session data is shared between the authentication request and completion API calls. If in the appkey configuration sessionManagementExternal is set to false then these session data are managed internally by the server and a session ID is returned by this API which must be provided when the authentication is completed. Otherwise if sessionManagementExternal is true the session data itself is returned by the API and must be provided when the authentication is completed. If session data is managed internally it is stored temporarily for the duration configured as sessionDuration.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:createAppkeyAuthentication permission.
API Permissions: TNT#{tenant}#IdentityStore:createAppkeyAuthentication
Additional authentication parameters. May be empty.
Appkey authentication request created successfully
An error occurred. Possible error codes:
- 1004: The appkey policy does not contain accepted match criteria
- 1138: Transaction content is not supported for login authentications.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 1000: Appkey relying party ID not found
- 1002: Appkey authentication policy not found
Get a user appkey registration record for a user identified by internal ID
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserAppkeyRegistrationRecord permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserAppkeyRegistrationRecord
User appkey registration record retrieved successfully
An error occurred. Possible error codes:
- 1087: Failed to decompress and deserialize audit record
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1067: Appkey not found
- 1086: Appkey registration not found
Set a preferred device for notifications relating to a relying party's apps. The user is identified by its external ID.
If a customer has multiple deployments of an app across multiple devices it may be useful to set a single device to receive push notifications.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:updateUserAppkeyPreferredDeviceByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:updateUserAppkeyPreferredDeviceByExtUserId
The preferred device identifier.
User updated with the preferred device
An error occurred. Possible error codes:
- 1117: The preferred device ID is missing from the request.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1000: Appkey relying party ID not found
- 1118: Device ID not found (no appkeys registered for this device ID)
Clear the preferred device for notifications relating to a relying party's apps. The user is identified by its external ID.
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:clearUserAppkeyPreferredDeviceByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:clearUserAppkeyPreferredDeviceByExtUserId
Preferred device cleared from user
An error occurred. Possible error codes:
- 1132: No appkeys are registered for this RP ID
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1000: Appkey relying party ID not found
Set a preferred device for notifications relating to a relying party's apps. The user is identified by its internal ID.
If a customer has multiple deployments of an app across multiple devices it may be useful to set a single device to receive push notifications.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:updateUserAppkeyPreferredDevice permission.
API Permissions: TNT#{tenant}#IdentityStore:updateUserAppkeyPreferredDevice
The preferred device identifier.
User updated with the preferred device
An error occurred. Possible error codes:
- 1117: The preferred device ID is missing from the request.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1000: Appkey relying party ID not found
- 1118: Device ID not found (no appkeys registered for this device ID)
Clear the preferred device for notifications relating to a relying party's apps. The user is identified by its internal ID.
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:clearUserAppkeyPreferredDevice permission.
API Permissions: TNT#{tenant}#IdentityStore:clearUserAppkeyPreferredDevice
Preferred device cleared from user
An error occurred. Possible error codes:
- 1132: No appkeys are registered for this RP ID
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1000: Appkey relying party ID not found
Complete an appkey authentication for an internally managed session.
This API is used to complete an appkey authentication where the appkey configuration sessionManagementExternal parameter is set to false which means that a session ID of an internally managed session was returned when the authentication was requested and must be provided back to the server along with the response from the client.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:completeAppkeyAuthenticationWithSessionId permission.
API Permissions: TNT#{tenant}#IdentityStore:completeAppkeyAuthenticationWithSessionId
The client authentication response message.
Appkey authentication completed successfully
An error occurred either on the server or the client. Not all the error codes are listed here as there are many and a lot of them are unlikely to occur when integrating with a validated appkey client.
NOTE: For convenience the updated user object is returned when there is an authentication error because it may contain updated information about the user lock state.
Some of the more likely errors are:
- 502: The user associated with this authentication is not active
- 1014: Session data was provided but session management for this authentication is configured as internal
- 1017: The supplied client response message is not an authentication, it's a registration for example
- 1026: The application on the client device is not registered in the trusted facets list of the appkey policy
- 1029: The session challenge does not match the challenge in the client response
- 1035: The appkey type is not supported
- 1058: No appkey was found which matched the appkey key ID supplied in the authentication assertion
- 1059: The appkey referenced in the authentication assertion was not registered to the expected user
- 1060: The appkey referenced in the authentication assertion is not active
- 1061: Potential appkey clone detected, the signature count is lower than expected.
- 1090: The single-shot challenge timestamp is outside the valid time window
- 1091: Malformed authentication response message from the client
- 1092: Client response message contains no authentication responses
- 1093: Client response message contains multiple authentication responses
- 1102: Malformed authentication failure response message from the client
- 1104: The authentication failed on the client
- 1105: The authentication was cancelled by the client
- 1115: Operation success/failure response data not provided
- 2100: The user is locked. Authentication cannot proceed.
- 2101: The user appkey modality is locked. Authentication cannot proceed.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found by supplied user ID in session data
- 1000: Appkey relying party not found
- 1002: Appkey authentication policy not found
- 1052: Session data for the specified session ID not found.
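One way an integrator might triage the completion error codes listed above for detection, as an added example that is not TrustX code. Only the numeric codes and their meanings come from the list; the event record shape, groupings, severities, window and threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Error codes and their meanings come from the completion error list above.
# The grouping, severities, window and threshold are assumptions of this example.
CLONE = {1061}                    # signature count lower than expected
UNTRUSTED_FACET = {1026}          # app not in the policy's trusted facets list
INVALID_ASSERTION = {
    1029, 1090,                   # challenge mismatch, single-shot timestamp outside window
    1058, 1059, 1060,             # unknown key, key registered to another user, inactive key
}
LOCKED = {2100, 2101}             # user locked, user appkey modality locked
CLIENT_OUTCOME = {1104, 1105}     # failed or cancelled on the client


@dataclass(frozen=True)
class Event:
    """One failed completion call as the integrator logged it (hypothetical shape)."""
    ts: int        # epoch seconds
    user: str
    key_id: str
    code: int      # error code returned by the completion API


def triage(events, window=300, threshold=3):
    """Return (severity, reason, user, key_id) alerts in time order."""
    alerts = []
    recent = defaultdict(list)    # user -> timestamps of recent invalid assertions
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.code in CLIENT_OUTCOME:
            continue              # ordinary user-side failure or cancellation
        if e.code in CLONE:
            # A counter regression is significant on its own, no threshold needed.
            alerts.append(("high", "possible-clone", e.user, e.key_id))
        elif e.code in UNTRUSTED_FACET:
            alerts.append(("medium", "untrusted-facet", e.user, e.key_id))
        elif e.code in INVALID_ASSERTION:
            # Sliding window per user: alert once the threshold is reached, then reset.
            hits = [t for t in recent[e.user] if e.ts - t <= window] + [e.ts]
            if len(hits) >= threshold:
                alerts.append(("medium", "repeated-invalid-assertions", e.user, e.key_id))
                hits = []
            recent[e.user] = hits
        elif e.code in LOCKED:
            alerts.append(("info", "locked", e.user, e.key_id))
        # Codes outside these groups are left to ordinary error handling.
    return alerts


# Constructed sample events, not real log data.
SAMPLE = [
    Event(1000, "u1", "k1", 1105),
    Event(1010, "u2", "k7", 1029),
    Event(1050, "u2", "k7", 1090),
    Event(1100, "u2", "k7", 1029),
    Event(1150, "u2", "k7", 2100),
    Event(1200, "u3", "k9", 1061),
    Event(2000, "u4", "k2", 1029),
    Event(2400, "u4", "k2", 1029),   # 400 s after the previous one, outside the window
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

A `possible-clone` alert identifies the appkey whose status an operator would review with the appkey status update API documented on this page.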
Create an appkey authentication request for a known user identified by internal ID using the specified authentication policy for the specified relying party
The authentication request returned from the server must be supplied to the client to initiate a user appkey authentication. The response from the client is returned to the server to complete server authentication.
Session data is shared between the authentication request and completion API calls. If in the appkey configuration sessionManagementExternal is set to false then these session data are managed internally by the server and a session ID is returned by this API which must be provided when the authentication is completed. Otherwise if sessionManagementExternal is true the session data itself is returned by the API and must be provided when the authentication is completed. If session data is managed internally it is stored temporarily for the duration configured as sessionDuration.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:createAppkeyAuthenticationForUser permission.
API Permissions: TNT#{tenant}#IdentityStore:createAppkeyAuthenticationForUser
Additional authentication parameters. May be empty.
Appkey authentication request created successfully
An error occurred. Possible error codes:
- 1004: The appkey policy does not contain accepted match criteria
- 1054: The provided transaction image could not be read.
- 10541: The provided transaction image is not supported or not a valid image.
- 1139: None of the appkeys allowed for this authentication support transaction processing.
- 2100: The user is locked. Authentication cannot proceed.
- 2101: The user appkey modality is locked. Authentication cannot proceed.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1000: Appkey relying party ID not found
- 1002: Appkey authentication policy not found
Delete registered appkeys for a user (identified by external ID) and create a deregistration request for the client. Appkeys can be deleted by type (silent, biometric) or AAID and can be restricted to a device or can be deleted across all devices for that user.
This API supports a TrustX process deregistration flow where the device ID and deregistration options (AAIDs, types to delete) are specified. The appkeys are deleted on the server and a deregistration request message is provided which is sent to the client to delete the keys.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deregisterUserAppkeysByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:deregisterUserAppkeysByExtUserId
User appkey(s) deleted successfully
An error occurred. Possible error codes:
- 1122: Parameters not supplied
- 1123: AAID options are empty in the supplied parameters.
- 1124: Appkey type options are empty in the supplied parameters.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1000: Appkey relying party ID not found
- 1125: No registered appkeys found for this device
- 1126: No registered appkeys found for this device and RP ID
- 1127: No registered appkeys found for this device and AAID
- 1128: No registered appkeys found for this device and AAIDs
- 1129: No registered appkeys found for this device and appkey type
- 1130: No registered appkeys found for this device and appkey types
- 1132: No registered appkeys found for this relying party
- 1133: No registered appkeys found for this relying party and AAID
- 1134: No registered appkeys found for this relying party and AAIDs
- 1135: No registered appkeys found for this relying party and appkey type
- 1136: No registered appkeys found for this relying party and appkey types
Complete an appkey registration for an externally managed session.
This API is used to complete an appkey registration where the appkey configuration sessionManagementExternal parameter is set to true which means that the session data object was returned when the registration was requested and must be provided back to the server along with the response from the client.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:completeAppkeyRegistrationWithSession permission.
API Permissions: TNT#{tenant}#IdentityStore:completeAppkeyRegistrationWithSession
The client registration response message and session data object.
Appkey registration completed successfully
An error occurred either on the server or the client. Not all the error codes are listed here as there are many and a lot of them are unlikely to occur when integrating with a valid appkey client. Some of the more likely errors are:
- 501: When registration was requested neither a user object nor an external user ID was supplied therefore a user can't be found or created to associate with this appkey registration
- 1009: Session data not provided
- 1010: Session data is missing registration policy name
- 1011: Session data is missing the challenge
- 1012: Session data is missing the relying party ID
- 1017: The supplied client response message is not a registration, it's an authentication for example
- 1026: The application on the client device is not registered in the trusted facets list of the appkey policy
- 1029: The session challenge does not match the challenge in the client response
- 1035: The appkey type is not supported
- 1050: The registered appkeys do not satisfy the registration policy
- 1055: Session data is missing the policy
- 1094: Malformed registration response message from the client
- 1095: Client response message contains no registration responses
- 1096: Client response message contains multiple registration responses
- 1098: Maximum number of appkeys exceeded for this user
- 1115: Operation success/failure response data not provided
- 1116: Appkey registration failed on the client
- 1121: Appkey registration cancelled on the client
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found by supplied user ID in session data
- 1000: Appkey relying party not found
- 1001: Appkey registration policy not found
List registered appkeys for a user (identified by external ID) optionally filtered by device
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:listUserAppkeysByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:listUserAppkeysByExtUserId
User appkeys retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
Create an appkey registration request for a user identified by an optional external ID using the specified registration policy for the specified relying party
The request optionally contains the external ID of the user for whom the registration will be created. If this is not supplied an external ID with a random 32-character alphanumeric ID will be generated by the server and returned in the session data. A user will be created with this ext ID when registration is completed and the appkey will be registered to that user.
The registration request returned from the server must be supplied to the client on the device to initiate a user appkey registration. The response from the client is returned to the server to complete registration and store the generated appkey in the server.
Session data is shared between the registration request and completion API calls. If in the appkey configuration sessionManagementExternal is set to false then these session data are managed internally by the server and a session ID is returned by this API which must be provided when the registration is completed. Otherwise if sessionManagementExternal is true the session data itself is returned by the API and must be provided when the registration is completed. If session data is managed internally it is stored temporarily for the duration configured as sessionDuration.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:createAppkeyRegistration permission.
API Permissions: TNT#{tenant}#IdentityStore:createAppkeyRegistration
Additional registration parameters. May be empty.
Appkey registration request created successfully
An error occurred. Possible error codes:
- 1004: The appkey policy does not contain accepted match criteria
- 1120: The user is not in a state to allow appkey registration
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 1000: Appkey relying party ID not found
- 1001: Appkey registration policy not found
Update an existing appkey's status by external user ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:updateUserAppkeyStatusByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:updateUserAppkeyStatusByExtId
The user appkey update information
User appkey updated successfully
An error occurred. Possible error codes:
- 1114: No update information provided
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1067: Appkey not found
Delete the preferred device for notifications relating to a relying party's apps. The user is identified by its internal ID.
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserAppkeyPreferredDevice permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserAppkeyPreferredDevice
Preferred device deleted from user
An error occurred. Possible error codes:
- 1119: The specified device ID is not a preferred device for this RP ID
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1000: Appkey relying party ID not found
- 1118: Device ID not found
Delete user appkeys by internal user ID for a specified device
Deletes all user appkeys registered on a particular device
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserAppkeysForDevice permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserAppkeysForDevice
User appkeys deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 10671: Appkeys not found
Get an appkey for a user identified by external ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserAppkeyByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserAppkeyByExtUserId
User appkey retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1067: Appkey not found
Delete a user appkey by external user ID and internal appkey ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserAppkeyByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserAppkeyByExtUserId
User appkey deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1067: Appkey not found
Delete the preferred device for notifications relating to a relying party's apps. The user is identified by its external ID.
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserAppkeyPreferredDeviceByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserAppkeyPreferredDeviceByExtUserId
Preferred device deleted from user
An error occurred. Possible error codes:
- 1119: The specified device ID is not a preferred device for this RP ID
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1000: Appkey relying party ID not found
- 1118: Device ID not found
Get a user appkey registration record for a user identified by external ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserAppkeyRegistrationRecordByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserAppkeyRegistrationRecordByExtUserId
User appkey registration record retrieved successfully
An error occurred. Possible error codes:
- 1087: Failed to decompress and deserialize audit record
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1067: Appkey not found
- 1086: Appkey registration not found
Get an appkey for a user identified by internal ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserAppkey permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserAppkey
User appkey retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1067: Appkey not found
Update an existing appkey's status by internal user ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:updateUserAppkeyStatus permission.
API Permissions: TNT#{tenant}#IdentityStore:updateUserAppkeyStatus
The user appkey update information
User appkey updated successfully
An error occurred. Possible error codes:
- 1114: No update information provided
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1067: Appkey not found
Delete a user appkey by internal user ID and appkey ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserAppkey permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserAppkey
User appkey deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1067: Appkey not found
Create an appkey registration request for an existing user identified by its external ID within an identity store using the specified registration policy for the specified relying party
The registration request returned from the server must be supplied to the client on the device to initiate a user appkey registration. The response from the client is returned to the server to complete registration and store the generated appkey in the server.
Session data is shared between the registration request and completion API calls. If in the appkey configuration sessionManagementExternal is set to false then these session data are managed internally by the server and a session ID is returned by this API which must be provided when the registration is completed. Otherwise if sessionManagementExternal is true the session data itself is returned by the API and must be provided when the registration is completed. If session data is managed internally it is stored temporarily for the duration configured as sessionDuration.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:createAppkeyRegistrationForUserByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:createAppkeyRegistrationForUserByExtId
Additional registration parameters. May be empty.
Appkey registration request created successfully
An error occurred. Possible error codes:
- 1004: The appkey policy does not contain accepted match criteria
- 1120: The user is not in a state to allow appkey registration
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1000: Appkey relying party ID not found
- 1001: Appkey registration policy not found
Delete user appkeys by external user ID for a specified device
Deletes all user appkeys registered on a particular device
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteAllUserAppkeysForDeviceByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteAllUserAppkeysForDeviceByExtUserId
User appkeys deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 10671: Appkeys not found
Delete registered appkeys from a device given an appkey's key ID from the device itself and the user identified by its external ID.
This API supports an appkey deregistration flow in which a key ID of an appkey to delete is sent from the device client. The appkey is deleted on the server and a deregistration request message is provided which is sent to the client to delete the key.
The default behaviour is to delete the specified appkey from the server and generate a deregistration request to delete that single key from the client. A mode parameter may be supplied to delete:
- all appkeys of the same type on the same device as the specified appkey
- all appkeys for the same device as the specified appkey
- all appkeys registered for the same user as the specified appkey
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deregisterUserAppkeyByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:deregisterUserAppkeyByExtUserId
User appkey(s) deleted successfully
An error occurred. Possible error codes:
- 1068: The specified appkey is not registered to the specified user
- 1100: The specified appkey does not have a registered device ID so the requested appkeys belonging to the same device cannot be deleted.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 1058: Appkey not found
Complete an appkey registration for an internally managed session.
This API is used to complete an appkey registration where the appkey configuration sessionManagementExternal parameter is set to false which means that a session ID of an internally managed session was returned when the registration was requested and must be provided back to the server along with the response from the client.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:completeAppkeyRegistrationWithSessionId permission.
API Permissions: TNT#{tenant}#IdentityStore:completeAppkeyRegistrationWithSessionId
The client registration response message.
Appkey registration completed successfully
An error occurred either on the server or the client. Not all the error codes are listed here as there are many and a lot of them are unlikely to occur when integrating with a validated appkey client. Some of the more likely errors are:
- 501: When registration was requested neither a user object nor an external user ID was supplied therefore a user can't be found or created to associate with this appkey registration
- 1014: Session data was provided but session management for this registration is configured as internal
- 1017: The supplied client response message is not a registration, it's an authentication for example
- 1026: The application on the client device is not registered in the trusted facets list of the appkey policy
- 1029: The session challenge does not match the challenge in the client response
- 1035: The appkey type is not supported
- 1050: The registered appkeys do not satisfy the registration policy
- 1094: Malformed registration response message from the client
- 1095: Client response message contains no registration responses
- 1096: Client response message contains multiple registration responses
- 1098: Maximum number of appkeys exceeded for this user
- 1115: Operation success/failure response data not provided
- 1116: Appkey registration failed on the client
- 1121: Appkey registration cancelled on the client
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found by supplied user ID in session data
- 1000: Appkey relying party not found
- 1001: Appkey registration policy not found
Create an appkey registration request for an existing user identified by its internal ID within an identity store using the specified registration policy for the specified relying party
The registration request returned from the server must be supplied to the client on the device to initiate a user appkey registration. The response from the client is returned to the server to complete registration and store the generated appkey in the server.
Session data is shared between the registration request and completion API calls. If in the appkey configuration sessionManagementExternal is set to false then these session data are managed internally by the server and a session ID is returned by this API which must be provided when the registration is completed. Otherwise if sessionManagementExternal is true the session data itself is returned by the API and must be provided when the registration is completed. If session data is managed internally it is stored temporarily for the duration configured as sessionDuration.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:createAppkeyRegistrationForUser permission.
API Permissions: TNT#{tenant}#IdentityStore:createAppkeyRegistrationForUser
Additional registration parameters. May be empty.
Appkey registration request created successfully
An error occurred. Possible error codes:
- 1004: The appkey policy does not contain accepted match criteria
- 1120: The user is not in a state to allow appkey registration
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 1000: Appkey relying party ID not found
- 1001: Appkey registration policy not found
User Passkey Management
Create a passkey credential creation request for an existing user identified by its external ID within an identity store using the specified registration policy for the specified relying party
The credential creation request returned from the server must be supplied to the user agent on the device to initiate a passkey registration. The response from the user agent is returned to the server to complete registration and store the generated passkey in the server.
Session data is shared between the registration request and completion API calls. If in the passkey configuration sessionManagementExternal is set to false then these session data are managed internally by the server and a session ID is returned by this API which must be provided when the registration is completed. Otherwise if sessionManagementExternal is true the session data itself is returned by the API and must be provided when the registration is completed. If session data is managed internally it is stored temporarily for the duration configured as sessionDuration.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:createPasskeyRegistrationForUserByExtId permission.
API Permissions: TNT#{tenant}#IdentityStore:createPasskeyRegistrationForUserByExtId
Additional registration parameters. May be empty.
Passkey credential creation request created successfully
An error occurred. Possible error codes:
- 1120: The user is not in a state to allow passkey registration
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 235: Passkey relying party ID not found
- 233: Passkey registration policy not found
Complete a passkey credential creation request for an internally managed session.
This API is used to complete a passkey registration where the passkey configuration sessionManagementExternal parameter is set to false which means that a session ID of an internally managed session was returned when the registration was requested and must be provided back to the server along with the response from the client.
Permission
The JWT must contain the TNT#{tenant}#IdentityStore:completePasskeyRegistrationWithSessionId permission.
API Permissions: TNT#{tenant}#IdentityStore:completePasskeyRegistrationWithSessionId
The user agent registration response message and session data object.
Passkey registration completed successfully
An error occurred either on the server or the client. Not all the error codes are listed here as there are many and a lot of them are unlikely to occur when integrating with a valid user agent. Some of the more likely errors are:
- 352: The supplied client response message is not a registration, it's an authentication
- 353: The provided challenge is not the same as the challenge signed in the assertion
- 354: The origin in the client response is not in the restricted origins list
- 356: Token binding in the client response does not match the expected value
- 356: Token binding status missing from client response
- 382: The origin in the client response does not start with https
- 383: The origin in the client response does not match the relying party ID
- 388: Session data was provided but session management for this registration is configured as internal
- 389: Maximum number of passkeys exceeded for this user
- 395: Operation success/failure response data not provided
- 396: Passkey registration failed on the client
- 399: Passkey registration was cancelled on the client
- 401: The supplied user handle does not match the existing user handle for this user.
- 402: Passkey registration timed out on the client
- 501: When registration was requested neither a user object nor an external user ID was supplied therefore a user can't be found or created to associate with this passkey registration
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found by supplied user ID in session data
- 235: Passkey relying party ID not found
- 233: Passkey registration policy not found
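Error codes 352, 353, 354, 382 and 383 above describe checks on the WebAuthn `clientDataJSON` that the user agent returns. The example below is added here and is not TrustX's implementation; the function names, the order of the checks and the sample values are assumptions, while the `type`, `challenge` and `origin` fields are those defined by WebAuthn.

```python
import base64
import hmac
import json
from urllib.parse import urlsplit


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_client_data(client_data_json, expected_challenge, rp_id, restricted_origins=()):
    """Return None when clientDataJSON passes, else the matching error code from the list.

    Malformed JSON raises ValueError; the list above names no code for that case.
    """
    data = json.loads(client_data_json)

    # 352: a registration completion must carry a creation response.
    if data.get("type") != "webauthn.create":
        return 352

    # 353: compare against the challenge held in the session, in constant time.
    got = str(data.get("challenge", "")).encode("utf-8")
    if not hmac.compare_digest(got, b64url(expected_challenge).encode("ascii")):
        return 353

    origin = str(data.get("origin", ""))
    try:
        parts = urlsplit(origin)
        host = (parts.hostname or "").lower()
    except ValueError:
        return 383                      # unparseable origin cannot match the RP ID

    # 382: test the parsed scheme, so "httpsx://..." is not accepted by a prefix match.
    if parts.scheme != "https":
        return 382

    # 383: host must equal the RP ID or be a subdomain of it, matched on a
    # label boundary so "evil-example.com" does not pass for "example.com".
    rp = rp_id.lower()
    if host != rp and not host.endswith("." + rp):
        return 383

    # 354: when a restricted origins list is configured, require an exact match.
    if restricted_origins and origin not in restricted_origins:
        return 354
    return None


def make_client_data(type_, challenge, origin):
    """Build a constructed clientDataJSON for the demonstration below."""
    return json.dumps(
        {"type": type_, "challenge": b64url(challenge), "origin": origin}
    ).encode("utf-8")


# Constructed values, not taken from any real deployment.
CHALLENGE = bytes(range(32))
RP_ID = "example.com"
ALLOWED = ("https://login.example.com",)

if __name__ == "__main__":
    cases = [
        ("webauthn.create", CHALLENGE, "https://login.example.com"),
        ("webauthn.get", CHALLENGE, "https://login.example.com"),
        ("webauthn.create", b"\x00" * 32, "https://login.example.com"),
        ("webauthn.create", CHALLENGE, "http://login.example.com"),
        ("webauthn.create", CHALLENGE, "https://evil-example.com"),
        ("webauthn.create", CHALLENGE, "https://app.example.com"),
    ]
    for type_, chal, origin in cases:
        cdj = make_client_data(type_, chal, origin)
        print(origin, type_, check_client_data(cdj, CHALLENGE, RP_ID, ALLOWED))
```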
Get a passkey for a user identified by external ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserPasskeyByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserPasskeyByExtUserId
User passkey retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 390: Passkey not found
Delete a user passkey by external user ID and internal passkey ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserPasskeyByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserPasskeyByExtUserId
User passkey deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 390: Passkey not found
Get a user passkey registration record for a user identified by external ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserPasskeyRegistrationRecordByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserPasskeyRegistrationRecordByExtUserId
User passkey registration record retrieved successfully
An error occurred. Possible error codes:
- 392: Failed to decompress and deserialize audit record
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found
- 390: Passkey not found
- 391: Passkey registration not found
Get a passkey for a user identified by internal ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:getUserPasskey permission.
API Permissions: TNT#{tenant}#IdentityStore:getUserPasskey
User passkey retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 390: Passkey not found
Update an existing passkey's name and/or status by internal user ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:updateUserPasskeyStatus permission.
API Permissions: TNT#{tenant}#IdentityStore:updateUserPasskeyStatus
The user passkey update information
User passkey updated successfully
An error occurred. Possible error codes:
- 393: No update information provided
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 390: Passkey not found
Delete a user passkey by internal user ID and passkey ID
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:deleteUserPasskey permission.
API Permissions: TNT#{tenant}#IdentityStore:deleteUserPasskey
User passkey deleted successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
- 390: Passkey not found
List registered passkeys for a user (identified by internal ID)
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:listUserPasskeys permission.
API Permissions: TNT#{tenant}#IdentityStore:listUserPasskeys
User passkeys retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 500: User not found
List registered passkeys for a user (identified by external ID)
### Permission
The JWT must contain the TNT#{tenant}#IdentityStore:listUserPasskeysByExtUserId permission.
API Permissions: TNT#{tenant}#IdentityStore:listUserPasskeysByExtUserId
User passkeys retrieved successfully
An error occurred.
Unauthorized
A required entity was not found. Possible error codes:
- 90: Tenant not found
- 100: Store not found
- 503: User not found