
# Update app settings like groups, client config, etc.

> Update app settings like groups, client config, etc.

## OpenAPI

````json PATCH /sys/v1/apps/{app_id}
{
  "openapi": "3.0.0",
  "info": {
    "title": "Fortanix DSM REST API",
    "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.",
    "termsOfService": "https://www.fortanix.com/legal/terms/",
    "contact": {
      "name": "Fortanix Support",
      "url": "https://support.fortanix.com/",
      "email": "support@fortanix.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    },
    "version": "0.1.0-20260526"
  },
  "servers": [
    {
      "url": "https://amer.smartkey.io"
    }
  ],
  "paths": {
    "/sys/v1/apps/{app_id}": {
      "patch": {
        "operationId": "UpdateApp",
        "tags": [
          "Apps"
        ],
        "security": [
          {
            "bearerToken": []
          },
          {
            "apiKeyAuth": []
          }
        ],
        "summary": "Update app settings like groups, client config, etc.",
        "description": "Update app settings like groups, client config, etc.",
        "parameters": [
          {
            "name": "app_id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            }
          },
          {
            "$ref": "#/components/parameters/GetAppParams"
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/AppRequest"
              }
            }
          }
        },
        "responses": {
          "2XX": {
            "description": "Success result",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/App"
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "parameters": {
      "GetAppParams": {
        "in": "query",
        "name": "GetAppParams",
        "schema": {
          "$ref": "#/components/schemas/GetAppParams"
        },
        "explode": true
      }
    },
    "schemas": {
      "AppRequest": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "account_membership": {
                "$ref": "#/components/schemas/AppAccountMembership"
              },
              "add_groups": {
                "$ref": "#/components/schemas/AppGroups"
              },
              "app_type": {
                "type": "string",
                "nullable": true,
                "description": "The user-defined type of this application."
              },
              "client_configurations": {
                "$ref": "#/components/schemas/ClientConfigurationsRequest"
              },
              "credential": {
                "$ref": "#/components/schemas/AppCredentialRequest"
              },
              "credential_migration_period": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "Migration period for which credentials (and their sessions) remain valid during API key regeneration."
              },
              "default_group": {
                "type": "string",
                "format": "uuid",
                "nullable": true,
                "description": "The default group an application belongs to."
              },
              "del_groups": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string",
                  "format": "uuid"
                },
                "nullable": true,
                "description": "Groups an application no longer needs to be a part of. Array of UUID of groups."
              },
              "description": {
                "type": "string",
                "nullable": true,
                "description": "Description of this application."
              },
              "enabled": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether this application is enabled."
              },
              "interface": {
                "type": "string",
                "nullable": true,
                "description": "Interface used with this application (PKCS11, CNG, JCE, KMIP, etc)."
              },
              "ip_address_policy": {
                "$ref": "#/components/schemas/IpAddressPolicy"
              },
              "mod_groups": {
                "$ref": "#/components/schemas/AppGroups"
              },
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$",
                "nullable": true,
                "description": "Name of this application, which must be unique within an account."
              },
              "oauth_config": {
                "$ref": "#/components/schemas/AppOauthConfig"
              },
              "role": {
                "$ref": "#/components/schemas/AppRole"
              },
              "secret_size": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "Size in bytes of app's secret."
              }
            }
          }
        ]
      },
      "App": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "account_membership": {
                "$ref": "#/components/schemas/AppAccountMembership"
              },
              "acct_id": {
                "type": "string",
                "format": "uuid",
                "description": "The id of the Account that this application belongs to."
              },
              "app_id": {
                "type": "string",
                "format": "uuid",
                "description": "Unique id to identify the application."
              },
              "app_type": {
                "type": "string",
                "description": "The user-defined type of this application."
              },
              "cert_not_after": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z",
                "description": "Certificate expiration date for apps that use client certificate or trusted CA auth.\n\nFor a client certificate app, this field is the expiry date of the client certificate. For a trusted CA app, this field is the maximum expiry date among all configured root CA certs in the app's config.\n\nFor all other apps, this field is omitted."
              },
              "client_configurations": {
                "$ref": "#/components/schemas/ClientConfigurations"
              },
              "created_at": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z",
                "description": "Timestamp when the application was created."
              },
              "creator": {
                "$ref": "#/components/schemas/Principal"
              },
              "default_group": {
                "type": "string",
                "format": "uuid",
                "nullable": true,
                "description": "The default group an application belongs to."
              },
              "description": {
                "type": "string",
                "nullable": true,
                "description": "Description of this application."
              },
              "enabled": {
                "type": "boolean",
                "description": "Whether this application is enabled."
              },
              "groups": {
                "$ref": "#/components/schemas/AppGroups"
              },
              "interface": {
                "type": "string",
                "nullable": true,
                "description": "Interface used with this application (PKCS11, CNG, JCE, KMIP, etc)."
              },
              "ip_address_policy": {
                "$ref": "#/components/schemas/IpAddressPolicy"
              },
              "last_operations": {
                "$ref": "#/components/schemas/LastAppOperationTimestamp"
              },
              "lastused_at": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z",
                "description": "Timestamp when the application was most recently used."
              },
              "legacy_access": {
                "type": "boolean",
                "description": "If a requester is updating an App or retrieving its credentials,\nthey must have the relevant permissions in all Groups that the App has access to.\nFor legacy Apps, however, the requester is only required to have the relevant permissions\nin any one of the Groups that the App has access to."
              },
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$",
                "description": "Name of this application, which must be unique within an account."
              },
              "oauth_config": {
                "$ref": "#/components/schemas/AppOauthConfig"
              },
              "role": {
                "$ref": "#/components/schemas/AppRole"
              }
            },
            "required": [
              "acct_id",
              "app_id",
              "app_type",
              "client_configurations",
              "created_at",
              "creator",
              "enabled",
              "groups",
              "ip_address_policy",
              "last_operations",
              "legacy_access",
              "name",
              "role"
            ]
          },
          {
            "$ref": "#/components/schemas/AppAuthType"
          }
        ]
      },
      "GetAppParams": {
        "allOf": [
          {
            "type": "object",
            "description": "Query params for individual App APIs",
            "properties": {
              "group_permissions": {
                "type": "boolean",
                "description": "Flag specifying if group permissions should be returned with the app group."
              },
              "role": {
                "type": "string",
                "description": "The App's role."
              }
            }
          }
        ]
      },
      "AppAccountMembership": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "roles": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "$ref": "#/components/schemas/AppAccountRoleDescriptor"
                }
              }
            },
            "required": [
              "roles"
            ]
          }
        ]
      },
      "AppGroups": {
        "oneOf": [
          {
            "type": "object",
            "additionalProperties": {
              "type": "array",
              "items": {
                "$ref": "#/components/schemas/AppPermissions"
              }
            }
          },
          {
            "type": "array",
            "items": {
              "type": "string",
              "format": "uuid"
            },
            "uniqueItems": true
          }
        ]
      },
      "ClientConfigurationsRequest": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "common": {
                "$ref": "#/components/schemas/RemovableCommonClientConfig"
              },
              "pkcs11": {
                "$ref": "#/components/schemas/RemovablePkcs11ClientConfig"
              },
              "kmip": {
                "$ref": "#/components/schemas/RemovableKmipClientConfig"
              },
              "tep": {
                "$ref": "#/components/schemas/RemovableTepClientConfig"
              }
            }
          }
        ]
      },
      "AppCredentialRequest": {
        "oneOf": [
          {
            "title": "AppCredentialRequestVariantAll",
            "type": "object",
            "properties": {
              "all": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/OneAppCredentialRequest"
                },
                "description": "Using `all`, clients can specify a combination of two credentials:\n- one must be a mutual TLS credential (either `certificate` or `trustedca`),\n- the other must be a general app credential (one of `secret`, `awsiam`, `signedjwt`, or `ldap`)\n\nApps authenticating with this variant must present both forms of credentials,\ni.e., they must present a client certificate during TLS handshake, and also\npresent the other form of credential in the HTTP request."
              }
            },
            "required": [
              "all"
            ]
          },
          {
            "$ref": "#/components/schemas/OneAppCredentialRequest"
          }
        ]
      },
      "IpAddressPolicy": {
        "description": "The IP addresses that are allowed for an application. Both IPv4 and IPv6 addresses are accepted.",
        "oneOf": [
          {
            "title": "IpAddressPolicyVariantAllowAll",
            "type": "string",
            "enum": [
              "allow_all"
            ]
          },
          {
            "title": "IpAddressPolicyVariantWhitelist",
            "type": "object",
            "properties": {
              "whitelist": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                }
              }
            },
            "required": [
              "whitelist"
            ]
          }
        ]
      },
      "AppOauthConfig": {
        "description": "OAuth settings for an app. If enabled, an app can request to act on behalf of a user.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/AppOauthConfigVariantEnabled"
          },
          {
            "$ref": "#/components/schemas/AppOauthConfigVariantDisabled"
          }
        ],
        "discriminator": {
          "propertyName": "state",
          "mapping": {
            "enabled": "AppOauthConfigVariantEnabled",
            "disabled": "AppOauthConfigVariantDisabled"
          }
        }
      },
      "AppRole": {
        "description": "App's role.",
        "type": "string",
        "enum": [
          "admin",
          "crypto"
        ]
      },
      "ClientConfigurations": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "common": {
                "$ref": "#/components/schemas/CommonClientConfig"
              },
              "pkcs11": {
                "$ref": "#/components/schemas/Pkcs11ClientConfig"
              },
              "kmip": {
                "$ref": "#/components/schemas/KmipClientConfig"
              },
              "tep": {
                "$ref": "#/components/schemas/TepClientConfig"
              }
            }
          }
        ]
      },
      "Principal": {
        "description": "A security principal.",
        "oneOf": [
          {
            "title": "PrincipalVariantApp",
            "type": "object",
            "properties": {
              "app": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "app"
            ]
          },
          {
            "title": "PrincipalVariantUser",
            "type": "object",
            "properties": {
              "user": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "user"
            ]
          },
          {
            "title": "PrincipalVariantPlugin",
            "type": "object",
            "properties": {
              "plugin": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "plugin"
            ]
          },
          {
            "title": "PrincipalVariantUserViaApp",
            "type": "object",
            "properties": {
              "userviaapp": {
                "$ref": "#/components/schemas/PrincipalUserViaApp"
              }
            },
            "required": [
              "userviaapp"
            ]
          },
          {
            "title": "PrincipalVariantSystem",
            "type": "string",
            "enum": [
              "system"
            ]
          },
          {
            "title": "PrincipalVariantUnregisteredUser",
            "type": "string",
            "enum": [
              "unregistereduser"
            ]
          }
        ]
      },
      "LastAppOperationTimestamp": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "generic": {
                "type": "integer",
                "nullable": true
              },
              "tokenization": {
                "type": "integer",
                "nullable": true
              },
              "tep": {
                "type": "integer",
                "nullable": true
              },
              "accelerator": {
                "type": "integer",
                "nullable": true
              },
              "secrets_management": {
                "type": "integer",
                "nullable": true
              }
            }
          }
        ]
      },
      "AppAuthType": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "auth_type": {
                "$ref": "#/components/schemas/AppAuthTypeVariants"
              },
              "auth_type_all": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/OneAppAuthType"
                },
                "nullable": true,
                "description": "If `auth_type` is `All`, this field will include the list of individual auth\ntypes for the app."
              }
            },
            "required": [
              "auth_type"
            ]
          }
        ]
      },
      "AppAccountRoleDescriptor": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/AppAccountRoleDescriptorVariantSystemDefined"
          },
          {
            "$ref": "#/components/schemas/AppAccountRoleDescriptorVariantCustom"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "SystemDefined": "AppAccountRoleDescriptorVariantSystemDefined",
            "Custom": "AppAccountRoleDescriptorVariantCustom"
          }
        }
      },
      "AppPermissions": {
        "description": "Operations allowed to be performed by an app.\n\n- `SIGN`\n- `VERIFY`\n- `ENCRYPT`\n- `DECRYPT`\n- `WRAPKEY`\n- `UNWRAPKEY`\n- `DERIVEKEY`\n- `MACGENERATE`\n- `MACVERIFY`\n- `EXPORT`\n- `MANAGE`\n- `AGREEKEY`\n- `MASKDECRYPT`\n- `AUDIT`\n- `TRANSFORM`\n- `CREATE_SOBJECTS`\n- `COPY_SOBJECTS`\n- `ROTATE_SOBJECTS`\n- `ACTIVATE_SOBJECTS`\n- `REVOKE_SOBJECTS`\n- `REVERT_SOBJECTS`\n- `MOVE_SOBJECTS`\n- `UPDATE_SOBJECTS_PROFILE`\n- `UPDATE_SOBJECTS_ENABLED_STATE`\n- `UPDATE_SOBJECT_POLICIES`\n- `UPDATE_KEY_OPS`\n- `DELETE_KEY_MATERIAL`\n- `DELETE_SOBJECTS`\n- `DESTROY_SOBJECTS`\n- `RESTORE_EXTERNAL_SOBJECTS`\n- `CALCULATE_DIGEST`\n- `ENCAPSULATE`\n- `DECAPSULATE`\n",
        "type": "string",
        "enum": [
          "SIGN",
          "VERIFY",
          "ENCRYPT",
          "DECRYPT",
          "WRAPKEY",
          "UNWRAPKEY",
          "DERIVEKEY",
          "MACGENERATE",
          "MACVERIFY",
          "EXPORT",
          "MANAGE",
          "AGREEKEY",
          "MASKDECRYPT",
          "AUDIT",
          "TRANSFORM",
          "CREATE_SOBJECTS",
          "COPY_SOBJECTS",
          "ROTATE_SOBJECTS",
          "ACTIVATE_SOBJECTS",
          "REVOKE_SOBJECTS",
          "REVERT_SOBJECTS",
          "MOVE_SOBJECTS",
          "UPDATE_SOBJECTS_PROFILE",
          "UPDATE_SOBJECTS_ENABLED_STATE",
          "UPDATE_SOBJECT_POLICIES",
          "UPDATE_KEY_OPS",
          "DELETE_KEY_MATERIAL",
          "DELETE_SOBJECTS",
          "DESTROY_SOBJECTS",
          "RESTORE_EXTERNAL_SOBJECTS",
          "CALCULATE_DIGEST",
          "ENCAPSULATE",
          "DECAPSULATE"
        ]
      },
      "RemovableCommonClientConfig": {
        "oneOf": [
          {
            "type": "string",
            "enum": [
              "remove"
            ]
          },
          {
            "$ref": "#/components/schemas/CommonClientConfig"
          }
        ]
      },
      "RemovablePkcs11ClientConfig": {
        "oneOf": [
          {
            "type": "string",
            "enum": [
              "remove"
            ]
          },
          {
            "$ref": "#/components/schemas/Pkcs11ClientConfig"
          }
        ]
      },
      "RemovableKmipClientConfig": {
        "oneOf": [
          {
            "type": "string",
            "enum": [
              "remove"
            ]
          },
          {
            "$ref": "#/components/schemas/KmipClientConfig"
          }
        ]
      },
      "RemovableTepClientConfig": {
        "oneOf": [
          {
            "type": "string",
            "enum": [
              "remove"
            ]
          },
          {
            "$ref": "#/components/schemas/TepClientConfig"
          }
        ]
      },
      "OneAppCredentialRequest": {
        "oneOf": [
          {
            "title": "OneAppCredentialRequestVariantSecret",
            "type": "object",
            "properties": {
              "secret": {
                "$ref": "#/components/schemas/SecretCredentialRequest"
              }
            },
            "required": [
              "secret"
            ]
          },
          {
            "title": "OneAppCredentialRequestVariantCertificate",
            "type": "object",
            "properties": {
              "certificate": {
                "type": "string",
                "format": "byte",
                "description": "PKI Certificate based authentication."
              }
            },
            "required": [
              "certificate"
            ]
          },
          {
            "title": "OneAppCredentialRequestVariantTrustedCa",
            "type": "object",
            "properties": {
              "trustedca": {
                "$ref": "#/components/schemas/TrustedCaCredential"
              }
            },
            "required": [
              "trustedca"
            ]
          },
          {
            "title": "OneAppCredentialRequestVariantGoogleServiceAccount",
            "type": "object",
            "properties": {
              "googleserviceaccount": {
                "$ref": "#/components/schemas/GoogleServiceAccountCredential"
              }
            },
            "required": [
              "googleserviceaccount"
            ]
          },
          {
            "title": "OneAppCredentialRequestVariantSignedJwt",
            "type": "object",
            "properties": {
              "signedjwt": {
                "$ref": "#/components/schemas/SignedJwtCredential"
              }
            },
            "required": [
              "signedjwt"
            ]
          },
          {
            "title": "OneAppCredentialRequestVariantLdap",
            "type": "object",
            "properties": {
              "ldap": {
                "type": "string",
                "format": "uuid",
                "description": "LDAP credentials of an App used for authentication."
              }
            },
            "required": [
              "ldap"
            ]
          },
          {
            "title": "OneAppCredentialRequestVariantAwsIam",
            "type": "object",
            "properties": {
              "awsiam": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "awsiam"
            ]
          },
          {
            "title": "OneAppCredentialRequestVariantAwsXks",
            "type": "object",
            "properties": {
              "awsxks": {
                "$ref": "#/components/schemas/AwsXksCredentialRequest"
              }
            },
            "required": [
              "awsxks"
            ]
          },
          {
            "title": "OneAppCredentialRequestVariantGoogleWorkspaceCse",
            "type": "object",
            "properties": {
              "googleworkspacecse": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "googleworkspacecse"
            ]
          }
        ]
      },
      "AppOauthConfigVariantEnabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "state": {
                "type": "string",
                "enum": [
                  "enabled"
                ]
              }
            },
            "required": [
              "state"
            ]
          },
          {
            "$ref": "#/components/schemas/AppOauthConfigEnabled"
          }
        ]
      },
      "AppOauthConfigVariantDisabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "state": {
                "type": "string",
                "enum": [
                  "disabled"
                ]
              }
            },
            "required": [
              "state"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "CommonClientConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "retry_timeout_millis": {
                "type": "integer",
                "nullable": true
              },
              "cache_ttl": {
                "type": "integer",
                "nullable": true
              },
              "log": {
                "$ref": "#/components/schemas/ClientLogConfig"
              },
              "h2_num_connections": {
                "type": "integer",
                "nullable": true
              },
              "quorum_approval": {
                "$ref": "#/components/schemas/QuorumApprovalConfig"
              }
            }
          }
        ]
      },
      "Pkcs11ClientConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "fake_rsa_x9_31_keygen_support": {
                "type": "boolean",
                "nullable": true
              },
              "signing_aes_key_as_hmac": {
                "type": "boolean",
                "nullable": true
              },
              "exact_key_ops": {
                "type": "boolean",
                "nullable": true
              },
              "prevent_duplicate_opaque_objects": {
                "type": "boolean",
                "nullable": true
              },
              "opaque_objects_are_not_certificates": {
                "type": "boolean",
                "nullable": true
              },
              "max_concurrent_requests_per_slot": {
                "type": "integer",
                "nullable": true
              }
            }
          }
        ]
      },
      "KmipClientConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "ignore_unknown_key_ops_for_secrets": {
                "type": "boolean",
                "nullable": true,
                "description": "Use `ignore_unknown_key_ops_for` with [SECRET] instead of `ignore_unknown_key_ops_for_secrets`."
              },
              "ignore_unknown_key_ops_for": {
                "$ref": "#/components/schemas/ObjectTypeFilter"
              },
              "key_ops_override": {
                "$ref": "#/components/schemas/KeyOpsOverride"
              }
            }
          }
        ]
      },
      "TepClientConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "schema": {
                "$ref": "#/components/schemas/TepSchema"
              },
              "key_map": {
                "$ref": "#/components/schemas/TepKeyMapList"
              }
            },
            "required": [
              "schema",
              "key_map"
            ]
          }
        ]
      },
      "PrincipalUserViaApp": {
        "allOf": [
          {
            "type": "object",
            "description": "UserViaApp signifies a user authorizing some app to act on its behalf through OAuth.",
            "properties": {
              "user_id": {
                "type": "string",
                "format": "uuid"
              },
              "scopes": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "$ref": "#/components/schemas/OauthScope"
                }
              }
            },
            "required": [
              "user_id",
              "scopes"
            ]
          }
        ]
      },
      "AppAuthTypeVariants": {
        "oneOf": [
          {
            "title": "AppAuthTypeVariantsVariantAll",
            "type": "string",
            "enum": [
              "All"
            ]
          },
          {
            "$ref": "#/components/schemas/OneAppAuthType"
          }
        ]
      },
      "OneAppAuthType": {
        "description": "Authentication method of an app.",
        "type": "string",
        "enum": [
          "Secret",
          "GoogleServiceAccount",
          "SignedJwt",
          "Ldap",
          "AwsIam",
          "AwsXks",
          "GoogleWorkspaceCSE",
          "Certificate",
          "TrustedCa"
        ]
      },
      "AppAccountRoleDescriptorVariantSystemDefined": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "SystemDefined"
                ]
              },
              "value": {
                "$ref": "#/components/schemas/AppAccountRole"
              }
            },
            "required": [
              "$type",
              "value"
            ]
          }
        ]
      },
      "AppAccountRoleDescriptorVariantCustom": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Custom"
                ]
              },
              "value": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "$type",
              "value"
            ]
          }
        ]
      },
      "SecretCredentialRequest": {
        "oneOf": [
          {
            "type": "string",
            "description": "Use the existing secret (note that this must match the existing secret configured on the app)"
          },
          {
            "$ref": "#/components/schemas/SecretCredentialRequestGenerate"
          }
        ]
      },
      "TrustedCaCredential": {
        "allOf": [
          {
            "type": "object",
            "description": "`TrustedCa` app auth configuration.",
            "properties": {
              "check_revocation": {
                "type": "boolean",
                "nullable": true,
                "description": "When `true`, revocation status of certificates is checked, and revoked\ncertificates are rejected"
              }
            }
          },
          {
            "$ref": "#/components/schemas/TrustAnchorSubject"
          },
          {
            "$ref": "#/components/schemas/TrustAnchor"
          }
        ]
      },
      "GoogleServiceAccountCredential": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "access_reason_policy": {
                "$ref": "#/components/schemas/GoogleAccessReasonPolicy"
              },
              "groups": {
                "type": "object",
                "additionalProperties": {
                  "type": "array",
                  "items": {
                    "$ref": "#/components/schemas/GcpAppPermissions"
                  }
                },
                "nullable": true,
                "description": "Mapping of every group the application belongs to, to the GCP-specific permissions it has within that group."
              }
            }
          }
        ]
      },
      "SignedJwtCredential": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "valid_issuers": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                }
              },
              "signing_keys": {
                "$ref": "#/components/schemas/SigningKeys"
              },
              "private_claims_policy": {
                "$ref": "#/components/schemas/PrivateClaimsPolicy"
              }
            },
            "required": [
              "valid_issuers",
              "signing_keys"
            ]
          }
        ]
      },
      "AwsXksCredentialRequest": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "access_key_id": {
                "type": "string",
                "nullable": true
              },
              "secret_key": {
                "type": "string"
              }
            }
          }
        ]
      },
      "AppOauthConfigEnabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "redirect_uris": {
                "type": "array",
                "items": {
                  "type": "string"
                }
              }
            },
            "required": [
              "redirect_uris"
            ]
          }
        ]
      },
      "ClientLogConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "system": {
                "type": "boolean",
                "nullable": true
              },
              "file": {
                "$ref": "#/components/schemas/ClientFileLogging"
              },
              "level": {
                "type": "string",
                "nullable": true
              }
            }
          }
        ]
      },
      "QuorumApprovalConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Quorum Policy Configurations in clients",
            "properties": {
              "wait_for_quorum_approval": {
                "$ref": "#/components/schemas/ApprovalWaitConfig"
              }
            }
          }
        ]
      },
      "ObjectTypeFilter": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/ObjectTypeFilterVariantAll"
          },
          {
            "$ref": "#/components/schemas/ObjectTypeFilterVariantSelection"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "All": "ObjectTypeFilterVariantAll",
            "Selection": "ObjectTypeFilterVariantSelection"
          }
        }
      },
      "KeyOpsOverride": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "add_key_ops": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/KeyOperations"
                },
                "nullable": true,
                "description": "The operations to add to any key creation request (only supported in KMIP).\n\nThe following operations can be specified:\n- `EXPORT`\n- `APPMANAGEABLE`\n- `HIGHVOLUME`\n\nThe operations specified cannot conflict with what's specified in the\n`key_ops` field of account and/or group policies (where applicable).\n\n**Note**: This is only enforced on (KMIP) creation requests since we assume\nupdates removing key operations are intentional."
              }
            }
          }
        ]
      },
      "TepSchema": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/TepSchemaVariantOpenAPI"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "OpenAPI": "TepSchemaVariantOpenAPI"
          }
        }
      },
      "TepKeyMapList": {
        "allOf": [
          {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/TepKeyMap"
            }
          }
        ]
      },
      "OauthScope": {
        "description": "OAuth scope.",
        "type": "string",
        "enum": [
          "app",
          "openid",
          "email",
          "profile"
        ]
      },
      "AppAccountRole": {
        "type": "string",
        "enum": [
          "AccountAdministrator",
          "AccountMember",
          "AccountAuditor"
        ]
      },
      "SecretCredentialRequestGenerate": {
        "allOf": [
          {
            "type": "object",
            "description": "Generate a new secret",
            "properties": {
              "size": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "Size of the secret to be generated in bytes"
              }
            }
          }
        ]
      },
      "TrustAnchorSubject": {
        "description": "Subjects or subject alternative names (SANs) for trusted CA auth.\nDSM will check the subject field and any SANs inside incoming\nclient certificates and compare them against the subjects configured\nin the trusted CA auth config.",
        "oneOf": [
          {
            "title": "TrustAnchorSubjectVariantSubject",
            "type": "object",
            "properties": {
              "subject": {
                "type": "array",
                "items": {
                  "type": "array",
                  "minItems": 2,
                  "maxItems": 2,
                  "items": {
                    "type": "string"
                  }
                },
                "description": "A single subject as a list of OID/value string pairs\n(representing a sequence of relative distinguished names), which\nshould appear in the client cert's subject field and/or as one\nof its SANs.\n\nThis legacy variant is retained for backcompat purposes, and is\nequivalent to specifying a directoryName via the SubjectGeneral\nvariant."
              }
            },
            "required": [
              "subject"
            ]
          },
          {
            "title": "TrustAnchorSubjectVariantSubjectGeneral",
            "type": "object",
            "properties": {
              "subject_general": {
                "$ref": "#/components/schemas/SubjectGeneral"
              }
            },
            "required": [
              "subject_general"
            ]
          },
          {
            "title": "TrustAnchorSubjectVariantSubjects",
            "type": "object",
            "properties": {
              "subjects": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/SubjectGeneral"
                },
                "description": "List of allowed GeneralName subjects. At least one of the values\nin this list must appear in the client cert, under its subject\nfield and/or as one of its SANs.\n\nCurrently, DSM supports at most 16 subjects."
              }
            },
            "required": [
              "subjects"
            ]
          }
        ]
      },
      "TrustAnchor": {
        "description": "Trust anchors (i.e., root CA certificates) for a [`TrustedCaCredential`].",
        "oneOf": [
          {
            "title": "TrustAnchorVariantCaCertificate",
            "type": "object",
            "properties": {
              "ca_certificate": {
                "type": "string",
                "format": "byte",
                "description": "A single root CA certificate."
              }
            },
            "required": [
              "ca_certificate"
            ]
          },
          {
            "title": "TrustAnchorVariantCaCertificates",
            "type": "object",
            "properties": {
              "ca_certificates": {
                "type": "array",
                "items": {
                  "type": "string",
                  "format": "byte"
                },
                "description": "Multiple root CA certificates. DSM currently supports up to 16 certs."
              }
            },
            "required": [
              "ca_certificates"
            ]
          }
        ]
      },
      "GoogleAccessReasonPolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Policy specifying acceptable access reasons\nby Google Service Account at App or Sobject level.",
            "properties": {
              "allow": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "$ref": "#/components/schemas/GoogleAccessReason"
                },
                "description": "Set of allowed Google Access reasons."
              },
              "allow_missing_reason": {
                "type": "boolean",
                "description": "Accept incoming requests which do not specify any access reasons."
              }
            },
            "required": [
              "allow",
              "allow_missing_reason"
            ]
          }
        ]
      },
      "GcpAppPermissions": {
        "description": "\n\n\n          CRYPTO_SPACE_GET_INFO:\n\n\n          CRYPTO_SPACE_GET_PUBLIC_KEY:\n\n",
        "type": "string",
        "enum": [
          "CRYPTO_SPACE_GET_INFO",
          "CRYPTO_SPACE_GET_PUBLIC_KEY"
        ]
      },
      "SigningKeys": {
        "description": "Signing keys used to validate JSON Web Signature objects including signed\nJSON Web Tokens.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/SigningKeysVariantStored"
          },
          {
            "$ref": "#/components/schemas/SigningKeysVariantFetched"
          }
        ],
        "discriminator": {
          "propertyName": "kind",
          "mapping": {
            "stored": "SigningKeysVariantStored",
            "fetched": "SigningKeysVariantFetched"
          }
        }
      },
      "PrivateClaimsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "definition": {
                "$ref": "#/components/schemas/PolicyDefinition"
              }
            },
            "required": [
              "definition"
            ]
          }
        ]
      },
      "ClientFileLogging": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/ClientFileLoggingVariantEnabled"
          },
          {
            "$ref": "#/components/schemas/ClientFileLoggingVariantDisabled"
          }
        ],
        "discriminator": {
          "propertyName": "mode",
          "mapping": {
            "enabled": "ClientFileLoggingVariantEnabled",
            "disabled": "ClientFileLoggingVariantDisabled"
          }
        }
      },
      "ApprovalWaitConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Configurations for waiting for quorum approval.",
            "properties": {
              "enabled": {
                "type": "boolean",
                "description": "Indicates whether waiting for quorum approval is activated or disabled"
              },
              "poll_interval_secs": {
                "type": "integer",
                "nullable": true,
                "description": "Time interval in seconds for client lib to check quorum status."
              },
              "max_wait_for_secs": {
                "type": "integer",
                "nullable": true,
                "description": "Maximum time in seconds for client lib to wait for quorum reply."
              }
            },
            "required": [
              "enabled"
            ]
          }
        ]
      },
      "ObjectTypeFilterVariantAll": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "All"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "ObjectTypeFilterVariantSelection": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Selection"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "$ref": "#/components/schemas/ObjectTypeFilterSelection"
          }
        ]
      },
      "KeyOperations": {
        "description": "Operations allowed to be performed on a given key.\n\n\n\n          SIGN:\n            If this is set, the key can be used for signing.\n\n\n          VERIFY:\n            If this is set, the key can be used for verifying a signature.\n\n\n          ENCRYPT:\n            If this is set, the key can be used for encryption.\n\n\n          DECRYPT:\n            If this is set, the key can be used for decryption.\n\n\n          WRAPKEY:\n            If this is set, the key can be used for wrapping other keys.\n            The key being wrapped must have the EXPORT operation enabled.\n\n\n          UNWRAPKEY:\n            If this is set, the key can be used to unwrap a wrapped key.\n\n\n          DERIVEKEY:\n            If this is set, the key can be used to derive another key.\n\n\n          TRANSFORM:\n            If this is set, the key can be transformed.\n\n\n          MACGENERATE:\n            If this is set, the key can be used to compute a cryptographic\n            Message Authentication Code (MAC) on a message.\n\n\n          MACVERIFY:\n            If this is set, the key can be used to verify a MAC.\n\n\n          EXPORT:\n            If this is set, the value of the key can be retrieved\n            with an authenticated request. This shouldn't be set unless\n            required. It is more secure to keep the key's value inside DSM only.\n\n\n          APPMANAGEABLE:\n            Without this operation, management operations like delete, destroy,\n            rotate, activate, restore, revoke, revert, update, remove_private, etc.\n            cannot be performed by a crypto App.\n            A user with access or admin app can still perform these operations.\n            This option is only relevant for crypto apps.\n\n\n          HIGHVOLUME:\n            If this is set, audit logs will not be recorded for the key.\n            High volume here tries to signify a key that is being used a lot\n            and will produce lots of logs. Setting this operation disables\n            audit logs for the key.\n\n\n          AGREEKEY:\n            If this is set, the key can be used for key agreement.\n            Both the private and public key should have this option enabled\n            to perform an agree operation.\n\n\n          ENCAPSULATE:\n            If this is set, the key can be used for key encapsulation. The\n            result is a new symmetric key and a ciphertext.\n\n\n          DECAPSULATE:\n            If this is set, the key can be used for key decapsulation. If\n            decapsulation succeeds, the result is a new symmetric key.\n\n",
        "type": "string",
        "enum": [
          "SIGN",
          "VERIFY",
          "ENCRYPT",
          "DECRYPT",
          "WRAPKEY",
          "UNWRAPKEY",
          "DERIVEKEY",
          "TRANSFORM",
          "MACGENERATE",
          "MACVERIFY",
          "EXPORT",
          "APPMANAGEABLE",
          "HIGHVOLUME",
          "AGREEKEY",
          "ENCAPSULATE",
          "DECAPSULATE"
        ]
      },
      "TepSchemaVariantOpenAPI": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "OpenAPI"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {
              "openapi": {
                "type": "string"
              }
            }
          }
        ]
      },
      "TepKeyMap": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "path": {
                "$ref": "#/components/schemas/ApiPath"
              },
              "kid": {
                "type": "string",
                "format": "uuid"
              },
              "mode": {
                "$ref": "#/components/schemas/CipherMode"
              }
            },
            "required": [
              "path",
              "kid",
              "mode"
            ]
          }
        ]
      },
      "SubjectGeneral": {
        "description": "A GeneralName that can be used as a [subject alternative name][SAN] in\na certificate.\n\nToday, the directoryName, dNSName, and iPAddress choices are supported.\nNote that directoryName can also be used to represent the subject field\nin a certificate.\n\n[SAN]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6",
        "oneOf": [
          {
            "title": "SubjectGeneralVariantDirectoryName",
            "type": "object",
            "properties": {
              "directory_name": {
                "type": "array",
                "items": {
                  "type": "array",
                  "minItems": 2,
                  "maxItems": 2,
                  "items": {
                    "type": "string"
                  }
                },
                "description": "A directoryName, which consists of a sequence of (type, value)\npairs, where type is an OID, and value is a DER-encoded ASN.1\nvalue. (This represents a sequence of relative distinguished\nnames.)"
              }
            },
            "required": [
              "directory_name"
            ]
          },
          {
            "title": "SubjectGeneralVariantDnsName",
            "type": "object",
            "properties": {
              "dns_name": {
                "type": "string",
                "description": "A DNS name."
              }
            },
            "required": [
              "dns_name"
            ]
          },
          {
            "title": "SubjectGeneralVariantIpAddress",
            "type": "object",
            "properties": {
              "ip_address": {
                "oneOf": [
                  {
                    "type": "string",
                    "format": "ipv4"
                  },
                  {
                    "type": "string",
                    "format": "ipv6"
                  }
                ],
                "description": "An IP address."
              }
            },
            "required": [
              "ip_address"
            ]
          }
        ]
      },
      "GoogleAccessReason": {
        "description": "An access reason provided by Google when making EKMS API calls.",
        "type": "string",
        "enum": [
          "REASON_UNSPECIFIED",
          "CUSTOMER_INITIATED_SUPPORT",
          "GOOGLE_INITIATED_SERVICE",
          "THIRD_PARTY_DATA_REQUEST",
          "GOOGLE_INITIATED_REVIEW",
          "CUSTOMER_INITIATED_ACCESS",
          "GOOGLE_INITIATED_SYSTEM_OPERATION",
          "REASON_NOT_EXPECTED",
          "MODIFIED_CUSTOMER_INITIATED_ACCESS",
          "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION",
          "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT",
          "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING"
        ]
      },
      "SigningKeysVariantStored": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "kind": {
                "type": "string",
                "enum": [
                  "stored"
                ]
              }
            },
            "required": [
              "kind"
            ]
          },
          {
            "$ref": "#/components/schemas/SigningKeysStored"
          }
        ]
      },
      "SigningKeysVariantFetched": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "kind": {
                "type": "string",
                "enum": [
                  "fetched"
                ]
              }
            },
            "required": [
              "kind"
            ]
          },
          {
            "$ref": "#/components/schemas/SigningKeysFetched"
          }
        ]
      },
      "PolicyDefinition": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/PolicyDefinitionVariantRego"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "rego": "PolicyDefinitionVariantRego"
          }
        }
      },
      "ClientFileLoggingVariantEnabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "enabled"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "$ref": "#/components/schemas/ClientFileLoggingConfig"
          }
        ]
      },
      "ClientFileLoggingVariantDisabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "disabled"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "ObjectTypeFilterSelection": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "selection": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/ObjectType"
                }
              }
            },
            "required": [
              "selection"
            ]
          }
        ]
      },
      "ApiPath": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "api_path": {
                "type": "string"
              },
              "method": {
                "type": "string"
              },
              "context": {
                "$ref": "#/components/schemas/TepKeyContext"
              },
              "key_path": {
                "type": "string"
              }
            },
            "required": [
              "api_path",
              "method",
              "context",
              "key_path"
            ]
          }
        ]
      },
      "CipherMode": {
        "description": "Cipher mode used for symmetric key algorithms.",
        "type": "string",
        "enum": [
          "ECB",
          "CBC",
          "CBCNOPAD",
          "CFB",
          "OFB",
          "CTR",
          "GCM",
          "CCM",
          "KW",
          "KWP",
          "FF1"
        ]
      },
      "SigningKeysStored": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "keys": {
                "type": "object",
                "additionalProperties": {
                  "type": "string",
                  "format": "byte"
                },
                "description": "Mapping from key IDs to DER-encoded public keys."
              }
            },
            "required": [
              "keys"
            ]
          }
        ]
      },
      "SigningKeysFetched": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "url": {
                "type": "string"
              },
              "cache_duration": {
                "type": "integer",
                "description": "Number of seconds that the service is allowed to cache the fetched keys."
              }
            },
            "required": [
              "url",
              "cache_duration"
            ]
          }
        ]
      },
      "PolicyDefinitionVariantRego": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "rego"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "$ref": "#/components/schemas/PolicyDefinitionRego"
          }
        ]
      },
      "ClientFileLoggingConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "path": {
                "type": "string",
                "nullable": true
              },
              "file_size_kb": {
                "type": "integer",
                "nullable": true
              },
              "max_files": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              }
            }
          }
        ]
      },
      "ObjectType": {
        "description": "Type of security object.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "EC",
          "KCDSA",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "OPAQUE",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "SECRET",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "CERTIFICATE",
          "PBE"
        ]
      },
      "TepKeyContext": {
        "type": "string",
        "enum": [
          "request",
          "response"
        ]
      },
      "PolicyDefinitionRego": {
        "allOf": [
          {
            "type": "object",
            "description": "A policy definition defined using the Rego policy language as outlined in\nthe [Open Policy Agent](https://www.openpolicyagent.org/docs/policy-language) docs.\n\nThe DSM backend will pass an input to the Rego engine and the format is defined as such:\n- A JSON object that nests the JWT body one level, where the root key is `jwt_body`.\n- From the policy, this object is accessible via the `input` (OPA defined) variable.\n\nAn example of the input object:\n```json\n{\n\"jwt_body\": { < jwt body contents > }\n}\n```\n\nAn example policy indexing into the input:\n\n```rego\npackage my_example\n\ndefault allow := false\n\nallow if {\ninput.jwt_body.my_private_claims.employee == \"Alice\"\n}\n```\n\nThe expected policy format is defined as such:\n- A **required** variable defined as `allow` of type boolean. This should be set to true or false based on any other processing done.\n- An **optional** field defined as `additional_logging` if the client wishes to include other information not captured in existing audit logs for JWT auth apps.\n- Note: `additional_logging` is *limited to a max length of 128 UTF-8 bytes* and corresponds to the `client_provided_context` field on the `AuditLog` model.",
            "properties": {
              "value": {
                "type": "string"
              }
            },
            "required": [
              "value"
            ]
          }
        ]
      }
    }
  }
}
````

