Skip to main content

Cryptr API (2.0)

Download OpenAPI specification:Download

πŸ§‘β€πŸ€β€πŸ§‘ Organizations

The Organizations allows you to manage your business-to-business (B2B) customers, and segments strictly that end-users access their applications. Each end-user are stored in a distinct directory for a dedicated customer (Organization), and the end-user experience is customized in your colors with a white label User interface. An (Organization) represents a business customer or partner in your Cryptr service.

  • An (Organization) represents a business customer or partner in your Cryptr service.

Your Cryptr subscription plan you choose limit this feature. A free account is limited to 1 organization to manage.

The Organization type

Each new organization get a domain generated from its name. A domain is impossible to update, because it's the identifier of the organization.

country_name
enum

The ISO3166-1 Alpha2 of the Organization.

domain
slug

Immutable identifier of the organization in a "slug format": domain is a STRING value in "lowercase" with "underline", generated from the name.

id
uuid

Immutable identifier in the Universal Unique Identifier (UUID) format.

inserted_at
string <date-time>

Date time of the insertion

locality
string

The Head Quarter locality of the organization

name
string

The name of your organization will be "sluggified" & store at the domain field. "Awesome company" will become "awesome-company".

privacy_policy_url
url or null

Url of the privacy policy url of your service.

state
string

The state of the locality (of the Organization).

terms_of_service_url
url or null

Url of the terms of service url of your service.

updated_at
string <date-time>

Update timestamp

{
  • "__type__": "Organization",
  • "country_name": "FR",
  • "domain": "misapret",
  • "id": "bbc39a5a-905c-4def-90e6-605ed7b27098",
  • "inserted_at": "2021-10-18T10:02:31",
  • "locality": "Lille",
  • "name": "Misapret",
  • "privacy_policy_url": "https://misapret.com/policy",
  • "state": "Nord",
  • "terms_of_service_url": "https://misapret.com/terms",
  • "updated_at": "2021-10-18T10:02:31"
}

List all Organizations

Returns a list of your Organizations. The Organizations are returned sorted by creation date, with the most recent customers appearing first.

RETURNS

A dictionary with a data property that contains an array of up to limit Organizations. Each entry in the array is a separate Organization type. If no Organizations are available, the resulting array will be empty. This request should never return an error.

query Parameters
page
integer
Example: page=1

Precise the page of your listing, see how to paginate the Cryptr API.

per_page
integer
Example: per_page=8

Precise the size of the pages of the pagination of the list, see how to paginate the Cryptr API.

Responses

Request samples


curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/organizations

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [
    ],
  • "pagination": {
    },
  • "total": 1
}

Create an Organization

Creates a new Organization type with a name & a locality (the city of the organization).

RETURNS

Returns an Organization if the creation succeeded. Returns an error if create parameters are invalid (e.g. specifying an invalid code or an invalid source).

query Parameters
name
required
string
Example: name=Misapret

The name of your organization will be "sluggified" & store into the domain field. "Awesome company" will become "awesome-company".

autocomplete_address
string
Example: autocomplete_address=Dublin

Use this field to autocomplete address fields (state, locality , country_name) using our address engine.

Examples:

  • "autocomplete_address": "Dublin" will return "country_name": "IE", "locality": "Dublin", "state": "Leinster"
  • "autocomplete_address": "Dublin, CA" will return "country_name": "US", "locality": "Dublin", "state": "Californie"

Responses

Request samples


/* With Address engine */
curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/organizations/${ORGANIZATION_DOMAIN}           -d autocomplete_address="San Francisco"
  -d privacy_policy_url="https://misapret.com/policy"
/* OR Without Address engine */
curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/organizations/${ORGANIZATION_DOMAIN}           -d locality="Lille"
  -d state="Hauts-de-France"
  -d country_name="FR"
  -d privacy_policy_url="https://misapret.com/policy"

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "Organization",
  • "country_name": "FR",
  • "domain": "misapret",
  • "id": "4124141d-675e-4361-bc8b-6417b22bd4fc",
  • "inserted_at": "2017-09-12T12:34:55Z",
  • "locality": "Lille",
  • "name": "Misapret",
  • "privacy_policy_url": "https://misapret.com/policy",
  • "state": "Nord",
  • "terms_of_service_url": "https://misapret.com/terms",
  • "updated_at": "2017-09-13T10:11:12Z"
}

Retrieve an Organization

Fetch an Organization by its given domain. The domain is generated from its name. It's a unique and immutable value in your Cryptr service.

RETURNS

Returns the Organization for a valid identifier. If it’s for a deleted Organization, a subset of the Organization’s information is returned, including a deleted property that’s set to true.

path Parameters
org_domain
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

Responses

Request samples


curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/organizations/${ORGANIZATION_DOMAIN}

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "Organization",
  • "country_name": "FR",
  • "domain": "misapret",
  • "id": "4124141d-675e-4361-bc8b-6417b22bd4fc",
  • "inserted_at": "2017-09-12T12:34:55Z",
  • "locality": "Lille",
  • "name": "Misapret",
  • "privacy_policy_url": "https://misapret.com/policy",
  • "state": "Nord",
  • "terms_of_service_url": "https://misapret.com/terms",
  • "updated_at": "2017-09-13T10:11:12Z"
}

Update an Organization

You can't update the domain of an Organization. If you need to, you have to create a new one.

RETURNS

Returns the Organization if the update succeeded. Returns an error if create parameters are invalid (e.g. specifying an invalid code or an invalid source).

path Parameters
org_domain
required
string
Example: Misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
name
string
Example: name=Misapret

The name of your organization (won't change domain because already set at creation)

locality
string
Example: locality=San Francisco

You can describe, with an indication of the language as standard ISO 3166-2.

state
string
Example: state=Nord

The state (region/state district) of the organization.

country_name
string
Example: country_name=FR

The ISO 3166-2 code of the organization.

privacy_policy_url
string <url>
Example: privacy_policy_url=https://misapret.com/policy

Url of the privacy policy url of your service.

terms_of_service_url
string <url>
Example: terms_of_service_url=https://misapret.com/terms

Url of the terms of service url of your service.

Responses

Request samples


curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/organizations/${ORGANIZATION_DOMAIN}         -d locality="San Francisco"
-d privacy_policy_url="https://misapret.com/policy"

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "Organization",
  • "country_name": "US",
  • "domain": "misapret",
  • "id": "4124141d-675e-4361-bc8b-6417b22bd4fc",
  • "inserted_at": "2017-09-12T12:34:55Z",
  • "locality": "San Francisco",
  • "name": "Misapret",
  • "privacy_policy_url": "https://misapret.com/policy",
  • "state": "Californie",
  • "terms_of_service_url": "https://misapret.com/terms",
  • "updated_at": "2021-10-18T10:02:31"
}

πŸ‘©β€πŸ’» Users

Cryptr stores user profiles for your application in a dedicated hosted cloud database for a specific Organization. User profile information can come from your users directly. The sources are magic link signup, SSO (via SAML) logins, or Active Directory.

  • A (User) represents an end user of your customer or partner in your Cryptr service.

Your Cryptr subscription plan could limit the number of users. See our pricing for more details.

The User's Organization domain

Each end-user is stored in a distinct directory for a dedicated customer (Organization). You can figure out the domain of the user's Organization from this user's atttribute domain.

The User type

Each new user get a unique id (identifier) generated and which is impossible to update.

avatar_hexa_color
string

Each time a new user is created, a random color in hexadecimal format, like #4B0082 that is generated and associated to the user.

id
uuid

The immutable identifier.

metadata
Array of arrays
object (Profile)

The OpenID Connect profile specification defines a set of standard Claims. They can be requested to be returned either in the UserInfo Response or in the ID Token.

{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__environment__": "production",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "8724da20-c140-4d01-82d2-bc87079a6f6e",
  • "metadata": [ ],
  • "profile": {
    }
}

The Profile type

object (Address)

User's postal address. The value of the address member is a Address type defined here.

birthdate
string

User's birthday represented as an ISO 8601:2004 [ISO8601-2004] YYYY-MM-DD format.

email
string <email>

Email

family_name
string

The last name is an Open Id Connect Profile attribute.

gender
enum

It's an Open Id Connect Profile attribute.

given_name
string

The first name is an Open Id Connect Profile attribute.

locale
enum

It's an Open Id Connect Profile attribute.

nickname
string

It's an Open Id Connect Profile attribute.

phone_number
string

User telephone number as E.164 format.

picture
url

It's an Open Id Connect Profile attribute.

profile
url

It's an Open Id Connect Profile attribute.

website
url

It's an Open Id Connect Profile attribute.

zoneinfo
enum

It's an Open Id Connect Profile attribute.

{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__environment__": "production",
  • "__managed_by__": "your-domain",
  • "__type__": "profile",
  • "address": {
    },
  • "birthdate": "1943-01-19",
  • "email": "janis.joplin@example.com",
  • "family_name": "Joplin",
  • "gender": "female",
  • "given_name": "Janis",
  • "locale": "fr",
  • "name": "Janis Joplin",
  • "nickname": "Jany",
  • "phone_number": "+1-555-415-1337",
  • "zoneinfo": "America/Los_Angeles"
}

The Address type

country
string

Country name component.

formatted
string

The Full mailing address is formatted to display or use on a mailing label. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair (" ") or as a single line feed character (" ").

locality
string

City or locality component.

postal_code
string

Zip code or postal code component of the User.

region
string

State, province, prefecture, or region component of the User.

street_address
string

The complete address includes house number, street name, PO box, and extended street address information on multiple lines. This field may contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair (" ") or as a single line feed character (" ").

{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__environment__": "production",
  • "__managed_by__": "your-domain",
  • "__type__": "Address",
  • "country": "FR",
  • "formatted": "165 avenue de Bretagne\n59000 Lille, France",
  • "locality": "Lille",
  • "postal_code": "59000",
  • "region": "Nord",
  • "street_address": "165 avenue de Bretagne"
}

Retrieve a User By Email

Fetch a User by its given email.

RETURNS

Returns a User for a valid identifier. If it’s for a deleted User, a subset of the User’s information is returned, including a deleted property that’s set to true.

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

user_email
required
string
Example: janis.joplin@example.com

Email is a required field as it is part of the security of the created end-user account.

Responses

Request samples


curl'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:org_domain/user-by-email/:user_email'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__environment__": "production",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "8724da20-c140-4d01-82d2-bc87079a6f6e",
  • "metadata": [ ],
  • "profile": {
    }
}

List all Users

Returns a list of your Users. The Users are returned sorted by creation date, with the most recent users appearing first.

RETURNS

A dictionary with a data property that contains an array of up to limit users. Each entry in the array is a separate user type. If no users are available, the resulting array will be empty. This request should never return an error.

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
page
integer
Example: page=1

Precise the page of your listing, see how to paginate the Cryptr API.

per_page
integer
Example: per_page=8

Precise the size of the pages of the pagination of the list. See how to paginate the Cryptr API.

Responses

Request samples

curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:org_domain/users?environment=:environment

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__environment__": "production",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "8724da20-c140-4d01-82d2-bc87079a6f6e",
  • "metadata": [ ],
  • "profile": {
    }
}

Create a User

Creates a new user in an Organization.

RETURNS

Returns a User attached to an Organization if the creation succeeded. Returns an error if create parameters are invalid (e.g. specifying an invalid code or an invalid source).

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
email
required
string
Example: email=janis.joplin@example.com

Email is a required field as it is part of the security of the created end-user account.

birthdate
string
Example: birthdate=1943-01-19

User's birthday represented as an ISO 8601:2004 [ISO8601-2004] YYYY-MM-DD format.

phone_number
string
Example: phone_number=+33668724080

User telephone number as E.164 format.

given_name
string
Example: given_name=Janis

The first name is an Open Id Connect Profile attribute.

family_name
string
Example: family_name=Joplin

The last name is an Open Id Connect Profile attribute.

nickname
string
Example: nickname=Jany

It's an Open Id Connect Profile attribute.

profile
string <url>
Example: profile=http://www.example.com/profile

It's an Open Id Connect Profile attribute.

picture
string <url>
Example: picture=http://www.example.com/avatar.jpeg

It's an Open Id Connect Profile attribute.

website
string <url>
Example: website=http://www.example.com

It's an Open Id Connect Profile attribute.

gender
string
Enum: "male" "female" null
Example: gender=female

It's an Open Id Connect Profile attribute, available options are male, female or null.

zoneinfo
string
Example: zoneinfo=America/Los_Angeles

It's an Open Id Connect Profile attribute.

locale
string
Example: locale=fr

It's an Open Id Connect Profile attribute.

Address (object)

User's postal address. The value of the address member is a Address type defined here.

Responses

Request samples

curl --request POST 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:org_domain/users' \
        --data-raw '{
          "domain": "misapret",
          "environment": "production",
          "profile": {
            "address": {
              "__type__": "Address",
              "formatted": "165 avenue de Bretagne
59000 Lille, France",
              "street_address": "165 avenue de Bretagne",
              "city": "Lille",
              "region": "Nord",
              "postal_code": "59000",
              "country": "FR"
            },
            "given_name": "Janis",
            "family_name": "Joplin",
            "name": "Janis Joplin",
            "nickname": "Jany",
            "profile": "http://www.example.com/profile",
            "phone_number": "+1-555-415-1337",
            "picture": "http://www.example.com/avatar.jpeg",
            "website": "http://www.example.com",
            "email": "josefa.farrell@yahoo.com",
            "gender": "female",
            "birthdate": "1943-01-19",
            "zoneinfo": "America/Los_Angeles",
            "locale": "fr"
          }
        }'
      

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__environment__": "production",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "8724da20-c140-4d01-82d2-bc87079a6f6e",
  • "metadata": [ ],
  • "profile": {
    }
}

Retrieve a User By ID

Fetch a User by its given id.

RETURNS

Returns a User for a valid identifier. If it’s for a deleted User, a subset of the User’s information is returned, including a deleted property that’s set to true.

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

user_id
required
uuid
Example: 8724da20-c140-4d01-82d2-bc87079a6f6e

The immutable identifier.

Responses

Request samples

curl 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:org_domain/users/:user_id?environment=:environment'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__environment__": "production",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "8724da20-c140-4d01-82d2-bc87079a6f6e",
  • "metadata": [ ],
  • "profile": {
    }
}

Update a User

Update an existing user.

RETURNS

Returns an updated Users from an Organization if the update succeeded. Returns an error if create parameters are invalid (e.g. specifying an invalid code or an invalid source).

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

user_id
required
uuid
Example: 8724da20-c140-4d01-82d2-bc87079a6f6e

The immutable identifier.

query Parameters
Profile (object)

The OpenID Connect profile specification defines a set of standard Claims. They can be requested to be returned either in the UserInfo Response or in the ID Token.

Responses

Request samples


curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:org_domain/users/${USER_ID} \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d profile="https://franksinatra.com"

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__environment__": "production",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "8724da20-c140-4d01-82d2-bc87079a6f6e",
  • "metadata": [ ],
  • "profile": {
    }
}

πŸ’» Applications

The term Application in Cryptr is for a single-page application that executes on a browser. It could be scoped globally to your own domain, or to a specific Organization.

When you create a new application, Cryptr generate for you a client_id. This is for security reasons, a unique identifier for your end users authentication via this specific authentification.

The Application type

Each new application is by default globally accessible from all you organization users directories. However you can scope the access to a specific organization with the organization_domain_scope. To do that, you need to specify an Organization domain which is generated from its name during its creation. Each authentication of end users from this dedicated application will be limited to its specific organization.

allowed_logout_urls
Array of url

The Allowed Logout URLs represents the addresses (URL) where Cryptr redirects the user after they logged out.

allowed_origins_cors
Array of url

CORS is the control of the origin by the user's browser where the application that seeks to authenticate with Cryptr is executed, the allowed origin represents the addresses (URL) of the application that we want to authorize to authenticate with Cryptr

allowed_redirect_urls
Array of url

The Allowed Redirect URLs represents the addresses (URL) where Cryptr sends the user once the app has been receive a successfully authorization code.

allowed_web_origins
Array of url

The Allowed Web Origins represents the addresses (URL) that are allowed to access the authentication process.

application_type
enum

The application technology (react, vue, angular)

client_id
uuid

Alias for the id. Usefull for authentication.

default_origin_cors
string

A default URL of the application that we want to authorize to authenticate with Cryptr

default_redirect_uri_after_login
string

A default URL where Cryptr redirects the user after they logged in

default_redirect_uri_after_logout
string

A default URL where Cryptr redirects the user after they logged out

default_web_origin
string

A Default Web Origin is a URL that is allowed to access the authentication process, this allows to manage for example the page refresh without being disconnected.

description
string

Your own custom information about the app.

id
uuid

Immutable identifier in the Universal Unique Identifier (UUID) format.

inserted_at
string

Insertion date time

name
string

The name of your application, a label to help you to understand which application is about.

updated_at
string

Updated date time

{}

List all Applications

Returns a list of your Applications. The Applications are returned sorted by creation date, with the most recent applications appearing first.

RETURNS

A dictionary with a data property that contains an array of up to limit Applications. Each entry in the array is a separate Application type. If no Applications are available, the resulting array will be empty. This request should never return an error.

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
page
integer
Example: page=1

Precise the page of your listing, see how to paginate the Cryptr API.

per_page
integer
Example: per_page=1

Precise the size of the pages of the pagination of the list. See how to paginate the Cryptr API.

Responses

Request samples

curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:domain/applications

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [],
  • "pagination": {
    },
  • "total_count": 1
}

Create an Application

Creates a new Application type with a name, then get locality.

RETURNS

Returns an Application if the creation succeeded. Returns an error if create parameters are invalid (e.g. specifying an invalid code or an invalid source).

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
allowed_origins_cors
required
Array of url
Example: allowed_origins_cors=http://localhost:3000

CORS is the control of the origin by the user's browser where the application that seeks to authenticate with Cryptr is executed, the allowed origin represents the addresses (URL) of the application that we want to authorize to authenticate with Cryptr

allowed_redirect_urls
required
Array of url
Example: allowed_redirect_urls=http://localhost:3000

The Allowed Redirect URLs represents the addresses (URL) where Cryptr sends the user once the app has been receive a successfully authorization code.

allowed_web_origins
required
Array of url
Example: allowed_web_origins=http://localhost:3000

The Allowed Web Origins represents the addresses (URL) that are allowed to access the authentication process.

allowed_logout_urls
required
Array of url
Example: allowed_logout_urls=http://localhost:3000

The Allowed Logout URLs represents the addresses (URL) where Cryptr redirects the user after they logged out.

application_type
required
string
Enum: "react" "vue" "angular"
Example: application_type=react

Your own custom information about the app.

name
required
string
Example: name=App of Misapret

The name of your application, a label to help you to understand which application is about.

description
string
Example: description=Everything to deal with bank

Your own custom information about the app.

default_origin_cors
string
Example: default_origin_cors=http://localhost:3000

A default URL of the application that we want to authorize to authenticate with Cryptr

default_web_origin
string
Example: default_web_origin=http://localhost:3000

A Default Web Origin is a URL that is allowed to access the authentication process, this allows to manage for example the page refresh without being disconnected.

Responses

Request samples


curl --request POST 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:domain/applications' \
--header 'Authorization: Bearer your_api_key_generated_token' \
--header 'Content-Type: application/json' \
--data-raw '{
  "allowed_logout_urls": ["http://localhost:3000"],
  "allowed_origins_cors": ["http://localhost:3000"],
  "allowed_redirect_urls": ["http://localhost:3000"],
  "allowed_web_origins": ["http://localhost:3000"],
  "application_type": "react",
  "name": "App of Misapret"
}'

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [],
  • "pagination": {
    },
  • "total_count": 1
}

Retrieve an Application

Fetch an Application by its given id.

Note: When you fetch an Application, the environment of your API key determine where is stored your application. For exemple your application in sandbox is fetched if and only if this resource is stored in sandbox. You can't fetch an Application from the Production environment with this API KEY, you need an API KEY dedicated to this environment.

RETURNS

Returns the Application for a valid identifier. If it’s for a deleted Application, a subset of the Application’s information is returned, including a deleted property that’s set to true.

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

client_id
required
uuid
Example: 81a81b21-93b9-441b-a861-a33dc8c06fea

The immutable identifier.

Responses

Request samples

curl https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:domain/applications/:client_id

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [],
  • "pagination": {
    },
  • "total_count": 1
}

Update an Application

Fetch an Application by its given id.

Note: When you fetch an Application, the environment of your API key determine where is stored your application. For exemple your application in sandbox is fetched if and only if this resource is stored in sandbox. You can't fetch an Application from the Production environment with this API KEY, you need an API KEY dedicated to this environment.

RETURNS

Returns the Application updated for a valid identifier.

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

client_id
required
uuid
Example: 81a81b21-93b9-441b-a861-a33dc8c06fea

Alias for the id. Usefull for authentication.

query Parameters
allowed_origins_cors
required
Array of url
Example: allowed_origins_cors=http://localhost:3000

CORS is the control of the origin by the user's browser where the application that seeks to authenticate with Cryptr is executed, the allowed origin represents the addresses (URL) of the application that we want to authorize to authenticate with Cryptr

allowed_redirect_urls
required
Array of url
Example: allowed_redirect_urls=http://localhost:3000

The Allowed Redirect URLs represents the addresses (URL) where Cryptr sends the user once the app has been receive a successfully authorization code.

allowed_web_origins
required
Array of url
Example: allowed_web_origins=http://localhost:3000

The Allowed Web Origins represents the addresses (URL) that are allowed to access the authentication process.

allowed_logout_urls
required
Array of url
Example: allowed_logout_urls=http://localhost:3000

The Allowed Logout URLs represents the addresses (URL) where Cryptr redirects the user after they logged out.

application_type
required
string
Enum: "react" "vue" "angular"
Example: application_type=react

Your own custom information about the app.

name
required
string
Example: name=App of Misapret

The name of your application, a label to help you to understand which application is about.

description
string
Example: description=Everything to deal with bank

Your own custom information about the app.

default_origin_cors
string
Example: default_origin_cors=http://localhost:3000

A default URL of the application that we want to authorize to authenticate with Cryptr

default_web_origin
string
Example: default_web_origin=http://localhost:3000

A Default Web Origin is a URL that is allowed to access the authentication process, this allows to manage for example the page refresh without being disconnected.

Responses

Request samples


curl 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:domain/applications/:client_id' \
  --request PUT \
  --data-raw '{
    "application_type": "angular"
}'

Response samples

Content type
application/json
{}

πŸ”Œ SSO Connections

You can create or update SSO connection preferences for an Organization (usualy your Enterprise customer). Everything to setup, attach, create a redirection a end-user login or interact with administrator of the SSO.

Cryptr supports the following SSO provider solutions :

  • Azure Active Directory
  • ADFS
  • Google
  • Okta
  • Ping Federate (Ping Identity)
  • Ping One (Ping Identity)
  • Auth0
  • One Login
  • Custom SAML By default, user profile attributes provided by identity providers (the SSO solution of your customers) are not directly editable because they are updated from the identity provider each time the user logs in.

To be able to edit the name, nickname, given_name, family_name, or picture root attributes on the normalized user profile, you must configure your connection sync with Cryptr so that user attributes will be updated from the identity provider only on user profile creation.

You can add & edit root attributes individually or as a bulk import using the Management API. You'll find these attributes in the final JWT (Json Web Token) after the successfull SSO authentifcation.

  • A (User) represents an end user ofr your customer or partner in your Cryptr service.

Your Cryptr subscription plan could limit the number of users. See our pricing for more details.

The SSO Connection type

Each new SSO connection get an unique idp_id (identity provider identifier) generated from its Organization name. This identifier is impossible to update, because it's the immutable identifier of the connection.

object (DefaultRedirection)

This refers to DefaultRedirection type. This default redirection will redirect SSO users to your application with an OAuth process.

idp_id
uuid

The immutable identifier.

inserted_at
string

Insertion date time

metadata
string
object (SsoAdminOnboarding)

This refers to SsoAdminOnboarding type . At creation or when preloaded you'll have the nested structure, else only id reference will be given.

seats_limit
integer

Change the limit of simultaneously possible sso sessions for the targetted Sso Connection

⚠️ Depending on user_security_type value

sp_id
uuid
updated_at
string

Updated date time

user_security_type
string

Change the rule of end-user openning session for the targetted Sso Connection

{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "SsoConnection",
  • "active": true,
  • "default_redirection": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "id": "misapret_EFBpWGQRVBCUSagNu2Tp9S",
  • "inserted_at": "2022-03-04T17:55:12",
  • "metadata": [ ],
  • "onboarding": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "provider_type": "azure_ad",
  • "seats_limit": 0,
  • "sp_id": "your_domain_Tr3YREKMiaahKHJosBp8Pb",
  • "updated_at": "2022-03-04T17:55:12",
  • "user_security_type": "none"
}

The SsoAdminOnboarding type

When you have the email contact of the SSO manager of the organization you want to work with, an onboarding can be created to help this admin to configure the SSO on his side. The onboarding reflects progression, provider type choice, and allow metadata XML file upload.

When created you can also choose to send (or not) directly a magic link email to this onboarding.

provider_type
string

Chosen Provider type by the SSO administrator (Okta, Azure AD, ADFS, Google Workspace ...)

sso_admin_email
string <email>

Administrator's Email of the SSO

state
enum

One value of below:

  • not_initialized Onboarding at first step (no provider type chosen, no XML provided)

  • provider_type_chosen SSO Administrator chose its Provider type and is currently in dedicated step-by-step provider type tutorial

  • xml_provided Tutorial step is done and SSO Administrator uploaded the SSO Connection metadata XML file

{
  • "provider_type": "azure_ad",
  • "sso_admin_email": "it_sso_person@sso.client.com",
  • "state": "not_initialized"
}

The Default Redirection type

To ensure direct mapping between Your front application, the SSO connection configured by the SSO admin and Cryptr, a default redirection can be created. This default redirection will redirect SSO users to your application with an OAuth process.

app_id
uuid

The Application unique identifier

id
uuid

The Default redirection unique identifier

uri
url

The target URI where SSO users will be redirected after successful SSO session.

{
  • "app_id": "60d91698-e3b9-4779-a781-bea2b1a6cfea",
  • "id": "119eb0b9-b99b-436e-ada9-5721603ab96e",
}

List all SSO Connections

List all your SSOConnection currently created, regardless of the progress of the configuration.

RETURNS

Returns list of SSO Connection with nested objects if preload_associations set and paginated if related attributes

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
page
integer
Example: page=1

Precise the page of your listing, see how to paginate the Cryptr API.

per_page
integer
Example: per_page=1

Precise the size of the pages of the pagination of the list. See how to paginate the Cryptr API.

preload_associations
Array of strings

By default all nested resources are returned by their ids. If you would like the nested object returned in the body, you can set default_redirection and/or enterprise_connection_onboarding into this parameter.

Responses

Request samples

curl -X GET https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [
    ],
  • "paginate": {
    },
  • "total_count": 1
}

Create a SSO Connection

Creates a new SSO Connection type. The response auto expand default_redirection and onboarding nested elements

RETURNS

Returns a SSO Connection if the creation succeed. Returns an error if create parameters are invalid (e.g specifying an invalid organization_id)

path Parameters
org_domain
required
string
Example: well-agency

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
organization_id
required
uuid
Example: organization_id=8d860a1d-997f-41a9-8c63-a8bcdf465ec4

The organization ID for which you want to create this connection.

application_id
required
uuid
Example: application_id=34459d4f-e328-4256-9f0a-a04bd721d82d

The application ID where you want to redirect end-user after SSO success. (default redirection will be used)

If you do not provide an uri parameter either application's default_redirect_url value or first allowed_redirect_urls value will be used.

sso_admin_email
string <email>
Example: sso_admin_email=it_sso_person@sso.client.com

The email of the SSO admin of the organization if you already know it.

send_email
boolean
Example: send_email=it_sso_person@sso.client.com

⚠️ requires it_admin_email to be set if used

If set to true an invitation email to configure this SSO Connection will be automatically sent to the sso_admin_email.

Responses

Request samples


curl --request POST 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections'           --header 'Authorization: Bearer your_api_key_generated_token'           --header 'Content-Type: application/json'           --data-raw '{
    "application_id": "front_app_client_id",
    "sso_admin_email": "it_sso_person@sso.client.com",
    "organization_id": "organization_id"
}'

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [
    ],
  • "paginate": {
    },
  • "total_count": 1
}

List all SSO Connections

List all your SSOConnection currently created, regardless of the progress of the configuration.

RETURNS

Returns list of SSO Connection with nested objects if preload_associations set and paginated if related attributes

path Parameters
org_domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
page
integer
Example: page=1

Precise the page of your listing, see how to paginate the Cryptr API.

per_page
integer
Example: per_page=1

Precise the size of the pages of the pagination of the list. See how to paginate the Cryptr API.

preload_associations
Array of strings

By default all nested resources are returned by their ids. If you would like the nested object returned in the body, you can set default_redirection and/or enterprise_connection_onboarding into this parameter.

Responses

Request samples

curl -X GET https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [
    ],
  • "paginate": {
    },
  • "total_count": 1
}

Create a SSO Connection

Creates a new SSO Connection type. The response auto expand default_redirection and onboarding nested elements

RETURNS

Returns a SSO Connection if the creation succeed. Returns an error if create parameters are invalid (e.g specifying an invalid organization_id)

path Parameters
org_domain
required
string
Example: well-agency

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
organization_id
required
uuid
Example: organization_id=8d860a1d-997f-41a9-8c63-a8bcdf465ec4

The organization ID for which you want to create this connection.

application_id
required
uuid
Example: application_id=34459d4f-e328-4256-9f0a-a04bd721d82d

The application ID where you want to redirect end-user after SSO success. (default redirection will be used)

If you do not provide an uri parameter either application's default_redirect_url value or first allowed_redirect_urls value will be used.

sso_admin_email
string <email>
Example: sso_admin_email=it_sso_person@sso.client.com

The email of the SSO admin of the organization if you already know it.

send_email
boolean
Example: send_email=it_sso_person@sso.client.com

⚠️ requires it_admin_email to be set if used

If set to true an invitation email to configure this SSO Connection will be automatically sent to the sso_admin_email.

Responses

Request samples


curl --request POST 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections'           --header 'Authorization: Bearer your_api_key_generated_token'           --header 'Content-Type: application/json'           --data-raw '{
    "application_id": "front_app_client_id",
    "sso_admin_email": "it_sso_person@sso.client.com",
    "organization_id": "organization_id"
}'

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [
    ],
  • "paginate": {
    },
  • "total_count": 1
}

Retrieve a SSO Connection

Fetch an SSO Connection, usefull to known its configuration and also fetch nested object as default_redirection and onboarding.

RETURNS

Returns the SSO Connection

path Parameters
idp_id
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9S

The reference of the SSO Connection

query Parameters
preload_associations
Array of strings
Example: preload_associations=http://localhost:3000

By default all nested resources are returned by their ids. If you would like the nested object returned in the body, you can set default_redirection and/or enterprise_connection_onboarding into this parameter.

Responses

Request samples

curl --request GET 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "SsoConnection",
  • "active": true,
  • "default_redirection": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "id": "misapret_EFBpWGQRVBCUSagNu2Tp9S",
  • "inserted_at": "2022-03-04T17:55:12",
  • "metadata": [ ],
  • "onboarding": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "provider_type": "azure_ad",
  • "seats_limit": 0,
  • "sp_id": "your_domain_Tr3YREKMiaahKHJosBp8Pb",
  • "updated_at": "2022-03-04T17:55:12",
  • "user_security_type": "none"
}

Update a SSO Connection

Fetch an SSO Connection, usefull to known its configuration and also fetch nested object as default_redirection and onboarding.

RETURNS

Returns the updated SSO Connection

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

query Parameters
active
boolean
Example: active=true

Change the state of the SSO Connection see Turn on/off requests

default_redirection_id
uuid
Example: default_redirection_id=3d5245f2-194a-498c-ad28-736ca9fffb3b

Change the Default redirection for Sso Connection

metadata
string
Example: metadata=3d5245f2-194a-498c-ad28-736ca9fffb3b

This should be the XML Metadata String content.

If you want to change the XML for the targetted Sso Connection.

For example if the SSO Administrator send you a new XML Metadata for the connection you can change it here.

provider_type
string
Example: provider_type=azure_ad

Change the provider type (Okta, Google Workspace, ADFS ...) of targetted Sso Connection

seats_limit
integer

Change the limit of simultaneously possible sso sessions for the targetted Sso Connection

⚠️ Depending on user_security_type value

user_security_type
string
Example: user_security_type=user_registered

Change the rule of end-user openning session for the targetted Sso Connection

preload_associations
Array of strings

By default all nested resources are returned by their ids. If you would like the nested object returned in the body, you can set default_redirection and/or enterprise_connection_onboarding into this parameter.

Responses

Request samples


curl -X PUT 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id' \
  --header 'Authorization: Bearer your_api_key_generated_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "seats_limit": 99
}'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "SsoConnection",
  • "active": true,
  • "default_redirection": "3d5245f2-194a-498c-ad28-736ca9fffb3b",
  • "id": "misapret_EFBpWGQRVBCUSagNu2Tp9S",
  • "inserted_at": "2022-03-04T17:55:12",
  • "metadata": [ ],
  • "onboarding": "6ab338de-a92b-4b1f-9590-0694d151f971",
  • "provider_type": "azure_ad",
  • "seats_limit": 99,
  • "sp_id": "cryptr_Tr3YREKMiaahKHJosBp8Pb",
  • "updated_at": "2022-03-14T10:58:36",
  • "user_security_type": "user_registered"
}

Activate the Connection

If you would like to activate the SSO Connection

⚠️ These requests are in Early access and has for now no impact on Sso Connection availability

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

Responses

Request samples


curl -X PATCH 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id/activate'           --header 'Authorization: Bearer your_api_key_generated_token'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "SsoConnection",
  • "active": true,
  • "default_redirection": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "id": "misapret_EFBpWGQRVBCUSagNu2Tp9S",
  • "inserted_at": "2022-03-04T17:55:12",
  • "metadata": [ ],
  • "onboarding": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "provider_type": "azure_ad",
  • "seats_limit": 0,
  • "sp_id": "your_domain_Tr3YREKMiaahKHJosBp8Pb",
  • "updated_at": "2022-03-04T17:55:12",
  • "user_security_type": "none"
}

Create the Admin Onboarding

See SsoAdminOnboarding type

RETURNS

The updated SSOAdminOnboarding with proper attributes

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

query Parameters
sso_admin_email*
string <email>
Example: sso_admin_email*=81a81b21-93b9-441b-a861-a33dc8c06fea

The email of the SSO admin of your client that has access to the SSO tool.

provider_type
string or null
Default: "null"
Example: provider_type=81a81b21-93b9-441b-a861-a33dc8c06fea

If you already know the Provider type (Okta, Azure AD, ADFS, Google Workspace ...) of your client you can preset that and SSO administrator won't have to choose . The SSO Administrator can still change this as soon as he wishes.

Responses

Request samples


curl -X POST 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id/admin-onboarding' \
  --header 'Authorization: Bearer your_api_key_generated_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "sso_admin_email": "Mathew_Murazik92@yahoo.com"
}'

Response samples

Content type
application/json
{
  • "__access__": "all_organizations_of:your_domain",
  • "__domain__": "your_domain",
  • "__managed_by__": "your_domain",
  • "__type__": "EnterpriseConnectionOnboarding",
  • "id": "6ab338de-a92b-4b1f-9590-0694d151f971",
  • "inserted_at": "2022-03-14T09:15:28",
  • "provider_type": "azure_ad",
  • "sso_admin_email": "Mathew_Murazik92@yahoo.com",
  • "state": "not_initialized",
  • "tutorial_step": 0,
  • "updated_at": "2022-03-14T09:15:28"
}

Update the Admin Onboarding

This request will helps you update the Onboarding associated to the SSO Connection, for example if the SSO Administrator changed and it's a new email.

RETURNS

The updated SsoAdminOnboarding with new values.

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

query Parameters
sso_admin_email
string <email>
Example: sso_admin_email=new_it_guy@sample.co

New desired email for the SsoAdminOnboarding.

provider_type
string
Example: provider_type=okta

New desired provider type (Okta, Google, Azure AD, ADFS ...) for the SsoAdminOnboarding.

Responses

Request samples


curl -X PUT 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id/admin-onboarding'           --header 'Authorization: Bearer your_api_key_generated_token'           --header 'Content-Type: application/json'           --data-raw '{
      "sso_admin_email": "new_it_guy@sample.co",
      "provider_type": "okta"
}'

Response samples

Content type
application/json
{
  • "__access__": "all_organizations_of:your_domain",
  • "__domain__": "your_domain",
  • "__managed_by__": "your_domain",
  • "__type__": "EnterpriseConnectionOnboarding",
  • "id": "6ab338de-a92b-4b1f-9590-0694d151f971",
  • "inserted_at": "2022-03-14T09:15:28",
  • "provider_type": "okta",
  • "sso_admin_email": "new_it_guy@sample.co",
  • "state": "not_initialized",
  • "tutorial_step": 0,
  • "updated_at": "2022-03-14T09:15:28"
}

Retrieve a Default Redirection

RETURNS

Returns the current Default Redirection for the SSO Connection ID provided (idp_idp)

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

Responses

Request samples

curl -X GET 'http://{{YOUR_CRYPTR_SERVICE_URL}}/api/v2/sso-connections/:idp_id/default-redirection'

Response samples

Content type
application/json
{
  • "__access__": "all_organizations_of:your_domain",
  • "__domain__": "your_domain",
  • "__managed_by__": "your_domain",
  • "__type__": "Redirection",
  • "app_id": "81a81b21-93b9-441b-a861-a33dc8c06fea",
  • "id": "2ff74d35-5eba-4ab0-9231-4ae2b9efcadd",
  • "idp_id": "misapret_EFBpWGQRVBCUSagNu2Tp9S",
  • "sp_id": "your_domain_Tr3YREKMiaahKHJosBp8Pb",
}

Precise the Default Redirection

If you want to create the Default Redirection for a specific SSO Connection.

If one already exists, this request will create a new one set as default. You will be able to manage these multiples redirection through SSO Connection update request.

RETURNS

Returns the created Default Redirection associated to the SSO Connection

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

query Parameters
application_id
uuid
Example: application_id=81a81b21-93b9-441b-a861-a33dc8c06fea

The reference of application where you want your end-user redirected to.

organization_id
uuid
Example: organization_id=1cad5a97-457c-4a7b-940c-07f5aa22b7f3

The reference of organization that owns the application and where your end-user will be stored in

uri
url
Example: uri=http://localhost:3000

The target URI where SSO users will be redirected after successful SSO session. If you do not provide a value either application's default_redirect_url value or first allowed_redirect_urls value will be used.

Responses

Request samples


curl -X POST 'http://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id/default-redirection' \
  --header 'Authorization: Bearer your_api_key_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "application_id": "81a81b21-93b9-441b-a861-a33dc8c06fea",
      "organization_id": "1cad5a97-457c-4a7b-940c-07f5aa22b7f3",
      "uri": "http://localhost:3000"
}'

Response samples

Content type
application/json
{
  • "__access__": "all_organizations_of:your_domain",
  • "__domain__": "your_domain",
  • "__managed_by__": "your_domain",
  • "__type__": "Redirection",
  • "app_id": "81a81b21-93b9-441b-a861-a33dc8c06fea",
  • "id": "2ff74d35-5eba-4ab0-9231-4ae2b9efcadd",
  • "idp_id": "misapret_EFBpWGQRVBCUSagNu2Tp9S",
  • "sp_id": "your_domain_Tr3YREKMiaahKHJosBp8Pb",
}

Disable the Connection

If you would like to disable the SSO Connection

⚠️ These requests are in Early access and has for now no impact on Sso Connection availability

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

Responses

Request samples


curl -X PATCH 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id/disable'           --header 'Authorization: Bearer your_api_key_generated_token'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "SsoConnection",
  • "active": false,
  • "default_redirection": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "id": "misapret_EFBpWGQRVBCUSagNu2Tp9S",
  • "inserted_at": "2022-03-04T17:55:12",
  • "metadata": [ ],
  • "onboarding": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "provider_type": "azure_ad",
  • "seats_limit": 0,
  • "sp_id": "your_domain_Tr3YREKMiaahKHJosBp8Pb",
  • "updated_at": "2022-03-04T17:55:12",
  • "user_security_type": "none"
}

Send invitation

As soon as you created an SSOAdminOnboarding for a SSO Connection, you can use the following request to send immediately an email to the defined SSO Administrator. It could be useful if you want to do it live with him during a meeting.

It is also helpful when the SSO Administrator lost the configuration link and needs to do it.

⚠️ If no SSOAdminOnboarding nor sso_admin_email the request will fail.

RETURNS

An Email is sent to sso_admin_email while the current SSOConnection is rendered

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

Responses

Request samples


curl -X POST 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id/invite-admin'           --header 'Authorization: Bearer your_api_key_generated_token'

Response samples

Content type
application/json
{
  • "__access__": "all_organizations_of:your_domain",
  • "__domain__": "your_domain",
  • "__managed_by__": "your_domain",
  • "__type__": "EnterpriseConnectionOnboarding",
  • "id": "6ab338de-a92b-4b1f-9590-0694d151f971",
  • "inserted_at": "2022-03-14T09:15:28",
  • "provider_type": "azure_ad",
  • "sso_admin_email": "Mathew_Murazik92@yahoo.com",
  • "state": "not_initialized",
  • "tutorial_step": 0,
  • "updated_at": "2022-03-14T09:15:28"
}

Reset the Admin Onboarding

In some cases the best way to help the SSO Administrator with the configuration is to start from beginning.

This request will reset provider_type , reset tutorial to initial step but sso_admin_email won't be unset

RETURNS

The SSOConnection with reseted SsoAdminOnboarding

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

Responses

Request samples


curl -X PATCH 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id/reset-onboarding'           --header 'Authorization: Bearer your_api_key_generated_token'

Response samples

Content type
application/json
{
  • "__access__": "all_organizations_of:your_domain",
  • "__domain__": "your_domain",
  • "__managed_by__": "your_domain",
  • "__type__": "EnterpriseConnectionOnboarding",
  • "id": "6ab338de-a92b-4b1f-9590-0694d151f971",
  • "inserted_at": "2022-03-14T09:15:28",
  • "provider_type": "azure_ad",
  • "sso_admin_email": "Mathew_Murazik92@yahoo.com",
  • "state": "not_initialized",
  • "tutorial_step": 0,
  • "updated_at": "2022-03-14T09:15:28"
}

User Policy Configuration

You can change the User policy Configuration with the below request. The User policy is the rule for user coming from the SSO Connection. Posibilities are multiple, if everyone can open a ssession, only ones you registered or only a limited number of seats.

RETURNS

The updated SSO Connection with updated user_security_type value

path Parameters
idp_id
required
uuid
Example: misapret_EFBpWGQRVBCUSagNu2Tp9Sa

The reference of the SSO Connection

query Parameters
user_security_type*
string
Example: user_security_type*=user_registered

The value of User policy you want for this SSO Connection. Values are none, user_registered and user_provisionned

Responses

Request samples


curl -X PUT 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/sso-connections/:idp_id/sso-user-policy' \
  --header 'Authorization: Bearer your_api_key_generated_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "user_security_type": "user_registered"
}'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "SsoConnection",
  • "active": true,
  • "default_redirection": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "id": "misapret_EFBpWGQRVBCUSagNu2Tp9S",
  • "inserted_at": "2022-03-04T17:55:12",
  • "metadata": [ ],
  • "onboarding": "c652374d-0cd0-4040-9fd0-ea144885259a",
  • "provider_type": "azure_ad",
  • "seats_limit": 0,
  • "sp_id": "your_domain_Tr3YREKMiaahKHJosBp8Pb",
  • "updated_at": "2022-03-04T17:55:12",
  • "user_security_type": "none"
}

πŸ”‘ Token Customization

The MetaKey type

name
string

The domain is the User's Organization domain.

required
boolean

If set to true, all Organization users should have a matadata link to this MetaKey

type
enum

The basic type (string, integer, date ...) that value should be compatible to.

{
  • "__domain__": "misapret",
  • "__type__": "MetaKey",
  • "name": "department",
  • "required": true,
  • "type": "STRING"
}

The JwtSample type

When an Oauth session is created (after a successful Magic link or SSO Connection process), JWT are generated to authenticate and identify user.

These tokens are dependant of MetaKey and Metadata associated to resources (user and application for example).

The JwtSample type is there to inform about current structure of JWT that will be generated for your end-user sessions.

access_token_jwt
jwt

A JWT access token sample base on a sample user with all MetaKey registered on the Organization.

object (AccessToken)

The "treeview" of keys present in the JWT access token. This will contains at root all default keys and all keys of MetaKey registered for the organization

id_token_jwt
object

A JWT ID token sample base on a sample user with all MetaKey registered on the Organization.

id_token_keys
object

The "treeview" of keys present in the JWT ID token. This will contains at root all default keys and all keys of MetaKey registered for the organization

{
  • "__domain__": "shark-academy",
  • "__type__": "__JwtSamples__",
  • "access_token_jwt": "eyJhbGciOiJSUzI1NiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDAwMC90L3NoYXJrLWFjYWRlbXkiLCJraWQiOiI5ZjhlNTE1MC1lNWIxLTQ4MWEtOTAyNS1mYzc2YmQ1Y2JlYmUiLCJ0eXAiOiJKV1QifQ.eyJhcHBsaWNhdGlvbl9tZXRhZGF0YSI6e30sImF1ZCI6bnVsbCwiY2lkIjpudWxsLCJkYnMiOiJkZWZhdWx0IiwiZW1haWwiOm51bGwsImV4cCI6MTY0NzMwMTg2NiwiaWF0IjoxNjQ3MjY1ODY2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQwMDAvdC9zaGFyay1hY2FkZW15IiwianRpIjoiZWQ3N2Y3ZDAtYTJkOS00NGI0LTgwMzItYWYxMTZjYTgxZDg0IiwianR0IjoiYWNjZXNzIiwic2NwIjpudWxsLCJzdWIiOm51bGwsInRudCI6InNoYXJrLWFjYWRlbXkiLCJ2ZXIiOjF9.OFjV1A7eKL1r9YrHNUN0cydffB4R8C2nOgbDvzyedy1-ySLYA3akponMAqwqELzMlpoCINBJrgKUTn-k346h3O8E7rx-Dav6LUF2nf_R24-ctwEY5IgpBIg72meaTqUEbrpSR8YiyR9QamnpiBcP9LEl05iQJwt49d7bwWmf6-NHcr6FWgMNcLkiJRzhUDPmhtt74gwOkXB2x8BU6I3ePxVlmAMCgUxuueaJr-OTH2_kE0StrT0VvFHBYNaCfPPpv_ssEaOjdHQecZ-b5Lv1yQSGue8j_mhfuonqJSq869XPGQpwNWI-YCyo0Ua5ST0vksUyvNJELLZLeQlXXcAYNrA4UJaAOGDUVr8TLK1d9yT7RsXTDkfYSbOIFXucjgEqZEbXmX_oLJjx8rDhxCVQNu44GYZYEKjWg0cZcLa7VaFCfZ85TlYlEMHnNfVck-eky44K-LpIYVTYDtD0njvsEI269HEJnBeNFALNfMjPdSP3q9uP7p-qv-LDTaZYFiu6CnaFoCyuUjt9Hq8U7NdWCvhekhdhITCAXLYE9Es0wh_N0AhD4nuNTBJtOk0PQT0AEWw1CqeDOZo3M4clmE-Sb0UqkUVGyFvZygxQY60QrmlLxYhnx_dxud54WyPCjM_doJPrWwMaLko8UryOj8xGST4fqlhC2tTlSLW8WqbcAdI",
  • "access_token_keys": [
    ],
  • "id_token_jwt": "eyJhbGciOiJSUzI1NiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDAwMC90L3NoYXJrLWFjYWRlbXkiLCJraWQiOiI5ZjhlNTE1MC1lNWIxLTQ4MWEtOTAyNS1mYzc2YmQ1Y2JlYmUiLCJ0eXAiOiJKV1QifQ.eyJhcHBsaWNhdGlvbl9tZXRhZGF0YSI6e30sImF0X2hhc2giOiIwb3R0aENZMFdldXMzZXVNM05adV9BIiwiY19oYXNoIjoiVnBUUWlpNVRfOHJnd3hBLVd0YjJCdyIsImRicyI6ImRlZmF1bHQiLCJleHAiOjE2NDczMDE4NjYsImlhdCI6MTY0NzI2NTg2NiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0MDAwL3Qvc2hhcmstYWNhZGVteSIsImp0aSI6IjNlMDRhZTM3LTc5ZTctNDAwYy1hMGRiLWVjZDIxZjUwNWU5ZCIsImp0dCI6Im9wZW5pZCIsIm5vbmNlIjoiKiIsInJlc291cmNlX293bmVyX21ldGFkYXRhIjp7ImF1dGhubWV0aG9kc3JlZmVyZW5jZXMiOnsiaWQiOiIxNTM0NjgzNi0xMjJhLTRhMTAtYjNlYy04ODc4YjVjMTBkNzgiLCJuYW1lIjoiYXV0aG5tZXRob2RzcmVmZXJlbmNlcyIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJkaXNwbGF5bmFtZSI6eyJpZCI6IjI4ODFkYWZkLTliZjEtNDQwOS1hOTEyLWRlZTZhMDM5ZDZiYiIsIm5hbWUiOiJkaXNwbGF5bmFtZSIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJlbWFpbCI6eyJpZCI6IjRjNzhlNTQyLWRlOTEtNDFmOC1hMzVmLTI0NGM0MmVhZmQ5OCIsIm5hbWUiOiJlbWFpbCIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJlbWFpbGFkZHJlc3MiOnsiaWQiOiI4ZWY0ZDBlMS02OTA1LTRlMDktOWZmOC1kNWFlNTI4OTFhODUiLCJuYW1lIjoiZW1haWxhZGRyZXNzIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sImZpcnN0X25hbWUiOnsiaWQiOiIzZTNmZjZiOC1iMDgwLTQ1MDQtYjhlMC02OTQ0ODJlMzI2OTEiLCJuYW1lIjoiZmlyc3RfbmFtZSIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJnaXZlbm5hbWUiOnsiaWQiOiI2MzgyN2JhMy04Zjc3LTQzNmMtODM5Ny04ZDZlMGEyODYwMDYiLCJuYW1lIjoiZ2l2ZW5uYW1lIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sImlkZW50aXR5cHJvdmlkZXIiOnsiaWQiOiJhMDYyMWMzMi0zZGQwLTQ0OTQtYThjNC1mNDQwOWM1NDk1ZTIiLCJuYW1lIjoiaWRlbnRpdHlwcm92aWRlciIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJsYXN0X25hbWUiOnsiaWQiOiIzN2NhNTM3MS02MzM0LTQ3NzEtOTEyOS0zMzEwMDBjOTFmMTQiLCJuYW1lIjoibGFzdF9uYW1lIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sIm5hbWUiOnsiaWQiOiI1YTI3NzAwNC0wN2E2LTQxMGYtOTE2NC03Y2JhYmQzNDdmNGQiLCJuYW1lIjoibmFtZSIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJvYmplY3RHdWlkIjp7ImlkIjoiMzQ2ZDI4ZTAtODllMi00ZjIyLTljMDYtZTA5OGViNGRiY2YwIiwibmFtZSI6Im9iamVjdEd1aWQiLCJyZXF1aXJlZCI6ZmFsc2UsInR5cGUiOiJzdHJpbmcifSwib2JqZWN0aWRlbnRpZmllciI6eyJpZCI6ImI1OWU2OTViLTNhMDctNDNmYi04MTkzLTkxYTM5ZjFkNjI1OCIsIm5hbWUiOiJvYmplY3RpZGVudGlmaWVyIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInBob25lIjp7ImlkIjoiYjJlZWNlZTYtYWYzYS00YWY0LTg4ZjYtNjU4YzQ1MDc0MzQ1IiwibmFtZSI6InBob25lIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInNhbWxfbmFtZWlkIjp7ImlkIjoiOTViODA2ZDgtMzRlYS00ZjYxLWJiOWEtYzlhNmUzZTVkZmM4IiwibmFtZSI6InNhbWxfbmFtZWlkIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInNhbWxfc3ViamVjdCI6eyJpZCI6IjQ0NjkzZDhjLTVhOWQtNDQ3Ni1hNTYzLTFkMTQxYWE5MzIyNSIsIm5hbWUiOiJzYW1sX3N1YmplY3QiLCJyZXF1aXJlZCI6ZmFsc2UsInR5cGUiOiJzdHJpbmcifSwic3VybmFtZSI6eyJpZCI6IjQ2MDdjZjY4LWY3NDItNDBhNS04MTgzLWQyNDRkODU1NmZhOSIsIm5hbWUiOiJzdXJuYW1lIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInRlbmFudGlkIjp7ImlkIjoiMDIxMDViMjEtNDI1Yy00ZGU2LTkyODQtZTFlNTQ1Mzg1NmRmIiwibmFtZSI6InRlbmFudGlkIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInVpZCI6eyJpZCI6IjBmZGE3NTFmLWZmNTctNDYwNC04ZjU1LTFmN2MxYjcxYjkxYyIsIm5hbWUiOiJ1aWQiLCJyZXF1aXJlZCI6ZmFsc2UsInR5cGUiOiJzdHJpbmcifSwidW5pdF9wYXRoIjp7ImlkIjoiZjkwZTc2MjUtMjEwNi00ODRmLTgwNzEtYTliMTQ2Mzg3Mzc2IiwibmFtZSI6InVuaXRfcGF0aCIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9fSwic19oYXNoIjoiUzZhWE5jcFRkbDdXcHdudHRXeHVvZyIsInRudCI6InNoYXJrLWFjYWRlbXkiLCJ2ZXIiOjF9.klcxIBu2gggfXY-ac5EvF92RYYT0mAVSIZuWr-SqVBR2iWFhEQLRQ7IMGVCKYnOqbmKD-gRgwGAsZNj486WwkYiWjDsrdtl47dTBpKKL_UxO28zl4AnywdODXqxZEQUul40Z0mn-B9dq7SJtZmCYOK1z-9AlIr1KEY7P0FyTX-Q4TMzSFeJIqyWtPd5-x1hfGqAduuiADv0API6Lr12sylspOuweH8Hyx3xBn82tOTcdPDmjl0cIY4EBsCytXAJyzlVxjYhr8gTDJPJn5dLRnEDQsahzpwBaITI4YkoI19COfqDdf3pF-R2-s35NsVWDIt9_PeNzmFagDR4QuInwzM6-euOlhH1LU1QlISkhwu-9huWvAAR1PtRtC8T31GUTmTbIDUjjxp1z_3JRya3oRmXXIClaiVCdLWFRWzYbAkfSrFo_GFsQ90zrbwAgVPNG-BPlOKryU6bnKCTCqWPBqB1xflk3VkvJMLITpQjZ-SCuYGnKH1K_b60WoyFax2GU_Pk4E1Q8n_nSgiy2qWaxKYSRfLHfeWPGJieJz3aiM3CbI5cfdshh8UbBUUDaHEIwHyzXpq7wW_tjnCjpQdVDfXmZInJFG-5kHKhdXsqH87j2h-SLQunasF3dPc1mmXVGkZ9GcNGW6wHDXV_EzZz-ctvXvvLiv1fF87vWSgGUK2c",
  • "id_token_keys": [
    ]
}

The Access Token type

aud|AUDIENCE
string

The audience of the service that access token gives access to

cid|CLIENT ID
uuid

The reference of JWT consumer (generally application's id)

dbs|DATABASE
string

The environment of the resource

exp|EXPIRATION
string <date-time>

The expiration date of the token

iat|ISSUED AT
string <date-time>

The issue date of the token

iss|ISSUER
stringhttps://{{YOUR_CRYPTR_SERVER_URL}}/t/{{organi...

The issuer of the access token.

jti|JWT ID
uuid

The unique identifier of the token

jtt|JWT TYPE
string

The type of the JWT, in this case "access_token"

nbf|NOT BEFORE
string <date-time>

The datetime before which the access token cannot be used

scp|SCOPE
Array of arrays

The scope of the token (mainly used for magic link product)

sub|SUBJECT
uuid

Reference of the resource (generally user's uuid)

See uid

uid|USER ID
uuid
{
  • "access_token_keys": [
    ]
}

Get a JWT Sample

Fetch the JwtSample for the selected Organization

RETURNS

Returns the JwtSample with access and id sample tokens alongside their key claims "treeview"

path Parameters
org_domain
required
id
Example: misapret

The domain of the organization

query Parameters
user_id
uuid
Example: user_id=534dcbe0-c88d-441d-84cd-1daa8dbc8393

Existing user to use for token

authorization_id
uuid
Example: authorization_id=f407cafd-b58a-472f-b857-475a863b69b6

Existing auth to use

expired
boolean
Example: expired=true

⚠️ This parameter is not present if the expiration_in_seconds parameter is present

To generate an expired token

expiration_in_seconds
integer
Example: expiration_in_seconds=31536000

⚠️ This parameter is not present if the expired parameter is present

Duration validity of generated token

application_id
uuid
Example: application_id=f407cafd-b58a-472f-b857-475a863b69b6

Existing application to use for generation (requires id in db to be set as cid in jwt claims)

Responses

Request samples

curl --location --request GET 'http://localhost:4000/api/v2/org/:domain/token-customization/sample?expiration_in_seconds=31536000&user_id=:user_id&application_id=:application_id&authorization_id=:authorization_id' \
          --header 'Authorization: Bearer your_api_key_generated_token'

Response samples

Content type
application/json
{
  • "__domain__": "misapret",
  • "__type__": "__JwtSamples__",
  • "access_token_jwt": "eyJhbGciOiJSUzI1NiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDAwMC90L3NoYXJrLWFjYWRlbXkiLCJraWQiOiI5ZjhlNTE1MC1lNWIxLTQ4MWEtOTAyNS1mYzc2YmQ1Y2JlYmUiLCJ0eXAiOiJKV1QifQ.eyJhcHBsaWNhdGlvbl9tZXRhZGF0YSI6e30sImF1ZCI6bnVsbCwiY2lkIjpudWxsLCJkYnMiOiJkZWZhdWx0IiwiZW1haWwiOm51bGwsImV4cCI6MTY0NzMwMTg2NiwiaWF0IjoxNjQ3MjY1ODY2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQwMDAvdC9zaGFyay1hY2FkZW15IiwianRpIjoiZWQ3N2Y3ZDAtYTJkOS00NGI0LTgwMzItYWYxMTZjYTgxZDg0IiwianR0IjoiYWNjZXNzIiwic2NwIjpudWxsLCJzdWIiOm51bGwsInRudCI6InNoYXJrLWFjYWRlbXkiLCJ2ZXIiOjF9.OFjV1A7eKL1r9YrHNUN0cydffB4R8C2nOgbDvzyedy1-ySLYA3akponMAqwqELzMlpoCINBJrgKUTn-k346h3O8E7rx-Dav6LUF2nf_R24-ctwEY5IgpBIg72meaTqUEbrpSR8YiyR9QamnpiBcP9LEl05iQJwt49d7bwWmf6-NHcr6FWgMNcLkiJRzhUDPmhtt74gwOkXB2x8BU6I3ePxVlmAMCgUxuueaJr-OTH2_kE0StrT0VvFHBYNaCfPPpv_ssEaOjdHQecZ-b5Lv1yQSGue8j_mhfuonqJSq869XPGQpwNWI-YCyo0Ua5ST0vksUyvNJELLZLeQlXXcAYNrA4UJaAOGDUVr8TLK1d9yT7RsXTDkfYSbOIFXucjgEqZEbXmX_oLJjx8rDhxCVQNu44GYZYEKjWg0cZcLa7VaFCfZ85TlYlEMHnNfVck-eky44K-LpIYVTYDtD0njvsEI269HEJnBeNFALNfMjPdSP3q9uP7p-qv-LDTaZYFiu6CnaFoCyuUjt9Hq8U7NdWCvhekhdhITCAXLYE9Es0wh_N0AhD4nuNTBJtOk0PQT0AEWw1CqeDOZo3M4clmE-Sb0UqkUVGyFvZygxQY60QrmlLxYhnx_dxud54WyPCjM_doJPrWwMaLko8UryOj8xGST4fqlhC2tTlSLW8WqbcAdI",
  • "access_token_keys": [
    ],
  • "id_token_jwt": "eyJhbGciOiJSUzI1NiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDAwMC90L3NoYXJrLWFjYWRlbXkiLCJraWQiOiI5ZjhlNTE1MC1lNWIxLTQ4MWEtOTAyNS1mYzc2YmQ1Y2JlYmUiLCJ0eXAiOiJKV1QifQ.eyJhcHBsaWNhdGlvbl9tZXRhZGF0YSI6e30sImF0X2hhc2giOiIwb3R0aENZMFdldXMzZXVNM05adV9BIiwiY19oYXNoIjoiVnBUUWlpNVRfOHJnd3hBLVd0YjJCdyIsImRicyI6ImRlZmF1bHQiLCJleHAiOjE2NDczMDE4NjYsImlhdCI6MTY0NzI2NTg2NiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0MDAwL3Qvc2hhcmstYWNhZGVteSIsImp0aSI6IjNlMDRhZTM3LTc5ZTctNDAwYy1hMGRiLWVjZDIxZjUwNWU5ZCIsImp0dCI6Im9wZW5pZCIsIm5vbmNlIjoiKiIsInJlc291cmNlX293bmVyX21ldGFkYXRhIjp7ImF1dGhubWV0aG9kc3JlZmVyZW5jZXMiOnsiaWQiOiIxNTM0NjgzNi0xMjJhLTRhMTAtYjNlYy04ODc4YjVjMTBkNzgiLCJuYW1lIjoiYXV0aG5tZXRob2RzcmVmZXJlbmNlcyIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJkaXNwbGF5bmFtZSI6eyJpZCI6IjI4ODFkYWZkLTliZjEtNDQwOS1hOTEyLWRlZTZhMDM5ZDZiYiIsIm5hbWUiOiJkaXNwbGF5bmFtZSIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJlbWFpbCI6eyJpZCI6IjRjNzhlNTQyLWRlOTEtNDFmOC1hMzVmLTI0NGM0MmVhZmQ5OCIsIm5hbWUiOiJlbWFpbCIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJlbWFpbGFkZHJlc3MiOnsiaWQiOiI4ZWY0ZDBlMS02OTA1LTRlMDktOWZmOC1kNWFlNTI4OTFhODUiLCJuYW1lIjoiZW1haWxhZGRyZXNzIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sImZpcnN0X25hbWUiOnsiaWQiOiIzZTNmZjZiOC1iMDgwLTQ1MDQtYjhlMC02OTQ0ODJlMzI2OTEiLCJuYW1lIjoiZmlyc3RfbmFtZSIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJnaXZlbm5hbWUiOnsiaWQiOiI2MzgyN2JhMy04Zjc3LTQzNmMtODM5Ny04ZDZlMGEyODYwMDYiLCJuYW1lIjoiZ2l2ZW5uYW1lIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sImlkZW50aXR5cHJvdmlkZXIiOnsiaWQiOiJhMDYyMWMzMi0zZGQwLTQ0OTQtYThjNC1mNDQwOWM1NDk1ZTIiLCJuYW1lIjoiaWRlbnRpdHlwcm92aWRlciIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJsYXN0X25hbWUiOnsiaWQiOiIzN2NhNTM3MS02MzM0LTQ3NzEtOTEyOS0zMzEwMDBjOTFmMTQiLCJuYW1lIjoibGFzdF9uYW1lIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sIm5hbWUiOnsiaWQiOiI1YTI3NzAwNC0wN2E2LTQxMGYtOTE2NC03Y2JhYmQzNDdmNGQiLCJuYW1lIjoibmFtZSIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9LCJvYmplY3RHdWlkIjp7ImlkIjoiMzQ2ZDI4ZTAtODllMi00ZjIyLTljMDYtZTA5OGViNGRiY2YwIiwibmFtZSI6Im9iamVjdEd1aWQiLCJyZXF1aXJlZCI6ZmFsc2UsInR5cGUiOiJzdHJpbmcifSwib2JqZWN0aWRlbnRpZmllciI6eyJpZCI6ImI1OWU2OTViLTNhMDctNDNmYi04MTkzLTkxYTM5ZjFkNjI1OCIsIm5hbWUiOiJvYmplY3RpZGVudGlmaWVyIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInBob25lIjp7ImlkIjoiYjJlZWNlZTYtYWYzYS00YWY0LTg4ZjYtNjU4YzQ1MDc0MzQ1IiwibmFtZSI6InBob25lIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInNhbWxfbmFtZWlkIjp7ImlkIjoiOTViODA2ZDgtMzRlYS00ZjYxLWJiOWEtYzlhNmUzZTVkZmM4IiwibmFtZSI6InNhbWxfbmFtZWlkIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInNhbWxfc3ViamVjdCI6eyJpZCI6IjQ0NjkzZDhjLTVhOWQtNDQ3Ni1hNTYzLTFkMTQxYWE5MzIyNSIsIm5hbWUiOiJzYW1sX3N1YmplY3QiLCJyZXF1aXJlZCI6ZmFsc2UsInR5cGUiOiJzdHJpbmcifSwic3VybmFtZSI6eyJpZCI6IjQ2MDdjZjY4LWY3NDItNDBhNS04MTgzLWQyNDRkODU1NmZhOSIsIm5hbWUiOiJzdXJuYW1lIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInRlbmFudGlkIjp7ImlkIjoiMDIxMDViMjEtNDI1Yy00ZGU2LTkyODQtZTFlNTQ1Mzg1NmRmIiwibmFtZSI6InRlbmFudGlkIiwicmVxdWlyZWQiOmZhbHNlLCJ0eXBlIjoic3RyaW5nIn0sInVpZCI6eyJpZCI6IjBmZGE3NTFmLWZmNTctNDYwNC04ZjU1LTFmN2MxYjcxYjkxYyIsIm5hbWUiOiJ1aWQiLCJyZXF1aXJlZCI6ZmFsc2UsInR5cGUiOiJzdHJpbmcifSwidW5pdF9wYXRoIjp7ImlkIjoiZjkwZTc2MjUtMjEwNi00ODRmLTgwNzEtYTliMTQ2Mzg3Mzc2IiwibmFtZSI6InVuaXRfcGF0aCIsInJlcXVpcmVkIjpmYWxzZSwidHlwZSI6InN0cmluZyJ9fSwic19oYXNoIjoiUzZhWE5jcFRkbDdXcHdudHRXeHVvZyIsInRudCI6InNoYXJrLWFjYWRlbXkiLCJ2ZXIiOjF9.klcxIBu2gggfXY-ac5EvF92RYYT0mAVSIZuWr-SqVBR2iWFhEQLRQ7IMGVCKYnOqbmKD-gRgwGAsZNj486WwkYiWjDsrdtl47dTBpKKL_UxO28zl4AnywdODXqxZEQUul40Z0mn-B9dq7SJtZmCYOK1z-9AlIr1KEY7P0FyTX-Q4TMzSFeJIqyWtPd5-x1hfGqAduuiADv0API6Lr12sylspOuweH8Hyx3xBn82tOTcdPDmjl0cIY4EBsCytXAJyzlVxjYhr8gTDJPJn5dLRnEDQsahzpwBaITI4YkoI19COfqDdf3pF-R2-s35NsVWDIt9_PeNzmFagDR4QuInwzM6-euOlhH1LU1QlISkhwu-9huWvAAR1PtRtC8T31GUTmTbIDUjjxp1z_3JRya3oRmXXIClaiVCdLWFRWzYbAkfSrFo_GFsQ90zrbwAgVPNG-BPlOKryU6bnKCTCqWPBqB1xflk3VkvJMLITpQjZ-SCuYGnKH1K_b60WoyFax2GU_Pk4E1Q8n_nSgiy2qWaxKYSRfLHfeWPGJieJz3aiM3CbI5cfdshh8UbBUUDaHEIwHyzXpq7wW_tjnCjpQdVDfXmZInJFG-5kHKhdXsqH87j2h-SLQunasF3dPc1mmXVGkZ9GcNGW6wHDXV_EzZz-ctvXvvLiv1fF87vWSgGUK2c",
  • "id_token_keys": [
    ]
}

Set User MetaData

After creating a MetaKey assignable to any user, it's possible to assign a specific value for a specific user for this MetaKey and that is a MetaData that will be present in future user's JWT.

⚠️ If a value is already set for the selected MetaKey for the User, the value will be updated with the new value.

RETURNS

The updated user

path Parameters
org_domain
required
id
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
user_id
required
string
Example: user_id=1fec57ed-b014-47f7-8322-955c8aad58ed

The user to update the metadata key/value

key_name
required
string
Example: key_name=displayname

The key of the value to set

key_value
required
string
Example: key_value=awesome-astronaut

The value of the key

Responses

Request samples


curl -X PATCH 'https://{{YOUR_CRYPTR_SERVICE_URL}}/api/v2/org/:domain/token-customization/set-user-metadata' \
  --header 'Authorization: Bearer YOUR_API_TOKEN' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "user_id": "1fec57ed-b014-47f7-8322-955c8aad58ed",
      "key_name": "displayname",
      "key_value": "awesome-astronaut"
  }'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "1fec57ed-b014-47f7-8322-955c8aad58ed",
  • "inserted_at": "2022-03-10T08:15:16",
  • "metadata": [
    ],
  • "profile": {
    },
  • "updated_at": "2022-03-11T10:34:44"
}

Remove a MetaKey

Use the below request when a MetaKey is no more useful

RETURNS

The deleted key-value metadata with a confirmation it is deleted.

path Parameters
org_domain
required
id
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
key_name
required
string
Example: key_name=my user metakey

The name of the MetaKey

Responses

Request samples


curl -X DELETE 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:domain/token-customization/user-metakey' \
  --header 'Authorization: Bearer your_api_key_generated_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "key_name": "my user metakey"
}'

Response samples

Content type
application/json
{
  • "deleted": true,
  • "resource": {
    },
  • "type": "__Deleted__"
}

List all User MetaKey

List all stored user MetaKey of the organization.

RETURNS

The list of all user MetaKey stored on Organization

path Parameters
org_domain
required
id
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

Responses

Request samples


curl -v -X GET 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/:domain/token-customization/user-metakey' \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Domain: ${YOUR_OWN_DOMAIN}" \
-d '{
      {
        "name": "department",
        "type": "STRING",
        "required": "true"
      }
}'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "1fec57ed-b014-47f7-8322-955c8aad58ed",
  • "inserted_at": "2022-03-10T08:15:16",
  • "metadata": [
    ],
  • "profile": {
    },
  • "updated_at": "2022-03-11T10:34:44"
}

Create new key values in your JWT

RETURNS

The created MetaKey

path Parameters
org_domain
required
id
Example: misapret

The domain of the organization

query Parameters
name
required
string
Example: name=my user metakey

The desired name for this new MetaKey, use something understandable for your use case

type
required
string
Example: type=string

Type of the MetaData that will be associated to the created MetaKey (ex string , integer, date etc)

required
required
boolean

If set to true all users have to have a MetaData related to this key.

Responses

Request samples


curl --location -g --request POST 'https://${YOUR_CRYPTR_SERVICE_URL}/api/v2/org/organization-domain/token-customization/user-metakey' \
  --header 'Authorization: Bearer your_api_key_generated_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "user_metakey": {
    "name": "my user metakey",
    "required": false,
    "type": "string"
  }
}'

Response samples

Content type
application/json
{
  • "__access__": "limited_to:misapret",
  • "__domain__": "misapret",
  • "__managed_by__": "your_domain",
  • "__type__": "User",
  • "id": "1fec57ed-b014-47f7-8322-955c8aad58ed",
  • "inserted_at": "2022-03-10T08:15:16",
  • "metadata": [
    ],
  • "profile": {
    },
  • "updated_at": "2022-03-11T10:34:44"
}

πŸ“Š Log Events

The Log Event type

client_id
uuid or null

If the event is related to an application, the client_id will be the application identifier

database
enum or null

Event environment, see page dedicated to the management of your Development/Pre-production VS Production environment

email
string or null

Email of the user associated to the event

event_code
enum

Type of event, see full list of events

id
integer

Event identifier

inserted_at
string

Timestamp of the event declaration

resource_owner_id
uuid or null

User resource ID reference associated to the event

saml_identity_provider_id
id

If the event is related to an SSO, the ID will be the identifier of the SSO identity provider, otherwise its value will be empty.

tenant_domain
string

Identifier of the organization in lowercase with a dash, generated from the name.

{
  • "__access__": "limited_to:shark-academy",
  • "__domain__": "shark-academy",
  • "__managed_by__": "cryptr",
  • "__type__": "Event",
  • "client_id": "81a81b21-93b9-441b-a861-a33dc8c06fea",
  • "database": "sandbox",
  • "email": "janis.joplin@example.com",
  • "event_code": "SSO_END_USER_SAML_STARTED",
  • "id": 6,
  • "inserted_at": "2022-09-29T15:24:45",
  • "resource_owner_id": "75da33e9-2260-4e9e-89cc-528544b4a9a3",
  • "saml_identity_provider_id": "shark_academy_GvApidtT9SDEcRoLebjKr9",
  • "tenant_domain": "shark-academy"
}

List all Log Events

path Parameters
domain
required
string
Example: misapret

Domain is a STRING value in "lowercase" with "dash", generated from the organization name.

query Parameters
code
enum
Example: code=SSO_END_USER_SAML_STARTED

Filter log event by this code

per_page
integer
Example: per_page=8

Precise the size of the pages of the pagination of the list, see how to paginate the Cryptr API.

page
integer
Example: page=12

Page number to return

saml_identity_provider_id
id
Example: saml_identity_provider_id=shark_academy_GvApidtT9SDEcRoLebjKr9

Events related to SSO may be filtered using

client_id
uuid
Example: client_id=81a81b21-93b9-441b-a861-a33dc8c06fea

If event related to front process it could be filtered with client_id

Responses

Request samples

curl --location --request GET 'http://localhost:4000/api/v2/org/shark-academy/log-events?code=:code&client_id=:client_id&per_page=:per_page&s=code%2Bdesc&page=:page         --header 'Authorization: Bearer your_api_key_generated_token'

Response samples

Content type
application/json
{
  • "__type__": "List",
  • "data": [
    ],
  • "paginate": {
    },
  • "total_count": 2
}