{ "swagger": "2.0", "info": { "title": "UDB Control-Plane API", "version": "0.3.6", "description": "HTTP/JSON (gRPC-gateway) surface for UDB control-plane services. The core DataBroker data-plane RPCs are gRPC-native and are not represented here." }, "tags": [ { "name": "AnalyticsService" }, { "name": "ApiKeyService" }, { "name": "AssetService" }, { "name": "AuthnService" }, { "name": "AuthzService" }, { "name": "ControlPlaneService" }, { "name": "IdentityProviderService" }, { "name": "NotificationService" }, { "name": "StorageService" }, { "name": "TenantService" }, { "name": "RoomService" }, { "name": "PeerService" }, { "name": "TrackService" }, { "name": "TurnService" }, { "name": "SignalingService" }, { "name": "DataBroker" } ], "consumes": [ "application/json" ], "produces": [ "application/json" ], "paths": { "/v1/analytics/executor_performance": { "get": { "summary": "Query daily executor performance roll-ups.", "operationId": "AnalyticsService_GetExecutorPerformance", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetExecutorPerformanceResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "executorIdentity", "description": "Empty = all executors", "in": "query", "required": false, "type": "string" }, { "name": "workloadKind", "in": "query", "required": false, "type": "string" }, { "name": "dateFrom", "in": "query", "required": false, "type": "string" }, { "name": "dateTo", "in": "query", "required": false, "type": "string" } ], "tags": [ "AnalyticsService" ] } }, "/v1/analytics/pipeline_metrics": { "post": { "summary": "Record a single pipeline stage request observation (called per-request).", "operationId": "AnalyticsService_RecordPipelineMetric", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RecordPipelineMetricResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1RecordPipelineMetricRequest" } } ], "tags": [ "AnalyticsService" ] } }, "/v1/analytics/pipeline_summaries": { "get": { "summary": "Query aggregated pipeline stage performance snapshots.", "operationId": "AnalyticsService_GetPipelineSummary", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetPipelineSummaryResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "stageName", "description": "Empty = all stages", "in": "query", "required": false, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "hourFrom", "description": "ISO 8601 hour string", "in": "query", "required": false, "type": "string" }, { "name": "hourTo", "in": "query", "required": false, "type": "string" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "AnalyticsService" ] } }, "/v1/analytics/reconciliation_stats": { "get": { "summary": "Query daily reconciliation and conflict analytics.", "operationId": "AnalyticsService_GetReconciliationAnalytics", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetReconciliationAnalyticsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "dateFrom", "in": "query", "required": false, "type": "string" }, { "name": "dateTo", "in": "query", "required": false, "type": "string" } ], "tags": [ "AnalyticsService" ] } }, "/v1/analytics/sla_compliance": { "get": { "summary": "Get SLA compliance report for a stage and time period.", "operationId": "AnalyticsService_GetSlaCompliance", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetSlaComplianceResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "stageName", "in": "query", "required": false, "type": "string" }, { "name": "dateFrom", "in": "query", "required": false, "type": "string" }, { "name": "dateTo", "in": "query", "required": false, "type": "string" }, { "name": "p99ThresholdMs", "in": "query", "required": false, "type": "number", "format": "double" }, { "name": "errorRateThreshold", "in": "query", "required": false, "type": "number", "format": "double" } ], "tags": [ "AnalyticsService" ] } }, "/v1/analytics/snapshots:trigger": { "post": { "summary": "Manually trigger hourly snapshot aggregation (normally a cron job).", "operationId": "AnalyticsService_TriggerSnapshot", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1TriggerSnapshotResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1TriggerSnapshotRequest" } } ], "tags": [ "AnalyticsService" ] } }, "/v1/analytics/throughput": { "get": { "summary": "Get throughput statistics over a time window.", "operationId": "AnalyticsService_GetThroughput", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetThroughputResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "hourFrom", "in": "query", "required": false, "type": "string" }, { "name": "hourTo", "in": "query", "required": false, "type": "string" } ], "tags": [ "AnalyticsService" ] } }, "/v1/api_keys": { "get": { "operationId": "ApiKeyService_ListApiKeys", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListApiKeysResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "ownerId", "in": "query", "required": false, "type": "string" }, { "name": "ownerType", "description": " - API_KEY_OWNER_TYPE_INTEGRATION: External system integration.\n - API_KEY_OWNER_TYPE_CICD: CI/CD pipeline\n - API_KEY_OWNER_TYPE_ANALYTICS: Read-only analytics / BI tool\n - API_KEY_OWNER_TYPE_TENANT: Tenant-scoped integration key\n - API_KEY_OWNER_TYPE_PROJECT: Project/application-scoped key", "in": "query", "required": false, "type": "string", "enum": [ "API_KEY_OWNER_TYPE_UNSPECIFIED", "API_KEY_OWNER_TYPE_INTEGRATION", "API_KEY_OWNER_TYPE_CICD", "API_KEY_OWNER_TYPE_ANALYTICS", "API_KEY_OWNER_TYPE_TENANT", "API_KEY_OWNER_TYPE_PROJECT", "API_KEY_OWNER_TYPE_SERVICE_ACCOUNT", "API_KEY_OWNER_TYPE_WORKLOAD" ], "default": "API_KEY_OWNER_TYPE_UNSPECIFIED" }, { "name": "status", "in": "query", "required": false, "type": "string", "enum": [ "API_KEY_STATUS_UNSPECIFIED", "API_KEY_STATUS_ACTIVE", "API_KEY_STATUS_REVOKED", "API_KEY_STATUS_EXPIRED" ], "default": "API_KEY_STATUS_UNSPECIFIED" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "ApiKeyService" ] }, "post": { "summary": "── Key lifecycle (admin-only) ────────────────────────────────────────────\nReturns the plain key ONCE in CreateApiKeyResponse — never again.", "operationId": "ApiKeyService_CreateApiKey", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreateApiKeyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreateApiKeyRequest" } } ], "tags": [ "ApiKeyService" ] } }, "/v1/api_keys/{keyId}": { "get": { "operationId": "ApiKeyService_GetApiKey", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetApiKeyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "keyId", "in": "path", "required": true, "type": "string" } ], "tags": [ "ApiKeyService" ] }, "delete": { "operationId": "ApiKeyService_RevokeApiKey", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RevokeApiKeyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "keyId", "in": "path", "required": true, "type": "string" }, { "name": "revokeReason", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "ApiKeyService" ] }, "patch": { "operationId": "ApiKeyService_UpdateApiKey", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpdateApiKeyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "keyId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/ApiKeyServiceUpdateApiKeyBody" } } ], "tags": [ "ApiKeyService" ] } }, "/v1/api_keys/{keyId}/stats": { "get": { "summary": "── Usage stats ───────────────────────────────────────────────────────────", "operationId": "ApiKeyService_GetApiKeyUsageStats", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetApiKeyUsageStatsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "keyId", "in": "path", "required": true, "type": "string" }, { "name": "from", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "to", "in": "query", "required": false, "type": "string", "format": "date-time" } ], "tags": [ "ApiKeyService" ] } }, "/v1/api_keys/{keyId}:rotate": { "post": { "summary": "Rotate a key's secret in place (same key_id + lineage). Returns the new\nplain key ONCE; the old secret is invalidated immediately.", "operationId": "ApiKeyService_RotateApiKey", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RotateApiKeyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "keyId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/ApiKeyServiceRotateApiKeyBody" } } ], "tags": [ "ApiKeyService" ] } }, "/v1/api_keys:emergency-revoke": { "post": { "summary": "Emergency bulk revoke by selector (prefix/owner/tenant/project/scope/before).", "operationId": "ApiKeyService_EmergencyRevokeApiKeys", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1EmergencyRevokeApiKeysResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "description": "Emergency revoke matching keys by one or more selectors. At least one selector\nmust be set. Resolves matching records and revokes each (no prefix-only blind\nmutation): the caller's tenant/owner/admin authority is enforced per record.", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1EmergencyRevokeApiKeysRequest" } } ], "tags": [ "ApiKeyService" ] } }, "/v1/api_keys:validate": { "post": { "summary": "── Validation (called by API gateway — internal, not public HTTP) ────────", "operationId": "ApiKeyService_ValidateApiKey", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ValidateApiKeyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ValidateApiKeyRequest" } } ], "tags": [ "ApiKeyService" ] } }, "/v1/asset/assets": { "get": { "summary": "List assets", "operationId": "AssetService_ListAssets", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListAssetsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "mediaType", "in": "query", "required": false, "type": "string" }, { "name": "status", "in": "query", "required": false, "type": "string" }, { "name": "page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" } ], "tags": [ "AssetService" ] }, "post": { "summary": "Register a managed asset wrapping a storage file", "operationId": "AssetService_RegisterAsset", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RegisterAssetResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1RegisterAssetRequest" } } ], "tags": [ "AssetService" ] } }, "/v1/asset/assets/{assetId}": { "get": { "summary": "Get an asset", "operationId": "AssetService_GetAsset", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetAssetResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "assetId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "AssetService" ] } }, "/v1/asset/pipeline-definitions": { "post": { "summary": "Create a reusable pipeline definition", "operationId": "AssetService_CreatePipelineDefinition", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreatePipelineDefinitionResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreatePipelineDefinitionRequest" } } ], "tags": [ "AssetService" ] } }, "/v1/asset/pipeline-definitions/{definitionId}": { "get": { "summary": "Get a pipeline definition", "operationId": "AssetService_GetPipelineDefinition", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetPipelineDefinitionResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "definitionId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "AssetService" ] } }, "/v1/asset/pipelines": { "post": { "summary": "Start a pipeline instance for an asset", "operationId": "AssetService_StartPipeline", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1StartPipelineResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1StartPipelineRequest" } } ], "tags": [ "AssetService" ] } }, "/v1/asset/pipelines/{instanceId}": { "get": { "summary": "Get a pipeline instance with its steps", "operationId": "AssetService_GetPipeline", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetPipelineResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "instanceId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "AssetService" ] } }, "/v1/asset/steps/{stepId}/complete": { "post": { "summary": "Complete (or skip/fail) a pipeline step", "operationId": "AssetService_CompleteStep", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CompleteStepResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "stepId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AssetServiceCompleteStepBody" } } ], "tags": [ "AssetService" ] } }, "/v1/auth/.well-known/jwks.json": { "get": { "summary": "JSON Web Key Set for verifying UDB-issued JWTs. Public.", "operationId": "AuthnService_GetJwks", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetJwksResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] } }, "/v1/auth/admin/tenants/{tenantId}/sessions:revoke-all": { "post": { "operationId": "AuthnService_AdminRevokeAllTenantSessions", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AdminRevokeAllTenantSessionsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceAdminRevokeAllTenantSessionsBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/admin/users/{userId}/mfa:reset": { "post": { "operationId": "AuthnService_AdminResetMfa", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AdminResetMfaResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceAdminResetMfaBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/admin/users/{userId}/sessions:revoke": { "post": { "operationId": "AuthnService_AdminRevokeSession", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AdminRevokeSessionResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceAdminRevokeSessionBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/admin/users/{userId}/sessions:revoke-all": { "post": { "operationId": "AuthnService_AdminRevokeAllUserSessions", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AdminRevokeAllUserSessionsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceAdminRevokeAllUserSessionsBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/admin:emergency-revoke": { "post": { "operationId": "AuthnService_EmergencyRevoke", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1EmergencyRevokeResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "description": "Emergency global revoke by signing key / token family / tenant / principal.", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1EmergencyRevokeRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/authenticate": { "post": { "summary": "── Authentication ───────────────────────────────────────────────────────", "operationId": "AuthnService_Authenticate", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AuthnResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1AuthnRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/csrf:validate": { "post": { "summary": "── CSRF (server-side sessions only) ────────────────────────────────────", "operationId": "AuthnService_ValidateCSRF", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ValidateCSRFResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ValidateCSRFRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/devices/{deviceId}": { "delete": { "operationId": "AuthnService_RevokeDevice", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RevokeDeviceResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "deviceId", "in": "path", "required": true, "type": "string" }, { "name": "reason", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] } }, "/v1/auth/login": { "post": { "operationId": "AuthnService_Login", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1LoginResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1LoginRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/logout": { "post": { "operationId": "AuthnService_Logout", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1LogoutResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1LogoutRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/mfa/challenges:issue": { "post": { "summary": "── MFA challenge + factor lifecycle (Phase 3 / I2.6) ────────────────────", "operationId": "AuthnService_IssueMfaChallenge", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1IssueMfaChallengeResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1IssueMfaChallengeRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/mfa/challenges:verify": { "post": { "operationId": "AuthnService_VerifyMfaChallenge", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1VerifyMfaChallengeResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1VerifyMfaChallengeRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/otp:resend": { "post": { "operationId": "AuthnService_ResendOTP", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ResendOTPResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ResendOTPRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/otp:send": { "post": { "summary": "── OTP ──────────────────────────────────────────────────────────────────", "operationId": "AuthnService_SendOTP", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1SendOTPResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1SendOTPRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/otp:verify": { "post": { "operationId": "AuthnService_VerifyOTP", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1VerifyOTPResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1VerifyOTPRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/password:change": { "post": { "operationId": "AuthnService_ChangePassword", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ChangePasswordResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ChangePasswordRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/password:forgot": { "post": { "summary": "User-initiated password reset: issues a PASSWORD_RESET OTP (delivered to the\naccount's channel). Public — no bearer required.", "operationId": "AuthnService_ForgotPassword", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ForgotPasswordResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ForgotPasswordRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/password:reset": { "post": { "summary": "Complete a password reset with the OTP from ForgotPassword (no current\npassword required). Public — the OTP is the proof of control.", "operationId": "AuthnService_ResetPassword", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ResetPasswordResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ResetPasswordRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/sessions": { "post": { "summary": "── Session management ───────────────────────────────────────────────────", "operationId": "AuthnService_CreateSession", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreateSessionResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreateSessionRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/sessions/{sessionId}": { "get": { "operationId": "AuthnService_GetSession", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetSessionResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "sessionId", "in": "path", "required": true, "type": "string" } ], "tags": [ "AuthnService" ] }, "delete": { "operationId": "AuthnService_RevokeSession", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RevokeSessionResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "sessionId", "in": "path", "required": true, "type": "string" }, { "name": "revokeReason", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" }, { "name": "principalId", "in": "query", "required": false, "type": "string" }, { "name": "allForPrincipal", "in": "query", "required": false, "type": "boolean" } ], "tags": [ "AuthnService" ] } }, "/v1/auth/sessions/{sessionId}:refresh": { "post": { "operationId": "AuthnService_RefreshSession", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RefreshSessionResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "sessionId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceRefreshSessionBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/tenants/{tenantId}/mfa-policy": { "get": { "summary": "Read the per-tenant MFA enforcement policy.", "operationId": "AuthnService_GetMfaPolicy", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetMfaPolicyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "path", "required": true, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] }, "put": { "summary": "Set the per-tenant MFA enforcement policy.", "operationId": "AuthnService_PutMfaPolicy", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PutMfaPolicyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServicePutMfaPolicyBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/token:introspect": { "post": { "summary": "OAuth2-style token introspection for a UDB-issued JWT.", "operationId": "AuthnService_IntrospectToken", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1IntrospectTokenResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1IntrospectTokenRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/token:refresh": { "post": { "operationId": "AuthnService_RefreshToken", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RefreshTokenResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1RefreshTokenRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/token:validate": { "post": { "summary": "── Token validation (called by gateway + per-service interceptors) ───────", "operationId": "AuthnService_ValidateToken", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ValidateTokenResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ValidateTokenRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users": { "get": { "operationId": "AuthnService_ListUsers", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListUsersResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "accountKind", "in": "query", "required": false, "type": "string", "enum": [ "ACCOUNT_KIND_UNSPECIFIED", "ACCOUNT_KIND_PERSON", "ACCOUNT_KIND_SERVICE_ACCOUNT", "ACCOUNT_KIND_WORKLOAD", "ACCOUNT_KIND_EXTERNAL_IDENTITY", "ACCOUNT_KIND_SYSTEM", "ACCOUNT_KIND_ANONYMOUS" ], "default": "ACCOUNT_KIND_UNSPECIFIED" }, { "name": "status", "description": " - USER_STATUS_PENDING_VERIFICATION: Email not yet verified\n - USER_STATUS_SUSPENDED: Temporarily suspended by admin\n - USER_STATUS_LOCKED: Locked after repeated failed logins\n - USER_STATUS_DEACTIVATED: Permanently deactivated", "in": "query", "required": false, "type": "string", "enum": [ "USER_STATUS_UNSPECIFIED", "USER_STATUS_PENDING_VERIFICATION", "USER_STATUS_ACTIVE", "USER_STATUS_SUSPENDED", "USER_STATUS_LOCKED", "USER_STATUS_DEACTIVATED" ], "default": "USER_STATUS_UNSPECIFIED" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] }, "post": { "summary": "── User management (admin-only) ─────────────────────────────────────────", "operationId": "AuthnService_CreateUser", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreateUserResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreateUserRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}": { "get": { "operationId": "AuthnService_GetUser", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetUserResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "description": "lookup by ID", "in": "path", "required": true, "type": "string" }, { "name": "username", "description": "or by username", "in": "query", "required": false, "type": "string" }, { "name": "email", "description": "or by email", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] }, "patch": { "operationId": "AuthnService_UpdateUser", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpdateUserResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceUpdateUserBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/devices": { "get": { "summary": "── Device + session revocation lifecycle (Phase 3 / I2.4) ───────────────", "operationId": "AuthnService_ListDevices", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListDevicesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/mfa/factors": { "get": { "operationId": "AuthnService_ListMfaFactors", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListMfaFactorsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/mfa/factors:disable": { "post": { "operationId": "AuthnService_DisableMfaFactor", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1DisableMfaFactorResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceDisableMfaFactorBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/mfa:confirm": { "post": { "summary": "Step 2: confirm with first TOTP code (or email OTP)", "operationId": "AuthnService_ConfirmMFAEnrollment", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ConfirmMFAEnrollmentResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceConfirmMFAEnrollmentBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/mfa:enroll": { "post": { "summary": "── MFA enrollment ───────────────────────────────────────────────────────\nStep 1: initiate enrollment — returns TOTP secret / QR URI", "operationId": "AuthnService_EnrollMFA", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1EnrollMFAResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceEnrollMFABody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/password:reset": { "post": { "summary": "Admin-triggered password reset — sends email OTP to complete flow", "operationId": "AuthnService_AdminResetPassword", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AdminResetPasswordResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceAdminResetPasswordBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/phone:verify": { "post": { "summary": "Set the user's phone number and send an SMS verification OTP. Complete with\nVerifyOTP (the response is verified the same way as email).", "operationId": "AuthnService_SendPhoneVerification", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1SendPhoneVerificationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceSendPhoneVerificationBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/recovery-codes:generate": { "post": { "summary": "Generate a fresh set of single-use MFA recovery/backup codes (returned once;\nany prior codes for the user are invalidated).", "operationId": "AuthnService_GenerateRecoveryCodes", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GenerateRecoveryCodesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceGenerateRecoveryCodesBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/recovery-codes:revoke": { "post": { "operationId": "AuthnService_RevokeRecoveryCodes", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RevokeRecoveryCodesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceRevokeRecoveryCodesBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/sessions": { "get": { "operationId": "AuthnService_ListSessions", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListSessionsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "activeOnly", "in": "query", "required": false, "type": "boolean" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/webauthn/credentials": { "get": { "summary": "── WebAuthn enterprise credential lifecycle (Phase 3 / I2.7) ────────────", "operationId": "AuthnService_ListWebAuthnCredentials", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListWebAuthnCredentialsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/webauthn/credentials/{credentialId}": { "delete": { "operationId": "AuthnService_DeleteWebAuthnCredential", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1DeleteWebAuthnCredentialResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "credentialId", "in": "path", "required": true, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/webauthn/credentials:rename": { "post": { "operationId": "AuthnService_RenamePasskey", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RenamePasskeyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceRenamePasskeyBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}/webauthn/registration:start": { "post": { "summary": "── WebAuthn / passkeys ─────────────────────────────────────────────────", "operationId": "AuthnService_StartWebAuthnRegistration", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1StartWebAuthnRegistrationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceStartWebAuthnRegistrationBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/users/{userId}:change-status": { "post": { "operationId": "AuthnService_ChangeUserStatus", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ChangeUserStatusResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthnServiceChangeUserStatusBody" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/webauthn/authentication:finish": { "post": { "operationId": "AuthnService_FinishWebAuthnAuthentication", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1FinishWebAuthnAuthenticationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1FinishWebAuthnAuthenticationRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/webauthn/authentication:start": { "post": { "operationId": "AuthnService_StartWebAuthnAuthentication", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1StartWebAuthnAuthenticationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1StartWebAuthnAuthenticationRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/auth/webauthn/registration:finish": { "post": { "operationId": "AuthnService_FinishWebAuthnRegistration", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1FinishWebAuthnRegistrationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1FinishWebAuthnRegistrationRequest" } } ], "tags": [ "AuthnService" ] } }, "/v1/authz/audits": { "get": { "operationId": "AuthzService_ListAccessDecisionAudits", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListAccessDecisionAuditsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "query", "required": false, "type": "string" }, { "name": "domain", "in": "query", "required": false, "type": "string" }, { "name": "correlationId", "in": "query", "required": false, "type": "string" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthzService" ] } }, "/v1/authz/authorize": { "post": { "operationId": "AuthzService_Authorize", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AuthzResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1AuthzRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/checks": { "post": { "operationId": "AuthzService_CheckAccess", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CheckAccessResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CheckAccessRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/checks:batch": { "post": { "summary": "Batch check multiple permissions at once.", "operationId": "AuthzService_BatchCheckPermissions", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1BatchCheckPermissionsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1BatchCheckPermissionsRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/bundles:invalidate": { "post": { "operationId": "AuthzService_InvalidatePolicyBundles", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1InvalidatePolicyBundlesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1InvalidatePolicyBundlesRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/canaries:activate": { "post": { "summary": "Activate a policy version to a canary scope (subset of the fleet) before\nfleet-wide. A metric-based evaluator then auto-rolls back on breach.", "operationId": "AuthzService_ActivateCanary", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CanaryResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "description": "Activate a policy version to a CANARY scope (a subset of the fleet) rather\nthan fleet-wide. The version is served only to in-scope nodes/tenants (or a\npercentage slice) while a metric-based evaluator watches the success window;\nit then either promotes fleet-wide, auto-rolls back on breach, or pauses on\nan inconclusive signal. Additive to the Phase-K activation surface.", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ActivateCanaryRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/canaries:promote": { "post": { "summary": "Promote a baked, within-threshold canary to fleet-wide enforcement.", "operationId": "AuthzService_PromoteCanary", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CanaryResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "description": "Promote a baked (within-threshold) canary to fleet-wide. Fails unless the\ncanary is promote-eligible (ACTIVE and its success window has elapsed within\nthreshold). On success the canaried version becomes the active version of its\npolicy set fleet-wide and the canary moves to PROMOTED.", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1PromoteCanaryRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/canaries:status": { "post": { "summary": "Read a canary's current state + promote-eligibility.", "operationId": "AuthzService_GetCanaryStatus", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetCanaryStatusResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1GetCanaryStatusRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/drafts": { "post": { "operationId": "AuthzService_CreatePolicyDraft", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PolicyDraftResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreatePolicyDraftRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/drafts:approve": { "post": { "operationId": "AuthzService_ApprovePolicyDraft", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PolicyApprovalResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ApprovePolicyDraftRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/drafts:diff": { "post": { "operationId": "AuthzService_DiffPolicyDraft", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1DiffPolicyDraftResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1DiffPolicyDraftRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/drafts:reject": { "post": { "operationId": "AuthzService_RejectPolicyDraft", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PolicyApprovalResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1RejectPolicyDraftRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/drafts:submit": { "post": { "operationId": "AuthzService_SubmitPolicyDraft", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PolicyDraftResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1SubmitPolicyDraftRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/drafts:update": { "post": { "operationId": "AuthzService_UpdatePolicyDraft", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PolicyDraftResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1UpdatePolicyDraftRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/explain": { "post": { "operationId": "AuthzService_ExplainPolicy", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ExplainPolicyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ExplainPolicyRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/legacy:migrate": { "post": { "operationId": "AuthzService_MigrateLegacyPolicies", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1MigrateLegacyPoliciesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1MigrateLegacyPoliciesRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/revision": { "post": { "operationId": "AuthzService_GetAuthzRevision", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetAuthzRevisionResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1GetAuthzRevisionRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/roles:seed": { "post": { "operationId": "AuthzService_SeedBuiltinRoles", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1SeedBuiltinRolesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1SeedBuiltinRolesRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/simulate": { "post": { "operationId": "AuthzService_SimulatePolicy", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1SimulatePolicyResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1SimulatePolicyRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/versions:activate": { "post": { "operationId": "AuthzService_ActivatePolicyVersion", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ActivationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ActivatePolicyVersionRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/versions:list": { "post": { "operationId": "AuthzService_ListPolicyVersions", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListPolicyVersionsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1ListPolicyVersionsRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/governance/versions:rollback": { "post": { "operationId": "AuthzService_RollbackPolicyVersion", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ActivationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1RollbackPolicyVersionRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/native-access": { "post": { "summary": "Stage 2: authorize and, when allowed, mint a short-lived native-access\ncontract (restricted role + scoped DSN + RLS session variables).", "operationId": "AuthzService_GetNativeAccess", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1NativeAccessResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "description": "`GetNativeAccess` runs the same `Authorize` decision and, when allowed,\nmints a short-lived contract for the caller to talk to the backend\ndirectly: a restricted role, a scoped DSN, and the exact set of\n`app.current_*` session variables the SDK must `SET LOCAL` so the\nbroker-generated RLS policies still apply. UDB stays the source of the\nauthorization decision; the native grant only carries it forward.", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1NativeAccessRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/policies": { "get": { "summary": "List policy rules with optional domain/subject/object filters.", "operationId": "AuthzService_ListPolicyRules", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListPolicyRulesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "domain", "in": "query", "required": false, "type": "string" }, { "name": "subject", "in": "query", "required": false, "type": "string" }, { "name": "object", "in": "query", "required": false, "type": "string" }, { "name": "activeOnly", "in": "query", "required": false, "type": "boolean" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthzService" ] }, "post": { "operationId": "AuthzService_CreatePolicyRule", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreatePolicyRuleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreatePolicyRuleRequest" } } ], "tags": [ "AuthzService" ] }, "put": { "operationId": "AuthzService_PutAuthzPolicy", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AuthMutationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1PutAuthzPolicyRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/policies/{policyId}": { "get": { "summary": "Get a single policy rule by ID.", "operationId": "AuthzService_GetPolicyRule", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetPolicyRuleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "policyId", "in": "path", "required": true, "type": "string" } ], "tags": [ "AuthzService" ] }, "delete": { "summary": "Delete a policy rule.", "operationId": "AuthzService_DeletePolicyRule", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1DeletePolicyRuleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "policyId", "in": "path", "required": true, "type": "string" }, { "name": "deletedBy", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthzService" ] } }, "/v1/authz/policies:lint": { "post": { "operationId": "AuthzService_LintAuthzPolicies", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1LintAuthzPoliciesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1LintAuthzPoliciesRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/policy-bundle": { "post": { "summary": "Stage 2: return a signed policy bundle for local SDK authorization caches.", "operationId": "AuthzService_GetPolicyBundle", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PolicyBundleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "description": "`GetPolicyBundle` serializes the live authorization snapshot (policies,\nrole bindings, relationship tuples) and signs it so an SDK can cache it\nand answer `can()` locally without a round-trip, while still being able\nto verify the bundle was issued by UDB and has not expired.", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1PolicyBundleRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/relationships": { "put": { "operationId": "AuthzService_PutRelationship", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AuthMutationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1PutRelationshipRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/role-bindings": { "put": { "operationId": "AuthzService_PutRoleBinding", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AuthMutationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1PutRoleBindingRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/roles": { "get": { "summary": "List all roles for a domain/tenant.", "operationId": "AuthzService_ListRoles", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListRolesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "domain", "in": "query", "required": false, "type": "string" }, { "name": "activeOnly", "in": "query", "required": false, "type": "boolean" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthzService" ] }, "post": { "operationId": "AuthzService_CreateRole", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreateRoleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreateRoleRequest" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/roles/{roleId}": { "get": { "summary": "Get a role by ID.", "operationId": "AuthzService_GetRole", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetRoleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roleId", "in": "path", "required": true, "type": "string" }, { "name": "roleCode", "description": "Alternative lookup", "in": "query", "required": false, "type": "string" }, { "name": "domain", "in": "query", "required": false, "type": "string" } ], "tags": [ "AuthzService" ] }, "delete": { "summary": "Delete a role (soft-delete; existing assignments are revoked).", "operationId": "AuthzService_DeleteRole", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1DeleteRoleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roleId", "in": "path", "required": true, "type": "string" }, { "name": "deletedBy", "in": "query", "required": true, "type": "string" } ], "tags": [ "AuthzService" ] }, "patch": { "summary": "Update a role's name, description, or active status.", "operationId": "AuthzService_UpdateRole", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpdateRoleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roleId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthzServiceUpdateRoleBody" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/users/{userId}/permissions": { "get": { "operationId": "AuthzService_ListUserPermissions", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListUserPermissionsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "domain", "in": "query", "required": true, "type": "string" } ], "tags": [ "AuthzService" ] } }, "/v1/authz/users/{userId}/roles": { "get": { "summary": "List all role assignments for a user.", "operationId": "AuthzService_ListUserRoles", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListUserRolesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "domain", "in": "query", "required": false, "type": "string" }, { "name": "activeOnly", "in": "query", "required": false, "type": "boolean" } ], "tags": [ "AuthzService" ] }, "post": { "operationId": "AuthzService_AssignRole", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AssignRoleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthzServiceAssignRoleBody" } } ], "tags": [ "AuthzService" ] } }, "/v1/authz/users/{userId}/roles/{userRoleId}:revoke": { "post": { "summary": "Revoke a role from a user.", "operationId": "AuthzService_RevokeRole", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RevokeRoleResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "userRoleId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/AuthzServiceRevokeRoleBody" } } ], "tags": [ "AuthzService" ] } }, "/v1/control/node-states": { "get": { "summary": "── Admin visibility ──────────────────────────────────────────────────────", "operationId": "ControlPlaneService_ListNodeStates", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListNodeStatesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "nodeId", "description": "Optional node filter. Empty == all nodes.", "in": "query", "required": false, "type": "string" }, { "name": "resourceType", "description": "Optional resource-type filter (UNSPECIFIED == all types).\n\n - RESOURCE_TYPE_ROUTING_POLICY: Request routing / backend selection policy (references backend targets).\n - RESOURCE_TYPE_METHOD_SECURITY_POLICY: Per-RPC method-security policy (the proto endpoint_security map).\n - RESOURCE_TYPE_RLS_TENANT_POLICY: Row-level-security / tenant isolation policy (references backend targets).\n - RESOURCE_TYPE_NATIVE_SERVICE_ENABLEMENT: Which native control-plane services are enabled on a node.\n - RESOURCE_TYPE_BACKEND_TARGET_DEFINITION: Backend target/cluster definitions — the \"definitions\" that routing and\nRLS policies reference. Pushed BEFORE the referencing policies.", "in": "query", "required": false, "type": "string", "enum": [ "RESOURCE_TYPE_UNSPECIFIED", "RESOURCE_TYPE_ROUTING_POLICY", "RESOURCE_TYPE_METHOD_SECURITY_POLICY", "RESOURCE_TYPE_RLS_TENANT_POLICY", "RESOURCE_TYPE_NATIVE_SERVICE_ENABLEMENT", "RESOURCE_TYPE_BACKEND_TARGET_DEFINITION" ], "default": "RESOURCE_TYPE_UNSPECIFIED" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "ControlPlaneService" ] } }, "/v1/control/node-states/{nodeId}:ack-status": { "get": { "operationId": "ControlPlaneService_AckStatus", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1AckStatusResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "nodeId", "in": "path", "required": true, "type": "string" }, { "name": "resourceType", "description": " - RESOURCE_TYPE_ROUTING_POLICY: Request routing / backend selection policy (references backend targets).\n - RESOURCE_TYPE_METHOD_SECURITY_POLICY: Per-RPC method-security policy (the proto endpoint_security map).\n - RESOURCE_TYPE_RLS_TENANT_POLICY: Row-level-security / tenant isolation policy (references backend targets).\n - RESOURCE_TYPE_NATIVE_SERVICE_ENABLEMENT: Which native control-plane services are enabled on a node.\n - RESOURCE_TYPE_BACKEND_TARGET_DEFINITION: Backend target/cluster definitions — the \"definitions\" that routing and\nRLS policies reference. Pushed BEFORE the referencing policies.", "in": "query", "required": false, "type": "string", "enum": [ "RESOURCE_TYPE_UNSPECIFIED", "RESOURCE_TYPE_ROUTING_POLICY", "RESOURCE_TYPE_METHOD_SECURITY_POLICY", "RESOURCE_TYPE_RLS_TENANT_POLICY", "RESOURCE_TYPE_NATIVE_SERVICE_ENABLEMENT", "RESOURCE_TYPE_BACKEND_TARGET_DEFINITION" ], "default": "RESOURCE_TYPE_UNSPECIFIED" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "ControlPlaneService" ] } }, "/v1/control/resources": { "get": { "summary": "── On-demand fetch (incl. by tenant) ─────────────────────────────────────", "operationId": "ControlPlaneService_GetResources", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetResourcesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "resourceType", "description": " - RESOURCE_TYPE_ROUTING_POLICY: Request routing / backend selection policy (references backend targets).\n - RESOURCE_TYPE_METHOD_SECURITY_POLICY: Per-RPC method-security policy (the proto endpoint_security map).\n - RESOURCE_TYPE_RLS_TENANT_POLICY: Row-level-security / tenant isolation policy (references backend targets).\n - RESOURCE_TYPE_NATIVE_SERVICE_ENABLEMENT: Which native control-plane services are enabled on a node.\n - RESOURCE_TYPE_BACKEND_TARGET_DEFINITION: Backend target/cluster definitions — the \"definitions\" that routing and\nRLS policies reference. Pushed BEFORE the referencing policies.", "in": "query", "required": false, "type": "string", "enum": [ "RESOURCE_TYPE_UNSPECIFIED", "RESOURCE_TYPE_ROUTING_POLICY", "RESOURCE_TYPE_METHOD_SECURITY_POLICY", "RESOURCE_TYPE_RLS_TENANT_POLICY", "RESOURCE_TYPE_NATIVE_SERVICE_ENABLEMENT", "RESOURCE_TYPE_BACKEND_TARGET_DEFINITION" ], "default": "RESOURCE_TYPE_UNSPECIFIED" }, { "name": "tenantId", "description": "Optional tenant filter for on-demand tenant-policy fetch. Empty == fleet-wide\nresources only (NULL tenant rows); set == fleet-wide + that tenant's rows.", "in": "query", "required": false, "type": "string" }, { "name": "resourceNames", "description": "Optional explicit name filter. Empty == all matching the type/tenant.", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "ControlPlaneService" ] } }, "/v1/idp/external-identities": { "get": { "operationId": "IdentityProviderService_ListExternalIdentities", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListExternalIdentitiesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "providerId", "description": "empty = all providers", "in": "query", "required": false, "type": "string" }, { "name": "userId", "description": "empty = all users", "in": "query", "required": false, "type": "string" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/external-identities/{externalIdentityId}:unlink": { "post": { "operationId": "IdentityProviderService_UnlinkIdentity", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UnlinkIdentityResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "externalIdentityId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceUnlinkIdentityBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/external-identities:link": { "post": { "operationId": "IdentityProviderService_LinkIdentity", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1LinkIdentityResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "description": "Explicitly link an IdP subject to an existing UDB user.", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1LinkIdentityRequest" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers": { "get": { "operationId": "IdentityProviderService_ListProviders", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListProvidersResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "kind", "description": "unspecified = all\n\n - IDP_KIND_NATIVE: UDB native password/MFA\n - IDP_KIND_OIDC: OpenID Connect (discovery + JWKS)\n - IDP_KIND_SAML: SAML 2.0 web SSO\n - IDP_KIND_LDAP: LDAP / Active Directory bind\n - IDP_KIND_CUSTOM_JWT: Bring-your-own signed JWT (jwks_url + claims)\n - IDP_KIND_EXTERNAL_SESSION: Upstream session handed off to UDB", "in": "query", "required": false, "type": "string", "enum": [ "IDP_KIND_UNSPECIFIED", "IDP_KIND_NATIVE", "IDP_KIND_OIDC", "IDP_KIND_SAML", "IDP_KIND_LDAP", "IDP_KIND_CUSTOM_JWT", "IDP_KIND_EXTERNAL_SESSION" ], "default": "IDP_KIND_UNSPECIFIED" }, { "name": "enabledOnly", "in": "query", "required": false, "type": "boolean" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] }, "post": { "summary": "── Provider administration (J2.6) ────────────────────────────────────────", "operationId": "IdentityProviderService_CreateProvider", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreateProviderResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreateProviderRequest" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}": { "get": { "operationId": "IdentityProviderService_GetProvider", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetProviderResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] }, "patch": { "operationId": "IdentityProviderService_UpdateProvider", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpdateProviderResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceUpdateProviderBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:disable": { "post": { "operationId": "IdentityProviderService_DisableProvider", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1DisableProviderResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceDisableProviderBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:import-saml-metadata": { "post": { "summary": "── SAML 2.0 (J2.2) ───────────────────────────────────────────────────────", "operationId": "IdentityProviderService_ImportSamlMetadata", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ImportSamlMetadataResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceImportSamlMetadataBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:preview-claim-mapping": { "post": { "operationId": "IdentityProviderService_PreviewClaimMapping", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PreviewClaimMappingResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServicePreviewClaimMappingBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:preview-group-mapping": { "post": { "operationId": "IdentityProviderService_PreviewGroupMapping", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PreviewGroupMappingResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServicePreviewGroupMappingBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:refresh-jwks": { "post": { "operationId": "IdentityProviderService_ForceJwksRefresh", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ForceJwksRefreshResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceForceJwksRefreshBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:resolve-identity": { "post": { "summary": "── JIT provisioning + assurance (J2.4 / J2.5) ────────────────────────────", "operationId": "IdentityProviderService_ResolveExternalIdentity", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ResolveExternalIdentityResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceResolveExternalIdentityBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:saml-acs": { "post": { "operationId": "IdentityProviderService_SamlAcs", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1SamlAcsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceSamlAcsBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:start-saml-login": { "post": { "operationId": "IdentityProviderService_StartSamlLogin", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1StartSamlLoginResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceStartSamlLoginBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/providers/{providerId}:test-discovery": { "post": { "operationId": "IdentityProviderService_TestProviderDiscovery", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1TestProviderDiscoveryResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceTestProviderDiscoveryBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/scim/{providerId}/Groups": { "get": { "operationId": "IdentityProviderService_ScimListGroups", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimListGroupsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "filter", "in": "query", "required": false, "type": "string" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] }, "post": { "operationId": "IdentityProviderService_ScimCreateGroup", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimCreateGroupResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceScimCreateGroupBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/scim/{providerId}/Groups/{scimGroupId}": { "get": { "operationId": "IdentityProviderService_ScimGetGroup", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimGetGroupResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "scimGroupId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] }, "delete": { "operationId": "IdentityProviderService_ScimDeleteGroup", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimDeleteGroupResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "scimGroupId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] }, "patch": { "operationId": "IdentityProviderService_ScimPatchGroup", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimPatchGroupResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "scimGroupId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceScimPatchGroupBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/scim/{providerId}/Users": { "get": { "operationId": "IdentityProviderService_ScimListUsers", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimListUsersResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "filter", "description": "SCIM filter, e.g. userName eq \"x\"", "in": "query", "required": false, "type": "string" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] }, "post": { "summary": "── SCIM 2.0 (J2.3) ───────────────────────────────────────────────────────", "operationId": "IdentityProviderService_ScimCreateUser", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimCreateUserResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceScimCreateUserBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/idp/scim/{providerId}/Users/{scimUserId}": { "get": { "operationId": "IdentityProviderService_ScimGetUser", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimGetUserResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "scimUserId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] }, "delete": { "operationId": "IdentityProviderService_ScimDeleteUser", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimDeleteUserResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "scimUserId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.tenantId", "description": "Tenant or account boundary chosen by the caller or resolved by UDB.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.organizationId", "description": "Optional owning organization/workspace above the tenant boundary.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.projectId", "description": "Project/application namespace inside the tenant.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.environment", "description": "Deployment environment, for example prod, staging, dev, or test.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.region", "description": "Region, shard, or residency boundary when routing matters.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.partitionId", "description": "Optional data partition or workspace identifier for fine-grained isolation.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.accessSurface", "description": "UI/API surface or workload channel such as web, mobile, api, worker.", "in": "query", "required": false, "type": "string" }, { "name": "context.tenant.attributes", "description": "Consumer-defined labels for policy routing and audit enrichment.", "in": "query", "required": false, "type": "string" }, { "name": "context.requestId", "in": "query", "required": false, "type": "string" }, { "name": "context.correlationId", "in": "query", "required": false, "type": "string" }, { "name": "context.userId", "in": "query", "required": false, "type": "string" }, { "name": "context.headers", "in": "query", "required": false, "type": "string" }, { "name": "context.traceId", "in": "query", "required": false, "type": "string" }, { "name": "context.spanId", "in": "query", "required": false, "type": "string" }, { "name": "context.ipAddress", "in": "query", "required": false, "type": "string" }, { "name": "context.userAgent", "in": "query", "required": false, "type": "string" }, { "name": "context.timestamp", "in": "query", "required": false, "type": "string", "format": "date-time" }, { "name": "context.principalId", "in": "query", "required": false, "type": "string" }, { "name": "context.serviceIdentity", "in": "query", "required": false, "type": "string" }, { "name": "context.scopes", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.roles", "in": "query", "required": false, "type": "array", "items": { "type": "string" }, "collectionFormat": "multi" }, { "name": "context.purpose", "in": "query", "required": false, "type": "string" }, { "name": "context.idempotencyKey", "in": "query", "required": false, "type": "string" }, { "name": "context.clientCatalogVersion", "in": "query", "required": false, "type": "string" }, { "name": "context.consistency", "in": "query", "required": false, "type": "string" }, { "name": "context.attributes", "in": "query", "required": false, "type": "string" }, { "name": "context.traceparent", "in": "query", "required": false, "type": "string" } ], "tags": [ "IdentityProviderService" ] }, "put": { "operationId": "IdentityProviderService_ScimReplaceUser", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimReplaceUserResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "scimUserId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceScimReplaceUserBody" } } ], "tags": [ "IdentityProviderService" ] }, "patch": { "operationId": "IdentityProviderService_ScimPatchUser", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ScimPatchUserResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "providerId", "in": "path", "required": true, "type": "string" }, { "name": "scimUserId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/IdentityProviderServiceScimPatchUserBody" } } ], "tags": [ "IdentityProviderService" ] } }, "/v1/notifications": { "get": { "summary": "List notification logs with rich filters.", "operationId": "NotificationService_ListNotifications", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListNotificationsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "recipientId", "in": "query", "required": false, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "projectId", "in": "query", "required": false, "type": "string" }, { "name": "resourceType", "in": "query", "required": false, "type": "string" }, { "name": "resourceId", "in": "query", "required": false, "type": "string" }, { "name": "eventType", "in": "query", "required": false, "type": "string" }, { "name": "channel", "description": " - NOTIFICATION_CHANNEL_PUSH: Mobile push via FCM/APNs\n - NOTIFICATION_CHANNEL_IN_APP: In-app notification bell\n - NOTIFICATION_CHANNEL_WEBHOOK: Outbound HTTP webhook", "in": "query", "required": false, "type": "string", "enum": [ "NOTIFICATION_CHANNEL_UNSPECIFIED", "NOTIFICATION_CHANNEL_EMAIL", "NOTIFICATION_CHANNEL_SMS", "NOTIFICATION_CHANNEL_PUSH", "NOTIFICATION_CHANNEL_IN_APP", "NOTIFICATION_CHANNEL_WEBHOOK" ], "default": "NOTIFICATION_CHANNEL_UNSPECIFIED" }, { "name": "status", "description": " - NOTIFICATION_STATUS_SUPPRESSED: Rate-limited or user preference suppressed", "in": "query", "required": false, "type": "string", "enum": [ "NOTIFICATION_STATUS_UNSPECIFIED", "NOTIFICATION_STATUS_PENDING", "NOTIFICATION_STATUS_SENT", "NOTIFICATION_STATUS_DELIVERED", "NOTIFICATION_STATUS_FAILED", "NOTIFICATION_STATUS_SUPPRESSED" ], "default": "NOTIFICATION_STATUS_UNSPECIFIED" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "NotificationService" ] }, "post": { "summary": "Send a notification (or enqueue it for async delivery).", "operationId": "NotificationService_SendNotification", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1SendNotificationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1SendNotificationRequest" } } ], "tags": [ "NotificationService" ] } }, "/v1/notifications/preferences/{userId}": { "get": { "summary": "List all preferences for a user.", "operationId": "NotificationService_ListPreferences", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListPreferencesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "NotificationService" ] } }, "/v1/notifications/preferences/{userId}/{channel}": { "get": { "summary": "Get a single preference entry.", "operationId": "NotificationService_GetPreference", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetPreferenceResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "channel", "in": "path", "required": true, "type": "string", "enum": [ "NOTIFICATION_CHANNEL_UNSPECIFIED", "NOTIFICATION_CHANNEL_EMAIL", "NOTIFICATION_CHANNEL_SMS", "NOTIFICATION_CHANNEL_PUSH", "NOTIFICATION_CHANNEL_IN_APP", "NOTIFICATION_CHANNEL_WEBHOOK" ] }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "eventType", "in": "query", "required": false, "type": "string" } ], "tags": [ "NotificationService" ] }, "put": { "summary": "Set (upsert) a per-user channel/event opt-out preference.", "operationId": "NotificationService_SetPreference", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1SetPreferenceResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "userId", "in": "path", "required": true, "type": "string" }, { "name": "channel", "in": "path", "required": true, "type": "string", "enum": [ "NOTIFICATION_CHANNEL_UNSPECIFIED", "NOTIFICATION_CHANNEL_EMAIL", "NOTIFICATION_CHANNEL_SMS", "NOTIFICATION_CHANNEL_PUSH", "NOTIFICATION_CHANNEL_IN_APP", "NOTIFICATION_CHANNEL_WEBHOOK" ] }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/NotificationServiceSetPreferenceBody" } } ], "tags": [ "NotificationService" ] } }, "/v1/notifications/stats": { "get": { "summary": "Get delivery statistics.", "operationId": "NotificationService_GetDeliveryStats", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetDeliveryStatsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "eventType", "in": "query", "required": false, "type": "string" }, { "name": "dateFrom", "description": "YYYY-MM-DD", "in": "query", "required": false, "type": "string" }, { "name": "dateTo", "in": "query", "required": false, "type": "string" } ], "tags": [ "NotificationService" ] } }, "/v1/notifications/templates": { "get": { "summary": "List all templates.", "operationId": "NotificationService_ListTemplates", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListTemplatesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "eventType", "in": "query", "required": false, "type": "string" }, { "name": "channel", "description": " - NOTIFICATION_CHANNEL_PUSH: Mobile push via FCM/APNs\n - NOTIFICATION_CHANNEL_IN_APP: In-app notification bell\n - NOTIFICATION_CHANNEL_WEBHOOK: Outbound HTTP webhook", "in": "query", "required": false, "type": "string", "enum": [ "NOTIFICATION_CHANNEL_UNSPECIFIED", "NOTIFICATION_CHANNEL_EMAIL", "NOTIFICATION_CHANNEL_SMS", "NOTIFICATION_CHANNEL_PUSH", "NOTIFICATION_CHANNEL_IN_APP", "NOTIFICATION_CHANNEL_WEBHOOK" ], "default": "NOTIFICATION_CHANNEL_UNSPECIFIED" }, { "name": "activeOnly", "in": "query", "required": false, "type": "boolean" }, { "name": "page.page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "page.pageToken", "in": "query", "required": false, "type": "string" } ], "tags": [ "NotificationService" ] } }, "/v1/notifications/templates/{eventType}/{channel}": { "get": { "summary": "Get a template by event_type + channel + locale.", "operationId": "NotificationService_GetTemplate", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetTemplateResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "eventType", "in": "path", "required": true, "type": "string" }, { "name": "channel", "in": "path", "required": true, "type": "string", "enum": [ "NOTIFICATION_CHANNEL_UNSPECIFIED", "NOTIFICATION_CHANNEL_EMAIL", "NOTIFICATION_CHANNEL_SMS", "NOTIFICATION_CHANNEL_PUSH", "NOTIFICATION_CHANNEL_IN_APP", "NOTIFICATION_CHANNEL_WEBHOOK" ] }, { "name": "locale", "in": "query", "required": false, "type": "string" } ], "tags": [ "NotificationService" ] }, "put": { "summary": "Upsert a notification template.", "operationId": "NotificationService_UpsertTemplate", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpsertTemplateResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "eventType", "in": "path", "required": true, "type": "string" }, { "name": "channel", "in": "path", "required": true, "type": "string", "enum": [ "NOTIFICATION_CHANNEL_UNSPECIFIED", "NOTIFICATION_CHANNEL_EMAIL", "NOTIFICATION_CHANNEL_SMS", "NOTIFICATION_CHANNEL_PUSH", "NOTIFICATION_CHANNEL_IN_APP", "NOTIFICATION_CHANNEL_WEBHOOK" ] }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/NotificationServiceUpsertTemplateBody" } } ], "tags": [ "NotificationService" ] } }, "/v1/notifications/{logId}": { "get": { "summary": "Get delivery status for a specific log entry.", "operationId": "NotificationService_GetNotification", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetNotificationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "logId", "in": "path", "required": true, "type": "string" } ], "tags": [ "NotificationService" ] } }, "/v1/notifications/{logId}:retry": { "post": { "summary": "Retry a failed notification.", "operationId": "NotificationService_RetryNotification", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RetryNotificationResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "logId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/NotificationServiceRetryNotificationBody" } } ], "tags": [ "NotificationService" ] } }, "/v1/storage/files": { "get": { "summary": "List files", "operationId": "StorageService_ListFiles", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListFilesResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "fileType", "in": "query", "required": false, "type": "string" }, { "name": "referenceId", "in": "query", "required": false, "type": "string" }, { "name": "referenceType", "in": "query", "required": false, "type": "string" }, { "name": "uploadedBy", "in": "query", "required": false, "type": "string" }, { "name": "page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" } ], "tags": [ "StorageService" ] } }, "/v1/storage/files/{fileId}": { "get": { "summary": "Get file metadata", "operationId": "StorageService_GetFile", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetFileResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "fileId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "StorageService" ] }, "delete": { "summary": "Delete a file (soft delete)", "operationId": "StorageService_DeleteFile", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1DeleteFileResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "fileId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "StorageService" ] }, "patch": { "summary": "Update file metadata", "operationId": "StorageService_UpdateFile", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpdateFileResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "fileId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/StorageServiceUpdateFileBody" } } ], "tags": [ "StorageService" ] } }, "/v1/storage/files/{fileId}/download": { "get": { "summary": "Stream a file's bytes directly through the broker. FALLBACK for clients\nthat cannot use the presigned `GetDownloadUrl` HTTP GET (no egress to the\nobject store, corporate proxy, etc.). The broker streams the object bytes\nin bounded chunks server-side; it never buffers the whole object.", "operationId": "StorageService_DownloadFile", "responses": { "200": { "description": "A successful response.(streaming responses)", "schema": { "type": "object", "properties": { "result": { "$ref": "#/definitions/v1DownloadFileChunk" }, "error": { "$ref": "#/definitions/rpcStatus" } }, "title": "Stream result of v1DownloadFileChunk" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "fileId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "chunkSizeBytes", "description": "Optional preferred chunk size in bytes. Absent/0 → server default; the\nserver clamps to a safe bound so a client cannot force an unbounded frame.", "in": "query", "required": false, "type": "integer", "format": "int32" } ], "tags": [ "StorageService" ] } }, "/v1/storage/files/{fileId}/download-url": { "get": { "summary": "Get a pre-signed download URL for a file", "operationId": "StorageService_GetDownloadUrl", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetDownloadUrlResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "fileId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "expiresInMinutes", "in": "query", "required": false, "type": "integer", "format": "int32" } ], "tags": [ "StorageService" ] } }, "/v1/storage/uploads": { "post": { "summary": "Register a new upload and obtain a pre-signed upload URL", "operationId": "StorageService_RegisterUpload", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1RegisterUploadResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1RegisterUploadRequest" } } ], "tags": [ "StorageService" ] } }, "/v1/storage/uploads/{fileId}/finalize": { "post": { "summary": "Finalize an upload after the object has been written to the store", "operationId": "StorageService_FinalizeUpload", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1FinalizeUploadResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "fileId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/StorageServiceFinalizeUploadBody" } } ], "tags": [ "StorageService" ] } }, "/v1/tenants": { "get": { "summary": "List tenants", "operationId": "TenantService_ListTenants", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListTenantsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "type", "in": "query", "required": false, "type": "string" }, { "name": "status", "in": "query", "required": false, "type": "string" }, { "name": "page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" } ], "tags": [ "TenantService" ] }, "post": { "summary": "Create tenant", "operationId": "TenantService_CreateTenant", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreateTenantResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreateTenantRequest" } } ], "tags": [ "TenantService" ] } }, "/v1/tenants/{tenantId}": { "get": { "summary": "Get tenant", "operationId": "TenantService_GetTenant", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetTenantResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "path", "required": true, "type": "string" } ], "tags": [ "TenantService" ] }, "patch": { "summary": "Update tenant", "operationId": "TenantService_UpdateTenant", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpdateTenantResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/TenantServiceUpdateTenantBody" } } ], "tags": [ "TenantService" ] } }, "/v1/tenants/{tenantId}/config": { "get": { "summary": "Get tenant config", "operationId": "TenantService_GetTenantConfig", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetTenantConfigResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "path", "required": true, "type": "string" } ], "tags": [ "TenantService" ] }, "put": { "summary": "Update tenant config", "operationId": "TenantService_UpdateTenantConfig", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpdateTenantConfigResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/TenantServiceUpdateTenantConfigBody" } } ], "tags": [ "TenantService" ] } }, "/v1/webrtc/peers/{peerId}": { "get": { "summary": "Get a peer", "operationId": "PeerService_GetPeer", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetPeerResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "peerId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "PeerService" ] } }, "/v1/webrtc/rooms": { "get": { "summary": "List rooms", "operationId": "RoomService_ListRooms", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListRoomsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "state", "in": "query", "required": false, "type": "string" }, { "name": "page", "in": "query", "required": false, "type": "integer", "format": "int32" }, { "name": "pageSize", "in": "query", "required": false, "type": "integer", "format": "int32" } ], "tags": [ "RoomService" ] }, "post": { "summary": "Create a room", "operationId": "RoomService_CreateRoom", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CreateRoomResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1CreateRoomRequest" } } ], "tags": [ "RoomService" ] } }, "/v1/webrtc/rooms/{roomId}": { "get": { "summary": "Get a room", "operationId": "RoomService_GetRoom", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1GetRoomResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roomId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" } ], "tags": [ "RoomService" ] }, "patch": { "summary": "Update a room", "operationId": "RoomService_UpdateRoom", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UpdateRoomResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roomId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/RoomServiceUpdateRoomBody" } } ], "tags": [ "RoomService" ] } }, "/v1/webrtc/rooms/{roomId}/close": { "post": { "summary": "Close a room", "operationId": "RoomService_CloseRoom", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1CloseRoomResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roomId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/RoomServiceCloseRoomBody" } } ], "tags": [ "RoomService" ] } }, "/v1/webrtc/rooms/{roomId}/peers": { "get": { "summary": "List peers", "operationId": "PeerService_ListPeers", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListPeersResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roomId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "state", "in": "query", "required": false, "type": "string" } ], "tags": [ "PeerService" ] }, "post": { "summary": "Join a room", "operationId": "PeerService_JoinRoom", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1JoinRoomResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roomId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/PeerServiceJoinRoomBody" } } ], "tags": [ "PeerService" ] } }, "/v1/webrtc/rooms/{roomId}/peers/{peerId}/leave": { "post": { "summary": "Leave a room", "operationId": "PeerService_LeaveRoom", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1LeaveRoomResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roomId", "in": "path", "required": true, "type": "string" }, { "name": "peerId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/PeerServiceLeaveRoomBody" } } ], "tags": [ "PeerService" ] } }, "/v1/webrtc/rooms/{roomId}/tracks": { "get": { "summary": "List tracks", "operationId": "TrackService_ListTracks", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1ListTracksResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "roomId", "in": "path", "required": true, "type": "string" }, { "name": "tenantId", "in": "query", "required": false, "type": "string" }, { "name": "peerId", "in": "query", "required": false, "type": "string" }, { "name": "kind", "in": "query", "required": false, "type": "string" } ], "tags": [ "TrackService" ] } }, "/v1/webrtc/tracks": { "post": { "summary": "Publish a track", "operationId": "TrackService_PublishTrack", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1PublishTrackResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1PublishTrackRequest" } } ], "tags": [ "TrackService" ] } }, "/v1/webrtc/tracks/{trackId}/mute": { "post": { "summary": "Mute or unmute a track", "operationId": "TrackService_MuteTrack", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1MuteTrackResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "trackId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/TrackServiceMuteTrackBody" } } ], "tags": [ "TrackService" ] } }, "/v1/webrtc/tracks/{trackId}/unpublish": { "post": { "summary": "Unpublish a track", "operationId": "TrackService_UnpublishTrack", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1UnpublishTrackResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "trackId", "in": "path", "required": true, "type": "string" }, { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/TrackServiceUnpublishTrackBody" } } ], "tags": [ "TrackService" ] } }, "/v1/webrtc/turn/credentials": { "post": { "summary": "Issue ephemeral TURN/STUN credentials", "operationId": "TurnService_IssueCredentials", "responses": { "200": { "description": "A successful response.", "schema": { "$ref": "#/definitions/v1IssueCredentialsResponse" } }, "default": { "description": "An unexpected error response.", "schema": { "$ref": "#/definitions/rpcStatus" } } }, "parameters": [ { "name": "body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/v1IssueCredentialsRequest" } } ], "tags": [ "TurnService" ] } } }, "definitions": { "ApiKeyServiceRotateApiKeyBody": { "type": "object", "properties": { "rotationReason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } }, "description": "Rotate a key: mint a fresh secret under the same key record + lineage, return\nthe new plain key ONCE, and invalidate the old secret. The rotated key keeps\nthe same key_id, owner, scopes, tenant, and project (rotation lineage)." }, "ApiKeyServiceUpdateApiKeyBody": { "type": "object", "properties": { "name": { "type": "string" }, "description": { "type": "string" }, "scopes": { "type": "array", "items": { "type": "string" } }, "ipAllowlist": { "type": "array", "items": { "type": "string" } }, "rateLimitPerMinute": { "type": "integer", "format": "int32" }, "rateLimitPerDay": { "type": "string", "format": "int64" }, "expiresAt": { "type": "string", "format": "date-time" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } }, "title": "Update mutable fields: name, description, scopes, ip_allowlist, rate limits, expires_at" }, "AssetServiceCompleteStepBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "status": { "type": "string", "title": "COMPLETED | SKIPPED | FAILED" }, "result": { "type": "string", "title": "JSON" }, "errorMessage": { "type": "string" } } }, "AuthnServiceAdminResetMfaBody": { "type": "object", "properties": { "reason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceAdminResetPasswordBody": { "type": "object", "properties": { "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } }, "title": "Admin password reset (generates a temporary password + sends email OTP)" }, "AuthnServiceAdminRevokeAllTenantSessionsBody": { "type": "object", "properties": { "reason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceAdminRevokeAllUserSessionsBody": { "type": "object", "properties": { "reason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceAdminRevokeSessionBody": { "type": "object", "properties": { "sessionId": { "type": "string", "title": "public session handle" }, "reason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceChangeUserStatusBody": { "type": "object", "properties": { "newStatus": { "$ref": "#/definitions/v1UserStatus" }, "reason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceConfirmMFAEnrollmentBody": { "type": "object", "properties": { "otpId": { "type": "string" }, "code": { "type": "string", "title": "TOTP code or email OTP code to confirm" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceDisableMfaFactorBody": { "type": "object", "properties": { "factorKind": { "$ref": "#/definitions/v1AuthFactorKind" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceEnrollMFABody": { "type": "object", "properties": { "mfaType": { "$ref": "#/definitions/v1AuthFactorKind" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceGenerateRecoveryCodesBody": { "type": "object", "properties": { "count": { "type": "integer", "format": "int32", "title": "number of codes to generate (server clamps to a sane range; default 10)" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServicePutMfaPolicyBody": { "type": "object", "properties": { "requireMfa": { "type": "boolean" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceRefreshSessionBody": { "type": "object", "properties": { "ttlSeconds": { "type": "string", "format": "int64" } } }, "AuthnServiceRenamePasskeyBody": { "type": "object", "properties": { "credentialId": { "type": "string" }, "newLabel": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceRevokeRecoveryCodesBody": { "type": "object", "properties": { "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceSendPhoneVerificationBody": { "type": "object", "properties": { "phone": { "type": "string", "title": "E.164 number to set + verify" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceStartWebAuthnRegistrationBody": { "type": "object", "properties": { "label": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "AuthnServiceUpdateUserBody": { "type": "object", "properties": { "fullName": { "type": "string" }, "email": { "type": "string" }, "tenantId": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" }, "accountKind": { "$ref": "#/definitions/v1AccountKind" }, "projectId": { "type": "string" }, "profileAttributes": { "type": "object", "additionalProperties": { "type": "string" } }, "externalProviderId": { "type": "string" }, "externalSubject": { "type": "string" } } }, "AuthzServiceAssignRoleBody": { "type": "object", "properties": { "roleId": { "type": "string" }, "domain": { "type": "string" }, "assignedBy": { "type": "string" }, "expiresAt": { "type": "string", "format": "date-time" }, "principalId": { "type": "string" }, "principalKind": { "$ref": "#/definitions/v1PrincipalKind" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" } }, "required": [ "roleId", "domain", "assignedBy" ] }, "AuthzServiceRevokeRoleBody": { "type": "object", "properties": { "reason": { "type": "string" }, "revokedBy": { "type": "string" } } }, "AuthzServiceUpdateRoleBody": { "type": "object", "properties": { "name": { "type": "string" }, "description": { "type": "string" }, "isActive": { "type": "boolean" }, "updatedBy": { "type": "string" } }, "required": [ "updatedBy" ] }, "IdentityProviderServiceDisableProviderBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "updatedBy": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "IdentityProviderServiceForceJwksRefreshBody": { "type": "object", "properties": { "tenantId": { "type": "string" } } }, "IdentityProviderServiceImportSamlMetadataBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "metadataXml": { "type": "string", "description": "Raw SAML metadata XML; if empty the stored saml_metadata_url is fetched." }, "updatedBy": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } }, "description": "Import IdP metadata (XML) into a provider record: SSO URL, entityID, certs." }, "IdentityProviderServicePreviewClaimMappingBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "claimsJson": { "type": "string", "description": "Raw claims as a JSON object (the IdP token payload)." }, "claimMappingJson": { "type": "string", "description": "Optional override mapping; empty = use the stored provider mapping." } }, "description": "Preview how raw IdP claims would map to a UDB principal under a mapping." }, "IdentityProviderServicePreviewGroupMappingBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "groups": { "type": "array", "items": { "type": "string" } }, "groupMappingJson": { "type": "string", "title": "empty = use stored mapping" } }, "description": "Preview which UDB roles a set of IdP groups would grant under a group mapping." }, "IdentityProviderServiceResolveExternalIdentityBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "claimsJson": { "type": "string", "description": "Verified claims as JSON (already authenticated upstream)." } }, "description": "Resolve (and JIT-provision/link) a UDB user from verified external claims." }, "IdentityProviderServiceSamlAcsBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "samlResponse": { "type": "string", "description": "Base64-encoded SAMLResponse from the IdP (HTTP-POST binding)." }, "relayState": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } }, "description": "Assertion Consumer Service: validate a posted SAMLResponse and authenticate." }, "IdentityProviderServiceScimCreateGroupBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "scimGroupJson": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "IdentityProviderServiceScimCreateUserBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "scimUserJson": { "type": "string", "title": "SCIM 2.0 User JSON" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "IdentityProviderServiceScimPatchGroupBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "operations": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ScimPatchOp" } }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "IdentityProviderServiceScimPatchUserBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "operations": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ScimPatchOp" } }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "IdentityProviderServiceScimReplaceUserBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "scimUserJson": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "IdentityProviderServiceStartSamlLoginBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "relayState": { "type": "string" } }, "description": "Build a signed (or unsigned) SAML AuthnRequest for redirect to the IdP." }, "IdentityProviderServiceTestProviderDiscoveryBody": { "type": "object", "properties": { "tenantId": { "type": "string" } }, "description": "Resolve discovery + key material for a provider without authenticating." }, "IdentityProviderServiceUnlinkIdentityBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "IdentityProviderServiceUpdateProviderBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "displayName": { "type": "string" }, "issuer": { "type": "string" }, "entityId": { "type": "string" }, "jwksUrl": { "type": "string" }, "samlMetadataUrl": { "type": "string" }, "clientIds": { "type": "array", "items": { "type": "string" } }, "audiences": { "type": "array", "items": { "type": "string" } }, "claimMappingJson": { "type": "string" }, "groupMappingJson": { "type": "string" }, "jitPolicyJson": { "type": "string" }, "accountLinkingPolicy": { "type": "string" }, "clientSecret": { "type": "string", "title": "empty = unchanged" }, "samlSigningKeyPem": { "type": "string", "title": "empty = unchanged" }, "updatedBy": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "NotificationServiceRetryNotificationBody": { "type": "object", "properties": { "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "NotificationServiceSetPreferenceBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "eventType": { "type": "string", "title": "Empty = channel-wide opt-out" }, "isOptedOut": { "type": "boolean" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "NotificationServiceUpsertTemplateBody": { "type": "object", "properties": { "locale": { "type": "string" }, "subjectTemplate": { "type": "string" }, "bodyTemplate": { "type": "string" }, "isActive": { "type": "boolean" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "PeerServiceJoinRoomBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "displayName": { "type": "string" }, "metadata": { "type": "string", "title": "JSON" }, "userAgent": { "type": "string" } } }, "PeerServiceLeaveRoomBody": { "type": "object", "properties": { "tenantId": { "type": "string" } } }, "RoomServiceCloseRoomBody": { "type": "object", "properties": { "tenantId": { "type": "string" } } }, "RoomServiceUpdateRoomBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "name": { "type": "string" }, "state": { "type": "string" }, "config": { "type": "string", "title": "JSON" } } }, "StorageServiceFinalizeUploadBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "contentType": { "type": "string" }, "fileType": { "type": "string" }, "referenceId": { "type": "string" }, "referenceType": { "type": "string" }, "isPublic": { "type": "boolean", "description": "Proto3 explicit presence: absent leaves the stored visibility unchanged." }, "sizeBytes": { "type": "string", "format": "int64", "description": "Actual uploaded size in bytes, persisted on finalize." }, "checksum": { "type": "string", "description": "Optional client-computed content checksum; persisted into File.checksum.\nOnly verified/stored when present." }, "etag": { "type": "string", "description": "Optional client-observed object ETag; compared against the store's HEAD\nETag when present (mismatch → FailedPrecondition / UPLOAD_SIZE_MISMATCH)." } } }, "StorageServiceUpdateFileBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "filename": { "type": "string" }, "contentType": { "type": "string" }, "fileType": { "type": "string" }, "referenceId": { "type": "string" }, "referenceType": { "type": "string" }, "isPublic": { "type": "boolean", "description": "Proto3 explicit presence: absent leaves the stored visibility unchanged —\na partial update can never silently flip a file public/private." } } }, "TenantServiceUpdateTenantBody": { "type": "object", "properties": { "name": { "type": "string" }, "status": { "type": "string" }, "config": { "type": "string", "title": "JSON" }, "branding": { "type": "string", "title": "JSON" } } }, "TenantServiceUpdateTenantConfigBody": { "type": "object", "properties": { "configKey": { "type": "string" }, "configValue": { "type": "string" }, "type": { "type": "string" } } }, "TrackServiceMuteTrackBody": { "type": "object", "properties": { "tenantId": { "type": "string" }, "muted": { "type": "boolean" } } }, "TrackServiceUnpublishTrackBody": { "type": "object", "properties": { "tenantId": { "type": "string" } } }, "coreAuthnServicesV1Principal": { "type": "object", "properties": { "principalId": { "type": "string" }, "subject": { "type": "string" }, "userId": { "type": "string" }, "serviceIdentity": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "scopes": { "type": "array", "items": { "type": "string" } }, "roles": { "type": "array", "items": { "type": "string" } }, "providerId": { "type": "string" }, "authMethod": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" }, "accountKind": { "$ref": "#/definitions/v1AccountKind" }, "domain": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } } }, "description": "An authenticated caller, normalized to the claims UDB and project services\nneed after token/session/API-key validation." }, "coreAuthzServicesV1Principal": { "type": "object", "properties": { "principalId": { "type": "string" }, "subject": { "type": "string" }, "userId": { "type": "string" }, "serviceIdentity": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "scopes": { "type": "array", "items": { "type": "string" } }, "roles": { "type": "array", "items": { "type": "string" } }, "providerId": { "type": "string" }, "authMethod": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" }, "accountKind": { "type": "string" }, "domain": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } } }, "description": "Authenticated caller claims copied from the UDB auth control plane and kept\nlocal so authorization can be used by any project without importing broker\nservice protos." }, "coreCommonV1RequestContext": { "type": "object", "properties": { "tenant": { "$ref": "#/definitions/v1TenantContext" }, "requestId": { "type": "string" }, "correlationId": { "type": "string" }, "userId": { "type": "string" }, "headers": { "type": "object", "additionalProperties": { "type": "string" } }, "traceId": { "type": "string" }, "spanId": { "type": "string" }, "ipAddress": { "type": "string" }, "userAgent": { "type": "string" }, "timestamp": { "type": "string", "format": "date-time" }, "principalId": { "type": "string" }, "serviceIdentity": { "type": "string" }, "scopes": { "type": "array", "items": { "type": "string" } }, "roles": { "type": "array", "items": { "type": "string" } }, "purpose": { "type": "string" }, "idempotencyKey": { "type": "string" }, "clientCatalogVersion": { "type": "string" }, "consistency": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } }, "traceparent": { "type": "string" } } }, "protobufAny": { "type": "object", "properties": { "@type": { "type": "string", "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." } }, "additionalProperties": {}, "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" }, "rpcStatus": { "type": "object", "properties": { "code": { "type": "integer", "format": "int32" }, "message": { "type": "string" }, "details": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/protobufAny" } } } }, "v1AccessContext": { "type": "object", "properties": { "ipAddress": { "type": "string" }, "userAgent": { "type": "string" }, "deviceId": { "type": "string" }, "tokenId": { "type": "string" }, "sessionId": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } } } }, "v1AccessDecisionAudit": { "type": "object", "properties": { "decisionAuditId": { "type": "string" }, "userId": { "type": "string" }, "domain": { "type": "string" }, "object": { "type": "string" }, "action": { "type": "string" }, "effect": { "$ref": "#/definitions/v1PolicyEffect" }, "decisionSource": { "$ref": "#/definitions/v1DecisionSource" }, "matchedRule": { "type": "string" }, "reason": { "type": "string" }, "ipAddress": { "type": "string" }, "correlationId": { "type": "string" }, "decidedAt": { "type": "string", "format": "date-time" }, "tenantId": { "type": "string" }, "decisionId": { "type": "string", "description": "── Phase L3 task4: expanded compliance columns ───────────────────────────\nStable decision id linking this audit row to the gRPC Decision returned to\nthe caller and to the access-deny domain event." }, "policyVersion": { "type": "string", "description": "Authz snapshot versions at decision time." }, "relationshipVersion": { "type": "string" }, "purpose": { "type": "string", "description": "Declared purpose of the access (purpose-binding / GDPR)." }, "scopes": { "type": "string", "description": "Scopes required by the matched policy (comma-joined)." }, "matchedPolicyIds": { "type": "array", "items": { "type": "string" }, "description": "Every policy id that matched (Postgres text array), not just the first." }, "projectId": { "type": "string", "description": "Project domain (tenant lives on tenant_id)." }, "actorKind": { "type": "string", "description": "Actor kind: \"user\" | \"service\" | \"external\"." }, "resourceType": { "type": "string", "description": "Resource type/reference for the object being acted upon." }, "traceId": { "type": "string", "description": "Distributed-trace correlation (OpenTelemetry)." }, "spanId": { "type": "string" }, "userAgentHash": { "type": "string", "description": "Hashed user-agent (never raw) from the request context." }, "decisionInput": { "type": "string", "description": "Redacted decision-input attributes (JSON; credential-shaped keys scrubbed)." } } }, "v1AccountKind": { "type": "string", "enum": [ "ACCOUNT_KIND_UNSPECIFIED", "ACCOUNT_KIND_PERSON", "ACCOUNT_KIND_SERVICE_ACCOUNT", "ACCOUNT_KIND_WORKLOAD", "ACCOUNT_KIND_EXTERNAL_IDENTITY", "ACCOUNT_KIND_SYSTEM", "ACCOUNT_KIND_ANONYMOUS" ], "default": "ACCOUNT_KIND_UNSPECIFIED", "description": "Generic principal category used by native authn, external identity mapping,\nAPI keys, and workload/service accounts." }, "v1AckStatusResponse": { "type": "object", "properties": { "nodeState": { "$ref": "#/definitions/v1NodeAckState" }, "currentVersion": { "type": "string", "description": "The current version-of-the-world for this resource_type." }, "acknowledged": { "type": "boolean", "description": "True iff the node has applied the current version with no outstanding NACK." }, "nacked": { "type": "boolean", "description": "True iff the node's last response was rejected (NACK) and not yet recovered." } } }, "v1ActivateCanaryRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "policyVersionId": { "type": "string" }, "scopeKind": { "$ref": "#/definitions/v1CanaryScopeKind" }, "scopeValues": { "type": "array", "items": { "type": "string" }, "description": "NODE/TENANT: explicit id list. PERCENT: a single value 1..=100." }, "successWindowSecs": { "type": "string", "format": "int64", "description": "Evaluator settings (zero = service defaults)." }, "metricThreshold": { "type": "number", "format": "double" }, "minSamples": { "type": "string", "format": "int64" }, "expectedRevision": { "type": "string", "format": "int64", "description": "Optimistic concurrency over the candidate version's own revision." } }, "description": "Activate a policy version to a CANARY scope (a subset of the fleet) rather\nthan fleet-wide. The version is served only to in-scope nodes/tenants (or a\npercentage slice) while a metric-based evaluator watches the success window;\nit then either promotes fleet-wide, auto-rolls back on breach, or pauses on\nan inconclusive signal. Additive to the Phase-K activation surface." }, "v1ActivatePolicyVersionRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "policyVersionId": { "type": "string" }, "expectedRevision": { "type": "string", "format": "int64" }, "expectedPolicyRevision": { "type": "string", "format": "int64", "description": "Optimistic concurrency over the live authz revision counters." }, "expectedRelationshipRevision": { "type": "string", "format": "int64" } } }, "v1ActivationResponse": { "type": "object", "properties": { "version": { "$ref": "#/definitions/v1PolicyVersion" }, "policySet": { "$ref": "#/definitions/v1PolicySet" }, "policyRevision": { "type": "string", "format": "int64", "description": "The authz revision the activation/rollback produced (for cluster reload)." }, "relationshipRevision": { "type": "string", "format": "int64" }, "contentHash": { "type": "string" } } }, "v1AdminResetMfaResponse": { "type": "object", "properties": { "reset": { "type": "boolean" } } }, "v1AdminResetPasswordResponse": { "type": "object", "properties": { "otpId": { "type": "string", "title": "OTP to complete the reset flow" } } }, "v1AdminRevokeAllTenantSessionsResponse": { "type": "object", "properties": { "sessionsRevoked": { "type": "string", "format": "int64" } } }, "v1AdminRevokeAllUserSessionsResponse": { "type": "object", "properties": { "sessionsRevoked": { "type": "string", "format": "int64" } } }, "v1AdminRevokeSessionResponse": { "type": "object", "properties": { "revoked": { "type": "boolean" }, "sessionsRevoked": { "type": "string", "format": "int64" } } }, "v1ApiError": { "type": "object", "properties": { "code": { "type": "string" }, "message": { "type": "string" }, "errorId": { "type": "string" }, "httpStatusCode": { "type": "integer", "format": "int32" }, "retryable": { "type": "boolean" }, "fieldViolations": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1FieldViolation" } } }, "description": "ApiError holds structured error information for failed responses." }, "v1ApiKey": { "type": "object", "properties": { "keyId": { "type": "string" }, "keyPrefix": { "type": "string", "description": "Prefix stored for display (for example \"udb_ab1c\"). Not secret; only for UX." }, "keyHash": { "type": "string", "description": "Keyed digest of the full plain key — used for lookup + equality check." }, "name": { "type": "string" }, "description": { "type": "string" }, "ownerType": { "$ref": "#/definitions/v1ApiKeyOwnerType" }, "ownerId": { "type": "string", "description": "Owning principal, tenant, project, integration, service account, or workload id." }, "scopesJson": { "type": "string", "description": "JSON array of scopes granted to this key." }, "status": { "$ref": "#/definitions/v1ApiKeyStatus" }, "ipAllowlistJson": { "type": "string", "description": "IP allowlist — JSON array of CIDR strings. Empty = unrestricted." }, "rateLimitPerMinute": { "type": "integer", "format": "int32", "title": "Rate limits (0 = unlimited)" }, "rateLimitPerDay": { "type": "string", "format": "int64" }, "createdBy": { "type": "string" }, "revokedBy": { "type": "string" }, "revokeReason": { "type": "string" }, "expiresAt": { "type": "string", "format": "date-time" }, "lastUsedAt": { "type": "string", "format": "date-time" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "deletedAt": { "type": "string", "format": "date-time" }, "deletedBy": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "allowedResourcesJson": { "type": "string" }, "metadataJson": { "type": "string" } } }, "v1ApiKeyDailyStat": { "type": "object", "properties": { "date": { "type": "string", "title": "YYYY-MM-DD" }, "totalRequests": { "type": "string", "format": "int64" }, "rateLimitedCount": { "type": "string", "format": "int64" }, "avgLatencyMs": { "type": "number", "format": "double" }, "statusCounts": { "type": "object", "additionalProperties": { "type": "string", "format": "int64" }, "title": "HTTP status → count" } } }, "v1ApiKeyOwnerType": { "type": "string", "enum": [ "API_KEY_OWNER_TYPE_UNSPECIFIED", "API_KEY_OWNER_TYPE_INTEGRATION", "API_KEY_OWNER_TYPE_CICD", "API_KEY_OWNER_TYPE_ANALYTICS", "API_KEY_OWNER_TYPE_TENANT", "API_KEY_OWNER_TYPE_PROJECT", "API_KEY_OWNER_TYPE_SERVICE_ACCOUNT", "API_KEY_OWNER_TYPE_WORKLOAD" ], "default": "API_KEY_OWNER_TYPE_UNSPECIFIED", "description": "- API_KEY_OWNER_TYPE_INTEGRATION: External system integration.\n - API_KEY_OWNER_TYPE_CICD: CI/CD pipeline\n - API_KEY_OWNER_TYPE_ANALYTICS: Read-only analytics / BI tool\n - API_KEY_OWNER_TYPE_TENANT: Tenant-scoped integration key\n - API_KEY_OWNER_TYPE_PROJECT: Project/application-scoped key", "title": "Owner types — who this key belongs to" }, "v1ApiKeyStatus": { "type": "string", "enum": [ "API_KEY_STATUS_UNSPECIFIED", "API_KEY_STATUS_ACTIVE", "API_KEY_STATUS_REVOKED", "API_KEY_STATUS_EXPIRED" ], "default": "API_KEY_STATUS_UNSPECIFIED" }, "v1ApprovePolicyDraftRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "draftId": { "type": "string" }, "reviewer": { "type": "string" }, "reason": { "type": "string" } } }, "v1Asset": { "type": "object", "properties": { "assetId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:asset_id;not null\"" }, "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:tenant_id;not null\"" }, "projectId": { "type": "string", "title": "@inject_tag: gorm:\"column:project_id\"" }, "fileId": { "type": "string", "title": "@inject_tag: gorm:\"column:file_id;not null\"" }, "name": { "type": "string", "title": "@inject_tag: gorm:\"column:name\"" }, "mediaType": { "type": "string", "title": "@inject_tag: gorm:\"column:media_type\"" }, "status": { "$ref": "#/definitions/v1AssetStatus", "title": "@inject_tag: gorm:\"column:status;not null;serializer:proto_enum\"" }, "metadata": { "type": "string", "title": "@inject_tag: gorm:\"column:metadata\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" }, "deletedAt": { "type": "string", "format": "date-time" }, "deletedBy": { "type": "string" } }, "description": "Asset wraps a storage File and tracks its processing lifecycle." }, "v1AssetStatus": { "type": "string", "enum": [ "ASSET_STATUS_UNSPECIFIED", "ASSET_STATUS_PENDING", "ASSET_STATUS_READY", "ASSET_STATUS_FAILED" ], "default": "ASSET_STATUS_UNSPECIFIED" }, "v1AssignRoleResponse": { "type": "object", "properties": { "userRole": { "$ref": "#/definitions/v1UserRole" } } }, "v1AssuranceLevel": { "type": "string", "enum": [ "ASSURANCE_LEVEL_UNSPECIFIED", "ASSURANCE_LEVEL_NONE", "ASSURANCE_LEVEL_LOW", "ASSURANCE_LEVEL_SINGLE_FACTOR", "ASSURANCE_LEVEL_MULTI_FACTOR", "ASSURANCE_LEVEL_HARDWARE" ], "default": "ASSURANCE_LEVEL_UNSPECIFIED", "description": "Normalized authentication assurance level derived from IdP auth-context /\nMFA claims. Higher ordinal == stronger assurance. Authz policies (Phase K)\nmay require a minimum assurance level; the value is stamped onto sessions and\naudit records so a decision can be correlated to how the subject authenticated.\n\n - ASSURANCE_LEVEL_NONE: unauthenticated / anonymous\n - ASSURANCE_LEVEL_LOW: single factor, unverified context\n - ASSURANCE_LEVEL_SINGLE_FACTOR: single factor, verified (pwd / IdP w/o MFA)\n - ASSURANCE_LEVEL_MULTI_FACTOR: MFA asserted by IdP (amr/acr)\n - ASSURANCE_LEVEL_HARDWARE: phishing-resistant / hardware-backed (WebAuthn, smartcard)" }, "v1AuditInfo": { "type": "object", "properties": { "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "createdBy": { "type": "string" }, "updatedBy": { "type": "string" }, "deletedAt": { "type": "string", "format": "date-time" }, "deletedBy": { "type": "string" } } }, "v1AuthCredentialType": { "type": "string", "enum": [ "AUTH_CREDENTIAL_TYPE_UNSPECIFIED", "AUTH_CREDENTIAL_TYPE_BEARER_TOKEN", "AUTH_CREDENTIAL_TYPE_SESSION", "AUTH_CREDENTIAL_TYPE_API_KEY", "AUTH_CREDENTIAL_TYPE_MTLS", "AUTH_CREDENTIAL_TYPE_OIDC_TOKEN", "AUTH_CREDENTIAL_TYPE_SAML_ASSERTION", "AUTH_CREDENTIAL_TYPE_PASSWORD", "AUTH_CREDENTIAL_TYPE_CUSTOM" ], "default": "AUTH_CREDENTIAL_TYPE_UNSPECIFIED" }, "v1AuthFactorKind": { "type": "string", "enum": [ "AUTH_FACTOR_KIND_UNSPECIFIED", "AUTH_FACTOR_KIND_PASSWORD", "AUTH_FACTOR_KIND_EMAIL_OTP", "AUTH_FACTOR_KIND_SMS_OTP", "AUTH_FACTOR_KIND_TOTP", "AUTH_FACTOR_KIND_WEBAUTHN", "AUTH_FACTOR_KIND_RECOVERY_CODE" ], "default": "AUTH_FACTOR_KIND_UNSPECIFIED" }, "v1AuthMutationResponse": { "type": "object", "properties": { "ok": { "type": "boolean" }, "message": { "type": "string" } } }, "v1AuthnRequest": { "type": "object", "properties": { "bearerToken": { "type": "string" }, "sessionId": { "type": "string" }, "apiKey": { "type": "string" }, "externalProviderId": { "type": "string" }, "externalToken": { "type": "string" }, "tenantHint": { "type": "string" }, "projectHint": { "type": "string" }, "requestedScopes": { "type": "array", "items": { "type": "string" } }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } }, "credentialType": { "$ref": "#/definitions/v1AuthCredentialType" }, "clientId": { "type": "string" }, "audience": { "type": "string" }, "issuer": { "type": "string" } } }, "v1AuthnResponse": { "type": "object", "properties": { "principal": { "$ref": "#/definitions/coreAuthnServicesV1Principal" }, "sessionId": { "type": "string" }, "accessToken": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" }, "relationshipVersion": { "type": "string" }, "warnings": { "type": "array", "items": { "type": "string" } } } }, "v1AuthzPolicyRecord": { "type": "object", "properties": { "id": { "type": "string" }, "priority": { "type": "integer", "format": "int32" }, "enabled": { "type": "boolean" }, "effect": { "type": "string" }, "tenant": { "type": "string" }, "project": { "type": "string" }, "subject": { "type": "string" }, "role": { "type": "string" }, "action": { "type": "string" }, "resource": { "type": "string" }, "purpose": { "type": "string" }, "relationship": { "type": "string" }, "conditions": { "type": "object", "additionalProperties": { "type": "string" } }, "requiredScopes": { "type": "array", "items": { "type": "string" } } } }, "v1AuthzRequest": { "type": "object", "properties": { "principal": { "$ref": "#/definitions/coreAuthzServicesV1Principal" }, "sessionId": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "resource": { "$ref": "#/definitions/v1ResourceRef" }, "action": { "type": "string" }, "purpose": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } }, "context": { "$ref": "#/definitions/v1AccessContext" }, "requestedScopes": { "type": "array", "items": { "type": "string" } }, "domain": { "type": "string" } } }, "v1AuthzResponse": { "type": "object", "properties": { "decision": { "$ref": "#/definitions/v1Decision" } } }, "v1BatchCheckPermissionsRequest": { "type": "object", "properties": { "userId": { "type": "string" }, "domain": { "type": "string" }, "checks": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1PermissionCheck" } }, "context": { "$ref": "#/definitions/v1AccessContext" } } }, "v1BatchCheckPermissionsResponse": { "type": "object", "properties": { "results": { "type": "object", "additionalProperties": { "type": "boolean" }, "title": "\"object:action\" → allowed" } } }, "v1CanaryResponse": { "type": "object", "properties": { "canary": { "$ref": "#/definitions/v1PolicyCanary" }, "version": { "$ref": "#/definitions/v1PolicyVersion" }, "policySet": { "$ref": "#/definitions/v1PolicySet" } } }, "v1CanaryScopeKind": { "type": "string", "enum": [ "CANARY_SCOPE_KIND_UNSPECIFIED", "CANARY_SCOPE_KIND_NODE", "CANARY_SCOPE_KIND_TENANT", "CANARY_SCOPE_KIND_PERCENT" ], "default": "CANARY_SCOPE_KIND_UNSPECIFIED", "description": "How a canary's exposure is scoped before fleet-wide promotion. A canary\nversion is only served to in-scope nodes/tenants (or a percentage slice)\nwhile it bakes; the metric evaluator then either promotes it fleet-wide or\nauto-rolls it back.\n\n - CANARY_SCOPE_KIND_NODE: scope_values is an explicit list of control-plane node ids.\n - CANARY_SCOPE_KIND_TENANT: scope_values is an explicit list of tenant ids.\n - CANARY_SCOPE_KIND_PERCENT: scope_values[0] is an integer 1..=100 percentage; membership is a stable\nhash bucket of the node/tenant id." }, "v1CanaryState": { "type": "string", "enum": [ "CANARY_STATE_UNSPECIFIED", "CANARY_STATE_ACTIVE", "CANARY_STATE_PROMOTED", "CANARY_STATE_ROLLED_BACK", "CANARY_STATE_PAUSED" ], "default": "CANARY_STATE_UNSPECIFIED", "description": "Lifecycle state of a progressive-rollout canary.\n\n - CANARY_STATE_ACTIVE: Baking: the version is live for the in-scope subset and the evaluator is\nwatching the success metric over the success window.\n - CANARY_STATE_PROMOTED: The success window passed within threshold and the canary was promoted\nfleet-wide (the version is now the active version of its policy set).\n - CANARY_STATE_ROLLED_BACK: A metric breach inside the window triggered an automatic rollback to the\npolicy set's prior (rollback) version.\n - CANARY_STATE_PAUSED: The signal was inconclusive (insufficient samples): the canary is held —\nneither promoted nor rolled back — pending more data / operator action." }, "v1ChangePasswordRequest": { "type": "object", "properties": { "userId": { "type": "string" }, "currentPassword": { "type": "string" }, "newPassword": { "type": "string" }, "otpId": { "type": "string", "title": "2FA OTP confirming the change" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1ChangePasswordResponse": { "type": "object", "properties": { "userId": { "type": "string" }, "changedAt": { "type": "string", "format": "date-time" }, "operationId": { "type": "string" } } }, "v1ChangeUserStatusResponse": { "type": "object", "properties": { "user": { "$ref": "#/definitions/v1User" } } }, "v1ChannelStats": { "type": "object", "properties": { "channel": { "$ref": "#/definitions/v1NotificationChannel" }, "sent": { "type": "string", "format": "int64" }, "delivered": { "type": "string", "format": "int64" }, "failed": { "type": "string", "format": "int64" }, "suppressed": { "type": "string", "format": "int64" }, "deliveryRate": { "type": "number", "format": "double" } } }, "v1CheckAccessRequest": { "type": "object", "properties": { "userId": { "type": "string" }, "domain": { "type": "string" }, "object": { "type": "string" }, "action": { "type": "string" }, "context": { "$ref": "#/definitions/v1AccessContext" }, "principal": { "$ref": "#/definitions/coreAuthzServicesV1Principal" }, "resource": { "$ref": "#/definitions/v1ResourceRef" }, "purpose": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } } }, "required": [ "userId", "domain", "object", "action" ] }, "v1CheckAccessResponse": { "type": "object", "properties": { "allowed": { "type": "boolean" }, "effect": { "$ref": "#/definitions/v1PolicyEffect" }, "matchedRule": { "type": "string" }, "reason": { "type": "string" }, "decision": { "$ref": "#/definitions/v1Decision" } } }, "v1CloseRoomResponse": { "type": "object", "properties": { "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1CompleteStepResponse": { "type": "object", "properties": { "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1ConfigType": { "type": "string", "enum": [ "CONFIG_TYPE_UNSPECIFIED", "CONFIG_TYPE_STRING", "CONFIG_TYPE_NUMBER", "CONFIG_TYPE_BOOLEAN", "CONFIG_TYPE_JSON" ], "default": "CONFIG_TYPE_UNSPECIFIED" }, "v1ConfirmMFAEnrollmentResponse": { "type": "object", "properties": { "enrolled": { "type": "boolean" } } }, "v1CreateApiKeyRequest": { "type": "object", "properties": { "name": { "type": "string" }, "description": { "type": "string" }, "ownerType": { "$ref": "#/definitions/v1ApiKeyOwnerType" }, "ownerId": { "type": "string" }, "scopes": { "type": "array", "items": { "type": "string" }, "title": "e.g. [\"resource:write\", \"project:read\"]" }, "ipAllowlist": { "type": "array", "items": { "type": "string" }, "title": "CIDR strings; empty = unrestricted" }, "rateLimitPerMinute": { "type": "integer", "format": "int32", "title": "0 = use default (60)" }, "rateLimitPerDay": { "type": "string", "format": "int64", "title": "0 = use default (10000)" }, "expiresAt": { "type": "string", "format": "date-time", "title": "null = never expires" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1CreateApiKeyResponse": { "type": "object", "properties": { "key": { "$ref": "#/definitions/v1ApiKey" }, "plainKey": { "type": "string", "title": "Plain key returned ONCE — not stored, must be saved by caller" } } }, "v1CreatePipelineDefinitionRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "name": { "type": "string" }, "description": { "type": "string" }, "mediaType": { "type": "string" }, "steps": { "type": "string", "title": "JSON" }, "version": { "type": "integer", "format": "int32" } } }, "v1CreatePipelineDefinitionResponse": { "type": "object", "properties": { "definitionId": { "type": "string" }, "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1CreatePolicyDraftRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "policySetName": { "type": "string" }, "title": { "type": "string" }, "changeReason": { "type": "string" }, "highRisk": { "type": "boolean" }, "document": { "$ref": "#/definitions/v1PolicyDocument", "description": "Initial document. Empty + branch_from_active=true clones the active snapshot." }, "branchFromActive": { "type": "boolean" } } }, "v1CreatePolicyRuleRequest": { "type": "object", "properties": { "subject": { "type": "string" }, "domain": { "type": "string" }, "object": { "type": "string" }, "action": { "type": "string" }, "effect": { "$ref": "#/definitions/v1PolicyEffect" }, "condition": { "type": "string" }, "description": { "type": "string" }, "createdBy": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "resourceType": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } } }, "required": [ "subject", "domain", "object", "action", "effect", "createdBy" ] }, "v1CreatePolicyRuleResponse": { "type": "object", "properties": { "policy": { "$ref": "#/definitions/v1PolicyRule" } } }, "v1CreateProviderRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "kind": { "$ref": "#/definitions/v1IdpKind" }, "displayName": { "type": "string" }, "issuer": { "type": "string" }, "entityId": { "type": "string" }, "jwksUrl": { "type": "string" }, "samlMetadataUrl": { "type": "string" }, "clientIds": { "type": "array", "items": { "type": "string" } }, "audiences": { "type": "array", "items": { "type": "string" } }, "claimMappingJson": { "type": "string", "description": "JSON objects/strings for the mapping policies." }, "groupMappingJson": { "type": "string" }, "jitPolicyJson": { "type": "string" }, "accountLinkingPolicy": { "type": "string" }, "enabled": { "type": "boolean" }, "clientSecret": { "type": "string", "description": "Optional confidential-client secret (OIDC) / SCIM bearer (write-only)." }, "samlSigningKeyPem": { "type": "string", "description": "Optional SP signing key (PEM) for SAML request signing (write-only)." }, "createdBy": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1CreateProviderResponse": { "type": "object", "properties": { "provider": { "$ref": "#/definitions/v1IdentityProvider" } } }, "v1CreateRoleRequest": { "type": "object", "properties": { "name": { "type": "string" }, "description": { "type": "string" }, "createdBy": { "type": "string" }, "roleCode": { "type": "string" }, "domain": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "scopeType": { "$ref": "#/definitions/v1RoleScopeType" }, "accessSurface": { "type": "string" }, "metadata": { "type": "object", "additionalProperties": { "type": "string" } } }, "required": [ "name", "createdBy" ] }, "v1CreateRoleResponse": { "type": "object", "properties": { "role": { "$ref": "#/definitions/v1Role" } } }, "v1CreateRoomRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "name": { "type": "string" }, "maxParticipants": { "type": "integer", "format": "int32" }, "config": { "type": "string", "title": "JSON" }, "createdBy": { "type": "string" } } }, "v1CreateRoomResponse": { "type": "object", "properties": { "roomId": { "type": "string" }, "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1CreateSessionRequest": { "type": "object", "properties": { "principal": { "$ref": "#/definitions/coreAuthnServicesV1Principal" }, "ttlSeconds": { "type": "string", "format": "int64" }, "clientFingerprint": { "type": "string" } } }, "v1CreateSessionResponse": { "type": "object", "properties": { "sessionId": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" } } }, "v1CreateTenantRequest": { "type": "object", "properties": { "code": { "type": "string" }, "name": { "type": "string" }, "type": { "type": "string" }, "parentTenantId": { "type": "string" }, "config": { "type": "string", "title": "JSON" }, "branding": { "type": "string", "title": "JSON" } } }, "v1CreateTenantResponse": { "type": "object", "properties": { "tenantId": { "type": "string" }, "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1CreateUserRequest": { "type": "object", "properties": { "username": { "type": "string" }, "email": { "type": "string" }, "password": { "type": "string", "title": "Min 10 chars; 1 upper, 1 lower, 1 digit, 1 special" }, "tenantId": { "type": "string" }, "fullName": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" }, "accountKind": { "$ref": "#/definitions/v1AccountKind" }, "projectId": { "type": "string" }, "externalProviderId": { "type": "string" }, "externalSubject": { "type": "string" }, "profileAttributes": { "type": "object", "additionalProperties": { "type": "string" } } } }, "v1CreateUserResponse": { "type": "object", "properties": { "user": { "$ref": "#/definitions/v1User" }, "otpId": { "type": "string", "title": "Verification OTP sent to email" } } }, "v1Decision": { "type": "object", "properties": { "decisionId": { "type": "string" }, "allowed": { "type": "boolean" }, "effect": { "type": "string" }, "denyReason": { "type": "string" }, "matchedPolicyIds": { "type": "array", "items": { "type": "string" } }, "requiredScopes": { "type": "array", "items": { "type": "string" } }, "policyVersion": { "type": "string" }, "relationshipVersion": { "type": "string" }, "cacheTtlSeconds": { "type": "string", "format": "uint64" }, "auditRequired": { "type": "boolean" } } }, "v1DecisionSource": { "type": "string", "enum": [ "DECISION_SOURCE_UNSPECIFIED", "DECISION_SOURCE_ROLE_POLICY", "DECISION_SOURCE_DIRECT_POLICY", "DECISION_SOURCE_NO_MATCH" ], "default": "DECISION_SOURCE_UNSPECIFIED" }, "v1DeleteFileResponse": { "type": "object", "properties": { "success": { "type": "boolean" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1DeletePolicyRuleResponse": { "type": "object", "properties": { "deleted": { "type": "boolean" } } }, "v1DeleteRoleResponse": { "type": "object", "properties": { "deleted": { "type": "boolean" } } }, "v1DeleteWebAuthnCredentialResponse": { "type": "object", "properties": { "deleted": { "type": "boolean" } } }, "v1Device": { "type": "object", "properties": { "deviceId": { "type": "string" }, "userId": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "deviceName": { "type": "string" }, "deviceType": { "$ref": "#/definitions/v1DeviceType" }, "fingerprintHash": { "type": "string", "description": "Keyed-HMAC digest of the device fingerprint. STORAGE_ONLY." }, "lastIpMasked": { "type": "string", "description": "Source IP truncated to a network prefix (e.g. /24 or /48) — never the full\nclient IP." }, "lastUserAgentHash": { "type": "string" }, "lastSeenAt": { "type": "string", "format": "date-time" }, "createdAt": { "type": "string", "format": "date-time" }, "revokedAt": { "type": "string", "format": "date-time" }, "revokedBy": { "type": "string" } }, "description": "---------------------------------------------------------------------------\nDevice — a user's registered device for session/refresh binding (I1, I2.4).\n\nSessions and token families bind to a device; revoking a device blocks future\nrefresh + session validation for that device. The fingerprint is a keyed-HMAC\ndigest (STORAGE_ONLY); IP is stored masked and the user agent only as a hash.\n\nMigration order 23.\n---------------------------------------------------------------------------" }, "v1DeviceType": { "type": "string", "enum": [ "DEVICE_TYPE_UNSPECIFIED", "DEVICE_TYPE_WEB", "DEVICE_TYPE_API", "DEVICE_TYPE_DESKTOP", "DEVICE_TYPE_MOBILE", "DEVICE_TYPE_WORKER", "DEVICE_TYPE_CLI" ], "default": "DEVICE_TYPE_UNSPECIFIED" }, "v1DiffPolicyDraftRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "draftId": { "type": "string" }, "againstVersionId": { "type": "string", "description": "When set, diff against this version instead of the active snapshot." } } }, "v1DiffPolicyDraftResponse": { "type": "object", "properties": { "entries": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1PolicyDiffEntry" } }, "diffJson": { "type": "string", "description": "Machine-readable diff document." } } }, "v1DisableMfaFactorResponse": { "type": "object", "properties": { "disabled": { "type": "boolean" } } }, "v1DisableProviderResponse": { "type": "object", "properties": { "provider": { "$ref": "#/definitions/v1IdentityProvider" } } }, "v1DownloadFileChunk": { "type": "object", "properties": { "data": { "type": "string", "format": "byte", "description": "Raw object bytes for this frame." }, "contentType": { "type": "string", "description": "First-chunk-only object metadata (absent on subsequent chunks): the file's\ncontent type, total size in bytes, and object ETag." }, "totalSize": { "type": "string", "format": "int64" }, "etag": { "type": "string" } } }, "v1EffectivePermission": { "type": "object", "properties": { "object": { "type": "string" }, "action": { "type": "string" }, "viaRole": { "type": "string" }, "resourceType": { "type": "string" }, "domain": { "type": "string" } } }, "v1EmergencyRevokeApiKeysRequest": { "type": "object", "properties": { "keyPrefix": { "type": "string" }, "ownerId": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "scope": { "type": "string" }, "createdBefore": { "type": "string", "format": "date-time" }, "reason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } }, "description": "Emergency revoke matching keys by one or more selectors. At least one selector\nmust be set. Resolves matching records and revokes each (no prefix-only blind\nmutation): the caller's tenant/owner/admin authority is enforced per record." }, "v1EmergencyRevokeApiKeysResponse": { "type": "object", "properties": { "revokedCount": { "type": "string", "format": "int64" }, "revokedKeyIds": { "type": "array", "items": { "type": "string" } }, "operationId": { "type": "string" } } }, "v1EmergencyRevokeRequest": { "type": "object", "properties": { "signingKeyId": { "type": "string" }, "tokenFamilyId": { "type": "string" }, "tenantId": { "type": "string" }, "principalId": { "type": "string" }, "reason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } }, "description": "Emergency global revoke by signing key / token family / tenant / principal." }, "v1EmergencyRevokeResponse": { "type": "object", "properties": { "familiesRevoked": { "type": "string", "format": "int64" }, "sessionsRevoked": { "type": "string", "format": "int64" }, "keysCompromised": { "type": "string", "format": "int64" }, "operationId": { "type": "string" } } }, "v1EnrollMFAResponse": { "type": "object", "properties": { "totpSecret": { "type": "string", "description": "base32 raw secret (shown once, not stored in plaintext)", "title": "For TOTP: base32 secret + QR code URI so user can scan with authenticator app" }, "totpQrUri": { "type": "string", "title": "otpauth:// URI for QR rendering" }, "verifyOtpId": { "type": "string", "title": "OTP ID to confirm enrollment" } } }, "v1ExecutorPerformanceSummary": { "type": "object", "properties": { "summaryId": { "type": "string" }, "summaryDate": { "type": "string", "format": "date-time" }, "executorIdentity": { "type": "string" }, "workloadKind": { "type": "string" }, "totalDispatches": { "type": "string", "format": "int64" }, "successfulResults": { "type": "string", "format": "int64" }, "timeoutCount": { "type": "string", "format": "int64" }, "errorCount": { "type": "string", "format": "int64" }, "avgExecutionMs": { "type": "number", "format": "double" }, "p99ExecutionMs": { "type": "number", "format": "double" }, "avgConfidence": { "type": "number", "format": "double" }, "successRate": { "type": "number", "format": "double" }, "avgCapacityUtilisation": { "type": "number", "format": "double" }, "recordedAt": { "type": "string", "format": "date-time" } }, "description": "Daily executor performance roll-up for project-defined workers, handlers,\ndata pipelines, or backend executors." }, "v1ExplainPolicyRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "draftId": { "type": "string", "description": "Empty = explain against the active snapshot." }, "candidate": { "$ref": "#/definitions/v1PolicyDocument" }, "testCase": { "$ref": "#/definitions/v1SimulationCase" } } }, "v1ExplainPolicyResponse": { "type": "object", "properties": { "decision": { "$ref": "#/definitions/v1Decision" }, "matchedPolicyIds": { "type": "array", "items": { "type": "string" }, "description": "Ids of every policy that matched the request (post ABAC pre-filter)." }, "denyReason": { "type": "string", "description": "Human-readable deny reason (empty on allow)." }, "explanation": { "type": "array", "items": { "type": "string" }, "description": "Per-matched-policy explanation lines." } } }, "v1ExternalIdentity": { "type": "object", "properties": { "externalIdentityId": { "type": "string" }, "tenantId": { "type": "string" }, "providerId": { "type": "string" }, "subject": { "type": "string", "description": "Stable IdP subject (sub / NameID)." }, "userId": { "type": "string" }, "email": { "type": "string" }, "emailVerified": { "type": "boolean" }, "linkedAt": { "type": "string", "format": "date-time" }, "lastLoginAt": { "type": "string", "format": "date-time" }, "deletedAt": { "type": "string", "format": "date-time" } }, "description": "---------------------------------------------------------------------------\nExternalIdentity — Mapping from an IdP subject to a UDB user/principal.\n\nOne row per (tenant, provider, subject). Established at first login (JIT) or\nvia an explicit account-linking flow. RLS scopes rows to the current tenant.\n\nMigration order 11 — after identity_providers + authn users.\n---------------------------------------------------------------------------" }, "v1FieldViolation": { "type": "object", "properties": { "field": { "type": "string" }, "description": { "type": "string" } }, "description": "FieldViolation describes a single field-level validation failure." }, "v1File": { "type": "object", "properties": { "fileId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:file_id;not null\"" }, "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:tenant_id;not null\"" }, "projectId": { "type": "string", "title": "@inject_tag: gorm:\"column:project_id\"" }, "filename": { "type": "string", "title": "@inject_tag: gorm:\"column:filename;not null\"" }, "contentType": { "type": "string", "title": "@inject_tag: gorm:\"column:content_type\"" }, "sizeBytes": { "type": "string", "format": "int64", "title": "@inject_tag: gorm:\"column:size_bytes;not null\"" }, "backend": { "type": "string", "title": "@inject_tag: gorm:\"column:backend\"" }, "bucket": { "type": "string", "title": "@inject_tag: gorm:\"column:bucket\"" }, "objectKey": { "type": "string", "title": "@inject_tag: gorm:\"column:object_key;not null\"" }, "url": { "type": "string", "title": "@inject_tag: gorm:\"column:url\"" }, "cdnUrl": { "type": "string", "title": "@inject_tag: gorm:\"column:cdn_url\"" }, "fileType": { "$ref": "#/definitions/v1FileType", "title": "@inject_tag: gorm:\"column:file_type;serializer:proto_enum\"" }, "referenceId": { "type": "string", "title": "@inject_tag: gorm:\"column:reference_id\"" }, "referenceType": { "type": "string", "title": "@inject_tag: gorm:\"column:reference_type\"" }, "isPublic": { "type": "boolean", "title": "@inject_tag: gorm:\"column:is_public;not null\"" }, "status": { "$ref": "#/definitions/v1FileStatus", "title": "@inject_tag: gorm:\"column:status;not null;serializer:proto_enum\"" }, "checksum": { "type": "string", "title": "@inject_tag: gorm:\"column:checksum\"" }, "expiresAt": { "type": "string", "format": "date-time", "title": "@inject_tag: gorm:\"column:expires_at\"" }, "uploadedBy": { "type": "string", "title": "@inject_tag: gorm:\"column:uploaded_by\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" }, "deletedAt": { "type": "string", "format": "date-time" }, "deletedBy": { "type": "string" } }, "title": "File (object-storage metadata)" }, "v1FileStatus": { "type": "string", "enum": [ "FILE_STATUS_UNSPECIFIED", "FILE_STATUS_PENDING", "FILE_STATUS_ACTIVE", "FILE_STATUS_DELETED" ], "default": "FILE_STATUS_UNSPECIFIED" }, "v1FileType": { "type": "string", "enum": [ "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_IMAGE", "FILE_TYPE_VIDEO", "FILE_TYPE_AUDIO", "FILE_TYPE_PDF", "FILE_TYPE_DOCUMENT", "FILE_TYPE_ARCHIVE", "FILE_TYPE_OTHER" ], "default": "FILE_TYPE_UNSPECIFIED" }, "v1FinalizeUploadResponse": { "type": "object", "properties": { "file": { "$ref": "#/definitions/v1File" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1FinishWebAuthnAuthenticationRequest": { "type": "object", "properties": { "challengeId": { "type": "string" }, "publicKeyCredentialJson": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1FinishWebAuthnAuthenticationResponse": { "type": "object", "properties": { "principal": { "$ref": "#/definitions/coreAuthnServicesV1Principal" }, "sessionId": { "type": "string" }, "accessToken": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" }, "credentialId": { "type": "string" } } }, "v1FinishWebAuthnRegistrationRequest": { "type": "object", "properties": { "challengeId": { "type": "string" }, "publicKeyCredentialJson": { "type": "string" }, "label": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1FinishWebAuthnRegistrationResponse": { "type": "object", "properties": { "registered": { "type": "boolean" }, "credentialId": { "type": "string" }, "userId": { "type": "string" } } }, "v1ForceJwksRefreshResponse": { "type": "object", "properties": { "ok": { "type": "boolean" }, "keyCount": { "type": "integer", "format": "int32" }, "keyIds": { "type": "array", "items": { "type": "string" } }, "refreshedAt": { "type": "string", "format": "date-time" }, "status": { "type": "string" } } }, "v1ForgotPasswordRequest": { "type": "object", "properties": { "identifier": { "type": "string", "title": "username or email" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1ForgotPasswordResponse": { "type": "object", "properties": { "otpId": { "type": "string", "description": "Id of the PASSWORD_RESET OTP issued (empty when the account is unknown; the\nresponse shape is uniform so it is not an account-enumeration oracle)." }, "devOtpCode": { "type": "string", "description": "Dev-only echo of the plaintext PASSWORD_RESET OTP code, populated ONLY when the\nbroker runs with UDB_OTP_DEV_ECHO=1 (non-production posture). Empty in\nproduction. Lets conformance harnesses complete ResetPassword without a\ndelivery channel. bug_report.md F/Lane-2." } } }, "v1GenerateRecoveryCodesResponse": { "type": "object", "properties": { "codes": { "type": "array", "items": { "type": "string" }, "description": "Plaintext codes, returned exactly ONCE. Only keyed hashes are stored; any\npreviously-issued codes for the user are invalidated." }, "generated": { "type": "integer", "format": "int32" } } }, "v1GetApiKeyResponse": { "type": "object", "properties": { "key": { "$ref": "#/definitions/v1ApiKey" } } }, "v1GetApiKeyUsageStatsResponse": { "type": "object", "properties": { "stats": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ApiKeyDailyStat" } }, "totalRequests": { "type": "string", "format": "int64" } } }, "v1GetAssetResponse": { "type": "object", "properties": { "asset": { "$ref": "#/definitions/v1Asset" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetAuthzRevisionRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "projectId": { "type": "string" } } }, "v1GetAuthzRevisionResponse": { "type": "object", "properties": { "policyRevision": { "type": "string", "format": "int64" }, "relationshipRevision": { "type": "string", "format": "int64" }, "contentHash": { "type": "string" }, "changedAt": { "type": "string", "format": "date-time" } } }, "v1GetCanaryStatusRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "canaryId": { "type": "string" } } }, "v1GetCanaryStatusResponse": { "type": "object", "properties": { "canary": { "$ref": "#/definitions/v1PolicyCanary" }, "promoteEligible": { "type": "boolean", "description": "True when the success window has elapsed and the canary is ACTIVE within\nthreshold — i.e. PromoteCanary would succeed right now." }, "windowRemainingSecs": { "type": "string", "format": "int64", "description": "Seconds remaining in the success window (0 once elapsed)." } } }, "v1GetDeliveryStatsResponse": { "type": "object", "properties": { "totalSent": { "type": "string", "format": "int64" }, "totalDelivered": { "type": "string", "format": "int64" }, "totalFailed": { "type": "string", "format": "int64" }, "overallDeliveryRate": { "type": "number", "format": "double" }, "byChannel": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ChannelStats" } } } }, "v1GetDownloadUrlResponse": { "type": "object", "properties": { "downloadUrl": { "type": "string" }, "expiresAt": { "type": "string", "format": "date-time" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetExecutorPerformanceResponse": { "type": "object", "properties": { "summaries": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ExecutorPerformanceSummary" } } } }, "v1GetFileResponse": { "type": "object", "properties": { "file": { "$ref": "#/definitions/v1File" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetJwksResponse": { "type": "object", "properties": { "jwksJson": { "type": "string", "title": "RFC 7517 JWK Set document for verifying UDB-issued JWTs" } } }, "v1GetMfaPolicyResponse": { "type": "object", "properties": { "tenantId": { "type": "string" }, "requireMfa": { "type": "boolean" } } }, "v1GetNotificationResponse": { "type": "object", "properties": { "log": { "$ref": "#/definitions/v1NotificationLog" } } }, "v1GetPeerResponse": { "type": "object", "properties": { "peer": { "$ref": "#/definitions/v1Peer" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetPipelineDefinitionResponse": { "type": "object", "properties": { "definition": { "$ref": "#/definitions/v1PipelineDefinition" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetPipelineResponse": { "type": "object", "properties": { "instance": { "$ref": "#/definitions/v1PipelineInstance" }, "steps": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1PipelineStep" } }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetPipelineSummaryResponse": { "type": "object", "properties": { "snapshots": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1PipelineMetricSnapshot" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1GetPolicyRuleResponse": { "type": "object", "properties": { "policy": { "$ref": "#/definitions/v1PolicyRule" } } }, "v1GetPreferenceResponse": { "type": "object", "properties": { "preference": { "$ref": "#/definitions/v1NotificationPreference" } } }, "v1GetProviderResponse": { "type": "object", "properties": { "provider": { "$ref": "#/definitions/v1IdentityProvider" } } }, "v1GetReconciliationAnalyticsResponse": { "type": "object", "properties": { "summaries": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ReconciliationAnalyticsSummary" } }, "overallResolutionRate": { "type": "number", "format": "double" }, "avgReconciliationMs": { "type": "number", "format": "double" } } }, "v1GetResourcesResponse": { "type": "object", "properties": { "resources": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Resource" } }, "versionInfo": { "type": "string", "description": "Aggregate content version for the returned set (the version-of-the-world)." }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1GetRoleResponse": { "type": "object", "properties": { "role": { "$ref": "#/definitions/v1Role" } } }, "v1GetRoomResponse": { "type": "object", "properties": { "room": { "$ref": "#/definitions/v1Room" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetSessionResponse": { "type": "object", "properties": { "session": { "$ref": "#/definitions/v1Session" } } }, "v1GetSlaComplianceResponse": { "type": "object", "properties": { "entries": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1SlaComplianceEntry" } }, "overallP99ComplianceRate": { "type": "number", "format": "double" }, "overallErrorRateComplianceRate": { "type": "number", "format": "double" } } }, "v1GetTemplateResponse": { "type": "object", "properties": { "template": { "$ref": "#/definitions/v1NotificationTemplate" } } }, "v1GetTenantConfigResponse": { "type": "object", "properties": { "configs": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1TenantConfig" } }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetTenantResponse": { "type": "object", "properties": { "tenant": { "$ref": "#/definitions/v1Tenant" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1GetThroughputResponse": { "type": "object", "properties": { "avgRps": { "type": "number", "format": "double" }, "peakRps": { "type": "number", "format": "double" }, "totalRequests": { "type": "string", "format": "int64" }, "overallSuccessRate": { "type": "number", "format": "double" } } }, "v1GetUserResponse": { "type": "object", "properties": { "user": { "$ref": "#/definitions/v1User" } } }, "v1GovernanceActor": { "type": "object", "properties": { "subject": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "scopes": { "type": "array", "items": { "type": "string" } }, "roles": { "type": "array", "items": { "type": "string" } }, "breakGlass": { "type": "boolean", "description": "Break-glass: when set, a short-TTL emergency bypass with a recorded reason." }, "breakGlassReason": { "type": "string" }, "breakGlassExpiresAtUnix": { "type": "string", "format": "int64" } }, "description": "The governance actor whose authorization is checked under\n`native.authz.governance` for every governance mutation. The AUTHORITATIVE\ncaller identity and scopes come from the verified claim (the bearer token),\nNOT from this message. The `subject` / `scopes` / `roles` fields here are\naccepted ONLY as cross-tenant-admin / impersonation TARGET hints; they never\ngrant capability and are ignored for authorizing the caller. The\n`break_glass*` fields below are the only authoritative body fields on this\nmessage (a short-TTL emergency bypass with a recorded reason)." }, "v1IceServer": { "type": "object", "properties": { "urls": { "type": "array", "items": { "type": "string" } }, "username": { "type": "string" }, "credential": { "type": "string" } } }, "v1IdentityProvider": { "type": "object", "properties": { "providerId": { "type": "string" }, "tenantId": { "type": "string" }, "kind": { "$ref": "#/definitions/v1IdpKind" }, "displayName": { "type": "string" }, "issuer": { "type": "string", "description": "OIDC issuer URL." }, "entityId": { "type": "string", "description": "SAML entity id (a.k.a. IdP entityID)." }, "jwksUrl": { "type": "string" }, "samlMetadataUrl": { "type": "string" }, "clientIdsJson": { "type": "string", "description": "JSON array of accepted OIDC client_ids for this provider." }, "audiencesJson": { "type": "string", "description": "JSON array of accepted token audiences." }, "claimMappingJson": { "type": "string", "description": "claim_mapping: maps IdP claims → UDB principal fields (subject, email, ...)." }, "groupMappingJson": { "type": "string", "description": "group_mapping: maps IdP groups → UDB roles (the ONLY way groups grant roles)." }, "jitPolicyJson": { "type": "string", "description": "jit_policy: JIT provisioning rules (allowed_domains, require_verified_email,\ndefault_project, default_roles, ...)." }, "accountLinkingPolicy": { "type": "string", "description": "account_linking_policy: how an external identity is linked to a UDB user\nwhen the email already exists (e.g. \"explicit\", \"auto_verified\", \"deny\")." }, "enabled": { "type": "boolean" }, "clientSecret": { "type": "string", "description": "Operator-supplied client secret (OIDC confidential clients / SCIM bearer).\nStorage-only + encrypted: never returned on read, redacted in logs/events." }, "samlSigningKeyPem": { "type": "string", "description": "SP-side private key (PEM) for SAML AuthnRequest signing. Storage-only." }, "samlIdpCertsJson": { "type": "string", "description": "IdP signing certificate(s) (PEM, JSON array) imported from SAML metadata —\nused to verify assertion signatures. Public material, not secret." }, "samlSsoUrl": { "type": "string", "description": "SAML SingleSignOnService location (redirect/POST binding URL)." }, "health": { "$ref": "#/definitions/v1ProviderHealth", "title": "── Provider health (J2.1) ────────────────────────────────────────────────" }, "lastJwksRefreshAt": { "type": "string", "format": "date-time" }, "lastJwksRefreshStatus": { "type": "string" }, "createdBy": { "type": "string", "title": "── Audit (J4: changes are audited + rollbackable) ────────────────────────" }, "updatedBy": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "deletedAt": { "type": "string", "format": "date-time" } }, "description": "---------------------------------------------------------------------------\nIdentityProvider — Tenant-scoped SSO/identity provider configuration.\n\nOne row per (tenant, provider). The kind determines which fields are\nmeaningful: OIDC uses issuer/jwks_url/client_ids/audiences; SAML uses\nentity_id/saml_metadata_url. claim/group/jit mappings are JSON-encoded\npolicies consumed by the IdP runtime. RLS scopes rows to the current tenant.\n\nMigration order 10 — after the authn tables so external identities can FK to\nusers; before SCIM directory state.\n---------------------------------------------------------------------------" }, "v1IdpKind": { "type": "string", "enum": [ "IDP_KIND_UNSPECIFIED", "IDP_KIND_NATIVE", "IDP_KIND_OIDC", "IDP_KIND_SAML", "IDP_KIND_LDAP", "IDP_KIND_CUSTOM_JWT", "IDP_KIND_EXTERNAL_SESSION" ], "default": "IDP_KIND_UNSPECIFIED", "description": "Kind of identity provider configured for a tenant.\n\n - IDP_KIND_NATIVE: UDB native password/MFA\n - IDP_KIND_OIDC: OpenID Connect (discovery + JWKS)\n - IDP_KIND_SAML: SAML 2.0 web SSO\n - IDP_KIND_LDAP: LDAP / Active Directory bind\n - IDP_KIND_CUSTOM_JWT: Bring-your-own signed JWT (jwks_url + claims)\n - IDP_KIND_EXTERNAL_SESSION: Upstream session handed off to UDB" }, "v1ImportSamlMetadataResponse": { "type": "object", "properties": { "entityId": { "type": "string" }, "ssoUrl": { "type": "string" }, "certCount": { "type": "integer", "format": "int32" }, "provider": { "$ref": "#/definitions/v1IdentityProvider" } } }, "v1IntrospectTokenRequest": { "type": "object", "properties": { "token": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1IntrospectTokenResponse": { "type": "object", "properties": { "active": { "type": "boolean" }, "subject": { "type": "string" }, "tenantId": { "type": "string" }, "serviceIdentity": { "type": "string" }, "scopes": { "type": "array", "items": { "type": "string" } }, "expiresAtUnix": { "type": "string", "format": "int64" }, "keyId": { "type": "string", "description": "Real introspection metadata (Phase 3 / I2.1).\n\nkid of the signing key that produced the token" }, "tokenType": { "type": "string", "title": "jwt_access | jwt_refresh | session | api_key" }, "sessionId": { "type": "string", "title": "issuing session handle, when present" }, "revocationReason": { "type": "string", "title": "populated when active=false due to revocation" } } }, "v1InvalidatePolicyBundlesRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "reason": { "type": "string" } } }, "v1InvalidatePolicyBundlesResponse": { "type": "object", "properties": { "ok": { "type": "boolean" }, "policyRevision": { "type": "string", "format": "int64" }, "relationshipRevision": { "type": "string", "format": "int64" } } }, "v1IssueCredentialsRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "roomId": { "type": "string" }, "peerId": { "type": "string" }, "ttlSeconds": { "type": "integer", "format": "int32" } } }, "v1IssueCredentialsResponse": { "type": "object", "properties": { "iceServers": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1IceServer" } }, "username": { "type": "string" }, "credential": { "type": "string" }, "ttlSeconds": { "type": "integer", "format": "int32" }, "expiresAt": { "type": "string", "format": "date-time" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" }, "allowedAction": { "type": "string", "description": "The action bound into the signed TURN REST username. Credentials issued by\nthis RPC authorize media relay only, not arbitrary WebRTC control-plane RPCs." } } }, "v1IssueMfaChallengeRequest": { "type": "object", "properties": { "userId": { "type": "string" }, "factorKind": { "$ref": "#/definitions/v1AuthFactorKind" }, "purpose": { "$ref": "#/definitions/v1MfaChallengePurpose" }, "deviceFingerprint": { "type": "string" }, "ipAddress": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1IssueMfaChallengeResponse": { "type": "object", "properties": { "challengeId": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" }, "factorKind": { "$ref": "#/definitions/v1AuthFactorKind" } } }, "v1JoinRoomResponse": { "type": "object", "properties": { "peer": { "$ref": "#/definitions/v1Peer" }, "existingPeers": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Peer" } }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1LeaveRoomResponse": { "type": "object", "properties": { "success": { "type": "boolean" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1LinkIdentityRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "providerId": { "type": "string" }, "subject": { "type": "string" }, "userId": { "type": "string" }, "email": { "type": "string" }, "emailVerified": { "type": "boolean" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } }, "description": "Explicitly link an IdP subject to an existing UDB user." }, "v1LinkIdentityResponse": { "type": "object", "properties": { "identity": { "$ref": "#/definitions/v1ExternalIdentity" } } }, "v1LintAuthzPoliciesRequest": { "type": "object" }, "v1LintAuthzPoliciesResponse": { "type": "object", "properties": { "findings": { "type": "array", "items": { "type": "string" } } } }, "v1ListAccessDecisionAuditsResponse": { "type": "object", "properties": { "audits": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1AccessDecisionAudit" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListApiKeysResponse": { "type": "object", "properties": { "keys": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ApiKey" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListAssetsResponse": { "type": "object", "properties": { "assets": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Asset" } }, "totalCount": { "type": "integer", "format": "int32" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1ListDevicesResponse": { "type": "object", "properties": { "devices": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Device" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListExternalIdentitiesResponse": { "type": "object", "properties": { "identities": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ExternalIdentity" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListFilesResponse": { "type": "object", "properties": { "files": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1File" } }, "totalCount": { "type": "integer", "format": "int32" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1ListMfaFactorsResponse": { "type": "object", "properties": { "factors": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1MfaFactorSummary" } } } }, "v1ListNodeStatesResponse": { "type": "object", "properties": { "nodeStates": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1NodeAckState" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListNotificationsResponse": { "type": "object", "properties": { "logs": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1NotificationLog" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListPeersResponse": { "type": "object", "properties": { "peers": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Peer" } }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1ListPolicyRulesResponse": { "type": "object", "properties": { "policies": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1PolicyRule" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListPolicyVersionsRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "policySetId": { "type": "string" }, "state": { "$ref": "#/definitions/v1PolicyVersionState" }, "page": { "$ref": "#/definitions/v1PageRequest" } } }, "v1ListPolicyVersionsResponse": { "type": "object", "properties": { "versions": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1PolicyVersion" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListPreferencesResponse": { "type": "object", "properties": { "preferences": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1NotificationPreference" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListProvidersResponse": { "type": "object", "properties": { "providers": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1IdentityProvider" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListRolesResponse": { "type": "object", "properties": { "roles": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Role" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListRoomsResponse": { "type": "object", "properties": { "rooms": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Room" } }, "totalCount": { "type": "integer", "format": "int32" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1ListSessionsResponse": { "type": "object", "properties": { "sessions": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Session" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListTemplatesResponse": { "type": "object", "properties": { "templates": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1NotificationTemplate" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListTenantsResponse": { "type": "object", "properties": { "tenants": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Tenant" } }, "totalCount": { "type": "integer", "format": "int32" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1ListTracksResponse": { "type": "object", "properties": { "tracks": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1Track" } }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1ListUserPermissionsResponse": { "type": "object", "properties": { "permissions": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1EffectivePermission" } } } }, "v1ListUserRolesResponse": { "type": "object", "properties": { "userRoles": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1UserRole" } } } }, "v1ListUsersResponse": { "type": "object", "properties": { "users": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1User" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ListWebAuthnCredentialsResponse": { "type": "object", "properties": { "credentials": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1WebAuthnCredentialSummary" } } } }, "v1LoginRequest": { "type": "object", "properties": { "username": { "type": "string" }, "password": { "type": "string" }, "deviceType": { "$ref": "#/definitions/v1DeviceType" }, "deviceName": { "type": "string", "title": "human-readable" }, "ipAddress": { "type": "string", "title": "forwarded by gateway" }, "userAgent": { "type": "string" }, "deviceId": { "type": "string", "title": "client device fingerprint (optional; for JWT device binding)" }, "mfaOtpId": { "type": "string", "description": "MFA step-2 fields — set on the second Login call after receiving mfa_required=true.\nThe password (first factor) is ALWAYS verified; these only supply the second\nfactor and never substitute for it. Provide totp_code for an authenticator app,\nor mfa_otp_id plus the one-time code (carried in totp_code) for a LOGIN_2FA\nemail/SMS code previously issued to this same user.\n\nid of a LOGIN_2FA OTP issued to this user (email/SMS second factor)" }, "totpCode": { "type": "string", "title": "6-digit TOTP code, or the one-time code when mfa_otp_id is set" }, "tenantHint": { "type": "string" }, "projectHint": { "type": "string" }, "accessSurface": { "type": "string" }, "recoveryCode": { "type": "string", "title": "single-use MFA recovery/backup code (alternative second factor)" } } }, "v1LoginResponse": { "type": "object", "properties": { "userId": { "type": "string" }, "sessionId": { "type": "string" }, "accessToken": { "type": "string", "title": "JWT fields (only when device_type != WEB)" }, "refreshToken": { "type": "string" }, "accessTokenExpiresIn": { "type": "integer", "format": "int32", "title": "seconds" }, "sessionToken": { "type": "string", "title": "Server-side session fields (only when device_type = WEB)\nsession_token returned to gateway which sets it as HttpOnly cookie" }, "csrfToken": { "type": "string", "title": "injected into a readable cookie" }, "mfaRequired": { "type": "boolean", "title": "true = client must re-call Login with password + second factor" }, "mfaOtpId": { "type": "string", "title": "reserved for a future server-issued MFA challenge id (currently empty)" }, "refreshTokenExpiresIn": { "type": "integer", "format": "int32", "description": "Absolute lifetime (seconds) of the rotating refresh token (field 4). The\nrefresh token is a token-family credential (rt_\u003cfamily\u003e.\u003cjti\u003e), rotated on\nevery RefreshToken call; reuse of a superseded value revokes the family." } } }, "v1LogoutRequest": { "type": "object", "properties": { "sessionId": { "type": "string" }, "allSessions": { "type": "boolean", "title": "if true, revoke all sessions for this user" }, "revokeReason": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1LogoutResponse": { "type": "object", "properties": { "sessionsRevoked": { "type": "integer", "format": "int32" } } }, "v1MfaChallengePurpose": { "type": "string", "enum": [ "MFA_CHALLENGE_PURPOSE_UNSPECIFIED", "MFA_CHALLENGE_PURPOSE_LOGIN_STEP_UP", "MFA_CHALLENGE_PURPOSE_SENSITIVE_OPERATION", "MFA_CHALLENGE_PURPOSE_ENROLLMENT", "MFA_CHALLENGE_PURPOSE_RECOVERY" ], "default": "MFA_CHALLENGE_PURPOSE_UNSPECIFIED", "description": "Purpose a step-up MFA challenge is issued for. Binds the challenge record to\nthe operation that requested it so a challenge minted for login cannot be\nreplayed to authorize a sensitive mutation." }, "v1MfaFactorSummary": { "type": "object", "properties": { "factorKind": { "$ref": "#/definitions/v1AuthFactorKind" }, "enabled": { "type": "boolean" }, "label": { "type": "string" } } }, "v1MigrateLegacyPoliciesRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "apply": { "type": "boolean", "description": "When true, write a governed draft; when false, only produce the report." }, "policySetName": { "type": "string" } } }, "v1MigrateLegacyPoliciesResponse": { "type": "object", "properties": { "draft": { "$ref": "#/definitions/v1PolicyDraft", "description": "Draft created when apply=true (empty otherwise)." }, "diff": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1PolicyDiffEntry" }, "description": "Migration diff report (added/removed/changed)." }, "simulation": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1SimulationResult" }, "description": "Per-sample-case simulation report proving parity." }, "reportJson": { "type": "string" } } }, "v1MuteTrackResponse": { "type": "object", "properties": { "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1NativeAccessGrant": { "type": "object", "properties": { "dsn": { "type": "string", "description": "Connection string scoped to the restricted role. Secret — redact in logs." }, "role": { "type": "string", "description": "Restricted database role the DSN authenticates as." }, "backend": { "type": "string" }, "database": { "type": "string" }, "schema": { "type": "string" }, "sessionVariables": { "type": "object", "additionalProperties": { "type": "string" }, "description": "`app.current_*` session variables the caller must apply per transaction\n(`SET LOCAL`) so broker RLS policies see the same context the broker did." }, "expiresAtUnix": { "type": "string", "format": "int64" }, "ttlSeconds": { "type": "string", "format": "uint64" } }, "description": "The minted native-access contract. Present only when the embedded\n`Decision` allowed the request." }, "v1NativeAccessRequest": { "type": "object", "properties": { "principal": { "$ref": "#/definitions/coreAuthzServicesV1Principal" }, "sessionId": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "resource": { "$ref": "#/definitions/v1ResourceRef" }, "action": { "type": "string" }, "purpose": { "type": "string" }, "requestedScopes": { "type": "array", "items": { "type": "string" } }, "context": { "$ref": "#/definitions/v1AccessContext" }, "backend": { "type": "string", "description": "Requested backend (default \"postgres\"); other backends are reserved." }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } } }, "description": "`GetNativeAccess` runs the same `Authorize` decision and, when allowed,\nmints a short-lived contract for the caller to talk to the backend\ndirectly: a restricted role, a scoped DSN, and the exact set of\n`app.current_*` session variables the SDK must `SET LOCAL` so the\nbroker-generated RLS policies still apply. UDB stays the source of the\nauthorization decision; the native grant only carries it forward.", "title": "── Stage 2: native database fast-path access ──────────────────────────────" }, "v1NativeAccessResponse": { "type": "object", "properties": { "decision": { "$ref": "#/definitions/v1Decision" }, "grant": { "$ref": "#/definitions/v1NativeAccessGrant" } } }, "v1NodeAckState": { "type": "object", "properties": { "nodeId": { "type": "string" }, "resourceType": { "$ref": "#/definitions/v1ResourceType" }, "subscribedNames": { "type": "array", "items": { "type": "string" } }, "acceptedVersion": { "type": "string" }, "lastGoodVersion": { "type": "string" }, "lastResponseNonce": { "type": "string" }, "nackErrorDetail": { "type": "string" }, "inSync": { "type": "boolean", "description": "True when the node's accepted_version matches the current version-of-world." }, "updatedAt": { "type": "string", "format": "date-time" } }, "description": "Admin-visible projection of one ControlPlaneNodeState row." }, "v1NotificationChannel": { "type": "string", "enum": [ "NOTIFICATION_CHANNEL_UNSPECIFIED", "NOTIFICATION_CHANNEL_EMAIL", "NOTIFICATION_CHANNEL_SMS", "NOTIFICATION_CHANNEL_PUSH", "NOTIFICATION_CHANNEL_IN_APP", "NOTIFICATION_CHANNEL_WEBHOOK" ], "default": "NOTIFICATION_CHANNEL_UNSPECIFIED", "title": "- NOTIFICATION_CHANNEL_PUSH: Mobile push via FCM/APNs\n - NOTIFICATION_CHANNEL_IN_APP: In-app notification bell\n - NOTIFICATION_CHANNEL_WEBHOOK: Outbound HTTP webhook" }, "v1NotificationLog": { "type": "object", "properties": { "logId": { "type": "string" }, "templateId": { "type": "string" }, "eventType": { "type": "string" }, "channel": { "$ref": "#/definitions/v1NotificationChannel" }, "recipientId": { "type": "string" }, "recipientAddress": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "resourceType": { "type": "string" }, "resourceId": { "type": "string" }, "resourceName": { "type": "string" }, "correlationId": { "type": "string" }, "status": { "$ref": "#/definitions/v1NotificationStatus" }, "errorMessage": { "type": "string" }, "providerMessageId": { "type": "string" }, "retryCount": { "type": "integer", "format": "int32" }, "sentAt": { "type": "string", "format": "date-time" }, "deliveredAt": { "type": "string", "format": "date-time" }, "createdAt": { "type": "string", "format": "date-time" }, "renderedSubject": { "type": "string" }, "renderedBody": { "type": "string" } } }, "v1NotificationPreference": { "type": "object", "properties": { "preferenceId": { "type": "string" }, "userId": { "type": "string" }, "tenantId": { "type": "string" }, "channel": { "$ref": "#/definitions/v1NotificationChannel" }, "eventType": { "type": "string", "description": "Empty string = channel-wide opt-out; non-empty = opt-out of specific event type." }, "isOptedOut": { "type": "boolean" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "createdBy": { "type": "string" } } }, "v1NotificationStatus": { "type": "string", "enum": [ "NOTIFICATION_STATUS_UNSPECIFIED", "NOTIFICATION_STATUS_PENDING", "NOTIFICATION_STATUS_SENT", "NOTIFICATION_STATUS_DELIVERED", "NOTIFICATION_STATUS_FAILED", "NOTIFICATION_STATUS_SUPPRESSED" ], "default": "NOTIFICATION_STATUS_UNSPECIFIED", "title": "- NOTIFICATION_STATUS_SUPPRESSED: Rate-limited or user preference suppressed" }, "v1NotificationTemplate": { "type": "object", "properties": { "templateId": { "type": "string" }, "eventType": { "type": "string", "description": "Machine code such as RESOURCE_CREATED, SLA_BREACH_WARNING, REVIEW_ASSIGNED.\nHybrid uniqueness: (event_type, channel, tenant_id). A tenant override and the\nglobal default (tenant_id NULL) for the same (event_type, channel) coexist;\nresolution prefers the per-tenant row over the global default. The unique\nindex stays on (event_type, channel) for now (global dedupe); when a\nper-tenant write path lands, split into partial unique indexes keyed on\ntenant_id IS NULL vs IS NOT NULL." }, "channel": { "$ref": "#/definitions/v1NotificationChannel" }, "subjectTemplate": { "type": "string" }, "bodyTemplate": { "type": "string" }, "locale": { "type": "string" }, "isActive": { "type": "boolean" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "deletedAt": { "type": "string", "format": "date-time" }, "createdBy": { "type": "string" }, "deletedBy": { "type": "string" }, "tenantId": { "type": "string", "description": "NULLABLE: NULL = platform-global default template; non-null = per-tenant override." } } }, "v1OTPType": { "type": "string", "enum": [ "OTP_TYPE_UNSPECIFIED", "OTP_TYPE_EMAIL_VERIFICATION", "OTP_TYPE_LOGIN_2FA", "OTP_TYPE_PASSWORD_RESET", "OTP_TYPE_SENSITIVE_OPERATION", "OTP_TYPE_PHONE_VERIFICATION" ], "default": "OTP_TYPE_UNSPECIFIED", "description": " - OTP_TYPE_EMAIL_VERIFICATION: New account email confirmation\n - OTP_TYPE_LOGIN_2FA: Login second-factor (email OTP)\n - OTP_TYPE_PASSWORD_RESET: Password reset\n - OTP_TYPE_SENSITIVE_OPERATION: Step-up auth for a protected action.\n - OTP_TYPE_PHONE_VERIFICATION: Phone-number confirmation via SMS OTP." }, "v1PageRequest": { "type": "object", "properties": { "page": { "type": "integer", "format": "int32" }, "pageSize": { "type": "integer", "format": "int32" }, "pageToken": { "type": "string" } } }, "v1PageResponse": { "type": "object", "properties": { "page": { "type": "integer", "format": "int32" }, "pageSize": { "type": "integer", "format": "int32" }, "totalItems": { "type": "string", "format": "int64" }, "totalPages": { "type": "integer", "format": "int32" }, "nextPageToken": { "type": "string" }, "totalCount": { "type": "string", "format": "int64" }, "hasNext": { "type": "boolean" }, "hasPrevious": { "type": "boolean" } } }, "v1Peer": { "type": "object", "properties": { "peerId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:peer_id;not null\"" }, "roomId": { "type": "string", "title": "@inject_tag: gorm:\"column:room_id;not null\"" }, "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:tenant_id;not null\"" }, "displayName": { "type": "string", "title": "@inject_tag: gorm:\"column:display_name\"" }, "state": { "$ref": "#/definitions/v1PeerState", "title": "@inject_tag: gorm:\"column:state;not null;serializer:proto_enum\"" }, "metadata": { "type": "string", "title": "@inject_tag: gorm:\"column:metadata\"" }, "userAgent": { "type": "string", "title": "@inject_tag: gorm:\"column:user_agent\"" }, "joinedAt": { "type": "string", "format": "date-time" }, "leftAt": { "type": "string", "format": "date-time" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" }, "deletedAt": { "type": "string", "format": "date-time" }, "deletedBy": { "type": "string" } }, "description": "Peer: a participant connection within a room." }, "v1PeerState": { "type": "string", "enum": [ "PEER_STATE_UNSPECIFIED", "PEER_STATE_NEW", "PEER_STATE_CONNECTING", "PEER_STATE_CONNECTED", "PEER_STATE_DISCONNECTED", "PEER_STATE_FAILED", "PEER_STATE_CLOSED" ], "default": "PEER_STATE_UNSPECIFIED" }, "v1PermissionCheck": { "type": "object", "properties": { "object": { "type": "string" }, "action": { "type": "string" } } }, "v1PipelineDefinition": { "type": "object", "properties": { "definitionId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:definition_id;not null\"" }, "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:tenant_id;not null\"" }, "name": { "type": "string", "title": "@inject_tag: gorm:\"column:name;not null\"" }, "description": { "type": "string", "title": "@inject_tag: gorm:\"column:description\"" }, "mediaType": { "type": "string", "title": "@inject_tag: gorm:\"column:media_type\"" }, "steps": { "type": "string", "title": "@inject_tag: gorm:\"column:steps;not null\"" }, "version": { "type": "integer", "format": "int32", "title": "@inject_tag: gorm:\"column:version;not null\"" }, "status": { "type": "string", "title": "@inject_tag: gorm:\"column:status;not null\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" } }, "description": "PipelineDefinition is a reusable, versioned processing-pipeline template." }, "v1PipelineInstance": { "type": "object", "properties": { "instanceId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:instance_id;not null\"" }, "definitionId": { "type": "string", "title": "@inject_tag: gorm:\"column:definition_id;not null\"" }, "assetId": { "type": "string", "title": "@inject_tag: gorm:\"column:asset_id;not null\"" }, "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:tenant_id;not null\"" }, "status": { "$ref": "#/definitions/v1PipelineStatus", "title": "@inject_tag: gorm:\"column:status;not null;serializer:proto_enum\"" }, "currentStep": { "type": "string", "title": "@inject_tag: gorm:\"column:current_step\"" }, "context": { "type": "string", "title": "@inject_tag: gorm:\"column:context\"" }, "correlationId": { "type": "string", "title": "@inject_tag: gorm:\"column:correlation_id\"" }, "startedAt": { "type": "string", "format": "date-time", "title": "@inject_tag: gorm:\"column:started_at\"" }, "completedAt": { "type": "string", "format": "date-time", "title": "@inject_tag: gorm:\"column:completed_at\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" } }, "description": "PipelineInstance is a single execution of a PipelineDefinition against an Asset." }, "v1PipelineMetricSnapshot": { "type": "object", "properties": { "snapshotId": { "type": "string" }, "snapshotHour": { "type": "string", "format": "date-time", "title": "ISO 8601 truncated to the hour: 2025-07-15T14:00:00Z" }, "stageName": { "type": "string" }, "tenantId": { "type": "string" }, "totalRequests": { "type": "string", "format": "int64" }, "successful": { "type": "string", "format": "int64" }, "failed": { "type": "string", "format": "int64" }, "p50LatencyMs": { "type": "number", "format": "double" }, "p95LatencyMs": { "type": "number", "format": "double" }, "p99LatencyMs": { "type": "number", "format": "double" }, "avgLatencyMs": { "type": "number", "format": "double" }, "errorRate": { "type": "number", "format": "double" }, "throughputRps": { "type": "number", "format": "double" }, "recordedAt": { "type": "string", "format": "date-time" } } }, "v1PipelineStatus": { "type": "string", "enum": [ "PIPELINE_STATUS_UNSPECIFIED", "PIPELINE_STATUS_PENDING", "PIPELINE_STATUS_RUNNING", "PIPELINE_STATUS_COMPLETED", "PIPELINE_STATUS_FAILED" ], "default": "PIPELINE_STATUS_UNSPECIFIED" }, "v1PipelineStep": { "type": "object", "properties": { "stepId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:step_id;not null\"" }, "instanceId": { "type": "string", "title": "@inject_tag: gorm:\"column:instance_id;not null\"" }, "tenantId": { "type": "string", "description": "Denormalized from the owning pipeline_instance so the tenant RLS policy can\nfilter steps directly (steps are created by the service from the instance).\n\n@inject_tag: gorm:\"column:tenant_id;not null\"" }, "stepName": { "type": "string", "title": "@inject_tag: gorm:\"column:step_name;not null\"" }, "stepType": { "$ref": "#/definitions/v1StepType", "title": "@inject_tag: gorm:\"column:step_type;not null;serializer:proto_enum\"" }, "status": { "$ref": "#/definitions/v1StepStatus", "title": "@inject_tag: gorm:\"column:status;not null;serializer:proto_enum\"" }, "result": { "type": "string", "title": "@inject_tag: gorm:\"column:result\"" }, "error": { "type": "string", "title": "@inject_tag: gorm:\"column:error\"" }, "retryCount": { "type": "integer", "format": "int32", "title": "@inject_tag: gorm:\"column:retry_count;not null\"" }, "startedAt": { "type": "string", "format": "date-time", "title": "@inject_tag: gorm:\"column:started_at\"" }, "completedAt": { "type": "string", "format": "date-time", "title": "@inject_tag: gorm:\"column:completed_at\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" } }, "description": "PipelineStep is one executable unit within a PipelineInstance." }, "v1PolicyApproval": { "type": "object", "properties": { "approvalId": { "type": "string" }, "draftId": { "type": "string" }, "tenantId": { "type": "string" }, "actor": { "type": "string" }, "role": { "type": "string" }, "decision": { "type": "string" }, "reason": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" } }, "description": "A single reviewer/approver decision recorded against a PolicyDraft (Phase K\ndraft/approval workflow). Separation of duties is enforced in the handler: the\ndraft author cannot record an APPROVE decision (author != approver). Each row\nis one actor's REVIEWER/APPROVER decision with a mandatory reason.\n\n⚠️ CROSS-SESSION: field set reconstructed to EXACTLY match the governance\nsession's `governance_store.rs::load_approval` struct literal (the source of\ntruth). The governance-session owner should confirm / restore their canonical\nfile." }, "v1PolicyApprovalResponse": { "type": "object", "properties": { "draft": { "$ref": "#/definitions/v1PolicyDraft" }, "approval": { "$ref": "#/definitions/v1PolicyApproval" }, "version": { "$ref": "#/definitions/v1PolicyVersion", "description": "The promoted version, present once the draft is approved." } } }, "v1PolicyBundleRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "domain": { "type": "string" } }, "description": "`GetPolicyBundle` serializes the live authorization snapshot (policies,\nrole bindings, relationship tuples) and signs it so an SDK can cache it\nand answer `can()` locally without a round-trip, while still being able\nto verify the bundle was issued by UDB and has not expired.", "title": "── Stage 2: signed policy bundles for local SDK authorization caches ───────" }, "v1PolicyBundleResponse": { "type": "object", "properties": { "bundle": { "$ref": "#/definitions/v1SignedPolicyBundle" } } }, "v1PolicyCanary": { "type": "object", "properties": { "canaryId": { "type": "string" }, "policySetId": { "type": "string" }, "policyVersionId": { "type": "string" }, "scopeKind": { "$ref": "#/definitions/v1CanaryScopeKind" }, "scopeValues": { "type": "string", "description": "For NODE/TENANT: the list of in-scope ids. For PERCENT: a single-element\nlist whose value is the integer percentage (1..=100)." }, "state": { "$ref": "#/definitions/v1CanaryState" }, "startedAt": { "type": "string", "format": "date-time" }, "successWindowSecs": { "type": "string", "format": "int64", "description": "The evaluator waits at least this long before declaring success." }, "metricThreshold": { "type": "number", "format": "double", "description": "The success metric breach threshold (e.g. fractional authz deny/error rate).\nA measured value strictly greater than this inside the window auto-rolls back." }, "createdBy": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "minSamples": { "type": "string", "format": "int64", "description": "Minimum sample count required for a conclusive evaluation. Below this the\ncanary PAUSES instead of promoting or rolling back." }, "rollbackVersionId": { "type": "string", "description": "The version a rollback restores to (the policy set's active version at\ncanary-creation time). Recorded so auto-rollback is deterministic." }, "outcomeReason": { "type": "string", "description": "Why the canary left ACTIVE (breach reason, 'promoted', 'inconclusive')." }, "revision": { "type": "string", "format": "int64" } }, "description": "A progressive-rollout canary: a `PolicyVersion` exposed to a SUBSET of the\nfleet (by node id, tenant id, or percentage) and watched by a metric-based\nevaluator before fleet-wide promotion. If the success metric breaches\n`metric_threshold` within `success_window_secs`, the canary auto-rolls back\nto the policy set's prior version BEFORE fleet-wide impact; if the window\npasses within threshold it becomes promote-eligible; if samples are\ninsufficient it pauses. Every state transition is audited." }, "v1PolicyDiffEntry": { "type": "object", "properties": { "change": { "type": "string", "title": "\"added\" | \"removed\" | \"changed\"" }, "kind": { "type": "string", "title": "\"policy\" | \"role_binding\" | \"relationship_tuple\"" }, "id": { "type": "string" }, "beforeJson": { "type": "string" }, "afterJson": { "type": "string" } } }, "v1PolicyDocument": { "type": "object", "properties": { "policies": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1AuthzPolicyRecord" } }, "roleBindings": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1RoleBinding" } }, "relationshipTuples": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1RelationshipTuple" } } }, "description": "A candidate policy document the governance APIs operate on (drafts and\nsimulations). Unifies the full field richness of CreatePolicyRule and\nPutAuthzPolicy (role, purpose, relationship, priority, required scopes,\nconditions, tenant, project, domain) so every governed surface is parity." }, "v1PolicyDraft": { "type": "object", "properties": { "draftId": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "title": { "type": "string" }, "description": { "type": "string" }, "proposedPoliciesJson": { "type": "string" }, "proposedTuplesJson": { "type": "string" }, "baseVersionId": { "type": "string" }, "status": { "type": "string" }, "author": { "type": "string" }, "highRisk": { "type": "boolean" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" } }, "description": "An editable, in-progress policy change set under review (Phase K draft/approval\nworkflow). Holds the proposed policies/tuples as JSON; when approved it is\npromoted into an immutable numbered PolicyVersion. Drafts never affect live\ndecisions.\n\n⚠️ CROSS-SESSION: field set reconstructed to EXACTLY match the governance\nsession's `governance_store.rs::load_draft` struct literal (the source of\ntruth). The governance-session owner should still confirm this is their\nintended schema / restore their canonical file." }, "v1PolicyDraftResponse": { "type": "object", "properties": { "draft": { "$ref": "#/definitions/v1PolicyDraft" }, "policySet": { "$ref": "#/definitions/v1PolicySet" }, "document": { "$ref": "#/definitions/v1PolicyDocument", "description": "Document parsed back from the stored draft (convenience)." } } }, "v1PolicyEffect": { "type": "string", "enum": [ "POLICY_EFFECT_UNSPECIFIED", "POLICY_EFFECT_ALLOW", "POLICY_EFFECT_DENY" ], "default": "POLICY_EFFECT_UNSPECIFIED" }, "v1PolicyRule": { "type": "object", "properties": { "policyId": { "type": "string" }, "subject": { "type": "string" }, "domain": { "type": "string" }, "object": { "type": "string" }, "action": { "type": "string" }, "effect": { "$ref": "#/definitions/v1PolicyEffect" }, "condition": { "type": "string" }, "description": { "type": "string" }, "isActive": { "type": "boolean" }, "createdBy": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "deletedAt": { "type": "string", "format": "date-time" }, "tenantId": { "type": "string" }, "deletedBy": { "type": "string" }, "projectId": { "type": "string" }, "resourceType": { "type": "string" }, "attributesJson": { "type": "string" } }, "description": "Managed permission rule mapped into UDB authorization policy rows." }, "v1PolicySet": { "type": "object", "properties": { "policySetId": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "name": { "type": "string" }, "activeVersionId": { "type": "string" }, "rollbackVersionId": { "type": "string" }, "description": { "type": "string" }, "createdBy": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "deletedAt": { "type": "string", "format": "date-time" } }, "description": "A governed collection of policy versions. Each tenant/project/name names one\npolicy set; its `active_version_id` points at the currently-enforced\n`PolicyVersion`, and `rollback_version_id` records the version a rollback\nrestored to. Drafts are created against a policy set and only take effect\nonce a version is activated (Phase K governance workflow)." }, "v1PolicyVersion": { "type": "object", "properties": { "policyVersionId": { "type": "string" }, "policySetId": { "type": "string" }, "versionNumber": { "type": "string", "format": "int64" }, "state": { "$ref": "#/definitions/v1PolicyVersionState" }, "snapshotHash": { "type": "string" }, "createdBy": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" }, "activatedBy": { "type": "string" }, "activatedAt": { "type": "string", "format": "date-time" }, "rollbackOf": { "type": "string" }, "changeReason": { "type": "string" }, "revision": { "type": "string", "format": "int64" }, "contentHash": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "payloadJson": { "type": "string", "description": "Frozen candidate document: { \"policies\": [...], \"role_bindings\": [...], \"relationship_tuples\": [...] }." }, "highRisk": { "type": "boolean" }, "submittedBy": { "type": "string" }, "sourceDraftId": { "type": "string", "description": "The PolicyDraft this version was promoted from, if any." } }, "description": "An immutable, numbered version of a policy set. A `PolicyDraft` that passes\nreview is promoted into a `PolicyVersion` whose frozen `payload_json`\n(policies + role bindings + relationship tuples) is what\n`ActivatePolicyVersion` loads into the live authorization snapshot. Drafts\nremain editable; versions never change once created — they only transition\nstate (draft -\u003e pending_review -\u003e approved -\u003e active -\u003e superseded /\nrejected / rolled_back). `revision` provides optimistic concurrency over the\nversion's state transitions; `content_hash` detects no-op promotions." }, "v1PolicyVersionState": { "type": "string", "enum": [ "POLICY_VERSION_STATE_UNSPECIFIED", "POLICY_VERSION_STATE_DRAFT", "POLICY_VERSION_STATE_PENDING_REVIEW", "POLICY_VERSION_STATE_APPROVED", "POLICY_VERSION_STATE_ACTIVE", "POLICY_VERSION_STATE_SUPERSEDED", "POLICY_VERSION_STATE_REJECTED", "POLICY_VERSION_STATE_ROLLED_BACK" ], "default": "POLICY_VERSION_STATE_UNSPECIFIED", "description": "Lifecycle state of a governed policy version (Phase K draft/approval workflow)." }, "v1PreviewClaimMappingResponse": { "type": "object", "properties": { "subject": { "type": "string" }, "email": { "type": "string" }, "emailVerified": { "type": "boolean" }, "displayName": { "type": "string" }, "groups": { "type": "array", "items": { "type": "string" } }, "assurance": { "$ref": "#/definitions/v1AssuranceLevel" }, "mappedPrincipalJson": { "type": "string", "description": "Fully-resolved principal fields as JSON for inspection." } } }, "v1PreviewGroupMappingResponse": { "type": "object", "properties": { "roles": { "type": "array", "items": { "type": "string" }, "description": "Roles granted (only roles explicitly present in the mapping)." }, "unmappedGroups": { "type": "array", "items": { "type": "string" }, "description": "Input groups that matched no mapping entry (granted nothing)." } } }, "v1PrincipalKind": { "type": "string", "enum": [ "PRINCIPAL_KIND_UNSPECIFIED", "PRINCIPAL_KIND_USER", "PRINCIPAL_KIND_SERVICE_ACCOUNT", "PRINCIPAL_KIND_WORKLOAD", "PRINCIPAL_KIND_GROUP", "PRINCIPAL_KIND_ROLE", "PRINCIPAL_KIND_EXTERNAL_SUBJECT" ], "default": "PRINCIPAL_KIND_UNSPECIFIED" }, "v1PromoteCanaryRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "canaryId": { "type": "string" }, "expectedRevision": { "type": "string", "format": "int64" } }, "description": "Promote a baked (within-threshold) canary to fleet-wide. Fails unless the\ncanary is promote-eligible (ACTIVE and its success window has elapsed within\nthreshold). On success the canaried version becomes the active version of its\npolicy set fleet-wide and the canary moves to PROMOTED." }, "v1ProviderHealth": { "type": "string", "enum": [ "PROVIDER_HEALTH_UNSPECIFIED", "PROVIDER_HEALTH_HEALTHY", "PROVIDER_HEALTH_DEGRADED", "PROVIDER_HEALTH_UNREACHABLE" ], "default": "PROVIDER_HEALTH_UNSPECIFIED", "description": "Health of a provider's discovery + key material.\n\n - PROVIDER_HEALTH_DEGRADED: last refresh failed, serving cached keys\n - PROVIDER_HEALTH_UNREACHABLE: discovery/JWKS unreachable, no usable keys" }, "v1PublishTrackRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "roomId": { "type": "string" }, "peerId": { "type": "string" }, "kind": { "type": "string" }, "label": { "type": "string" }, "settings": { "type": "string", "title": "JSON" }, "metadata": { "type": "string", "title": "JSON" } } }, "v1PublishTrackResponse": { "type": "object", "properties": { "trackId": { "type": "string" }, "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1PutAuthzPolicyRequest": { "type": "object", "properties": { "policy": { "$ref": "#/definitions/v1AuthzPolicyRecord" } } }, "v1PutMfaPolicyResponse": { "type": "object", "properties": { "tenantId": { "type": "string" }, "requireMfa": { "type": "boolean" } } }, "v1PutRelationshipRequest": { "type": "object", "properties": { "tuple": { "$ref": "#/definitions/v1RelationshipTuple" } } }, "v1PutRoleBindingRequest": { "type": "object", "properties": { "binding": { "$ref": "#/definitions/v1RoleBinding" } } }, "v1ReconciliationAnalyticsSummary": { "type": "object", "properties": { "summaryId": { "type": "string" }, "summaryDate": { "type": "string", "format": "date-time" }, "totalReconciliations": { "type": "string", "format": "int64" }, "exactMatches": { "type": "string", "format": "int64" }, "partialConflicts": { "type": "string", "format": "int64" }, "hardConflicts": { "type": "string", "format": "int64" }, "lowConfidenceFlagged": { "type": "string", "format": "int64" }, "avgReconciliationMs": { "type": "number", "format": "double" }, "resolutionRate": { "type": "number", "format": "double" }, "avgRecordConfidence": { "type": "number", "format": "double" }, "recordedAt": { "type": "string", "format": "date-time" } }, "description": "Daily reconciliation/conflict roll-up for projections, imports, replicated\nstores, and project-defined resolution workflows." }, "v1RecordPipelineMetricRequest": { "type": "object", "properties": { "stageName": { "type": "string" }, "tenantId": { "type": "string" }, "latencyMs": { "type": "number", "format": "double", "description": "Raw observation for a single request (will be aggregated hourly)." }, "isSuccess": { "type": "boolean" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1RecordPipelineMetricResponse": { "type": "object", "properties": { "accepted": { "type": "boolean" } } }, "v1RefreshSessionResponse": { "type": "object", "properties": { "expiresAtUnix": { "type": "string", "format": "int64" }, "active": { "type": "boolean" } } }, "v1RefreshTokenRequest": { "type": "object", "properties": { "refreshToken": { "type": "string" }, "sessionId": { "type": "string" } } }, "v1RefreshTokenResponse": { "type": "object", "properties": { "accessToken": { "type": "string" }, "accessTokenExpiresIn": { "type": "integer", "format": "int32" }, "refreshToken": { "type": "string", "description": "Rotated refresh token (token-family credential). Issued on every successful\nrefresh: the presented refresh token is single-use and is invalidated as the\nnew one is minted (atomic rotation). Empty when the caller refreshed with a\nlegacy server-side session id rather than a token-family credential." }, "refreshTokenExpiresIn": { "type": "integer", "format": "int32" } } }, "v1RegisterAssetRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "fileId": { "type": "string" }, "name": { "type": "string" }, "mediaType": { "type": "string" }, "metadata": { "type": "string", "title": "JSON" } } }, "v1RegisterAssetResponse": { "type": "object", "properties": { "assetId": { "type": "string" }, "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1RegisterUploadRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "filename": { "type": "string" }, "contentType": { "type": "string" }, "fileType": { "type": "string" }, "referenceId": { "type": "string" }, "referenceType": { "type": "string" }, "isPublic": { "type": "boolean", "description": "Optional initial visibility; absent defaults to private (false)." }, "expiresInMinutes": { "type": "integer", "format": "int32" }, "sizeBytes": { "type": "string", "format": "int64", "description": "Declared upload size in bytes, used for the pre-upload tenant quota check." } } }, "v1RegisterUploadResponse": { "type": "object", "properties": { "fileId": { "type": "string" }, "uploadUrl": { "type": "string" }, "objectKey": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" }, "expiresAt": { "type": "string", "format": "int64", "description": "Unix-seconds expiry of the presigned PUT `upload_url`; 0 when no URL was\nminted (metadata-only mode / presign error). Lets the client know when the\nURL dies without a follow-up call." } } }, "v1RejectPolicyDraftRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "draftId": { "type": "string" }, "reviewer": { "type": "string" }, "reason": { "type": "string" } } }, "v1RelationshipTuple": { "type": "object", "properties": { "subject": { "type": "string" }, "relation": { "type": "string" }, "object": { "type": "string" }, "tenant": { "type": "string" }, "project": { "type": "string" }, "version": { "type": "string", "format": "int64" }, "expiresAtUnix": { "type": "string", "format": "int64" }, "source": { "type": "string" } }, "description": "ReBAC tuple scoped to a tenant/project domain." }, "v1RenamePasskeyResponse": { "type": "object", "properties": { "renamed": { "type": "boolean" } } }, "v1ResendOTPRequest": { "type": "object", "properties": { "originalOtpId": { "type": "string" }, "reason": { "type": "string", "title": "\"not_received\" | \"expired\" | \"delivery_failed\"" } } }, "v1ResendOTPResponse": { "type": "object", "properties": { "otpId": { "type": "string" }, "expiresInSeconds": { "type": "integer", "format": "int32" }, "cooldownSeconds": { "type": "integer", "format": "int32" }, "attemptsRemaining": { "type": "integer", "format": "int32" } } }, "v1ResetPasswordRequest": { "type": "object", "properties": { "otpId": { "type": "string" }, "code": { "type": "string" }, "newPassword": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1ResetPasswordResponse": { "type": "object", "properties": { "userId": { "type": "string" }, "changedAtUnix": { "type": "string", "format": "int64" } } }, "v1ResolveExternalIdentityResponse": { "type": "object", "properties": { "userId": { "type": "string" }, "subject": { "type": "string" }, "email": { "type": "string" }, "provisioned": { "type": "boolean", "title": "a new user was created (JIT)" }, "linked": { "type": "boolean", "title": "linked to an existing user" }, "roles": { "type": "array", "items": { "type": "string" } }, "assurance": { "$ref": "#/definitions/v1AssuranceLevel" }, "detail": { "type": "string" } } }, "v1Resource": { "type": "object", "properties": { "name": { "type": "string" }, "version": { "type": "string" }, "payloadJson": { "type": "string" }, "resourceType": { "$ref": "#/definitions/v1ResourceType" } }, "description": "One versioned resource on the wire (a single ControlPlaneResource projection)." }, "v1ResourceRef": { "type": "object", "properties": { "resourceType": { "type": "string" }, "resourceName": { "type": "string" }, "messageType": { "type": "string" }, "schema": { "type": "string" }, "table": { "type": "string" }, "backend": { "type": "string" }, "instance": { "type": "string" }, "resourceId": { "type": "string" }, "collection": { "type": "string" }, "bucket": { "type": "string" }, "path": { "type": "string" }, "service": { "type": "string" }, "api": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } } } }, "v1ResourceType": { "type": "string", "enum": [ "RESOURCE_TYPE_UNSPECIFIED", "RESOURCE_TYPE_ROUTING_POLICY", "RESOURCE_TYPE_METHOD_SECURITY_POLICY", "RESOURCE_TYPE_RLS_TENANT_POLICY", "RESOURCE_TYPE_NATIVE_SERVICE_ENABLEMENT", "RESOURCE_TYPE_BACKEND_TARGET_DEFINITION" ], "default": "RESOURCE_TYPE_UNSPECIFIED", "description": "- RESOURCE_TYPE_ROUTING_POLICY: Request routing / backend selection policy (references backend targets).\n - RESOURCE_TYPE_METHOD_SECURITY_POLICY: Per-RPC method-security policy (the proto endpoint_security map).\n - RESOURCE_TYPE_RLS_TENANT_POLICY: Row-level-security / tenant isolation policy (references backend targets).\n - RESOURCE_TYPE_NATIVE_SERVICE_ENABLEMENT: Which native control-plane services are enabled on a node.\n - RESOURCE_TYPE_BACKEND_TARGET_DEFINITION: Backend target/cluster definitions — the \"definitions\" that routing and\nRLS policies reference. Pushed BEFORE the referencing policies.", "title": "---------------------------------------------------------------------------\nResourceType — the kinds of control-plane configuration a node can subscribe\nto in the xDS-style versioned distribution stream. \"Definition\" resources\n(backend targets) MUST be pushed before referencing policies so a referencing\npolicy is never applied before its target exists (make-before-break).\n---------------------------------------------------------------------------" }, "v1RetryNotificationResponse": { "type": "object", "properties": { "log": { "$ref": "#/definitions/v1NotificationLog" } } }, "v1RevokeApiKeyResponse": { "type": "object", "properties": { "keyId": { "type": "string" }, "revokedAt": { "type": "string", "format": "date-time" }, "operationId": { "type": "string" } } }, "v1RevokeDeviceResponse": { "type": "object", "properties": { "revoked": { "type": "boolean" }, "deviceId": { "type": "string" }, "sessionsRevoked": { "type": "string", "format": "int64" } } }, "v1RevokeRecoveryCodesResponse": { "type": "object", "properties": { "revokedCount": { "type": "string", "format": "int64" } } }, "v1RevokeRoleResponse": { "type": "object", "properties": { "revoked": { "type": "boolean" } } }, "v1RevokeSessionResponse": { "type": "object", "properties": { "sessionId": { "type": "string" }, "revokedAt": { "type": "string", "format": "date-time" }, "operationId": { "type": "string" }, "revokedCount": { "type": "integer", "format": "int32" } } }, "v1Role": { "type": "object", "properties": { "roleId": { "type": "string" }, "name": { "type": "string" }, "description": { "type": "string" }, "isSystem": { "type": "boolean" }, "isActive": { "type": "boolean" }, "createdBy": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "deletedAt": { "type": "string", "format": "date-time" }, "tenantId": { "type": "string" }, "deletedBy": { "type": "string" }, "roleCode": { "type": "string" }, "domain": { "type": "string" }, "projectId": { "type": "string" }, "scopeType": { "$ref": "#/definitions/v1RoleScopeType" }, "accessSurface": { "type": "string" }, "metadataJson": { "type": "string" } } }, "v1RoleBinding": { "type": "object", "properties": { "subject": { "type": "string" }, "role": { "type": "string" }, "tenant": { "type": "string" }, "project": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" }, "source": { "type": "string" } }, "description": "RBAC binding scoped to a tenant/project domain." }, "v1RoleScopeType": { "type": "string", "enum": [ "ROLE_SCOPE_TYPE_UNSPECIFIED", "ROLE_SCOPE_TYPE_GLOBAL", "ROLE_SCOPE_TYPE_TENANT", "ROLE_SCOPE_TYPE_PROJECT", "ROLE_SCOPE_TYPE_RESOURCE", "ROLE_SCOPE_TYPE_EXTERNAL" ], "default": "ROLE_SCOPE_TYPE_UNSPECIFIED" }, "v1RollbackPolicyVersionRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "policySetId": { "type": "string" }, "targetVersionId": { "type": "string", "description": "Version to restore. Empty = the policy set's rollback_version_id." }, "changeReason": { "type": "string" } } }, "v1Room": { "type": "object", "properties": { "roomId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:room_id;not null\"" }, "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:tenant_id;not null\"" }, "name": { "type": "string", "title": "@inject_tag: gorm:\"column:name;not null\"" }, "state": { "$ref": "#/definitions/v1RoomState", "title": "@inject_tag: gorm:\"column:state;not null;serializer:proto_enum\"" }, "maxParticipants": { "type": "integer", "format": "int32", "title": "@inject_tag: gorm:\"column:max_participants;not null\"" }, "participantCount": { "type": "integer", "format": "int32", "title": "@inject_tag: gorm:\"column:participant_count;not null\"" }, "config": { "type": "string", "title": "@inject_tag: gorm:\"column:config\"" }, "createdBy": { "type": "string", "title": "@inject_tag: gorm:\"column:created_by\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" }, "deletedAt": { "type": "string", "format": "date-time" }, "deletedBy": { "type": "string" } }, "description": "Room: a WebRTC conferencing room." }, "v1RoomState": { "type": "string", "enum": [ "ROOM_STATE_UNSPECIFIED", "ROOM_STATE_ACTIVE", "ROOM_STATE_IDLE", "ROOM_STATE_CLOSED" ], "default": "ROOM_STATE_UNSPECIFIED" }, "v1RotateApiKeyResponse": { "type": "object", "properties": { "key": { "$ref": "#/definitions/v1ApiKey" }, "plainKey": { "type": "string", "description": "New plain key returned ONCE; the prior secret is invalidated immediately." }, "previousKeyId": { "type": "string" } } }, "v1SamlAcsResponse": { "type": "object", "properties": { "authenticated": { "type": "boolean" }, "subject": { "type": "string", "title": "NameID" }, "userId": { "type": "string" }, "email": { "type": "string" }, "emailVerified": { "type": "boolean" }, "groups": { "type": "array", "items": { "type": "string" } }, "roles": { "type": "array", "items": { "type": "string" }, "title": "roles granted via configured group mapping" }, "assurance": { "$ref": "#/definitions/v1AssuranceLevel" }, "signatureVerified": { "type": "boolean", "description": "True when the assertion signature could be verified; false + reason when the\nverification step is host-blocked (fail-closed: authenticated stays false)." }, "detail": { "type": "string" }, "attributesJson": { "type": "string", "description": "Mapped attributes for inspection (JSON object)." } } }, "v1ScimCreateGroupResponse": { "type": "object", "properties": { "group": { "$ref": "#/definitions/v1ScimGroup" } } }, "v1ScimCreateUserResponse": { "type": "object", "properties": { "user": { "$ref": "#/definitions/v1ScimUser" } } }, "v1ScimDeleteGroupResponse": { "type": "object", "properties": { "deleted": { "type": "boolean" } } }, "v1ScimDeleteUserResponse": { "type": "object", "properties": { "deactivated": { "type": "boolean", "title": "mapped to deactivate + session revoke" } } }, "v1ScimGetGroupResponse": { "type": "object", "properties": { "group": { "$ref": "#/definitions/v1ScimGroup" } } }, "v1ScimGetUserResponse": { "type": "object", "properties": { "user": { "$ref": "#/definitions/v1ScimUser" } } }, "v1ScimGroup": { "type": "object", "properties": { "id": { "type": "string" }, "displayName": { "type": "string" }, "members": { "type": "array", "items": { "type": "string" }, "title": "member SCIM ids" }, "rawJson": { "type": "string" } } }, "v1ScimListGroupsResponse": { "type": "object", "properties": { "groups": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ScimGroup" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ScimListUsersResponse": { "type": "object", "properties": { "users": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1ScimUser" } }, "page": { "$ref": "#/definitions/v1PageResponse" } } }, "v1ScimPatchGroupResponse": { "type": "object", "properties": { "group": { "$ref": "#/definitions/v1ScimGroup" }, "grantedRoles": { "type": "array", "items": { "type": "string" }, "description": "Roles granted/revoked as a result of group membership changes (only via\nconfigured group→role mappings)." } } }, "v1ScimPatchOp": { "type": "object", "properties": { "op": { "type": "string", "title": "add | replace | remove" }, "path": { "type": "string", "title": "e.g. \"active\", \"members\"" }, "valueJson": { "type": "string", "title": "JSON-encoded value" } }, "description": "SCIM PATCH operations (RFC 7644 §3.5.2): add/replace/remove on a path." }, "v1ScimPatchUserResponse": { "type": "object", "properties": { "user": { "$ref": "#/definitions/v1ScimUser" } } }, "v1ScimReplaceUserResponse": { "type": "object", "properties": { "user": { "$ref": "#/definitions/v1ScimUser" } } }, "v1ScimUser": { "type": "object", "properties": { "id": { "type": "string", "title": "SCIM id (== external_identity_id)" }, "userName": { "type": "string", "title": "SCIM userName (subject)" }, "displayName": { "type": "string" }, "email": { "type": "string" }, "active": { "type": "boolean" }, "groups": { "type": "array", "items": { "type": "string" } }, "rawJson": { "type": "string", "title": "full SCIM user JSON" } }, "description": "A SCIM resource carried as its canonical JSON body. CRUD handlers persist\ninto the native external_identities / role-binding tables under the\nconfigured mappings; the JSON keeps full SCIM 2.0 schema fidelity for the\nconnector while the broker stays schema-agnostic." }, "v1SeedBuiltinRolesRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" } } }, "v1SeedBuiltinRolesResponse": { "type": "object", "properties": { "seededRoleCodes": { "type": "array", "items": { "type": "string" } }, "created": { "type": "integer", "format": "int32" }, "existing": { "type": "integer", "format": "int32" } } }, "v1SendNotificationRequest": { "type": "object", "properties": { "eventType": { "type": "string", "title": "Must match a template event_type" }, "recipientId": { "type": "string" }, "recipientAddress": { "type": "string", "title": "Resolved by caller or looked up in User service" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "resourceType": { "type": "string" }, "resourceId": { "type": "string" }, "resourceName": { "type": "string" }, "correlationId": { "type": "string" }, "locale": { "type": "string", "title": "Defaults to 'en'" }, "variables": { "type": "object", "additionalProperties": { "type": "string" }, "title": "Template variable substitutions" }, "channels": { "type": "array", "items": { "$ref": "#/definitions/v1NotificationChannel" }, "title": "Empty = use template-default channels" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1SendNotificationResponse": { "type": "object", "properties": { "logs": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1NotificationLog" } } } }, "v1SendOTPRequest": { "type": "object", "properties": { "userId": { "type": "string" }, "otpType": { "$ref": "#/definitions/v1OTPType" }, "correlationId": { "type": "string", "title": "correlation_id to link the OTP to an in-flight operation" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1SendOTPResponse": { "type": "object", "properties": { "otpId": { "type": "string" }, "expiresInSeconds": { "type": "integer", "format": "int32" }, "cooldownSeconds": { "type": "integer", "format": "int32", "title": "Wait before next resend" }, "devOtpCode": { "type": "string", "description": "Dev-only echo of the plaintext OTP code, populated ONLY when the broker runs\nwith UDB_OTP_DEV_ECHO=1 (non-production posture). Empty in production. Lets\nconformance harnesses complete VerifyOTP/ResetPassword without a delivery\nchannel. bug_report.md F/Lane-2." } } }, "v1SendPhoneVerificationResponse": { "type": "object", "properties": { "otpId": { "type": "string" }, "devOtpCode": { "type": "string", "description": "Dev-only echo of the plaintext PHONE_VERIFICATION OTP code, populated ONLY when\nthe broker runs with UDB_OTP_DEV_ECHO=1 (non-production posture). Empty in\nproduction. Lets conformance harnesses complete VerifyOTP without an SMS\ndelivery channel. bug_report.md F/Lane-2." } } }, "v1Session": { "type": "object", "properties": { "sessionId": { "type": "string" }, "userId": { "type": "string" }, "sessionType": { "$ref": "#/definitions/v1SessionType" }, "sessionTokenLookup": { "type": "string", "description": "── SERVER-SIDE fields ──────────────────────────────────────────────────\nKeyed lookup digest of the opaque session token (for fast index lookup)." }, "sessionTokenHash": { "type": "string", "description": "Keyed HMAC digest of the session token (for secure verify after lookup)." }, "csrfTokenHash": { "type": "string", "description": "CSRF token hash (double-submit cookie pattern)." }, "accessTokenJti": { "type": "string", "description": "── JWT fields ──────────────────────────────────────────────────────────\nJWT ID of the currently-valid access token (for revocation check)." }, "refreshTokenJti": { "type": "string" }, "deviceType": { "$ref": "#/definitions/v1DeviceType", "title": "── Common fields ───────────────────────────────────────────────────────" }, "deviceName": { "type": "string" }, "ipAddress": { "type": "string" }, "userAgent": { "type": "string" }, "isActive": { "type": "boolean" }, "expiresAt": { "type": "string", "format": "date-time" }, "lastActiveAt": { "type": "string", "format": "date-time" }, "revokedBy": { "type": "string" }, "revokeReason": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "principalId": { "type": "string" }, "providerId": { "type": "string" }, "authMethod": { "type": "string" }, "scopesJson": { "type": "string" }, "metadataJson": { "type": "string" } }, "description": "---------------------------------------------------------------------------\nSession — Authenticated session for a user, service account, workload, or\nexternal identity mapped into UDB.\n\nHybrid model:\n SERVER_SIDE: cookie-based; session_token_lookup (keyed HMAC) → hash verify\n JWT: access_token_jti + refresh_token_jti tracked for revocation\n\nMigration order 2. RLS scopes rows to the current tenant.\n---------------------------------------------------------------------------" }, "v1SessionType": { "type": "string", "enum": [ "SESSION_TYPE_UNSPECIFIED", "SESSION_TYPE_SERVER_SIDE", "SESSION_TYPE_JWT", "SESSION_TYPE_API_KEY", "SESSION_TYPE_MTLS", "SESSION_TYPE_EXTERNAL" ], "default": "SESSION_TYPE_UNSPECIFIED", "description": " - SESSION_TYPE_SERVER_SIDE: Cookie + CSRF token.\n - SESSION_TYPE_JWT: Access + refresh JWT." }, "v1SetPreferenceResponse": { "type": "object", "properties": { "preference": { "$ref": "#/definitions/v1NotificationPreference" } } }, "v1SignedPolicyBundle": { "type": "object", "properties": { "bundle": { "type": "string", "format": "byte", "description": "Serialized snapshot payload (canonical JSON). Opaque to transport." }, "signature": { "type": "string", "description": "Base64 signature over `bundle`." }, "keyId": { "type": "string", "description": "Identifier of the signing key so callers can rotate/verify." }, "algorithm": { "type": "string", "description": "Signature algorithm, e.g. \"HMAC-SHA256\"." }, "policyVersion": { "type": "string" }, "relationshipVersion": { "type": "string" }, "issuedAtUnix": { "type": "string", "format": "int64" }, "expiresAtUnix": { "type": "string", "format": "int64" }, "ttlSeconds": { "type": "string", "format": "uint64" } } }, "v1SimulatePolicyRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "draftId": { "type": "string", "description": "Draft to evaluate the candidate decision against (its document is loaded\nin-memory). Empty + candidate set = simulate an ad-hoc document." }, "candidate": { "$ref": "#/definitions/v1PolicyDocument", "description": "Candidate authz inputs evaluated in-memory WITHOUT mutating durable state." }, "cases": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1SimulationCase" }, "description": "One or more cases to evaluate (single + batch share one shape)." }, "persist": { "type": "boolean", "description": "Persist a PolicySimulation row per case (impact-analysis record)." }, "policyVersionId": { "type": "string", "description": "Optional draft version id to stamp on persisted PolicySimulation rows." } } }, "v1SimulatePolicyResponse": { "type": "object", "properties": { "results": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1SimulationResult" } }, "diffJson": { "type": "string", "description": "Aggregate machine-readable diff over all cases." } } }, "v1SimulationCase": { "type": "object", "properties": { "principal": { "$ref": "#/definitions/coreAuthzServicesV1Principal" }, "resource": { "$ref": "#/definitions/v1ResourceRef" }, "action": { "type": "string" }, "purpose": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } }, "label": { "type": "string", "description": "Optional label echoed in the result for batch correlation." } } }, "v1SimulationResult": { "type": "object", "properties": { "label": { "type": "string" }, "activeDecision": { "$ref": "#/definitions/v1Decision" }, "draftDecision": { "$ref": "#/definitions/v1Decision" }, "changed": { "type": "boolean", "description": "True when active and draft decisions differ on `allowed`." }, "diffJson": { "type": "string" } } }, "v1SlaComplianceEntry": { "type": "object", "properties": { "stageName": { "type": "string" }, "period": { "type": "string" }, "p99LatencyMs": { "type": "number", "format": "double" }, "errorRate": { "type": "number", "format": "double" }, "p99SlaMet": { "type": "boolean" }, "errorRateSlaMet": { "type": "boolean" } } }, "v1StartPipelineRequest": { "type": "object", "properties": { "tenantId": { "type": "string" }, "definitionId": { "type": "string" }, "assetId": { "type": "string" }, "context": { "type": "string", "title": "JSON" }, "correlationId": { "type": "string" } } }, "v1StartPipelineResponse": { "type": "object", "properties": { "instanceId": { "type": "string" }, "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" }, "steps": { "type": "array", "items": { "type": "object", "$ref": "#/definitions/v1PipelineStep" } } } }, "v1StartSamlLoginResponse": { "type": "object", "properties": { "redirectUrl": { "type": "string", "description": "Full redirect URL (SSO endpoint with SAMLRequest + optional Signature)." }, "samlRequest": { "type": "string", "description": "Base64 deflate-encoded AuthnRequest." }, "requestId": { "type": "string" }, "signed": { "type": "boolean" } } }, "v1StartWebAuthnAuthenticationRequest": { "type": "object", "properties": { "userId": { "type": "string" }, "tenantId": { "type": "string" }, "projectId": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1StartWebAuthnAuthenticationResponse": { "type": "object", "properties": { "challengeId": { "type": "string" }, "publicKeyCredentialRequestOptionsJson": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" } } }, "v1StartWebAuthnRegistrationResponse": { "type": "object", "properties": { "challengeId": { "type": "string" }, "publicKeyCredentialCreationOptionsJson": { "type": "string" }, "expiresAtUnix": { "type": "string", "format": "int64" } } }, "v1StepStatus": { "type": "string", "enum": [ "STEP_STATUS_UNSPECIFIED", "STEP_STATUS_PENDING", "STEP_STATUS_RUNNING", "STEP_STATUS_COMPLETED", "STEP_STATUS_SKIPPED", "STEP_STATUS_FAILED" ], "default": "STEP_STATUS_UNSPECIFIED" }, "v1StepType": { "type": "string", "enum": [ "STEP_TYPE_UNSPECIFIED", "STEP_TYPE_EMBED", "STEP_TYPE_THUMBNAIL", "STEP_TYPE_RESIZE", "STEP_TYPE_TRANSCODE", "STEP_TYPE_CAPTION", "STEP_TYPE_EXTRACT" ], "default": "STEP_TYPE_UNSPECIFIED" }, "v1SubmitPolicyDraftRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "draftId": { "type": "string" }, "expectedUpdatedAtUnix": { "type": "string", "format": "int64" } } }, "v1Tenant": { "type": "object", "properties": { "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:tenant_id;not null\"" }, "code": { "type": "string", "title": "@inject_tag: gorm:\"column:code;not null\"" }, "name": { "type": "string", "title": "@inject_tag: gorm:\"column:name;not null\"" }, "type": { "$ref": "#/definitions/v1TenantType", "title": "@inject_tag: gorm:\"column:type;not null;serializer:proto_enum\"" }, "status": { "$ref": "#/definitions/v1TenantStatus", "title": "@inject_tag: gorm:\"column:status;not null;serializer:proto_enum\"" }, "parentTenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:parent_tenant_id\"" }, "config": { "type": "string", "title": "@inject_tag: gorm:\"column:config\"" }, "branding": { "type": "string", "title": "@inject_tag: gorm:\"column:branding\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo" }, "deletedAt": { "type": "string", "format": "date-time", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" }, "deletedBy": { "type": "string" } }, "title": "Tenant (FR-016)" }, "v1TenantConfig": { "type": "object", "properties": { "id": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:config_id;not null\"" }, "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:tenant_id;not null\"" }, "configKey": { "type": "string", "title": "@inject_tag: gorm:\"column:config_key;not null\"" }, "configValue": { "type": "string", "title": "@inject_tag: gorm:\"column:config_value;not null\"" }, "type": { "$ref": "#/definitions/v1ConfigType", "title": "@inject_tag: gorm:\"column:type;not null;serializer:proto_enum\"" }, "description": { "type": "string", "title": "@inject_tag: gorm:\"column:description\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" } }, "title": "Tenant configuration" }, "v1TenantContext": { "type": "object", "properties": { "tenantId": { "type": "string", "description": "Tenant or account boundary chosen by the caller or resolved by UDB." }, "organizationId": { "type": "string", "description": "Optional owning organization/workspace above the tenant boundary." }, "projectId": { "type": "string", "description": "Project/application namespace inside the tenant." }, "environment": { "type": "string", "description": "Deployment environment, for example prod, staging, dev, or test." }, "region": { "type": "string", "description": "Region, shard, or residency boundary when routing matters." }, "partitionId": { "type": "string", "description": "Optional data partition or workspace identifier for fine-grained isolation." }, "accessSurface": { "type": "string", "description": "UI/API surface or workload channel such as web, mobile, api, worker." }, "attributes": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Consumer-defined labels for policy routing and audit enrichment." } } }, "v1TenantStatus": { "type": "string", "enum": [ "TENANT_STATUS_UNSPECIFIED", "TENANT_STATUS_ACTIVE", "TENANT_STATUS_SUSPENDED", "TENANT_STATUS_INACTIVE" ], "default": "TENANT_STATUS_UNSPECIFIED" }, "v1TenantType": { "type": "string", "enum": [ "TENANT_TYPE_UNSPECIFIED", "TENANT_TYPE_PLATFORM", "TENANT_TYPE_PARTNER", "TENANT_TYPE_ORGANIZATION", "TENANT_TYPE_WORKSPACE", "TENANT_TYPE_CUSTOMER_ACCOUNT", "TENANT_TYPE_DEPARTMENT", "TENANT_TYPE_SANDBOX" ], "default": "TENANT_TYPE_UNSPECIFIED" }, "v1TestProviderDiscoveryResponse": { "type": "object", "properties": { "reachable": { "type": "boolean" }, "health": { "$ref": "#/definitions/v1ProviderHealth" }, "resolvedIssuer": { "type": "string" }, "resolvedJwksUrl": { "type": "string" }, "keyCount": { "type": "integer", "format": "int32" }, "keyIds": { "type": "array", "items": { "type": "string" }, "title": "JWKS kid list / SAML cert fingerprints" }, "detail": { "type": "string" } } }, "v1TokenType": { "type": "string", "enum": [ "TOKEN_TYPE_UNSPECIFIED", "TOKEN_TYPE_JWT_ACCESS", "TOKEN_TYPE_JWT_REFRESH", "TOKEN_TYPE_SESSION", "TOKEN_TYPE_API_KEY", "TOKEN_TYPE_EXTERNAL" ], "default": "TOKEN_TYPE_UNSPECIFIED" }, "v1Track": { "type": "object", "properties": { "trackId": { "type": "string", "title": "@inject_tag: gorm:\"primaryKey;column:track_id;not null\"" }, "roomId": { "type": "string", "title": "@inject_tag: gorm:\"column:room_id;not null\"" }, "peerId": { "type": "string", "title": "@inject_tag: gorm:\"column:peer_id;not null\"" }, "tenantId": { "type": "string", "title": "@inject_tag: gorm:\"column:tenant_id;not null\"" }, "kind": { "$ref": "#/definitions/v1TrackKind", "title": "@inject_tag: gorm:\"column:kind;not null;serializer:proto_enum\"" }, "label": { "type": "string", "title": "@inject_tag: gorm:\"column:label\"" }, "state": { "$ref": "#/definitions/v1TrackState", "title": "@inject_tag: gorm:\"column:state;not null;serializer:proto_enum\"" }, "settings": { "type": "string", "title": "@inject_tag: gorm:\"column:settings\"" }, "metadata": { "type": "string", "title": "@inject_tag: gorm:\"column:metadata\"" }, "auditInfo": { "$ref": "#/definitions/v1AuditInfo", "title": "@inject_tag: gorm:\"column:audit_info;not null\"" } }, "description": "Track: a media or data track published by a peer." }, "v1TrackKind": { "type": "string", "enum": [ "TRACK_KIND_UNSPECIFIED", "TRACK_KIND_AUDIO", "TRACK_KIND_VIDEO", "TRACK_KIND_SCREEN", "TRACK_KIND_DATA" ], "default": "TRACK_KIND_UNSPECIFIED" }, "v1TrackState": { "type": "string", "enum": [ "TRACK_STATE_UNSPECIFIED", "TRACK_STATE_ACTIVE", "TRACK_STATE_MUTED", "TRACK_STATE_ENDED" ], "default": "TRACK_STATE_UNSPECIFIED" }, "v1TriggerSnapshotRequest": { "type": "object", "properties": { "stageName": { "type": "string", "title": "Empty = all stages" }, "hour": { "type": "string", "title": "ISO 8601 hour; empty = previous complete hour" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1TriggerSnapshotResponse": { "type": "object", "properties": { "snapshotsWritten": { "type": "integer", "format": "int32" } } }, "v1UnlinkIdentityResponse": { "type": "object", "properties": { "unlinked": { "type": "boolean" } } }, "v1UnpublishTrackResponse": { "type": "object", "properties": { "success": { "type": "boolean" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1UpdateApiKeyResponse": { "type": "object", "properties": { "key": { "$ref": "#/definitions/v1ApiKey" } } }, "v1UpdateFileResponse": { "type": "object", "properties": { "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1UpdatePolicyDraftRequest": { "type": "object", "properties": { "actor": { "$ref": "#/definitions/v1GovernanceActor" }, "draftId": { "type": "string" }, "document": { "$ref": "#/definitions/v1PolicyDocument" }, "changeReason": { "type": "string" }, "expectedUpdatedAtUnix": { "type": "string", "format": "int64", "description": "Optimistic concurrency: must equal the draft's current updated_at epoch." }, "highRisk": { "type": "boolean" }, "title": { "type": "string" } } }, "v1UpdateProviderResponse": { "type": "object", "properties": { "provider": { "$ref": "#/definitions/v1IdentityProvider" } } }, "v1UpdateRoleResponse": { "type": "object", "properties": { "role": { "$ref": "#/definitions/v1Role" } } }, "v1UpdateRoomResponse": { "type": "object", "properties": { "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1UpdateTenantConfigResponse": { "type": "object", "properties": { "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1UpdateTenantResponse": { "type": "object", "properties": { "message": { "type": "string" }, "error": { "$ref": "#/definitions/v1ApiError", "title": "Error information if operation failed" } } }, "v1UpdateUserResponse": { "type": "object", "properties": { "user": { "$ref": "#/definitions/v1User" } } }, "v1UpsertTemplateResponse": { "type": "object", "properties": { "template": { "$ref": "#/definitions/v1NotificationTemplate" } } }, "v1User": { "type": "object", "properties": { "userId": { "type": "string" }, "username": { "type": "string" }, "email": { "type": "string", "title": "SCIM-2 (bug_report.md G): email stays NOT NULL (always a value, maybe '');\nthe column-level `unique` is dropped and uniqueness is enforced by the\nTABLE-level PARTIAL unique index `idx_users_email` (WHERE email \u003c\u003e '')\ndeclared in the pg_table option above — so email-less SCIM users don't\ncollide. (The column's singular `index` is intentionally NOT used: the\ndescriptor decode drops its where_clause.)" }, "passwordHash": { "type": "string" }, "accountKind": { "$ref": "#/definitions/v1AccountKind" }, "status": { "$ref": "#/definitions/v1UserStatus" }, "tenantId": { "type": "string" }, "fullName": { "type": "string" }, "totpSecretEnc": { "type": "string", "title": "MFA: totp_secret populated only when MFA is enrolled (TOTP authenticator app)" }, "mfaEnabled": { "type": "boolean" }, "failedLoginCount": { "type": "integer", "format": "int32", "title": "Failed login tracking" }, "lockedUntil": { "type": "string", "format": "date-time" }, "emailVerifiedAt": { "type": "string", "format": "date-time" }, "lastLoginAt": { "type": "string", "format": "date-time" }, "createdBy": { "type": "string" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "deletedAt": { "type": "string", "format": "date-time" }, "deletedBy": { "type": "string" }, "projectId": { "type": "string" }, "externalProviderId": { "type": "string" }, "externalSubject": { "type": "string" }, "locale": { "type": "string" }, "timezone": { "type": "string" }, "profileAttributesJson": { "type": "string" }, "externalReferencesJson": { "type": "string" }, "phone": { "type": "string" }, "phoneVerifiedAt": { "type": "string", "format": "date-time" } }, "description": "---------------------------------------------------------------------------\nUser — a human, service, workload, or externally-mapped account that can be\nauthenticated by UDB and authorized by the UDB policy engine.\n\nMigration order 1 in schema udb_authn.\nThe password_hash uses Argon2id PHC strings; legacy keyed-HMAC values are upgraded on login.\nAll PII fields are masked in application logs via (pii) + (log_masked).\n---------------------------------------------------------------------------" }, "v1UserRole": { "type": "object", "properties": { "userRoleId": { "type": "string" }, "userId": { "type": "string" }, "roleId": { "type": "string" }, "domain": { "type": "string" }, "assignedBy": { "type": "string" }, "assignedAt": { "type": "string", "format": "date-time" }, "expiresAt": { "type": "string", "format": "date-time" }, "createdAt": { "type": "string", "format": "date-time" }, "updatedAt": { "type": "string", "format": "date-time" }, "createdBy": { "type": "string" }, "tenantId": { "type": "string" } }, "description": "User-to-role assignment scoped by an authorization domain such as\ntenant:tenant_a, project:project_a, or resource:invoice/123." }, "v1UserStatus": { "type": "string", "enum": [ "USER_STATUS_UNSPECIFIED", "USER_STATUS_PENDING_VERIFICATION", "USER_STATUS_ACTIVE", "USER_STATUS_SUSPENDED", "USER_STATUS_LOCKED", "USER_STATUS_DEACTIVATED" ], "default": "USER_STATUS_UNSPECIFIED", "title": "- USER_STATUS_PENDING_VERIFICATION: Email not yet verified\n - USER_STATUS_SUSPENDED: Temporarily suspended by admin\n - USER_STATUS_LOCKED: Locked after repeated failed logins\n - USER_STATUS_DEACTIVATED: Permanently deactivated" }, "v1ValidateApiKeyRequest": { "type": "object", "properties": { "plainKey": { "type": "string", "title": "Raw key from Authorization header" }, "endpoint": { "type": "string", "title": "gRPC method or HTTP path being accessed" }, "requiredScope": { "type": "string", "title": "e.g. \"resource:write\"" }, "ipAddress": { "type": "string", "title": "source IP for allowlist check" } } }, "v1ValidateApiKeyResponse": { "type": "object", "properties": { "valid": { "type": "boolean" }, "keyId": { "type": "string" }, "ownerId": { "type": "string" }, "ownerType": { "$ref": "#/definitions/v1ApiKeyOwnerType" }, "scopes": { "type": "array", "items": { "type": "string" }, "title": "Granted scopes list (caller checks required_scope membership)" }, "rateLimited": { "type": "boolean" } } }, "v1ValidateCSRFRequest": { "type": "object", "properties": { "sessionId": { "type": "string" }, "csrfToken": { "type": "string", "title": "value from the csrf cookie / header" } } }, "v1ValidateCSRFResponse": { "type": "object", "properties": { "valid": { "type": "boolean" } } }, "v1ValidateTokenRequest": { "type": "object", "properties": { "token": { "type": "string", "title": "raw JWT or session_token" }, "tokenType": { "$ref": "#/definitions/v1TokenType" } } }, "v1ValidateTokenResponse": { "type": "object", "properties": { "valid": { "type": "boolean" }, "userId": { "type": "string" }, "sessionId": { "type": "string" }, "accountKind": { "$ref": "#/definitions/v1AccountKind" }, "tenantId": { "type": "string" }, "roles": { "type": "array", "items": { "type": "string" }, "title": "Resolved roles (from authz domain)" }, "expiresAt": { "type": "string", "format": "date-time" }, "accessSurface": { "type": "string" }, "deviceId": { "type": "string", "title": "device fingerprint (JWT sessions only)" }, "tokenId": { "type": "string", "title": "JWT jti (JWT sessions) or session_token SHA256 prefix" }, "sessionType": { "$ref": "#/definitions/v1SessionType" }, "principal": { "$ref": "#/definitions/coreAuthnServicesV1Principal" }, "projectId": { "type": "string" }, "scopes": { "type": "array", "items": { "type": "string" } }, "attributes": { "type": "object", "additionalProperties": { "type": "string" } } } }, "v1VerifyMfaChallengeRequest": { "type": "object", "properties": { "challengeId": { "type": "string" }, "code": { "type": "string", "title": "TOTP / OTP / recovery code proof" }, "deviceFingerprint": { "type": "string" }, "context": { "$ref": "#/definitions/coreCommonV1RequestContext" } } }, "v1VerifyMfaChallengeResponse": { "type": "object", "properties": { "verified": { "type": "boolean" }, "userId": { "type": "string" } } }, "v1VerifyOTPRequest": { "type": "object", "properties": { "otpId": { "type": "string" }, "code": { "type": "string", "title": "Plain 6-digit code (transmitted over TLS; hashed server-side)" } } }, "v1VerifyOTPResponse": { "type": "object", "properties": { "verified": { "type": "boolean" }, "userId": { "type": "string" }, "otpType": { "$ref": "#/definitions/v1OTPType" } } }, "v1WebAuthnCredentialSummary": { "type": "object", "properties": { "credentialId": { "type": "string" }, "label": { "type": "string" }, "createdAtUnix": { "type": "string", "format": "int64" }, "lastUsedAtUnix": { "type": "string", "format": "int64" } } } } }