Tokens & Credentials

Overview

The Tokens & Credentials API provides endpoints for managing JWT signing keys, SCIM provisioning tokens, Initial Access Tokens (IAT), and other credentials.

Endpoint List

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/signing-keys | List signing keys |
| POST | /api/admin/signing-keys/rotate | Rotate signing keys |
| GET | /api/admin/scim/tokens | List SCIM tokens |
| POST | /api/admin/scim/tokens | Create SCIM token |
| DELETE | /api/admin/scim/tokens/:id | Delete SCIM token |
| GET | /api/admin/initial-access-tokens | List IATs |
| POST | /api/admin/initial-access-tokens | Create IAT |
| DELETE | /api/admin/initial-access-tokens/:id | Delete IAT |
| GET | /api/admin/api-tokens | List API tokens |
| POST | /api/admin/api-tokens | Create API token |
| DELETE | /api/admin/api-tokens/:id | Delete API token |

List Signing Keys

Retrieve a list of keys used for JWT signing.

Endpoint

GET /api/admin/signing-keys

Request Example

curl -X GET "https://{tenant-domain}/api/admin/signing-keys" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "keys": [
    {
      "kid": "key_abc123",
      "algorithm": "RS256",
      "status": "active",
      "use": "sig",
      "created_at": 1705881600,
      "rotated_at": null,
      "expires_at": null
    },
    {
      "kid": "key_old456",
      "algorithm": "RS256",
      "status": "rotated",
      "use": "sig",
      "created_at": 1673345600,
      "rotated_at": 1705881600,
      "expires_at": 1706486400
    }
  ],
  "current_kid": "key_abc123"
}

Rotate Signing Keys

Generate a new signing key and rotate existing keys.

Endpoint

POST /api/admin/signing-keys/rotate

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| algorithm | string | - | Algorithm (default: RS256) |
| grace_period | integer | - | Grace period for old key (seconds, default: 604800) |

Request Example

curl -X POST "https://{tenant-domain}/api/admin/signing-keys/rotate" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "RS256",
    "grace_period": 604800
  }'

Response Example

{
  "new_key": {
    "kid": "key_xyz789",
    "algorithm": "RS256",
    "status": "active",
    "created_at": 1706140800
  },
  "old_key": {
    "kid": "key_abc123",
    "status": "rotated",
    "expires_at": 1706745600
  }
}
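
A verifier that consumes the key list has to keep accepting tokens signed by a rotated key until that key's expires_at passes, and reject them afterwards. The sketch below is an added example, not part of the original documentation or the product's own code; it assumes that reading of the status and expires_at fields, and the names KEY_LIST, acceptable_kids and check_header are hypothetical.

```python
import json

# Constructed sample: the "List Signing Keys" response shown on this page.
KEY_LIST = json.loads("""
{"keys": [
  {"kid": "key_abc123", "algorithm": "RS256", "status": "active", "use": "sig",
   "created_at": 1705881600, "rotated_at": null, "expires_at": null},
  {"kid": "key_old456", "algorithm": "RS256", "status": "rotated", "use": "sig",
   "created_at": 1673345600, "rotated_at": 1705881600, "expires_at": 1706486400}
 ], "current_kid": "key_abc123"}
""")


def acceptable_kids(key_list, now):
    """Map kid -> algorithm for keys a verifier should still trust at `now`.

    Assumption (not stated on the page): "active" keys are trusted, and
    "rotated" keys stay trusted only until their expires_at timestamp.
    """
    trusted = {}
    for key in key_list["keys"]:
        if key.get("use") != "sig":
            continue  # only signature keys are relevant here
        expires_at = key.get("expires_at")
        if key["status"] == "active":
            trusted[key["kid"]] = key["algorithm"]
        elif key["status"] == "rotated" and expires_at is not None and now < expires_at:
            trusted[key["kid"]] = key["algorithm"]
    return trusted


def check_header(header, key_list, now):
    """Check a decoded JWT header against the key list; returns (ok, reason)."""
    trusted = acceptable_kids(key_list, now)
    kid = header.get("kid")
    if kid not in trusted:
        return False, "kid unknown or past its grace period"
    # Pin the algorithm to the one registered for the key, not the header's claim.
    if header.get("alg") != trusted[kid]:
        return False, "alg does not match the key"
    return True, "ok"


if __name__ == "__main__":
    for now in (1706000000, 1706486400):  # inside / at the end of the grace period
        print(now, sorted(acceptable_kids(KEY_LIST, now)))
    print(check_header({"alg": "RS256", "kid": "key_old456"}, KEY_LIST, 1706486400))
```

This only selects the key and pins the algorithm; signature verification itself still has to be done with a JWT library against the matching public key.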

List SCIM Tokens

Retrieve a list of SCIM provisioning tokens.

Endpoint

GET /api/admin/scim/tokens

Request Example

curl -X GET "https://{tenant-domain}/api/admin/scim/tokens" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "items": [
    {
      "id": "scim_token_abc123",
      "name": "Okta SCIM",
      "description": "For provisioning from Okta",
      "last_used_at": 1706054400,
      "created_at": 1705881600,
      "expires_at": null
    }
  ],
  "total": 1
}

Create SCIM Token

Create a new SCIM token.

Endpoint

POST /api/admin/scim/tokens

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Token name |
| description | string | - | Description |
| expires_in | integer | - | Validity period (seconds, unlimited if not specified) |

Request Example

curl -X POST "https://{tenant-domain}/api/admin/scim/tokens" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Azure AD SCIM",
    "description": "For provisioning from Azure AD"
  }'

Response Example

{
  "id": "scim_token_xyz789",
  "name": "Azure AD SCIM",
  "token": "scim_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "created_at": 1706140800
}

Delete SCIM Token

Delete a SCIM token.

Endpoint

DELETE /api/admin/scim/tokens/:id

Request Example

curl -X DELETE "https://{tenant-domain}/api/admin/scim/tokens/scim_token_abc123" \
  -H "Authorization: Bearer {token}"

List Initial Access Tokens (IAT)

Retrieve Initial Access Tokens for dynamic client registration.

Endpoint

GET /api/admin/initial-access-tokens

Request Example

curl -X GET "https://{tenant-domain}/api/admin/initial-access-tokens" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "items": [
    {
      "id": "iat_abc123",
      "name": "Partner IAT",
      "uses_remaining": 5,
      "max_uses": 10,
      "expires_at": 1706745600,
      "created_at": 1705881600
    }
  ],
  "total": 1
}

Create IAT

Create a new Initial Access Token.

Endpoint

POST /api/admin/initial-access-tokens

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Token name |
| max_uses | integer | - | Maximum number of uses (default: 1) |
| expires_in | integer | - | Validity period (seconds) |
| allowed_scopes | string[] | - | Allowed scopes |

Request Example

curl -X POST "https://{tenant-domain}/api/admin/initial-access-tokens" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "New Partner",
    "max_uses": 5,
    "expires_in": 86400,
    "allowed_scopes": ["openid", "profile"]
  }'

Response Example

{
  "id": "iat_xyz789",
  "name": "New Partner",
  "token": "iat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "max_uses": 5,
  "expires_at": 1706227200,
  "created_at": 1706140800
}

Delete IAT

Delete an Initial Access Token.

Endpoint

DELETE /api/admin/initial-access-tokens/:id

Request Example

curl -X DELETE "https://{tenant-domain}/api/admin/initial-access-tokens/iat_abc123" \
  -H "Authorization: Bearer {token}"

List API Tokens

Retrieve a list of Admin API tokens.

Endpoint

GET /api/admin/api-tokens

Request Example

curl -X GET "https://{tenant-domain}/api/admin/api-tokens" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "items": [
    {
      "id": "api_token_abc123",
      "name": "CI/CD Pipeline",
      "scopes": ["users:read", "users:write"],
      "last_used_at": 1706054400,
      "created_at": 1705881600,
      "expires_at": 1737417600
    }
  ],
  "total": 1
}
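
The three list endpoints (SCIM tokens, IATs, API tokens) return enough metadata to review a tenant's standing credentials. The following audit is an added example, not part of the original documentation or the product's own code; the sample data is constructed from the response shapes on this page, and the 90-day and 30-day thresholds and the function name audit are assumptions standing in for local policy.

```python
DAY = 86400
MAX_LIFETIME = 90 * DAY   # assumed policy: longest acceptable token lifetime
STALE_AFTER = 30 * DAY    # assumed policy: unused this long means review

# Constructed samples, shaped like the list responses documented on this page.
SCIM = {"items": [{"id": "scim_token_abc123", "name": "Okta SCIM",
                   "last_used_at": 1706054400, "created_at": 1705881600,
                   "expires_at": None}], "total": 1}
IAT = {"items": [{"id": "iat_abc123", "name": "Partner IAT", "uses_remaining": 5,
                  "max_uses": 10, "expires_at": 1706745600,
                  "created_at": 1705881600}], "total": 1}
API = {"items": [{"id": "api_token_abc123", "name": "CI/CD Pipeline",
                  "scopes": ["users:read", "users:write"],
                  "last_used_at": 1706054400, "created_at": 1705881600,
                  "expires_at": 1737417600}], "total": 1}


def audit(listing, now):
    """Return sorted (token id, finding) pairs for one list response."""
    findings = []
    for item in listing["items"]:
        tid, exp = item["id"], item.get("expires_at")
        if exp is None:
            findings.append((tid, "never expires"))
        elif exp <= now:
            findings.append((tid, "expired but still listed"))
        elif exp - item["created_at"] > MAX_LIFETIME:
            findings.append((tid, "lifetime exceeds policy"))
        if "last_used_at" in item:  # IAT entries carry no last_used_at
            last = item["last_used_at"]
            if last is None or now - last > STALE_AFTER:
                findings.append((tid, "stale or never used"))
        if any(s.endswith(":write") for s in item.get("scopes", [])):
            findings.append((tid, "holds a write scope"))
        live = exp is None or exp > now
        if live and item.get("uses_remaining", 0) > 0:
            findings.append((tid, "registration uses still open"))
    return sorted(findings)


if __name__ == "__main__":
    NOW = 1706140800  # constructed "current time"
    for listing in (SCIM, IAT, API):
        for tid, finding in audit(listing, NOW):
            print(f"{tid}: {finding}")
```

Each finding maps to an action available on this page: delete the token via its DELETE endpoint, or recreate it with a shorter expires_in.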

Create API Token

Create a new Admin API token.

Endpoint

POST /api/admin/api-tokens

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Token name |
| scopes | string[] | Yes | Permission scopes |
| expires_in | integer | - | Validity period (seconds) |

Request Example

curl -X POST "https://{tenant-domain}/api/admin/api-tokens" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Automation Script",
    "scopes": ["users:read", "audit:read"],
    "expires_in": 31536000
  }'

Response Example

{
  "id": "api_token_xyz789",
  "name": "Automation Script",
  "token": "api_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "scopes": ["users:read", "audit:read"],
  "expires_at": 1737676800,
  "created_at": 1706140800
}

Delete API Token

Delete an API token.

Endpoint

DELETE /api/admin/api-tokens/:id

Request Example

curl -X DELETE "https://{tenant-domain}/api/admin/api-tokens/api_token_abc123" \
  -H "Authorization: Bearer {token}"