IDAAS core
Getting started with the OneWelcome Identity Platform
Manage administrators
Authentication
- Authentication FAQ
- Password migration
Events
- Public event payload taxonomy
- Export events
IDAAS core - Access
- Securing resources
- Client authentication methods
- Client application configuration
  - Scope configuration
  - Identity providers
  - Resource gateway configuration
  - Scopes API
  - Scope Verification Service
  - Identity provider API
  - Protected data in single-page apps
- OAuth 2.0 and OpenID Connect
  - OpenID Connect
  - OpenID Connect authentication
  - OpenID Connect scopes and claims
  - User claims and attributes
  - OpenID provider configuration
  - ID token encryption
  - Web clients
    - Resource owner password credentials
    - Uniquely identify guests
    - Migration of web clients with hashed secrets
    - Web clients API
  - Tokens
    - Access tokens
    - ID tokens
    - Refresh tokens
    - Access token API
    - Token introspection API
  - iFrame session monitoring
    - Relying party iFrame
    - End session API
    - Session management APIs
  - OAuth endpoints
  - OAuth configuration
  - Discovery API
  - JSON Web Key Set API
  - User information API
  - OAuth consent API
  - OAuth Token Exchange
- SAML Applications
- Custom authenticators
- General system properties
  - Configure system features
  - Session configuration
  - CORS support
  - Extension engine properties
  - SAML service provider configuration
  - API clients API
  - Responsible disclosure policy
- Access events
  - Audit events
  - Audit log
  - Events API
  - Security events
- Web hooks
  - Web hooks configuration API
- User session API
IDAAS core - Tulip
- Tenants and brands
- Identity store and data model
  - SCIM API
  - SCIM schemas
  - SCIM user management
  - SCIM user attributes
  - SCIM API versions
- Credential store
  - Email address management
  - Password management
  - Password policies
- OAuth 2.0 and OpenID Connect
  - OAuth 2.0 and OpenID Connect setup
  - Device flow
  - OAuth client authentication methods
  - Proof Key for Code Exchange
  - Step-up authentication
  - OAuth 2.0 and OpenID Connect API
  - Dynamic client registration API
  - OAuth OIDC error handling
- Account lockout
- Session management
- Event store
- API rules
- Reports
- Email overview
- Core administration experience
  - Audit logs
- Locales and languages
Assurance levels
Customize the user interface

Access token API

The access token API provides access token management capabilities. The token endpoints are only accessible with valid API client credentials. A web application can use these endpoints to list or delete active tokens for a specific user. For example, the web application can show the user a list of devices with authenticated sessions, and allow the user to revoke access for a device (by deleting the corresponding token).

List access tokens

Endpoint: GET /oauth/api/v1/users/{userId}/tokens

Parameter	Description
`userId`	User identifier

This endpoint requires basic authentication, using the API client credentials. If the user does not exist, or if the user has no valid access tokens, a 404 Not Found message is returned. If the user has one or more valid tokens, an array is returned with the following attributes.

Attribute	Description
`id`	UUID identifying the token.
`client_name`	Name specified for the client that has access to the user's resources via this token.
`device_name`	Name of the device that this token is granted to. It might be not present, because this attribute only contains a value if there is a dynamically registered client.
`created_at`	Timestamp of the moment the access token was created.
`scopes`	String array with scopes that were granted for this access token.
`type`	The authentication method to be used with this access token.
`refresh_token_issued`	Indicates whether a refresh token has been issued alongside the access token.
`expired`	Indicates whether the access token has expired. Tokens without an issued refresh token are omitted from the response after they expire.

Example response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "tokens": [
    {
      "id": "7d507b7e-6221-4f06-a75e-ef6e6f06d32b",
      "client_name": "Client X",
      "device_name": "my iPad",
      "created_at": 1381322054000,
      "scopes": [
        "email",
        "profile"
      ],
      "type":"DEFAULT",
      "refresh_token_issued": true,
      "expired": false
    },
    {
      "id": "1c05119e-21b2-4905-bc93-8f67790a16d6",
      "client_name": "Client Y",
      "created_at": 1381321302000,
      "scopes": [
        "email"
      ],
      "type":"FINGER_PRINT",
      "refresh_token_issued": true,
      "expired": false
    }
  ]
 }

Example error response

{
  "error": "No tokens found"
}

Delete or revoke access token

Endpoint: DELETE /oauth/api/v1/users/{userId}/tokens/{tokenId}

Parameter	Description
`userId`	Identifier of the user
`tokenId`	Identifier of the access token

This endpoint requires basic authentication, using the API client credentials. This endpoint returns a 204 No Content message regardless of whether the user or token existed before deletion.

Suggest A Change

Access token API

List access tokens

Delete or revoke access token

On this page