core_transactional_applications_update

PUT /api/v3//core/transactional/applications/

Convert data into a blueprint, validate it and apply it

Request

application/json

Body

required

app

object

required

provider_model ProviderModelEnum (string)required

Possible values: [authentik_providers_google_workspace.googleworkspaceprovider, authentik_providers_ldap.ldapprovider, authentik_providers_microsoft_entra.microsoftentraprovider, authentik_providers_oauth2.oauth2provider, authentik_providers_proxy.proxyprovider, authentik_providers_rac.racprovider, authentik_providers_radius.radiusprovider, authentik_providers_saml.samlprovider, authentik_providers_scim.scimprovider]

provider

object

required

oneOf

GoogleWorkspaceProvider Serializer

name stringrequired

Possible values: non-empty

property_mappings uuid[]

property_mappings_group uuid[]

Property mappings used for group creation/updating.

delegated_subject emailrequired

Possible values: non-empty and <= 254 characters

credentials required

scopes string

Possible values: non-empty

exclude_users_service_account boolean

filter_group uuidnullable

user_delete_action OutgoingSyncDeleteAction (string)

Possible values: [do_nothing, delete, suspend]

group_delete_action OutgoingSyncDeleteAction (string)

Possible values: [do_nothing, delete, suspend]

default_group_email_domain stringrequired

Possible values: non-empty

LDAPProvider Serializer

name stringrequired

Possible values: non-empty

authentication_flow uuidnullable

Flow used for authentication when the associated application is accessed by an un-authenticated user.

authorization_flow uuidrequired

Flow used when authorizing this provider.

property_mappings uuid[]

base_dn string

Possible values: non-empty

DN under which objects are accessible.

certificate uuidnullable

tls_server_name string

uid_start_number integer

Possible values: >= -2147483648 and <= 2147483647

The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber

gid_start_number integer

Possible values: >= -2147483648 and <= 2147483647

The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber

search_mode LDAPAPIAccessMode (string)

Possible values: [direct, cached]

bind_mode LDAPAPIAccessMode (string)

Possible values: [direct, cached]

mfa_support boolean

When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.

MicrosoftEntraProvider Serializer

name stringrequired

Possible values: non-empty

property_mappings uuid[]

property_mappings_group uuid[]

Property mappings used for group creation/updating.

client_id stringrequired

Possible values: non-empty

client_secret stringrequired

Possible values: non-empty

tenant_id stringrequired

Possible values: non-empty

exclude_users_service_account boolean

filter_group uuidnullable

user_delete_action OutgoingSyncDeleteAction (string)

Possible values: [do_nothing, delete, suspend]

group_delete_action OutgoingSyncDeleteAction (string)

Possible values: [do_nothing, delete, suspend]

OAuth2Provider Serializer

name stringrequired

Possible values: non-empty

authentication_flow uuidnullable

Flow used for authentication when the associated application is accessed by an un-authenticated user.

authorization_flow uuidrequired

Flow used when authorizing this provider.

property_mappings uuid[]

client_type ClientTypeEnum (string)

Possible values: [confidential, public]

client_id string

Possible values: non-empty and <= 255 characters

client_secret string

Possible values: <= 255 characters

access_code_validity string

Possible values: non-empty

Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).

access_token_validity string

Possible values: non-empty

Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).

refresh_token_validity string

Possible values: non-empty

Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).

include_claims_in_id_token boolean

Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.

signing_key uuidnullable

Key used to sign the tokens. Only required when JWT Algorithm is set to RS256.

redirect_uris

object[]

required

sub_mode SubModeEnum (string)

Possible values: [hashed_user_id, user_id, user_uuid, user_username, user_email, user_upn]

issuer_mode IssuerModeEnum (string)

Possible values: [global, per_provider]

jwks_sources uuid[]

ProxyProvider Serializer

name stringrequired

Possible values: non-empty

authentication_flow uuidnullable

Flow used for authentication when the associated application is accessed by an un-authenticated user.

authorization_flow uuidrequired

Flow used when authorizing this provider.

property_mappings uuid[]

internal_host uri

external_host urirequired

Possible values: non-empty

internal_host_ssl_validation boolean

Validate SSL Certificates of upstream servers

certificate uuidnullable

skip_path_regex string

Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression.

basic_auth_enabled Set HTTP-Basic Authentication (boolean)

Set a custom HTTP-Basic Authentication header based on values from authentik.

basic_auth_password_attribute HTTP-Basic Password Key (string)

User/Group Attribute used for the password part of the HTTP-Basic Header.

basic_auth_user_attribute HTTP-Basic Username Key (string)

User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.

mode ProxyMode (string)

Possible values: [proxy, forward_single, forward_domain]

intercept_header_auth boolean

When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

cookie_domain string

jwks_sources uuid[]

access_token_validity string

Possible values: non-empty

Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).

refresh_token_validity string

Possible values: non-empty

Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).

RACProvider Serializer

name stringrequired

Possible values: non-empty

authentication_flow uuidnullable

Flow used for authentication when the associated application is accessed by an un-authenticated user.

authorization_flow uuidrequired

Flow used when authorizing this provider.

property_mappings uuid[]

settings

connection_expiry string

Possible values: non-empty

Determines how long a session lasts. Default of 0 means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)

delete_token_on_disconnect boolean

When set to true, connection tokens will be deleted upon disconnect.

RadiusProvider Serializer

name stringrequired

Possible values: non-empty

authentication_flow uuidnullable

Flow used for authentication when the associated application is accessed by an un-authenticated user.

authorization_flow uuidrequired

Flow used when authorizing this provider.

property_mappings uuid[]

client_networks string

Possible values: non-empty

List of CIDRs (comma-separated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.

shared_secret string

Possible values: non-empty

Shared secret between clients and server to hash packets.

mfa_support boolean

SAMLProvider Serializer

name stringrequired

Possible values: non-empty

authentication_flow uuidnullable

Flow used for authentication when the associated application is accessed by an un-authenticated user.

authorization_flow uuidrequired

Flow used when authorizing this provider.

property_mappings uuid[]

acs_url urirequired

Possible values: non-empty and <= 200 characters

audience string

Value of the audience restriction field of the assertion. When left empty, no audience restriction will be added.

issuer string

Possible values: non-empty

Also known as EntityID

assertion_valid_not_before string

Possible values: non-empty

Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3).

assertion_valid_not_on_or_after string

Possible values: non-empty

Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).

session_valid_not_on_or_after string

Possible values: non-empty

Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).

name_id_mapping uuidnullable

Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be considered

digest_algorithm DigestAlgorithmEnum (string)

Possible values: [http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512]

signature_algorithm SignatureAlgorithmEnum (string)

Possible values: [http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, http://www.w3.org/2000/09/xmldsig#dsa-sha1]

signing_kp uuidnullable

Keypair used to sign outgoing Responses going to the Service Provider.

verification_kp uuidnullable

When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.

encryption_kp uuidnullable

When selected, incoming assertions are encrypted by the IdP using the public key of the encryption keypair. The assertion is decrypted by the SP using the the private key.

sign_assertion boolean

sign_response boolean

sp_binding SpBindingEnum (string)

Possible values: [redirect, post]

default_relay_state string

Default relay_state value for IDP-initiated logins

SCIMProvider Serializer

name stringrequired

Possible values: non-empty

property_mappings uuid[]

property_mappings_group uuid[]

Property mappings used for group creation/updating.

url stringrequired

Possible values: non-empty

Base URL to SCIM requests, usually ends in /v2

token stringrequired

Possible values: non-empty

Authentication token

exclude_users_service_account boolean

filter_group uuidnullable

Responses

application/json

Schema
Example (from schema)

Schema

applied booleanrequired

logs string[]required

{
  "applied": true,
  "logs": [
    "string"
  ]
}

application/json

Schema
Example (from schema)

Schema

non_field_errors string[]

code string

property name* any

Validation Error

{
  "non_field_errors": [
    "string"
  ],
  "code": "string"
}

application/json

Schema
Example (from schema)

Schema

detail stringrequired

code string

{
  "detail": "string",
  "code": "string"
}

CURL

curl -L -X PUT '/api/v3/core/transactional/applications/' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "app": {
    "name": "string",
    "slug": "string",
    "provider": 0,
    "backchannel_providers": [
      0
    ],
    "open_in_new_tab": true,
    "meta_launch_url": "string",
    "meta_description": "string",
    "meta_publisher": "string",
    "policy_engine_mode": "all",
    "group": "string"
  },
  "provider_model": "authentik_providers_google_workspace.googleworkspaceprovider",
  "provider": {
    "name": "string",
    "property_mappings": [
      "3fa85f64-5717-4562-b3fc-2c963f66afa6"
    ],
    "property_mappings_group": [
      "3fa85f64-5717-4562-b3fc-2c963f66afa6"
    ],
    "delegated_subject": "[email protected]",
    "credentials": {},
    "scopes": "string",
    "exclude_users_service_account": true,
    "filter_group": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "user_delete_action": "do_nothing",
    "group_delete_action": "do_nothing",
    "default_group_email_domain": "string"
  }
}'

Base URL

/api/v3

Auth

Bearer Token

Body required

{
  "app": {
    "name": "string",
    "slug": "string",
    "provider": 0,
    "backchannel_providers": [
      0
    ],
    "open_in_new_tab": true,
    "meta_launch_url": "string",
    "meta_description": "string",
    "meta_publisher": "string",
    "policy_engine_mode": "all",
    "group": "string"
  },
  "provider_model": "authentik_providers_google_workspace.googleworkspaceprovider",
  "provider": {
    "name": "string",
    "property_mappings": [
      "3fa85f64-5717-4562-b3fc-2c963f66afa6"
    ],
    "property_mappings_group": [
      "3fa85f64-5717-4562-b3fc-2c963f66afa6"
    ],
    "delegated_subject": "[email protected]",
    "credentials": {},
    "scopes": "string",
    "exclude_users_service_account": true,
    "filter_group": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "user_delete_action": "do_nothing",
    "group_delete_action": "do_nothing",
    "default_group_email_domain": "string"
  }
}

core_transactional_applications_update

/api/v3//core/transactional/applications/

Request​

Body

Responses​

Request

Responses