Modules§
- api_key
- api_
key_ rid - authorization_
request - claim
- create_
api_ key_ request - create_
api_ key_ response - get_
access_ token_ from_ api_ key_ request - get_
access_ token_ request - get_
access_ token_ response - get_
idp_ end_ session_ endpoint_ request - get_
idp_ end_ session_ endpoint_ response - get_
user_ orgs_ request - get_
user_ orgs_ response - is_
email_ allowed_ request - is_
email_ allowed_ response - issue_
sandbox_ token_ request - issue_
sandbox_ token_ response - list_
api_ key_ request - list_
api_ key_ response - okta_
registration_ error - okta_
registration_ error_ cause - okta_
registration_ event_ data - okta_
registration_ request - okta_
registration_ response - okta_
registration_ status - okta_
registration_ user_ profile - okta_
update_ action_ command - okta_
update_ action_ value - refresh_
access_ token_ request - refresh_
access_ token_ response - register_
in_ workspace_ request - set_
user_ org_ request
Structs§
- ApiKey
- ApiKey
Rid - Authorization
Request - Create
ApiKey Request - Create
ApiKey Response - GetAccess
Token From ApiKey Request - GetAccess
Token Request - We accept an OIDC ID token issued by a trusted identity provider as proof of authentication. The ID token is validated and exchanged for a Nominal access token with a 24h expiry. This ID token should generally be short lived since it is fungible with a Nominal access token via this endpoint. An access token, if provided, is used to get user information from the OIDC userinfo endpoint. A workspace rid or an org rid should be provided if the user is a guest or a member of multiple orgs. These will be resolved to determine what org the Nominal token should be minted for.
- GetAccess
Token Response - GetIdp
EndSession Endpoint Request - We use an OIDC id token issued by a trusted identity provider to access the end session endpoint. This is only used to get the issuer
- GetIdp
EndSession Endpoint Response - GetUser
Orgs Request - We use the claims in the id + access token to determine which orgs the user belongs to.
- GetUser
Orgs Response - IsEmail
Allowed Request - IsEmail
Allowed Response - Issue
Sandbox Token Request - Request a short-lived bearer token for the sandbox workspace configured on the gatekeeper service. Intended for in-cluster integration test runners.
- Issue
Sandbox Token Response - List
ApiKey Request - List
ApiKey Response - Okta
Registration Error - Okta inline hook error object displayed to the end user when registration is denied. Custom messages are surfaced from errorCauses[].errorSummary with a location pointing at a user profile attribute; the top-level errorSummary alone is not shown to users.
- Okta
Registration Error Cause - Okta
Registration Event Data - Okta
Registration Request - Okta
Registration Response - Okta
Registration User Profile - Okta
Update Action Command - Okta
Update Action Value - Refresh
Access Token Request - We accept an OIDC access token issued by a trusted identity provider to refresh a Nominal access token. The access token is validated and exchanged for a Nominal access token. To be used in this endpoint, the OIDC access token must contain an email claim. The org rid from the expiring session should be provided. It is required for guest users and multi-org users to determine what org the Nominal token should be minted for.
- Refresh
Access Token Response - Register
InWorkspace Request - SetUser
OrgRequest - Switch the authenticated session to the provided org rid. The user must belong to that org. Returns a new Nominal access token scoped to the org, with expiry bounded by the current token’s remaining lifetime (capped at 24h).