ForgeRock

ForgeRock Identity Cloud REST API

REST API for managing identities, authentication, and authorization in ForgeRock Identity Cloud, providing access management and identity management endpoints for Advanced Identity Cloud tenant environments.

GitHub OpenAPI

Documentation

📖
Documentation
https://backstage.forgerock.com/docs/idcloud/latest/
📖
APIReference
https://apidocs.id.forgerock.io/
📖
GettingStarted
https://backstage.forgerock.com/docs/idcloud/latest/home.html
📖
Authentication
https://backstage.forgerock.com/docs/idcloud/latest/developer-docs/authenticate-to-rest-api-overview.html

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/openapi/forgerock-identity-cloud-openapi.yml
OpenAPI
https://backstage.forgerock.com/docs/idcloud/latest/openapi/

Other Resources

🔗
SDKs
https://backstage.forgerock.com/docs/idcloud/latest/end-user/sdks.html
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-cloud-authentication.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-cloud-managed-roles.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-cloud-managed-users.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-cloud-oauth2-clients.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-cloud-server-info.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-cloud-sessions.yaml

OpenAPI Specification

forgerock-identity-cloud-openapi.yml Raw ↑ 
openapi: 3.1.0
info:
  title: ForgeRock Identity Cloud REST API
  description: >-
    REST API for managing identities, authentication, and authorization in
    ForgeRock Identity Cloud (PingOne Advanced Identity Cloud). Provides access
    management and identity management endpoints for Advanced Identity Cloud
    tenant environments, including authentication journeys, session management,
    managed object CRUD, OAuth 2.0 and OpenID Connect flows.
  version: 1.0.0
  contact:
    name: ForgeRock
    url: https://www.forgerock.com
  license:
    name: Proprietary
    url: https://www.forgerock.com/terms
  x-provider: forgerock
  x-api: identity-cloud

servers:
  - url: https://{tenant}.forgeblocks.com
    description: ForgeRock Identity Cloud tenant
    variables:
      tenant:
        default: mycompany
        description: The tenant identifier for your Identity Cloud environment

security:
  - bearerAuth: []
  - apiKeyAuth: []

tags:
  - name: Authentication
    description: Authenticate users through authentication trees (journeys)
  - name: Managed Roles
    description: CRUD operations on managed role objects
  - name: Managed Users
    description: CRUD operations on managed user objects
  - name: OAuth2 Clients
    description: Manage OAuth 2.0 client registrations
  - name: Server Info
    description: Retrieve server information and configuration

  - name: Sessions
    description: Manage authenticated sessions
paths:
  /am/json/realms/root/realms/{realm}/authenticate:
    post:
      operationId: authenticateUser
      summary: ForgeRock Authenticate a user
      description: >-
        Initiates or continues an authentication journey (tree) in the specified
        realm. Returns callbacks that the client must respond to, or a tokenId
        on successful completion of the journey.
      tags:
        - Authentication
      parameters:
        - $ref: '#/components/parameters/RealmPath'
        - name: authIndexType
          in: query
          description: The type of authentication index to use (e.g., service, module)
          schema:
            type: string
            enum:
              - service
              - module
              - resource
              - level
        - name: authIndexValue
          in: query
          description: The value of the authentication index (e.g., the tree/journey name)
          schema:
            type: string
        - name: Accept-API-Version
          in: header
          required: true
          description: API version protocol header
          schema:
            type: string
            default: resource=2.0,protocol=1.0
      requestBody:
        description: Callback responses from a previous authentication step
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthenticationRequest'
      responses:
        '200':
          description: >-
            Authentication step response containing callbacks or a successful
            authentication result with tokenId
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthenticationResponse'
        '401':
          description: Authentication failed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /am/json/realms/root/realms/{realm}/sessions:
    post:
      operationId: manageSessions
      summary: ForgeRock Perform session actions
      description: >-
        Perform actions on sessions such as getting session info, refreshing
        idle timeout, or logging out. The action is specified via the _action
        query parameter.
      tags:
        - Sessions
      parameters:
        - $ref: '#/components/parameters/RealmPath'
        - name: _action
          in: query
          required: true
          description: The action to perform on the session
          schema:
            type: string
            enum:
              - getSessionInfo
              - refresh
              - logout
              - validate
        - name: Accept-API-Version
          in: header
          required: true
          description: API version protocol header
          schema:
            type: string
            default: resource=2.0,protocol=1.0
      requestBody:
        description: Session token identifier
        content:
          application/json:
            schema:
              type: object
              properties:
                tokenId:
                  type: string
                  description: The SSO token ID for the session
      responses:
        '200':
          description: Session action completed successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SessionInfo'
        '401':
          description: Session is invalid or expired
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /openidm/managed/{realm}_user:
    get:
      operationId: listManagedUsers
      summary: ForgeRock List managed users
      description: >-
        Query managed user objects in the specified realm. Supports filtering,
        sorting, and pagination through query parameters.
      tags:
        - Managed Users
      parameters:
        - $ref: '#/components/parameters/RealmName'
        - $ref: '#/components/parameters/QueryFilter'
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PagedResultsOffset'
        - $ref: '#/components/parameters/SortKeys'
        - $ref: '#/components/parameters/Fields'
      responses:
        '200':
          description: List of managed users
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedUserList'
        '403':
          description: Forbidden - insufficient permissions
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    post:
      operationId: createManagedUser
      summary: ForgeRock Create a managed user
      description: >-
        Create a new managed user object in the specified realm. The user object
        must include required properties such as userName.
      tags:
        - Managed Users
      parameters:
        - $ref: '#/components/parameters/RealmName'
      requestBody:
        required: true
        description: The managed user object to create
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ManagedUser'
      responses:
        '201':
          description: Managed user created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedUser'
        '400':
          description: Bad request - invalid user data
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '409':
          description: Conflict - user already exists
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /openidm/managed/{realm}_user/{userId}:
    get:
      operationId: getManagedUser
      summary: ForgeRock Get a managed user
      description: >-
        Retrieve a specific managed user object by its identifier from the
        specified realm.
      tags:
        - Managed Users
      parameters:
        - $ref: '#/components/parameters/RealmName'
        - $ref: '#/components/parameters/UserId'
        - $ref: '#/components/parameters/Fields'
      responses:
        '200':
          description: The managed user object
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedUser'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    put:
      operationId: updateManagedUser
      summary: ForgeRock Replace a managed user
      description: >-
        Replace an entire managed user object. The request body must contain
        the complete user representation.
      tags:
        - Managed Users
      parameters:
        - $ref: '#/components/parameters/RealmName'
        - $ref: '#/components/parameters/UserId'
        - name: If-Match
          in: header
          description: Revision identifier for optimistic concurrency control
          schema:
            type: string
            default: '*'
      requestBody:
        required: true
        description: The complete managed user object
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ManagedUser'
      responses:
        '200':
          description: Managed user updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedUser'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '412':
          description: Precondition failed - revision mismatch
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    patch:
      operationId: patchManagedUser
      summary: ForgeRock Patch a managed user
      description: >-
        Partially update a managed user object using JSON Patch operations.
      tags:
        - Managed Users
      parameters:
        - $ref: '#/components/parameters/RealmName'
        - $ref: '#/components/parameters/UserId'
        - name: If-Match
          in: header
          description: Revision identifier for optimistic concurrency control
          schema:
            type: string
            default: '*'
      requestBody:
        required: true
        description: JSON Patch operations to apply
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchOperations'
      responses:
        '200':
          description: Managed user patched successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedUser'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    delete:
      operationId: deleteManagedUser
      summary: ForgeRock Delete a managed user
      description: >-
        Delete a managed user object from the specified realm.
      tags:
        - Managed Users
      parameters:
        - $ref: '#/components/parameters/RealmName'
        - $ref: '#/components/parameters/UserId'
        - name: If-Match
          in: header
          description: Revision identifier for optimistic concurrency control
          schema:
            type: string
            default: '*'
      responses:
        '200':
          description: Managed user deleted successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedUser'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /openidm/managed/{realm}_role:
    get:
      operationId: listManagedRoles
      summary: ForgeRock List managed roles
      description: >-
        Query managed role objects in the specified realm. Supports filtering,
        sorting, and pagination.
      tags:
        - Managed Roles
      parameters:
        - $ref: '#/components/parameters/RealmName'
        - $ref: '#/components/parameters/QueryFilter'
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PagedResultsOffset'
        - $ref: '#/components/parameters/Fields'
      responses:
        '200':
          description: List of managed roles
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedRoleList'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    post:
      operationId: createManagedRole
      summary: ForgeRock Create a managed role
      description: Create a new managed role object in the specified realm.
      tags:
        - Managed Roles
      parameters:
        - $ref: '#/components/parameters/RealmName'
      requestBody:
        required: true
        description: The managed role object to create
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ManagedRole'
      responses:
        '201':
          description: Managed role created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedRole'
        '400':
          description: Bad request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /openidm/managed/{realm}_role/{roleId}:
    get:
      operationId: getManagedRole
      summary: ForgeRock Get a managed role
      description: Retrieve a specific managed role object by its identifier.
      tags:
        - Managed Roles
      parameters:
        - $ref: '#/components/parameters/RealmName'
        - name: roleId
          in: path
          required: true
          description: The unique identifier of the managed role
          schema:
            type: string
      responses:
        '200':
          description: The managed role object
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedRole'
        '404':
          description: Role not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /am/json/realms/root/realms/{realm}/serverinfo/*:
    get:
      operationId: getServerInfo
      summary: ForgeRock Get server information
      description: >-
        Retrieve server information including supported features, cookie name,
        and realm configuration.
      tags:
        - Server Info
      parameters:
        - $ref: '#/components/parameters/RealmPath'
      responses:
        '200':
          description: Server information
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServerInfo'

  /am/oauth2/realms/root/realms/{realm}/authorize:
    get:
      operationId: authorizeOAuth2
      summary: ForgeRock OAuth 2.0 authorization endpoint
      description: >-
        Initiates an OAuth 2.0 authorization flow. Redirects the user agent to
        the authorization server for authentication and consent.
      tags:
        - OAuth2 Clients
      parameters:
        - $ref: '#/components/parameters/RealmPath'
        - name: client_id
          in: query
          required: true
          description: The OAuth 2.0 client identifier
          schema:
            type: string
        - name: response_type
          in: query
          required: true
          description: The OAuth 2.0 response type
          schema:
            type: string
            enum:
              - code
              - token
              - id_token
              - code token
              - code id_token
        - name: redirect_uri
          in: query
          required: true
          description: The URI to redirect to after authorization
          schema:
            type: string
            format: uri
        - name: scope
          in: query
          description: Space-delimited list of requested scopes
          schema:
            type: string
        - name: state
          in: query
          description: Opaque value to maintain state between request and callback
          schema:
            type: string
      responses:
        '302':
          description: Redirect to login or consent page
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /am/oauth2/realms/root/realms/{realm}/access_token:
    post:
      operationId: getAccessToken
      summary: ForgeRock OAuth 2.0 token endpoint
      description: >-
        Exchange an authorization code, refresh token, or client credentials
        for an access token.
      tags:
        - OAuth2 Clients
      parameters:
        - $ref: '#/components/parameters/RealmPath'
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
              properties:
                grant_type:
                  type: string
                  description: The OAuth 2.0 grant type
                  enum:
                    - authorization_code
                    - client_credentials
                    - refresh_token
                    - password
                    - urn:ietf:params:oauth:grant-type:device_code
                code:
                  type: string
                  description: Authorization code (for authorization_code grant)
                redirect_uri:
                  type: string
                  description: Redirect URI (must match the authorization request)
                refresh_token:
                  type: string
                  description: Refresh token (for refresh_token grant)
                scope:
                  type: string
                  description: Requested scopes
                username:
                  type: string
                  description: Resource owner username (for password grant)
                password:
                  type: string
                  description: Resource owner password (for password grant)
      responses:
        '200':
          description: Token response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          description: Invalid grant or request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthErrorResponse'
        '401':
          description: Invalid client credentials
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthErrorResponse'

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        OAuth 2.0 access token obtained from the token endpoint. Required for
        access management and identity management operations.
    apiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key
      description: >-
        API key for tenant read-only operations. Used together with
        x-api-secret header.

  parameters:
    RealmPath:
      name: realm
      in: path
      required: true
      description: The realm name (e.g., alpha, bravo)
      schema:
        type: string
        default: alpha
    RealmName:
      name: realm
      in: path
      required: true
      description: The realm name prefix for managed objects (e.g., alpha, bravo)
      schema:
        type: string
        default: alpha
    UserId:
      name: userId
      in: path
      required: true
      description: The unique identifier of the managed user
      schema:
        type: string
    QueryFilter:
      name: _queryFilter
      in: query
      description: >-
        CREST query filter expression (e.g., userName eq "jdoe" or true for all)
      schema:
        type: string
    PageSize:
      name: _pageSize
      in: query
      description: Number of results to return per page
      schema:
        type: integer
        minimum: 1
    PagedResultsOffset:
      name: _pagedResultsOffset
      in: query
      description: Offset for paginated results
      schema:
        type: integer
        minimum: 0
    SortKeys:
      name: _sortKeys
      in: query
      description: Comma-separated list of fields to sort by (prefix with - for descending)
      schema:
        type: string
    Fields:
      name: _fields
      in: query
      description: Comma-separated list of fields to include in the response
      schema:
        type: string

  schemas:
    AuthenticationRequest:
      type: object
      description: Authentication callback response payload
      properties:
        authId:
          type: string
          description: Authentication session identifier from the previous step
        callbacks:
          type: array
          description: Completed callback responses
          items:
            $ref: '#/components/schemas/Callback'

    AuthenticationResponse:
      type: object
      description: Authentication step result
      properties:
        authId:
          type: string
          description: Authentication session identifier for the next step
        tokenId:
          type: string
          description: SSO token ID returned on successful authentication
        successUrl:
          type: string
          description: URL to redirect to after successful authentication
        realm:
          type: string
          description: The realm in which authentication occurred
        callbacks:
          type: array
          description: Callbacks requiring user input
          items:
            $ref: '#/components/schemas/Callback'

    Callback:
      type: object
      description: An authentication callback
      properties:
        type:
          type: string
          description: The callback type
          examples:
            - NameCallback
            - PasswordCallback
            - ChoiceCallback
            - TextOutputCallback
        output:
          type: array
          description: Output values from the server
          items:
            type: object
            properties:
              name:
                type: string
              value:
                description: The output value
        input:
          type: array
          description: Input values to be provided by the client
          items:
            type: object
            properties:
              name:
                type: string
              value:
                description: The input value

    SessionInfo:
      type: object
      description: Session information
      properties:
        username:
          type: string
          description: The username of the session owner
        universalId:
          type: string
          description: Universal identifier for the session owner
        realm:
          type: string
          description: The realm the session belongs to
        latestAccessTime:
          type: string
          format: date-time
          description: Most recent access time for the session
        maxIdleExpirationTime:
          type: string
          format: date-time
          description: Time at which the session will expire due to inactivity
        maxSessionExpirationTime:
          type: string
          format: date-time
          description: Maximum session expiration time
        properties:
          type: object
          description: Session properties
          additionalProperties:
            type: string

    ManagedUser:
      type: object
      description: A managed user identity object
      properties:
        _id:
          type: string
          description: Unique identifier
          readOnly: true
        _rev:
          type: string
          description: Object revision for concurrency control
          readOnly: true
        userName:
          type: string
          description: Unique login username
        givenName:
          type: string
          description: First name
        sn:
          type: string
          description: Last name (surname)
        mail:
          type: string
          format: email
          description: Email address
        telephoneNumber:
          type: string
          description: Phone number
        password:
          type: string
          format: password
          description: Password (write-only)
          writeOnly: true
        accountStatus:
          type: string
          description: Account status
          enum:
            - active
            - inactive
        effectiveRoles:
          type: array
          description: Computed effective roles
          readOnly: true
          items:
            type: object
        effectiveAssignments:
          type: array
          description: Computed effective assignments
          readOnly: true
          items:
            type: object

    ManagedUserList:
      type: object
      description: Paginated list of managed users
      properties:
        result:
          type: array
          items:
            $ref: '#/components/schemas/ManagedUser'
        resultCount:
          type: integer
          description: Number of results in this page
        pagedResultsCookie:
          type: string
          description: Cookie for fetching the next page
        totalPagedResultsPolicy:
          type: string
          description: Policy for total result count
        totalPagedResults:
          type: integer
          description: Total number of results (-1 if unknown)
        remainingPagedResults:
          type: integer
          description: Remaining results after this page

    ManagedRole:
      type: object
      description: A managed role object
      properties:
        _id:
          type: string
          description: Unique identifier
          readOnly: true
        _rev:
          type: string
          description: Object revision
          readOnly: true
        name:
          type: string
          description: Role name
        description:
          type: string
          description: Role description
        condition:
          type: string
          description: Conditional role membership filter expression
        temporalConstraints:
          type: array
          description: Time-based constraints for role activation
          items:
            type: object
            properties:
              duration:
                type: string
                description: ISO 8601 time interval

    ManagedRoleList:
      type: object
      description: Paginated list of managed roles
      properties:
        result:
          type: array
          items:
            $ref: '#/components/schemas/ManagedRole'
        resultCount:
          type: integer
        pagedResultsCookie:
          type: string
        totalPagedResults:
          type: integer

    ServerInfo:
      type: object
      description: Server configuration information
      properties:
        cookieName:
          type: string
          description: Name of the SSO cookie
        domains:
          type: array
          items:
            type: string
          description: Cookie domains
        protectedUserAttributes:
          type: array
          items:
            type: string
        forgotPassword:
          type: string
        selfRegistration:
          type: string
        lang:
          type: string
        successfulUserRegistrationDestination:
          type: string
        socialImplementations:
          type: array
          items:
            type: object

    TokenResponse:
      type: object
      description: OAuth 2.0 token response
      properties:
        access_token:
          type: string
          description: The access token
        token_type:
          type: string
          description: Token type (e.g., Bearer)
        expires_in:
          type: integer
          description: Token lifetime in seconds
        refresh_token:
          type: string
          description: Refresh token (if applicable)
        scope:
          type: string
          description: Granted scopes
        id_token:
          type: string
          description: OpenID Connect ID token (if applicable)

    OAuthErrorResponse:
      type: object
      description: OAuth 2.0 error response
      properties:
        error:
          type: string
          description: Error code
        error_description:
          type: string
          description: Human-readable error description

    PatchOperations:
      type: array
      description: JSON Patch operations
      items:
        type: object
        required:
          - operation
          - field
        properties:
          operation:
            type: string
            description: The patch operation type
            enum:
              - add
              - remove
              - replace
              - increment
          field:
            type: string
            description: JSON pointer to the field to patch
          value:
            description: The value for add, replace, or increment operations

    ErrorResponse:
      type: object
      description: Standard error response
      properties:
        code:
          type: integer
          description: HTTP status code
        reason:
          type: string
          description: HTTP status reason phrase
        message:
          type: string
          description: Detailed error message