Retrieve Tenant Identity Configuration for current Org

GET

https://nico-rest-api.nico.svc.cluster.local/v2/org/:org/nico/site/:siteID/tenant-identity/config

GET

/v2/org/:org/nico/site/:siteID/tenant-identity/config

$ curl https://nico-rest-api.nico.svc.cluster.local/v2/org/org/nico/site/siteID/tenant-identity/config \
>      -H "Authorization: Bearer <token>" \
>      -H "Content-Type: application/json"

1 {
2   "org": "acme-corp",
3   "enabled": true,
4   "issuer": "https://auth.acme-corp.com/tenant-identity",
5   "defaultAudience": "https://api.acme-corp.com",
6   "allowedAudiences": [
7     "https://api.acme-corp.com",
8     "https://services.acme-corp.com"
9   ],
10   "tokenTtlSeconds": 3600,
11   "subjectPrefix": "spiffe://auth.acme-corp.com",
12   "signingKeys": [
13     {
14       "kid": "a1b2c3d4e5f6g7h8i9j0",
15       "alg": "ES256",
16       "currentSigner": true,
17       "expireAt": null
18     }
19   ],
20   "created": "2024-04-10T12:00:00Z",
21   "updated": "2024-05-01T08:30:00Z"
22 }

Retrieve the tenant identity configuration and signing key metadata.

User must have authorization role with TENANT_ADMIN suffix in the URL {org}.

The response reflects the stored configuration. Fields you omitted on PUT may be filled in by Core: allowedAudiences defaults to [defaultAudience], and subjectPrefix defaults to the issuer’s trust domain. signingKeys lists one entry normally, or two during a key-rotation overlap.

Retrieve the tenant identity configuration and signing key metadata. User must have authorization role with `TENANT_ADMIN` suffix in the URL `{org}`. The response reflects the stored configuration. Fields you omitted on PUT may be filled in by Core: `allowedAudiences` defaults to `[defaultAudience]`, and `subjectPrefix` defaults to the issuer's trust domain. `signingKeys` lists one entry normally, or two during a key-rotation overlap.

Authentication

AuthorizationBearer

export JWT_BEARER_TOKEN="<jwt-bearer-token>"
# Example org name: "acme-inc
export ORG_NAME=<org-name>
# Use the JWT bearer token in your API request auth header:
curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current

``` export JWT_BEARER_TOKEN="<jwt-bearer-token>" # Example org name: "acme-inc export ORG_NAME=<org-name> # Use the JWT bearer token in your API request auth header: curl -v -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $JWT_BEARER_TOKEN" https://nico-rest-api.nico.svc.cluster.local/v2/org/$ORG_NAME/nico/user/current ```

Path parameters

orgstringRequired

Name of the Org

siteIDstringRequiredformat: "uuid"

ID of the Site

Response

Tenant identity configuration retrieved

orgstring

Organization that owns the Tenant identity configuration

enabledboolean

Whether Tenant identity token delegation is enabled

issuerstring

Issuer URL for Tenant identity tokens

defaultAudiencestring

Default audience used for Tenant identity tokens

allowedAudienceslist of strings

Stored allowlist of audience strings. Always non-empty: when a PUT supplied an empty list, the Core gRPC API substituted [defaultAudience] before persisting. Issuance rejects audiences outside this list.

tokenTtlSecondsinteger

Lifetime of issued Tenant identity tokens, in seconds

subjectPrefixstring

SPIFFE ID prefix used in the JWT sub claim. When the PUT body omitted subjectPrefix, Core stored spiffe://<trust-domain-from-issuer> here, so the value returned by GET may differ from what was submitted.

signingKeyslist of objects

Per-org signing keys currently published in JWKS. Exactly one entry has currentSigner: true. During a rotation overlap window a second entry is present with currentSigner: false and a populated expireAt; once the overlap window elapses the Core gRPC API deletes the expired entry and only the current signer remains.

createddatetime

Date/time when the Tenant identity configuration was created

updateddatetime

Date/time when the Tenant identity configuration was last updated

Errors

400

Bad Request Error

403

Forbidden Error

404

Not Found Error

500

Internal Server Error

503

Service Unavailable Error