
PersonalAccessTokens

Use this API to implement personal access token (PAT) functionality. With this functionality in place, users can use PATs as an alternative to passwords for authentication in Identity Security Cloud.

PATs embed user information into the client ID and secret. This replaces the API clients' need to store and provide a username and password to establish a connection, improving Identity Security Cloud organizations' integration security.

In Identity Security Cloud, users can do the following to create and manage their PATs: Select the dropdown menu under their names, select Preferences, and then select Personal Access Tokens. They must then provide a description about the token's purpose. They can then select 'Create Token' at the bottom of the page to generate and view the Secret and Client ID.

Refer to Managing Personal Access Tokens for more information about PATs.

All URIs are relative to https://sailpoint.api.identitynow.com

| Method | HTTP request | Description |
| --- | --- | --- |
| New-PersonalAccessTokenV1 | POST /personal-access-tokens/v1 | Create personal access token |
| Remove-PersonalAccessTokenV1 | DELETE /personal-access-tokens/v1/{id} | Delete personal access token |
| Get-PersonalAccessTokensV1 | GET /personal-access-tokens/v1 | List personal access tokens |
| Update-PersonalAccessTokenV1 | PATCH /personal-access-tokens/v1/{id} | Patch personal access token |

create-personal-access-token-v1

This creates a personal access token.

expirationDate and userAwareTokenNeverExpires Relationship:

Important: When expirationDate is null or empty (not included in the request body), the token will never expire.

Required Validation: If expirationDate is null or empty, userAwareTokenNeverExpires must be set to true. This is a required validation rule.

The valid values for expirationDate depend on the value provided for userAwareTokenNeverExpires:

  • When userAwareTokenNeverExpires is true (or required to be true): expirationDate can be null or omitted from the request body. When expirationDate is null or empty, the token will never expire. This creates a PAT that never expires and serves as an explicit acknowledgment that the user is aware of the security implications of creating a non-expiring token.
  • When userAwareTokenNeverExpires is false or omitted: expirationDate must be provided and must be a valid date-time string representing a future date (there is no upper limit). expirationDate cannot be null in this case. In this scenario, userAwareTokenNeverExpires can be omitted.

Validation Rules:

  • If expirationDate is null or not included in the request body: userAwareTokenNeverExpires must be set to true (required). The token will never expire.
  • If expirationDate is provided and is not null: userAwareTokenNeverExpires can be omitted.

Security Considerations: The userAwareTokenNeverExpires field is designed to ensure that users explicitly acknowledge the security implications of creating tokens that never expire. Setting this field to true indicates that the user understands the increased security risks and has made an informed decision to proceed.

Note: The userAwareTokenNeverExpires field indicates that the user acknowledges they are creating a token that will never expire. It does not affect token behavior beyond indicating this acknowledgment.

API Spec

Parameters

| Param Type | Name | Data Type | Required | Description |
| --- | --- | --- | --- | --- |
| Body | Createpersonalaccesstokenrequest | Createpersonalaccesstokenrequest | True | Configuration for creating a personal access token, including name, scope, expiration settings, and user acknowledgment of never-expiring tokens. Important: See the endpoint description for validation rules regarding the relationship between expirationDate and userAwareTokenNeverExpires. |

Return type

Createpersonalaccesstokenresponse

Responses

| Code | Description | Data Type |
| --- | --- | --- |
| 200 | Created. Note: this is the only time the Personal Access Token's secret attribute will be displayed. | Createpersonalaccesstokenresponse |
| 400 | Client Error - Returned if the request body is invalid. | Errorresponsedto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListPersonalAccessTokensV1401Response |
| 403 | Forbidden - Returned if the user you are running as doesn't have access to this endpoint. | Errorresponsedto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time (rate limited). The Retry-After header in the response includes how long to wait before trying again. | ListPersonalAccessTokensV1429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | Errorresponsedto |

HTTP request headers

  • Content-Type: application/json
  • Accept: application/json

Example

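# Sample request body. The field names are the ones this page documents for the
# endpoint; the values are placeholders reused from the patch example below.
$Createpersonalaccesstokenrequest = @"
{
  "name": "New name",
  "scope": ["sp:scopes:all"],
  "expirationDate": "2027-12-31T23:59:59.999Z"
}
"@

# Create personal access token

try {
    $Result = ConvertFrom-JsonToCreatepersonalaccesstokenrequest -Json $Createpersonalaccesstokenrequest
    # The secret in the response is only returned by this call; capture it here.
    New-PersonalAccessTokenV1 -Createpersonalaccesstokenrequest $Result

    # Below is a request that includes all optional parameters
    # New-PersonalAccessTokenV1 -Createpersonalaccesstokenrequest $Result
} catch {
    Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling New-PersonalAccessTokenV1"
    Write-Host $_.ErrorDetails
}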


delete-personal-access-token-v1

This deletes a personal access token.

API Spec

Parameters

| Param Type | Name | Data Type | Required | Description |
| --- | --- | --- | --- | --- |
| Path | Id | String | True | The personal access token id |

Return type

(empty response body)

Responses

| Code | Description | Data Type |
| --- | --- | --- |
| 204 | No content. | |
| 400 | Client Error - Returned if the request body is invalid. | Errorresponsedto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListPersonalAccessTokensV1401Response |
| 403 | Forbidden - Returned if the user you are running as doesn't have access to this endpoint. | Errorresponsedto |
| 404 | Not Found - Returned if the request URL refers to a resource or object that does not exist. | Errorresponsedto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time (rate limited). The Retry-After header in the response includes how long to wait before trying again. | ListPersonalAccessTokensV1429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | Errorresponsedto |

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "ef38f94347e94562b5bb8424a56397d8" # String | The personal access token id

# Delete personal access token

try {
    Remove-PersonalAccessTokenV1 -Id $Id

    # Below is a request that includes all optional parameters
    # Remove-PersonalAccessTokenV1 -Id $Id
} catch {
    Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Remove-PersonalAccessTokenV1"
    Write-Host $_.ErrorDetails
}


list-personal-access-tokens-v1

This gets a collection of personal access tokens associated with the optional owner-id query parameter. If the owner-id query parameter is omitted, all personal access tokens for a tenant will be retrieved, but the caller must have the 'idn:all-personal-access-tokens:read' right.

API Spec

Parameters

| Param Type | Name | Data Type | Required | Description |
| --- | --- | --- | --- | --- |
| Query | OwnerId | String | (optional) | The identity ID of the owner whose personal access tokens should be listed. If "me", the caller should have the following right: 'idn:my-personal-access-tokens:read'. If an actual owner ID or if the owner-id parameter is omitted in the request, the caller should have the following right: 'idn:all-personal-access-tokens:read'. If the caller has the following right, then managed personal access tokens associated with owner-id will be retrieved: 'idn:managed-personal-access-tokens:read' |
| Query | Filters | String | (optional) | Filter results using the standard syntax described in V3 API Standard Collection Parameters. Filtering is supported for the following fields and operators: lastUsed: le, isnull |

Return type

Getpersonalaccesstokenresponse[]

Responses

CodeDescriptionData Type
| Code | Description | Data Type |
| --- | --- | --- |
| 200 | List of personal access tokens. | Getpersonalaccesstokenresponse[] |
| 400 | Client Error - Returned if the request body is invalid. | Errorresponsedto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListPersonalAccessTokensV1401Response |
| 403 | Forbidden - Returned if the user you are running as doesn't have access to this endpoint. | Errorresponsedto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time (rate limited). The Retry-After header in the response includes how long to wait before trying again. | ListPersonalAccessTokensV1429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | Errorresponsedto |

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

# String | The identity ID of the owner whose personal access tokens should be listed. (optional)
# If "me", the caller should have the following right: 'idn:my-personal-access-tokens:read'.
# If an actual owner ID or if the owner-id parameter is omitted in the request,
# the caller should have the following right: 'idn:all-personal-access-tokens:read'.
# If the caller has the following right, then managed personal access tokens associated
# with owner-id will be retrieved: 'idn:managed-personal-access-tokens:read'
$OwnerId = "2c9180867b50d088017b554662fb281e"

# String | Filter results using the standard syntax described in V3 API Standard Collection Parameters
# (https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results). (optional)
# Filtering is supported for the following fields and operators: lastUsed: le, isnull
$Filters = 'lastUsed le 2023-02-05T10:59:27.214Z'

# List personal access tokens

try {
    Get-PersonalAccessTokensV1

    # Below is a request that includes all optional parameters
    # Get-PersonalAccessTokensV1 -OwnerId $OwnerId -Filters $Filters
} catch {
    Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-PersonalAccessTokensV1"
    Write-Host $_.ErrorDetails
}
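The lastUsed filter above is the basis for a token hygiene review. The following is an added example, not part of the SDK documentation: it builds the `lastUsed le` filter for a cutoff and flags tokens that are stale, never used, or non-expiring. New-PatLastUsedFilter and Get-PatHygieneFinding are hypothetical helper names, and the id, name, lastUsed and expirationDate properties on the list results are assumptions.

```powershell
# Added example; the helper names are hypothetical, not SDK cmdlets.
function New-PatLastUsedFilter {
    param([datetimeoffset] $Cutoff)
    # Same timestamp layout as the documented filter value.
    $fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $stamp = $Cutoff.UtcDateTime.ToString($fmt, [cultureinfo]::InvariantCulture)
    "lastUsed le $stamp"
}

function Get-PatHygieneFinding {
    param([object[]] $Tokens, [datetimeoffset] $Cutoff)
    foreach ($t in $Tokens) {
        $reasons = @()
        if ($null -eq $t.lastUsed) {
            $reasons += 'never used'
        } elseif ([datetimeoffset]$t.lastUsed -le $Cutoff) {
            $reasons += 'not used since cutoff'
        }
        # Assumption: a non-expiring token is returned with a null expirationDate.
        if ($null -eq $t.expirationDate) { $reasons += 'never expires' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Id = $t.id; Name = $t.name; Reasons = $reasons -join ', ' }
        }
    }
}

# Constructed sample records standing in for a list response (not real tenant data).
$tokens = @(
    [pscustomobject]@{ id = 'sample-1'; name = 'ci-pipeline'; lastUsed = '2025-12-20T09:00:00Z'; expirationDate = '2026-06-30T00:00:00Z' },
    [pscustomobject]@{ id = 'sample-2'; name = 'old-report-job'; lastUsed = '2024-03-02T11:30:00Z'; expirationDate = '2026-06-30T00:00:00Z' },
    [pscustomobject]@{ id = 'sample-3'; name = 'legacy-sync'; lastUsed = '2025-11-01T00:00:00Z'; expirationDate = $null },
    [pscustomobject]@{ id = 'sample-4'; name = 'created-unused'; lastUsed = $null; expirationDate = $null }
)
$cutoff = [datetimeoffset]'2025-10-01T00:00:00Z'

New-PatLastUsedFilter -Cutoff $cutoff
Get-PatHygieneFinding -Tokens $tokens -Cutoff $cutoff | Format-Table -AutoSize

# Against a tenant, the server-side filter narrows the list first:
# Get-PersonalAccessTokensV1 -Filters (New-PatLastUsedFilter -Cutoff $cutoff)
# Never-used tokens need the second documented operator: -Filters 'lastUsed isnull'
```

Tokens confirmed as unused can then be revoked with Remove-PersonalAccessTokenV1 -Id, as documented above.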


patch-personal-access-token-v1

This performs a targeted update to the field(s) of a Personal Access Token. Changing scopes for a Personal Access Token does not impact existing bearer tokens. You will need to create a new bearer token to have the new scopes. Please note that it can take up to 20 minutes for scope changes to be seen on new bearer tokens.

expirationDate and userAwareTokenNeverExpires Relationship:

Important: When expirationDate is null or empty (replaced to null or omitted from the patch request), the token will never expire.

Required Validation: If expirationDate is being replaced to null or is empty, userAwareTokenNeverExpires must be set to true in the patch request. This is a required validation rule.

When patching expirationDate and userAwareTokenNeverExpires, the valid values for expirationDate depend on the value provided for userAwareTokenNeverExpires:

  • When userAwareTokenNeverExpires is being set to true (or required to be true): expirationDate can be replaced to null or omitted from the patch request. When expirationDate is null or empty, the token will never expire. This sets the PAT to never expire and serves as an explicit acknowledgment that the user is aware of the security implications of creating a non-expiring token.
  • When userAwareTokenNeverExpires is false or omitted: expirationDate must be provided and must be a valid date-time string representing a future date (there is no upper limit). expirationDate cannot be null in this case. In this scenario, userAwareTokenNeverExpires can be omitted.

Validation Rules:

  • If expirationDate is being replaced to null: userAwareTokenNeverExpires must also be present in the patch request with a value of true (required). The token will never expire.
  • If expirationDate is not being replaced to null (i.e., set to a future date): userAwareTokenNeverExpires can be omitted.

Security Considerations: The userAwareTokenNeverExpires field is designed to ensure that users explicitly acknowledge the security implications of creating tokens that never expire. Setting this field to true indicates that the user understands the increased security risks and has made an informed decision to proceed.

Note: The userAwareTokenNeverExpires field indicates that the user acknowledges they are creating a token that will never expire. It does not affect token behavior beyond indicating this acknowledgment.

API Spec

Parameters

| Param Type | Name | Data Type | Required | Description |
| --- | --- | --- | --- | --- |
| Path | Id | String | True | The Personal Access Token id |
| Body | Jsonpatchoperation | []Jsonpatchoperation | True | A list of OAuth client update operations according to the JSON Patch standard. The following fields are patchable: name, scope, expirationDate, userAwareTokenNeverExpires. Important: See the endpoint description for validation rules regarding the relationship between expirationDate and userAwareTokenNeverExpires. |

Return type

Getpersonalaccesstokenresponse

Responses

| Code | Description | Data Type |
| --- | --- | --- |
| 200 | Indicates the PATCH operation succeeded, and returns the PAT's new representation. | Getpersonalaccesstokenresponse |
| 400 | Client Error - Returned if the request body is invalid. | Errorresponsedto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListPersonalAccessTokensV1401Response |
| 403 | Forbidden - Returned if the user you are running as doesn't have access to this endpoint. | Errorresponsedto |
| 404 | Not Found - Returned if the request URL refers to a resource or object that does not exist. | Errorresponsedto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time (rate limited). The Retry-After header in the response includes how long to wait before trying again. | ListPersonalAccessTokensV1429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | Errorresponsedto |

HTTP request headers

  • Content-Type: application/json-patch+json
  • Accept: application/json

Example

$Id = "ef38f94347e94562b5bb8424a56397d8" # String | The Personal Access Token id

# Jsonpatchoperation[] | A list of OAuth client update operations according to the
# JSON Patch standard (https://tools.ietf.org/html/rfc6902).
# The following fields are patchable: name, scope, expirationDate, userAwareTokenNeverExpires.
# Important: See the endpoint description for validation rules regarding the relationship
# between expirationDate and userAwareTokenNeverExpires.
$Jsonpatchoperation = @"
[{"op":"replace","path":"/name","value":"New name"},{"op":"replace","path":"/scope","value":["sp:scopes:all"]},{"op":"replace","path":"/expirationDate","value":"2027-12-31T23:59:59.999Z"}]
"@

# Patch personal access token

try {
    $Result = ConvertFrom-JsonToJsonpatchoperation -Json $Jsonpatchoperation
    Update-PersonalAccessTokenV1 -Id $Id -Jsonpatchoperation $Result

    # Below is a request that includes all optional parameters
    # Update-PersonalAccessTokenV1 -Id $Id -Jsonpatchoperation $Result
} catch {
    Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Update-PersonalAccessTokenV1"
    Write-Host $_.ErrorDetails
}
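The expirationDate / userAwareTokenNeverExpires rule described for both the create and the patch endpoints can be checked on the client before a request is sent, so a non-expiring token is never requested by accident. The following is an added example, not SDK code: Test-PatExpirationRule and Test-PatPatchRule are hypothetical helpers, and treating a patch that does not touch expirationDate as out of scope is an assumption.

```powershell
# Added example: Test-PatExpirationRule and Test-PatPatchRule are hypothetical
# helpers (not SDK cmdlets) that mirror the documented rule on the client side.
function Test-PatExpirationRule {
    param([hashtable] $Fields, [datetimeoffset] $Now = [datetimeoffset]::UtcNow)
    $ackValue = $Fields['userAwareTokenNeverExpires']
    $ack = ($ackValue -is [bool]) -and $ackValue
    $exp = $Fields['expirationDate']          # $null when the key is absent
    if ([string]::IsNullOrWhiteSpace($exp)) {
        if ($ack) { return 'ok: never expires, explicitly acknowledged' }
        return 'reject: no expirationDate, so userAwareTokenNeverExpires must be true'
    }
    $parsed = [datetimeoffset]::MinValue
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal
    if (-not [datetimeoffset]::TryParse([string]$exp, [cultureinfo]::InvariantCulture, $styles, [ref]$parsed)) {
        return 'reject: expirationDate is not a valid date-time string'
    }
    if ($parsed -le $Now) { return 'reject: expirationDate must be a future date' }
    return 'ok: expiring token'
}

function Test-PatPatchRule {
    param([object[]] $Operations)
    $touched = @{}
    foreach ($op in $Operations) {
        if ($op.path -in '/expirationDate', '/userAwareTokenNeverExpires') {
            $touched[$op.path.TrimStart('/')] = $op.value
        }
    }
    # Assumption: a patch that leaves expirationDate alone is outside this check.
    if (-not $touched.ContainsKey('expirationDate')) { return 'skip: expirationDate not patched' }
    Test-PatExpirationRule -Fields $touched
}

# Constructed sample inputs; names and dates are illustrative.
$now = [datetimeoffset]'2026-01-01T00:00:00Z'
$bodies = @(
    @{ name = 'expiring';       expirationDate = '2027-12-31T23:59:59.999Z' },
    @{ name = 'unacknowledged' },
    @{ name = 'acknowledged';   userAwareTokenNeverExpires = $true },
    @{ name = 'already-past';   expirationDate = '2020-01-01T00:00:00Z' }
)
foreach ($b in $bodies) { '{0,-15} {1}' -f $b.name, (Test-PatExpirationRule -Fields $b -Now $now) }

$clearExpiry = @{ op = 'replace'; path = '/expirationDate'; value = $null }
$acknowledge = @{ op = 'replace'; path = '/userAwareTokenNeverExpires'; value = $true }
Test-PatPatchRule -Operations @($clearExpiry)
Test-PatPatchRule -Operations @($clearExpiry, $acknowledge)
```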
