Pomerium Zero API Reference (0.1.0)
Download OpenAPI specification:Download
The Pomerium Zero API requires authenticated access for both personal accounts and organizations. To send a valid, authenticated request to the Pomerium Zero API:
- Generate an API User Token in the Zero Console
- Exchange the API User Token for an ID Token at the
/token
endpoint - Pass the ID token in an
Authorization: Bearer {TOKEN}
header to authenticate your request
The user service enables you to manage users and user information within an organization or namespace.
This service also enables you to create API access user accounts and renew API refresh tokens.
updateCurrentUserInfo
Fetch and update currently logged in user information from the identity provider
Authorizations:
Responses
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "email": "user@example.com",
- "displayName": "string",
- "needsOnboarding": true,
- "photoUrl": "string",
- "type": "user_type_interactive",
- "legalTerms": {
- "property1": {
- "title": "string",
- "url": "string"
}, - "property2": {
- "title": "string",
- "url": "string"
}
}
}
listUsersInOrganization
List users
Authorizations:
path Parameters
organizationId required | string ID of organization |
query Parameters
userType | string (UserType) Enum: "user_type_interactive" "user_type_api_access" Type of user |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "email": "user@example.com",
- "displayName": "string",
- "needsOnboarding": true,
- "photoUrl": "string",
- "type": "user_type_interactive",
- "organizationRole": "owner"
}
]
createApiAccessUser
Create API access user account
Authorizations:
path Parameters
organizationId required | string ID of organization |
Request Body schema: application/jsonrequired
name required | string Freetext user name |
role | string (OrganizationRole) Enum: "owner" "admin" "auditor" "member" A high level role that describes the level of access a user has to an organization.
|
Responses
Request samples
- Payload
{- "name": "string",
- "role": "owner"
}
Response samples
- 201
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "email": "user@example.com",
- "displayName": "string",
- "needsOnboarding": true,
- "photoUrl": "string",
- "type": "user_type_interactive",
- "refreshToken": "string"
}
RenewApiUserRefreshToken
Renews API user refresh token. The userId must be an API user. Obtaining a new refresh token invalidates any previously issued refresh tokens.
Authorizations:
path Parameters
organizationId required | string ID of organization |
userId required | string ID of user |
Responses
Response samples
- 200
{- "refreshToken": "string"
}
The invitation service is where you can view and respond to pending invitations to join a professional
type organization.
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "invitedBy": {
- "email": "user@example.com",
- "displayName": "string",
- "photoUrl": "string"
}, - "organization": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "logoURL": "string",
- "organizationType": "personal",
- "ownerUserId": "string",
- "role": "owner",
- "joinedAt": "2019-08-24T14:15:22Z",
- "quotas": {
- "administrators": 0,
- "certificates": 0,
- "clusters": 0,
- "customDomains": 0,
- "policies": 0,
- "replicas": 0,
- "routes": 0,
- "serviceAccounts": 0
}
}, - "organizationRole": "owner"
}
]
The invite service is where you can manage invitations sent to users to join your organization.
listOrganizationInvites
List invites
Authorizations:
path Parameters
organizationId required | string ID of organization |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "email": "user@example.com",
- "role": "owner"
}
]
createOrganizationInvite
Create invite
Authorizations:
path Parameters
organizationId required | string ID of organization |
Request Body schema: application/jsonrequired
emails required | Array of strings <email> [ items <email > ] |
role required | string (OrganizationRole) Enum: "owner" "admin" "auditor" "member" A high level role that describes the level of access a user has to an organization.
|
Responses
Request samples
- Payload
{- "emails": [
- "user@example.com"
], - "role": "owner"
}
Response samples
- 201
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "email": "user@example.com",
- "role": "owner"
}
]
The policy service is where you can manage policies within a namespace in your organization.
You can build a policy by configuring a Pomerium Policy Language (PPL) rule and apply it to a route.
listPolicies
List policies
Authorizations:
path Parameters
organizationId required | string ID of organization |
query Parameters
namespaceId required | string ID of namespace |
includeDescendants | boolean include resources from descendant namespaces |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "name": "string",
- "enforced": true,
- "ppl": {
- "allow": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}, - "deny": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}
}, - "description": "string",
- "explanation": "string",
- "remediation": "string",
- "routes": [
- {
- "id": "string",
- "name": "string"
}
], - "enforcedRoutes": [
- {
- "id": "string",
- "name": "string"
}
]
}
]
createPolicy
Create policy
Authorizations:
path Parameters
organizationId required | string ID of organization |
Request Body schema: application/jsonrequired
namespaceId required | string |
name required | string (entityName) [ 1 .. 128 ] characters |
enforced required | boolean |
required | PPLRule (object) or Array of PPLRule (objects) |
description required | string |
explanation required | string |
remediation required | string |
Responses
Request samples
- Payload
{- "namespaceId": "string",
- "name": "string",
- "enforced": true,
- "ppl": {
- "allow": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}, - "deny": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}
}, - "description": "string",
- "explanation": "string",
- "remediation": "string"
}
Response samples
- 201
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "name": "string",
- "enforced": true,
- "ppl": {
- "allow": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}, - "deny": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}
}, - "description": "string",
- "explanation": "string",
- "remediation": "string",
- "routes": [
- {
- "id": "string",
- "name": "string"
}
], - "enforcedRoutes": [
- {
- "id": "string",
- "name": "string"
}
]
}
getPolicy
Get policy
Authorizations:
path Parameters
organizationId required | string ID of organization |
policyId required | string ID of policy |
Responses
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "name": "string",
- "enforced": true,
- "ppl": {
- "allow": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}, - "deny": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}
}, - "description": "string",
- "explanation": "string",
- "remediation": "string",
- "routes": [
- {
- "id": "string",
- "name": "string"
}
], - "enforcedRoutes": [
- {
- "id": "string",
- "name": "string"
}
]
}
updatePolicy
Update policy
Authorizations:
path Parameters
organizationId required | string ID of organization |
policyId required | string ID of policy |
Request Body schema: application/jsonrequired
namespaceId required | string |
name required | string (entityName) [ 1 .. 128 ] characters |
enforced required | boolean |
required | PPLRule (object) or Array of PPLRule (objects) |
description required | string |
explanation required | string |
remediation required | string |
Responses
Request samples
- Payload
{- "namespaceId": "string",
- "name": "string",
- "enforced": true,
- "ppl": {
- "allow": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}, - "deny": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}
}, - "description": "string",
- "explanation": "string",
- "remediation": "string"
}
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "name": "string",
- "enforced": true,
- "ppl": {
- "allow": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}, - "deny": {
- "and": [
- { }
], - "or": [
- { }
], - "not": [
- { }
], - "nor": [
- { }
]
}
}, - "description": "string",
- "explanation": "string",
- "remediation": "string",
- "routes": [
- {
- "id": "string",
- "name": "string"
}
], - "enforcedRoutes": [
- {
- "id": "string",
- "name": "string"
}
]
}
listActivityLogs
List activity logs
Authorizations:
path Parameters
organizationId required | string ID of organization |
query Parameters
activityType | string (ActivityType) Enum: "create" "delete" "update" Type of activity |
entityId | string ID of entity |
entityType | string (EntityType) Enum: "changeset" "custom_domain" "domain" "key_pair" "namespace" "organization" "policy" "route" "settings" "service_account" Type of entity |
changesetId | string id of changeset |
namespaceId | string ID of namespace |
userId | string ID of user |
offset | integer offset of the resources |
limit | integer limit number of resources returned |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "activityType": "create",
- "applied": {
- "at": "2019-08-24T14:15:22Z",
- "by": {
- "id": "string",
- "email": "user@example.com",
- "displayName": "string",
- "photoUrl": "string"
}, - "changesetId": "string"
}, - "entity": {
- "type": "changeset",
- "id": "string",
- "data": { }
}, - "namespace": {
- "id": "string",
- "name": "string"
}, - "user": {
- "id": "string",
- "email": "user@example.com",
- "displayName": "string",
- "photoUrl": "string"
}
}
]
updateSettings
Update settings
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Request Body schema: application/jsonrequired
logLevel required | string Sets the global logging level for Pomerium. Only logs of the desired level and above will be logged. |
proxyLogLevel | string Sets the logging level for the Pomerium Proxy service access logs. Only logs of the desired level and above will be logged. |
address required | string <hostport> Specifies the Host and Port to serve HTTP requests from. If empty, |
dnsLookupFamily required | string (DNSLookupFamily) Enum: "V4_ONLY" "V6_ONLY" "V4_PREFERRED" "AUTO" "ALL" Sets the DNS IP address resolution policy. |
httpRedirectAddr | string <hostport> Specifies the Host and Port to redirect HTTP to HTTPS traffic on. If unset, no redirect server is started. |
timeoutRead required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the amount of time for the entire request stream to be received from the client. |
timeoutWrite required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the max stream duration is the maximum time that a stream’s lifetime will span. |
timeoutIdle required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the idle timeout is the time at which a downstream or upstream connection will be terminated if there are no active streams. |
cookieName required | |
cookieSecret | string Sets the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you. |
cookieDomain | string Sets the scope of session cookies issued by Pomerium. If you specify the domain explicitly, then subdomains would also be included. |
cookieHttpOnly required | boolean If true, this setting forbids JavaScript from accessing the cookie. |
cookieExpire required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the lifetime of session cookies. After this interval, users must reauthenticate. |
cookieSameSite | string Sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests. |
certificateAuthorityKeyPairId | string ID of CA's public and private key pair. |
object (StringMap) Specifies a mapping of HTTP Headers added globally to all managed routes and Pomerium's Authenticate Service. | |
object (StringMap) Pass specific user session data to upstream applications as unsigned HTTP request headers. | |
defaultUpstreamTimeout required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ The default timeout applied to a proxied route when no timeout key is specified by the policy. |
metricsAddress | |
tracingProvider | |
tracingSampleRate required | number Percentage of requests to sample in decimal notation. The default is 0.0001, or .01%. |
tracingDatadogAddress | string <hostport> The |
tracingJaegerCollectorEndpoint | |
tracingJaegerAgentEndpoint | |
tracingZipkinEndpoint | |
clientCa | string The X.509 public-key used to validate a client certificate. |
clientCaFile | |
clientCaKeyPairId | string ID of the client CA's public and private key pair. |
googleCloudServerlessAuthenticationServiceAccount | string Specifies the Service Account credentials to support GCP's Authorization Header format. |
skipXffAppend required | boolean If true, the incoming X-Forwarded-For HTTP header would not be modified. |
databrokerStorageConnection | |
accessLogFields | Array of strings Controls which fields are included in the access logs. |
authorizeLogFields | Array of strings Controls which fields are included in the authorize logs. |
passIdentityHeaders required | boolean |
autoApplyChangesets required | boolean |
authenticateServiceUrl | string <url> Specifies the URL to use for the authenticate service, if not using the Hosted Authenticate Service. (This URL should resolve to your Pomerium deployment.) |
identityProvider | string (IdentityProviderType) Enum: "apple" "auth0" "azure" "cognito" "github" "gitlab" "google" "oidc" "okta" "onelogin" "ping" Identity provider type, if not using the Hosted Authenticate Service. |
identityProviderClientId | string Identity provider client ID, if not using the Hosted Authenticate Service. |
identityProviderClientSecret | string Identity provider client secret, if not using the Hosted Authenticate Service. |
object (StringMap) Identity provider request params, if not using the Hosted Authenticate Service. | |
identityProviderScopes | Array of strings (StringList) Identity provider scopes, if not using the Hosted Authenticate Service. |
identityProviderUrl | string <url> Identity provider URL, if not using the Hosted Authenticate Service. (This is required only for certain identity providers types.) |
Responses
Request samples
- Payload
{- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
patchSettings
Patch settings
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Request Body schema: application/jsonrequired
op required | string Enum: "add" "remove" "replace" "copy" "move" "test" |
path required | string |
value | any |
from | string |
Responses
Request samples
- Payload
[- {
- "op": "add",
- "path": "string",
- "value": null,
- "from": "string"
}
]
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
The route service is where you can build and manage routes defined in a namespace within your organization.
listRoutes
List routes
Authorizations:
path Parameters
organizationId required | string ID of organization |
query Parameters
namespaceId required | string ID of namespace |
includeDescendants | boolean include resources from descendant namespaces |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "name": "string",
- "from": "string",
- "to": [
- "string"
], - "response": {
- "status": 200,
- "body": "string"
}, - "prefix": "string",
- "path": "string",
- "regex": "string",
- "prefixRewrite": "string",
- "regexRewritePattern": "string",
- "regexRewriteSubstitution": "string",
- "hostRewrite": "string",
- "hostRewriteHeader": "string",
- "hostPathRegexRewritePattern": "string",
- "hostPathRegexRewriteSubstitution": "string",
- "regexPriorityOrder": 0,
- "timeout": "string",
- "idleTimeout": "string",
- "allowWebsockets": true,
- "allowSpdy": true,
- "tlsSkipVerify": true,
- "tlsUpstreamServerName": "string",
- "tlsDownstreamServerName": "string",
- "tlsCustomCaKeyPairId": "string",
- "tlsClientKeyPairId": "string",
- "tlsDownstreamClientCaKeyPairId": "string",
- "tlsUpstreamAllowRenegotiation": true,
- "setRequestHeaders": {
- "property1": "string",
- "property2": "string"
}, - "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "removeRequestHeaders": [
- "string"
], - "rewriteResponseHeaders": [
- {
- "header": "string",
- "matcher": {
- "prefix": "string"
}, - "value": "string"
}
], - "preserveHostHeader": true,
- "passIdentityHeaders": true,
- "kubernetesServiceAccountToken": "string",
- "redirect": {
- "httpsRedirect": true,
- "schemeRedirect": "string",
- "hostRedirect": "string",
- "portRedirect": 0,
- "pathRedirect": "string",
- "prefixRewrite": "string",
- "responseCode": 0,
- "stripQuery": true
}, - "enableGoogleCloudServerlessAuthentication": true,
- "showErrorDetails": true,
- "healthCheck": {
- "timeout": "string",
- "interval": "string",
- "unhealthyThreshold": 0,
- "healthyThreshold": 0,
- "type": "http",
- "host": "string",
- "path": "string",
- "expectedStatuses": [
- {
- "start": 0,
- "end": 0
}
], - "codecClientType": "http1"
}, - "loadBalancingPolicy": "round_robin",
- "policyIds": [
- "string"
], - "enforcedPolicies": [
- {
- "id": "string",
- "name": "string"
}
], - "enforcedPolicyIds": [
- "string"
], - "policies": [
- {
- "id": "string",
- "name": "string"
}
]
}
]
createRoute
Create route
Authorizations:
path Parameters
organizationId required | string ID of organization |
Request Body schema: application/jsonrequired
namespaceId required | string |
name required | string (entityName) [ 1 .. 128 ] characters |
from required | string <url> |
to | Array of strings <url> [ items <url > ] |
object (RouteDirectResponse) | |
prefix | string |
path | string |
regex | string |
prefixRewrite | string |
regexRewritePattern | string |
regexRewriteSubstitution | string |
hostRewrite | string |
hostRewriteHeader | string |
hostPathRegexRewritePattern | string |
hostPathRegexRewriteSubstitution | string |
regexPriorityOrder | integer <int64> |
timeout | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ |
idleTimeout | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ |
allowWebsockets required | boolean |
allowSpdy required | boolean |
tlsSkipVerify required | boolean |
tlsUpstreamServerName | string |
tlsDownstreamServerName | string |
tlsCustomCaKeyPairId | string |
tlsClientKeyPairId | string |
tlsDownstreamClientCaKeyPairId | string |
tlsUpstreamAllowRenegotiation required | boolean |
object (StringMap) | |
object (StringMap) | |
removeRequestHeaders | Array of strings |
Array of objects (RouteRewriteHeader) | |
preserveHostHeader required | boolean |
passIdentityHeaders | boolean |
kubernetesServiceAccountToken | string |
object (RouteRedirect) | |
enableGoogleCloudServerlessAuthentication required | boolean |
showErrorDetails required | boolean |
RouteHttpHealthCheck (object) or RouteTcpHealthCheck (object) or RouteGrpcHealthCheck (object) (RouteHealthCheck) | |
loadBalancingPolicy | string (RouteLoadBalancingPolicy) Enum: "round_robin" "least_request" "ring_hash" "random" "maglev" |
policyIds required | Array of strings |
Responses
Request samples
- Payload
{- "namespaceId": "string",
- "name": "string",
- "from": "string",
- "to": [
- "string"
], - "response": {
- "status": 200,
- "body": "string"
}, - "prefix": "string",
- "path": "string",
- "regex": "string",
- "prefixRewrite": "string",
- "regexRewritePattern": "string",
- "regexRewriteSubstitution": "string",
- "hostRewrite": "string",
- "hostRewriteHeader": "string",
- "hostPathRegexRewritePattern": "string",
- "hostPathRegexRewriteSubstitution": "string",
- "regexPriorityOrder": 0,
- "timeout": "string",
- "idleTimeout": "string",
- "allowWebsockets": true,
- "allowSpdy": true,
- "tlsSkipVerify": true,
- "tlsUpstreamServerName": "string",
- "tlsDownstreamServerName": "string",
- "tlsCustomCaKeyPairId": "string",
- "tlsClientKeyPairId": "string",
- "tlsDownstreamClientCaKeyPairId": "string",
- "tlsUpstreamAllowRenegotiation": true,
- "setRequestHeaders": {
- "property1": "string",
- "property2": "string"
}, - "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "removeRequestHeaders": [
- "string"
], - "rewriteResponseHeaders": [
- {
- "header": "string",
- "matcher": {
- "prefix": "string"
}, - "value": "string"
}
], - "preserveHostHeader": true,
- "passIdentityHeaders": true,
- "kubernetesServiceAccountToken": "string",
- "redirect": {
- "httpsRedirect": true,
- "schemeRedirect": "string",
- "hostRedirect": "string",
- "portRedirect": 0,
- "pathRedirect": "string",
- "prefixRewrite": "string",
- "responseCode": 0,
- "stripQuery": true
}, - "enableGoogleCloudServerlessAuthentication": true,
- "showErrorDetails": true,
- "healthCheck": {
- "timeout": "string",
- "interval": "string",
- "unhealthyThreshold": 0,
- "healthyThreshold": 0,
- "type": "http",
- "host": "string",
- "path": "string",
- "expectedStatuses": [
- {
- "start": 0,
- "end": 0
}
], - "codecClientType": "http1"
}, - "loadBalancingPolicy": "round_robin",
- "policyIds": [
- "string"
]
}
Response samples
- 201
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "name": "string",
- "from": "string",
- "to": [
- "string"
], - "response": {
- "status": 200,
- "body": "string"
}, - "prefix": "string",
- "path": "string",
- "regex": "string",
- "prefixRewrite": "string",
- "regexRewritePattern": "string",
- "regexRewriteSubstitution": "string",
- "hostRewrite": "string",
- "hostRewriteHeader": "string",
- "hostPathRegexRewritePattern": "string",
- "hostPathRegexRewriteSubstitution": "string",
- "regexPriorityOrder": 0,
- "timeout": "string",
- "idleTimeout": "string",
- "allowWebsockets": true,
- "allowSpdy": true,
- "tlsSkipVerify": true,
- "tlsUpstreamServerName": "string",
- "tlsDownstreamServerName": "string",
- "tlsCustomCaKeyPairId": "string",
- "tlsClientKeyPairId": "string",
- "tlsDownstreamClientCaKeyPairId": "string",
- "tlsUpstreamAllowRenegotiation": true,
- "setRequestHeaders": {
- "property1": "string",
- "property2": "string"
}, - "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "removeRequestHeaders": [
- "string"
], - "rewriteResponseHeaders": [
- {
- "header": "string",
- "matcher": {
- "prefix": "string"
}, - "value": "string"
}
], - "preserveHostHeader": true,
- "passIdentityHeaders": true,
- "kubernetesServiceAccountToken": "string",
- "redirect": {
- "httpsRedirect": true,
- "schemeRedirect": "string",
- "hostRedirect": "string",
- "portRedirect": 0,
- "pathRedirect": "string",
- "prefixRewrite": "string",
- "responseCode": 0,
- "stripQuery": true
}, - "enableGoogleCloudServerlessAuthentication": true,
- "showErrorDetails": true,
- "healthCheck": {
- "timeout": "string",
- "interval": "string",
- "unhealthyThreshold": 0,
- "healthyThreshold": 0,
- "type": "http",
- "host": "string",
- "path": "string",
- "expectedStatuses": [
- {
- "start": 0,
- "end": 0
}
], - "codecClientType": "http1"
}, - "loadBalancingPolicy": "round_robin",
- "policyIds": [
- "string"
], - "enforcedPolicies": [
- {
- "id": "string",
- "name": "string"
}
], - "enforcedPolicyIds": [
- "string"
], - "policies": [
- {
- "id": "string",
- "name": "string"
}
]
}
getRoute
Get route
Authorizations:
path Parameters
organizationId required | string ID of organization |
routeId required | string ID of route |
Responses
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "name": "string",
- "from": "string",
- "to": [
- "string"
], - "response": {
- "status": 200,
- "body": "string"
}, - "prefix": "string",
- "path": "string",
- "regex": "string",
- "prefixRewrite": "string",
- "regexRewritePattern": "string",
- "regexRewriteSubstitution": "string",
- "hostRewrite": "string",
- "hostRewriteHeader": "string",
- "hostPathRegexRewritePattern": "string",
- "hostPathRegexRewriteSubstitution": "string",
- "regexPriorityOrder": 0,
- "timeout": "string",
- "idleTimeout": "string",
- "allowWebsockets": true,
- "allowSpdy": true,
- "tlsSkipVerify": true,
- "tlsUpstreamServerName": "string",
- "tlsDownstreamServerName": "string",
- "tlsCustomCaKeyPairId": "string",
- "tlsClientKeyPairId": "string",
- "tlsDownstreamClientCaKeyPairId": "string",
- "tlsUpstreamAllowRenegotiation": true,
- "setRequestHeaders": {
- "property1": "string",
- "property2": "string"
}, - "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "removeRequestHeaders": [
- "string"
], - "rewriteResponseHeaders": [
- {
- "header": "string",
- "matcher": {
- "prefix": "string"
}, - "value": "string"
}
], - "preserveHostHeader": true,
- "passIdentityHeaders": true,
- "kubernetesServiceAccountToken": "string",
- "redirect": {
- "httpsRedirect": true,
- "schemeRedirect": "string",
- "hostRedirect": "string",
- "portRedirect": 0,
- "pathRedirect": "string",
- "prefixRewrite": "string",
- "responseCode": 0,
- "stripQuery": true
}, - "enableGoogleCloudServerlessAuthentication": true,
- "showErrorDetails": true,
- "healthCheck": {
- "timeout": "string",
- "interval": "string",
- "unhealthyThreshold": 0,
- "healthyThreshold": 0,
- "type": "http",
- "host": "string",
- "path": "string",
- "expectedStatuses": [
- {
- "start": 0,
- "end": 0
}
], - "codecClientType": "http1"
}, - "loadBalancingPolicy": "round_robin",
- "policyIds": [
- "string"
], - "enforcedPolicies": [
- {
- "id": "string",
- "name": "string"
}
], - "enforcedPolicyIds": [
- "string"
], - "policies": [
- {
- "id": "string",
- "name": "string"
}
]
}
updateRoute
Update route
Authorizations:
path Parameters
organizationId required | string ID of organization |
routeId required | string ID of route |
Request Body schema: application/jsonrequired
namespaceId required | string |
name required | string (entityName) [ 1 .. 128 ] characters |
from required | string <url> |
to | Array of strings <url> [ items <url > ] |
object (RouteDirectResponse) | |
prefix | string |
path | string |
regex | string |
prefixRewrite | string |
regexRewritePattern | string |
regexRewriteSubstitution | string |
hostRewrite | string |
hostRewriteHeader | string |
hostPathRegexRewritePattern | string |
hostPathRegexRewriteSubstitution | string |
regexPriorityOrder | integer <int64> |
timeout | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ |
idleTimeout | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ |
allowWebsockets required | boolean |
allowSpdy required | boolean |
tlsSkipVerify required | boolean |
tlsUpstreamServerName | string |
tlsDownstreamServerName | string |
tlsCustomCaKeyPairId | string |
tlsClientKeyPairId | string |
tlsDownstreamClientCaKeyPairId | string |
tlsUpstreamAllowRenegotiation required | boolean |
object (StringMap) | |
object (StringMap) | |
removeRequestHeaders | Array of strings |
Array of objects (RouteRewriteHeader) | |
preserveHostHeader required | boolean |
passIdentityHeaders | boolean |
kubernetesServiceAccountToken | string |
object (RouteRedirect) | |
enableGoogleCloudServerlessAuthentication required | boolean |
showErrorDetails required | boolean |
RouteHttpHealthCheck (object) or RouteTcpHealthCheck (object) or RouteGrpcHealthCheck (object) (RouteHealthCheck) | |
loadBalancingPolicy | string (RouteLoadBalancingPolicy) Enum: "round_robin" "least_request" "ring_hash" "random" "maglev" |
policyIds required | Array of strings |
Responses
Request samples
- Payload
{- "namespaceId": "string",
- "name": "string",
- "from": "string",
- "to": [
- "string"
], - "response": {
- "status": 200,
- "body": "string"
}, - "prefix": "string",
- "path": "string",
- "regex": "string",
- "prefixRewrite": "string",
- "regexRewritePattern": "string",
- "regexRewriteSubstitution": "string",
- "hostRewrite": "string",
- "hostRewriteHeader": "string",
- "hostPathRegexRewritePattern": "string",
- "hostPathRegexRewriteSubstitution": "string",
- "regexPriorityOrder": 0,
- "timeout": "string",
- "idleTimeout": "string",
- "allowWebsockets": true,
- "allowSpdy": true,
- "tlsSkipVerify": true,
- "tlsUpstreamServerName": "string",
- "tlsDownstreamServerName": "string",
- "tlsCustomCaKeyPairId": "string",
- "tlsClientKeyPairId": "string",
- "tlsDownstreamClientCaKeyPairId": "string",
- "tlsUpstreamAllowRenegotiation": true,
- "setRequestHeaders": {
- "property1": "string",
- "property2": "string"
}, - "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "removeRequestHeaders": [
- "string"
], - "rewriteResponseHeaders": [
- {
- "header": "string",
- "matcher": {
- "prefix": "string"
}, - "value": "string"
}
], - "preserveHostHeader": true,
- "passIdentityHeaders": true,
- "kubernetesServiceAccountToken": "string",
- "redirect": {
- "httpsRedirect": true,
- "schemeRedirect": "string",
- "hostRedirect": "string",
- "portRedirect": 0,
- "pathRedirect": "string",
- "prefixRewrite": "string",
- "responseCode": 0,
- "stripQuery": true
}, - "enableGoogleCloudServerlessAuthentication": true,
- "showErrorDetails": true,
- "healthCheck": {
- "timeout": "string",
- "interval": "string",
- "unhealthyThreshold": 0,
- "healthyThreshold": 0,
- "type": "http",
- "host": "string",
- "path": "string",
- "expectedStatuses": [
- {
- "start": 0,
- "end": 0
}
], - "codecClientType": "http1"
}, - "loadBalancingPolicy": "round_robin",
- "policyIds": [
- "string"
]
}
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "name": "string",
- "from": "string",
- "to": [
- "string"
], - "response": {
- "status": 200,
- "body": "string"
}, - "prefix": "string",
- "path": "string",
- "regex": "string",
- "prefixRewrite": "string",
- "regexRewritePattern": "string",
- "regexRewriteSubstitution": "string",
- "hostRewrite": "string",
- "hostRewriteHeader": "string",
- "hostPathRegexRewritePattern": "string",
- "hostPathRegexRewriteSubstitution": "string",
- "regexPriorityOrder": 0,
- "timeout": "string",
- "idleTimeout": "string",
- "allowWebsockets": true,
- "allowSpdy": true,
- "tlsSkipVerify": true,
- "tlsUpstreamServerName": "string",
- "tlsDownstreamServerName": "string",
- "tlsCustomCaKeyPairId": "string",
- "tlsClientKeyPairId": "string",
- "tlsDownstreamClientCaKeyPairId": "string",
- "tlsUpstreamAllowRenegotiation": true,
- "setRequestHeaders": {
- "property1": "string",
- "property2": "string"
}, - "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "removeRequestHeaders": [
- "string"
], - "rewriteResponseHeaders": [
- {
- "header": "string",
- "matcher": {
- "prefix": "string"
}, - "value": "string"
}
], - "preserveHostHeader": true,
- "passIdentityHeaders": true,
- "kubernetesServiceAccountToken": "string",
- "redirect": {
- "httpsRedirect": true,
- "schemeRedirect": "string",
- "hostRedirect": "string",
- "portRedirect": 0,
- "pathRedirect": "string",
- "prefixRewrite": "string",
- "responseCode": 0,
- "stripQuery": true
}, - "enableGoogleCloudServerlessAuthentication": true,
- "showErrorDetails": true,
- "healthCheck": {
- "timeout": "string",
- "interval": "string",
- "unhealthyThreshold": 0,
- "healthyThreshold": 0,
- "type": "http",
- "host": "string",
- "path": "string",
- "expectedStatuses": [
- {
- "start": 0,
- "end": 0
}
], - "codecClientType": "http1"
}, - "loadBalancingPolicy": "round_robin",
- "policyIds": [
- "string"
], - "enforcedPolicies": [
- {
- "id": "string",
- "name": "string"
}
], - "enforcedPolicyIds": [
- "string"
], - "policies": [
- {
- "id": "string",
- "name": "string"
}
]
}
getRouteCertificates
Get certificates that match the given route
Authorizations:
path Parameters
organizationId required | string ID of organization |
routeId required | string ID of route |
Responses
Response samples
- 200
[- {
- "certificateInfo": {
- "version": 0,
- "serial": "string",
- "issuer": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "subject": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "notBefore": "2019-08-24T14:15:22Z",
- "notAfter": "2019-08-24T14:15:22Z",
- "keyUsage": {
- "digitalSignature": true,
- "contentCommitment": true,
- "keyEncipherment": true,
- "dataEncipherment": true,
- "keyAgreement": true,
- "certSign": true,
- "crlSign": true,
- "encipherOnly": true,
- "decipherOnly": true
}, - "extKeyUsage": {
- "any": true,
- "serverAuth": true,
- "clientAuth": true,
- "codeSigning": true,
- "emailProtection": true,
- "ipsecEndSystem": true,
- "ipsecTunnel": true,
- "ipsecUser": true,
- "timeStamping": true,
- "ocspSigning": true,
- "microsoftServerGatedCrypto": true,
- "netscapeServerGatedCrypto": true,
- "microsoftCommercialCodeSigning": true,
- "microsoftKernelCodeSigning": true
}, - "dnsNames": [
- "string"
], - "emailAddresses": [
- "string"
], - "ipAddresses": [
- "string"
], - "uris": [
- "string"
], - "permittedDnsDomainsCritical": true,
- "permittedDnsDomains": [
- "string"
], - "excludedDnsDomains": [
- "string"
], - "permittedIpRanges": [
- "string"
], - "excludedIpRanges": [
- "string"
], - "permittedEmailAddresses": [
- "string"
], - "excludedEmailAddresses": [
- "string"
], - "permittedUriDomains": [
- "string"
], - "excludedUriDomains": [
- "string"
]
}, - "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "certificate": "string",
- "name": "string",
- "origin": "system",
- "status": "pending"
}
]
getIdToken
Exchange API refresh token for ID token
Request Body schema: application/jsonrequired
refreshToken required | string API refresh token |
Responses
Request samples
- Payload
{- "refreshToken": "string"
}
Response samples
- 200
{- "idToken": "string",
- "expiresInSeconds": "string"
}
The keypair service is where you can manage global- and route-level certificates for your organization.
listKeyPairs
List key pairs
Authorizations:
path Parameters
organizationId required | string ID of organization |
query Parameters
namespaceId required | string ID of namespace |
includeDescendants | boolean include resources from descendant namespaces |
Responses
Response samples
- 200
[- {
- "certificateInfo": {
- "version": 0,
- "serial": "string",
- "issuer": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "subject": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "notBefore": "2019-08-24T14:15:22Z",
- "notAfter": "2019-08-24T14:15:22Z",
- "keyUsage": {
- "digitalSignature": true,
- "contentCommitment": true,
- "keyEncipherment": true,
- "dataEncipherment": true,
- "keyAgreement": true,
- "certSign": true,
- "crlSign": true,
- "encipherOnly": true,
- "decipherOnly": true
}, - "extKeyUsage": {
- "any": true,
- "serverAuth": true,
- "clientAuth": true,
- "codeSigning": true,
- "emailProtection": true,
- "ipsecEndSystem": true,
- "ipsecTunnel": true,
- "ipsecUser": true,
- "timeStamping": true,
- "ocspSigning": true,
- "microsoftServerGatedCrypto": true,
- "netscapeServerGatedCrypto": true,
- "microsoftCommercialCodeSigning": true,
- "microsoftKernelCodeSigning": true
}, - "dnsNames": [
- "string"
], - "emailAddresses": [
- "string"
], - "ipAddresses": [
- "string"
], - "uris": [
- "string"
], - "permittedDnsDomainsCritical": true,
- "permittedDnsDomains": [
- "string"
], - "excludedDnsDomains": [
- "string"
], - "permittedIpRanges": [
- "string"
], - "excludedIpRanges": [
- "string"
], - "permittedEmailAddresses": [
- "string"
], - "excludedEmailAddresses": [
- "string"
], - "permittedUriDomains": [
- "string"
], - "excludedUriDomains": [
- "string"
]
}, - "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "certificate": "string",
- "name": "string",
- "origin": "system",
- "status": "pending"
}
]
createKeyPair
Create keyPair
Authorizations:
path Parameters
organizationId required | string ID of organization |
Request Body schema: application/jsonrequired
key | string |
namespaceId required | string |
certificate | string |
name | string |
Responses
Request samples
- Payload
{- "key": "string",
- "namespaceId": "string",
- "certificate": "string",
- "name": "string"
}
Response samples
- 201
{- "certificateInfo": {
- "version": 0,
- "serial": "string",
- "issuer": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "subject": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "notBefore": "2019-08-24T14:15:22Z",
- "notAfter": "2019-08-24T14:15:22Z",
- "keyUsage": {
- "digitalSignature": true,
- "contentCommitment": true,
- "keyEncipherment": true,
- "dataEncipherment": true,
- "keyAgreement": true,
- "certSign": true,
- "crlSign": true,
- "encipherOnly": true,
- "decipherOnly": true
}, - "extKeyUsage": {
- "any": true,
- "serverAuth": true,
- "clientAuth": true,
- "codeSigning": true,
- "emailProtection": true,
- "ipsecEndSystem": true,
- "ipsecTunnel": true,
- "ipsecUser": true,
- "timeStamping": true,
- "ocspSigning": true,
- "microsoftServerGatedCrypto": true,
- "netscapeServerGatedCrypto": true,
- "microsoftCommercialCodeSigning": true,
- "microsoftKernelCodeSigning": true
}, - "dnsNames": [
- "string"
], - "emailAddresses": [
- "string"
], - "ipAddresses": [
- "string"
], - "uris": [
- "string"
], - "permittedDnsDomainsCritical": true,
- "permittedDnsDomains": [
- "string"
], - "excludedDnsDomains": [
- "string"
], - "permittedIpRanges": [
- "string"
], - "excludedIpRanges": [
- "string"
], - "permittedEmailAddresses": [
- "string"
], - "excludedEmailAddresses": [
- "string"
], - "permittedUriDomains": [
- "string"
], - "excludedUriDomains": [
- "string"
]
}, - "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "certificate": "string",
- "name": "string",
- "origin": "system",
- "status": "pending"
}
getKeyPair
Get keyPair
Authorizations:
path Parameters
organizationId required | string ID of organization |
keyPairId required | string ID of namespace |
Responses
Response samples
- 200
{- "certificateInfo": {
- "version": 0,
- "serial": "string",
- "issuer": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "subject": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "notBefore": "2019-08-24T14:15:22Z",
- "notAfter": "2019-08-24T14:15:22Z",
- "keyUsage": {
- "digitalSignature": true,
- "contentCommitment": true,
- "keyEncipherment": true,
- "dataEncipherment": true,
- "keyAgreement": true,
- "certSign": true,
- "crlSign": true,
- "encipherOnly": true,
- "decipherOnly": true
}, - "extKeyUsage": {
- "any": true,
- "serverAuth": true,
- "clientAuth": true,
- "codeSigning": true,
- "emailProtection": true,
- "ipsecEndSystem": true,
- "ipsecTunnel": true,
- "ipsecUser": true,
- "timeStamping": true,
- "ocspSigning": true,
- "microsoftServerGatedCrypto": true,
- "netscapeServerGatedCrypto": true,
- "microsoftCommercialCodeSigning": true,
- "microsoftKernelCodeSigning": true
}, - "dnsNames": [
- "string"
], - "emailAddresses": [
- "string"
], - "ipAddresses": [
- "string"
], - "uris": [
- "string"
], - "permittedDnsDomainsCritical": true,
- "permittedDnsDomains": [
- "string"
], - "excludedDnsDomains": [
- "string"
], - "permittedIpRanges": [
- "string"
], - "excludedIpRanges": [
- "string"
], - "permittedEmailAddresses": [
- "string"
], - "excludedEmailAddresses": [
- "string"
], - "permittedUriDomains": [
- "string"
], - "excludedUriDomains": [
- "string"
]
}, - "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "certificate": "string",
- "name": "string",
- "origin": "system",
- "status": "pending"
}
updateKeyPair
Update keyPair. If the certificate and/or key is not set the existing certificate and/or key will be preserved.
Authorizations:
path Parameters
organizationId required | string ID of organization |
keyPairId required | string ID of namespace |
Request Body schema: application/jsonrequired
key | string |
namespaceId required | string |
certificate | string |
name | string |
Responses
Request samples
- Payload
{- "key": "string",
- "namespaceId": "string",
- "certificate": "string",
- "name": "string"
}
Response samples
- 200
{- "certificateInfo": {
- "version": 0,
- "serial": "string",
- "issuer": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "subject": {
- "country": [
- "string"
], - "organization": [
- "string"
], - "organizationalUnit": [
- "string"
], - "locality": [
- "string"
], - "province": [
- "string"
], - "streetAddress": [
- "string"
], - "postalCode": [
- "string"
], - "serialNumber": "string",
- "commonName": "string"
}, - "notBefore": "2019-08-24T14:15:22Z",
- "notAfter": "2019-08-24T14:15:22Z",
- "keyUsage": {
- "digitalSignature": true,
- "contentCommitment": true,
- "keyEncipherment": true,
- "dataEncipherment": true,
- "keyAgreement": true,
- "certSign": true,
- "crlSign": true,
- "encipherOnly": true,
- "decipherOnly": true
}, - "extKeyUsage": {
- "any": true,
- "serverAuth": true,
- "clientAuth": true,
- "codeSigning": true,
- "emailProtection": true,
- "ipsecEndSystem": true,
- "ipsecTunnel": true,
- "ipsecUser": true,
- "timeStamping": true,
- "ocspSigning": true,
- "microsoftServerGatedCrypto": true,
- "netscapeServerGatedCrypto": true,
- "microsoftCommercialCodeSigning": true,
- "microsoftKernelCodeSigning": true
}, - "dnsNames": [
- "string"
], - "emailAddresses": [
- "string"
], - "ipAddresses": [
- "string"
], - "uris": [
- "string"
], - "permittedDnsDomainsCritical": true,
- "permittedDnsDomains": [
- "string"
], - "excludedDnsDomains": [
- "string"
], - "permittedIpRanges": [
- "string"
], - "excludedIpRanges": [
- "string"
], - "permittedEmailAddresses": [
- "string"
], - "excludedEmailAddresses": [
- "string"
], - "permittedUriDomains": [
- "string"
], - "excludedUriDomains": [
- "string"
]
}, - "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "namespaceId": "string",
- "certificate": "string",
- "name": "string",
- "origin": "system",
- "status": "pending"
}
listNamespaces
List namespaces
Authorizations:
path Parameters
organizationId required | string ID of organization |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "parentId": "string",
- "name": "string",
- "type": "cluster",
- "role": "admin"
}
]
The changeset service is where you can list, get, and apply changesets within a cluster or namespace.
listChangesets
List changesets
Authorizations:
path Parameters
organizationId required | string ID of organization |
query Parameters
clusterId | string ID of cluster |
status | string (ChangesetStatus) Enum: "pending" "applying" "applied" "failed" "current" "rejected" status of changeset |
offset | integer offset of the resources |
limit | integer limit number of resources returned |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "failureMessage": "string",
- "namespaceId": "string",
- "status": "pending"
}
]
compareChangesets
Compare changesets
Authorizations:
path Parameters
organizationId required | string ID of organization |
query Parameters
clusterId required | string ID of cluster |
firstId | string id of the first changeset to compare |
secondId | string id of the second changeset to compare |
Responses
Response samples
- 200
{- "startChangeset": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "failureMessage": "string",
- "namespaceId": "string",
- "status": "pending"
}, - "endChangeset": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "failureMessage": "string",
- "namespaceId": "string",
- "status": "pending"
}, - "entities": [
- [
- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "activityType": "create",
- "applied": {
- "at": "2019-08-24T14:15:22Z",
- "by": {
- "id": "string",
- "email": "user@example.com",
- "displayName": "string",
- "photoUrl": "string"
}, - "changesetId": "string"
}, - "entity": {
- "type": "changeset",
- "id": "string",
- "data": { }
}, - "namespace": {
- "id": "string",
- "name": "string"
}, - "user": {
- "id": "string",
- "email": "user@example.com",
- "displayName": "string",
- "photoUrl": "string"
}
}
]
]
}
applyChangeset
Apply changeset
Authorizations:
path Parameters
organizationId required | string ID of organization |
changesetId required | string ID of changeset |
Responses
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "failureMessage": "string",
- "namespaceId": "string",
- "status": "pending"
}
updateSettings
Update settings
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Request Body schema: application/jsonrequired
logLevel required | string Sets the global logging level for Pomerium. Only logs of the desired level and above will be logged. |
proxyLogLevel | string Sets the logging level for the Pomerium Proxy service access logs. Only logs of the desired level and above will be logged. |
address required | string <hostport> Specifies the Host and Port to serve HTTP requests from. If empty, |
dnsLookupFamily required | string (DNSLookupFamily) Enum: "V4_ONLY" "V6_ONLY" "V4_PREFERRED" "AUTO" "ALL" Sets the DNS IP address resolution policy. |
httpRedirectAddr | string <hostport> Specifies the Host and Port to redirect HTTP to HTTPS traffic on. If unset, no redirect server is started. |
timeoutRead required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the amount of time for the entire request stream to be received from the client. |
timeoutWrite required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the max stream duration is the maximum time that a stream’s lifetime will span. |
timeoutIdle required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the idle timeout is the time at which a downstream or upstream connection will be terminated if there are no active streams. |
cookieName required | |
cookieSecret | string Sets the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you. |
cookieDomain | string Sets the scope of session cookies issued by Pomerium. If you specify the domain explicitly, then subdomains would also be included. |
cookieHttpOnly required | boolean If true, this setting forbids JavaScript from accessing the cookie. |
cookieExpire required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the lifetime of session cookies. After this interval, users must reauthenticate. |
cookieSameSite | string Sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests. |
certificateAuthorityKeyPairId | string ID of CA's public and private key pair. |
object (StringMap) Specifies a mapping of HTTP Headers added globally to all managed routes and Pomerium's Authenticate Service. | |
object (StringMap) Pass specific user session data to upstream applications as unsigned HTTP request headers. | |
defaultUpstreamTimeout required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ The default timeout applied to a proxied route when no timeout key is specified by the policy. |
metricsAddress | |
tracingProvider | |
tracingSampleRate required | number Percentage of requests to sample in decimal notation. The default is 0.0001, or .01%. |
tracingDatadogAddress | string <hostport> The |
tracingJaegerCollectorEndpoint | |
tracingJaegerAgentEndpoint | |
tracingZipkinEndpoint | |
clientCa | string The X.509 public-key used to validate a client certificate. |
clientCaFile | |
clientCaKeyPairId | string ID of the client CA's public and private key pair. |
googleCloudServerlessAuthenticationServiceAccount | string Specifies the Service Account credentials to support GCP's Authorization Header format. |
skipXffAppend required | boolean If true, the incoming X-Forwarded-For HTTP header would not be modified. |
databrokerStorageConnection | |
accessLogFields | Array of strings Controls which fields are included in the access logs. |
authorizeLogFields | Array of strings Controls which fields are included in the authorize logs. |
passIdentityHeaders required | boolean |
autoApplyChangesets required | boolean |
authenticateServiceUrl | string <url> Specifies the URL to use for the authenticate service, if not using the Hosted Authenticate Service. (This URL should resolve to your Pomerium deployment.) |
identityProvider | string (IdentityProviderType) Enum: "apple" "auth0" "azure" "cognito" "github" "gitlab" "google" "oidc" "okta" "onelogin" "ping" Identity provider type, if not using the Hosted Authenticate Service. |
identityProviderClientId | string Identity provider client ID, if not using the Hosted Authenticate Service. |
identityProviderClientSecret | string Identity provider client secret, if not using the Hosted Authenticate Service. |
object (StringMap) Identity provider request params, if not using the Hosted Authenticate Service. | |
identityProviderScopes | Array of strings (StringList) Identity provider scopes, if not using the Hosted Authenticate Service. |
identityProviderUrl | string <url> Identity provider URL, if not using the Hosted Authenticate Service. (This is required only for certain identity providers types.) |
Responses
Request samples
- Payload
{- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
patchSettings
Patch settings
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Request Body schema: application/jsonrequired
op required | string Enum: "add" "remove" "replace" "copy" "move" "test" |
path required | string |
value | any |
from | string |
Responses
Request samples
- Payload
[- {
- "op": "add",
- "path": "string",
- "value": null,
- "from": "string"
}
]
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
getSettings
Get settings
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Responses
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
updateSettings
Update settings
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Request Body schema: application/jsonrequired
logLevel required | string Sets the global logging level for Pomerium. Only logs of the desired level and above will be logged. |
proxyLogLevel | string Sets the logging level for the Pomerium Proxy service access logs. Only logs of the desired level and above will be logged. |
address required | string <hostport> Specifies the Host and Port to serve HTTP requests from. If empty, |
dnsLookupFamily required | string (DNSLookupFamily) Enum: "V4_ONLY" "V6_ONLY" "V4_PREFERRED" "AUTO" "ALL" Sets the DNS IP address resolution policy. |
httpRedirectAddr | string <hostport> Specifies the Host and Port to redirect HTTP to HTTPS traffic on. If unset, no redirect server is started. |
timeoutRead required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the amount of time for the entire request stream to be received from the client. |
timeoutWrite required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the max stream duration is the maximum time that a stream’s lifetime will span. |
timeoutIdle required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the idle timeout is the time at which a downstream or upstream connection will be terminated if there are no active streams. |
cookieName required | |
cookieSecret | string Sets the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you. |
cookieDomain | string Sets the scope of session cookies issued by Pomerium. If you specify the domain explicitly, then subdomains would also be included. |
cookieHttpOnly required | boolean If true, this setting forbids JavaScript from accessing the cookie. |
cookieExpire required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ Sets the lifetime of session cookies. After this interval, users must reauthenticate. |
cookieSameSite | string Sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests. |
certificateAuthorityKeyPairId | string ID of CA's public and private key pair. |
object (StringMap) Specifies a mapping of HTTP Headers added globally to all managed routes and Pomerium's Authenticate Service. | |
object (StringMap) Pass specific user session data to upstream applications as unsigned HTTP request headers. | |
defaultUpstreamTimeout required | string (Duration) ^([0-9]+(y|w|d|h|m|s|ms))+$ The default timeout applied to a proxied route when no timeout key is specified by the policy. |
metricsAddress | |
tracingProvider | |
tracingSampleRate required | number Percentage of requests to sample in decimal notation. The default is 0.0001, or .01%. |
tracingDatadogAddress | string <hostport> The |
tracingJaegerCollectorEndpoint | |
tracingJaegerAgentEndpoint | |
tracingZipkinEndpoint | |
clientCa | string The X.509 public-key used to validate a client certificate. |
clientCaFile | |
clientCaKeyPairId | string ID of the client CA's public and private key pair. |
googleCloudServerlessAuthenticationServiceAccount | string Specifies the Service Account credentials to support GCP's Authorization Header format. |
skipXffAppend required | boolean If true, the incoming X-Forwarded-For HTTP header would not be modified. |
databrokerStorageConnection | |
accessLogFields | Array of strings Controls which fields are included in the access logs. |
authorizeLogFields | Array of strings Controls which fields are included in the authorize logs. |
passIdentityHeaders required | boolean |
autoApplyChangesets required | boolean |
authenticateServiceUrl | string <url> Specifies the URL to use for the authenticate service, if not using the Hosted Authenticate Service. (This URL should resolve to your Pomerium deployment.) |
identityProvider | string (IdentityProviderType) Enum: "apple" "auth0" "azure" "cognito" "github" "gitlab" "google" "oidc" "okta" "onelogin" "ping" Identity provider type, if not using the Hosted Authenticate Service. |
identityProviderClientId | string Identity provider client ID, if not using the Hosted Authenticate Service. |
identityProviderClientSecret | string Identity provider client secret, if not using the Hosted Authenticate Service. |
object (StringMap) Identity provider request params, if not using the Hosted Authenticate Service. | |
identityProviderScopes | Array of strings (StringList) Identity provider scopes, if not using the Hosted Authenticate Service. |
identityProviderUrl | string <url> Identity provider URL, if not using the Hosted Authenticate Service. (This is required only for certain identity providers types.) |
Responses
Request samples
- Payload
{- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
patchSettings
Patch settings
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Request Body schema: application/jsonrequired
op required | string Enum: "add" "remove" "replace" "copy" "move" "test" |
path required | string |
value | any |
from | string |
Responses
Request samples
- Payload
[- {
- "op": "add",
- "path": "string",
- "value": null,
- "from": "string"
}
]
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "logLevel": "string",
- "proxyLogLevel": "string",
- "address": "string",
- "dnsLookupFamily": "V4_ONLY",
- "httpRedirectAddr": "string",
- "timeoutRead": "string",
- "timeoutWrite": "string",
- "timeoutIdle": "string",
- "cookieName": "string",
- "cookieSecret": "string",
- "cookieDomain": "string",
- "cookieHttpOnly": true,
- "cookieExpire": "string",
- "cookieSameSite": "string",
- "certificateAuthorityKeyPairId": "string",
- "setResponseHeaders": {
- "property1": "string",
- "property2": "string"
}, - "jwtClaimsHeaders": {
- "property1": "string",
- "property2": "string"
}, - "defaultUpstreamTimeout": "string",
- "metricsAddress": "string",
- "tracingProvider": "string",
- "tracingSampleRate": 0,
- "tracingDatadogAddress": "string",
- "tracingJaegerCollectorEndpoint": "string",
- "tracingJaegerAgentEndpoint": "string",
- "tracingZipkinEndpoint": "string",
- "clientCa": "string",
- "clientCaFile": "string",
- "clientCaKeyPairId": "string",
- "googleCloudServerlessAuthenticationServiceAccount": "string",
- "skipXffAppend": true,
- "databrokerStorageConnection": "string",
- "accessLogFields": [
- "string"
], - "authorizeLogFields": [
- "string"
], - "passIdentityHeaders": true,
- "autoApplyChangesets": true,
- "authenticateServiceUrl": "string",
- "identityProvider": "apple",
- "identityProviderClientId": "string",
- "identityProviderClientSecret": "string",
- "identityProviderRequestParams": {
- "property1": "string",
- "property2": "string"
}, - "identityProviderScopes": [
- "string"
], - "identityProviderUrl": "string"
}
A cluster represents an isolated Pomerium Core instance within your organization. An organization can have multiple clusters with separate configurations depending on the organization’s use case.
createOrganization
Create organization
Authorizations:
Request Body schema: application/jsonrequired
name required | string |
logoURL | string <url> URL to an image that will be used as the organization logo. User may provide a URL to an image hosted on a third party service, or upload an image to the dashboard, which would result in an URL being generated. |
Responses
Request samples
- Payload
{- "name": "string",
- "logoURL": "string"
}
Response samples
- 201
{- "cluster": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "manualOverrideIpAddress": "string",
- "fqdn": "string",
- "autoDetectIpAddress": "string",
- "namespaceId": "string",
- "hasFailingHealthChecks": true,
- "domain": "string",
- "refreshToken": "string"
}, - "namespace": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "parentId": "string",
- "name": "string",
- "type": "cluster"
}, - "organization": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "logoURL": "string",
- "organizationType": "personal",
- "ownerUserId": "string",
- "role": "owner",
- "joinedAt": "2019-08-24T14:15:22Z",
- "quotas": {
- "administrators": 0,
- "certificates": 0,
- "clusters": 0,
- "customDomains": 0,
- "policies": 0,
- "replicas": 0,
- "routes": 0,
- "serviceAccounts": 0
}
}
}
listClusters
List clusters
Authorizations:
path Parameters
organizationId required | string ID of organization |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "manualOverrideIpAddress": "string",
- "fqdn": "string",
- "autoDetectIpAddress": "string",
- "namespaceId": "string",
- "hasFailingHealthChecks": true,
- "domain": "string"
}
]
createCluster
Create cluster
Authorizations:
path Parameters
organizationId required | string ID of organization |
Request Body schema: application/jsonrequired
name required | string |
manualOverrideIpAddress | string <ip> (IPAddress) |
domain required | string |
Responses
Request samples
- Payload
{- "name": "string",
- "manualOverrideIpAddress": "string",
- "domain": "string"
}
Response samples
- 201
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "manualOverrideIpAddress": "string",
- "fqdn": "string",
- "autoDetectIpAddress": "string",
- "namespaceId": "string",
- "hasFailingHealthChecks": true,
- "domain": "string",
- "refreshToken": "string"
}
getCluster
Get cluster
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Responses
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "manualOverrideIpAddress": "string",
- "fqdn": "string",
- "autoDetectIpAddress": "string",
- "namespaceId": "string",
- "hasFailingHealthChecks": true,
- "domain": "string"
}
updateCluster
Update cluster
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Request Body schema: application/jsonrequired
name required | string |
manualOverrideIpAddress | string <ip> (IPAddress) |
Responses
Request samples
- Payload
{- "name": "string",
- "manualOverrideIpAddress": "string"
}
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "manualOverrideIpAddress": "string",
- "fqdn": "string",
- "autoDetectIpAddress": "string",
- "namespaceId": "string",
- "hasFailingHealthChecks": true,
- "domain": "string"
}
listClusterReplicas
List replicas known for a cluster
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
query Parameters
startTime required | string <date-time> Start time of the time range |
endTime required | string <date-time> Start time of the time range |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "hostname": "string"
}
]
getClusterHealth
Get cluster health check data
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Responses
Response samples
- 200
[- {
- "description": "string",
- "helpUrl": "string",
- "hostname": "string",
- "status": "success",
- "updatedAt": "2019-08-24T14:15:22Z"
}
]
rotateClusterToken
Rotate cluster identity token. This token is used to authenticate the cluster to the Pomerium Zero API. Only one token may be active at a time. Requesting a new token will invalidate the previous one.
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Responses
Response samples
- 200
{- "refreshToken": "string"
}
checkIdentityProviderSettings
Check identity provider settings
Authorizations:
Request Body schema: application/jsonrequired
provider required | string (IdentityProviderType) Enum: "apple" "auth0" "azure" "cognito" "github" "gitlab" "google" "oidc" "okta" "onelogin" "ping" |
url | string |
clientId | string |
clientSecret | string |
object (StringMap) | |
scopes | Array of strings (StringList) |
Responses
Request samples
- Payload
{- "provider": "apple",
- "url": "string",
- "clientId": "string",
- "clientSecret": "string",
- "requestParams": {
- "property1": "string",
- "property2": "string"
}, - "scopes": [
- "string"
]
}
Response samples
- 200
{- "success": true,
- "errors": {
- "provider": "string",
- "url": "string",
- "clientId": "string",
- "clientSecret": "string",
- "requestParams": "string",
- "scopes": "string"
}
}
startOnboarding
Start onboarding
Authorizations:
Request Body schema: application/jsonrequired
system required | string |
timezone required | string |
Responses
Request samples
- Payload
{- "system": "string",
- "timezone": "string"
}
Response samples
- 200
{- "organizationId": "string",
- "clusterId": "string",
- "clusterToken": "string"
}
configureOnboarding
Configure onboarding
Authorizations:
Request Body schema: application/jsonrequired
ipAddress | string <ip> (IPAddress) |
port | string <port> (Port) |
system required | string |
timezone required | string |
Responses
Request samples
- Payload
{- "ipAddress": "string",
- "port": "string",
- "system": "string",
- "timezone": "string"
}
Response samples
- 200
{ }
getClusterTimeSeriesMetric
Get cluster metric time series
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
metricId required | string (ClusterTimeSeriesMetricId) Enum: "mau" "dau" ID of cluster time series metric |
Responses
Response samples
- 200
{- "labels": {
- "property1": "string",
- "property2": "string"
}, - "points": [
- {
- "value": 0.1,
- "timestamp": "2019-08-24T14:15:22Z"
}
], - "unit": "string"
}
getRouteDistributionMetricSum
Get distribution metric as a time series for a given percentile
Authorizations:
path Parameters
organizationId required | string ID of organization |
routeId required | string ID of route |
metricId required | string (RouteDistributionMetricId) Value: "upstream_request_time" ID of route time series metric |
query Parameters
startTime required | string <date-time> Start time of the time range |
endTime required | string <date-time> Start time of the time range |
replicaId | string ID of replica |
Responses
Response samples
- 200
[- {
- "labels": {
- "property1": "string",
- "property2": "string"
}, - "distributionValue": {
- "count": 0,
- "mean": 0.1,
- "explicitBucketBounds": [
- 0.1
], - "bucketCounts": [
- 0
]
}, - "unit": "string"
}
]
getRouteDistributionMetricTimeSeries
Get distribution metric as a time series for a given percentile
Authorizations:
path Parameters
organizationId required | string ID of organization |
routeId required | string ID of route |
metricId required | string (RouteDistributionMetricId) Value: "upstream_request_time" ID of route time series metric |
query Parameters
percentile required | integer (Percentile) Enum: 50 95 99 Percentile of the distribution |
startTime required | string <date-time> Start time of the time range |
endTime required | string <date-time> Start time of the time range |
replicaId | string ID of replica |
Responses
Response samples
- 200
[- {
- "labels": {
- "property1": "string",
- "property2": "string"
}, - "points": [
- {
- "value": 0.1,
- "timestamp": "2019-08-24T14:15:22Z"
}
], - "unit": "string"
}
]
getRouteTimeSeriesMetric
Get route metric time series
Authorizations:
path Parameters
organizationId required | string ID of organization |
routeId required | string ID of route |
metricId required | string (RouteTimeSeriesMetricId) Enum: "upstream_requests" "upstream_rx_bytes" "upstream_tx_bytes" "authz_ok" "authz_err" "authz_denied" ID of route time series metric |
query Parameters
startTime required | string <date-time> Start time of the time range |
endTime required | string <date-time> Start time of the time range |
replicaId | string ID of replica |
Responses
Response samples
- 200
[- {
- "labels": {
- "property1": "string",
- "property2": "string"
}, - "points": [
- {
- "value": 0.1,
- "timestamp": "2019-08-24T14:15:22Z"
}
], - "unit": "string"
}
]
getRouteTimeSeriesMetricSum
Get route metric time series sum over the requested time range
Authorizations:
path Parameters
organizationId required | string ID of organization |
routeId required | string ID of route |
metricId required | string (RouteTimeSeriesMetricId) Enum: "upstream_requests" "upstream_rx_bytes" "upstream_tx_bytes" "authz_ok" "authz_err" "authz_denied" ID of route time series metric |
query Parameters
startTime required | string <date-time> Start time of the time range |
endTime required | string <date-time> Start time of the time range |
replicaId | string ID of replica |
Responses
Response samples
- 200
[- {
- "labels": {
- "property1": "string",
- "property2": "string"
}, - "value": 0.1,
- "unit": "string"
}
]
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "logoURL": "string",
- "organizationType": "personal",
- "ownerUserId": "string",
- "role": "owner",
- "joinedAt": "2019-08-24T14:15:22Z",
- "quotas": {
- "administrators": 0,
- "certificates": 0,
- "clusters": 0,
- "customDomains": 0,
- "policies": 0,
- "replicas": 0,
- "routes": 0,
- "serviceAccounts": 0
}
}
]
createOrganization
Create organization
Authorizations:
Request Body schema: application/jsonrequired
name required | string |
logoURL | string <url> URL to an image that will be used as the organization logo. User may provide a URL to an image hosted on a third party service, or upload an image to the dashboard, which would result in an URL being generated. |
Responses
Request samples
- Payload
{- "name": "string",
- "logoURL": "string"
}
Response samples
- 201
{- "cluster": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "manualOverrideIpAddress": "string",
- "fqdn": "string",
- "autoDetectIpAddress": "string",
- "namespaceId": "string",
- "hasFailingHealthChecks": true,
- "domain": "string",
- "refreshToken": "string"
}, - "namespace": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "parentId": "string",
- "name": "string",
- "type": "cluster"
}, - "organization": {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "logoURL": "string",
- "organizationType": "personal",
- "ownerUserId": "string",
- "role": "owner",
- "joinedAt": "2019-08-24T14:15:22Z",
- "quotas": {
- "administrators": 0,
- "certificates": 0,
- "clusters": 0,
- "customDomains": 0,
- "policies": 0,
- "replicas": 0,
- "routes": 0,
- "serviceAccounts": 0
}
}
}
getOrganization
Get organization
Authorizations:
path Parameters
organizationId required | string ID of organization |
Responses
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "logoURL": "string",
- "organizationType": "personal",
- "ownerUserId": "string",
- "role": "owner",
- "joinedAt": "2019-08-24T14:15:22Z",
- "quotas": {
- "administrators": 0,
- "certificates": 0,
- "clusters": 0,
- "customDomains": 0,
- "policies": 0,
- "replicas": 0,
- "routes": 0,
- "serviceAccounts": 0
}
}
updateOrganization
Update organization
Authorizations:
path Parameters
organizationId required | string ID of organization |
Request Body schema: application/jsonrequired
name required | string |
logoURL | string <url> URL to an image that will be used as the organization logo. User may provide a URL to an image hosted on a third party service, or upload an image to the dashboard, which would result in an URL being generated. |
ownerUserId | string |
Responses
Request samples
- Payload
{- "name": "string",
- "logoURL": "string",
- "ownerUserId": "string"
}
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "name": "string",
- "logoURL": "string",
- "organizationType": "personal",
- "ownerUserId": "string",
- "role": "owner",
- "joinedAt": "2019-08-24T14:15:22Z",
- "quotas": {
- "administrators": 0,
- "certificates": 0,
- "clusters": 0,
- "customDomains": 0,
- "policies": 0,
- "replicas": 0,
- "routes": 0,
- "serviceAccounts": 0
}
}
listDefaultTemplates
List default templates
Authorizations:
path Parameters
recordType required | string (DefaultTemplateRecordType) Enum: "route" "settings" "policy" Type of record |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "recordType": "route",
- "name": "string",
- "defaultProperties": { }
}
]
listServiceAccounts
List service accounts
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "expiresAt": "2019-08-24T14:15:22Z",
- "description": "string",
- "userId": "string"
}
]
createServiceAccount
Create service account
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
Request Body schema: application/jsonrequired
expiresAt | string <date-time> |
description required | string |
userId required | string |
Responses
Request samples
- Payload
{- "expiresAt": "2019-08-24T14:15:22Z",
- "description": "string",
- "userId": "string"
}
Response samples
- 201
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "expiresAt": "2019-08-24T14:15:22Z",
- "description": "string",
- "userId": "string",
- "token": "string"
}
getServiceAccount
Get service account
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
serviceAccountId required | string ID of service account |
Responses
Response samples
- 200
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "expiresAt": "2019-08-24T14:15:22Z",
- "description": "string",
- "userId": "string"
}
getServiceAccountToken
Get service account token
Authorizations:
path Parameters
organizationId required | string ID of organization |
clusterId required | string ID of cluster |
serviceAccountId required | string ID of service account |
Responses
Response samples
- 200
{- "token": "string"
}
listCustomDomains
List custom domains
Authorizations:
path Parameters
organizationId required | string ID of organization |
query Parameters
clusterId required | string ID of cluster |
Responses
Response samples
- 200
[- {
- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "clusterId": "string",
- "domainName": "string",
- "lastError": "string",
- "keyPairId": "string",
- "expiresAt": "2019-08-24T14:15:22Z"
}
]
addCustomDomain
Add custom domain
Authorizations:
path Parameters
organizationId required | string ID of organization |
Request Body schema: application/jsonrequired
clusterId required | string |
domainName required | string |
Responses
Request samples
- Payload
{- "clusterId": "string",
- "domainName": "string"
}
Response samples
- 201
{- "id": "string",
- "createdAt": "2019-08-24T14:15:22Z",
- "updatedAt": "2019-08-24T14:15:22Z",
- "clusterId": "string",
- "domainName": "string",
- "lastError": "string",
- "keyPairId": "string",
- "expiresAt": "2019-08-24T14:15:22Z"
}