Deprecated: Add JWT Identity Provider (IDP)

deprecated

This endpoint has been deprecated and may be removed in future versions of the API.

Create a new identity provider configuration to enable your users to log in with social/enterprise login. JSON Web Token Identity Provider (JWT IDP) gives you the possibility to use an (existing) JWT as a federated identity. You have to provide an endpoint where ZITADEL can get the existing JWT token.

application/json
application/grpc
application/grpc-web+proto

Request Body required

name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the jwt can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the jwt (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean

Request Body required

name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the jwt can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the jwt (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean

Request Body required

name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the jwt can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the jwt (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean

Responses

200
400
403
404
default

idp created

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
idpId string

{
  "details": {
    "sequence": "2",
    "creationDate": "2023-05-12",
    "changeDate": "2023-05-12",
    "resourceOwner": "69629023906488334"
  },
  "idpId": "69234230193872955"
}

Schema
Example (from schema)

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
idpId string

{
  "details": {
    "sequence": "2",
    "creationDate": "2023-05-12",
    "changeDate": "2023-05-12",
    "resourceOwner": "69629023906488334"
  },
  "idpId": "69234230193872955"
}

Schema
Example (from schema)

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
idpId string

{
  "details": {
    "sequence": "2",
    "creationDate": "2023-05-12",
    "changeDate": "2023-05-12",
    "resourceOwner": "69629023906488334"
  },
  "idpId": "69234230193872955"
}

invalid argument

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Returned when the user does not have permission to access the resource.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Returned when the resource does not exist.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

An unexpected error response.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

POST /idps/jwt

Authorization

type: oauth2flow: authorizationCodescopes: openid,urn:zitadel:iam:org:project:id:zitadel:aud

Request

Base URL

https://$ZITADEL_DOMAIN/admin/v1

Bearer Token

Content-Type

Body required

{
  "name": "google",
  "stylingType": "STYLING_TYPE_UNSPECIFIED",
  "jwtEndpoint": "https://custom.com/auth/jwt",
  "issuer": "https://accounts.custom.com",
  "keysEndpoint": "https://accounts.custom.com/keys",
  "headerName": "x-auth-token",
  "autoRegister": true
}

Accept

curl -L -X POST 'https://$ZITADEL_DOMAIN/admin/v1/idps/jwt' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "name": "google",
  "stylingType": "STYLING_TYPE_UNSPECIFIED",
  "jwtEndpoint": "https://custom.com/auth/jwt",
  "issuer": "https://accounts.custom.com",
  "keysEndpoint": "https://accounts.custom.com/keys",
  "headerName": "x-auth-token",
  "autoRegister": true
}'

curl -L -X POST 'https://$ZITADEL_DOMAIN/admin/v1/idps/jwt' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "name": "google",
  "stylingType": "STYLING_TYPE_UNSPECIFIED",
  "jwtEndpoint": "https://custom.com/auth/jwt",
  "issuer": "https://accounts.custom.com",
  "keysEndpoint": "https://accounts.custom.com/keys",
  "headerName": "x-auth-token",
  "autoRegister": true
}'

curl -L -X POST 'https://$ZITADEL_DOMAIN/admin/v1/idps/jwt' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "name": "google",
  "stylingType": "STYLING_TYPE_UNSPECIFIED",
  "jwtEndpoint": "https://custom.com/auth/jwt",
  "issuer": "https://accounts.custom.com",
  "keysEndpoint": "https://accounts.custom.com/keys",
  "headerName": "x-auth-token",
  "autoRegister": true
}'

curl -L -X POST 'https://$ZITADEL_DOMAIN/admin/v1/idps/jwt' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "name": "google",
  "stylingType": "STYLING_TYPE_UNSPECIFIED",
  "jwtEndpoint": "https://custom.com/auth/jwt",
  "issuer": "https://accounts.custom.com",
  "keysEndpoint": "https://accounts.custom.com/keys",
  "headerName": "x-auth-token",
  "autoRegister": true
}'

curl -L -X POST 'https://$ZITADEL_DOMAIN/admin/v1/idps/jwt' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "name": "google",
  "stylingType": "STYLING_TYPE_UNSPECIFIED",
  "jwtEndpoint": "https://custom.com/auth/jwt",
  "issuer": "https://accounts.custom.com",
  "keysEndpoint": "https://accounts.custom.com/keys",
  "headerName": "x-auth-token",
  "autoRegister": true
}'

curl -L -X POST 'https://$ZITADEL_DOMAIN/admin/v1/idps/jwt' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "name": "google",
  "stylingType": "STYLING_TYPE_UNSPECIFIED",
  "jwtEndpoint": "https://custom.com/auth/jwt",
  "issuer": "https://accounts.custom.com",
  "keysEndpoint": "https://accounts.custom.com/keys",
  "headerName": "x-auth-token",
  "autoRegister": true
}'

curl -L -X POST 'https://$ZITADEL_DOMAIN/admin/v1/idps/jwt' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "name": "google",
  "stylingType": "STYLING_TYPE_UNSPECIFIED",
  "jwtEndpoint": "https://custom.com/auth/jwt",
  "issuer": "https://accounts.custom.com",
  "keysEndpoint": "https://accounts.custom.com/keys",
  "headerName": "x-auth-token",
  "autoRegister": true
}'