Get Service

The sequential number of the service. The value of this property is assigned by Authlete.

The name of this service.

The issuer identifier of the service.

A URL that starts with https:// and has no query or fragment component.

The value of this property is used as iss claim in an ID token and issuer property in the OpenID Provider Metadata.

The description about the service.

The service ID used in Authlete API calls. The value of this property is assigned by Authlete.

The API secret of this service. This value is assigned by Authlete and is used for service authentication in API calls.

The endpoint for batch token notifications. This endpoint is called when multiple tokens are issued or revoked in a batch operation.

The flag indicating whether the audience of client assertion JWTs must match the issuer identifier of this service.

The number of the organization that owns this service. This value is assigned by Authlete.

The maximum number of client applications that a developer can have.

The endpoint for developer authentication callbacks. This is used when developers log into the developer portal.

The API key for basic authentication at the developer authentication callback endpoint.

The API secret for basic authentication at the developer authentication callback endpoint.

Deprecated. Always true.

The time at which this service was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

The time at which this service was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

A Web API endpoint for user authentication which is to be prepared on the service side.

The endpoint must be implemented if you do not implement the UI at the authorization endpoint but use the one provided by Authlete.

The user authentication at the authorization endpoint provided by Authlete is performed by making a POST request to this endpoint.

API key for basic authentication at the authentication callback endpoint.

If the value is not empty, Authlete generates Authorization header for Basic authentication when making a request to the authentication callback endpoint.

API secret for basic authentication at the authentication callback endpoint.

The flag to indicate whether the error_description response parameter is omitted.

According to RFC 6749, an authorization server may include the error_description response parameter in error responses.

If true, Authlete does not embed the error_description response parameter in error responses.

The flag to indicate whether the error_uri response parameter is omitted.

According to RFC 6749, an authorization server may include the error_uri response parameter in error responses.

If true, Authlete does not embed the error_uri response parameter in error responses.

The authorization endpoint of the service.

A URL that starts with https:// and has no fragment component. For example, https://example.com/auth/authorization.

The value of this property is used as authorization_endpoint property in the OpenID Provider Metadata.

The flag to indicate whether the direct authorization endpoint is enabled or not.

The path of the endpoint is /api/auth/authorization/direct/service-api-key.

The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.

If true, code_challenge request parameter is always required for authorization requests using Authorization Code Flow.

See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients) for details about code_challenge request parameter.

The flag to indicate whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.

If this flag is set to true, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.

The duration of authorization response JWTs in seconds.

Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.

The token endpoint of the service.

A URL that starts with https:// and has not fragment component. For example, https://example.com/auth/token.

The value of this property is used as token_endpoint property in the OpenID Provider Metadata.

The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/service-api-key.

The flag to indicate token requests from public clients without the client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.

This flag should not be set unless you have special reasons.

The revocation endpoint of the service.

A URL that starts with https://. For example, https://example.com/auth/revocation.

The flag to indicate whether the direct revocation endpoint is enabled or not. The URL of the endpoint is /api/auth/revocation/direct/service-api-key.

The URI of the introspection endpoint.

The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is /api/auth/userinfo/direct/{serviceApiKey}.

The URI of the pushed authorization request endpoint.

This property corresponds to the pushed_authorization_request_endpoint metadata defined in "5. Authorization Server Metadata" of OAuth 2.0 Pushed Authorization Requests.

The duration of pushed authorization requests in seconds.

The flag to indicate whether this service requires that clients use the pushed authorization request endpoint.

This property corresponds to the require_pushed_authorization_requests server metadata defined in OAuth 2.0 Pushed Authorization Requests.

The flag to indicate whether this service requires that authorization requests always utilize a request object by using either request or request_uri request parameter.

If this flag is set to true and the value of traditionalRequestObjectProcessingApplied is false, the value of require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). That require_signed_request_object is true means that authorization requests which don't conform to the JAR specification are rejected.

The flag to indicate whether a request object is processed based on rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured Authorization Request).

The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.

The access token type.

This value is used as the value of token_type property in access token responses. If this service complies with RFC 6750, the value of this property should be Bearer.

See RFC 6749 (OAuth 2.0), 7.1. Access Token Types for details.

The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.

The duration of access tokens in seconds. This value is used as the value of expires_in property in access token responses. expires_in is defined RFC 6749, 5.1. Successful Response.

The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.

If true, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.

Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is true or false.

The signature algorithm for JWT. This value is represented on 'alg' attribute of the header of JWT.

it's semantics depends upon where is this defined, for instance:

• as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your KB article.
• as client authorizationSignAlg value, it represents the signature algorithm used when creating a JARM response.
• or as client requestSignAlg value, it specifies which is the expected signature used by client on a Request Object.

The key ID to identify a JWK used for signing access tokens.

A JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs. Authlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based access token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for access token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

The duration of refresh tokens in seconds. The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.

The flag to indicate whether the remaining duration of the used refresh token is taken over to the newly issued refresh token.

The flag which indicates whether duration of refresh tokens are reset when they are used even if the refreshTokenKept property of this service set to is true (= even if "Refresh Token Continuous Use" is "Kept").

This flag has no effect when the refreshTokenKept property is set to false. In other words, if this service issues a new refresh token on every refresh token request, the refresh token will have fresh duration (unless refreshTokenDurationKept is set to true) and this refreshTokenDurationReset property is not referenced.

The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.

If true, a refresh token used to get a new access token remains valid after its use. Otherwise, if false, a refresh token is invalidated after its use and a new refresh token is issued.

See RFC 6749 6. Refreshing an Access Token, as to how to get a new access token using a refresh token.

The flag to indicate whether requests that request no scope are rejected or not.

'The duration of ID tokens in seconds. This value is used to calculate the value of exp claim in an ID token.'

The allowable clock skew between the server and clients in seconds.

The clock skew is taken into consideration when time-related claims in a JWT (e.g. exp, iat, nbf) are verified.

The flag indicating whether claims specified by shortcut scopes (e.g. profile) are included in the issued ID token only when no access token is issued.

The URL of the service's JSON Web Key Set document. For example, http://example.com/auth/jwks.

Client applications accesses this URL (1) to get the public key of the service to validate the signature of an ID token issued by the service and (2) to get the public key of the service to encrypt an request object of the client application. See OpenID Connect Core 1.0, 10. Signatures and Encryption for details.

The value of this property is used as jwks_uri property in the OpenID Provider Metadata.

'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/service-api-key. '

The content of the service's JSON Web Key Set document.

If this property is not null in a /service/create request or a /service/update request, Authlete hosts the content in the database. This property must not be null and must contain pairs of public/private keys if the service wants to support asymmetric signatures for ID tokens and asymmetric encryption for request objects. See OpenID Connect Core 1.0, 10. Signatures and Encryption for details.

The key ID to identify a JWK used for ID token signature using an asymmetric key.

The key ID to identify a JWK used for user info signature using an asymmetric key.

The key ID to identify a JWK used for signing authorization responses using an asymmetric key.

The user info endpoint of the service. A URL that starts with https://. For example, https://example.com/auth/userinfo.

The value of this property is used as userinfo_endpoint property in the OpenID Provider Metadata.

The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is /api/auth/userinfo/direct/service-api-key.

The boolean flag which indicates whether the OAuth 2.0 Dynamic Client Registration Protocol is supported.

The registration endpoint of the service. A URL that starts with https://. For example, https://example.com/auth/registration.

The value of this property is used as registration_endpoint property in the OpenID Provider Metadata.

The URI of the registration management endpoint. If dynamic client registration is supported, and this is set, this URI will be used as the basis of the client's management endpoint by appending /clientid}/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.

The URL of the "Policy" of the service.

The value of this property is used as op_policy_uri property in the OpenID Provider Metadata.

The URL of the "Terms Of Service" of the service.

The value of this property is used as op_tos_uri property in the OpenID Provider Metadata.

The URL of a page where documents for developers can be found.

The value of this property is used as service_documentation property in the OpenID Provider Metadata.

The URI of backchannel authentication endpoint, which is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

The duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.

The minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.

The boolean flag which indicates whether the user_code request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.

The flag to indicate whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.

The URI of the device authorization endpoint.

Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.

The verification URI for the device flow. This URI is used as the value of the verification_uri parameter in responses from the device authorization endpoint.

The verification URI for the device flow with a placeholder for a user code. This URI is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.

The duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds. This is used as the value of the expires_in property in responses from the device authorization endpoint.

The minimum interval between polling requests to the token endpoint from client applications in seconds in device flow. This is used as the value of the interval property in responses from the device authorization endpoint.

The character set for end-user verification codes (user_code) for Device Flow.

The length of end-user verification codes (user_code) for Device Flow.

OIDC4IDA / verifiedClaimsValidationSchemaSet

The flag indicating whether the nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.

The flag indicating whether generation of the iss response parameter is suppressed.

The flag indicating whether the expiration date of an access token never exceeds that of the corresponding refresh token.

The flag indicating whether encryption of request object is required when the request object is passed through the front channel.

The flag indicating whether the JWE alg of encrypted request object must match the request_object_encryption_alg client metadata of the client that has sent the request object.

The flag indicating whether the JWE enc of encrypted request object must match the request_object_encryption_enc client metadata of the client that has sent the request object.

The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.

When this flag is false, keys managed in HSMs are not used even if they exist. In addition, /api/hsk/* APIs reject all requests.

Even if this flag is true, HSM-related features do not work if the configuration of the Authlete server you are using does not support HSM.

The URL of the grant management endpoint.

The flag indicating whether every authorization request (and any request serving as an authorization request such as CIBA backchannel authentication request and device authorization request) must include the grant_management_action request parameter.

The flag indicating whether Authlete's /api/client/registration API uses UNAUTHORIZED as a value of the action response parameter when appropriate.

The flag indicating whether the scope request parameter in dynamic client registration and update requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.

Limiting the range of scopes that a client can request is achieved by listing scopes in the client.extension.requestableScopes property and setting the client.extension.requestableScopesEnabled property to true. This feature is called "requestable scopes".

This property affects behaviors of /api/client/registration and other family APIs.

The endpoint for clients ending the sessions.

A URL that starts with https:// and has no fragment component. For example, https://example.com/auth/endSession.

The value of this property is used as end_session_endpoint property in the OpenID Provider Metadata.

The flag indicating whether the port number component of redirection URIs can be variable when the host component indicates loopback.

The flag indicating whether Authlete checks whether the aud claim of request objects matches the issuer identifier of this service.

The flag indicating whether Authlete generates access tokens for external attachments and embeds them in ID tokens and userinfo responses.

flag indicating whether this service supports OpenID Connect Federation 1

JWK Set document containing keys that are used to sign (1) self-signed entity statement of this service and (2) the response from signed_jwks_uri.

A key ID to identify a JWK used to sign the entity configuration and the signed JWK Set.

The duration of the entity configuration in seconds.

The URI of the federation registration endpoint. This property corresponds to the federation_registration_endpoint server metadata that is defined in OpenID Connect Federation 1.0.

The human-readable name representing the organization that operates this service. This property corresponds to the organization_name server metadata that is defined in OpenID Connect Federation 1.0.

The transformed claims predefined by this service in JSON format. This property corresponds to the transformed_claims_predefined server metadata.

flag indicating whether refresh token requests with the same refresh token can be made multiple times in quick succession and they can obtain the same renewed refresh token within the short period.

The URI of the endpoint that returns this service's JWK Set document in the JWT format. This property corresponds to the signed_jwks_uri server metadata defined in OpenID Connect Federation 1.0.

The flag indicating whether to prohibit unidentifiable clients from making token exchange requests.

The flag indicating whether to prohibit public clients from making token exchange requests.

The flag indicating whether to prohibit clients that have no explicit permission from making token exchange requests.

The flag indicating whether to reject token exchange requests which use encrypted JWTs as input tokens.

The flag indicating whether to reject token exchange requests which use unsigned JWTs as input tokens.

The flag indicating whether to prohibit unidentifiable clients from using the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".

The flag indicating whether to reject token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".

The flag indicating whether to reject token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".

The flag indicating whether to block DCR (Dynamic Client Registration) requests whose "software_id" has already been used previously.

The flag indicating whether the openid scope should be dropped from scopes list assigned to access token issued when a refresh token grant is used.

The flag indicating whether this service signs responses from the resource server.

The duration of c_nonce.

Whether to require DPoP proof JWTs to include the nonce claim whenever they are presented.

Get the flag indicating whether the feature of Verifiable Credentials for this service is enabled or not.

The URL at which the JWK Set document of the credential issuer is exposed.

The default duration of credential offers in seconds.

The duration of nonce values for DPoP proof JWTs in seconds.

The flag indicating whether token requests using the pre-authorized code grant flow by unidentifiable clients are allowed.

The duration of transaction ID in seconds that may be issued as a result of a credential request or a batch credential request.

The key ID of the key for signing introspection responses.

The key ID of the key for signing introspection responses.

The default length of user PINs.

The flag indicating whether to enable the feature of ID token reissuance in the refresh token flow.

The JWK Set document containing private keys that are used to sign verifiable credentials.

The default duration of verifiable credentials in seconds.

The type of the aud claim in ID tokens.

Flag that enables the OpenID Connect Native SSO for Mobile Apps 1.0 specification (“Native SSO”). When this property is not true, Native SSO specific parameters are ignored or treated as errors. For example:

• The device_sso scope has no special meaning (Authlete does not embed the sid claim in ID tokens).
• The urn:openid:params:token-type:device-secret token type is treated as unknown and results in an error.

When set to true, the server metadata advertises "native_sso_supported": true. See OpenID Connect Discovery 1.0 and RFC 8414 §2 for background. Native SSO is available in Authlete 3.0 and later.

Version of the OpenID for Verifiable Credential Issuance (OID4VCI) specification to support.

Accepted values are:

• null or "1.0-ID1" → Implementer’s Draft 1.
• "1.0" or "1.0-Final" → Final 1.0 specification.

Choose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.

Flag that controls whether the CIMD metadata policy is applied to client metadata obtained through the Client ID Metadata Document (CIMD) mechanism.

Indicates whether the Client ID Metadata Document (CIMD) mechanism is supported. When true, the service will attempt to retrieve client metadata via CIMD where applicable.

Enables the allowlist for CIMD. When true, only CIMD endpoints that are on the allowlist are used.

If true, CIMD retrieval is always attempted for clients, regardless of other conditions.

Allows CIMD retrieval over plain HTTP. When false, only HTTPS CIMD endpoints are allowed.

Allows the use of query parameters when retrieving CIMD metadata. When false, query parameters are disallowed for CIMD requests.

The metadata policy applied to client metadata obtained through the CIMD mechanism. The value must follow the metadata policy grammar defined in OpenID Federation 1.0 §6.1 Metadata Policy.

When true, client ID aliases starting with https:// or http:// are prohibited.