Object Management API
This API is a RESTful API using OAuth for authentication and OAuth scopes for authorization. In order to call this API, you will need to have an application in Arculix that is granted the necessary OAuth scopes. You will need the UID
of that application and its Secret
.
Authenticating to the API
This REST API uses the OAuth client_credentials
authentication flow.
Get Access Token from the authorization endpoint (/oauth/token
)
Parameter | Type | Description |
---|---|---|
grant_type | String |
|
client_id | String | The |
client_secret | String | The client secret for the application in Arculix |
scope | String | A space-delimited list of scopes to be issued to the access token |
Sample request
{ "grant_type": "client_credentials", "client_id": "YOUR_ARCULIX_APPLICATION_UID", "client_secret": "YOUR_ARCULIX_APPLICATION_SECRET", "scope": "REQUESTED_SCOPES" }
This will return the access token if that application is authorized with the requested scopes.
Note
The generated access tokens are more than 255 bytes in length, so when storing them make sure to have at least 500 bytes of storage available or else they will be truncated.
Sample response
{ "access_token": "YOUR_OAUTH_ACCESS_TOKEN", "token_type": "Bearer", "expires_in": 7200, "scope": "public", "created_at": 1630710187 }
Call API endpoint, sending the access token in the Authorization
HTTP header with Bearer
:
Authorization: Bearer YOUR_OAUTH_ACCESS_TOKEN
Response overview
HTTP status codes
The HTTP status of the response will indicate the general disposition of the request:
Code | Meaning |
---|---|
2xx | Everything went well, the requested data will be in the |
422 | We were unable to process the given data, check the |
4xx | Some other error occurred, check the |
Response body
The body of the response is a JWT—signed by our private key—containing the following keys:
Field | Type | Description |
---|---|---|
response_code | String | A code indicating the general nature of the response (e.g. |
content | JSON | The output data from a successful request. Will only be present if response_code is |
errors | JSON | A mapping of fields to their error messages (e.g. |
message | String | An informative message describing the error. Present when response code is neither |
User Management
User management requires the admin_own_users
OAuth scope on the access token.
Get User Info
Returns the user information for the specified user id.
Request
Method | URL |
---|---|
GET |
|
Field | Value | Type | Description |
---|---|---|---|
id | Integer | URL | The id of the user to fetch |
Response
Successful response
Key | Value | Description |
---|---|---|
id | Integer | The unique identifier for the user |
String | The user's primary email address | |
first_name | String | The user's given name |
last_name | String | The user's surname |
mobile_phone_number | String | The mobile phone number for use by SMS, in E.164 International Standard Format |
created_at | DateTime | When the user was first created, in ISO-8601 format |
updated_at | DateTime | When the user was last updated, in ISO-8601 format |
last_login_at | DateTime | The time of the user's last successful login, in ISO-8601 format |
locked | Boolean | Whether the user's account is locked which prevents logging in |
Successful response example
HTTP/1.1 200 OK { "id": 1, "email": "abe.lincoln@example.com", "first_name": "Abe", "last_name": "Lincoln", "mobile_phone_number": "+18005551212", "created_at": "2021-08-24T14:33:32.804-07:00", "updated_at": "2021-11-19T08:07:22.976-07:00", "last_login_at": "2021-11-19T08:07:21.223-07:00", "locked": false }
Unsuccessful response
Not Found: HTTP 404
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String | More information about the response |
HTTP Status 404 { "response_code": "not_found", "message": "Could not find the specified user" }
Invalid Parameter
Key | Value | Description |
---|---|---|
response_code | String | Code indicating type of error. e.g. |
message | String | Informative message describing the error |
Create New User
Request
Method | URL |
---|---|
POST |
|
Key | Value | Type | Description |
---|---|---|---|
String | Body | The primary email address for the user | |
first_name | String | Body | The user's given name |
last_name | String | Body | The user's surname |
mobile_phone_number | String (E.164 International Standard Format) | body | The user's mobile phone number for SMS MFA |
locale | String (ISO 639-1 code) | Body | Language code for the user |
locked |
| Body | Whether the user's account is locked which prevents logging in |
Sample request
{ "email": "abe.lincoln@example.com", "first_name": "Abe", "last_name": "Lincoln", "mobile_phone_number": "+18005551212" }
Response
Successful response
On success HTTP status 201 (Created) is returned and the user details of the newly created user are returned in the body. This includes the id
of the new user.
Successful response sample
HTTP/1.1 201 Created { "id": 1, "email": "abe.lincoln@example.com", "first_name": "Abe", "last_name": "Lincoln", "mobile_phone_number": "+18005551212", "created_at": "2021-08-24T14:33:32.804-07:00", "updated_at": "2021-08-24T14:33:32.804-07:00", "last_login_at": null, "locked": false }
Update Existing User
Updates an existing user by the given id.
Request
Method | URL |
---|---|
PATCH or PUT |
|
Key | Value | Type | Description |
---|---|---|---|
id | Integer | URL | The id of the user to update |
email | String | URL | The primary email address for the user |
first_name | String | Body | The user's given name |
last_name | String | Body | The user's surname |
mobile_phone_number | String (E.164 International Standard Format) | Body | The user's mobile phone number for SMS MFA |
locale | String (ISO 639-1 code) | Body | Language code for the user |
locked |
| Body | Whether the user's account is locked which prevents logging in |
Sample request
{ "mobile_phone_number": "+18885559999" }
Response
On success, this returns the updated user information.
Successful response
{ "id": 1, "email": "abe.lincoln@example.com", "first_name": "Abe", "last_name": "Lincoln", "mobile_phone_number": "+18885559999", "created_at": "2021-08-24T14:33:32.804-07:00", "updated_at": "2022-01-14T12:47:22.976-07:00", "last_login_at": "2021-11-19T08:07:21.223-07:00", "locked": false }
Unsuccessful response
Not Found: HTTP 404
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String | More information about the response |
HTTP Status 404 { "response_code": "not_found", "message": "Could not find the specified item" }
Invalid Data
Key | Value | Description |
---|---|---|
response_code | String |
|
errors | JSON | Map giving the values that had errors and what those errors were. |
Invalid Parameter
Key | Value | Description |
---|---|---|
response_code | String | Code indicating type of error. e.g. |
message | String | Informative message describing the error |
Offboard User
This endpoint allows for offboarding of one or more users. For each user to be offboarded, the following steps will be performed:
Account lock. The user's Arculix account will be locked, causing all authentications to be rejected. Even if the user's mobile device is re-paired, any attempt to re-pair a workstation will fail while the user's account is locked.
Mobile device unpairing. All of the user's paired mobile devices will be immediately unpaired in Arculix, and will no longer be available to the user for push-based authentications. If the mobile device is online at the time of offboarding, the Arculix Mobile app to return to the initial pairing screen. If the mobile device is not online, this will happen when network connectivity resumes. The user will no longer have access to their TOTP offline codes, or use of their mobile device for push authentications. (Note: When a user is offboarded, the organization is expected to disable their email account to prevent the possibility of re-pairing.)
Workstation unpairing. All of the user's paired workstations will be immediately unpaired in Arculix. If the workstation is online at the time of offboarding, it will immediately lock the desktop. The user will be unable to log in again without re-pairing the workstation, which will be impossible because the user's Arculix account will be locked and the user's mobile devices will be unpaired. If the workstation is not online, this locking and unpairing will happen when network connectivity resumes.
If a user has been offboarded in this manner, they can be onboarded again with the following steps:
Restore the user's access to email, if it was disabled.
Use the Arculix to unlock the user's account. (Organization admin privileges are necessary for this step.)
Ask the user to re-pair their mobile device.
Ask the user to re-pair their workstation and log in.
The offboard endpoint allows offboarding multiple users at once. However, note that each call to the endpoint is atomic -- if any failure occurs for any user, no offboarding steps will be performed for any user.
Offboarded users can optionally be soft deleted in the same request. This retains all user data, history, and audit logs while removing the account from the list of users. A new user account with the same email address may be onboarded, but will not retain the user's history. A soft deleted user account may only be restored by SecureAuth personnel.
Request
Method | URL |
---|---|
POST |
|
The request body should contain a JSON object with a single users
key whose value is an array of objects used to identify a user. (The examples below should provide clarity.) Each user identification object should contain exactly one key used to identify the user – either email
or id
– but not both.
An additional field, delete
, indicates that the user account should be soft deleted while retaining their data, history, and audit logs.
Key | Value | Type | Description |
---|---|---|---|
email | String | Body | The primary email address for the user |
id | Integer | Body | The unique identifier for the user |
delete | Boolean | Body | Whether to soft delete the user (default |
Sample requests
Offboarding a single user identified by email address:
{ "users": [ { "email": "abe.lincoln@example.com" } ] }
Offboarding a single user identified by their unique Arculix numeric identifier:
{ "users": [ { "id": 511940 } ] }
Offboarding multiple users and soft deleting one:
{ "users": [ { "email": "abe.lincoln@example.com" }, { "email": "mark.twain@example.com", "delete": true } ] }
Response
On success, this endpoint returns a JSON object with the response_code
set to success
.
Successful response
{ "response_code": "success" }
Unsuccessful response
Not Found: HTTP 404
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String |
|
Invalid Parameter
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String | An explanation of the problematic parameter. |
Failure Response
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String | Informative message describing the error |
Role Management
Role management requires the admin_own_users
OAuth scope on the access token.
List All Roles
Returns all available roles.
Request
Method | URL |
---|---|
GET |
|
Response
Successful response
An array of Role
objects:
Key | Value | Description |
---|---|---|
name | String | The unique identifier for the role. |
Successful response example
HTTP/1.1 200 OK [ { "name": "org_admin" }, { "name": "help_desk" } ]
List Roles Assigned to a User
Returns all the roles assigned to a specific user.
Request
Method | URL |
---|---|
GET |
|
Key | Value | Type | Description |
---|---|---|---|
user_id | Integer | URL | The id of the user to list the assigned roles for |
Response
Successful response
An array of Role
objects:
Key | Value | Description |
---|---|---|
name | String | The unique identifier for the role. |
Successful response example
HTTP/1.1 200 OK [ { "name": "org_admin" }, { "name": "help_desk" } ]
Unsuccessful response
Not Found: HTTP 404
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String | More information about the response |
HTTP Status 404 { "response_code": "not_found", "message": "Could not find the specified item" }
Invalid Parameter
Key | Value | Description |
---|---|---|
response_code | String | Code indicating type of error. e.g. |
message | String | Informative message describing the error |
List Users With an Assigned Role
Returns all the users who have the specified role assigned to them.
Request
Method | URL |
---|---|
GET |
|
Key | Value | Type | Description |
---|---|---|---|
role_name | String | URL | The role identifier to list the users assigned to that role |
Response
And array of User
objects:
Key | Value | Description |
---|---|---|
id | Integer | The unique identifier for the user |
String | The user's primary email address | |
first_name | String | The user's given name |
last_name | String | The user's surname |
mobile_phone_number | String | The mobile phone number for use by SMS, in E.164 International Standard Format |
created_at | DateTime | When the user was first created, in ISO-8601 format |
updated_at | DateTime | When the user was last updated, in ISO-8601 format |
last_login_at | DateTime | The time of the user's last successful login, in ISO-8601 format |
locked | Boolean | Whether the user's account is locked which prevents logging in |
Successful response example
HTTP/1.1 200 OK [ { "id": 1, "email": "abe.lincoln@example.com", "first_name": "Abe", "last_name": "Lincoln", "mobile_phone_number": "+18005551212", "created_at": "2021-08-24T14:33:32.804-07:00", "updated_at": "2021-11-19T08:07:22.976-07:00", "last_login_at": "2021-11-19T08:07:21.223-07:00", "locked": false }, { "id": 2, "email": "user1@example.com", "first_name": "user", "last_name": "one", "mobile_phone_number": "+12345678", "created_at": "2021-08-24T14:33:32.804-07:00", "updated_at": "2021-11-19T08:07:22.976-07:00", "last_login_at": "2021-11-19T08:07:21.223-07:00", "locked": false } ]
Unsuccessful response
Not Found: HTTP 404
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String | More information about the response |
HTTP Status 404 { "response_code": "not_found", "message": "Could not find the specified item" }
Invalid Parameter
Key | Value | Description |
---|---|---|
response_code | String | Code indicating type of error. e.g. |
message | String | Informative message describing the error |
Assign a Role to a User
Assigns the given role to the specified user.
Request
Method | URL |
---|---|
GET |
|
Key | Value | Type | Description |
---|---|---|---|
user_id | Integer | URL | The user identifier |
name | String | Body | The role identifier |
Sample request
{ "name": "help_desk" }
Response
On success, returns a success response code in the body with 201 (Created) HTTP status.
Successful response
HTTP/1.1 201 Created { "response_code": "success" }
Unsuccessful response
Not Found: HTTP 404
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String | More information about the response |
HTTP Status 404 { "response_code": "not_found", "message": "Could not find the specified item" }
Invalid Parameter
Key | Value | Description |
---|---|---|
response_code | String | Code indicating type of error. e.g. |
message | String | Informative message describing the error |
Unassign a Role from a User
Removes the given role from the specified user.
Request
Method | URL |
---|---|
DELETE |
|
Key | Value | Type | Description |
---|---|---|---|
user_id | Integer | URL | The user identifier |
name | String | URL | The role identifier |
Response
On success, returns a success response code in the body with 200 (OK) HTTP status.
Successful response
HTTP/1.1 200 OK { "response_code": "success" }
Unsuccessful response
Not Found: HTTP 404
Key | Value | Description |
---|---|---|
response_code | String |
|
message | String | More information about the response |
HTTP Status 404 { "response_code": "not_found", "message": "Could not find the specified item" }
Invalid Parameter
Key | Value | Description |
---|---|---|
response_code | String | Code indicating type of error. e.g. |
message | String | Informative message describing the error |