integration-tests-definitions/okta.idp.yaml

openapi: 3.0.3
info:
  title: MyAccount Management
  version: 2024.08.3
  description: |-
    APIs for managing a user's own emails, phones, profile, and app authenticators.
    > **Note:** The MyAccount API doesn't support [delegated authentication](https://help.okta.com/okta_help.htm?id=ext_Security_Authentication).
  termsOfService: https://developer.okta.com/terms/
  contact:
    name: Okta Developer Team
    url: https://developer.okta.com/
    email: devex-public@okta.com
  license:
    name: Apache-2.0
    url: https://www.apache.org/licenses/LICENSE-2.0.html
  x-logo:
    url: logo.svg
    backgroundColor: transparent
    altText: Okta Developer
servers:
  - url: https://{yourOktaDomain}
    variables:
      yourOktaDomain:
        default: subdomain.okta.com
        description: The domain of your organization. This can be an official Okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains.
tags:
  - name: AppAuthenticator
    x-displayName: App Authenticators
    description: |
      The MyAccount App Authenticators API provides operations to enroll, update, and delete an app authenticator. The API also allows users to view and verify pending notification challenges. The API only supports custom authenticators. See the [Custom authenticator integration guide](https://developer.okta.com/docs/guides/authenticators-custom-authenticator/android/main/).

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
    x-okta-lifecycle:
      lifecycle: GA
      isGenerallyAvailable: false
      SKUs: []
  - name: Authenticators
    description: |
      <div class="x-lifecycle-container"><x-lifecycle class="lea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>The MyAccount Authenticators API provides operations to list all available authenticators and enrollments.

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
  - name: Email
    description: |
      The MyAccount Email API provides operations to enroll, update, and delete emails. The API also provides utilities to create, view, and answer verification challenges.

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
  - name: OktaApplications
    x-displayName: Okta Applications
    description: |
      <div class="x-lifecycle-container"><x-lifecycle class="lea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>The MyAccount Profile API provides operations to view the Okta apps list. Okta creates and maintains Okta apps, or first-party apps, for example, the Admin Console and End-User Dashboard.

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
  - name: Organization
    description: |
      <div class="x-lifecycle-container"><x-lifecycle class="lea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>The MyAccount Profile API provides operations to view Org details.

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
  - name: Password
    description: |
      The MyAccount Password API provides operations to enroll, update, and delete passwords.

      > **Note:** Super admins can enable the IDP MyAccount API Password feature. See [Manage Early Access and Beta features](https://help.okta.com/okta_help.htm?type=oie&id=ext_secur_manage_ea_bata).

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
  - name: Phone
    description: |
      The MyAccount Phone API provides operations to enroll, update, and delete phone numbers. The API also provides utilities to create, view, and answer verification challenges.

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
  - name: Profile
    description: |
      The MyAccount Profile API provides operations to enroll and update profile fields. The API also allows viewing of all allowed profile fields.

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
  - name: Sessions
    x-displayName: Sessions
    description: |
      <div class="x-lifecycle-container"><x-lifecycle class="lea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>The MyAccount Sessions API provides operations to manage sessions. 

      See [Sessions](/openapi/okta-management/management/tag/Session/) for more information.

      ### API versioning
      A valid API version in the `Accept` header is required to access the API. Current version: `1.0.0`
      ```json
      Accept: application/json; okta-version=1.0.0
      ```
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
externalDocs:
  description: Find more info here
  url: https://developer.okta.com
paths:
  /idp/myaccount/app-authenticators:
    post:
      summary: Create an app authenticator enrollment
      description: Creates an app authenticator enrollment
      operationId: createAppAuthenticatorEnrollment
      requestBody:
        content:
          application/json, okta-version=1.0.0:
            schema:
              $ref: '#/components/schemas/AppAuthenticatorEnrollmentRequest'
            examples:
              Create-App-Authenticator-Enrollment:
                $ref: '#/components/examples/CreateAppAuthenticatorEnrollment'
      responses:
        '200':
          description: OK
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/AppAuthenticatorEnrollment'
        '400':
          description: Bad Request
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
        '401':
          description: Unauthorized
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Access Denied
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
        '404':
          description: Resource Not Found
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
      security:
        - oauth2:
            - okta.myAccount.appAuthenticator.manage
      tags:
        - AppAuthenticator
      x-okta-lifecycle:
        lifecycle: LIMITED_GA
        isGenerallyAvailable: false
        SKUs:
          - Okta Identity Engine
  /idp/myaccount/app-authenticators/challenge/{challengeId}/verify:
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
    parameters:
      - $ref: '#/components/parameters/appAuthenticatorChallengeId'
    post:
      summary: Verify a push notification challenge response from the app authenticator
      description: Verifies a push notification challenge from the app authenticator
      operationId: verifyAppAuthenticatorPushNotificationChallenge
      requestBody:
        content:
          application/json;okta-version=1.0.0:
            schema:
              $ref: '#/components/schemas/PushNotificationVerification'
            examples:
              PushNotificationChallengeRequestEx:
                $ref: '#/components/examples/VerifyPushNotificationChallengeRequest'
              PushNotificationChallengeRequestJWTHeaderEx:
                $ref: '#/components/examples/VerifyPushNotificationChallengeJWTHeader'
              PushNotificationChallengeRequestJWTPayloadEx:
                $ref: '#/components/examples/VerifyPushNotificationChallengeJWTPayload'
      responses:
        '200':
          description: Verification Success
        '204':
          description: User denied challenge attempt
        '400':
          description: Bad Request
      security: []
      tags:
        - AppAuthenticator
  /idp/myaccount/app-authenticators/{enrollmentId}:
    parameters:
      - $ref: '#/components/parameters/appAuthenticatorEnrollmentId'
    patch:
      summary: Update an app authenticator enrollment
      description: |-
        Updates an app authenticator enrollment

        The following update operations are allowed:
        * Update the user verification key
        * Remove the user verification key
        * Update the push token
        * Update the push method transaction types

        For more information, see [Access token management](https://developer.okta.com/docs/guides/authenticators-custom-authenticator/android/main/#access-token-management) in the Custom authenticator integration guide.

        > **Note:** The following higher risk update operations require a stronger `okta.myAccount.appAuthenticator.manage` scope:
        > * Update the user verification key
        > * Remove the user verification key
      operationId: updateAppAuthenticatorEnrollment
      requestBody:
        content:
          application/merge-patch+json;okta-version=1.0.0:
            schema:
              $ref: '#/components/schemas/UpdateAppAuthenticatorEnrollmentRequest'
            examples:
              UpdateAppAuthenticatorEnrollmentPushTokenEx:
                $ref: '#/components/examples/UpdateAppAuthenticatorEnrollmentPushToken'
              EnrollAppAuthenticatorEnrollmentUserVerificationKeyEx:
                $ref: '#/components/examples/UpdateAppAuthenticatorEnrollmentUserVerificationKey'
              UnenrollAppAuthenticatorEnrollmentUserVerificationKeyEx:
                $ref: '#/components/examples/UnenrollAppAuthenticatorEnrollmentUserVerificationKey'
              UpdateAppAuthenticatorEnrollmentTransactionTypeEx:
                $ref: '#/components/examples/UpdateAppAuthenticatorEnrollmentTransactionType'
              UpdateAppAuthenticatorEnrollmentPushTokenandEnrollUserVerificationKeyEx:
                $ref: '#/components/examples/UpdateAppAuthenticatorEnrollmentPushTokenAndUserVerificationKey'
      responses:
        '200':
          description: OK
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/AppAuthenticatorEnrollment'
        '401':
          description: Unauthorized
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Access Denied
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
        '404':
          description: Resource Not Found
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
      security:
        - oauth2:
            - okta.myAccount.appAuthenticator.maintenance.manage
      tags:
        - AppAuthenticator
      x-okta-lifecycle:
        lifecycle: LIMITED_GA
        isGenerallyAvailable: false
        SKUs:
          - Okta Identity Engine
    delete:
      summary: Delete an app authenticator enrollment
      description: Deletes an app authenticator enrollment
      operationId: deleteAppAuthenticatorEnrollment
      responses:
        '204':
          description: No Content
        '401':
          description: Unauthorized
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Access Denied
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
        '404':
          description: Resource Not Found
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
      security:
        - oauth2:
            - okta.myAccount.appAuthenticator.manage
      tags:
        - AppAuthenticator
      x-okta-lifecycle:
        lifecycle: LIMITED_GA
        isGenerallyAvailable: false
        SKUs:
          - Okta Identity Engine
  /idp/myaccount/app-authenticators/{enrollmentId}/push/notifications:
    parameters:
      - $ref: '#/components/parameters/appAuthenticatorEnrollmentId'
    get:
      summary: List all pending push notification challenges
      description: Lists all pending push notification challenges
      operationId: listAppAuthenticatorPendingPushNotificationChallenges
      responses:
        '200':
          description: Success
          content:
            application/json;okta-version=1.0.0:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/PushNotificationChallenge'
              examples:
                SuccessResponseEx:
                  $ref: '#/components/examples/GetPendingNotificationsSuccessResponse'
                JWTHeaderEx:
                  $ref: '#/components/examples/GetPendingNotificationsJWTHeader'
                JWTPayloadEx:
                  $ref: '#/components/examples/GetPendingNotificationsJWTPayload'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.appAuthenticator.maintenance.read
      tags:
        - AppAuthenticator
      x-okta-lifecycle:
        lifecycle: LIMITED_GA
        isGenerallyAvailable: false
        SKUs:
          - Okta Identity Engine
  /idp/myaccount/authenticators:
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
    get:
      summary: List all Authenticators
      description: |
        Lists all of the authenticators for the current user
      operationId: listAuthenticators
      parameters:
        - $ref: '#/components/parameters/queryExpandAuthenticator'
      responses:
        '200':
          $ref: '#/components/responses/ListAuthenticatorsResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - oauth2:
            - okta.myAccount.authenticators.read
      tags:
        - Authenticators
  /idp/myaccount/authenticators/{authenticatorId}:
    parameters:
      - $ref: '#/components/parameters/pathAuthenticatorId'
    get:
      summary: Retrieve an Authenticator
      description: |
        Retrieves an Authenticator by `authenticatorId`
      operationId: getAuthenticator
      parameters:
        - $ref: '#/components/parameters/queryExpandAuthenticator'
      responses:
        '200':
          $ref: '#/components/responses/AuthenticatorResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - oauth2:
            - okta.myAccount.authenticators.read
      tags:
        - Authenticators
      x-okta-lifecycle:
        lifecycle: LIMITED_GA
        isGenerallyAvailable: false
        SKUs:
          - Okta Identity Engine
  /idp/myaccount/authenticators/{authenticatorId}/enrollments:
    parameters:
      - $ref: '#/components/parameters/pathAuthenticatorId'
    get:
      summary: List all Enrollments
      description: |
        Lists all Enrollments the current user has for an authenticator
      operationId: listEnrollments
      responses:
        '200':
          $ref: '#/components/responses/ListEnrollmentsResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - oauth2:
            - okta.myAccount.authenticators.read
      tags:
        - Authenticators
      x-okta-lifecycle:
        lifecycle: LIMITED_GA
        isGenerallyAvailable: false
        SKUs:
          - Okta Identity Engine
  /idp/myaccount/authenticators/{authenticatorId}/enrollments/{enrollmentId}:
    parameters:
      - $ref: '#/components/parameters/pathAuthenticatorId'
      - $ref: '#/components/parameters/pathEnrollmentId'
    get:
      summary: Retrieve an Enrollment
      description: |
        Retrieves an Enrollment by `enrollmentId`
      operationId: getEnrollment
      responses:
        '200':
          $ref: '#/components/responses/EnrollmentResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - oauth2:
            - okta.myAccount.authenticators.read
      tags:
        - Authenticators
      x-okta-lifecycle:
        lifecycle: LIMITED_GA
        isGenerallyAvailable: false
        SKUs:
          - Okta Identity Engine
  /idp/myaccount/emails:
    get:
      summary: List all Emails
      description: |
        Lists all of the current user's email information: a collection of links for each email that describe the acceptable operations
      operationId: listEmails
      responses:
        '200':
          $ref: '#/components/responses/Email-Array-Response'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.email.read
      tags:
        - Email
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    post:
      summary: Create an Email
      description: |
        Creates a primary or secondary email address for the user's account. The new email address has an `UNVERIFIED` status.
      operationId: createEmail
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                profile:
                  type: object
                  description: Defines the email address on the profile
                  required:
                    - email
                  properties:
                    email:
                      type: string
                      example: saml.jackson@example.com
                      format: email
                      writeOnly: true
                sendEmail:
                  type: boolean
                  default: true
                  description: Specifies whether Okta or the application sends an email to the end user
                state:
                  type: string
                  example: JPcFLTwOq7UvoFtmRd3EnyQwsR0PbDSI
                  description: |
                    Any application state that the client wishes to persist across the email challenge flow, and receive at the callback URL. Define the callback URL in the OIDC app configuration. This parameter proves to the client that the email link is verified.
                  writeOnly: true
                role:
                  type: string
                  enum:
                    - PRIMARY
                    - SECONDARY
                  example: PRIMARY
                  writeOnly: true
              required:
                - profile
            examples:
              New-Email:
                value:
                  profile:
                    email: saml.jackson@example.com
                  sendEmail: true
                  role: PRIMARY
                  state: JPcFLTwOq7UvoFtmRd3EnyQwsR0PbDSI
        description: New email
      responses:
        '201':
          $ref: '#/components/responses/Unverified-Email-Response'
        '400':
          $ref: '#/components/responses/Error-InvalidEmail-Response-400'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '403':
          $ref: '#/components/responses/Error-Email-Response-403'
        '409':
          $ref: '#/components/responses/Error-EmailConflict-Response-409'
      security:
        - oauth2:
            - okta.myAccount.email.manage
      tags:
        - Email
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/emails/{id}:
    parameters:
      - schema:
          type: string
          example: 69dca29c2d8dbb0dca14395ccdb92317
        description: |
          The email ID
          Use `GET /idp/myaccount/emails` or `POST /idp/myaccount/emails` operations to obtain the email ID when adding a new email address.
        name: id
        in: path
        required: true
    get:
      summary: Retrieve an Email
      description: 'Retrieves the current user''s email information by ID: a collection of links that describe the acceptable email operations'
      operationId: getEmail
      responses:
        '200':
          $ref: '#/components/responses/Verified-Email-Response'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.email.read
      tags:
        - Email
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    delete:
      summary: Delete an Email
      description: |
        Deletes the current user's email information by ID. You can only delete unverified primary and secondary emails.
      operationId: deleteEmail
      parameters: []
      responses:
        '204':
          description: No Content
          content:
            application/json;okta-version=1.0.0: {}
        '400':
          $ref: '#/components/responses/Error-InvalidEmailDeletion-400'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '404':
          $ref: '#/components/responses/Error-EmailResourceNotFound-Response-404'
      security:
        - oauth2:
            - okta.myAccount.email.manage
      tags:
        - Email
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/emails/{id}/challenge:
    parameters:
      - schema:
          type: string
          example: 00T196qTp3LIMZQ0L0g3
        description: |-
          The email ID

          Use the `GET /idp/myaccount/emails` or `POST /idp/myaccount/emails` operations when adding a new email address.
        name: id
        in: path
        required: true
    post:
      summary: Send an Email Challenge
      description: |-
        Sends a \"Confirm email address change\" email to the user with a one-time passcode for verification.
        Also, the user receives a \"Notice of pending email address change\" email. After the challenge is verified, the email becomes active.
      operationId: sendEmailChallenge
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                state:
                  type: string
                  example: JPcFLTwOq7UvoFtmRd3EnyQwsR0PbDSI
                  writeOnly: true
                  description: (Optional) The state parameter that contains the state of the client
              required:
                - state
            examples:
              Challenge-Example:
                value:
                  state: JPcFLTwOq7UvoFtmRd3EnyQwsR0PbDSI
      responses:
        '201':
          description: Created
          headers: {}
          content:
            application/json;okta-version=1.0.0:
              schema:
                type: object
                example:
                  id: myaccount.2wdtXPtmS0WpKq4bnjlYIw
                  status: UNVERIFIED
                  expiresAt: '2022-02-01T00:19:08.220Z'
                  profile:
                    email: s.jackson@example.com
                  _links:
                    verify:
                      href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.2wdtXPtmS0WpKq4bnjlYIw/verify
                      hints:
                        allow:
                          - POST
                    poll:
                      href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.2wdtXPtmS0WpKq4bnjlYIw
                      hints:
                        allow:
                          - GET
                properties:
                  id:
                    type: string
                    description: The email ID of the caller
                    minLength: 1
                  status:
                    type: string
                    description: The challenge status of the caller's email
                    enum:
                      - VERIFIED
                      - UNVERIFIED
                    minLength: 1
                  expiresAt:
                    type: string
                    description: The time when the challenge expires. A challenge has a lifetime of five minutes.
                    minLength: 1
                  profile:
                    type: object
                    description: Defines the email address on the profile
                    required:
                      - email
                    properties:
                      email:
                        type: string
                        description: The email address on the profile
                        minLength: 1
                  _links:
                    type: object
                    description: Discoverable resources related to the caller's email challenge
                    required:
                      - verify
                      - poll
                    properties:
                      verify:
                        type: object
                        description: Link to the resource (verify)
                        required:
                          - href
                          - hints
                        properties:
                          href:
                            type: string
                            description: Link URI
                            minLength: 1
                          hints:
                            type: object
                            description: Describes the allowed HTTP verbs for the `href`
                            required:
                              - allow
                            properties:
                              allow:
                                type: array
                                items:
                                  type: string
                                  enum:
                                    - POST
                      poll:
                        type: object
                        description: Link to the resource (poll)
                        required:
                          - href
                          - hints
                        properties:
                          href:
                            type: string
                            description: Link URI
                            minLength: 1
                          hints:
                            type: object
                            description: Describes the allowed HTTP verbs for the `href`
                            required:
                              - allow
                            properties:
                              allow:
                                type: array
                                items:
                                  type: string
                                  enum:
                                    - GET
                required:
                  - id
                  - status
                  - expiresAt
                  - profile
                  - _links
              examples:
                Challenge-Created-Response:
                  value:
                    id: myaccount.2wdtXPtmS0WpKq4bnjlYIw
                    status: UNVERIFIED
                    expiresAt: '2022-02-01T00:19:08.220Z'
                    profile:
                      email: s.jackson@example.com
                    _links:
                      verify:
                        href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.2wdtXPtmS0WpKq4bnjlYIw/verify
                        hints:
                          allow:
                            - POST
                      poll:
                        href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.2wdtXPtmS0WpKq4bnjlYIw
                        hints:
                          allow:
                            - GET
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '403':
          $ref: '#/components/responses/Error-Email-Response-403'
        '404':
          $ref: '#/components/responses/Error-EmailResourceNotFound-Response-404'
      security:
        - oauth2:
            - okta.myAccount.email.manage
      tags:
        - Email
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/emails/{id}/challenge/{challengeId}:
    parameters:
      - schema:
          type: string
          example: 00T196qTp3LIMZQ0L0g3
        description: |-
          The email ID

          Use the `GET /idp/myaccount/emails` or `POST /idp/myaccount/emails` operations to obtain the ID when adding a new email address.
        name: id
        in: path
        required: true
      - schema:
          type: string
          example: x1MDGzUb
        name: challengeId
        description: |-
          The `challengeId` of the email

          Use the `POST /idp/myaccount/emails/{id}/challenge/` operation to obtain the `challengeId` when creating a new challenge.
        in: path
        required: true
    get:
      summary: Poll the Challenge for Email Magic Link
      description: Polls for the email challenge's status
      operationId: pollChallengeForEmailMagicLink
      responses:
        '200':
          description: OK
          content:
            application/json;okta-version=1.0.0:
              schema:
                description: ''
                type: object
                example:
                  id: myaccount.DDvNA6XORA2dIfB894o32g
                  status: UNVERIFIED
                  expiresAt: '2022-02-01T00:41:25.497Z'
                  profile:
                    email: s.jackson@example.com
                  _links:
                    verify:
                      href: https://example.okta.com/idp/myaccount/emails/da03e945d44d8b714da2b9fded39e851/challenge/myaccount.DDvNA6XORA2dIfB894o32g/verify
                      hints:
                        allow:
                          - POST
                    poll:
                      href: https://example.okta.com/idp/myaccount/emails/da03e945d44d8b714da2b9fded39e851/challenge/myaccount.DDvNA6XORA2dIfB894o32g
                      hints:
                        allow:
                          - GET
                properties:
                  id:
                    type: string
                    description: The email ID
                    minLength: 1
                  status:
                    type: string
                    description: The challenge status of the caller's email
                    minLength: 1
                    enum:
                      - VERIFIED
                      - UNVERIFIED
                  expiresAt:
                    type: string
                    description: The time at which the challenge expires. The lifetime of a challenge is five minutes.
                    minLength: 1
                  profile:
                    type: object
                    description: Defines the email address on the profile
                    required:
                      - email
                    properties:
                      email:
                        type: string
                        description: The email address on the profile
                        minLength: 1
                  _links:
                    type: object
                    description: Discoverable resources related to the poll for the email challenge's status
                    required:
                      - verify
                      - poll
                    properties:
                      verify:
                        type: object
                        description: Link to the resource (verify)
                        required:
                          - href
                          - hints
                        properties:
                          href:
                            type: string
                            description: Link URI
                            minLength: 1
                          hints:
                            type: object
                            description: Describes the allowed HTTP verbs for the `href`
                            required:
                              - allow
                            properties:
                              allow:
                                type: array
                                items:
                                  type: string
                                  enum:
                                    - DELETE
                                    - GET
                                    - POST
                                    - PUT
                      poll:
                        type: object
                        description: Link to the resource (poll)
                        required:
                          - href
                          - hints
                        properties:
                          href:
                            type: string
                            description: Link URI
                            minLength: 1
                          hints:
                            type: object
                            description: Describes the allowed HTTP verbs for the `href`
                            required:
                              - allow
                            properties:
                              allow:
                                type: array
                                items:
                                  type: string
                                  enum:
                                    - DELETE
                                    - GET
                                    - POST
                                    - PUT
                required:
                  - id
                  - status
                  - expiresAt
                  - profile
                  - _links
              examples:
                Polling-Response-Example:
                  value:
                    id: myaccount.DDvNA6XORA2dIfB894o32g
                    status: UNVERIFIED
                    expiresAt: '2022-02-01T00:41:25.497Z'
                    profile:
                      email: s.jackson@example.com
                    _links:
                      verify:
                        href: https://example.okta.com/idp/myaccount/emails/da03e945d44d8b714da2b9fded39e851/challenge/myaccount.DDvNA6XORA2dIfB894o32g/verify
                        hints:
                          allow:
                            - POST
                      poll:
                        href: https://example.okta.com/idp/myaccount/emails/da03e945d44d8b714da2b9fded39e851/challenge/myaccount.DDvNA6XORA2dIfB894o32g
                        hints:
                          allow:
                            - GET
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '404':
          $ref: '#/components/responses/Error-EmailChallengeResourceNotFound-Response-404'
      security:
        - oauth2:
            - okta.myAccount.email.read
      tags:
        - Email
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/emails/{id}/challenge/{challengeId}/verify:
    parameters:
      - schema:
          type: string
          example: 00T196qTp3LIMZQ0L0g3
        description: |
          The email ID
          Use `GET /idp/myaccount/emails` or `POST /idp/myaccount/emails` operations to obtain the email ID when adding a new email address.
        name: id
        in: path
        required: true
      - schema:
          type: string
          example: x1MDGzUb
        description: |
          The `challengeId` of the email
          Use the `POST /idp/myaccount/emails/{id}/challenge` operation to obtain the `challengeId` when creating a new challenge.
        name: challengeId
        in: path
        required: true
    post:
      summary: Verify an Email OTP
      description: |
        Verifies the email challenge with the code that the user receives from the \"Confirm email address change\" email. Once verified, the email is active.
      operationId: verifyEmailOtp
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                verificationCode:
                  type: string
                  example: '498560'
                  format: password
                  writeOnly: true
                  description: A six-digit verification code sent to the user in the "Confirm email address change" email
              required:
                - verificationCode
            examples:
              OTP-Example:
                value:
                  verificationCode: '456058'
      responses:
        '200':
          description: OK
          content:
            application/json;okta-version=1.0.0: {}
        '401':
          $ref: '#/components/responses/Error-VerifyPhoneEmail-Response-401'
        '403':
          $ref: '#/components/responses/Error-Email-Response-403'
        '404':
          $ref: '#/components/responses/Error-EmailChallengeResourceNotFound-Response-404'
      security:
        - oauth2:
            - okta.myAccount.email.manage
      tags:
        - Email
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/okta-applications:
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
    get:
      summary: List all Okta apps
      description: |
        Lists all of the current user's Okta apps
      operationId: listOktaApplications
      responses:
        '200':
          $ref: '#/components/responses/OktaApplicationsResponse'
        '400':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.oktaApplications.read
      tags:
        - OktaApplications
  /idp/myaccount/organization:
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
    get:
      summary: Retrieve the Org details
      description: |
        Retrieves the Org details
      operationId: getOrganization
      responses:
        '200':
          $ref: '#/components/responses/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.organization.read
      tags:
        - Organization
  /idp/myaccount/password:
    get:
      summary: Retrieve a Password
      description: |
        Retrieves the current user's password status
        > **Note:** This request only returns information about the password, not the password itself.
      operationId: getPassword
      responses:
        '200':
          $ref: '#/components/responses/Password-Enrolled-Response'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.password.read
      tags:
        - Password
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    post:
      summary: Create a Password
      description: Creates and enrolls a password for the current user
      operationId: createPassword
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                profile:
                  type: object
                  description: Defines the password on the profile
                  required:
                    - password
                  properties:
                    password:
                      type: string
                      example: Abcd12345
                      writeOnly: true
              required:
                - profile
            examples:
              New-Password:
                value:
                  profile:
                    password: Abcd1234
        description: New password
      responses:
        '201':
          $ref: '#/components/responses/Password-Enrolled-Response'
        '400':
          $ref: '#/components/responses/Error-InvalidPassword-Reponse-400'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '403':
          $ref: '#/components/responses/Error-PasswordConflict-Response-409'
      security:
        - oauth2:
            - okta.myAccount.password.manage
      tags:
        - Password
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    put:
      summary: Replace a Password
      description: |
        Replaces the password for the current user
      operationId: replacePassword
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                profile:
                  type: object
                  description: Defines the password on the profile
                  required:
                    - password
                  properties:
                    password:
                      type: string
                      example: Abcd12345
                      writeOnly: true
              required:
                - profile
            examples:
              New-Password:
                value:
                  profile:
                    password: Abcd1234
        description: New password
      responses:
        '201':
          $ref: '#/components/responses/Password-Enrolled-Response'
        '400':
          $ref: '#/components/responses/Error-InvalidPassword-Reponse-400'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '403':
          $ref: '#/components/responses/Error-Email-Response-403'
      security:
        - oauth2:
            - okta.myAccount.password.manage
      tags:
        - Password
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    delete:
      summary: Delete a Password
      description: |
        Deletes the current user's enrolled password
      operationId: deletePassword
      responses:
        '204':
          description: No Content
          content:
            application/json;okta-version=1.0.0: {}
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '404':
          $ref: '#/components/responses/Error-PasswordResourceNotFound-Response-404'
      security:
        - oauth2:
            - okta.myAccount.password.manage
      tags:
        - Password
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/phones:
    get:
      summary: List all Phones
      description: Lists the current user's phone information for all phones. Includes a collection of links for each phone describing the acceptable operations.
      operationId: listPhones
      responses:
        '200':
          $ref: '#/components/responses/Phone-Array-Response'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.phone.read
      tags:
        - Phone
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    post:
      summary: Create a Phone
      description: Creates an `UNVERIFIED` status phone for either the SMS or CALL method to the user's MyAccount setting
      operationId: createPhone
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                profile:
                  type: object
                  description: Defines the phone number on the profile
                  properties:
                    phoneNumber:
                      type: string
                      description: The newly added phone number
                      example: 555-555-5555
                sendCode:
                  type: boolean
                  default: true
                  description: Whether to send a challenge to the newly added phone
                method:
                  type: string
                  enum:
                    - SMS
                    - CALL
                  example: SMS
                  writeOnly: true
                  description: The method of the challenge sent to the newly added phone. Applicable when sendCode is true.
              required:
                - profile
            examples:
              Okta-Sends-Challenge:
                value:
                  profile:
                    phoneNumber: +1(444)444-4444
                  sendCode: true
                  method: SMS
      responses:
        '201':
          $ref: '#/components/responses/Unverified-Phone-Response'
        '400':
          $ref: '#/components/responses/Error-Create-Phone-Response-400'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '403':
          $ref: '#/components/responses/Error-CreateChallengeVerify-Phone-Response-403'
        '409':
          $ref: '#/components/responses/Error-PhoneNumberExists-Response-409'
        '500':
          $ref: '#/components/responses/Error-FailedToSendOutOfBandChallenge-Response-500'
      security:
        - oauth2:
            - okta.myAccount.phone.manage
      tags:
        - Phone
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/phones/{id}:
    parameters:
      - schema:
          type: string
          example: sms10ltpSdwXJCem80g4
        description: The ID of the phone. Obtain the ID of the phone through `GET /idp/myaccount/phones` or `POST /idp/myaccount/phones` when adding a new phone.
        name: id
        in: path
        required: true
    get:
      summary: Retrieve a Phone
      description: Retrieves the current user's phone information by ID. Along with a collection of links describing the operations that can be performed to the phone.
      operationId: getPhone
      responses:
        '200':
          $ref: '#/components/responses/Verified-Phone-Response'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '404':
          $ref: '#/components/responses/Error-InvalidFactorId-Response-404'
      security:
        - oauth2:
            - okta.myAccount.phone.read
      tags:
        - Phone
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    delete:
      summary: Delete a Phone
      description: Deletes the current user's phone information by ID
      operationId: deletePhone
      responses:
        '204':
          description: No Content
          content:
            application/json;okta-version=1.0.0: {}
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '403':
          $ref: '#/components/responses/Error-Delete-Phone-Response-403'
        '404':
          $ref: '#/components/responses/Error-InvalidFactorId-Response-404'
      security:
        - oauth2:
            - okta.myAccount.phone.manage
      tags:
        - Phone
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/phones/{id}/challenge:
    parameters:
      - schema:
          type: string
          example: sms18vtfKgzqDhNqP0g4
          description: ID of the phone. Obtain the ID of the phone through `GET /idp/myaccount/phones` or `POST /idp/myaccount/phones` when adding a new phone.
        name: id
        in: path
        required: true
    post:
      summary: Send a Phone Challenge
      description: |-
        Sends a phone challenge using one of two methods: `SMS` or `CALL`. This request can also handle a resend challenge (retry).

        Upon a successful challenge, the user receives a verification code by `SMS` or `CALL`. Send a `POST` request to the `/idp/myaccount/phones/{id}/verify` endpoint to use the verification code to verify the phone number. The verification code expires in five minutes.

        > **Notes:**
        > * Sending requests to the `/idp/myaccount/phones/{id}/challenge` endpoint more often than once every 30 seconds, or at a rate that exceeds the rate limit rule configured by the admin, returns a 429 (Too Many Requests) error.
      operationId: sendPhoneChallenge
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                method:
                  type: string
                  example: SMS
                  description: The method with which the challenge should be sent
                  enum:
                    - SMS
                    - CALL
                  writeOnly: true
                retry:
                  type: boolean
                  description: Indicates whether this is a normal challenge or retry
                  default: false
              required:
                - method
            examples:
              Send-SMS-Challenge:
                value:
                  method: SMS
              Send-Voice-Challenge:
                value:
                  method: CALL
      responses:
        '200':
          $ref: '#/components/responses/Challenged-Phone-Response'
        '400':
          $ref: '#/components/responses/Error-Challenge-Phone-Response-400'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
        '403':
          $ref: '#/components/responses/Error-CreateChallengeVerify-Phone-Response-403'
        '404':
          $ref: '#/components/responses/Error-InvalidFactorId-Response-404'
        '500':
          $ref: '#/components/responses/Error-FailedToSendOutOfBandChallenge-Response-500'
      security:
        - oauth2:
            - okta.myAccount.phone.manage
      tags:
        - Phone
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/phones/{id}/verify:
    parameters:
      - schema:
          type: string
          example: sms18vtfKgzqDhNqP0g4
          description: The phone ID. Obtain the ID of the phone through `GET /idp/myaccount/phones` or `POST /idp/myaccount/phones` when adding a new phone.
        name: id
        in: path
        required: true
    post:
      summary: Verify a Phone Challenge
      description: |-
        Verifies the phone number with the verification code that the user receives through `SMS` or `CALL`. The phone number is active upon a successful verification.

        > **Notes:**
        > * Sending requests to the `/idp/myaccount/phones/{id}/verify` endpoint at a rate that exceeds the rate limit rule configured by the admin returns a 429 (Too Many Requests) error.
      operationId: verifyPhoneChallenge
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                verificationCode:
                  type: string
                  example: '492592'
                  format: password
                  description: A six-digit verification code that the user receives through SMS or CALL
                  writeOnly: true
              required:
                - verificationCode
            examples:
              Verify-SMS-Challenge:
                value:
                  verificationCode: '048284'
      responses:
        '204':
          description: No Content
          content:
            application/json;okta-version=1.0.0: {}
        '400':
          $ref: '#/components/responses/Error-Verify-Phone-Response-400'
        '401':
          $ref: '#/components/responses/Error-VerifyPhoneEmail-Response-401'
        '403':
          $ref: '#/components/responses/Error-CreateChallengeVerify-Phone-Response-403'
        '404':
          $ref: '#/components/responses/Error-InvalidFactorId-Response-404'
        '409':
          $ref: '#/components/responses/Error-InvalidTransaction-Response-409'
      security:
        - oauth2:
            - okta.myAccount.phone.manage
      tags:
        - Phone
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/profile:
    get:
      summary: Retrieve my Profile
      description: Retrieves the caller's Okta User Profile, without attributes excluded by the [Get My User Profile Schema](/openapi/okta-myaccount/myaccount/tag/Profile/#tag/Profile/operation/getProfileSchema)
      operationId: getProfile
      responses:
        '200':
          description: OK
          $ref: '#/components/responses/Profile-Retrieval-Response'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.profile.read
      tags:
        - Profile
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    put:
      summary: Replace my Profile My User Profile
      description: |-
        Replaces the caller's User Profile

        > **Note:** This API differs from the the existing [Users API](https://developer.okta.com/docs/reference/api/users/) in that only the PUT operation is supported.  Partial updates (PATCH requests) aren't available. All values returned by fetching a User Profile must pass to the MyAccount API, or the update doesn't pass validation. This applies even if the omitted schema property is optional. To ensure an optional property passes, enter a value of 'null'.
      operationId: replaceProfile
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                profile:
                  type: object
                  description: The properties defined in the schema
            examples:
              Update-Profile:
                value:
                  profile:
                    customBoolean: true
                    foo: bar
                    login: example@ex.ample.com
                    mobilePhone: 555-555-5555
                    customInteger: 42
      responses:
        '200':
          description: OK
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Profile'
              examples:
                Success-Response:
                  value:
                    createdAt: '2020-01-14T20:05:32.000Z'
                    modifiedAt: '2020-01-14T20:05:32.000Z'
                    profile:
                      customBoolean: true
                      foo: bar
                      login: example@ex.ample.com
                      mobilePhone: 555-555-5555
                      customInteger: 42
                    _links:
                      self:
                        href: https://example.okta.com/idp/myaccount/profile
                      describedBy:
                        href: https://example.okta.com/idp/myaccount/profile/schema
        '400':
          $ref: '#/components/responses/Error-UpdateProfile-Response-400'
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.profile.manage
      tags:
        - Profile
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/profile/schema:
    get:
      summary: Retrieve my Profile Schema
      description: |-
        Retrieves the appropriate User Profile Schema for the caller's [User Type](https://developer.okta.com/docs/reference/api/user-types/)

        > **Note:** If a property's value isn't visible to an end user (because it's hidden or [sensitive](https://help.okta.com/okta_help.htm?id=ext-hide-sensitive-attributes)), then the property's definition is also hidden in the output of the MyAccount API.
      operationId: getProfileSchema
      responses:
        '200':
          description: OK
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Schema'
              examples:
                Success-Response:
                  value:
                    properties:
                      customBoolean:
                        permissions:
                          SELF: READ_WRITE
                        title: customBoolean
                        type: boolean
                      foo:
                        permissions:
                          SELF: READ_ONLY
                        title: foo
                        type: string
                      login:
                        maxLength: 100
                        minLength: 5
                        permissions:
                          SELF: READ_ONLY
                        required: true
                        title: Username
                        type: string
                      mobilePhone:
                        maxLength: 100
                        permissions:
                          SELF: READ_WRITE
                        title: Mobile phone
                        type: string
                      customInteger:
                        permissions:
                          SELF: READ_WRITE
                        title: customInteger
                        type: integer
                    _links:
                      self:
                        href: https://example.okta.com/idp/myaccount/profile/schema
                      user:
                        href: https://example.okta.com/idp/myaccount/profile
        '401':
          $ref: '#/components/responses/Error-IdpMyAccountNotEnabled-Response-401'
      security:
        - oauth2:
            - okta.myAccount.profile.read
      tags:
        - Profile
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /idp/myaccount/sessions:
    x-okta-lifecycle:
      lifecycle: LIMITED_GA
      isGenerallyAvailable: false
      SKUs:
        - Okta Identity Engine
    delete:
      summary: Delete all sessions
      description: |
        Deletes all sessions. Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Also revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
      operationId: deleteSessions
      responses:
        '204':
          description: No Content
        '401':
          description: Unauthorized
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
        '404':
          description: Resource Not Found
          content:
            application/json;okta-version=1.0.0:
              schema:
                $ref: '#/components/schemas/Error'
      security:
        - oauth2:
            - okta.myAccount.sessions.manage
      tags:
        - Sessions
components:
  examples:
    AuthenticatorExamplePassword:
      summary: Password Authenticator
      value:
        id: aut65i8bdXk90tyfr0q7
        key: webauthn
        name: Security Key or Biometric
        enrollable: false
        _links:
          self:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut65i8bdXk90tyfr0q7
            hints:
              allow:
                - GET
          enrollments:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut65i8bdXk90tyfr0q7/enrollments
            hints:
              allow:
                - GET
    AuthenticatorExampleSecurityKey:
      summary: Security key Authenticator
      value:
        id: aut3jiaiZukD4Ta0Z0g5
        key: okta_password
        name: Okta Password
        enrollable: true
        _links:
          self:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5
            hints:
              allow:
                - GET
          enrollments:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5/enrollments
            hints:
              allow:
                - GET
    CreateAppAuthenticatorEnrollment:
      summary: Create App Authenticator enrollment
      value:
        authenticatorId: aut12i8bdXk90NIfr0q5
        device:
          secureHardwarePresent: true
          clientInstanceKey:
            x: O0N1H3AIXj5p5cpQx5RUzowIRz1iPnheo7SbEC-CtFw
            'y': Cea3KAFqsyxqPni2QJ6LjjqgRKgRHpsVzkNazd3m8To
            kty: EC
            okta:kpr: HARDWARE
            crv: P-256
            kid: DF47DEE2-D1B0-40B6-BEB7-09134CC4A19B
          osVersion: '14.3'
          clientInstanceBundleId: com.company.authenticatorApp
          platform: IOS
          manufacturer: APPLE
          deviceAttestation: {}
          clientInstanceVersion: 6.4.0
          clientInstanceDeviceSdkVersion: DeviceSDK 1.0.0
          model: iPhone
          displayName: My device name
          udid: 4956095A-D99E-4A4E-A6DC-9E63E5978722
        methods:
          push:
            apsEnvironment: DEVELOPMENT
            pushToken: 667b773e90871f014805f45f770c90d161b84b609d167039b2c388c7bacfdaa1
            keys:
              proofOfPossession:
                x: hFr-xcGSMHbWKq2_SUAOMkif1ARYAU-X_8ZGprOhxfw
                'y': HVqAxDCiGcV7H0QAQas6CMbh2wyG-cPU_cwXv3kPqcI
                kty: EC
                okta:kpr: HARDWARE
                crv: P-256
                kid: 2078892D-BC96-4C8C-A3FA-34045C002C4A
              userVerification:
                x: V0p-5JFpcen4Iep94ihs00Kjezw9sblfMSUW-cJxTRk
                'y': wgJ9SFT3iaT6cqS08TBIBg_K-20r_4FMGFUlN2BXFJc
                kty: EC
                okta:kpr: HARDWARE
                crv: P-256
                kid: 80D6AC7B-B640-4899-A32C-CA7B98BE0AE6
            capabilities:
              transactionTypes:
                - LOGIN
                - CIBA
    EnrollmentExampleEmail:
      summary: Email Enrollment
      value:
        id: eae3jiacDBMEjIC9V0g5
        name: Email
        created: '2023-08-10T20:11:55.000Z'
        profile:
          email: s***q@example.com
        _links:
          self:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji50IyerHHpCa0g5/enrollments/eae3jiacDBMEjIC9V0g5
            hints:
              allow:
                - GET
          authenticator:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji50IyerHHpCa0g5
            hints:
              allow:
                - GET
    EnrollmentExamplePassword:
      summary: Password Enrollment
      value:
        id: pasfs1tgsKqEha3JwZKq
        name: Okta Password
        created: '2023-05-01T14:24:54.000Z'
        lastChallenged: '2023-06-01T13:44:54.000Z'
        canReset: true
        canUnenroll: false
        _links:
          self:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut7liEC2BWqGZ8tosym/enrollments/pasfs1tgsKqEha3JwZKq
            hints:
              allow:
                - GET
          authenticator:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut7liEC2BWqGZ8tosym
            hints:
              allow:
                - GET
    EnrollmentExampleSecurityKey:
      summary: Security key Enrollment
      value:
        id: fwf3jiaukymSFdBBS0g5
        name: YubiKey 5
        created: '2023-05-01T14:24:54.000Z'
        lastChallenged: '2023-06-01T13:44:54.000Z'
        _links:
          self:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut7liEC2BWqGZ8tosym/enrollments/pasfs1tgsKqEha3JwZKq
            hints:
              allow:
                - GET
          authenticator:
            href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut7liEC2BWqGZ8tosym
            hints:
              allow:
                - GET
    ErrorAccessDenied:
      summary: Access Denied
      value:
        errorCode: E0000006
        errorSummary: You don't have permission to perform the requested action.
        errorLink: E0000006
        errorId: sampleNUSD_8fdkFd8fs8SDBK
        errorCauses: []
    ErrorResourceNotFound:
      summary: Resource Not Found
      value:
        errorCode: E0000007
        errorSummary: 'Not found: {0}'
        errorLink: E0000007
        errorId: sampleMlLvGUj_YD5v16vkYWY
        errorCauses: []
    ErrorTooManyRequests:
      summary: Too Many Requests
      value:
        errorCode: E0000047
        errorSummary: You exceeded the maximum number of requests. Try again in a while.
        errorLink: E0000047
        errorId: sampleQPivGUj_ND5v78vbYWW
        errorCauses: []
    GetPendingNotificationsJWTHeader:
      summary: JWT Header
      value:
        - kid: seD0hUMrcpFtlVVTmkDyJ0mGxlEygWEZ42ts9z4ih9M
          typ: okta-pushbind+jwt
          alg: RS256
    GetPendingNotificationsJWTPayload:
      summary: JWT Payload
      value:
        - iss: https://{{yourOktaDomain}}
          aud: okta.63c081db-1f13-5084-882f-e79e1e5e2da7
          exp: 1648339796
          iat: 1648339496
          jti: ft-hqOpHM8yxcGvE0cN7UXWVodVyP0omKW
          nonce: LA_OIcYdr4R0GqMDJ08p
          transactionId: ft-hqOpHM8yxcGvE0cN7UXWVodVyP0omKW
          signals:
            - id
            - displayName
            - platform
            - manufacturer
            - model
            - osVersion
            - serialNumber
            - udid
            - sid
            - imei
            - meid
            - secureHardwarePresent
            - deviceAttestation
          verificationUri: https://{{yourOktaDomain}}/idp/myaccount/app-authenticators/challenge/ft-hqOpHM8yxcGvE0cN7UXWVodVyP0omKW/verify
          orgId: 00o54bswOJKhBhzy20w5
          appInstanceName: Okta Dashboard
          method: push
          methodEnrollmentId: opf6aeq9U2hoM8aqO0w5
          authorizationServerId: aus1k3lsbNOta5rds0g5
          userMediation: REQUIRED
          userVerification: PREFERRED
          authenticatorEnrollmentId": pfd7rzcmvlhmE0Y1w0g4
          challengeContext:
            clientOS: MAC_OS_X
            clientLocation: San Francisco, California, United States
            transactionTime: '2022-03-27T00:04:56.861Z'
            transactionType: LOGIN
            bindingMessage: Required if transactionType = CIBA
          userId: 00u44bx5BuSpiLUMl0w5
          ver: 0
    GetPendingNotificationsSuccessResponse:
      summary: Success Response
      value:
        - payloadVersion: IDXv1
          challenge: Your encoded challenge request JWT
    ListAuthenticatorsExample:
      summary: List all Authenticators
      value:
        - id: aut3ji50IyerHHpCa0g5
          key: okta_email
          name: Email
          enrollable: true
          _links:
            self:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji50IyerHHpCa0g5
              hints:
                allow:
                  - GET
            enrollments:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji50IyerHHpCa0g5/enrollments
              hints:
                allow:
                  - GET
        - id: aut3ji4zFcHpwBlic0g5
          key: okta_password
          name: Password
          enrollable: true
          _links:
            self:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji4zFcHpwBlic0g5
              hints:
                allow:
                  - GET
            enrollments:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji4zFcHpwBlic0g5/enrollments
              hints:
                allow:
                  - GET
        - id: aut3jiaiZukD4Ta0Z0g5
          key: webauthn
          name: Security Key or Biometric
          enrollable: true
          _links:
            self:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5
              hints:
                allow:
                  - GET
            enrollments:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5/enrollments
              hints:
                allow:
                  - GET
    ListAuthenticatorsExpandExample:
      summary: List all Authenticators with embedded enrollments using the `expand=enrollments` query parameter
      value:
        - id: aut3ji50IyerHHpCa0g5
          key: okta_email
          name: Email
          enrollable: true
          _links:
            self:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji50IyerHHpCa0g5
              hints:
                allow:
                  - GET
            enrollments:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji50IyerHHpCa0g5/enrollments
              hints:
                allow:
                  - GET
          _embedded:
            enrollments:
              - id: eae3jiacDBMEjIC9V0g5
                name: Email
                created: '2023-08-10T20:11:55.000Z'
                profile:
                  email: s***q@example.com
                links:
                  self:
                    href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji50IyerHHpCa0g5/enrollments/eae3jiacDBMEjIC9V0g5
                    hints:
                      allow:
                        - GET
                  authenticator:
                    href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji50IyerHHpCa0g5
                    hints:
                      allow:
                        - GET
        - id: aut3ji4zFcHpwBlic0g5
          key: okta_password
          name: Password
          enrollable: true
          _links:
            self:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji4zFcHpwBlic0g5
              hints:
                allow:
                  - GET
            enrollments:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji4zFcHpwBlic0g5/enrollments
              hints:
                allow:
                  - GET
          _embedded:
            enrollments:
              - id: lae9bw3rvnO03wAbx0g4
                name: Password
                created: '2023-08-10T20:11:55.000Z'
                links:
                  self:
                    href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji4zFcHpwBlic0g5/enrollments/lae9bw3rvnO03wAbx0g4
                    hints:
                      allow:
                        - GET
                  authenticator:
                    href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3ji4zFcHpwBlic0g5
                    hints:
                      allow:
                        - GET
        - id: aut3jiaiZukD4Ta0Z0g5
          key: webauthn
          name: Security Key or Biometric
          enrollable: true
          _links:
            self:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5
              hints:
                allow:
                  - GET
            enrollments:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5/enrollments
              hints:
                allow:
                  - GET
          _embedded:
            enrollments:
              - id: fwf3jiatpzkqerFkA0g5
                name: MacBook Touch ID
                created: '2023-08-10T20:12:01.000Z'
                links:
                  self:
                    href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5/enrollments/fwf3jiatpzkqerFkA0g5
                    hints:
                      allow:
                        - GET
                  authenticator:
                    href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5
                    hints:
                      allow:
                        - GET
              - id: fwf3jiaukymSFdBBS0g5
                name: YubiKey 5
                created: '2023-08-10T20:12:03.000Z'
                links:
                  self:
                    href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5/enrollments/fwf3jiaukymSFdBBS0g5
                    hints:
                      allow:
                        - GET
                  authenticator:
                    href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5
                    hints:
                      allow:
                        - GET
    ListEnrollmentsExample:
      summary: All security key and biometric Enrollments
      value:
        - id: fwf3jiatpzkqerFkA0g5
          name: MacBook Touch ID
          created: '2023-08-10T20:12:01.000Z'
          links:
            self:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5/enrollments/fwf3jiatpzkqerFkA0g5
              hints:
                allow:
                  - GET
            authenticator:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5
              hints:
                allow:
                  - GET
        - id: fwf3jiaukymSFdBBS0g5
          name: YubiKey 5
          created: '2023-08-10T20:12:03.000Z'
          links:
            self:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5/enrollments/fwf3jiaukymSFdBBS0g5
              hints:
                allow:
                  - GET
            authenticator:
              href: https://sampleorg.okta.com/idp/myaccount/authenticators/aut3jiaiZukD4Ta0Z0g5
              hints:
                allow:
                  - GET
    UnenrollAppAuthenticatorEnrollmentUserVerificationKey:
      summary: Unenroll App Authenticator Enrollment User Verification Key
      value:
        methods:
          push:
            keys:
              userVerification: null
    UpdateAppAuthenticatorEnrollmentPushToken:
      summary: Update App Authenticator Enrollment Push Token
      value:
        methods:
          push:
            pushToken: 667b713e90871f014805f45f770c90d161b84b609d167039b2c388c7bacfdaa1
    UpdateAppAuthenticatorEnrollmentPushTokenAndUserVerificationKey:
      summary: Update App Authenticator Enrollment Push Token and Enroll User Verification Key
      value:
        methods:
          push:
            pushToken: 667b713e90871f014805f45f770c90d161b84b609d167039b2c388c7bacfdaa1
            keys:
              userVerification:
                x: V0p-5JFpcen4Iep94ihs00Kjezw9sblfMSUW-cJxTRk
                'y': wgJ9SFT3iaT6cqS08TBIBg_K-20r_4FMGFUlN2BXFJc
                kty: EC
                okta:kpr: HARDWARE
                crv: P-256
                kid: 80D6AC7B-B640-4899-A32C-CA7B98BE0AE6
    UpdateAppAuthenticatorEnrollmentTransactionType:
      summary: Update App Authenticator Enrollment Transaction Type
      value:
        methods:
          push:
            capabilities:
              transactionTypes:
                - LOGIN
                - CIBA
    UpdateAppAuthenticatorEnrollmentUserVerificationKey:
      summary: Enroll App Authenticator Enrollment User Verification Key
      value:
        methods:
          push:
            keys:
              userVerification:
                x: V0p-5JFpcen4Iep94ihs00Kjezw9sblfMSUW-cJxTRk
                'y': wgJ9SFT3iaT6cqS08TBIBg_K-20r_4FMGFUlN2BXFJc
                kty: EC
                okta:kpr: HARDWARE
                crv: P-256
                kid: 80D6AC7B-B640-4899-A32C-CA7B98BE0AE6
    VerifyPushNotificationChallengeJWTHeader:
      summary: JWT Header
      value:
        typ: okta-pushbind+jwt
        kid: b33b262d-b054-4519-833e-0893f53616ec
        alg: RS256
    VerifyPushNotificationChallengeJWTPayload:
      summary: JWT Payload
      value:
        iss: pfd7rzcmvlhmE0Y1w0g4
        sub: 00u12xkg3YOQqFyeC0g6
        aud: https://{{yourOktaDomain}}
        jti: 9866e66d-e173-487a-878b-4059ffb15255
        iat: 1648687225
        exp: 1648687525
        nbf: 1648686925
        methodEnrollmentId: opf13zf81eK3VfeHE0g6
        tx: ftxWtAah8d4Gv-P-ZcMdbSmELeRlRShWNR
        nonce: 4OvrzlCotGBJIVCAzHb9
        deviceSignals:
          id: guo13zf7vXryjyUCU0g6
          isHardwareProtectionEnabled: false,
          model: Pixel 4
          manufacturer: Google
          displayName: Pixel 4
          platform": ANDROID
          osVersion": 12:2022-03-05
          clientInstanceId": cli13zf7wfZ27xCRQ0g6
          clientInstanceBundleId: com.okta.devices.push.app
          clientInstanceVersion: 1
          secureHardwarePresent: true
          screenLockType: BIOMETRIC
          diskEncryptionType: USER
        keyType: proofOfPossession
        challengeResponseContext:
          userConsent: APPROVED_CONSENT_PROMPT
          transactionType: LOGIN
    VerifyPushNotificationChallengeRequest:
      summary: Push Notification Challenge Request
      value:
        method: push
        challengeResponse: Your encoded challenge response JWT
  parameters:
    appAuthenticatorChallengeId:
      name: challengeId
      in: path
      required: true
      description: Id of the challenge associated with the app authenticator
      schema:
        type: string
        example: ft-hqOpHM8yxcGvE0cN7UXWVodVyP0omKW
    appAuthenticatorEnrollmentId:
      name: enrollmentId
      in: path
      required: true
      description: Id of the user's app authenticator enrollment
      schema:
        type: string
        example: pfd7rzcmvlhmE0Y1w0g4
    pathAuthenticatorId:
      name: authenticatorId
      in: path
      required: true
      description: '`id` of the Authenticator'
      schema:
        type: string
        example: aut9gnvcjUHIWb37J0g4
    pathEnrollmentId:
      name: enrollmentId
      in: path
      required: true
      description: '`id` of the authenticator Enrollment'
      schema:
        type: string
        example: ufs2bysphxKODSZKWVCT
    queryExpandAuthenticator:
      name: expand
      in: query
      description: Optional additional items to return in the `_embedded` object. Currently supports the value `enrollments`.
      schema:
        type: string
        example: enrollments
  responses:
    ErrorAccessDenied403:
      description: Forbidden
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            AccessDenied:
              $ref: '#/components/examples/ErrorAccessDenied'
    ErrorResourceNotFound404:
      description: Not Found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            ResourceNotFound:
              $ref: '#/components/examples/ErrorResourceNotFound'
    ErrorTooManyRequests429:
      description: Too Many Requests
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            TooManyRequests:
              $ref: '#/components/examples/ErrorTooManyRequests'
    ListAuthenticatorsResponse:
      description: Authenticators
      content:
        application/json:
          schema:
            type: array
            items:
              $ref: '#/components/schemas/Authenticator'
          examples:
            ListAuthenticatorsExample:
              $ref: '#/components/examples/ListAuthenticatorsExample'
            ListAuthenticatorsExpandExample:
              $ref: '#/components/examples/ListAuthenticatorsExpandExample'
    AuthenticatorResponse:
      description: Authenticator
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Authenticator'
          examples:
            AuthenticatorExamplePassword:
              $ref: '#/components/examples/AuthenticatorExamplePassword'
            AuthenticatorExampleSecurityKey:
              $ref: '#/components/examples/AuthenticatorExampleSecurityKey'
    ListEnrollmentsResponse:
      description: Enrollments
      content:
        application/json:
          schema:
            type: array
            items:
              $ref: '#/components/schemas/AuthenticatorEnrollment'
          examples:
            ListEnrollmentsExample:
              $ref: '#/components/examples/ListEnrollmentsExample'
    EnrollmentResponse:
      description: Enrollment
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/AuthenticatorEnrollment'
          examples:
            EnrollmentExamplePassword:
              $ref: '#/components/examples/EnrollmentExamplePassword'
            EnrollmentExampleEmail:
              $ref: '#/components/examples/EnrollmentExampleEmail'
            EnrollmentExampleSecurityKey:
              $ref: '#/components/examples/EnrollmentExampleSecurityKey'
    Verified-Email-Response:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Email'
          examples:
            Success-Response:
              value:
                id: 69dca29c2d8dbb0dca14395ccdb92317
                status: VERIFIED
                roles:
                  - PRIMARY
                profile:
                  email: saml.jackson@example.com
                _links:
                  self:
                    href: https://example.okta.com/idp/myaccount/emails/69dca29c2d8dbb0dca14395ccdb92317
                    hints:
                      allow:
                        - GET
                  challenge:
                    href: https://example.okta.com/idp/myaccount/emails/69dca29c2d8dbb0dca14395ccdb92317/challenge
                    hints:
                      allow:
                        - POST
    OktaApplicationsResponse:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            type: array
            items:
              $ref: '#/components/schemas/OktaApplication'
          examples:
            Success-Response:
              value:
                - id: okta.2b1959c8-bcc0-56eb-a589-cfcfb7422f26
                  name: okta_enduser
                  displayName: Okta Dashboard
                - id: okta.b8003760-1ca5-51b8-9404-85bb7ef9bc8c
                  name: okta_account_settings
                  displayName: Okta End User Settings
                - id: okta.ee074f99-1b5b-513e-8ea6-f8beeab8dbb9
                  name: okta_browser_plugin
                  displayName: Okta Browser Plugin
                - id: okta.b58d5b75-07d4-5f25-bf59-368a1261a405
                  name: saasure
                  displayName: Okta Admin Console
    OrganizationResponse:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Organization'
          examples:
            Success-Response:
              value:
                name: TestOrg
                url: https://example.okta.com
                helpLink: https://example.okta.com/helpLink
                supportEmail: orgsupport@example.com
                _links:
                  self:
                    href: https://example.okta.com/idp/myaccount/organization
                    hints:
                      allow:
                        - GET
    Unverified-Email-Response:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Email'
          examples:
            Success-Response:
              value:
                id: e2a84ed3cc538f75457596faa74a4532
                status: UNVERIFIED
                roles:
                  - PRIMARY
                profile:
                  email: s.jackson@company.com
                _links:
                  self:
                    href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532
                    hints:
                      allow:
                        - GET
                        - DELETE
                  challenge:
                    href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge
                    hints:
                      allow:
                        - POST
                  verify:
                    href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.IDseIErVSEiFlLyAbzSp5Q/verify
                    hints:
                      allow:
                        - POST
                  poll:
                    href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.IDseIErVSEiFlLyAbzSp5Q
                    hints:
                      allow:
                        - GET
    Email-Array-Response:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            type: array
            items:
              $ref: '#/components/schemas/Email'
          examples:
            Success-Response:
              value:
                - id: 69dca29c2d8dbb0dca14395ccdb92317
                  status: VERIFIED
                  roles:
                    - PRIMARY
                  profile:
                    email: saml.jackson@example.com
                  _links:
                    self:
                      href: https://example.okta.com/idp/myaccount/emails/69dca29c2d8dbb0dca14395ccdb92317
                      hints:
                        allow:
                          - GET
                    challenge:
                      href: https://example.okta.com/idp/myaccount/emails/69dca29c2d8dbb0dca14395ccdb92317/challenge
                      hints:
                        allow:
                          - POST
                - id: e2a84ed3cc538f75457596faa74a4532
                  status: UNVERIFIED
                  roles:
                    - PRIMARY
                  profile:
                    email: s.jackson@company.com
                  _links:
                    self:
                      href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532
                      hints:
                        allow:
                          - GET
                          - DELETE
                    challenge:
                      href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge
                      hints:
                        allow:
                          - POST
                    verify:
                      href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.IDseIErVSEiFlLyAbzSp5Q/verify
                      hints:
                        allow:
                          - POST
                    poll:
                      href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.IDseIErVSEiFlLyAbzSp5Q
                      hints:
                        allow:
                          - GET
    Phone-Array-Response:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            type: array
            items:
              $ref: '#/components/schemas/Phone'
          examples:
            Success-Response:
              value:
                - id: sms10ltpSdwXJCem80g4
                  status: VERIFIED
                  profile:
                    phoneNumber: '+13333333333'
                  _links:
                    self:
                      href: https://example.okta.com/idp/myaccount/phones/sms10ltpSdwXJCem80g4
                      hints:
                        allow:
                          - GET
                          - DELETE
                    challenge:
                      href: https://example.okta.com/idp/myaccount/phones/sms10ltpSdwXJCem80g4/challenge
                      hints:
                        allow:
                          - POST
                - id: sms18vrvVDDmi4Qlz0g4
                  status: UNVERIFIED
                  profile:
                    phoneNumber: '+12222222222'
                  _links:
                    self:
                      href: https://example.okta.com/idp/myaccount/phones/sms18vrvVDDmi4Qlz0g4
                      hints:
                        allow:
                          - GET
                          - DELETE
                    challenge:
                      href: https://example.okta.com/idp/myaccount/phones/sms18vrvVDDmi4Qlz0g4/challenge
                      hints:
                        allow:
                          - POST
                    verify:
                      href: https://example.okta.com/idp/myaccount/phones/sms18vrvVDDmi4Qlz0g4/verify
                      hints:
                        allow:
                          - POST
    Unverified-Phone-Response:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Phone'
          examples:
            Success-Response:
              value:
                id: sms18vtfKgzqDhNqP0g4
                status: UNVERIFIED
                profile:
                  phoneNumber: +1(444)444-4444
                _links:
                  self:
                    href: https://example.okta.com/idp/myaccount/phones/sms18vtfKgzqDhNqP0g4
                    hints:
                      allow:
                        - GET
                        - DELETE
                  challenge:
                    href: https://example.okta.com/idp/myaccount/phones/sms18vtfKgzqDhNqP0g4/challenge
                    hints:
                      allow:
                        - POST
                  verify:
                    href: https://example.okta.com/idp/myaccount/phones/sms18vtfKgzqDhNqP0g4/verify
                    hints:
                      allow:
                        - POST
    Verified-Phone-Response:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Phone'
          examples:
            Success-Response:
              value:
                id: sms10ltpSdwXJCem80g4
                status: VERIFIED
                profile:
                  phoneNumber: +1(333)333-3333
                _links:
                  self:
                    href: https://example.okta.com/idp/myaccount/phones/sms10ltpSdwXJCem80g4
                    hints:
                      allow:
                        - GET
                        - DELETE
                  challenge:
                    href: https://example.okta.com/idp/myaccount/phones/sms10ltpSdwXJCem80g4/challenge
                    hints:
                      allow:
                        - POST
    Challenged-Phone-Response:
      description: Example response after challenging a phone
      content:
        application/json;okta-version=1.0.0:
          schema:
            type: object
            properties:
              _links:
                type: object
                description: Discoverable resources related to the phone challenge
                properties:
                  verify:
                    type: object
                    description: Link to the resource (verify)
                    required:
                      - href
                      - hints
                    properties:
                      href:
                        type: string
                        description: Link URI
                        minLength: 1
                      hints:
                        type: object
                        description: Describes the allowed HTTP verbs for the `href`
                        required:
                          - allow
                        properties:
                          allow:
                            type: array
                            items:
                              type: string
                              enum:
                                - GET
          examples:
            Success-Response:
              value:
                _links:
                  verify:
                    href: https://example.okta.com/idp/myaccount/emails/e2a84ed3cc538f75457596faa74a4532/challenge/myaccount.2wdtXPtmS0WpKq4bnjlYIw/verify
                    hints:
                      allow:
                        - POST
    Password-Enrolled-Response:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/PasswordResponse'
          examples:
            Success-Response:
              value:
                id: 00T196qTp3LIMZQ0L0g3
                status: ACTIVE
                created: '2020-01-14T20:05:32.000Z'
                lastUpdated: '2020-01-14T20:05:32.000Z'
                _links:
                  self:
                    href: https://example.okta.com/idp/myaccount/password
                    hints:
                      allow:
                        - GET
                        - DELETE
                        - PUT
    Profile-Retrieval-Response:
      description: Example response
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Profile'
          examples:
            Success-Response:
              value:
                createdAt: '2020-01-14T20:05:32.000Z'
                modifiedAt: '2020-01-14T20:05:32.000Z'
                profile:
                  customBoolean: false
                  foo: bar
                  login: example@ex.ample.com
                  mobilePhone: +1(555)555-5555
                  customInteger: 42
                _links:
                  self:
                    href: https://example.okta.com/idp/myaccount/profile
                  describedBy:
                    href: https://example.okta.com/idp/myaccount/profile/schema
    Error-InvalidFactorId-Response-404:
      description: Not Found
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Phone-Factor-Id-404:
              value:
                errorCode: E0000008
                errorSummary: The requested path was not found
                errorLink: E0000008
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: This operation couldn't be completed as requested due to an issue with the specified authenticator.
    Error-FailedToSendOutOfBandChallenge-Response-500:
      description: Internal Server Error
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Failed-To-Send-Out-Of-Band-Challenge-500:
              value:
                errorCode: E0000138
                errorSummary: There was an internal error with call provider(s).
                errorLink: E0000138
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Failed to send the out of band OTP challenge. Set "retry" to "true" in the API request body and resubmit the API call to the endpoint.
    Error-InvalidTransaction-Response-409:
      description: Conflict
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Transaction-409:
              value:
                errorCode: E0000157
                errorSummary: 'Another authenticator with key: transactionHandle is already active.'
                errorLink: E0000157
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Failed to find a transaction. Either the challenge was answered or the factor id is invalid.
    Error-UpdateProfile-Response-400:
      description: Bad Request
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Email-Update-From-Profile:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: forUpdate'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: You cannot update email attributes using the profile endpoint. Use the emails endpoint to make any required changes.
            Invalid-Value-Type-For-Property:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: forUpdate'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid value data type for property 'some-property'
            Missing-Property-Value-For-Self-Update:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: forUpdate'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Property 'some-property' needs a value passed.  To unset it, explicitly set it to null.
            Read-Only-Property-Changed-For-Self-Update:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: forUpdate'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Property 'some-property' is read only.  The value supplied must exactly match the existing value.
            Corrupt-Profile-Prevents-Self-Update:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: forUpdate'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Your profile is corrupt in a way that requires administrative intervention.  Please contact support.
            Concealed-Or-Unknown-Property-For-Self-Update:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: forUpdate'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Property 'some-property' does not exist or is not accessible.
    Error-PhoneNumberExists-Response-409:
      description: Conflict
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Phone-Number-Exists-409:
              value:
                errorCode: E0000157
                errorSummary: 'Another authenticator with key: +14161111111 is already active.'
                errorLink: E0000157
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: This phone number is already assigned to the current user account.
    Error-InvalidEmailDeletion-400:
      description: Bad Request
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Email-Deletion-400:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Email'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Can't delete a verified email address.
    Error-InvalidEmail-Response-400:
      description: Bad Request
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Email-400:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Email'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid email address.
    Error-EmailConflict-Response-409:
      description: Conflict
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Email-Conflict-409:
              value:
                errorCode: E0000157
                errorSummary: 'Another authenticator with key: Email is already active.'
                errorLink: E0000157
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: The email example@email.com is already registered to the current user profile.
    Error-EmailResourceNotFound-Response-404:
      description: Not Found
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Email-Resource-Not-Found-404:
              value:
                errorCode: E0000007
                errorSummary: 'Not found: Resource not found: 796bc844c1802c5ad5a65e1dbd26c30a (UserProfileEmail)'
                errorLink: E0000007
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses: []
    Error-EmailChallengeResourceNotFound-Response-404:
      description: Not Found
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Email-Challenge-Resource-Not-Found-404:
              value:
                errorCode: E0000007
                errorSummary: 'Not found: Resource not found: myaccount.WJLzOhehQwSVUFLVTy2ywb (IdpMyAccountChallenge)'
                errorLink: E0000007
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses: []
    Error-Email-Response-403:
      description: Forbidden
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Secondary-Email:
              value:
                errorCode: E0000038
                errorSummary: This operation is not allowed in the user's current status.
                errorLink: E0000038
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Secondary email is not enabled as an authenticator for your org.
    Error-Create-Phone-Response-400:
      description: Bad Request
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Method:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Method'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid method some_invalid_method in the request.
            Not-A-Number:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Error type: NOT_A_NUMBER. The string supplied did not seem to be a phone number.'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid phone number.
            Invalid-Country-Code:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Error type: INVALID_COUNTRY_CODE. Could not interpret numbers after plus-sign.'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid phone number.
            Too-Long:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Error type: TOO_LONG. The string supplied is too long to be a phone number.'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid phone number.
            Invalid-Transaction-Data-Type:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Transaction'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid transaction.
            Cardinality-Max-Reached:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Exceeded cardinality max'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: This user account has reached the maximum number of enrolled phone numbers.
    Error-Challenge-Phone-Response-400:
      description: Bad Request
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Method:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Method'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid method some_invalid_method in the request.
            Invalid-Transaction-Data-Type:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Transaction'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid transaction.
    Error-Verify-Phone-Response-400:
      description: Bad Request
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Method:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Method'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid method some_invalid_method in the request.
            Invalid-Transaction-Data-Type:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Transaction'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid transaction.
            Invalid-Phone-Factor-Id:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: factorId and/or verificationCode'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: This operation couldn't be completed as requested due to an issue with the specified authenticator.
    Error-IdpMyAccountNotEnabled-Response-401:
      description: Unauthorized
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            IDP-MyAccount-not-enabled-401:
              value:
                errorCode: E0000015
                errorSummary: You do not have permission to access the feature you are requesting
                errorLink: E0000015
                errorId: oaeStOuPPxDRUm3PJhf-tL7bQ
                errorCauses: []
    Error-VerifyPhoneEmail-Response-401:
      description: Unauthorized
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            IDP-MyAccount-not-enabled-401:
              value:
                errorCode: E0000015
                errorSummary: You do not have permission to access the feature you are requesting
                errorLink: E0000015
                errorId: oaeStOuPPxDRUm3PJhf-tL7bQ
                errorCauses: []
            Unauthorized-User-401:
              value:
                errorCode: E0000004
                errorSummary: Authentication failed
                errorLink: E0000004
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: User is not authorized.
            User-Failed-To-Answer-Challenge-401:
              value:
                errorCode: E0000004
                errorSummary: Authentication failed
                errorLink: E0000004
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: The verification challenge failed due to an invalid code.
    Error-CreateChallengeVerify-Phone-Response-403:
      description: Forbidden
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Phone-Authenticator-Disabled:
              value:
                errorCode: E0000038
                errorSummary: This operation is not allowed in the user's current status.
                errorLink: E0000038
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Phone authenticator is not enabled for your org.
            Invalid-Authentication-Method-Type:
              value:
                errorCode: E0000038
                errorSummary: This operation is not allowed in the user's current status.
                errorLink: E0000038
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Method some_invalid_method is not enabled for your org.
    Error-Delete-Phone-Response-403:
      description: Forbidden
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Phone-Authenticator-Disabled:
              value:
                errorCode: E0000038
                errorSummary: This operation is not allowed in the user's current status.
                errorLink: E0000038
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Phone authenticator is not enabled for your org.
    Error-InvalidPassword-Reponse-400:
      description: Bad Request
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Invalid-Password-400:
              value:
                errorCode: E0000001
                errorSummary: 'Api validation failed: Password'
                errorLink: E0000001
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: Invalid password.
    Error-PasswordConflict-Response-409:
      description: Conflict
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Password-Conflict-409:
              value:
                errorCode: E0000157
                errorSummary: This account already has a password set as an authenticator.
                errorLink: E0000157
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses:
                  - errorSummary: This account already has a password set as an authenticator.
    Error-PasswordResourceNotFound-Response-404:
      description: Not Found
      content:
        application/json;okta-version=1.0.0:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            Password-Resource-Not-Found-404:
              value:
                errorCode: E0000007
                errorSummary: 'Not found: Resource not found: 796bc844c1802c5ad5a65e1dbd26c30a (UserProfilePassword)'
                errorLink: E0000007
                errorId: oaejUwz8U5FQ_SyggQwz1kC3w
                errorCauses: []
  schemas:
    AppAuthenticatorEnrollment:
      description: App authenticator enrollment object
      type: object
      properties:
        authenticatorId:
          type: string
          readOnly: true
        createdDate:
          type: string
          format: date-time
          readOnly: true
        device:
          type: object
          properties:
            id:
              type: string
            status:
              type: string
              enum:
                - ACTIVE
            createdDate:
              type: string
              format: date-time
            lastUpdated:
              type: string
              format: date-time
            clientInstanceId:
              type: string
          readOnly: true
        id:
          type: string
          readOnly: true
        lastUpdated:
          type: string
          format: date-time
          readOnly: true
        links:
          type: object
          description: Discoverable resources related to the app authenticator
          properties:
            self:
              type: object
              description: Link to the resource (app authenticator)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - PATCH
                          - DELETE
          readOnly: true
        methods:
          type: object
          properties:
            push:
              type: object
              properties:
                id:
                  type: string
                createdDate:
                  type: string
                  format: date-time
                lastUpdated:
                  type: string
                  format: date-time
                links:
                  type: object
                  properties:
                    pending:
                      type: object
                      properties:
                        href:
                          type: string
                          minLength: 1
                        hints:
                          type: object
                          properties:
                            allow:
                              type: array
                              items:
                                type: string
                                enum:
                                  - GET
        user:
          type: object
          properties:
            id:
              type: string
            username:
              type: string
          readOnly: true
    AppAuthenticatorEnrollmentRequest:
      description: App Authenticator enrollment request
      type: object
      properties:
        authenticatorId:
          type: string
        device:
          type: object
          properties:
            secureHardwarePresent:
              type: boolean
              description: Indicates if the device is equipped with TPM storage for storing signing keys
            clientInstanceKey:
              $ref: '#/components/schemas/KeyObject'
              description: A public key in Json Web Keys format that is not tied to a user. It can be used to identify a device across orgs.
            osVersion:
              type: string
            clientInstanceBundleId:
              type: string
            platform:
              type: string
              enum:
                - ANDROID
                - IOS
            manufacturer:
              type: string
              example:
                - APPLE
                - Google
            deviceAttestation:
              type: object
            clientInstanceVersion:
              type: string
            clientInstanceDeviceSdkVersion:
              type: string
            model:
              type: string
              example:
                - iPhone 14
                - Pixel 4
            displayName:
              type: string
              description: The device's display name
            udid:
              type: string
          required:
            - clientInstanceKey
            - clientInstanceBundleId
            - clientInstanceVersion
            - clientInstanceDeviceSdkVersion
            - osVersion
            - platform
            - displayName
        methods:
          type: object
          required:
            - push
          properties:
            push:
              type: object
              required:
                - pushToken
                - keys
              properties:
                apsEnvironment:
                  type: string
                  description: Target APS type that application registers to. Required for iOS enrollments.
                  enum:
                    - PRODUCTION
                    - DEVELOPMENT
                pushToken:
                  type: string
                keys:
                  type: object
                  required:
                    - proofOfPossession
                  properties:
                    proofOfPossession:
                      $ref: '#/components/schemas/KeyObject'
                    userVerification:
                      $ref: '#/components/schemas/KeyObject'
                    capabilities:
                      $ref: '#/components/schemas/AppAuthenticatorMethodCapabilities'
      required:
        - authenticatorId
        - device
        - methods
    AppAuthenticatorMethodCapabilities:
      type: object
      properties:
        transactionTypes:
          type: array
          items:
            type: string
            enum:
              - LOGIN
              - CIBA
    Authenticator:
      description: A specific Authenticator of the current user
      type: object
      properties:
        enrollable:
          type: boolean
          readOnly: true
        id:
          type: string
          readOnly: true
        key:
          $ref: '#/components/schemas/AuthenticatorKey'
        name:
          type: string
          readOnly: true
        _embedded:
          type: object
          readOnly: true
          properties:
            enrollments:
              type: array
              items:
                $ref: '#/components/schemas/AuthenticatorEnrollment'
        _links:
          type: object
          readOnly: true
          properties:
            self:
              $ref: '#/components/schemas/HrefObject'
            enrollments:
              $ref: '#/components/schemas/HrefObject'
    AuthenticatorEnrollment:
      description: Authenticator Enrollment of the current user
      type: object
      properties:
        canReset:
          type: boolean
          readOnly: true
        canUnenroll:
          type: boolean
          readOnly: true
        created:
          type: string
          readOnly: true
        id:
          type: string
          readOnly: true
        lastChallenged:
          type: string
          readOnly: true
        name:
          type: string
        profile:
          type: object
          readOnly: true
        _links:
          type: object
          readOnly: true
          properties:
            self:
              $ref: '#/components/schemas/HrefObject'
            authenticator:
              $ref: '#/components/schemas/HrefObject'
    AuthenticatorKey:
      type: string
      enum:
        - custom_app
        - custom_otp
        - duo
        - external_idp
        - google_otp
        - okta_email
        - okta_password
        - okta_verify
        - onprem_mfa
        - phone_number
        - rsa_token
        - security_question
        - symantec_vip
        - webauthn
        - yubikey_token
      readOnly: true
    Email:
      description: Email Object
      type: object
      properties:
        id:
          type: string
          description: The email ID of the caller
          minLength: 1
          readOnly: true
        profile:
          type: object
          description: Defines the email address on the profile
          required:
            - email
          properties:
            email:
              type: string
              description: Email address of the user
              minLength: 1
        roles:
          type: array
          description: Defines the role of the email
          items:
            type: string
            enum:
              - PRIMARY
              - SECONDARY
        status:
          type: string
          description: The email status of the caller
          minLength: 1
          readOnly: true
          enum:
            - VERIFIED
            - UNVERIFIED
        _links:
          type: object
          description: Discoverable resources related to the caller's email
          properties:
            self:
              type: object
              description: Link to the resource (self)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - GET
                          - DELETE
                          - PUT
            challenge:
              type: object
              description: Link to the resource (challenge)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - DELETE
                          - GET
                          - POST
                          - PUT
            verify:
              type: object
              description: Link to the resource (verify)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - DELETE
                          - GET
                          - POST
                          - PUT
            poll:
              type: object
              description: Link to the resource (poll)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - DELETE
                          - GET
                          - POST
                          - PUT
      required:
        - id
        - status
        - profile
        - roles
    Error:
      description: Standard API Error Object
      type: object
      properties:
        errorCauses:
          type: array
          description: (Optional) Further information about what caused this error
          items:
            type: object
            properties:
              errorSummary:
                type: string
                description: A natural language explanation of the error
                example: Bad request because XYZ is missing.
                readOnly: true
        errorCode:
          type: string
          description: A code that is associated with this error type
          example: E0000001
          readOnly: true
        errorId:
          type: string
          description: A unique identifier for this error. This can be used by Okta Support to help with troubleshooting.
          example: oaeWGQKoQHeQmy0u8w8bPwi_Q
          readOnly: true
        errorLink:
          type: string
          description: A link to documentation with a more detailed explanation of the error (not yet implemented and is currently the same value as the 'errorCode')
          example: E0000001
          readOnly: true
        errorSummary:
          type: string
          description: A natural language explanation of the error
          example: Bad request because XYZ is missing.
          readOnly: true
    HrefObject:
      title: Link Object
      type: object
      properties:
        hints:
          type: object
          description: Describes allowed HTTP verbs for the `href`
          properties:
            allow:
              type: array
              items:
                $ref: '#/components/schemas/HttpMethod'
        href:
          type: string
          description: Link URI
        name:
          type: string
          description: Link name
        type:
          type: string
          description: The media type of the link. If omitted, it is implicitly `application/json`.
      required:
        - href
      readOnly: true
    HttpMethod:
      type: string
      enum:
        - DELETE
        - GET
        - POST
        - PUT
    KeyEC:
      type: object
      properties:
        crv:
          type: string
          enum:
            - P-256
        kid:
          type: string
          description: The unique identifier of the key
        kty:
          type: string
          enum:
            - EC
          description: The type of public key
        okta:kpr:
          type: string
          enum:
            - HARDWARE
            - SOFTWARE
        x:
          type: string
          description: The public x coordinate for the elliptic curve point
        'y':
          type: string
          description: The public y coordinate for the elliptic curve point
      required:
        - x
        - 'y'
        - kty
        - okta:kpr
        - crv
        - kid
    KeyObject:
      oneOf:
        - $ref: '#/components/schemas/KeyEC'
        - $ref: '#/components/schemas/KeyRSA'
      type: object
    KeyRSA:
      type: object
      properties:
        e:
          type: string
          description: The key exponent of a RSA key
        kid:
          type: string
          description: The unique identifier of the key
        kty:
          type: string
          enum:
            - RSA
          description: The type of public key
        'n':
          type: string
          description: The modulus of the RSA key
        okta:kpr:
          type: string
          enum:
            - HARDWARE
            - SOFTWARE
      required:
        - 'n'
        - e
        - kty
        - okta:kpr
        - kid
    OktaApplication:
      description: Okta apps list
      type: object
      properties:
        displayName:
          type: string
          description: The display name of the app
          minLength: 1
          readOnly: true
        id:
          type: string
          description: The `client_id` of the app
          minLength: 1
          readOnly: true
        name:
          type: string
          description: The name of the app
          minLength: 1
          readOnly: true
    Organization:
      description: Org Object
      type: object
      properties:
        helpLink:
          type: string
          description: The URL of the Org's help resources
          readOnly: true
        name:
          type: string
          description: The name of the Org
          minLength: 1
          readOnly: true
        supportEmail:
          type: string
          description: The email address of the Org support contact
          readOnly: true
        url:
          type: string
          description: The URL of the Org
          minLength: 1
          readOnly: true
        _links:
          type: object
          description: Discoverable resources related to the Org
          properties:
            self:
              type: object
              description: Link to the resource (self)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - GET
    PasswordResponse:
      description: Password Response Object
      type: object
      properties:
        created:
          type: string
          description: If password is `ACTIVE`, returns the date when password was first enrolled
        id:
          type: string
          minLength: 1
          readOnly: true
        lastUpdated:
          type: string
          description: If password is `ACTIVE`, returns the date when password was last updated
        status:
          type: string
          description: '`ACTIVE`, `EXPIRED`, `SUSPENDED`, `NOT_ENROLLED`'
        _links:
          type: object
          description: Discoverable resources related to the password
          properties:
            self:
              type: object
              description: Link to the resource (self)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - DELETE
                          - GET
                          - PUT
    Phone:
      description: Phone Object
      type: object
      properties:
        id:
          type: string
          description: The phone ID of the caller
          minLength: 1
          readOnly: true
        profile:
          type: object
          description: Defines the phone number on the profile
          required:
            - phoneNumber
          properties:
            phoneNumber:
              type: string
              description: The phone number on the profile
              minLength: 1
        status:
          type: string
          description: The phone status of the caller
          enum:
            - VERIFIED
            - UNVERIFIED
          minLength: 1
          readOnly: true
        _links:
          type: object
          description: Discoverable resources related to the caller's phone
          properties:
            self:
              type: object
              description: Link to the resource (self)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - GET
                          - DELETE
                          - PUT
            challenge:
              type: object
              description: Link to the resource (challenge)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - DELETE
                          - GET
                          - POST
                          - PUT
            verify:
              type: object
              description: Link to the resource (verify)
              properties:
                href:
                  type: string
                  description: Link URI
                  minLength: 1
                hints:
                  type: object
                  description: Describes the allowed HTTP verbs for the `href`
                  properties:
                    allow:
                      type: array
                      items:
                        type: string
                        enum:
                          - DELETE
                          - GET
                          - POST
                          - PUT
      required:
        - id
        - status
        - profile
    Profile:
      description: Profile object based on the user's directory profile schema (based on UD)
      type: object
      properties:
        createdAt:
          type: string
          description: The timestamp of the creation of the caller's account
          format: date-time
          readOnly: true
        modifiedAt:
          type: string
          description: The timestamp of the last update to the caller's account
          format: date-time
          readOnly: true
        profile:
          type: object
          description: The properties defined in the [User Profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)
        _links:
          type: object
          properties:
            self:
              type: object
              description: Link to the resource (self)
              properties:
                href:
                  type: string
                  description: Link URI
                  format: uri
                  readOnly: true
            describedBy:
              type: object
              description: Link to the resource (describedBy)
              properties:
                href:
                  type: string
                  description: Link URI
                  format: uri
                  readOnly: true
    PushNotificationChallenge:
      description: Push notification challenge request object for an app authenticator
      type: object
      properties:
        challenge:
          type: string
          description: |
            JWT issued by Okta at the time of challenging for a push notification.

            This based64-encoded JWT consists of a [JWT header](/openapi/okta-myaccount/myaccount/tag/AppAuthenticator/#tag/AppAuthenticator/schema/PushNotificationChallengeRequestJwtHeader)
            and a [JWT payload](/openapi/okta-myaccount/myaccount/tag/AppAuthenticator/#tag/AppAuthenticator/schema/PushNotificationChallengeRequestJwt).
        payloadVersion:
          type: string
          enum:
            - IDXv1
    PushNotificationChallengeRequestJwt:
      x-tags:
        - AppAuthenticator
      description: JSON Web Token payload constructed by Okta for the push notification challenge request JWT
      type: object
      properties:
        appInstanceName:
          type: string
          description: Friendly name of the application for the authentication request
        aud:
          type: string
          description: Audience (maps to the application ID)
        authenticatorEnrollmentId:
          type: string
          description: ID of the app authenticator enrollment
          example: pfd7rzcmvlhmE0Y1w0g4
        authorizationServerId:
          type: string
          description: ID of the authorization server that signed the challenge request
        challengeContext:
          type: object
          properties:
            clientOS:
              type: string
              description: OS of the client making the request
            clientLocation:
              type: string
              description: Location of the request
            transactionTime:
              type: string
              description: Time the challenge request was created
            transactionType:
              type: string
              description: Indicates if the request is CIBA or LOGIN
              enum:
                - CIBA
                - LOGIN
            bindingMessage:
              type: string
              description: If `transactionType` is CIBA, this message must be shown to the user
        exp:
          type: string
          description: Expiration time of token (UNIX timestamp)
        iat:
          type: string
          description: Issuing time of token (UNIX timestamp)
        iss:
          type: string
          description: Issuer (maps to the org URL)
        jti:
          type: string
          description: Token ID (matches `transactionId`)
        method:
          type: string
          description: Method type requested for the response
          enum:
            - push
          example: push
        methodEnrollmentId:
          type: string
          description: ID of the push method enrollment
          example: opf6aeq9U2hoM8aqO0w5
        nonce:
          type: string
          description: Randomly generated nonce value
        orgId:
          type: string
          description: ID of the organization
        signals:
          type: array
          description: Array of string values describing client signals requested for collection
        transactionId:
          type: string
          description: Transaction ID (matches the `challengeId` path parameter)
        userId:
          type: string
          description: ID of the user being challenged
        userMediation:
          type: string
          description: Indicates if user mediation is required
          enum:
            - NONE
            - OPTIONAL
            - REQUIRED
          x-enumDescriptions:
            NONE: User interaction isn't required by the client during authentication.
            OPTIONAL: The client can decide to interact with the user or not.
            REQUIRED: The client must interact with the user. If a biometrics prompt occurs during user verification, additional consent prompt isn't shown by the client.
          example: REQUIRED
        userVerification:
          type: string
          description: Indicates if user verification (biometrics) is used in the response
          enum:
            - NONE
            - DISCOURAGED
            - PREFERRED
            - REQUIRED
          x-enumDescriptions:
            NONE: The client doesn't require any user verification as part of the authentication flow.
            DISCOURAGED: The client prefers a proof of possession flow without user interaction. However, the client can prompt for user verification if it allows for a better user experience.
            PREFERRED: Client user verification prompt is preferred. If the user verification key is unavailable, the client can use the proof of possession. In this situation, Okta recommends that the client send UV_TEMPORARILY_UNAVAILABLE or UV_PERMANENTLY_UNAVAILABLE in the challenge response's `userConsent` field.
            REQUIRED: The client must prompt for user verification and otherwise fail silently without user interaction.
          example: REQUIRED
        ver:
          type: integer
          description: 'Version of the JWT (supported value: 0)'
          example: 0
        verificationUri:
          type: string
          description: The expected endpoint posted by the client for the challenge response
    PushNotificationChallengeRequestJwtHeader:
      x-tags:
        - AppAuthenticator
      description: JSON Web Token header used for the push notification challenge request JWT
      type: object
      properties:
        alg:
          type: string
          description: Signing algorithm used
          example: RS256
        kid:
          type: string
          description: Signing key ID that matches the key ID used by the authorization server
          example: “seD0hUMrcpFtlVVTmkDyJ0mGxlEygWEZ42ts9z4ih9M”
        typ:
          type: string
          description: Type of token
          enum:
            - okta-pushbind+jwt
          example: okta-pushbind+jwt
    PushNotificationChallengeResponseJwt:
      x-tags:
        - AppAuthenticator
      description: JSON Web Token payload used for the push notification challenge response JWT
      type: object
      properties:
        aud:
          type: string
          description: Audience (matches the org URL)
        challengeResponseContext:
          type: object
          description: Object describing the response context
          required:
            - userConsent
          properties:
            userConsent:
              type: string
              description: Type of user consent
              enum:
                - NONE
                - APPROVED_CONSENT_PROMPT
                - APPROVED_USER_VERIFICATION
                - CANCELLED_USER_VERIFICATION
                - DENIED_CONSENT_PROMPT
                - UV_TEMPORARILY_UNAVAILABLE
                - UV_PERMANENTLY_UNAVAILABLE
                - USER_ABANDONED
              x-enumDescriptions:
                NONE: There was no interaction with the end user as part of the authentication
                APPROVED_CONSENT_PROMPT: The user approved the consent prompt
                APPROVED_USER_VERIFICATION: The user approved the user verification by providing biometrics or a PIN
                CANCELLED_USER_VERIFICATION: The user cancelled user verification by rejecting the biometrics prompt
                DENIED_CONSENT_PROMPT: The user rejected the consent prompt
                UV_TEMPORARILY_UNAVAILABLE: The client currently can't access the user verification key
                UV_PERMANENTLY_UNAVAILABLE: The client permanently lost access to the user verification key
                USER_ABANDONED: The user cancelled user verification by closing the biometrics prompt
              example: APPROVED_CONSENT_PROMPT
            transactionType:
              type: string
              description: Type of transaction
              enum:
                - LOGIN
                - CIBA
              example: LOGIN
        deviceSignals:
          type: object
          description: JSON dictionary with the `signals` keys (and their values) requested in the challenge request
          properties:
            id:
              type: string
              description: ID of the device
            isHardwareProtectionEnabled:
              type: boolean
              description: Indicates whether the Android device supports a hardware keystore or if the iOS device supports Secure Enclave
            model:
              type: string
              description: The device type or design
              example: iPhone
            manufacturer:
              type: string
              description: The vendor that created the physical device
              example: Apple
            displayName:
              type: string
              description: The display name of the device
            platform:
              type: string
              description: The device operating system
              enum:
                - ANDROID
                - IOS
              example: IOS
            osVersion:
              type: string
              description: The device operating system software version
              example: '11.4'
            clientInstanceId:
              type: string
              description: Key ID of the client instance key
            clientInstanceBundleId:
              type: string
              description: ID of the application bundle
            clientInstanceVersion:
              type: string
              description: Application version
            secureHardwarePresent:
              type: boolean
              description: Indicates if secure hardware is present
            screenLockType:
              type: string
              description: Screen lock type set on the device
              enum:
                - NONE
                - PASSCODE
                - BIOMETRIC
              x-enumDescriptions:
                NONE: No passcode is set on the device
                PASSCODE: Only a passcode or password is set on the device (biometrics aren't set up)
                BIOMETRIC: Passcode and biometrics are set on the device
              example: BIOMETRIC
            diskEncryptionType:
              type: string
              description: Disk encryption type of the device profile
              enum:
                - NONE
                - FULL
                - USER
              x-enumDescriptions:
                NONE: No encryption has been set
                FULL: The disk is fully encrypted
                USER: The encryption key is tied to the user or profile (Android only)
              example: FULL
        exp:
          type: string
          description: Expiration time of token (UNIX timestamp)
        iat:
          type: string
          description: Issuing time of token (UNIX timestamp)
        iss:
          type: string
          description: Issuer (matches the app authenticator enrollment ID)
        jti:
          type: string
          description: Randomly generated ID for every response
        keyType:
          type: string
          description: Type of key used to sign the JWT
          enum:
            - proofOfPossession
            - userVerification
          example: proofOfPossession
        methodEnrollmentId:
          type: string
          description: ID of the push method enrollmnet
          example: opf6aeq9U2hoM8aqO0w5
        nbf:
          type: string
          description: Token isn't valid before this time (UNIX timestamp)
        nonce:
          type: string
          description: Matches the `nonce` in the challenge request
        sub:
          type: string
          description: Subject (matches the user ID)
        tx:
          type: string
          description: Matches the `transactionId` in the challenge request
      required:
        - iss
        - sub
        - aud
        - jti
        - iat
        - exp
        - nbf
        - methodEnrollmentId
        - tx
        - nonce
        - keyType
        - challengeResponseContext
    PushNotificationChallengeResponseJwtHeader:
      x-tags:
        - AppAuthenticator
      description: JSON Web Token header used for the push notification challenge response JWT
      type: object
      properties:
        alg:
          type: string
          description: Signing algorithm used
          example: RS256
        kid:
          type: string
          description: Signing key ID that matches the key ID used during the authenticator enrolment flow
          example: “7fbc27fd-e3df-4522-86bf-1930110256ad”
        typ:
          type: string
          description: Type of token
          enum:
            - okta-pushbind+jwt
          example: okta-pushbind+jwt
      required:
        - kid
        - typ
        - alg
    PushNotificationVerification:
      description: Push notification challenge response object for an app authenticator
      type: object
      properties:
        challengeResponse:
          type: string
          description: |
            JWT issued by the app authenticator at the time of push notification verification

            This based64-encoded JWT consists of a [JWT header](/openapi/okta-myaccount/myaccount/tag/AppAuthenticator/#tag/AppAuthenticator/schema/PushNotificationChallengeResponseJwtHeader)
            and a [JWT payload](/openapi/okta-myaccount/myaccount/tag/AppAuthenticator/#tag/AppAuthenticator/schema/PushNotificationChallengeResponseJwt).
        method:
          type: string
          enum:
            - push
    Schema:
      title: Schema
      description: Describes a user's directory profile schema (based on UD)
      type: object
      properties:
        properties:
          type: object
          description: The properties defined in the [User Profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)
          readOnly: true
        _links:
          type: object
          description: Discoverable resources related to the user's directory profile
          properties:
            self:
              type: object
              description: Link to the resource (self)
              properties:
                href:
                  type: string
                  description: Link URI
                  format: uri
                  readOnly: true
            user:
              type: object
              description: Link to the resource (user)
              properties:
                href:
                  type: string
                  description: Link URI
                  format: uri
                  readOnly: true
    UpdateAppAuthenticatorEnrollmentRequest:
      type: object
      properties:
        methods:
          type: object
          properties:
            push:
              type: object
              properties:
                pushToken:
                  type: string
                keys:
                  type: object
                  properties:
                    userVerification:
                      $ref: '#/components/schemas/KeyObject'
                      nullable: true
                capabilities:
                  type: object
                  $ref: '#/components/schemas/AppAuthenticatorMethodCapabilities'
  securitySchemes:
    oauth2:
      type: oauth2
      description: 'Pass the access_token as the value of the Authorization header: `Authorization: Bearer {access_token}`'
      flows:
        authorizationCode:
          authorizationUrl: /oauth2/v1/authorize
          tokenUrl: /oauth2/v1/token
          scopes:
            okta.myAccount.appAuthenticator.maintenance.manage: Write access to non-sensitive attributes of user app authenticator enrollments
            okta.myAccount.appAuthenticator.maintenance.read: Read access to non-sensitive attributes of user app authenticator enrollments
            okta.myAccount.appAuthenticator.manage: Write access to user app authenticator enrollments
            okta.myAccount.appAuthenticator.read: Read access to user app authenticator enrollments
            okta.myAccount.authenticators.read: Read access to user authenticator configurations and enrollments
            okta.myAccount.email.manage: Write access to user emails
            okta.myAccount.email.read: Read access to user emails
            okta.myAccount.oktaApplications.read: Read access to the Okta apps list
            okta.myAccount.organization.read: Read access to org details
            okta.myAccount.password.manage: Write access to user password
            okta.myAccount.password.read: Read access to user password metadata
            okta.myAccount.phone.manage: Write access to user phones
            okta.myAccount.phone.read: Read access to user phones
            okta.myAccount.profile.manage: Write access to user profile and schema
            okta.myAccount.profile.read: Read access to user profile and schema
            okta.myAccount.sessions.manage: Write access to user sessions