Enforce policies on every tool call to the FusionAuth MCP API server (@fusionauth/mcp-api). 310 tools with suggested default rules, ready to customise.
This policy includes sensible default rules. Download it, adjust the limits to match your use case, and run with Intercept.
```sh
# Download policy with default rules
curl -o io-fusionauth-mcp-api.yaml https://raw.githubusercontent.com/policylayer/intercept/main/policies/io-fusionauth-mcp-api.yaml

# Run with Intercept
intercept --policy io-fusionauth-mcp-api.yaml -- npx -y @fusionauth/mcp-api
```

Server documentation: https://github.com/FusionAuth/fusionauth-mcp-api
This policy includes suggested default rules for common use cases. Adjust rate limits, add argument validation, or remove rules you don't need.
version: "1" description: "Policy for @fusionauth/mcp-api" # Set to "deny" to reject tool calls not listed below default: "allow" tools: # -- Destructive Tools ---------------------------------------- # cancelActionWithId: Cancels the user action. cancelActionWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # changePasswordWithId: Changes a user's password using the change password Id. This usually occurs after an email has been sent to the user and they clicked on a link to reset their password. As of version 1.32.2, prefer sending the changePasswordId in the request body. To do this, omit the first parameter, and set the value in the request body. changePasswordWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteAPIKeyWithId: Deletes the API key for the given Id. deleteAPIKeyWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteApplicationRoleWithId: Hard deletes an application role. This is a dangerous operation and should not be used in most circumstances. This permanently removes the given role from all users that had it. deleteApplicationRoleWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteApplicationWithId: Hard deletes an application. This is a dangerous operation and should not be used in most circumstances. This will delete the application, any registrations for that application, metrics and reports for the application, all the roles for the application, and any other data associated with the application. This operation could take a very long time, depending on the amount of data in your database. OR Deactivates the application with the given Id. deleteApplicationWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteConnectorWithId: Deletes the connector for the given Id. 
deleteConnectorWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteConsentWithId: Deletes the consent for the given Id. deleteConsentWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteEmailTemplateWithId: Deletes the email template for the given Id. deleteEmailTemplateWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteEntityGrantWithId: Deletes an Entity Grant for the given User or Entity. deleteEntityGrantWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteEntityTypePermissionWithId: Hard deletes a permission. This is a dangerous operation and should not be used in most circumstances. This permanently removes the given permission from all grants that had it. deleteEntityTypePermissionWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteEntityTypeWithId: Deletes the Entity Type for the given Id. deleteEntityTypeWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteEntityWithId: Deletes the Entity for the given Id. deleteEntityWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteFormFieldWithId: Deletes the form field for the given Id. deleteFormFieldWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteFormWithId: Deletes the form for the given Id. deleteFormWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteGroupMembersWithId: Removes users as members of a group. deleteGroupMembersWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteGroupWithId: Deletes the group for the given Id. deleteGroupWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteIdentityProviderWithId: Deletes the identity provider for the given Id. 
deleteIdentityProviderWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteIPAccessControlListWithId: Deletes the IP Access Control List for the given Id. deleteIPAccessControlListWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteJwtRefresh: Revokes refresh tokens using the information in the JSON body. The handling for this method is the same as the revokeRefreshToken method and is based on the information you provide in the RefreshDeleteRequest object. See that method for additional information. OR Revoke all refresh tokens that belong to a user by user Id for a specific application by applicationId. OR Revoke all refresh tokens that belong to a user by user Id. OR Revoke all refresh tokens that belong to an application by applicationId. OR Revokes a single refresh token by using the actual refresh token value. This refresh token value is sensitive, so be careful with this API request. OR Revokes refresh tokens. Usage examples: - Delete a single refresh token, pass in only the token. revokeRefreshToken(token) - Delete all refresh tokens for a user, pass in only the userId. revokeRefreshToken(null, userId) - Delete all refresh tokens for a user for a specific application, pass in both the userId and the applicationId. revokeRefreshToken(null, userId, applicationId) - Delete all refresh tokens for an application revokeRefreshToken(null, null, applicationId) Note: <code>null</code> may be handled differently depending upon the programming language. See also: (method names may vary by language... but you'll figure it out) - revokeRefreshTokenById - revokeRefreshTokenByToken - revokeRefreshTokensByUserId - revokeRefreshTokensByApplicationId - revokeRefreshTokensByUserIdForApplication deleteJwtRefresh: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteKeyWithId: Deletes the key for the given Id. 
deleteKeyWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteLambdaWithId: Deletes the lambda for the given Id. deleteLambdaWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteMessageTemplateWithId: Deletes the message template for the given Id. deleteMessageTemplateWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteMessengerWithId: Deletes the messenger for the given Id. deleteMessengerWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteOAuthScopeWithId: Hard deletes a custom OAuth scope. OAuth workflows that are still requesting the deleted OAuth scope may fail depending on the application's unknown scope policy. deleteOAuthScopeWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteTenantWithId: Deletes the tenant based on the given request (sent to the API as JSON). This permanently deletes all information, metrics, reports and data associated with the tenant and everything under the tenant (applications, users, etc). OR Deletes the tenant for the given Id asynchronously. This method is helpful if you do not want to wait for the delete operation to complete. OR Deletes the tenant based on the given Id on the URL. This permanently deletes all information, metrics, reports and data associated with the tenant and everything under the tenant (applications, users, etc). deleteTenantWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteThemeWithId: Deletes the theme for the given Id. deleteThemeWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteUserActionReasonWithId: Deletes the user action reason for the given Id. deleteUserActionReasonWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteUserActionWithId: Deletes the user action for the given Id. 
This permanently deletes the user action and also any history and logs of the action being applied to any users. OR Deactivates the user action with the given Id. deleteUserActionWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteUserBulk: Deletes the users with the given Ids, or users matching the provided JSON query or queryString. The order of preference is Ids, query and then queryString, it is recommended to only provide one of the three for the request. This method can be used to deactivate or permanently delete (hard-delete) users based upon the hardDelete boolean in the request body. Using the dryRun parameter you may also request the result of the action without actually deleting or deactivating any users. OR Deactivates the users with the given Ids. deleteUserBulk: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteUserLinkWithId: Remove an existing link that has been made from a 3rd party identity provider to a FusionAuth user. deleteUserLinkWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteUserRegistrationWithId: Deletes the user registration for the given user and application along with the given JSON body that contains the event information. OR Deletes the user registration for the given user and application. deleteUserRegistrationWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteUserTwoFactorWithId: Disable two-factor authentication for a user using a JSON body rather than URL parameters. OR Disable two-factor authentication for a user. deleteUserTwoFactorWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteUserWithId: Deletes the user based on the given request (sent to the API as JSON). This permanently deletes all information, metrics, reports and data associated with the user. OR Deletes the user for the given Id. 
This permanently deletes all information, metrics, reports and data associated with the user. OR Deactivates the user with the given Id. deleteUserWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteWebAuthnCredentialWithId: Deletes the WebAuthn credential for the given Id. deleteWebAuthnCredentialWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # deleteWebhookWithId: Deletes the webhook for the given Id. deleteWebhookWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # forgotPasswordWithId: Begins the forgot password sequence, which kicks off an email to the user so that they can reset their password. forgotPasswordWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # reindexWithId: Requests Elasticsearch to delete and rebuild the index for FusionAuth users or entities. Be very careful when running this request as it will increase the CPU and I/O load on your database until the operation completes. Generally speaking you do not ever need to run this operation unless instructed by FusionAuth support, or if you are migrating a database another system and you are not brining along the Elasticsearch index. You have been warned. reindexWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # removeUserFromFamilyWithId: Removes a user from the family with the given Id. removeUserFromFamilyWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # revokeRefreshTokenByIdWithId: Revokes a single refresh token by the unique Id. The unique Id is not sensitive as it cannot be used to obtain another JWT. revokeRefreshTokenByIdWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # revokeUserConsentWithId: Revokes a single User consent by Id. 
revokeUserConsentWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" # -- Execute Tools ---------------------------------------- # startIdentityProviderLoginWithId: Begins a login request for a 3rd party login that requires user interaction such as HYPR. startIdentityProviderLoginWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true # startPasswordlessLoginWithId: Start a passwordless login request by generating a passwordless code. This code can be sent to the User using the Send Passwordless Code API or using a mechanism outside of FusionAuth. The passwordless login is completed by using the Passwordless Login API with this code. startPasswordlessLoginWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true # startTwoFactorLoginWithId: Start a Two-Factor login request by generating a two-factor identifier. This code can then be sent to the Two Factor Send API (/api/two-factor/send)in order to send a one-time use code to a user. You can also use one-time use code returned to send the code out-of-band. The Two-Factor login is completed by making a request to the Two-Factor Login API (/api/two-factor/login). with the two-factor identifier and the one-time use code. This API is intended to allow you to begin a Two-Factor login outside a normal login that originated from the Login API (/api/login). startTwoFactorLoginWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true # startVerifyIdentityWithId: Start a verification of an identity by generating a code. This code can be sent to the User using the Verify Send API Verification Code API or using a mechanism outside of FusionAuth. The verification is completed by using the Verify Complete API with this code. 
startVerifyIdentityWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true # startWebAuthnLoginWithId: Start a WebAuthn authentication ceremony by generating a new challenge for the user startWebAuthnLoginWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true # startWebAuthnRegistrationWithId: Start a WebAuthn registration ceremony by generating a new challenge for the user startWebAuthnRegistrationWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true # -- Write Tools ---------------------------------------- # actionUserWithId: Takes an action on a user. The user being actioned is called the "actionee" and the user taking the action is called the "actioner". Both user ids are required in the request object. actionUserWithId: rules: - action: allow rate_limit: 30/hour # activateReactorWithId: Activates the FusionAuth Reactor using a license Id and optionally a license text (for air-gapped deployments) activateReactorWithId: rules: - action: allow rate_limit: 30/hour # approveDeviceWithId: Approve a device grant. approveDeviceWithId: rules: - action: allow rate_limit: 30/hour # commentOnUserWithId: Adds a comment to the user's account. commentOnUserWithId: rules: - action: allow rate_limit: 30/hour # completeVerifyIdentityWithId: Completes verification of an identity using verification codes from the Verify Start API. 
completeVerifyIdentityWithId: rules: - action: allow rate_limit: 30/hour # completeWebAuthnAssertionWithId: Complete a WebAuthn authentication ceremony by validating the signature against the previously generated challenge without logging the user in completeWebAuthnAssertionWithId: rules: - action: allow rate_limit: 30/hour # completeWebAuthnLoginWithId: Complete a WebAuthn authentication ceremony by validating the signature against the previously generated challenge and then login the user in completeWebAuthnLoginWithId: rules: - action: allow rate_limit: 30/hour # completeWebAuthnRegistrationWithId: Complete a WebAuthn registration ceremony by validating the client request and saving the new credential completeWebAuthnRegistrationWithId: rules: - action: allow rate_limit: 30/hour # createAPIKey: Creates an API key. You can optionally specify a unique Id for the key, if not provided one will be generated. an API key can only be created with equal or lesser authority. An API key cannot create another API key unless it is granted to that API key. If an API key is locked to a tenant, it can only create API Keys for that same tenant. createAPIKey: rules: - action: allow rate_limit: 30/hour # createAPIKeyWithId: Creates an API key. You can optionally specify a unique Id for the key, if not provided one will be generated. an API key can only be created with equal or lesser authority. An API key cannot create another API key unless it is granted to that API key. If an API key is locked to a tenant, it can only create API Keys for that same tenant. createAPIKeyWithId: rules: - action: allow rate_limit: 30/hour # createApplication: Creates an application. You can optionally specify an Id for the application, if not provided one will be generated. createApplication: rules: - action: allow rate_limit: 30/hour # createApplicationRole: Creates a new role for an application. You must specify the Id of the application you are creating the role for. 
You can optionally specify an Id for the role inside the ApplicationRole object itself, if not provided one will be generated. createApplicationRole: rules: - action: allow rate_limit: 30/hour # createApplicationRoleWithId: Creates a new role for an application. You must specify the Id of the application you are creating the role for. You can optionally specify an Id for the role inside the ApplicationRole object itself, if not provided one will be generated. createApplicationRoleWithId: rules: - action: allow rate_limit: 30/hour # createApplicationWithId: Creates an application. You can optionally specify an Id for the application, if not provided one will be generated. createApplicationWithId: rules: - action: allow rate_limit: 30/hour # createAuditLogWithId: Creates an audit log with the message and user name (usually an email). Audit logs should be written anytime you make changes to the FusionAuth database. When using the FusionAuth App web interface, any changes are automatically written to the audit log. However, if you are accessing the API, you must write the audit logs yourself. createAuditLogWithId: rules: - action: allow rate_limit: 30/hour # createConnector: Creates a connector. You can optionally specify an Id for the connector, if not provided one will be generated. createConnector: rules: - action: allow rate_limit: 30/hour # createConnectorWithId: Creates a connector. You can optionally specify an Id for the connector, if not provided one will be generated. createConnectorWithId: rules: - action: allow rate_limit: 30/hour # createConsent: Creates a user consent type. You can optionally specify an Id for the consent type, if not provided one will be generated. createConsent: rules: - action: allow rate_limit: 30/hour # createConsentWithId: Creates a user consent type. You can optionally specify an Id for the consent type, if not provided one will be generated. 
createConsentWithId: rules: - action: allow rate_limit: 30/hour # createEmailTemplate: Creates an email template. You can optionally specify an Id for the template, if not provided one will be generated. createEmailTemplate: rules: - action: allow rate_limit: 30/hour # createEmailTemplateWithId: Creates an email template. You can optionally specify an Id for the template, if not provided one will be generated. createEmailTemplateWithId: rules: - action: allow rate_limit: 30/hour # createEntity: Creates an Entity. You can optionally specify an Id for the Entity. If not provided one will be generated. createEntity: rules: - action: allow rate_limit: 30/hour # createEntityType: Creates a Entity Type. You can optionally specify an Id for the Entity Type, if not provided one will be generated. createEntityType: rules: - action: allow rate_limit: 30/hour # createEntityTypePermission: Creates a new permission for an entity type. You must specify the Id of the entity type you are creating the permission for. You can optionally specify an Id for the permission inside the EntityTypePermission object itself, if not provided one will be generated. createEntityTypePermission: rules: - action: allow rate_limit: 30/hour # createEntityTypePermissionWithId: Creates a new permission for an entity type. You must specify the Id of the entity type you are creating the permission for. You can optionally specify an Id for the permission inside the EntityTypePermission object itself, if not provided one will be generated. createEntityTypePermissionWithId: rules: - action: allow rate_limit: 30/hour # createEntityTypeWithId: Creates a Entity Type. You can optionally specify an Id for the Entity Type, if not provided one will be generated. createEntityTypeWithId: rules: - action: allow rate_limit: 30/hour # createEntityWithId: Creates an Entity. You can optionally specify an Id for the Entity. If not provided one will be generated. 
createEntityWithId: rules: - action: allow rate_limit: 30/hour # createFamily: Creates a family with the user Id in the request as the owner and sole member of the family. You can optionally specify an Id for the family, if not provided one will be generated. createFamily: rules: - action: allow rate_limit: 30/hour # createFamilyWithId: Creates a family with the user Id in the request as the owner and sole member of the family. You can optionally specify an Id for the family, if not provided one will be generated. createFamilyWithId: rules: - action: allow rate_limit: 30/hour # createForm: Creates a form. You can optionally specify an Id for the form, if not provided one will be generated. createForm: rules: - action: allow rate_limit: 30/hour # createFormField: Creates a form field. You can optionally specify an Id for the form, if not provided one will be generated. createFormField: rules: - action: allow rate_limit: 30/hour # createFormFieldWithId: Creates a form field. You can optionally specify an Id for the form, if not provided one will be generated. createFormFieldWithId: rules: - action: allow rate_limit: 30/hour # createFormWithId: Creates a form. You can optionally specify an Id for the form, if not provided one will be generated. createFormWithId: rules: - action: allow rate_limit: 30/hour # createGroup: Creates a group. You can optionally specify an Id for the group, if not provided one will be generated. createGroup: rules: - action: allow rate_limit: 30/hour # createGroupMembersWithId: Creates a member in a group. createGroupMembersWithId: rules: - action: allow rate_limit: 30/hour # createGroupWithId: Creates a group. You can optionally specify an Id for the group, if not provided one will be generated. createGroupWithId: rules: - action: allow rate_limit: 30/hour # createIdentityProvider: Creates an identity provider. You can optionally specify an Id for the identity provider, if not provided one will be generated. 
createIdentityProvider: rules: - action: allow rate_limit: 30/hour # createIdentityProviderWithId: Creates an identity provider. You can optionally specify an Id for the identity provider, if not provided one will be generated. createIdentityProviderWithId: rules: - action: allow rate_limit: 30/hour # createIntrospect: Inspect an access token issued as the result of the Client Credentials Grant. OR Inspect an access token issued as the result of the User based grant such as the Authorization Code Grant, Implicit Grant, the User Credentials Grant or the Refresh Grant. createIntrospect: rules: - action: allow rate_limit: 30/hour # createIPAccessControlList: Creates an IP Access Control List. You can optionally specify an Id on this create request, if one is not provided one will be generated. createIPAccessControlList: rules: - action: allow rate_limit: 30/hour # createIPAccessControlListWithId: Creates an IP Access Control List. You can optionally specify an Id on this create request, if one is not provided one will be generated. createIPAccessControlListWithId: rules: - action: allow rate_limit: 30/hour # createLambda: Creates a Lambda. You can optionally specify an Id for the lambda, if not provided one will be generated. createLambda: rules: - action: allow rate_limit: 30/hour # createLambdaWithId: Creates a Lambda. You can optionally specify an Id for the lambda, if not provided one will be generated. createLambdaWithId: rules: - action: allow rate_limit: 30/hour # createLogout: The Logout API is intended to be used to remove the refresh token and access token cookies if they exist on the client and revoke the refresh token stored. This API takes the refresh token in the JSON body. OR The Logout API is intended to be used to remove the refresh token and access token cookies if they exist on the client and revoke the refresh token stored. This API does nothing if the request does not contain an access token or refresh token cookies. 
createLogout: rules: - action: allow rate_limit: 30/hour # createMessageTemplate: Creates an message template. You can optionally specify an Id for the template, if not provided one will be generated. createMessageTemplate: rules: - action: allow rate_limit: 30/hour # createMessageTemplateWithId: Creates an message template. You can optionally specify an Id for the template, if not provided one will be generated. createMessageTemplateWithId: rules: - action: allow rate_limit: 30/hour # createMessenger: Creates a messenger. You can optionally specify an Id for the messenger, if not provided one will be generated. createMessenger: rules: - action: allow rate_limit: 30/hour # createMessengerWithId: Creates a messenger. You can optionally specify an Id for the messenger, if not provided one will be generated. createMessengerWithId: rules: - action: allow rate_limit: 30/hour # createOAuthScope: Creates a new custom OAuth scope for an application. You must specify the Id of the application you are creating the scope for. You can optionally specify an Id for the OAuth scope on the URL, if not provided one will be generated. createOAuthScope: rules: - action: allow rate_limit: 30/hour # createOAuthScopeWithId: Creates a new custom OAuth scope for an application. You must specify the Id of the application you are creating the scope for. You can optionally specify an Id for the OAuth scope on the URL, if not provided one will be generated. createOAuthScopeWithId: rules: - action: allow rate_limit: 30/hour # createTenant: Creates a tenant. You can optionally specify an Id for the tenant, if not provided one will be generated. createTenant: rules: - action: allow rate_limit: 30/hour # createTenantWithId: Creates a tenant. You can optionally specify an Id for the tenant, if not provided one will be generated. createTenantWithId: rules: - action: allow rate_limit: 30/hour # createTheme: Creates a Theme. 
You can optionally specify an Id for the theme, if not provided one will be generated. createTheme: rules: - action: allow rate_limit: 30/hour # createThemeWithId: Creates a Theme. You can optionally specify an Id for the theme, if not provided one will be generated. createThemeWithId: rules: - action: allow rate_limit: 30/hour # createToken: Exchange User Credentials for a Token. If you will be using the Resource Owner Password Credential Grant, you will make a request to the Token endpoint to exchange the user’s email and password for an access token. OR Exchange a Refresh Token for an Access Token. If you will be using the Refresh Token Grant, you will make a request to the Token endpoint to exchange the user’s refresh token for an access token. OR Exchanges an OAuth authorization code and code_verifier for an access token. Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint and a code_verifier for an access token. OR Exchanges an OAuth authorization code for an access token. Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint for an access token. OR Make a Client Credentials grant request to obtain an access token. createToken: rules: - action: allow rate_limit: 30/hour # createUser: Creates a user. You can optionally specify an Id for the user, if not provided one will be generated. createUser: rules: - action: allow rate_limit: 30/hour # createUserAction: Creates a user action. This action cannot be taken on a user until this call successfully returns. Anytime after that the user action can be applied to any user. createUserAction: rules: - action: allow rate_limit: 30/hour # createUserActionReason: Creates a user reason. This user action reason cannot be used when actioning a user until this call completes successfully. Anytime after that the user action reason can be used. 
createUserActionReason: rules: - action: allow rate_limit: 30/hour # createUserActionReasonWithId: Creates a user reason. This user action reason cannot be used when actioning a user until this call completes successfully. Anytime after that the user action reason can be used. createUserActionReasonWithId: rules: - action: allow rate_limit: 30/hour # createUserActionWithId: Creates a user action. This action cannot be taken on a user until this call successfully returns. Anytime after that the user action can be applied to any user. createUserActionWithId: rules: - action: allow rate_limit: 30/hour # createUserChangePassword: Changes a user's password using their access token (JWT) instead of the changePasswordId A common use case for this method will be if you want to allow the user to change their own password. Remember to send refreshToken in the request body if you want to get a new refresh token when login using the returned oneTimePassword. OR Changes a user's password using their identity (loginId and password). Using a loginId instead of the changePasswordId bypasses the email verification and allows a password to be changed directly without first calling the #forgotPassword method. createUserChangePassword: rules: - action: allow rate_limit: 30/hour # createUserConsent: Creates a single User consent. createUserConsent: rules: - action: allow rate_limit: 30/hour # createUserConsentWithId: Creates a single User consent. createUserConsentWithId: rules: - action: allow rate_limit: 30/hour # createUserLinkWithId: Link an external user from a 3rd party identity provider to a FusionAuth user. createUserLinkWithId: rules: - action: allow rate_limit: 30/hour # createUserVerifyEmail: Administratively verify a user's email address. Use this method to bypass email verification for the user. The request body will contain the userId to be verified. An API key is required when sending the userId in the request body. OR Confirms a user's email address. 
The request body will contain the verificationId. You may also be required to send a one-time use code based upon your configuration. When the tenant is configured to gate a user until their email address is verified, this procedures requires two values instead of one. The verificationId is a high entropy value and the one-time use code is a low entropy value that is easily entered in a user interactive form. The two values together are able to confirm a user's email address and mark the user's email address as verified. createUserVerifyEmail: rules: - action: allow rate_limit: 30/hour # createUserWithId: Creates a user. You can optionally specify an Id for the user, if not provided one will be generated. createUserWithId: rules: - action: allow rate_limit: 30/hour # createWebhook: Creates a webhook. You can optionally specify an Id for the webhook, if not provided one will be generated. createWebhook: rules: - action: allow rate_limit: 30/hour # createWebhookWithId: Creates a webhook. You can optionally specify an Id for the webhook, if not provided one will be generated. createWebhookWithId: rules: - action: allow rate_limit: 30/hour # enableTwoFactorWithId: Enable two-factor authentication for a user. enableTwoFactorWithId: rules: - action: allow rate_limit: 30/hour # exchangeRefreshTokenForJWTWithId: Exchange a refresh token for a new JWT. exchangeRefreshTokenForJWTWithId: rules: - action: allow rate_limit: 30/hour # generateKey: Generate a new RSA or EC key pair or an HMAC secret. generateKey: rules: - action: allow rate_limit: 30/hour # generateKeyWithId: Generate a new RSA or EC key pair or an HMAC secret. generateKeyWithId: rules: - action: allow rate_limit: 30/hour # generateTwoFactorRecoveryCodesWithId: Generate two-factor recovery codes for a user. Generating two-factor recovery codes will invalidate any existing recovery codes. 
  generateTwoFactorRecoveryCodesWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # generateTwoFactorSecretUsingJWTWithId: Generate a Two Factor secret that can be used to enable Two Factor authentication for a User. The response will contain both the secret and a Base32 encoded form of the secret which can be shown to a User when using a 2 Step Authentication application such as Google Authenticator.
  generateTwoFactorSecretUsingJWTWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # identityProviderLoginWithId: Handles login via third-parties including Social login, external OAuth and OpenID Connect, and other login systems.
  identityProviderLoginWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # importKey: Import an existing RSA or EC key pair or an HMAC secret.
  importKey:
    rules:
      - action: allow
        rate_limit: 30/hour
  # importKeyWithId: Import an existing RSA or EC key pair or an HMAC secret.
  importKeyWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # importRefreshTokensWithId: Bulk imports refresh tokens. This request performs minimal validation and runs batch inserts of refresh tokens with the expectation that each token represents a user that already exists and is registered for the corresponding FusionAuth Application. This is done to increase the insert performance. Therefore, if you encounter an error due to a database key violation, the response will likely offer a generic explanation. If you encounter an error, you may optionally enable additional validation to receive a JSON response body with specific validation errors. This will slow the request down but will allow you to identify the cause of the failure. See the validateDbConstraints request parameter.
  importRefreshTokensWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # importUsersWithId: Bulk imports users.
  # This request performs minimal validation and runs batch inserts of users with the expectation that each user does not yet exist and each registration corresponds to an existing FusionAuth Application. This is done to increase the insert performance. Therefore, if you encounter an error due to a database key violation, the response will likely offer a generic explanation. If you encounter an error, you may optionally enable additional validation to receive a JSON response body with specific validation errors. This will slow the request down but will allow you to identify the cause of the failure. See the validateDbConstraints request parameter.
  importUsersWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # importWebAuthnCredentialWithId: Import a WebAuthn credential.
  importWebAuthnCredentialWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # issueJWTWithId: Issue a new access token (JWT) for the requested Application after ensuring the provided JWT is valid. A valid access token is properly signed and not expired. This API may be used in an SSO configuration to issue new tokens for another application after the user has obtained a valid token from authentication.
  issueJWTWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # loginPingWithId: Sends a ping to FusionAuth indicating that the user was automatically logged into an application. When using FusionAuth's SSO or your own, you should call this if the user is already logged in centrally, but accesses an application where they no longer have a session. This helps correctly track login counts, times and helps with reporting.
  loginPingWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # loginPingWithRequestWithId: Sends a ping to FusionAuth indicating that the user was automatically logged into an application. When using FusionAuth's SSO or your own, you should call this if the user is already logged in centrally, but accesses an application where they no longer have a session.
  # This helps correctly track login counts, times and helps with reporting.
  loginPingWithRequestWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # loginWithId: Authenticates a user to FusionAuth. This API optionally requires an API key. See Application.loginConfiguration.requireAuthentication.
  loginWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # modifyActionWithId: Modifies a temporal user action by changing the expiration of the action and optionally adding a comment to the action.
  modifyActionWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # passwordlessLoginWithId: Complete a login request using a passwordless code.
  passwordlessLoginWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchAPIKeyWithId: Updates an API key with the given Id.
  patchAPIKeyWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchApplicationRoleWithId: Updates, via PATCH, the application role with the given Id for the application.
  patchApplicationRoleWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchApplicationWithId: Updates, via PATCH, the application with the given Id.
  patchApplicationWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchConnectorWithId: Updates, via PATCH, the connector with the given Id.
  patchConnectorWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchConsentWithId: Updates, via PATCH, the consent with the given Id.
  patchConsentWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchEmailTemplateWithId: Updates, via PATCH, the email template with the given Id.
  patchEmailTemplateWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchEntityTypePermissionWithId: Patches the permission with the given Id for the entity type.
  patchEntityTypePermissionWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchEntityTypeWithId: Updates, via PATCH, the Entity Type with the given Id.
  patchEntityTypeWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchEntityWithId: Updates, via PATCH, the Entity with the given Id.
  patchEntityWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchFormFieldWithId: Patches the form field with the given Id.
  patchFormFieldWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchFormWithId: Patches the form with the given Id.
  patchFormWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchGroupWithId: Updates, via PATCH, the group with the given Id.
  patchGroupWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchIdentityProviderWithId: Updates, via PATCH, the identity provider with the given Id.
  patchIdentityProviderWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchIntegrationsWithId: Updates, via PATCH, the available integrations.
  patchIntegrationsWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchIPAccessControlListWithId: Update the IP Access Control List with the given Id.
  patchIPAccessControlListWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchLambdaWithId: Updates, via PATCH, the lambda with the given Id.
  patchLambdaWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchMessageTemplateWithId: Updates, via PATCH, the message template with the given Id.
  patchMessageTemplateWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchMessengerWithId: Updates, via PATCH, the messenger with the given Id.
  patchMessengerWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchOAuthScopeWithId: Updates, via PATCH, the custom OAuth scope with the given Id for the application.
  patchOAuthScopeWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchRegistrationWithId: Updates, via PATCH, the registration for the user with the given Id and the application defined in the request.
  patchRegistrationWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchSystemConfigurationWithId: Updates, via PATCH, the system configuration.
  patchSystemConfigurationWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchTenantWithId: Updates, via PATCH, the tenant with the given Id.
  patchTenantWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchThemeWithId: Updates, via PATCH, the theme with the given Id.
  patchThemeWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchUserActionReasonWithId: Updates, via PATCH, the user action reason with the given Id.
  patchUserActionReasonWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchUserActionWithId: Updates, via PATCH, the user action with the given Id.
  patchUserActionWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchUserConsentWithId: Updates, via PATCH, a single User consent by Id.
  patchUserConsentWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchUserWithId: Updates, via PATCH, the user with the given Id.
  patchUserWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # patchWebhookWithId: Patches the webhook with the given Id.
  patchWebhookWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # reconcileJWTWithId: Reconcile a User to FusionAuth using a JWT issued from another Identity Provider.
  reconcileJWTWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # register: Registers a user for an application. If you provide the User and the UserRegistration object on this request, it will create the user as well as register them for the application. This is called a Full Registration. However, if you only provide the UserRegistration object, then the user must already exist and they will be registered for the application. The user Id can also be provided and it will either be used to look up an existing user or it will be used for the newly created User.
  register:
    rules:
      - action: allow
        rate_limit: 30/hour
  # registerWithId: Registers a user for an application. If you provide the User and the UserRegistration object on this request, it will create the user as well as register them for the application. This is called a Full Registration. However, if you only provide the UserRegistration object, then the user must already exist and they will be registered for the application.
  # The user Id can also be provided and it will either be used to look up an existing user or it will be used for the newly created User.
  registerWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # sendEmailWithId: Send an email using an email template Id. You can optionally provide requestData to access key value pairs in the email template.
  sendEmailWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # sendFamilyRequestEmailWithId: Sends out an email to a parent that they need to register and create a family or need to log in and add a child to their existing family.
  sendFamilyRequestEmailWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # sendPasswordlessCodeWithId: Send a passwordless authentication code in an email to complete login.
  sendPasswordlessCodeWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # sendTwoFactorCodeForEnableDisableWithId: Send a Two Factor authentication code to assist in setting up or disabling Two Factor authentication.
  sendTwoFactorCodeForEnableDisableWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # sendTwoFactorCodeForLoginUsingMethodWithId: Send a Two Factor authentication code to allow the completion of Two Factor authentication.
  sendTwoFactorCodeForLoginUsingMethodWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # sendVerifyIdentityWithId: Send a verification code using the appropriate transport for the identity type being verified.
  sendVerifyIdentityWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # twoFactorLoginWithId: Complete login using a 2FA challenge.
  twoFactorLoginWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateAPIKeyWithId: Updates an API key with the given Id.
  updateAPIKeyWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateApplicationRoleWithId: Updates the application role with the given Id for the application.
  updateApplicationRoleWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateApplicationWithId: Updates the application with the given Id.
  # OR Reactivates the application with the given Id.
  updateApplicationWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateConnectorWithId: Updates the connector with the given Id.
  updateConnectorWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateConsentWithId: Updates the consent with the given Id.
  updateConsentWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateEmailTemplateWithId: Updates the email template with the given Id.
  updateEmailTemplateWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateEntityTypePermissionWithId: Updates the permission with the given Id for the entity type.
  updateEntityTypePermissionWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateEntityTypeWithId: Updates the Entity Type with the given Id.
  updateEntityTypeWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateEntityWithId: Updates the Entity with the given Id.
  updateEntityWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateFormFieldWithId: Updates the form field with the given Id.
  updateFormFieldWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateFormWithId: Updates the form with the given Id.
  updateFormWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateGroupMembersWithId: Creates a member in a group.
  updateGroupMembersWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateGroupWithId: Updates the group with the given Id.
  updateGroupWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateIdentityProviderWithId: Updates the identity provider with the given Id.
  updateIdentityProviderWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateIntegrationsWithId: Updates the available integrations.
  updateIntegrationsWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateIPAccessControlListWithId: Updates the IP Access Control List with the given Id.
  updateIPAccessControlListWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateKeyWithId: Updates the key with the given Id.
  updateKeyWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateLambdaWithId: Updates the lambda with the given Id.
  updateLambdaWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateMessageTemplateWithId: Updates the message template with the given Id.
  updateMessageTemplateWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateMessengerWithId: Updates the messenger with the given Id.
  updateMessengerWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateOAuthScopeWithId: Updates the OAuth scope with the given Id for the application.
  updateOAuthScopeWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateRegistrationWithId: Updates the registration for the user with the given Id and the application defined in the request.
  updateRegistrationWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateSystemConfigurationWithId: Updates the system configuration.
  updateSystemConfigurationWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateTenantWithId: Updates the tenant with the given Id.
  updateTenantWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateThemeWithId: Updates the theme with the given Id.
  updateThemeWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateUserActionReasonWithId: Updates the user action reason with the given Id.
  updateUserActionReasonWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateUserActionWithId: Updates the user action with the given Id.
  # OR Reactivates the user action with the given Id.
  updateUserActionWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateUserConsentWithId: Updates a single User consent by Id.
  updateUserConsentWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateUserFamilyWithId: Updates a family with a given Id.
  # OR Adds a user to an existing family. The family Id must be specified.
  updateUserFamilyWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateUserVerifyEmail: Re-sends the verification email to the user.
  # If the Application has configured a specific email template this will be used instead of the tenant configuration.
  # OR Re-sends the verification email to the user.
  # OR Generate a new Email Verification Id to be used with the Verify Email API. This API will not attempt to send an email to the User. This API may be used to collect the verificationId for use with a third party system.
  updateUserVerifyEmail:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateUserVerifyRegistration: Re-sends the application registration verification email to the user.
  # OR Generate a new Application Registration Verification Id to be used with the Verify Registration API. This API will not attempt to send an email to the User. This API may be used to collect the verificationId for use with a third party system.
  updateUserVerifyRegistration:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateUserWithId: Updates the user with the given Id.
  # OR Reactivates the user with the given Id.
  updateUserWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # updateWebhookWithId: Updates the webhook with the given Id.
  updateWebhookWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # upsertEntityGrantWithId: Creates or updates an Entity Grant. This is when a User/Entity is granted permissions to an Entity.
  upsertEntityGrantWithId:
    rules:
      - action: allow
        rate_limit: 30/hour
  # vendJWTWithId: It's a JWT vending machine! Issue a new access token (JWT) with the provided claims in the request. This JWT is not scoped to a tenant or user; it is a free form token that will contain what claims you provide. The iat, exp and jti claims will be added by FusionAuth; all other claims must be provided by the caller. If a TTL is not provided in the request, the TTL will be retrieved from the default Tenant or the Tenant specified on the request either by way of the X-FusionAuth-TenantId request header, or a tenant scoped API key.
  vendJWTWithId:
    rules:
      - action: allow
        rate_limit: 30/hour

  # -- Read Tools ----------------------------------------

  # checkChangePasswordUsingIdWithId: Check to see if the user must obtain a Trust Token Id in order to complete a change password request. When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change your password, you must obtain a Trust Token by completing a Two-Factor Step-Up authentication. An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
  checkChangePasswordUsingIdWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # lookupIdentityProviderWithId: Retrieves the identity provider for the given domain. A 200 response code indicates the domain is managed by a registered identity provider. A 404 indicates the domain is not managed.
  lookupIdentityProviderWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveActionWithId: Retrieves a single action log (the log of a user action that was taken on a user previously) for the given Id.
  retrieveActionWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveAPIKeyWithId: Retrieves an authentication API key for the given Id.
  retrieveAPIKeyWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveApplication: Retrieves all the applications that are currently inactive.
  # OR Retrieves the application for the given Id or all the applications if the Id is null.
  retrieveApplication:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveApplicationWithId: Retrieves the application for the given Id or all the applications if the Id is null.
  retrieveApplicationWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveAuditLogWithId: Retrieves a single audit log for the given Id.
  retrieveAuditLogWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveConnectorWithId: Retrieves the connector with the given Id.
  retrieveConnectorWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveConsentWithId: Retrieves the Consent for the given Id.
  retrieveConsentWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveDailyActiveReportWithId: Retrieves the daily active user report between the two instants. If you specify an application Id, it will only return the daily active counts for that application.
  retrieveDailyActiveReportWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveDeviceUserCode: Retrieve a user_code that is part of an in-progress Device Authorization Grant. This API is useful if you want to build your own login workflow to complete a device grant. This request will require an API key.
  # OR Retrieve a user_code that is part of an in-progress Device Authorization Grant. This API is useful if you want to build your own login workflow to complete a device grant.
  retrieveDeviceUserCode:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveEmailTemplate: Retrieves the email template for the given Id. If you don't specify the Id, this will return all the email templates.
  retrieveEmailTemplate:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveEmailTemplatePreviewWithId: Creates a preview of the email template provided in the request. This allows you to preview an email template that hasn't been saved to the database yet. The entire email template does not need to be provided on the request. This will create the preview based on whatever is given.
  retrieveEmailTemplatePreviewWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveEmailTemplateWithId: Retrieves the email template for the given Id. If you don't specify the Id, this will return all the email templates.
  retrieveEmailTemplateWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveEntityGrantWithId: Retrieves an Entity Grant for the given Entity and User/Entity.
  retrieveEntityGrantWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveEntityTypeWithId: Retrieves the Entity Type for the given Id.
  retrieveEntityTypeWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveEntityWithId: Retrieves the Entity for the given Id.
  retrieveEntityWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveEventLogWithId: Retrieves a single event log for the given Id.
  retrieveEventLogWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveFamiliesWithId: Retrieves all the families that a user belongs to.
  retrieveFamiliesWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveFamilyMembersByFamilyIdWithId: Retrieves all the members of a family by the unique Family Id.
  retrieveFamilyMembersByFamilyIdWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveFormFieldWithId: Retrieves the form field with the given Id.
  retrieveFormFieldWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveFormWithId: Retrieves the form with the given Id.
  retrieveFormWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveGroupWithId: Retrieves the group for the given Id.
  retrieveGroupWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveIdentityProviderByTypeWithId: Retrieves one or more identity providers for the given type. For types such as Google, Facebook, Twitter and LinkedIn, only a single identity provider can exist. For types such as OpenID Connect and SAMLv2 more than one identity provider can be configured, so this request may return multiple identity providers.
  retrieveIdentityProviderByTypeWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveIdentityProviderLink: Retrieve all Identity Provider users (links) for the user. Specify the optional identityProviderId to retrieve links for a particular IdP.
  # OR Retrieve a single Identity Provider user (link).
  retrieveIdentityProviderLink:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveIdentityProviderWithId: Retrieves the identity provider for the given Id or all the identity providers if the Id is null.
  retrieveIdentityProviderWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveIPAccessControlListWithId: Retrieves the IP Access Control List with the given Id.
  retrieveIPAccessControlListWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveJsonWebKeySetWithId: Returns public keys used by FusionAuth to cryptographically verify JWTs using the JSON Web Key format.
  retrieveJsonWebKeySetWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveJwtPublicKey: Retrieves the Public Key configured for verifying the JSON Web Tokens (JWT) issued by the Login API by the Application Id.
  # OR Retrieves the Public Key configured for verifying JSON Web Tokens (JWT) by the key Id (kid).
  retrieveJwtPublicKey:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveKeysWithId: Retrieves all the keys.
  retrieveKeysWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveKeyWithId: Retrieves the key for the given Id.
  retrieveKeyWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveLambdasByTypeWithId: Retrieves all the lambdas for the provided type.
  retrieveLambdasByTypeWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveLambdaWithId: Retrieves the lambda for the given Id.
  retrieveLambdaWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveMessageTemplate: Retrieves the message template for the given Id. If you don't specify the Id, this will return all the message templates.
  retrieveMessageTemplate:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveMessageTemplatePreviewWithId: Creates a preview of the message template provided in the request, normalized to a given locale.
  retrieveMessageTemplatePreviewWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveMessageTemplateWithId: Retrieves the message template for the given Id. If you don't specify the Id, this will return all the message templates.
  retrieveMessageTemplateWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveMessengerWithId: Retrieves the messenger with the given Id.
  retrieveMessengerWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveMonthlyActiveReportWithId: Retrieves the monthly active user report between the two instants. If you specify an application Id, it will only return the monthly active counts for that application.
  retrieveMonthlyActiveReportWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveOauthConfigurationWithId: Retrieves the OAuth2 configuration for the application for the given Application Id.
  retrieveOauthConfigurationWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveOAuthScopeWithId: Retrieves a custom OAuth scope.
  retrieveOAuthScopeWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveOpenIdConfigurationWithId: Returns the well-known OpenID Configuration JSON document.
  retrieveOpenIdConfigurationWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrievePasswordValidationRulesWithId: Retrieves the password validation rules for a specific tenant. This method requires a tenantId to be provided through the use of a Tenant scoped API key or an HTTP header X-FusionAuth-TenantId to specify the Tenant Id. This API does not require an API key.
  retrievePasswordValidationRulesWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrievePasswordValidationRulesWithTenantIdWithId: Retrieves the password validation rules for a specific tenant. This API does not require an API key.
  retrievePasswordValidationRulesWithTenantIdWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrievePendingChildrenWithId: Retrieves all the children for the given parent email address.
  retrievePendingChildrenWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrievePendingLinkWithId: Retrieve a pending identity provider link. This is useful to validate a pending link and retrieve meta-data about the identity provider link.
  retrievePendingLinkWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveReactorMetricsWithId: Retrieves the FusionAuth Reactor metrics.
  retrieveReactorMetricsWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveRefreshTokenByIdWithId: Retrieves a single refresh token by unique Id. This is not the same thing as the string value of the refresh token. If you have that, you already have what you need.
  retrieveRefreshTokenByIdWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveRefreshTokensWithId: Retrieves the refresh tokens that belong to the user with the given Id.
  retrieveRefreshTokensWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveRegistrationReportWithId: Retrieves the registration report between the two instants. If you specify an application Id, it will only return the registration counts for that application.
  retrieveRegistrationReportWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveRegistrationWithId: Retrieves the user registration for the user with the given Id and the given application Id.
  retrieveRegistrationWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveReportLogin: Retrieves the login report between the two instants for a particular user by login Id, using specific loginIdTypes. If you specify an application Id, it will only return the login counts for that application.
  # OR Retrieves the login report between the two instants for a particular user by login Id. If you specify an application Id, it will only return the login counts for that application.
  # OR Retrieves the login report between the two instants for a particular user by Id. If you specify an application Id, it will only return the login counts for that application.
  # OR Retrieves the login report between the two instants. If you specify an application Id, it will only return the login counts for that application.
  retrieveReportLogin:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveStatus: Retrieves the FusionAuth system status using an API key. Using an API key will cause the response to include the product version, health checks and various runtime metrics.
  # OR Retrieves the FusionAuth system status. This request is anonymous and does not require an API key. When an API key is not provided the response will contain a single value in the JSON response indicating the current health check.
  retrieveStatus:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveSystemHealthWithId: Retrieves the FusionAuth system health. This API will return 200 if the system is healthy, and 500 if the system is unhealthy.
  retrieveSystemHealthWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveTenantWithId: Retrieves the tenant for the given Id.
  retrieveTenantWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveThemeWithId: Retrieves the theme for the given Id.
  retrieveThemeWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveTotalReportWithId: Retrieves the totals report. This contains all the total counts for each application and the global registration count.
  retrieveTotalReportWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveTwoFactorRecoveryCodesWithId: Retrieve two-factor recovery codes for a user.
  retrieveTwoFactorRecoveryCodesWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveTwoFactorStatusWithId: Retrieve a user's two-factor status. This can be used to see if a user will need to complete a two-factor challenge to complete a login, and optionally identify the state of the two-factor trust across various applications.
  retrieveTwoFactorStatusWithId:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveUser: Retrieves the user for the given Id.
  # This method does not use an API key; instead it uses a JSON Web Token (JWT) for authentication.
  # OR Retrieves the user by a verificationId. The intended use of this API is to retrieve a user after the forgot password workflow has been initiated and you may not know the user's email or username.
  # OR Retrieves the user for the given username.
  # OR Retrieves the user for the loginId, using specific loginIdTypes.
  # OR Retrieves the user for the loginId. The loginId can be either the username or the email.
  # OR Retrieves the user for the given email.
  # OR Retrieves the user by a change password Id. The intended use of this API is to retrieve a user after the forgot password workflow has been initiated and you may not know the user's email or username.
  retrieveUser:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveUserAction: Retrieves the user action for the given Id. If you pass in null for the Id, this will return all the user actions.
  # OR Retrieves all the user actions that are currently inactive.
  retrieveUserAction:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveUserActioning: Retrieves all the actions for the user with the given Id that are currently inactive. An inactive action means one that is time based and has been canceled or has expired, or is not time based.
  # OR Retrieves all the actions for the user with the given Id that are currently active. An active action means one that is time based and has not been canceled, and has not ended.
  # OR Retrieves all the actions for the user with the given Id that are currently preventing the User from logging in.
  # OR Retrieves all the actions for the user with the given Id. This will return all time based actions that are active and inactive, as well as non-time based actions.
  retrieveUserActioning:
    rules:
      - action: allow
        rate_limit: 60/minute
  # retrieveUserActionReason: Retrieves the user action reason for the given Id. If you pass in null for the Id, this will return all the user action reasons.
retrieveUserActionReason: rules: - action: allow rate_limit: 60/minute # retrieveUserActionReasonWithId: Retrieves the user action reason for the given Id. If you pass in null for the Id, this will return all the user action reasons. retrieveUserActionReasonWithId: rules: - action: allow rate_limit: 60/minute # retrieveUserActionWithId: Retrieves the user action for the given Id. If you pass in null for the Id, this will return all the user actions. retrieveUserActionWithId: rules: - action: allow rate_limit: 60/minute # retrieveUserChangePassword: Check to see if the user must obtain a Trust Request Id in order to complete a change password request. When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change your password, you must obtain a Trust Request Id by completing a Two-Factor Step-Up authentication. An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API. OR Check to see if the user must obtain a Trust Token Id in order to complete a change password request. When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change your password, you must obtain a Trust Token by completing a Two-Factor Step-Up authentication. An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API. retrieveUserChangePassword: rules: - action: allow rate_limit: 60/minute # retrieveUserCommentsWithId: Retrieves all the comments for the user with the given Id. retrieveUserCommentsWithId: rules: - action: allow rate_limit: 60/minute # retrieveUserConsentsWithId: Retrieves all the consents for a User. retrieveUserConsentsWithId: rules: - action: allow rate_limit: 60/minute # retrieveUserConsentWithId: Retrieve a single User consent by Id. 
retrieveUserConsentWithId: rules: - action: allow rate_limit: 60/minute # retrieveUserInfoFromAccessTokenWithId: Call the UserInfo endpoint to retrieve User Claims from the access token issued by FusionAuth. retrieveUserInfoFromAccessTokenWithId: rules: - action: allow rate_limit: 60/minute # retrieveUserRecentLogin: Retrieves the last number of login records for a user. OR Retrieves the last number of login records. retrieveUserRecentLogin: rules: - action: allow rate_limit: 60/minute # retrieveUserWithId: Retrieves the user for the given Id. retrieveUserWithId: rules: - action: allow rate_limit: 60/minute # retrieveVersionWithId: Retrieves the FusionAuth version string. retrieveVersionWithId: rules: - action: allow rate_limit: 60/minute # retrieveWebAuthnCredentialsForUserWithId: Retrieves all WebAuthn credentials for the given user. retrieveWebAuthnCredentialsForUserWithId: rules: - action: allow rate_limit: 60/minute # retrieveWebAuthnCredentialWithId: Retrieves the WebAuthn credential for the given Id. retrieveWebAuthnCredentialWithId: rules: - action: allow rate_limit: 60/minute # retrieveWebhook: Retrieves the webhook for the given Id. If you pass in null for the Id, this will return all the webhooks. retrieveWebhook: rules: - action: allow rate_limit: 60/minute # retrieveWebhookAttemptLogWithId: Retrieves a single webhook attempt log for the given Id. retrieveWebhookAttemptLogWithId: rules: - action: allow rate_limit: 60/minute # retrieveWebhookEventLogWithId: Retrieves a single webhook event log for the given Id. retrieveWebhookEventLogWithId: rules: - action: allow rate_limit: 60/minute # retrieveWebhookWithId: Retrieves the webhook for the given Id. If you pass in null for the Id, this will return all the webhooks. retrieveWebhookWithId: rules: - action: allow rate_limit: 60/minute # searchApplicationsWithId: Searches applications with the specified criteria and pagination. 
searchApplicationsWithId: rules: - action: allow rate_limit: 60/minute # searchAuditLogsWithId: Searches the audit logs with the specified criteria and pagination. searchAuditLogsWithId: rules: - action: allow rate_limit: 60/minute # searchConsentsWithId: Searches consents with the specified criteria and pagination. searchConsentsWithId: rules: - action: allow rate_limit: 60/minute # searchEmailTemplatesWithId: Searches email templates with the specified criteria and pagination. searchEmailTemplatesWithId: rules: - action: allow rate_limit: 60/minute # searchEntitiesByIdsWithId: Retrieves the entities for the given Ids. If any Id is invalid, it is ignored. searchEntitiesByIdsWithId: rules: - action: allow rate_limit: 60/minute # searchEntitiesWithId: Searches entities with the specified criteria and pagination. searchEntitiesWithId: rules: - action: allow rate_limit: 60/minute # searchEntityGrantsWithId: Searches Entity Grants with the specified criteria and pagination. searchEntityGrantsWithId: rules: - action: allow rate_limit: 60/minute # searchEntityTypesWithId: Searches the entity types with the specified criteria and pagination. searchEntityTypesWithId: rules: - action: allow rate_limit: 60/minute # searchEventLogsWithId: Searches the event logs with the specified criteria and pagination. searchEventLogsWithId: rules: - action: allow rate_limit: 60/minute # searchGroupMembersWithId: Searches group members with the specified criteria and pagination. searchGroupMembersWithId: rules: - action: allow rate_limit: 60/minute # searchGroupsWithId: Searches groups with the specified criteria and pagination. searchGroupsWithId: rules: - action: allow rate_limit: 60/minute # searchIdentityProvidersWithId: Searches identity providers with the specified criteria and pagination. searchIdentityProvidersWithId: rules: - action: allow rate_limit: 60/minute # searchIPAccessControlListsWithId: Searches the IP Access Control Lists with the specified criteria and pagination. 
searchIPAccessControlListsWithId: rules: - action: allow rate_limit: 60/minute # searchKeysWithId: Searches keys with the specified criteria and pagination. searchKeysWithId: rules: - action: allow rate_limit: 60/minute # searchLambdasWithId: Searches lambdas with the specified criteria and pagination. searchLambdasWithId: rules: - action: allow rate_limit: 60/minute # searchLoginRecordsWithId: Searches the login records with the specified criteria and pagination. searchLoginRecordsWithId: rules: - action: allow rate_limit: 60/minute # searchTenantsWithId: Searches tenants with the specified criteria and pagination. searchTenantsWithId: rules: - action: allow rate_limit: 60/minute # searchThemesWithId: Searches themes with the specified criteria and pagination. searchThemesWithId: rules: - action: allow rate_limit: 60/minute # searchUserCommentsWithId: Searches user comments with the specified criteria and pagination. searchUserCommentsWithId: rules: - action: allow rate_limit: 60/minute # searchUsersByIdsWithId: Retrieves the users for the given Ids. If any Id is invalid, it is ignored. searchUsersByIdsWithId: rules: - action: allow rate_limit: 60/minute # searchUsersByQueryWithId: Retrieves the users for the given search criteria and pagination. searchUsersByQueryWithId: rules: - action: allow rate_limit: 60/minute # searchWebhookEventLogsWithId: Searches the webhook event logs with the specified criteria and pagination. searchWebhookEventLogsWithId: rules: - action: allow rate_limit: 60/minute # searchWebhooksWithId: Searches webhooks with the specified criteria and pagination. searchWebhooksWithId: rules: - action: allow rate_limit: 60/minute # validateDeviceWithId: Validates the end-user provided user_code from the user-interaction of the Device Authorization Grant. If you build your own activation form you should validate the user provided code prior to beginning the Authorization grant. 
validateDeviceWithId: rules: - action: allow rate_limit: 60/minute # validateJWTWithId: Validates the provided JWT (encoded JWT string) to ensure the token is valid. A valid access token is properly signed and not expired. <p> This API may be used to verify the JWT as well as decode the encoded JWT into human readable identity claims. validateJWTWithId: rules: - action: allow rate_limit: 60/minute # verifyIdentityWithId: Administratively verify a user identity. verifyIdentityWithId: rules: - action: allow rate_limit: 60/minute # verifyUserRegistrationWithId: Confirms a user's registration. The request body will contain the verificationId. You may also be required to send a one-time use code based upon your configuration. When the application is configured to gate a user until their registration is verified, this procedures requires two values instead of one. The verificationId is a high entropy value and the one-time use code is a low entropy value that is easily entered in a user interactive form. The two values together are able to confirm a user's registration and mark the user's registration as verified. verifyUserRegistrationWithId: rules: - action: allow rate_limit: 60/minute
Yes. The Mcp Api server exposes 40 destructive tools, including cancelActionWithId, changePasswordWithId and deleteAPIKeyWithId. These delete or irreversibly change data (hard deletes, password changes, cancelled actions) with no undo. The default rules deny every destructive tool, so Intercept rejects the call before it reaches the upstream server. Only tools listed in the policy get a deny rule; anything not listed falls through to the file's default action, so check that value before relying on the deny list alone.
The Mcp Api server has 159 write tools, including actionUserWithId, activateReactorWithId and approveDeviceWithId. Rate limits are set per tool rule in the policy file: for example, rate_limit: 10/hour on a tool's rule caps that one tool at 10 calls per hour, while the other write tools keep whatever limit their own rules set. Intercept enforces this at the transport layer, so the upstream server never sees the refused calls.
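The two answers above describe the policy semantics in words: deny rules stop a tool outright, allow rules carry a per-tool rate_limit such as 60/minute or 10/hour, and unlisted tools take the policy-wide default. The Python below is an added example, not Intercept's own code, that models those semantics so you can reason about what a given policy permits before deploying it. First-rule-wins evaluation, a sliding-window rate limiter and failing closed when default is missing are this example's assumptions; the POLICY dict mirrors the YAML shape used on this page, the tool names are real FusionAuth MCP tools, and the 10/hour limit is the example from the text.

```python
"""Stand-alone model of how a per-tool MCP policy like the one above is evaluated.

Added example, not Intercept's code: it reproduces the semantics the page describes
(deny rules with an on_deny message, allow rules with a per-tool rate_limit such as
"60/minute" or "10/hour", and a policy-wide default for tools that are not listed)
so the behaviour can be checked offline. Assumptions are marked in comments.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field

# Window lengths for the units used in the policy file ("60/minute", "10/hour").
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate_limit(spec: str) -> tuple[int, int]:
    """Turn "60/minute" into (60, 60) or "10/hour" into (10, 3600)."""
    count, sep, unit = spec.partition("/")
    unit = unit.strip().lower().rstrip("s")  # also accept "minutes", "hours"
    if sep != "/" or not count.strip().isdigit() or unit not in _UNIT_SECONDS:
        raise ValueError(f"malformed rate_limit: {spec!r}")
    return int(count), _UNIT_SECONDS[unit]


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyEnforcer:
    """Evaluates tool calls against a policy dict shaped like the YAML above."""
    policy: dict
    # Per-tool timestamps of allowed calls, used as a sliding window.
    _calls: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def evaluate(self, tool: str, now: float) -> Decision:
        rules = self.policy.get("tools", {}).get(tool, {}).get("rules", [])
        if not rules:
            # Unlisted tool: fall through to the policy-wide default. Fail closed
            # if the key is missing (assumption; the page's file sets it explicitly).
            default = self.policy.get("default", "deny")
            return Decision(default == "allow", f"not listed, default is {default}")
        # Assumption: rules are checked in order and the first one decides.
        rule = rules[0]
        if rule.get("action") != "allow":
            return Decision(False, rule.get("on_deny", "blocked by policy"))
        if "rate_limit" in rule:
            limit, window = parse_rate_limit(rule["rate_limit"])
            recent = self._calls[tool]
            while recent and now - recent[0] >= window:  # drop calls outside the window
                recent.popleft()
            if len(recent) >= limit:
                return Decision(False, f"{tool}: rate limit {rule['rate_limit']} exceeded")
            recent.append(now)
        return Decision(True, "allowed")


# Constructed policy mirroring the shape of the YAML above; tool names are real
# FusionAuth MCP tools, the 10/hour limit is the example from the text.
POLICY = {
    "version": "1",
    "default": "allow",  # set to "deny" to reject tool calls not listed below
    "tools": {
        "deleteAPIKeyWithId": {
            "rules": [{"action": "deny", "on_deny": "Destructive operation blocked by policy"}]
        },
        "retrieveUserWithId": {"rules": [{"action": "allow", "rate_limit": "60/minute"}]},
        "actionUserWithId": {"rules": [{"action": "allow", "rate_limit": "10/hour"}]},
    },
}


def simulate() -> dict:
    """Run a constructed call sequence and return what the policy decided."""
    enforcer = PolicyEnforcer(POLICY)
    t0 = 1_700_000_000.0  # constructed start time, epoch seconds
    out = {}
    out["delete_blocked"] = not enforcer.evaluate("deleteAPIKeyWithId", t0).allowed
    # 11 write calls inside one hour: only the first 10 get through.
    writes = [enforcer.evaluate("actionUserWithId", t0 + i).allowed for i in range(11)]
    out["writes_allowed_in_hour"] = sum(writes)
    # Once the oldest calls age out of the window, the tool is usable again.
    out["write_allowed_after_hour"] = enforcer.evaluate("actionUserWithId", t0 + 3601).allowed
    # Limits are per tool: exhausting actionUserWithId does not affect a read tool.
    out["read_still_allowed"] = enforcer.evaluate("retrieveUserWithId", t0 + 5).allowed
    # Tools missing from the file take the policy-wide default.
    out["unlisted_under_default_allow"] = enforcer.evaluate("someUnlistedTool", t0).allowed
    strict = PolicyEnforcer({**POLICY, "default": "deny"})
    out["unlisted_under_default_deny"] = strict.evaluate("someUnlistedTool", t0).allowed
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running it shows ten actionUserWithId calls succeeding inside an hour, the eleventh refused, the read tool unaffected by the exhausted write limit, and the unlisted tool allowed or denied purely by the default value, which is why that one key deserves the same review as the deny list.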
310 tools across 4 categories: Destructive, Execute, Read, Write. 105 are read-only and 205 can modify, create, or delete data. Read-only does not mean harmless: the default rules allow retrieveTwoFactorRecoveryCodesWithId at 60/minute, and recovery codes let whoever holds them pass the second factor, so review read tools that return secrets and deny or tighten them.
A one-line change. Instead of running the Mcp Api server directly, prefix it with Intercept: intercept -c io-fusionauth-mcp-api.yaml -- npx -y @fusionauth/mcp-api. Download a pre-built policy from policylayer.com/policies/io-fusionauth-mcp-api and adjust the limits to match your use case.
Open source. One binary. Zero dependencies.
npx -y @policylayer/intercept