Identity and Access Management API v3
Number of APIs: 96
GET https://{{host}}/identity-management/v3/user-admin/groups
This operation lists all groups the administrator can manage for the current account and contract type or other managed accounts using the accountSwitchKey parameter. The account and contract type are determined by the access tokens in your API client.
2. Groups - Create a new group
POST https://{{host}}/identity-management/v3/user-admin/groups/:groupId
This operation creates a new group within the specified parent group.
GET https://{{host}}/identity-management/v3/user-admin/groups/:groupId
This operation retrieves a group's details.
4. Groups - Modify a group's name
PUT https://{{host}}/identity-management/v3/user-admin/groups/:groupId
This operation changes a group's name.
DELETE https://{{host}}/identity-management/v3/user-admin/groups/:groupId
This operation deletes a group. You can't delete a group that contains subgroups, resources, or users with roles on that group. You need admin access to delete a group.
POST https://{{host}}/identity-management/v3/user-admin/groups/move
This operation moves a nested group under another group within the same parent hierarchy.
7. Move groups - List users affected by moving a group
GET https://{{host}}/identity-management/v3/user-admin/groups/move/:sourceGroupId/:destinationGroupId/affected-users
This operation lists users who are affected when you move a group. Users may lose or gain access to resources depending on the roles and permissions inherited from the new parent group. Users with a userType of lostAccess lose their access to the source group. If the userType is gainAccess, they gain access to the resources in the source group. Users who have inherited access to a group lose access to that group if it moves out of its hierarchy that gives them those access rights. If the group moves to another parent group to which they have access, they still have access to the group you move. Likewise, when you move a group to a new location, users who inherit their access rights from the new parent group gain access to the resources in the group you move.
8. Assets - List properties or includes
GET https://{{host}}/identity-management/v3/user-admin/properties
This operation lists the properties and includes for the current account or other managed accounts using the accountSwitchKey parameter. Include the groupId parameter in your request to filter the results by group. The response returns a list of propertyId regardless of whether they represent a property or include in PAPI. To learn more, see Manage access to properties and includes.
9. Assets - Get a property or include
GET https://{{host}}/identity-management/v3/user-admin/properties/:assetId?groupId={{groupId}}
This operation fetches a property's or include's details. The response returns details for propertyId regardless of whether it represent a property or include in PAPI. To learn more, see Manage access to properties and includes.
10. Assets - Move a property or include
PUT https://{{host}}/identity-management/v3/user-admin/properties/:assetId
This operation moves a property or include from one group to another group. You can only move an asset into another group within the same group hierarchy. Depending on your role in the destination group, you may lose access to resources the asset uses. Before moving an asset, run the List users affected by moving a group operation to review which users will be affected by the move.
11. Assets - List users for property or include
GET https://{{host}}/identity-management/v3/user-admin/properties/:assetId/users
This operation lists users who can access a property or include.
12. Assets - Block users from a property or include
PUT https://{{host}}/identity-management/v3/user-admin/properties/:assetId/users/block
This operation blocks the users on a property or include.
13. Resources - Get asset's resources
GET https://{{host}}/identity-management/v3/user-admin/properties/:assetId/resources?groupId={{groupId}}
This operation lists resources a property or include uses to deliver your web content across Akamai's edge network. You can think of these resources as objects, like CP codes and configuration files. For example, an ARL (Akamai resource locator) configuration file specifies how Akamai purges versions of an object that you can’t purge using just the URL.
POST https://{{host}}/identity-management/v3/user-admin/roles
This operation creates a custom role. A custom role combines grantable roles defined by Akamai. Roles exist at the account level regardless of group, but are constrained by contract type. If you create a role under one contract type, you can't apply that role to groups belonging to a different contract type, even if they're in the same account.
GET https://{{host}}/identity-management/v3/user-admin/roles
This operation lists roles for the current account and contract type or other accounts using the accountSwitchKey parameter. The account and contract type are determined by the access tokens in your API client.
GET https://{{host}}/identity-management/v3/user-admin/roles/:roleId
This operation retrieves a role's details.
PUT https://{{host}}/identity-management/v3/user-admin/roles/:roleId
This operation adds or removes a role's group role assignments, along with other data such as name and description. When you modify a role, those changes affect existing API clients. Review all API clients belonging to the user before modifying a role.
DELETE https://{{host}}/identity-management/v3/user-admin/roles/:roleId
This operation deletes a custom role. You can't delete a role if it's assigned to a user.
19. Grantable roles - List grantable roles
GET https://{{host}}/identity-management/v3/user-admin/roles/grantable-roles
This operation lists the grantable roles you can include in a new custom role, or add to an existing custom role.
POST https://{{host}}/identity-management/v3/user-admin/ui-identities
This operation creates a user, or clones an existing user's role assignments, in the account specified in your API client credentials. Optionally, sends a randomly generated one-time use password to the new user. If you send the email with the password directly to the user, the response for this operation doesn't include that password. If you don't send the password to the user through email, the password is included in the response.
GET https://{{host}}/identity-management/v3/user-admin/ui-identities
This operation lists the users who have access to your current account or other managed accounts using the accountSwitchKey parameter. The account is determined by the tokens in your API client. You can pass a groupId to filter users based on group. You can also return user information such as what product notifications they subscribe to, or what group and role assignments they have. Set the actions parameter to true to return the actions you can take on each user.
GET https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId
This operation retrieves a user's profile.
DELETE https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId
This operation deletes any user who doesn't own an API client. Before you delete a user with a client, transfer API client ownership to another user.
PUT https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/basic-info
This operation modifies a user's basic information. Pass the entire body of data in the request, including members you're not changing, or the unspecified data are removed. To edit detailed settings, run the Modify a user's group and role assignments or Update a user's notifications operations.
25. Blocked assets - List blocked properties and includes
GET https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/groups/:groupId/blocked-properties
This operation lists all properties and includes a user doesn't have access to in a group. Note the responses's set of IDs refer to either properties or includes. To find out which each refers to, see Manage access to properties and includes.
26. Blocked assets - Update blocked properties and includes
PUT https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/groups/:groupId/blocked-properties
This operation updates the list of blocked properties and includes. By default, users can access all properties and includes in a group, and this operation specifies IDs for any to block. To find out which each refers to, see Manage access to properties and includes. To get the list of already blocked properties run the List blocked properties and includes operation. In this request, include the whole list of properties you want to block. By not including a blocked property, you're unlocking it.
27. User authentication settings - Lock a user's account
POST https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/lock
This operation locks a user's account, preventing access to Control Center. The result shows in the user data as a read-only isLocked: true indicator. To allow a user access to Control Center, run the Unlock a user's account operation. This sets the isLocked indicator to false.
28. User authentication settings - Reset a user's password
POST https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/reset-password
This operation sends a one-time use password to the user. If you send the email with the password directly to the user, the response for this operation doesn't include that password. If you don't send the password to the user through email, the password is included in the response.
29. User authentication settings - Set a user's password
POST https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/set-password
This operation sets a password for a user. This differs from Reset a user's password because this password may be used more than once, and isn't randomly generated.
30. User authentication settings - Unlock a user's account
POST https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/unlock
This operation releases the lock on a user's account, allowing access to Control Center. The result shows in the user data as a read-only isLocked:false indicator. To prevent a user access to Control Center, run the Lock a user's account operation. This sets the isLocked indicator to true.
31. User authentication settings - Set multi-factor authentication for your user profile
PUT https://{{host}}/identity-management/v3/user-profile/additionalAuthentication
This operation sets multi-factor authentication to TFA, MFA, or NONE. You have five login attempts with MFA or 2FA before your account is locked. If your account is locked, use the Reset multi-factor authentication for your user profile operation to unlock it.
32. User authentication settings - Reset multi-factor authentication for your user profile
PUT https://{{host}}/identity-management/v3/user-profile/additionalAuthentication/reset
This operation resets your multi-factor authentication.
33. User authentication settings - Rotate your password
POST https://{{host}}/identity-management/v3/user-profile/change-password
This operation changes your password. Include your old password and your new password in the request body. Before you create your new password, run the View password policy operation to ensure it adheres to your policy. If you include your existing password incorrectly and make too many login attempts, your account locks.
34. User access - Set a user's multi-factor authentication
PUT https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/additionalAuthentication
This operation sets a user's multi-factor authentication to TFA, MFA, or NONE. Users are allowed five login attempts with MFA or 2FA before their account is locked. If the account is locked, use the Reset additional authentication to unlock it.
35. User access - Reset a user's multi-factor authentication
PUT https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/additionalAuthentication/reset
This operation prompts the reset of a user's multi-factor authentication method the next time they log in to Control Center. TFA indicates two-factor authentication. MFA indicates Akamai MFA authentication.
36. User notifications - Update a user's notifications
PUT https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/notifications
This operation subscribes or unsubscribes users to product notification emails.
37. User notifications - Update your notifications
PUT https://{{host}}/identity-management/v3/user-profile/notifications
This operation subscribes to notifications emails for password expiration reminders, proactive maintenance emails, and upgrade notification emails.
38. User authorization settings - Modify a user's group and role assignments
PUT https://{{host}}/identity-management/v3/user-admin/ui-identities/:uiIdentityId/auth-grants
This operation edits what groups a user has access to, and how the user interacts with the objects in those groups.
39. Profile - View your profile
GET https://{{host}}/identity-management/v3/user-profile
This operation gets your profile information. To make changes to your profile, run the Edit your profile operation.
40. Profile - Edit your profile
PUT https://{{host}}/identity-management/v3/user-profile/basic-info
This operation updates your basic profile information, such as your name or phone number. To edit detailed settings, run the Update your notifications or Modify a user's group and role assignments operations.
41. Contact types - View contact types
GET https://{{host}}/identity-management/v3/user-admin/common/contact-types
This operation lists the supported contact types. Administrators should use the values from this operation to add or update a user's contactType. Users should run the View contact types for a user profile operation before modifying their contact type.
42. Contact types - View contact types for a user profile
GET https://{{host}}/identity-management/v3/user-profile/common/contact-types
This operation lists the supported contact types. Users should use the values from this operation to add or update their contactType. Administrators should run the View contact types operation before modifying a user's contact type.
GET https://{{host}}/identity-management/v3/user-admin/common/countries
This operation lists the supported countries. Administrators should use the values from this operation to add or update a user's country. Users should run the View supported countries for a user profile operation before modifying their country.
GET https://{{host}}/identity-management/v3/user-admin/common/countries/:country/states
This operation lists the supported U.S. states or Canadian provinces. Administrators should use the values from this operation to add or update a user's state. If a user's state or province is unknown, use TBD. Users should run the View states for a user profile operation before modifying their state.
GET https://{{host}}/identity-management/v3/user-admin/common/supported-languages
This operation lists the supported languages. Administrators should use the values from this operation to set a user's preferredLanguage. Users should run the View languages for a user profile operation before setting their preferred language.
GET https://{{host}}/identity-management/v3/user-admin/common/timezones
This operation lists the supported time zones in the ISO 8601 format. Administrators should use the values from this operation to set a user's timeZone. Users should run the View time zones for a user profile operation before setting their time zone.
47. Locale - View supported countries for a user profile
GET https://{{host}}/identity-management/v3/user-profile/common/countries
This operation lists the supported countries. Users should use the values from this operation to add or update their country. Administrators should run the View supported countries operation before modifying a user's country.
48. Locale - View states for a user profile
GET https://{{host}}/identity-management/v3/user-profile/common/countries/:country/states
This operation lists the supported U.S. states or Canadian provinces. Users should use the values from this operation to add or update their state. Administrators should run the View states operation before modifying a user's state.
49. Locale - View languages for a user profile
GET https://{{host}}/identity-management/v3/user-profile/common/supported-languages
This operation lists the supported languages. Users should use the values from this operation to set their preferred language. Administrators should run the View languages operation before setting a user's preferred language.
50. Locale - View time zones for a user profile
GET https://{{host}}/identity-management/v3/user-profile/common/timezones
This operation lists the supported time zones in the ISO 8601 format. Users should use the values from this operation to set their timeZone. Administrators should run the View time zones operation before setting a user's time zone.
GET https://{{host}}/identity-management/v3/user-admin/common/notification-products
This operation lists the products a user can subscribe to and receive notifications for on the account. The tokens in your API client determine the account. Administrators should use the values from this operation to set a user's product notifications. Users should run the View products for a user profile operation before setting their product notifications.
52. Products - View products for a user profile
GET https://{{host}}/identity-management/v3/user-profile/common/notification-products
This operation lists the products a user can subscribe to and receive notifications for on the account. The account is determined by the tokens in your API client. Users should use the values from this operation to set their product notifications. Administrators should run the View products operation before setting a user's product notifications.
53. Policies - View password policy
GET https://{{host}}/identity-management/v3/user-admin/common/password-policy
This operation lists the password policy for the account. The tokens in your API client determine the account. Administrators should use the values from this operation to set a user's password policy. Users should run the View password policy for a user profile operation before setting their password policy.
54. Policies - View timeout policies
GET https://{{host}}/identity-management/v3/user-admin/common/timeout-policies
This operation lists the supported session timeout policies. The name for each timeout period is in minutes, and the time value is in seconds. Administrators should use the sessionTimeout values from this operation to set a user's timeout policy. Users should run the View timeout policies for a user profile operation before setting their timeout policy.
55. Policies - View password policy for a user profile
GET https://{{host}}/identity-management/v3/user-profile/common/password-policy
This operation lists the password policy for the account. The account is determined by the tokens in your API client. Users should use the values from this operation to set their password policy. Administrators should run the View password policy operation before setting a user's password policy.
56. Policies - View timeout policies for a user profile
GET https://{{host}}/identity-management/v3/user-profile/common/timeout-policies
This operation lists the supported session timeout policies. The name for each timeout period is in minutes, and the time value is in seconds. Users should use the values from this operation to set their sessionTimeout. Administrators should run the View timeout policies operation before setting a user's timeout policy.
57. CIDR blocks - Create a CIDR block
POST https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist
This operation adds CIDR blocks to your account's allowlist. You can add only one CIDR block at a time. Before creating the CIDR block, you may want to validate it, to check if its format is correct.
58. CIDR blocks - List CIDR blocks
GET https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist
This operation lists all CIDR blocks on your current account's allowlist or other managed accounts using the accountSwitchKey parameter. Your API client designates the allowlist for the account.
59. CIDR blocks - Validate CIDR blocks
GET https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist/validate?cidrblock={{cidrblock}}
This operation checks the format of a potential CIDR block. If it's validated successfully, you can create it.
60. CIDR blocks - Get a CIDR block
GET https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist/:cidrBlockId
This operation retrieves a CIDR block's details.
61. CIDR blocks - Modify a CIDR block
PUT https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist/:cidrBlockId
This operation enables or disables an existing CIDR block, updates comments, IP addresses, or ranges in the CIDR block. Note that you can only update a CIDR block with IP allowlist enabled on the account. There are several CIDR blocks on the allowlist and your attempt to make changes to the CIDR block is from an IP address that's on the allowlist. You can't edit the last CIDR block in the allowlist or the CIDR block allowing access to the current user.
62. CIDR blocks - Delete a CIDR block
DELETE https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist/:cidrBlockId
This operation deletes a CIDR block from the IP allowlist. After you delete a CIDR block, any requests from IP addresses you deleted fail the next time someone tries to log in from that address. Users accessing Control Center from an IP address you delete aren't automatically logged out of Control Center at the time you delete the IP address. With IP allowlist enabled for the account, you can't delete the last CIDR block in the allowlist or the CIDR block allowing access to the current user. There are no restrictions with IP allowlist disabled on the account.
63. IP allowlists - Disable IP allowlist
POST https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist/disable
This operation disables IP allowlist on your account. After you disable IP allowlist, users can access Control Center regardless of their IP address or who assigns it.
64. IP allowlists - Enable IP allowlist
POST https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist/enable
This operation enables IP allowlist on your account. Before you enable IP allowlist, add at least one IP address to allow access to Control Center. The allowlist can't be empty with IP allowlist enabled.
65. IP allowlists - View IP allowlist status
GET https://{{host}}/identity-management/v3/user-admin/ip-acl/allowlist/status
This operation indicates whether IP allowlist is enabled or disabled on your account.
66. Helper - List authorized users
GET https://{{host}}/identity-management/v3/users
This operation lists authorized API client users.
67. Helper - List allowed APIs
GET https://{{host}}/identity-management/v3/users/:username/allowed-apis
This operation lists available APIs for a user.
68. Helper - List allowed CP codes
POST https://{{host}}/identity-management/v3/users/:username/allowed-cpcodes
This operation lists available CP codes for a user.
69. Helper - List accessible groups
GET https://{{host}}/identity-management/v3/users/:username/group-access
This operation lists groups available to a user.
70. API client: self - Get your API client
GET https://{{host}}/identity-management/v3/api-clients/self
This operation provides details about your API client.
71. API client: self - Update your API client
PUT https://{{host}}/identity-management/v3/api-clients/self
This operation updates your API client.
72. API client: self - Delete your API client
DELETE https://{{host}}/identity-management/v3/api-clients/self
This operation permanently deletes an API client you own, without active credentials. It also breaks any API connections with the client. Before deleting your API client, deactivate all credentials and make sure there aren't any API integrations or scripts using them.
73. API client: self - List your account switch keys
GET https://{{host}}/identity-management/v3/api-clients/self/account-switch-keys
This operation lists account switch keys available for your API client. You can use the accountSwitchKey in many Akamai APIs to make an API call to another account.
74. API client: self - Create your credential
POST https://{{host}}/identity-management/v3/api-clients/self/credentials
This operation creates a new credential for your API client. Only you may create credentials for this client. Credentials are in active status at creation. By default, they expire two years from their creation date. However, when the API client's permissions are based on Control Center permissions, credentials expire differently and follow the same rotation schedule listed for user passwords on those accounts. Run the Update a credential operation to change the expiration date, description, or status. Save the values from the response, such as the credentialID for future use. This is the only time you'll see the client secret. Save the credential at this time to avoid the need to create a new one.
75. API client: self - List your credentials
GET https://{{host}}/identity-management/v3/api-clients/self/credentials
This operation lists your API client's credentials.
76. API client: self - Deactivate your credentials
POST https://{{host}}/identity-management/v3/api-clients/self/credentials/deactivate
This operation deactivates all credentials for your API client. This doesn't delete the API client or the credentials. To deactivate a single credential, run either the Deactivate your credential operation or Update your credential and set the status to INACTIVE.
77. API client: self - Get your credential
GET https://{{host}}/identity-management/v3/api-clients/self/credentials/:credentialId
This operation provides details about a specific credential for your API client. To change the credential's expiration date or toggle its activation status, run the Update a credential operation.
78. API client: self - Update your credential
PUT https://{{host}}/identity-management/v3/api-clients/self/credentials/:credentialId
This operation updates a specific credential for your API client. You can change the expiration date, description, or toggle the activation status. This isn't the same as rotating a credential. For details, see Rotate credentials.
79. API client: self - Remove your credential
DELETE https://{{host}}/identity-management/v3/api-clients/self/credentials/:credentialId
This operation deletes a specific credential from your API client. You can only delete inactive credentials.
80. API client: self - Deactivate your credential
POST https://{{host}}/identity-management/v3/api-clients/self/credentials/:credentialId/deactivate
This operation deactivates a specific credential for your API client. This doesn't delete the client or the credentials. To update a specific credential, run the Update your credential operation.
81. API client: self - Lock your API client
PUT https://{{host}}/identity-management/v3/api-clients/self/lock
This operation locks your API client. You can't use the API client while it's locked. To unlock your client, run the Unlock an API client operation.
82. API clients - Create an API client
POST https://{{host}}/identity-management/v3/api-clients
This operation creates a new API client. Optionally, you can automatically assign a credential for the client when you create it. If you choose not to assign the credential automatically, see Create authentication credentials for details.
83. API clients - List API clients
GET https://{{host}}/identity-management/v3/api-clients
This operation lists API clients an administrator can manage on the current account or other managed accounts using the accountSwitchKey parameter.
84. API clients - Get an API client
GET https://{{host}}/identity-management/v3/api-clients/:clientId
This operation provides details about an API client.
85. API clients - Update an API client
PUT https://{{host}}/identity-management/v3/api-clients/:clientId
This operation updates an API client.
86. API clients - Delete an API client
DELETE https://{{host}}/identity-management/v3/api-clients/:clientId
This operation permanently deletes the API client, breaking any API connections with the client. To delete a client, you need to own the client, or have admin access on a given group. Before deleting an API client, make sure there aren't any API integrations or scripts using it.
87. API clients - List account switch keys
GET https://{{host}}/identity-management/v3/api-clients/:clientId/account-switch-keys
This operation lists account switch keys available for a specific API client. The client can use the accountSwitchKey in many Akamai APIs to make an API call to another account.
88. API clients - Create a credential
POST https://{{host}}/identity-management/v3/api-clients/:clientId/credentials
This operation creates a new credential for your API client. If you don't know your clientId, you can run the Create your credential operation. Credentials are in active status at creation. By default, they expire two years from their creation date. However, when the API client's permissions are based on Control Center permissions, credentials expire differently and follow the same rotation schedule listed for user passwords on those accounts. Run the Update a credential operation to change the expiration date, description, or status. Save the values from the response, such as the credentialID, for future use. This is the only time you'll see the client secret. Save the credential to avoid the need to create a new one.
89. API clients - List credentials
GET https://{{host}}/identity-management/v3/api-clients/:clientId/credentials
This operation lists credentials for an API client.
90. API clients - Deactivate credentials
POST https://{{host}}/identity-management/v3/api-clients/:clientId/credentials/deactivate
This operation deactivates all credentials for a specific API client. This doesn't delete the API client or the credentials. To deactivate a single credential, run either the Deactivate a credential operation or Update a credential and set the status to INACTIVE.
91. API clients - Get a credential
GET https://{{host}}/identity-management/v3/api-clients/:clientId/credentials/:credentialId
This operation returns details about a specific credential for an API client. To change the credential's expiration date or toggle its activation status, run the Update credential for an API client operation.
92. API clients - Update a credential
PUT https://{{host}}/identity-management/v3/api-clients/:clientId/credentials/:credentialId
This operation updates a specific credential for an API client. You can change the expiration date, description, or toggle the activation status. This isn't the same as rotating a credential. For details, see Rotate credentials.
93. API clients - Remove a credential
DELETE https://{{host}}/identity-management/v3/api-clients/:clientId/credentials/:credentialId
This operation deletes a specific credential from an API client. You can only delete inactive credentials.
94. API clients - Deactivate a credential
POST https://{{host}}/identity-management/v3/api-clients/:clientId/credentials/:credentialId/deactivate
This operation deactivates a specific credential for an API client. This doesn't delete the API client, or the other credentials.
95. API clients - Lock an API client
PUT https://{{host}}/identity-management/v3/api-clients/:clientId/lock
This operation locks an API client. You can't use the API client while it's locked. To unlock a client, run the Unlock an API client operation.
96. API clients - Unlock an API client
PUT https://{{host}}/identity-management/v3/api-clients/:clientId/unlock
This operation unlocks an API client.
ENDPOINTS