Pomerium Zero API Reference (0.1.0)

Download OpenAPI specification:Download

Authentication

The Pomerium Zero API requires authenticated access for both personal accounts and organizations. To send a valid, authenticated request to the Pomerium Zero API:

Generate an API User Token in the Zero Console
Exchange the API User Token for an ID Token at the /token endpoint
Pass the ID token in an Authorization: Bearer {TOKEN} header to authenticate your request

user

The user service enables you to manage users and user information within an organization or namespace.

This service also enables you to create API access user accounts and renew API refresh tokens.

deleteCurrentUser

Delete current user

Authorizations:

bearerAuth

Responses

updateCurrentUserInfo

Fetch and update currently logged in user information from the identity provider

Authorizations:

bearerAuth

Responses

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"email": "user@example.com",
"displayName": "string",
"needsOnboarding": true,
"photoUrl": "string",
"type": "user_type_interactive",
"lastLoggedIn": "2019-08-24T14:15:22Z"
}

completeOnboarding

Complete onboarding

Authorizations:

bearerAuth

Responses

listUsersInOrganization

List users

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

userType

string (UserType)

Enum: "user_type_interactive" "user_type_api_access"

Type of user

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"email": "user@example.com",
"displayName": "string",
"needsOnboarding": true,
"photoUrl": "string",
"type": "user_type_interactive",
"lastLoggedIn": "2019-08-24T14:15:22Z",
"organizationRole": "owner"
}
]

createApiAccessUser

Create API access user account

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

name required	string Freetext user name
role	string (OrganizationRole) Enum: "owner" "admin" "auditor" "member" A high level role that describes the level of access a user has to an organization. Owner: Global namespace admin. Admin: Global namespace admin. Auditor: Global namespace viewer. Member: any user who was granted access to the organization

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"role": "owner"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"email": "user@example.com",
"displayName": "string",
"needsOnboarding": true,
"photoUrl": "string",
"type": "user_type_interactive",
"lastLoggedIn": "2019-08-24T14:15:22Z",
"refreshToken": "string"
}

removeUserFromOrganization

Remove user from organization

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
userId required	string ID of user

Responses

RenewApiUserRefreshToken

Renews API user refresh token. The userId must be an API user. Obtaining a new refresh token invalidates any previously issued refresh tokens.

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
userId required	string ID of user

Responses

Response samples

Content type

application/json

{"refreshToken": "string"
}

invitation

The invitation service is where you can view and respond to pending invitations to join a professional type organization.

listUserInvitations

List invitations

Authorizations:

bearerAuth

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"invitedBy": {"email": "user@example.com",
"displayName": "string",
"photoUrl": "string"
},
"organization": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"logoURL": "string",
"organizationType": "personal",
"ownerUserId": "string",
"role": "owner",
"joinedAt": "2019-08-24T14:15:22Z",
"quotas": {"administrators": 0,
"apiUsers": 0,
"certificates": 0,
"clusters": 0,
"customDomains": 0,
"policies": 0,
"replicas": 0,
"routes": 0,
"serviceAccounts": 0
},
"readOnly": true
},
"organizationRole": "owner"
}
]

acceptInvitation

Accept invitation

Authorizations:

bearerAuth

path Parameters

invitationId

required

string

ID of invitation

Responses

rejectInvitation

Reject an invitation

Authorizations:

bearerAuth

path Parameters

invitationId

required

string

ID of invitation

Responses

invite

The invite service is where you can manage invitations sent to users to join your organization.

listOrganizationInvites

List invites

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"email": "user@example.com",
"role": "owner"
}
]

createOrganizationInvite

Create invite

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

emails required	Array of strings <email> [ items <email > ]
role required	string (OrganizationRole) Enum: "owner" "admin" "auditor" "member" A high level role that describes the level of access a user has to an organization. Owner: Global namespace admin. Admin: Global namespace admin. Auditor: Global namespace viewer. Member: any user who was granted access to the organization

Responses

Request samples

Payload

Content type

application/json

{"emails": ["user@example.com"
],
"role": "owner"
}

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"email": "user@example.com",
"role": "owner"
}
]

deleteOrganizationInvite

Delete invite

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
invitationId required	string ID of invitation

Responses

policy

The policy service is where you can manage policies within a namespace in your organization.

You can build a policy by configuring a Pomerium Policy Language (PPL) rule and apply it to a route.

See the PPL documentation to learn more.

listPolicies

List policies

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

namespaceId required	string ID of namespace
	object (FilterForPolicies) Filter for policies
includeDescendants	boolean include resources from descendant namespaces
limit	integer limit number of resources returned
offset	integer offset of the resources
orderBy	Array of strings (ListPoliciesOrderByField) Items Enum: "-assigned" "-cluster" "-id" "-name" "-updatedAt" "assigned" "cluster" "id" "name" "updatedAt" order by for policies

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"name": "string",
"enforced": true,
"ppl": {"allow": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
},
"deny": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
}
},
"description": "string",
"explanation": "string",
"remediation": "string",
"routes": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"enforcedRoutes": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}
]

createPolicy

Create policy

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

namespaceId required	string
name required	string (entityName) [ 1 .. 128 ] characters
enforced required	boolean
required	PPLRule (object) or Array of PPLRule (objects)
description required	string
explanation required	string
remediation required	string

Responses

Request samples

Payload

Content type

application/json

{"namespaceId": "string",
"name": "string",
"enforced": true,
"ppl": {"allow": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
},
"deny": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
}
},
"description": "string",
"explanation": "string",
"remediation": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"name": "string",
"enforced": true,
"ppl": {"allow": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
},
"deny": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
}
},
"description": "string",
"explanation": "string",
"remediation": "string",
"routes": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"enforcedRoutes": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}

deletePolicy

Delete policy

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
policyId required	string ID of policy

Responses

getPolicy

Get policy

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
policyId required	string ID of policy

Responses

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"name": "string",
"enforced": true,
"ppl": {"allow": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
},
"deny": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
}
},
"description": "string",
"explanation": "string",
"remediation": "string",
"routes": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"enforcedRoutes": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}

updatePolicy

Update policy

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
policyId required	string ID of policy

Request Body schema: application/json
required

namespaceId required	string
name required	string (entityName) [ 1 .. 128 ] characters
enforced required	boolean
required	PPLRule (object) or Array of PPLRule (objects)
description required	string
explanation required	string
remediation required	string

Responses

Request samples

Payload

Content type

application/json

{"namespaceId": "string",
"name": "string",
"enforced": true,
"ppl": {"allow": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
},
"deny": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
}
},
"description": "string",
"explanation": "string",
"remediation": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"name": "string",
"enforced": true,
"ppl": {"allow": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
},
"deny": {"and": [{ }
],
"or": [{ }
],
"not": [{ }
],
"nor": [{ }
]
}
},
"description": "string",
"explanation": "string",
"remediation": "string",
"routes": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"enforcedRoutes": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}

activityLog

listActivityLogs

List activity logs

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

activityType	string (ActivityType) Enum: "create" "delete" "update" Type of activity
changesetId	string id of changeset
entityId	string ID of entity
entityType	string (EntityType) Enum: "changeset" "custom_domain" "domain" "key_pair" "namespace" "organization" "policy" "route" "settings" "service_account" Type of entity
	object (FilterForActivityLogs) Filter for activity logs
limit	integer limit number of resources returned
namespaceId	string ID of namespace
offset	integer offset of the resources
orderBy	Array of strings (ListActivityLogsOrderByField) Items Enum: "-entity.data.name" "-entity.id" "-entity.type" "-updatedAt" "-user" "entity.data.name" "entity.id" "entity.type" "updatedAt" "user" order by for activity logs
userId	string ID of user

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"activityType": "create",
"applied": {"at": "2019-08-24T14:15:22Z",
"by": {"id": "string",
"email": "user@example.com",
"displayName": "string",
"photoUrl": "string"
},
"changesetId": "string"
},
"entity": {"type": "changeset",
"id": "string",
"data": { }
},
"namespace": {"id": "string",
"name": "string"
},
"user": {"id": "string",
"email": "user@example.com",
"displayName": "string",
"photoUrl": "string"
}
}
]

updateSettings

Update settings

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

logLevel required	string Sets the global logging level for Pomerium. Only logs of the desired level and above will be logged. Go to Log Level reference
proxyLogLevel	string Sets the logging level for the Pomerium Proxy service access logs. Only logs of the desired level and above will be logged. Go to Proxy Log Level reference
address required	string <ipport> Specifies the IP Address and Port to serve HTTP requests from. If empty, `:443` is used. Go to Address reference
dnsLookupFamily required	string (DNSLookupFamily) Enum: "V4_ONLY" "V6_ONLY" "V4_PREFERRED" "AUTO" "ALL" Sets the DNS IP address resolution policy. Go to DNS Lookup Family reference
dnsFailureRefreshRate	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the rate at which DNS lookups are refreshed when requests are failing. Go to DNS Failure Refresh Rate reference
dnsQueryTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the amount of time each name server is given to respond to a query on the first try of any given server. Go to DNS Query Timeout reference
dnsQueryTries	integer <uint32> Sets the maximum number of query attempts the resolver will make before giving up. Each attempt may use a different name server. Go to DNS Query Tries reference
dnsRefreshRate	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the rate at which DNS lookups are refreshed. Go to DNS Refresh Rate reference
dnsUdpMaxQueries	integer <uint32> Caps the number of UDP based DNS queries on a single port. Go to DNS UDP Max Queries reference
dnsUseTcp	boolean Use TCP instead of UDP for DNS queries. Go to DNS Use TCP reference
httpRedirectAddr	string <ipport> Specifies the IP Address and Port to redirect HTTP to HTTPS traffic on. If unset, no redirect server is started. Go to HTTP Redirect Address reference
timeoutRead required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the amount of time for the entire request stream to be received from the client. Go to Global Timeouts reference
timeoutWrite required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the max stream duration is the maximum time that a stream’s lifetime will span. Go to Global Timeouts reference
timeoutIdle required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the idle timeout is the time at which a downstream or upstream connection will be terminated if there are no active streams. Go to Global Timeouts reference
codecType required	string (CodecType) Enum: "" "auto" "http1" "http2" "http3" Sets the codec type.
cookieName required	string Sets the name of the session cookie sent to clients. Go to Cookie Settings reference
cookieSecret	string Sets the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you. Go to Cookie Settings reference
cookieDomain	string Sets the scope of session cookies issued by Pomerium. If you specify the domain explicitly, then subdomains would also be included. Go to Cookie Settings reference
cookieHttpOnly required	boolean If true, this setting forbids JavaScript from accessing the cookie. Go to Cookie Settings reference
cookieExpire required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the lifetime of session cookies. After this interval, users must reauthenticate. Go to Cookie Settings reference
cookieSameSite	string Sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests. Go to Cookie Settings reference
certificateAuthorityKeyPairId	string ID of CA's public and private key pair.
	object (StringMap) Specifies a mapping of HTTP Headers added globally to all managed routes and Pomerium's Authenticate Service. Go to Set Response Headers reference
	object (StringMap) Pass specific user session data to upstream applications as unsigned HTTP request headers. Go to JWT Claim Headers reference
defaultUpstreamTimeout required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The default timeout applied to a proxied route when no timeout key is specified by the policy. Go to Default Upstream Timeout reference
metricsAddress	string Exposes a Prometheus endpoint on the specified port. Go to Metrics Settings reference
otelTracesExporter	string The name of the tracing provider. Available options are "none" (default) or "otlp". Go to Tracing Reference
otelTracesSamplerArg	number <double> Percentage of requests to sample in decimal notation. The default is 1.0, or 100%. Go to Tracing Reference
otelResourceAttributes	Array of strings (StringList) Key-value pairs to be used as additional resource attributes Go to Tracing Reference
otelLogLevel	string Log level used by the OTEL SDK Go to Tracing Reference
otelAttributeValueLengthLimit	integer <int32> Maximum allowed attribute value size Go to Tracing Reference
otelExporterOtlpEndpoint	string Endpoint URL for OTLP data Go to Tracing Reference
otelExporterOtlpTracesEndpoint	string Endpoint URL for OTLP trace data Go to Tracing Reference
otelExporterOtlpProtocol	string Transport protocol to be used for OTLP data Go to Tracing Reference
otelExporterOtlpTracesProtocol	string Transport protocol to be used for OTLP trace data Go to Tracing Reference
otelExporterOtlpHeaders	Array of strings (StringList) Key=Value headers to add to all outgoing export requests Go to Tracing Reference
otelExporterOtlpTracesHeaders	Array of strings (StringList) Key=Value headers to add to all outgoing trace export requests Go to Tracing Reference
otelExporterOtlpTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The timeout value for all outgoing data (traces, metrics, and logs) Go to Tracing Reference
otelExporterOtlpTracesTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The timeout value for all outgoing traces Go to Tracing Reference
otelBspScheduleDelay	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The interval at which trace data is exported Go to Tracing Reference
otelBspMaxExportBatchSize	integer <int32> Maximum span batch size Go to Tracing Reference
downstreamMtlsCaKeyPairId	string Key pair ID of the downstream client CA. If set, requires mTLS for incoming requests. Go to Downstream mTLS reference
googleCloudServerlessAuthenticationServiceAccount	string Specifies the Service Account credentials to support GCP's Authorization Header format. Go to Google Cloud Serverless Authn SA reference
skipXffAppend required	boolean If true, the incoming X-Forwarded-For HTTP header would not be modified. Go to X-Forwarded-For reference
databrokerStorageConnection	string The databroker storage connection string. Go to Databroker Settings reference
accessLogFields	Array of strings (StringList) Controls which fields are included in the access logs. Go to Access Log Fields reference
authorizeLogFields	Array of strings (StringList) Controls which fields are included in the authorize logs. Go to Authorize Log Fields reference
passIdentityHeaders required	boolean
autoApplyChangesets required	boolean
authenticateServiceUrl	string <url> Specifies the URL to use for the authenticate service, if not using the Hosted Authenticate Service. (This URL should resolve to your Pomerium deployment.) Go to Authenticate Service URL reference
identityProvider	string (IdentityProviderType) Enum: "apple" "auth0" "azure" "cognito" "github" "gitlab" "google" "oidc" "okta" "onelogin" "ping" Identity provider type, if not using the Hosted Authenticate Service. Go to Identity Provider reference
identityProviderClientId	string Identity provider client ID, if not using the Hosted Authenticate Service. Go to Identity Provider Client ID reference
identityProviderClientSecret	string Identity provider client secret, if not using the Hosted Authenticate Service. Go to Identity Provider Client Secret reference
	object (StringMap) Identity provider request params, if not using the Hosted Authenticate Service. Go to Identity Provider Request Params reference
identityProviderScopes	Array of strings (StringList) Identity provider scopes, if not using the Hosted Authenticate Service. Go to Identity Provider Scopes reference
identityProviderUrl	string <url> Identity provider URL, if not using the Hosted Authenticate Service. (This is required only for certain identity providers types.) Go to Identity Provider URL reference
bearerTokenFormat	string (BearerTokenFormat) Enum: "" "default" "idp_access_token" "idp_identity_token" The expected format of bearer tokens Go to Bearer Token Format reference
idpAccessTokenAllowedAudiences	Array of strings (StringList) Validates the audience claim of an IdP access token. Go to IDP Access Token Allowed Audiences reference
	object (CircuitBreakerThresholds) Sets the circuit breaker thresholds for a route. Go to Circuit Breaker Thresholds reference
sshAddress	string Sets the SSH address. Go to SSH reference
sshHostKeys	Array of strings (StringList) Sets the SSH host keys. Go to SSH reference
sshUserCaKey	string Sets the SSH user CA key. Go to SSH reference

Responses

Request samples

Payload

Content type

application/json

{"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

patchSettings

Patch settings

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

Array

op required	string Enum: "add" "remove" "replace" "copy" "move" "test"
path required	string
value	any
from	string

Responses

Request samples

Payload

Content type

application/json

[{"op": "add",
"path": "string",
"value": null,
"from": "string"
}
]

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

route

The route service is where you can build and manage routes defined in a namespace within your organization.

listRoutes

List routes

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

namespaceId required	string ID of namespace
includeDescendants	boolean include resources from descendant namespaces
	object (FilterForRoutes) Filter for routes
limit	integer limit number of resources returned
offset	integer offset of the resources
orderBy	Array of strings (ListRoutesOrderByField) Items Enum: "-assigned" "-from" "-id" "-inherited" "-name" "-path" "-prefix" "-regex" "-to" "-updatedAt" "assigned" "from" "id" "inherited" "name" "path" "prefix" "regex" "to" "updatedAt" order by for routes

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"name": "string",
"description": "string",
"logoUrl": "string",
"from": "string",
"to": ["string"
],
"response": {"status": 200,
"body": "string"
},
"prefix": "string",
"path": "string",
"regex": "string",
"prefixRewrite": "string",
"regexRewritePattern": "string",
"regexRewriteSubstitution": "string",
"hostRewrite": "string",
"hostRewriteHeader": "string",
"hostPathRegexRewritePattern": "string",
"hostPathRegexRewriteSubstitution": "string",
"regexPriorityOrder": 0,
"timeout": "string",
"idleTimeout": "string",
"allowWebsockets": true,
"allowSpdy": true,
"tlsSkipVerify": true,
"tlsUpstreamServerName": "string",
"tlsDownstreamServerName": "string",
"tlsCustomCaKeyPairId": "string",
"tlsClientKeyPairId": "string",
"tlsDownstreamClientCaKeyPairId": "string",
"tlsUpstreamAllowRenegotiation": true,
"setRequestHeaders": {"property1": "string",
"property2": "string"
},
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"removeRequestHeaders": ["string"
],
"rewriteResponseHeaders": [{"header": "string",
"matcher": {"prefix": "string"
},
"value": "string"
}
],
"preserveHostHeader": true,
"passIdentityHeaders": true,
"kubernetesServiceAccountToken": "string",
"redirect": {"httpsRedirect": true,
"schemeRedirect": "string",
"hostRedirect": "string",
"portRedirect": 0,
"pathRedirect": "string",
"prefixRewrite": "string",
"responseCode": 0,
"stripQuery": true
},
"enableGoogleCloudServerlessAuthentication": true,
"jwtIssuerFormat": "hostOnly",
"showErrorDetails": true,
"healthCheck": {"timeout": "string",
"interval": "string",
"unhealthyThreshold": 0,
"healthyThreshold": 0,
"type": "http",
"host": "string",
"path": "string",
"expectedStatuses": [{"start": 0,
"end": 0
}
],
"codecClientType": "http1"
},
"loadBalancingPolicy": "round_robin",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"policyIds": ["string"
],
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"dependsOn": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"mcp": {"server": {"upstreamOAuth2": {"clientId": "string",
"clientSecret": "string",
"oauth2Endpoint": {"authUrl": "string",
"tokenUrl": "string",
"authStyle": "OAUTH2_AUTH_STYLE_UNSPECIFIED"
},
"scopes": ["string"
]
},
"maxRequestBytes": 0,
"path": "string"
},
"client": { }
},
"healthyPanicThreshold": 100,
"upstreamTunnel": { },
"enforcedPolicies": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"enforcedPolicyIds": ["string"
],
"policies": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}
]

createRoute

Create route

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

namespaceId required	string
name required	string (entityName) [ 1 .. 128 ] characters
description	string
logoUrl	string
from required	string <url>
to	Array of strings <url> [ items <url > ]
	object (RouteDirectResponse)
prefix	string
path	string
regex	string
prefixRewrite	string
regexRewritePattern	string
regexRewriteSubstitution	string
hostRewrite	string
hostRewriteHeader	string
hostPathRegexRewritePattern	string
hostPathRegexRewriteSubstitution	string
regexPriorityOrder	integer <int64>
timeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$
idleTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$
allowWebsockets required	boolean
allowSpdy required	boolean
tlsSkipVerify required	boolean
tlsUpstreamServerName	string
tlsDownstreamServerName	string
tlsCustomCaKeyPairId	string
tlsClientKeyPairId	string
tlsDownstreamClientCaKeyPairId	string
tlsUpstreamAllowRenegotiation required	boolean
	object (StringMap)
	object (StringMap)
removeRequestHeaders	Array of strings
	Array of objects (RouteRewriteHeader)
preserveHostHeader required	boolean
passIdentityHeaders	boolean
kubernetesServiceAccountToken	string
	object (RouteRedirect)
enableGoogleCloudServerlessAuthentication required	boolean
jwtIssuerFormat	string (JwtIssuerFormat) Enum: "hostOnly" "uri"
showErrorDetails required	boolean
	RouteHttpHealthCheck (object) or RouteTcpHealthCheck (object) or RouteGrpcHealthCheck (object) (RouteHealthCheck)
loadBalancingPolicy	string (RouteLoadBalancingPolicy) Enum: "round_robin" "least_request" "ring_hash" "random" "maglev"
identityProviderClientId	string
identityProviderClientSecret	string
policyIds required	Array of strings
bearerTokenFormat	string (BearerTokenFormat) Enum: "" "default" "idp_access_token" "idp_identity_token" The expected format of bearer tokens Go to Bearer Token Format reference
idpAccessTokenAllowedAudiences	Array of strings (StringList) Validates the audience claim of an IdP access token. Go to IDP Access Token Allowed Audiences reference
dependsOn	Array of strings Additional route domains to redirect through on login.
	object (CircuitBreakerThresholds) Sets the circuit breaker thresholds for a route. Go to Circuit Breaker Thresholds reference
	(object or null) or (object or null) (MCP)
healthyPanicThreshold	integer <int32> [ 0 .. 100 ] If the number of healthy hosts falls below this percentage, traffic will be balanced among all hosts regardless of health, allowing some requests to fail. 0% disables this behavior.
upstreamTunnel	object (UpstreamTunnel) Upstream tunnel configuration for this route

Responses

Request samples

Payload

Content type

application/json

{"namespaceId": "string",
"name": "string",
"description": "string",
"logoUrl": "string",
"from": "string",
"to": ["string"
],
"response": {"status": 200,
"body": "string"
},
"prefix": "string",
"path": "string",
"regex": "string",
"prefixRewrite": "string",
"regexRewritePattern": "string",
"regexRewriteSubstitution": "string",
"hostRewrite": "string",
"hostRewriteHeader": "string",
"hostPathRegexRewritePattern": "string",
"hostPathRegexRewriteSubstitution": "string",
"regexPriorityOrder": 0,
"timeout": "string",
"idleTimeout": "string",
"allowWebsockets": true,
"allowSpdy": true,
"tlsSkipVerify": true,
"tlsUpstreamServerName": "string",
"tlsDownstreamServerName": "string",
"tlsCustomCaKeyPairId": "string",
"tlsClientKeyPairId": "string",
"tlsDownstreamClientCaKeyPairId": "string",
"tlsUpstreamAllowRenegotiation": true,
"setRequestHeaders": {"property1": "string",
"property2": "string"
},
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"removeRequestHeaders": ["string"
],
"rewriteResponseHeaders": [{"header": "string",
"matcher": {"prefix": "string"
},
"value": "string"
}
],
"preserveHostHeader": true,
"passIdentityHeaders": true,
"kubernetesServiceAccountToken": "string",
"redirect": {"httpsRedirect": true,
"schemeRedirect": "string",
"hostRedirect": "string",
"portRedirect": 0,
"pathRedirect": "string",
"prefixRewrite": "string",
"responseCode": 0,
"stripQuery": true
},
"enableGoogleCloudServerlessAuthentication": true,
"jwtIssuerFormat": "hostOnly",
"showErrorDetails": true,
"healthCheck": {"timeout": "string",
"interval": "string",
"unhealthyThreshold": 0,
"healthyThreshold": 0,
"type": "http",
"host": "string",
"path": "string",
"expectedStatuses": [{"start": 0,
"end": 0
}
],
"codecClientType": "http1"
},
"loadBalancingPolicy": "round_robin",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"policyIds": ["string"
],
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"dependsOn": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"mcp": {"server": {"upstreamOAuth2": {"clientId": "string",
"clientSecret": "string",
"oauth2Endpoint": {"authUrl": "string",
"tokenUrl": "string",
"authStyle": "OAUTH2_AUTH_STYLE_UNSPECIFIED"
},
"scopes": ["string"
]
},
"maxRequestBytes": 0,
"path": "string"
},
"client": { }
},
"healthyPanicThreshold": 100,
"upstreamTunnel": { }
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"name": "string",
"description": "string",
"logoUrl": "string",
"from": "string",
"to": ["string"
],
"response": {"status": 200,
"body": "string"
},
"prefix": "string",
"path": "string",
"regex": "string",
"prefixRewrite": "string",
"regexRewritePattern": "string",
"regexRewriteSubstitution": "string",
"hostRewrite": "string",
"hostRewriteHeader": "string",
"hostPathRegexRewritePattern": "string",
"hostPathRegexRewriteSubstitution": "string",
"regexPriorityOrder": 0,
"timeout": "string",
"idleTimeout": "string",
"allowWebsockets": true,
"allowSpdy": true,
"tlsSkipVerify": true,
"tlsUpstreamServerName": "string",
"tlsDownstreamServerName": "string",
"tlsCustomCaKeyPairId": "string",
"tlsClientKeyPairId": "string",
"tlsDownstreamClientCaKeyPairId": "string",
"tlsUpstreamAllowRenegotiation": true,
"setRequestHeaders": {"property1": "string",
"property2": "string"
},
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"removeRequestHeaders": ["string"
],
"rewriteResponseHeaders": [{"header": "string",
"matcher": {"prefix": "string"
},
"value": "string"
}
],
"preserveHostHeader": true,
"passIdentityHeaders": true,
"kubernetesServiceAccountToken": "string",
"redirect": {"httpsRedirect": true,
"schemeRedirect": "string",
"hostRedirect": "string",
"portRedirect": 0,
"pathRedirect": "string",
"prefixRewrite": "string",
"responseCode": 0,
"stripQuery": true
},
"enableGoogleCloudServerlessAuthentication": true,
"jwtIssuerFormat": "hostOnly",
"showErrorDetails": true,
"healthCheck": {"timeout": "string",
"interval": "string",
"unhealthyThreshold": 0,
"healthyThreshold": 0,
"type": "http",
"host": "string",
"path": "string",
"expectedStatuses": [{"start": 0,
"end": 0
}
],
"codecClientType": "http1"
},
"loadBalancingPolicy": "round_robin",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"policyIds": ["string"
],
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"dependsOn": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"mcp": {"server": {"upstreamOAuth2": {"clientId": "string",
"clientSecret": "string",
"oauth2Endpoint": {"authUrl": "string",
"tokenUrl": "string",
"authStyle": "OAUTH2_AUTH_STYLE_UNSPECIFIED"
},
"scopes": ["string"
]
},
"maxRequestBytes": 0,
"path": "string"
},
"client": { }
},
"healthyPanicThreshold": 100,
"upstreamTunnel": { },
"enforcedPolicies": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"enforcedPolicyIds": ["string"
],
"policies": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}

deleteRoute

Delete route

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
routeId required	string ID of route

Responses

getRoute

Get route

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
routeId required	string ID of route

Responses

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"name": "string",
"description": "string",
"logoUrl": "string",
"from": "string",
"to": ["string"
],
"response": {"status": 200,
"body": "string"
},
"prefix": "string",
"path": "string",
"regex": "string",
"prefixRewrite": "string",
"regexRewritePattern": "string",
"regexRewriteSubstitution": "string",
"hostRewrite": "string",
"hostRewriteHeader": "string",
"hostPathRegexRewritePattern": "string",
"hostPathRegexRewriteSubstitution": "string",
"regexPriorityOrder": 0,
"timeout": "string",
"idleTimeout": "string",
"allowWebsockets": true,
"allowSpdy": true,
"tlsSkipVerify": true,
"tlsUpstreamServerName": "string",
"tlsDownstreamServerName": "string",
"tlsCustomCaKeyPairId": "string",
"tlsClientKeyPairId": "string",
"tlsDownstreamClientCaKeyPairId": "string",
"tlsUpstreamAllowRenegotiation": true,
"setRequestHeaders": {"property1": "string",
"property2": "string"
},
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"removeRequestHeaders": ["string"
],
"rewriteResponseHeaders": [{"header": "string",
"matcher": {"prefix": "string"
},
"value": "string"
}
],
"preserveHostHeader": true,
"passIdentityHeaders": true,
"kubernetesServiceAccountToken": "string",
"redirect": {"httpsRedirect": true,
"schemeRedirect": "string",
"hostRedirect": "string",
"portRedirect": 0,
"pathRedirect": "string",
"prefixRewrite": "string",
"responseCode": 0,
"stripQuery": true
},
"enableGoogleCloudServerlessAuthentication": true,
"jwtIssuerFormat": "hostOnly",
"showErrorDetails": true,
"healthCheck": {"timeout": "string",
"interval": "string",
"unhealthyThreshold": 0,
"healthyThreshold": 0,
"type": "http",
"host": "string",
"path": "string",
"expectedStatuses": [{"start": 0,
"end": 0
}
],
"codecClientType": "http1"
},
"loadBalancingPolicy": "round_robin",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"policyIds": ["string"
],
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"dependsOn": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"mcp": {"server": {"upstreamOAuth2": {"clientId": "string",
"clientSecret": "string",
"oauth2Endpoint": {"authUrl": "string",
"tokenUrl": "string",
"authStyle": "OAUTH2_AUTH_STYLE_UNSPECIFIED"
},
"scopes": ["string"
]
},
"maxRequestBytes": 0,
"path": "string"
},
"client": { }
},
"healthyPanicThreshold": 100,
"upstreamTunnel": { },
"enforcedPolicies": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"enforcedPolicyIds": ["string"
],
"policies": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}

updateRoute

Update route

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
routeId required	string ID of route

Request Body schema: application/json
required

namespaceId required	string
name required	string (entityName) [ 1 .. 128 ] characters
description	string
logoUrl	string
from required	string <url>
to	Array of strings <url> [ items <url > ]
	object (RouteDirectResponse)
prefix	string
path	string
regex	string
prefixRewrite	string
regexRewritePattern	string
regexRewriteSubstitution	string
hostRewrite	string
hostRewriteHeader	string
hostPathRegexRewritePattern	string
hostPathRegexRewriteSubstitution	string
regexPriorityOrder	integer <int64>
timeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$
idleTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$
allowWebsockets required	boolean
allowSpdy required	boolean
tlsSkipVerify required	boolean
tlsUpstreamServerName	string
tlsDownstreamServerName	string
tlsCustomCaKeyPairId	string
tlsClientKeyPairId	string
tlsDownstreamClientCaKeyPairId	string
tlsUpstreamAllowRenegotiation required	boolean
	object (StringMap)
	object (StringMap)
removeRequestHeaders	Array of strings
	Array of objects (RouteRewriteHeader)
preserveHostHeader required	boolean
passIdentityHeaders	boolean
kubernetesServiceAccountToken	string
	object (RouteRedirect)
enableGoogleCloudServerlessAuthentication required	boolean
jwtIssuerFormat	string (JwtIssuerFormat) Enum: "hostOnly" "uri"
showErrorDetails required	boolean
	RouteHttpHealthCheck (object) or RouteTcpHealthCheck (object) or RouteGrpcHealthCheck (object) (RouteHealthCheck)
loadBalancingPolicy	string (RouteLoadBalancingPolicy) Enum: "round_robin" "least_request" "ring_hash" "random" "maglev"
identityProviderClientId	string
identityProviderClientSecret	string
policyIds required	Array of strings
bearerTokenFormat	string (BearerTokenFormat) Enum: "" "default" "idp_access_token" "idp_identity_token" The expected format of bearer tokens Go to Bearer Token Format reference
idpAccessTokenAllowedAudiences	Array of strings (StringList) Validates the audience claim of an IdP access token. Go to IDP Access Token Allowed Audiences reference
dependsOn	Array of strings Additional route domains to redirect through on login.
	object (CircuitBreakerThresholds) Sets the circuit breaker thresholds for a route. Go to Circuit Breaker Thresholds reference
	(object or null) or (object or null) (MCP)
healthyPanicThreshold	integer <int32> [ 0 .. 100 ] If the number of healthy hosts falls below this percentage, traffic will be balanced among all hosts regardless of health, allowing some requests to fail. 0% disables this behavior.
upstreamTunnel	object (UpstreamTunnel) Upstream tunnel configuration for this route

Responses

Request samples

Payload

Content type

application/json

{"namespaceId": "string",
"name": "string",
"description": "string",
"logoUrl": "string",
"from": "string",
"to": ["string"
],
"response": {"status": 200,
"body": "string"
},
"prefix": "string",
"path": "string",
"regex": "string",
"prefixRewrite": "string",
"regexRewritePattern": "string",
"regexRewriteSubstitution": "string",
"hostRewrite": "string",
"hostRewriteHeader": "string",
"hostPathRegexRewritePattern": "string",
"hostPathRegexRewriteSubstitution": "string",
"regexPriorityOrder": 0,
"timeout": "string",
"idleTimeout": "string",
"allowWebsockets": true,
"allowSpdy": true,
"tlsSkipVerify": true,
"tlsUpstreamServerName": "string",
"tlsDownstreamServerName": "string",
"tlsCustomCaKeyPairId": "string",
"tlsClientKeyPairId": "string",
"tlsDownstreamClientCaKeyPairId": "string",
"tlsUpstreamAllowRenegotiation": true,
"setRequestHeaders": {"property1": "string",
"property2": "string"
},
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"removeRequestHeaders": ["string"
],
"rewriteResponseHeaders": [{"header": "string",
"matcher": {"prefix": "string"
},
"value": "string"
}
],
"preserveHostHeader": true,
"passIdentityHeaders": true,
"kubernetesServiceAccountToken": "string",
"redirect": {"httpsRedirect": true,
"schemeRedirect": "string",
"hostRedirect": "string",
"portRedirect": 0,
"pathRedirect": "string",
"prefixRewrite": "string",
"responseCode": 0,
"stripQuery": true
},
"enableGoogleCloudServerlessAuthentication": true,
"jwtIssuerFormat": "hostOnly",
"showErrorDetails": true,
"healthCheck": {"timeout": "string",
"interval": "string",
"unhealthyThreshold": 0,
"healthyThreshold": 0,
"type": "http",
"host": "string",
"path": "string",
"expectedStatuses": [{"start": 0,
"end": 0
}
],
"codecClientType": "http1"
},
"loadBalancingPolicy": "round_robin",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"policyIds": ["string"
],
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"dependsOn": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"mcp": {"server": {"upstreamOAuth2": {"clientId": "string",
"clientSecret": "string",
"oauth2Endpoint": {"authUrl": "string",
"tokenUrl": "string",
"authStyle": "OAUTH2_AUTH_STYLE_UNSPECIFIED"
},
"scopes": ["string"
]
},
"maxRequestBytes": 0,
"path": "string"
},
"client": { }
},
"healthyPanicThreshold": 100,
"upstreamTunnel": { }
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"name": "string",
"description": "string",
"logoUrl": "string",
"from": "string",
"to": ["string"
],
"response": {"status": 200,
"body": "string"
},
"prefix": "string",
"path": "string",
"regex": "string",
"prefixRewrite": "string",
"regexRewritePattern": "string",
"regexRewriteSubstitution": "string",
"hostRewrite": "string",
"hostRewriteHeader": "string",
"hostPathRegexRewritePattern": "string",
"hostPathRegexRewriteSubstitution": "string",
"regexPriorityOrder": 0,
"timeout": "string",
"idleTimeout": "string",
"allowWebsockets": true,
"allowSpdy": true,
"tlsSkipVerify": true,
"tlsUpstreamServerName": "string",
"tlsDownstreamServerName": "string",
"tlsCustomCaKeyPairId": "string",
"tlsClientKeyPairId": "string",
"tlsDownstreamClientCaKeyPairId": "string",
"tlsUpstreamAllowRenegotiation": true,
"setRequestHeaders": {"property1": "string",
"property2": "string"
},
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"removeRequestHeaders": ["string"
],
"rewriteResponseHeaders": [{"header": "string",
"matcher": {"prefix": "string"
},
"value": "string"
}
],
"preserveHostHeader": true,
"passIdentityHeaders": true,
"kubernetesServiceAccountToken": "string",
"redirect": {"httpsRedirect": true,
"schemeRedirect": "string",
"hostRedirect": "string",
"portRedirect": 0,
"pathRedirect": "string",
"prefixRewrite": "string",
"responseCode": 0,
"stripQuery": true
},
"enableGoogleCloudServerlessAuthentication": true,
"jwtIssuerFormat": "hostOnly",
"showErrorDetails": true,
"healthCheck": {"timeout": "string",
"interval": "string",
"unhealthyThreshold": 0,
"healthyThreshold": 0,
"type": "http",
"host": "string",
"path": "string",
"expectedStatuses": [{"start": 0,
"end": 0
}
],
"codecClientType": "http1"
},
"loadBalancingPolicy": "round_robin",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"policyIds": ["string"
],
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"dependsOn": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"mcp": {"server": {"upstreamOAuth2": {"clientId": "string",
"clientSecret": "string",
"oauth2Endpoint": {"authUrl": "string",
"tokenUrl": "string",
"authStyle": "OAUTH2_AUTH_STYLE_UNSPECIFIED"
},
"scopes": ["string"
]
},
"maxRequestBytes": 0,
"path": "string"
},
"client": { }
},
"healthyPanicThreshold": 100,
"upstreamTunnel": { },
"enforcedPolicies": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"enforcedPolicyIds": ["string"
],
"policies": [{"id": "string",
"name": "string",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}

getRouteCertificates

Get certificates that match the given route

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
routeId required	string ID of route

Responses

Response samples

Content type

application/json

[{"certificateInfo": [{"version": 0,
"serial": "string",
"issuer": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"subject": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"notBefore": "2019-08-24T14:15:22Z",
"notAfter": "2019-08-24T14:15:22Z",
"keyUsage": {"digitalSignature": true,
"contentCommitment": true,
"keyEncipherment": true,
"dataEncipherment": true,
"keyAgreement": true,
"certSign": true,
"crlSign": true,
"encipherOnly": true,
"decipherOnly": true
},
"extKeyUsage": {"any": true,
"serverAuth": true,
"clientAuth": true,
"codeSigning": true,
"emailProtection": true,
"ipsecEndSystem": true,
"ipsecTunnel": true,
"ipsecUser": true,
"timeStamping": true,
"ocspSigning": true,
"microsoftServerGatedCrypto": true,
"netscapeServerGatedCrypto": true,
"microsoftCommercialCodeSigning": true,
"microsoftKernelCodeSigning": true
},
"dnsNames": ["string"
],
"emailAddresses": ["string"
],
"ipAddresses": ["string"
],
"uris": ["string"
],
"permittedDnsDomainsCritical": true,
"permittedDnsDomains": ["string"
],
"excludedDnsDomains": ["string"
],
"permittedIpRanges": ["string"
],
"excludedIpRanges": ["string"
],
"permittedEmailAddresses": ["string"
],
"excludedEmailAddresses": ["string"
],
"permittedUriDomains": ["string"
],
"excludedUriDomains": ["string"
]
}
],
"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"certificate": "string",
"name": "string",
"hasKey": true,
"origin": "system",
"status": "pending"
}
]

token

The token service is where you can exchange a valid API refresh token for a new ID token.

getIdToken

Exchange API refresh token for ID token

Request Body schema: application/json
required

refreshToken

required

string

API refresh token

Responses

Request samples

Payload

Content type

application/json

{"refreshToken": "string"
}

Response samples

Content type

application/json

{"idToken": "string",
"expiresInSeconds": "string"
}

keyPair

The keypair service is where you can manage global- and route-level certificates for your organization.

listKeyPairs

List key pairs

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

namespaceId required	string ID of namespace
includeDescendants	boolean include resources from descendant namespaces
	object (FilterForKeyPairs) Filter for key pairs
limit	integer limit number of resources returned
offset	integer offset of the resources
orderBy	Array of strings (ListKeyPairsOrderByField) Items Enum: "-cluster" "-id" "-issuer" "-name" "-notAfter" "-status" "-subject" "-updatedAt" "cluster" "id" "issuer" "name" "notAfter" "status" "subject" "updatedAt" order by for key pairs

Responses

Response samples

Content type

application/json

[{"certificateInfo": [{"version": 0,
"serial": "string",
"issuer": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"subject": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"notBefore": "2019-08-24T14:15:22Z",
"notAfter": "2019-08-24T14:15:22Z",
"keyUsage": {"digitalSignature": true,
"contentCommitment": true,
"keyEncipherment": true,
"dataEncipherment": true,
"keyAgreement": true,
"certSign": true,
"crlSign": true,
"encipherOnly": true,
"decipherOnly": true
},
"extKeyUsage": {"any": true,
"serverAuth": true,
"clientAuth": true,
"codeSigning": true,
"emailProtection": true,
"ipsecEndSystem": true,
"ipsecTunnel": true,
"ipsecUser": true,
"timeStamping": true,
"ocspSigning": true,
"microsoftServerGatedCrypto": true,
"netscapeServerGatedCrypto": true,
"microsoftCommercialCodeSigning": true,
"microsoftKernelCodeSigning": true
},
"dnsNames": ["string"
],
"emailAddresses": ["string"
],
"ipAddresses": ["string"
],
"uris": ["string"
],
"permittedDnsDomainsCritical": true,
"permittedDnsDomains": ["string"
],
"excludedDnsDomains": ["string"
],
"permittedIpRanges": ["string"
],
"excludedIpRanges": ["string"
],
"permittedEmailAddresses": ["string"
],
"excludedEmailAddresses": ["string"
],
"permittedUriDomains": ["string"
],
"excludedUriDomains": ["string"
]
}
],
"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"certificate": "string",
"name": "string",
"hasKey": true,
"origin": "system",
"status": "pending"
}
]

createKeyPair

Create keyPair

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

key	string
namespaceId required	string
certificate	string
name	string

Responses

Request samples

Payload

Content type

application/json

{"key": "string",
"namespaceId": "string",
"certificate": "string",
"name": "string"
}

Response samples

Content type

application/json

{"certificateInfo": [{"version": 0,
"serial": "string",
"issuer": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"subject": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"notBefore": "2019-08-24T14:15:22Z",
"notAfter": "2019-08-24T14:15:22Z",
"keyUsage": {"digitalSignature": true,
"contentCommitment": true,
"keyEncipherment": true,
"dataEncipherment": true,
"keyAgreement": true,
"certSign": true,
"crlSign": true,
"encipherOnly": true,
"decipherOnly": true
},
"extKeyUsage": {"any": true,
"serverAuth": true,
"clientAuth": true,
"codeSigning": true,
"emailProtection": true,
"ipsecEndSystem": true,
"ipsecTunnel": true,
"ipsecUser": true,
"timeStamping": true,
"ocspSigning": true,
"microsoftServerGatedCrypto": true,
"netscapeServerGatedCrypto": true,
"microsoftCommercialCodeSigning": true,
"microsoftKernelCodeSigning": true
},
"dnsNames": ["string"
],
"emailAddresses": ["string"
],
"ipAddresses": ["string"
],
"uris": ["string"
],
"permittedDnsDomainsCritical": true,
"permittedDnsDomains": ["string"
],
"excludedDnsDomains": ["string"
],
"permittedIpRanges": ["string"
],
"excludedIpRanges": ["string"
],
"permittedEmailAddresses": ["string"
],
"excludedEmailAddresses": ["string"
],
"permittedUriDomains": ["string"
],
"excludedUriDomains": ["string"
]
}
],
"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"certificate": "string",
"name": "string",
"hasKey": true,
"origin": "system",
"status": "pending"
}

deleteKeyPair

Delete keyPair

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
keyPairId required	string ID of namespace

Responses

getKeyPair

Get keyPair

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
keyPairId required	string ID of namespace

Responses

Response samples

Content type

application/json

{"certificateInfo": [{"version": 0,
"serial": "string",
"issuer": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"subject": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"notBefore": "2019-08-24T14:15:22Z",
"notAfter": "2019-08-24T14:15:22Z",
"keyUsage": {"digitalSignature": true,
"contentCommitment": true,
"keyEncipherment": true,
"dataEncipherment": true,
"keyAgreement": true,
"certSign": true,
"crlSign": true,
"encipherOnly": true,
"decipherOnly": true
},
"extKeyUsage": {"any": true,
"serverAuth": true,
"clientAuth": true,
"codeSigning": true,
"emailProtection": true,
"ipsecEndSystem": true,
"ipsecTunnel": true,
"ipsecUser": true,
"timeStamping": true,
"ocspSigning": true,
"microsoftServerGatedCrypto": true,
"netscapeServerGatedCrypto": true,
"microsoftCommercialCodeSigning": true,
"microsoftKernelCodeSigning": true
},
"dnsNames": ["string"
],
"emailAddresses": ["string"
],
"ipAddresses": ["string"
],
"uris": ["string"
],
"permittedDnsDomainsCritical": true,
"permittedDnsDomains": ["string"
],
"excludedDnsDomains": ["string"
],
"permittedIpRanges": ["string"
],
"excludedIpRanges": ["string"
],
"permittedEmailAddresses": ["string"
],
"excludedEmailAddresses": ["string"
],
"permittedUriDomains": ["string"
],
"excludedUriDomains": ["string"
]
}
],
"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"certificate": "string",
"name": "string",
"hasKey": true,
"origin": "system",
"status": "pending"
}

updateKeyPair

Update keyPair. If the certificate and/or key is not set the existing certificate and/or key will be preserved.

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
keyPairId required	string ID of namespace

Request Body schema: application/json
required

key	string
namespaceId required	string
certificate	string
name	string

Responses

Request samples

Payload

Content type

application/json

{"key": "string",
"namespaceId": "string",
"certificate": "string",
"name": "string"
}

Response samples

Content type

application/json

{"certificateInfo": [{"version": 0,
"serial": "string",
"issuer": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"subject": {"country": ["string"
],
"organization": ["string"
],
"organizationalUnit": ["string"
],
"locality": ["string"
],
"province": ["string"
],
"streetAddress": ["string"
],
"postalCode": ["string"
],
"serialNumber": "string",
"commonName": "string"
},
"notBefore": "2019-08-24T14:15:22Z",
"notAfter": "2019-08-24T14:15:22Z",
"keyUsage": {"digitalSignature": true,
"contentCommitment": true,
"keyEncipherment": true,
"dataEncipherment": true,
"keyAgreement": true,
"certSign": true,
"crlSign": true,
"encipherOnly": true,
"decipherOnly": true
},
"extKeyUsage": {"any": true,
"serverAuth": true,
"clientAuth": true,
"codeSigning": true,
"emailProtection": true,
"ipsecEndSystem": true,
"ipsecTunnel": true,
"ipsecUser": true,
"timeStamping": true,
"ocspSigning": true,
"microsoftServerGatedCrypto": true,
"netscapeServerGatedCrypto": true,
"microsoftCommercialCodeSigning": true,
"microsoftKernelCodeSigning": true
},
"dnsNames": ["string"
],
"emailAddresses": ["string"
],
"ipAddresses": ["string"
],
"uris": ["string"
],
"permittedDnsDomainsCritical": true,
"permittedDnsDomains": ["string"
],
"excludedDnsDomains": ["string"
],
"permittedIpRanges": ["string"
],
"excludedIpRanges": ["string"
],
"permittedEmailAddresses": ["string"
],
"excludedEmailAddresses": ["string"
],
"permittedUriDomains": ["string"
],
"excludedUriDomains": ["string"
]
}
],
"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"namespaceId": "string",
"certificate": "string",
"name": "string",
"hasKey": true,
"origin": "system",
"status": "pending"
}

namespace

The namespace service is where you can manage namespaces within an organization.

listNamespaces

List namespaces

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"parentId": "string",
"name": "string",
"type": "cluster",
"role": "admin"
}
]

changeset

The changeset service is where you can list, get, and apply changesets within a cluster or namespace.

listChangesets

List changesets

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

status	string (ChangesetStatus) Enum: "pending" "applying" "applied" "failed" "current" "rejected" status of changeset
clusterId	string ID of cluster
	object (FilterForChangesets) Filter for changesets
limit	integer limit number of resources returned
offset	integer offset of the resources
orderBy	Array of strings (ListChangesetsOrderByField) Items Enum: "-cluster" "-createdAt" "-failureMessage" "-id" "-status" "-updatedAt" "cluster" "createdAt" "failureMessage" "id" "status" "updatedAt" order by for changesets

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"failureMessage": "string",
"namespaceId": "string",
"status": "pending"
}
]

compareChangesets

Compare changesets

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

clusterId required	string ID of cluster
firstId	string id of the first changeset to compare
secondId	string id of the second changeset to compare

Responses

Response samples

Content type

application/json

{"startChangeset": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"failureMessage": "string",
"namespaceId": "string",
"status": "pending"
},
"endChangeset": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"failureMessage": "string",
"namespaceId": "string",
"status": "pending"
},
"entities": [[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"activityType": "create",
"applied": {"at": "2019-08-24T14:15:22Z",
"by": {"id": "string",
"email": "user@example.com",
"displayName": "string",
"photoUrl": "string"
},
"changesetId": "string"
},
"entity": {"type": "changeset",
"id": "string",
"data": { }
},
"namespace": {"id": "string",
"name": "string"
},
"user": {"id": "string",
"email": "user@example.com",
"displayName": "string",
"photoUrl": "string"
}
}
]
]
}

applyChangeset

Apply changeset

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
changesetId required	string ID of changeset

Responses

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"failureMessage": "string",
"namespaceId": "string",
"status": "pending"
}

updateSettings

Update settings

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

logLevel required	string Sets the global logging level for Pomerium. Only logs of the desired level and above will be logged. Go to Log Level reference
proxyLogLevel	string Sets the logging level for the Pomerium Proxy service access logs. Only logs of the desired level and above will be logged. Go to Proxy Log Level reference
address required	string <ipport> Specifies the IP Address and Port to serve HTTP requests from. If empty, `:443` is used. Go to Address reference
dnsLookupFamily required	string (DNSLookupFamily) Enum: "V4_ONLY" "V6_ONLY" "V4_PREFERRED" "AUTO" "ALL" Sets the DNS IP address resolution policy. Go to DNS Lookup Family reference
dnsFailureRefreshRate	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the rate at which DNS lookups are refreshed when requests are failing. Go to DNS Failure Refresh Rate reference
dnsQueryTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the amount of time each name server is given to respond to a query on the first try of any given server. Go to DNS Query Timeout reference
dnsQueryTries	integer <uint32> Sets the maximum number of query attempts the resolver will make before giving up. Each attempt may use a different name server. Go to DNS Query Tries reference
dnsRefreshRate	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the rate at which DNS lookups are refreshed. Go to DNS Refresh Rate reference
dnsUdpMaxQueries	integer <uint32> Caps the number of UDP based DNS queries on a single port. Go to DNS UDP Max Queries reference
dnsUseTcp	boolean Use TCP instead of UDP for DNS queries. Go to DNS Use TCP reference
httpRedirectAddr	string <ipport> Specifies the IP Address and Port to redirect HTTP to HTTPS traffic on. If unset, no redirect server is started. Go to HTTP Redirect Address reference
timeoutRead required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the amount of time for the entire request stream to be received from the client. Go to Global Timeouts reference
timeoutWrite required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the max stream duration is the maximum time that a stream’s lifetime will span. Go to Global Timeouts reference
timeoutIdle required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the idle timeout is the time at which a downstream or upstream connection will be terminated if there are no active streams. Go to Global Timeouts reference
codecType required	string (CodecType) Enum: "" "auto" "http1" "http2" "http3" Sets the codec type.
cookieName required	string Sets the name of the session cookie sent to clients. Go to Cookie Settings reference
cookieSecret	string Sets the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you. Go to Cookie Settings reference
cookieDomain	string Sets the scope of session cookies issued by Pomerium. If you specify the domain explicitly, then subdomains would also be included. Go to Cookie Settings reference
cookieHttpOnly required	boolean If true, this setting forbids JavaScript from accessing the cookie. Go to Cookie Settings reference
cookieExpire required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the lifetime of session cookies. After this interval, users must reauthenticate. Go to Cookie Settings reference
cookieSameSite	string Sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests. Go to Cookie Settings reference
certificateAuthorityKeyPairId	string ID of CA's public and private key pair.
	object (StringMap) Specifies a mapping of HTTP Headers added globally to all managed routes and Pomerium's Authenticate Service. Go to Set Response Headers reference
	object (StringMap) Pass specific user session data to upstream applications as unsigned HTTP request headers. Go to JWT Claim Headers reference
defaultUpstreamTimeout required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The default timeout applied to a proxied route when no timeout key is specified by the policy. Go to Default Upstream Timeout reference
metricsAddress	string Exposes a Prometheus endpoint on the specified port. Go to Metrics Settings reference
otelTracesExporter	string The name of the tracing provider. Available options are "none" (default) or "otlp". Go to Tracing Reference
otelTracesSamplerArg	number <double> Percentage of requests to sample in decimal notation. The default is 1.0, or 100%. Go to Tracing Reference
otelResourceAttributes	Array of strings (StringList) Key-value pairs to be used as additional resource attributes Go to Tracing Reference
otelLogLevel	string Log level used by the OTEL SDK Go to Tracing Reference
otelAttributeValueLengthLimit	integer <int32> Maximum allowed attribute value size Go to Tracing Reference
otelExporterOtlpEndpoint	string Endpoint URL for OTLP data Go to Tracing Reference
otelExporterOtlpTracesEndpoint	string Endpoint URL for OTLP trace data Go to Tracing Reference
otelExporterOtlpProtocol	string Transport protocol to be used for OTLP data Go to Tracing Reference
otelExporterOtlpTracesProtocol	string Transport protocol to be used for OTLP trace data Go to Tracing Reference
otelExporterOtlpHeaders	Array of strings (StringList) Key=Value headers to add to all outgoing export requests Go to Tracing Reference
otelExporterOtlpTracesHeaders	Array of strings (StringList) Key=Value headers to add to all outgoing trace export requests Go to Tracing Reference
otelExporterOtlpTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The timeout value for all outgoing data (traces, metrics, and logs) Go to Tracing Reference
otelExporterOtlpTracesTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The timeout value for all outgoing traces Go to Tracing Reference
otelBspScheduleDelay	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The interval at which trace data is exported Go to Tracing Reference
otelBspMaxExportBatchSize	integer <int32> Maximum span batch size Go to Tracing Reference
downstreamMtlsCaKeyPairId	string Key pair ID of the downstream client CA. If set, requires mTLS for incoming requests. Go to Downstream mTLS reference
googleCloudServerlessAuthenticationServiceAccount	string Specifies the Service Account credentials to support GCP's Authorization Header format. Go to Google Cloud Serverless Authn SA reference
skipXffAppend required	boolean If true, the incoming X-Forwarded-For HTTP header would not be modified. Go to X-Forwarded-For reference
databrokerStorageConnection	string The databroker storage connection string. Go to Databroker Settings reference
accessLogFields	Array of strings (StringList) Controls which fields are included in the access logs. Go to Access Log Fields reference
authorizeLogFields	Array of strings (StringList) Controls which fields are included in the authorize logs. Go to Authorize Log Fields reference
passIdentityHeaders required	boolean
autoApplyChangesets required	boolean
authenticateServiceUrl	string <url> Specifies the URL to use for the authenticate service, if not using the Hosted Authenticate Service. (This URL should resolve to your Pomerium deployment.) Go to Authenticate Service URL reference
identityProvider	string (IdentityProviderType) Enum: "apple" "auth0" "azure" "cognito" "github" "gitlab" "google" "oidc" "okta" "onelogin" "ping" Identity provider type, if not using the Hosted Authenticate Service. Go to Identity Provider reference
identityProviderClientId	string Identity provider client ID, if not using the Hosted Authenticate Service. Go to Identity Provider Client ID reference
identityProviderClientSecret	string Identity provider client secret, if not using the Hosted Authenticate Service. Go to Identity Provider Client Secret reference
	object (StringMap) Identity provider request params, if not using the Hosted Authenticate Service. Go to Identity Provider Request Params reference
identityProviderScopes	Array of strings (StringList) Identity provider scopes, if not using the Hosted Authenticate Service. Go to Identity Provider Scopes reference
identityProviderUrl	string <url> Identity provider URL, if not using the Hosted Authenticate Service. (This is required only for certain identity providers types.) Go to Identity Provider URL reference
bearerTokenFormat	string (BearerTokenFormat) Enum: "" "default" "idp_access_token" "idp_identity_token" The expected format of bearer tokens Go to Bearer Token Format reference
idpAccessTokenAllowedAudiences	Array of strings (StringList) Validates the audience claim of an IdP access token. Go to IDP Access Token Allowed Audiences reference
	object (CircuitBreakerThresholds) Sets the circuit breaker thresholds for a route. Go to Circuit Breaker Thresholds reference
sshAddress	string Sets the SSH address. Go to SSH reference
sshHostKeys	Array of strings (StringList) Sets the SSH host keys. Go to SSH reference
sshUserCaKey	string Sets the SSH user CA key. Go to SSH reference

Responses

Request samples

Payload

Content type

application/json

{"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

patchSettings

Patch settings

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

Array

op required	string Enum: "add" "remove" "replace" "copy" "move" "test"
path required	string
value	any
from	string

Responses

Request samples

Payload

Content type

application/json

[{"op": "add",
"path": "string",
"value": null,
"from": "string"
}
]

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

settings

Manage configuration settings for a cluster within an organization.

getSettings

Get settings

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Responses

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

updateSettings

Update settings

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

logLevel required	string Sets the global logging level for Pomerium. Only logs of the desired level and above will be logged. Go to Log Level reference
proxyLogLevel	string Sets the logging level for the Pomerium Proxy service access logs. Only logs of the desired level and above will be logged. Go to Proxy Log Level reference
address required	string <ipport> Specifies the IP Address and Port to serve HTTP requests from. If empty, `:443` is used. Go to Address reference
dnsLookupFamily required	string (DNSLookupFamily) Enum: "V4_ONLY" "V6_ONLY" "V4_PREFERRED" "AUTO" "ALL" Sets the DNS IP address resolution policy. Go to DNS Lookup Family reference
dnsFailureRefreshRate	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the rate at which DNS lookups are refreshed when requests are failing. Go to DNS Failure Refresh Rate reference
dnsQueryTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the amount of time each name server is given to respond to a query on the first try of any given server. Go to DNS Query Timeout reference
dnsQueryTries	integer <uint32> Sets the maximum number of query attempts the resolver will make before giving up. Each attempt may use a different name server. Go to DNS Query Tries reference
dnsRefreshRate	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the rate at which DNS lookups are refreshed. Go to DNS Refresh Rate reference
dnsUdpMaxQueries	integer <uint32> Caps the number of UDP based DNS queries on a single port. Go to DNS UDP Max Queries reference
dnsUseTcp	boolean Use TCP instead of UDP for DNS queries. Go to DNS Use TCP reference
httpRedirectAddr	string <ipport> Specifies the IP Address and Port to redirect HTTP to HTTPS traffic on. If unset, no redirect server is started. Go to HTTP Redirect Address reference
timeoutRead required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the amount of time for the entire request stream to be received from the client. Go to Global Timeouts reference
timeoutWrite required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the max stream duration is the maximum time that a stream’s lifetime will span. Go to Global Timeouts reference
timeoutIdle required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the idle timeout is the time at which a downstream or upstream connection will be terminated if there are no active streams. Go to Global Timeouts reference
codecType required	string (CodecType) Enum: "" "auto" "http1" "http2" "http3" Sets the codec type.
cookieName required	string Sets the name of the session cookie sent to clients. Go to Cookie Settings reference
cookieSecret	string Sets the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you. Go to Cookie Settings reference
cookieDomain	string Sets the scope of session cookies issued by Pomerium. If you specify the domain explicitly, then subdomains would also be included. Go to Cookie Settings reference
cookieHttpOnly required	boolean If true, this setting forbids JavaScript from accessing the cookie. Go to Cookie Settings reference
cookieExpire required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ Sets the lifetime of session cookies. After this interval, users must reauthenticate. Go to Cookie Settings reference
cookieSameSite	string Sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests. Go to Cookie Settings reference
certificateAuthorityKeyPairId	string ID of CA's public and private key pair.
	object (StringMap) Specifies a mapping of HTTP Headers added globally to all managed routes and Pomerium's Authenticate Service. Go to Set Response Headers reference
	object (StringMap) Pass specific user session data to upstream applications as unsigned HTTP request headers. Go to JWT Claim Headers reference
defaultUpstreamTimeout required	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The default timeout applied to a proxied route when no timeout key is specified by the policy. Go to Default Upstream Timeout reference
metricsAddress	string Exposes a Prometheus endpoint on the specified port. Go to Metrics Settings reference
otelTracesExporter	string The name of the tracing provider. Available options are "none" (default) or "otlp". Go to Tracing Reference
otelTracesSamplerArg	number <double> Percentage of requests to sample in decimal notation. The default is 1.0, or 100%. Go to Tracing Reference
otelResourceAttributes	Array of strings (StringList) Key-value pairs to be used as additional resource attributes Go to Tracing Reference
otelLogLevel	string Log level used by the OTEL SDK Go to Tracing Reference
otelAttributeValueLengthLimit	integer <int32> Maximum allowed attribute value size Go to Tracing Reference
otelExporterOtlpEndpoint	string Endpoint URL for OTLP data Go to Tracing Reference
otelExporterOtlpTracesEndpoint	string Endpoint URL for OTLP trace data Go to Tracing Reference
otelExporterOtlpProtocol	string Transport protocol to be used for OTLP data Go to Tracing Reference
otelExporterOtlpTracesProtocol	string Transport protocol to be used for OTLP trace data Go to Tracing Reference
otelExporterOtlpHeaders	Array of strings (StringList) Key=Value headers to add to all outgoing export requests Go to Tracing Reference
otelExporterOtlpTracesHeaders	Array of strings (StringList) Key=Value headers to add to all outgoing trace export requests Go to Tracing Reference
otelExporterOtlpTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The timeout value for all outgoing data (traces, metrics, and logs) Go to Tracing Reference
otelExporterOtlpTracesTimeout	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The timeout value for all outgoing traces Go to Tracing Reference
otelBspScheduleDelay	string (Duration) ^([0-9]+(y\|w\|d\|h\|m\|s\|ms))+$ The interval at which trace data is exported Go to Tracing Reference
otelBspMaxExportBatchSize	integer <int32> Maximum span batch size Go to Tracing Reference
downstreamMtlsCaKeyPairId	string Key pair ID of the downstream client CA. If set, requires mTLS for incoming requests. Go to Downstream mTLS reference
googleCloudServerlessAuthenticationServiceAccount	string Specifies the Service Account credentials to support GCP's Authorization Header format. Go to Google Cloud Serverless Authn SA reference
skipXffAppend required	boolean If true, the incoming X-Forwarded-For HTTP header would not be modified. Go to X-Forwarded-For reference
databrokerStorageConnection	string The databroker storage connection string. Go to Databroker Settings reference
accessLogFields	Array of strings (StringList) Controls which fields are included in the access logs. Go to Access Log Fields reference
authorizeLogFields	Array of strings (StringList) Controls which fields are included in the authorize logs. Go to Authorize Log Fields reference
passIdentityHeaders required	boolean
autoApplyChangesets required	boolean
authenticateServiceUrl	string <url> Specifies the URL to use for the authenticate service, if not using the Hosted Authenticate Service. (This URL should resolve to your Pomerium deployment.) Go to Authenticate Service URL reference
identityProvider	string (IdentityProviderType) Enum: "apple" "auth0" "azure" "cognito" "github" "gitlab" "google" "oidc" "okta" "onelogin" "ping" Identity provider type, if not using the Hosted Authenticate Service. Go to Identity Provider reference
identityProviderClientId	string Identity provider client ID, if not using the Hosted Authenticate Service. Go to Identity Provider Client ID reference
identityProviderClientSecret	string Identity provider client secret, if not using the Hosted Authenticate Service. Go to Identity Provider Client Secret reference
	object (StringMap) Identity provider request params, if not using the Hosted Authenticate Service. Go to Identity Provider Request Params reference
identityProviderScopes	Array of strings (StringList) Identity provider scopes, if not using the Hosted Authenticate Service. Go to Identity Provider Scopes reference
identityProviderUrl	string <url> Identity provider URL, if not using the Hosted Authenticate Service. (This is required only for certain identity providers types.) Go to Identity Provider URL reference
bearerTokenFormat	string (BearerTokenFormat) Enum: "" "default" "idp_access_token" "idp_identity_token" The expected format of bearer tokens Go to Bearer Token Format reference
idpAccessTokenAllowedAudiences	Array of strings (StringList) Validates the audience claim of an IdP access token. Go to IDP Access Token Allowed Audiences reference
	object (CircuitBreakerThresholds) Sets the circuit breaker thresholds for a route. Go to Circuit Breaker Thresholds reference
sshAddress	string Sets the SSH address. Go to SSH reference
sshHostKeys	Array of strings (StringList) Sets the SSH host keys. Go to SSH reference
sshUserCaKey	string Sets the SSH user CA key. Go to SSH reference

Responses

Request samples

Payload

Content type

application/json

{"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

patchSettings

Patch settings

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

Array

op required	string Enum: "add" "remove" "replace" "copy" "move" "test"
path required	string
value	any
from	string

Responses

Request samples

Payload

Content type

application/json

[{"op": "add",
"path": "string",
"value": null,
"from": "string"
}
]

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"logLevel": "string",
"proxyLogLevel": "string",
"address": "string",
"dnsLookupFamily": "V4_ONLY",
"dnsFailureRefreshRate": "string",
"dnsQueryTimeout": "string",
"dnsQueryTries": 0,
"dnsRefreshRate": "string",
"dnsUdpMaxQueries": 0,
"dnsUseTcp": true,
"httpRedirectAddr": "string",
"timeoutRead": "string",
"timeoutWrite": "string",
"timeoutIdle": "string",
"codecType": "",
"cookieName": "string",
"cookieSecret": "string",
"cookieDomain": "string",
"cookieHttpOnly": true,
"cookieExpire": "string",
"cookieSameSite": "string",
"certificateAuthorityKeyPairId": "string",
"setResponseHeaders": {"property1": "string",
"property2": "string"
},
"jwtClaimsHeaders": {"property1": "string",
"property2": "string"
},
"defaultUpstreamTimeout": "string",
"metricsAddress": "string",
"otelTracesExporter": "string",
"otelTracesSamplerArg": 0.1,
"otelResourceAttributes": ["string"
],
"otelLogLevel": "string",
"otelAttributeValueLengthLimit": 0,
"otelExporterOtlpEndpoint": "string",
"otelExporterOtlpTracesEndpoint": "string",
"otelExporterOtlpProtocol": "string",
"otelExporterOtlpTracesProtocol": "string",
"otelExporterOtlpHeaders": ["string"
],
"otelExporterOtlpTracesHeaders": ["string"
],
"otelExporterOtlpTimeout": "string",
"otelExporterOtlpTracesTimeout": "string",
"otelBspScheduleDelay": "string",
"otelBspMaxExportBatchSize": 0,
"downstreamMtlsCaKeyPairId": "string",
"googleCloudServerlessAuthenticationServiceAccount": "string",
"skipXffAppend": true,
"databrokerStorageConnection": "string",
"accessLogFields": ["string"
],
"authorizeLogFields": ["string"
],
"passIdentityHeaders": true,
"autoApplyChangesets": true,
"authenticateServiceUrl": "string",
"identityProvider": "apple",
"identityProviderClientId": "string",
"identityProviderClientSecret": "string",
"identityProviderRequestParams": {"property1": "string",
"property2": "string"
},
"identityProviderScopes": ["string"
],
"identityProviderUrl": "string",
"bearerTokenFormat": "",
"idpAccessTokenAllowedAudiences": ["string"
],
"circuitBreakerThresholds": {"maxConnections": 0,
"maxPendingRequests": 0,
"maxRequests": 0,
"maxRetries": 0,
"maxConnectionPools": 0
},
"sshAddress": "string",
"sshHostKeys": ["string"
],
"sshUserCaKey": "string"
}

cluster

A cluster represents an isolated Pomerium Core instance within your organization. An organization can have multiple clusters with separate configurations depending on the organization’s use case.

createOrganization

Create organization

Authorizations:

bearerAuth

Request Body schema: application/json
required

name required	string
logoURL	string <url> URL to an image that will be used as the organization logo. User may provide a URL to an image hosted on a third party service, or upload an image to the dashboard, which would result in an URL being generated.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"logoURL": "string"
}

Response samples

Content type

application/json

{"cluster": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"manualOverrideIpAddress": "string",
"flavor": "standard",
"fqdn": "string",
"autoDetectIpAddress": "string",
"namespaceId": "string",
"hasFailingHealthChecks": true,
"minReplicaVersion": "string",
"domain": "string",
"onboardingStatus": "string",
"importStatus": {"timestamp": "2019-08-24T14:15:22Z",
"hints": {"systemType": "string",
"hostname": "string",
"kubernetesNamespace": "string",
"argv0": "string",
"configArg": "string"
},
"messages": ["string"
],
"warnings": ["string"
],
"error": "string"
},
"refreshToken": "string"
},
"namespace": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"parentId": "string",
"name": "string",
"type": "cluster"
},
"organization": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"logoURL": "string",
"organizationType": "personal",
"ownerUserId": "string",
"role": "owner",
"joinedAt": "2019-08-24T14:15:22Z",
"quotas": {"administrators": 0,
"apiUsers": 0,
"certificates": 0,
"clusters": 0,
"customDomains": 0,
"policies": 0,
"replicas": 0,
"routes": 0,
"serviceAccounts": 0
},
"readOnly": true
}
}

listClusters

List clusters

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"manualOverrideIpAddress": "string",
"flavor": "standard",
"fqdn": "string",
"autoDetectIpAddress": "string",
"namespaceId": "string",
"hasFailingHealthChecks": true,
"minReplicaVersion": "string",
"domain": "string",
"onboardingStatus": "string",
"importStatus": {"timestamp": "2019-08-24T14:15:22Z",
"hints": {"systemType": "string",
"hostname": "string",
"kubernetesNamespace": "string",
"argv0": "string",
"configArg": "string"
},
"messages": ["string"
],
"warnings": ["string"
],
"error": "string"
}
}
]

createCluster

Create cluster

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

name required	string
manualOverrideIpAddress	string <ip> (IPAddress)
flavor	string (ClusterFlavor) Enum: "standard" "hosted" The flavor of the cluster
domain required	string

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"manualOverrideIpAddress": "string",
"flavor": "standard",
"domain": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"manualOverrideIpAddress": "string",
"flavor": "standard",
"fqdn": "string",
"autoDetectIpAddress": "string",
"namespaceId": "string",
"hasFailingHealthChecks": true,
"minReplicaVersion": "string",
"domain": "string",
"onboardingStatus": "string",
"importStatus": {"timestamp": "2019-08-24T14:15:22Z",
"hints": {"systemType": "string",
"hostname": "string",
"kubernetesNamespace": "string",
"argv0": "string",
"configArg": "string"
},
"messages": ["string"
],
"warnings": ["string"
],
"error": "string"
},
"refreshToken": "string"
}

deleteCluster

Delete cluster

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Responses

getCluster

Get cluster

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Responses

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"manualOverrideIpAddress": "string",
"flavor": "standard",
"fqdn": "string",
"autoDetectIpAddress": "string",
"namespaceId": "string",
"hasFailingHealthChecks": true,
"minReplicaVersion": "string",
"domain": "string",
"onboardingStatus": "string",
"importStatus": {"timestamp": "2019-08-24T14:15:22Z",
"hints": {"systemType": "string",
"hostname": "string",
"kubernetesNamespace": "string",
"argv0": "string",
"configArg": "string"
},
"messages": ["string"
],
"warnings": ["string"
],
"error": "string"
}
}

updateCluster

Update cluster

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

name required	string
manualOverrideIpAddress	string <ip> (IPAddress)
flavor	string (ClusterFlavor) Enum: "standard" "hosted" The flavor of the cluster

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"manualOverrideIpAddress": "string",
"flavor": "standard"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"manualOverrideIpAddress": "string",
"flavor": "standard",
"fqdn": "string",
"autoDetectIpAddress": "string",
"namespaceId": "string",
"hasFailingHealthChecks": true,
"minReplicaVersion": "string",
"domain": "string",
"onboardingStatus": "string",
"importStatus": {"timestamp": "2019-08-24T14:15:22Z",
"hints": {"systemType": "string",
"hostname": "string",
"kubernetesNamespace": "string",
"argv0": "string",
"configArg": "string"
},
"messages": ["string"
],
"warnings": ["string"
],
"error": "string"
}
}

listClusterReplicas

List replicas known for a cluster

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

query Parameters

startTime required	string <date-time> Start time of the time range
endTime required	string <date-time> Start time of the time range

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"hostname": "string"
}
]

getClusterHealth

Get cluster health check data

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Responses

Response samples

Content type

application/json

[{"description": "string",
"helpUrl": "string",
"hostname": "string",
"status": "success",
"updatedAt": "2019-08-24T14:15:22Z"
}
]

rotateClusterToken

Rotate cluster identity token. This token is used to authenticate the cluster to the Pomerium Zero API. Only one token may be active at a time. Requesting a new token will invalidate the previous one.

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Responses

Response samples

Content type

application/json

{"refreshToken": "string"
}

quota

Quota counts and limits for an organization.

getQuotas

Get quotas

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

namespaceId

string

ID of namespace

Responses

Response samples

Content type

application/json

{"counts": {"administrators": 0,
"apiUsers": 0,
"certificates": 0,
"clusters": 0,
"customDomains": 0,
"policies": 0,
"replicas": 0,
"routes": 0,
"serviceAccounts": 0
},
"limits": {"administrators": 0,
"apiUsers": 0,
"certificates": 0,
"clusters": 0,
"customDomains": 0,
"policies": 0,
"replicas": 0,
"routes": 0,
"serviceAccounts": 0
}
}

generateSubdomainName

Generate a subdomain name

Authorizations:

bearerAuth

Responses

Response samples

Content type

application/json

{"name": "string"
}

checkIdentityProviderSettings

Check identity provider settings

Authorizations:

bearerAuth

Request Body schema: application/json
required

provider required	string (IdentityProviderType) Enum: "apple" "auth0" "azure" "cognito" "github" "gitlab" "google" "oidc" "okta" "onelogin" "ping"
url	string
clientId	string
clientSecret	string
	object (StringMap)
scopes	Array of strings (StringList)

Responses

Request samples

Payload

Content type

application/json

{"provider": "apple",
"url": "string",
"clientId": "string",
"clientSecret": "string",
"requestParams": {"property1": "string",
"property2": "string"
},
"scopes": ["string"
]
}

Response samples

Content type

application/json

{"success": true,
"errors": {"provider": "string",
"url": "string",
"clientId": "string",
"clientSecret": "string",
"requestParams": "string",
"scopes": "string"
}
}

startOnboarding

Start onboarding

Authorizations:

bearerAuth

Request Body schema: application/json
required

system required	string
timezone required	string

Responses

Request samples

Payload

Content type

application/json

{"system": "string",
"timezone": "string"
}

Response samples

Content type

application/json

{"organizationId": "string",
"clusterId": "string",
"clusterToken": "string"
}

configureOnboarding

Configure onboarding

Authorizations:

bearerAuth

Request Body schema: application/json
required

ipAddress	string <ip> (IPAddress)
port	string <port> (Port)
system required	string
timezone required	string

Responses

Request samples

Payload

Content type

application/json

{"ipAddress": "string",
"port": "string",
"system": "string",
"timezone": "string"
}

Response samples

Content type

application/json

{ }

runHealthChecks

Request health checks to be re-run

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

object (ReRunHealthChecksRequest)

Responses

Request samples

Payload

Content type

application/json

{ }

getDistributionSum

Get distribution metric as a time series for a given percentile

Authorizations:

bearerAuth

path Parameters

clusterId required	string ID of cluster
organizationId required	string ID of organization
metricId required	string (DistributionMetricId) Value: "upstream_request_time" ID of distribution metric

query Parameters

startTime required	string <date-time> Start time of the time range
endTime required	string <date-time> Start time of the time range
routeId	string ID of route
replicaId	string ID of replica

Responses

Response samples

Content type

application/json

[{"labels": {"property1": "string",
"property2": "string"
},
"distributionValue": {"count": 0,
"mean": 0.1,
"explicitBucketBounds": [0.1
],
"bucketCounts": [0
]
},
"unit": "string"
}
]

getDistributionTimeSeries

Get distribution metric as a time series for a given percentile

Authorizations:

bearerAuth

path Parameters

clusterId required	string ID of cluster
organizationId required	string ID of organization
metricId required	string (DistributionMetricId) Value: "upstream_request_time" ID of distribution metric

query Parameters

percentile	integer (Percentile) Enum: 50 95 99 Percentile of the distribution
startTime required	string <date-time> Start time of the time range
endTime required	string <date-time> Start time of the time range
routeId	string ID of route
replicaId	string ID of replica

Responses

Response samples

Content type

application/json

[{"labels": {"property1": "string",
"property2": "string"
},
"points": [{"value": 0.1,
"timestamp": "2019-08-24T14:15:22Z"
}
],
"unit": "string"
}
]

getTimeSeries

Get time series for a metric

Authorizations:

bearerAuth

path Parameters

clusterId required	string ID of cluster
organizationId required	string ID of organization
metricId required	string (TimeSeriesMetricId) Enum: "mau" "dau" "upstream_requests" "upstream_rx_bytes" "upstream_tx_bytes" "authz_ok" "authz_err" "authz_denied" ID of cluster time series metric

query Parameters

startTime required	string <date-time> Start time of the time range
endTime required	string <date-time> Start time of the time range
routeId	string ID of route
replicaId	string ID of replica

Responses

Response samples

Content type

application/json

[{"labels": {"property1": "string",
"property2": "string"
},
"points": [{"value": 0.1,
"timestamp": "2019-08-24T14:15:22Z"
}
],
"unit": "string"
}
]

getTimeSeriesSum

Get route metric time series sum over the requested time range

Authorizations:

bearerAuth

path Parameters

clusterId required	string ID of cluster
organizationId required	string ID of organization
metricId required	string (TimeSeriesMetricId) Enum: "mau" "dau" "upstream_requests" "upstream_rx_bytes" "upstream_tx_bytes" "authz_ok" "authz_err" "authz_denied" ID of cluster time series metric

query Parameters

startTime required	string <date-time> Start time of the time range
endTime required	string <date-time> Start time of the time range
routeId	string ID of route
replicaId	string ID of replica

Responses

Response samples

Content type

application/json

[{"labels": {"property1": "string",
"property2": "string"
},
"value": 0.1,
"unit": "string"
}
]

pingCluster

Ping cluster

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Responses

Response samples

Content type

application/json

{"success": true,
"errorCode": "err_cluster_ping_no_identity",
"errorMessage": "string"
}

getVersion

Get version

Responses

Response samples

Content type

application/json

{"version": "string"
}

organization

acceptInvitation

Accept invitation

Authorizations:

bearerAuth

path Parameters

invitationId

required

string

ID of invitation

Responses

listOrganizations

List organizations

Authorizations:

bearerAuth

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"logoURL": "string",
"organizationType": "personal",
"ownerUserId": "string",
"role": "owner",
"joinedAt": "2019-08-24T14:15:22Z",
"quotas": {"administrators": 0,
"apiUsers": 0,
"certificates": 0,
"clusters": 0,
"customDomains": 0,
"policies": 0,
"replicas": 0,
"routes": 0,
"serviceAccounts": 0
},
"readOnly": true
}
]

createOrganization

Create organization

Authorizations:

bearerAuth

Request Body schema: application/json
required

name required	string
logoURL	string <url> URL to an image that will be used as the organization logo. User may provide a URL to an image hosted on a third party service, or upload an image to the dashboard, which would result in an URL being generated.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"logoURL": "string"
}

Response samples

Content type

application/json

{"cluster": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"manualOverrideIpAddress": "string",
"flavor": "standard",
"fqdn": "string",
"autoDetectIpAddress": "string",
"namespaceId": "string",
"hasFailingHealthChecks": true,
"minReplicaVersion": "string",
"domain": "string",
"onboardingStatus": "string",
"importStatus": {"timestamp": "2019-08-24T14:15:22Z",
"hints": {"systemType": "string",
"hostname": "string",
"kubernetesNamespace": "string",
"argv0": "string",
"configArg": "string"
},
"messages": ["string"
],
"warnings": ["string"
],
"error": "string"
},
"refreshToken": "string"
},
"namespace": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"parentId": "string",
"name": "string",
"type": "cluster"
},
"organization": {"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"logoURL": "string",
"organizationType": "personal",
"ownerUserId": "string",
"role": "owner",
"joinedAt": "2019-08-24T14:15:22Z",
"quotas": {"administrators": 0,
"apiUsers": 0,
"certificates": 0,
"clusters": 0,
"customDomains": 0,
"policies": 0,
"replicas": 0,
"routes": 0,
"serviceAccounts": 0
},
"readOnly": true
}
}

deleteOrganization

Delete organization

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

getOrganization

Get organization

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"logoURL": "string",
"organizationType": "personal",
"ownerUserId": "string",
"role": "owner",
"joinedAt": "2019-08-24T14:15:22Z",
"quotas": {"administrators": 0,
"apiUsers": 0,
"certificates": 0,
"clusters": 0,
"customDomains": 0,
"policies": 0,
"replicas": 0,
"routes": 0,
"serviceAccounts": 0
},
"readOnly": true
}

updateOrganization

Update organization

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

name required	string
logoURL	string <url> URL to an image that will be used as the organization logo. User may provide a URL to an image hosted on a third party service, or upload an image to the dashboard, which would result in an URL being generated.
ownerUserId	string

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"logoURL": "string",
"ownerUserId": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"name": "string",
"logoURL": "string",
"organizationType": "personal",
"ownerUserId": "string",
"role": "owner",
"joinedAt": "2019-08-24T14:15:22Z",
"quotas": {"administrators": 0,
"apiUsers": 0,
"certificates": 0,
"clusters": 0,
"customDomains": 0,
"policies": 0,
"replicas": 0,
"routes": 0,
"serviceAccounts": 0
},
"readOnly": true
}

leaveOrganization

Leave organization

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

defaultTemplate

listDefaultTemplates

List default templates

Authorizations:

bearerAuth

path Parameters

recordType

required

string (DefaultTemplateRecordType)

Enum: "route" "settings" "policy"

Type of record

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"recordType": "route",
"name": "string",
"defaultProperties": { }
}
]

billing

createBillingPortalSession

Create a new billing portal session

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

deepLink required	string Enum: "" "payment_method"
returnUrl required	string <url>

Responses

Request samples

Payload

Content type

application/json

{"deepLink": "",
"returnUrl": "string"
}

Response samples

Content type

application/json

{"url": "string"
}

createCheckoutSession

Create a new checkout session

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

billingEmail	string
cancelUrl required	string <url>
organizationName	string
successUrl required	string <url>

Responses

Request samples

Payload

Content type

application/json

{"billingEmail": "string",
"cancelUrl": "string",
"organizationName": "string",
"successUrl": "string"
}

Response samples

Content type

application/json

{"url": "string"
}

completeCheckoutSession

Complete a checkout session

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

checkoutSessionId

required

string

Responses

Request samples

Payload

Content type

application/json

{"checkoutSessionId": "string"
}

updateCustomerInformation

Update customer information

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

required

string

Responses

Request samples

Payload

Content type

application/json

{"email": "string"
}

listInvoices

List invoices

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

Response samples

Content type

application/json

[{"date": "2019-08-24T14:15:22Z",
"downloadUrl": "string",
"currency": "string",
"productName": "string",
"total": 0
}
]

getPaymentInformation

Get payment information

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

Response samples

Content type

application/json

{"billingEmail": "string",
"card": {"brand": "string",
"last4": "string"
},
"paymentMethod": "string"
}

getSubscriptionInformation

Get subscription information

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

Response samples

Content type

application/json

{"hasCustomerId": true,
"nextInvoiceDate": "2019-08-24T14:15:22Z",
"pricePerSeatPerMonthCents": 0,
"status": "active"
}

getBillingUsage

Get billing usage

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Responses

Response samples

Content type

application/json

{"admins": 0,
"auditors": 0,
"members": 0,
"owners": 0,
"time": "2019-08-24T14:15:22Z",
"users": 0
}

serviceAccount

listServiceAccounts

List service accounts

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

query Parameters

offset	integer offset of the resources
limit	integer limit number of resources returned

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"expiresAt": "2019-08-24T14:15:22Z",
"description": "string",
"userId": "string"
}
]

createServiceAccount

Create service account

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster

Request Body schema: application/json
required

expiresAt	string <date-time>
description required	string
userId required	string

Responses

Request samples

Payload

Content type

application/json

{"expiresAt": "2019-08-24T14:15:22Z",
"description": "string",
"userId": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"expiresAt": "2019-08-24T14:15:22Z",
"description": "string",
"userId": "string",
"token": "string"
}

deleteServiceAccount

Delete service account

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster
serviceAccountId required	string ID of service account

Responses

getServiceAccount

Get service account

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster
serviceAccountId required	string ID of service account

Responses

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"expiresAt": "2019-08-24T14:15:22Z",
"description": "string",
"userId": "string"
}

getServiceAccountToken

Get service account token

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
clusterId required	string ID of cluster
serviceAccountId required	string ID of service account

Responses

Response samples

Content type

application/json

{"token": "string"
}

customDomain

listCustomDomains

List custom domains

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

query Parameters

clusterId

required

string

ID of cluster

Responses

Response samples

Content type

application/json

[{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"clusterId": "string",
"domainName": "string",
"lastError": "string",
"keyPairId": "string",
"expiresAt": "2019-08-24T14:15:22Z"
}
]

addCustomDomain

Add custom domain

Authorizations:

bearerAuth

path Parameters

organizationId

required

string

ID of organization

Request Body schema: application/json
required

clusterId required	string
domainName required	string

Responses

Request samples

Payload

Content type

application/json

{"clusterId": "string",
"domainName": "string"
}

Response samples

Content type

application/json

{"id": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"clusterId": "string",
"domainName": "string",
"lastError": "string",
"keyPairId": "string",
"expiresAt": "2019-08-24T14:15:22Z"
}

deleteCustomDomain

Delete custom domain

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
customDomainId required	string ID of custom domain

Responses

retryCustomDomain

Retry provisioning a custom domain

Authorizations:

bearerAuth

path Parameters

organizationId required	string ID of organization
customDomainId required	string ID of custom domain

Responses

notification

authorizeNotifications

authorize notifications

Authorizations:

bearerAuth

Request Body schema: application/x-www-form-urlencoded
required

socket_id required	string
channel_name required	string

Responses

Response samples

Content type

application/json

{"auth": "string"
}

Pomerium Zero API Reference (0.1.0)

Authentication

user

deleteCurrentUser

Authorizations:

Responses

updateCurrentUserInfo

Authorizations:

Responses

Response samples

completeOnboarding

Authorizations:

Responses

listUsersInOrganization

Authorizations:

path Parameters

query Parameters

Responses

Response samples

createApiAccessUser

Authorizations:

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

removeUserFromOrganization

Authorizations:

path Parameters

Responses

RenewApiUserRefreshToken

Authorizations:

path Parameters

Responses

Response samples

invitation

listUserInvitations

Authorizations:

Responses

Response samples

acceptInvitation

Authorizations:

path Parameters

Responses

rejectInvitation

Authorizations:

path Parameters

Responses

invite

listOrganizationInvites

Authorizations:

path Parameters

Responses

Response samples

createOrganizationInvite

Authorizations:

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

deleteOrganizationInvite

Authorizations:

path Parameters

Responses

policy

listPolicies

Authorizations:

path Parameters

query Parameters

Responses

Response samples

createPolicy

Authorizations:

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

deletePolicy

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required