Skip to main content
The Identity API starts login flows, completes OTP/passkey flows, manages role and invite operations, and reads identity policies through API-key guarded runtime endpoints.

Auth

Use an API key:
Authorization: Bearer sk_your_api_key
Some identity flows may return or consume flow-specific tokens after the API-key-guarded start point. Developer-portal admin endpoints are intentionally omitted from this reference.

Start OAuth auth

GET /identity/api/auth/start Query parameters:
ParameterTypeDescription
providerstringProvider key
client_idstringIdentity client id
redirect_uristringRedirect URI registered for the client
statestringClient state returned with the redirect
networkenumNETWORK_DEVNET or NETWORK_MAINNET
flowstringFlow name such as role or session
policy_idstringPolicy used for signup/session flow
skip_approvalbooleanSkip approval when allowed
invite_tokenstringInvite token for invite acceptance flows
Response:
{
  "redirectUrl": "https://provider.example/authorize?...",
  "state": "client_state",
  "startToken": "start_token"
}

Start email OTP

POST /identity/api/auth/email/start
{
  "provider": "email",
  "clientId": "client_123",
  "redirectUri": "https://app.example/callback",
  "state": "client_state",
  "network": "NETWORK_DEVNET",
  "flow": "session",
  "policyId": "policy_123",
  "email": "user@example.com"
}
The response includes challengeId, maskedEmail, expiresAt, otpEntryUrl, and startToken.

Start passkey challenge

POST /identity/api/auth/passkey/start
{
  "clientId": "client_123",
  "redirectUri": "https://app.example/callback",
  "network": "NETWORK_DEVNET",
  "ceremony": "PASSKEY_CEREMONY_REGISTRATION",
  "clientState": "state",
  "policyId": "policy_123"
}
The response returns a challengeId and webauthnOptionsJson for navigator.credentials. Identity client and organization-provider configuration is handled through developer-portal admin surfaces, not API-key runtime endpoints.