Identity
Per-tenant identity-verification signing secret (verify mode).
Read identity-verification mode and signing-secret metadata
Returns whether the tenant is in trust or verify mode plus the active secret kid, previous-secret overlap expiry, and last-rotated timestamp. Never returns the secret. Any admin principal may read; rotation requires `manage_settings`.
List the tenant’s OIDC trusted-identity issuers
Returns the configured OIDC issuer rows (secret-free public config). Any admin principal may read; mutations require `manage_settings`.
Add an OIDC trusted-identity issuer (discovery + test-fetch before save)
Takes an issuer URL as a *discovery locator*, fetches its `/.well-known/openid-configuration`, derives and test-fetches the JWKS (SSRF-guarded), and stores the **canonical** discovery `issuer` + derived `jwks_uri`. Fails 422 if discovery/test-fetch fails (no row written); 409 on a duplicate `(issuer, audience)`. Requires `manage_settings`.
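The add-issuer flow described above, as an added example that is not part of this API's own code: a locator is normalized, the discovery document is fetched, the `jwks_uri` it advertises is test-fetched, and only the canonical discovery `issuer` is stored. Network access is replaced by constructed in-memory documents and a hypothetical host-to-address table so it runs offline; the SSRF guard shown (https only, host must resolve to a globally routable address) and the 201 success status are assumptions, as are the hostnames and addresses.

```python
import ipaddress
import json
import urllib.parse
from dataclasses import dataclass, field


class IssuerError(Exception):
    """Carries the HTTP status the endpoint would answer with (422 or 409)."""

    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status
        self.detail = detail


# Constructed stand-in for DNS resolution (hypothetical hosts and addresses).
FAKE_DNS = {
    "idp.example.com": "1.2.3.4",            # stand-in public address
    "evil.example.com": "1.2.3.5",           # public host, but see its JWKS below
    "metadata.internal": "169.254.169.254",  # link-local: must be refused
}

# Constructed stand-in for the web: URL -> JSON body. Not real issuers.
FAKE_WEB = {
    "https://idp.example.com/.well-known/openid-configuration": json.dumps(
        {"issuer": "https://idp.example.com", "jwks_uri": "https://idp.example.com/keys"}
    ),
    "https://idp.example.com/keys": json.dumps({"keys": [{"kty": "RSA", "kid": "k1"}]}),
    # Discovery doc that points the derived JWKS fetch at an internal address.
    "https://evil.example.com/.well-known/openid-configuration": json.dumps(
        {"issuer": "https://evil.example.com", "jwks_uri": "https://metadata.internal/keys"}
    ),
}


def ssrf_guard(url: str, resolve=FAKE_DNS.get) -> str:
    """Refuse URLs that are not https or whose host resolves to a non-public address."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise IssuerError(422, f"unsupported URL: {url}")
    addr = resolve(parts.hostname)
    if addr is None:
        raise IssuerError(422, f"cannot resolve {parts.hostname}")
    if not ipaddress.ip_address(addr).is_global:
        raise IssuerError(422, f"{parts.hostname} resolves to non-public address {addr}")
    return url


def fetch_json(url: str, web=FAKE_WEB) -> dict:
    """Guarded fetch: every outbound URL, including the derived jwks_uri, passes the guard."""
    ssrf_guard(url)
    body = web.get(url)
    if body is None:
        raise IssuerError(422, f"fetch failed: {url}")
    return json.loads(body)


@dataclass
class IssuerStore:
    rows: list = field(default_factory=list)

    def add(self, locator: str, audience: str) -> dict:
        """Discovery + test-fetch before save; nothing is written unless both succeed."""
        base = locator.rstrip("/")  # the locator is only used to find the discovery doc
        discovery = fetch_json(base + "/.well-known/openid-configuration")
        issuer, jwks_uri = discovery.get("issuer"), discovery.get("jwks_uri")
        if not issuer or not jwks_uri:
            raise IssuerError(422, "discovery document lacks issuer or jwks_uri")
        jwks = fetch_json(jwks_uri)  # derived URL is guarded too
        if not isinstance(jwks.get("keys"), list) or not jwks["keys"]:
            raise IssuerError(422, "JWKS test-fetch returned no keys")
        if any(r["issuer"] == issuer and r["audience"] == audience for r in self.rows):
            raise IssuerError(409, "issuer/audience pair already configured")
        row = {"issuer": issuer, "audience": audience, "jwks_uri": jwks_uri}  # canonical issuer stored
        self.rows.append(row)
        return row

    def list_public(self) -> list:
        """Secret-free view of the configured issuers."""
        return [dict(r) for r in self.rows]

    def remove(self, issuer: str, audience: str) -> bool:
        before = len(self.rows)
        self.rows = [r for r in self.rows if not (r["issuer"] == issuer and r["audience"] == audience)]
        return len(self.rows) < before


def add_status(store: IssuerStore, locator: str, audience: str) -> int:
    """Run add() and report the HTTP-style outcome (201 on success is an assumption)."""
    try:
        store.add(locator, audience)
        return 201
    except IssuerError as e:
        return e.status
```

The guard runs on the derived `jwks_uri` as well as on the locator, which is the case that matters: a discovery document under an attacker's control can name any URL as its JWKS, so a check applied only to the user-supplied locator would not be an SSRF guard at all.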
Remove an OIDC trusted-identity issuer
Deletes the issuer row. Requires `manage_settings`.
Mint or rotate the tenant identity-verification signing secret
Generates a new HMAC signing secret for verify-mode identity assertions and returns it in the response body (only time it is shown). The first call flips the tenant from trust mode to verify mode; subsequent calls rotate, keeping the prior secret valid for a 24 h overlap (`previousSecretExpiresAt`). The secret is never written to the audit log. Dual-auth: both paths require `manage_settings`.
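The mint/rotate lifecycle above, as an added example and not this API's own implementation: the first rotation flips a tenant from trust to verify mode, each later rotation keeps the prior secret usable for a 24 h overlap, metadata never exposes secret material, and a verifier accepts an assertion only under the current `kid` or under the previous `kid` while the overlap has not expired. The assertion format (`kid.payload.signature`, HMAC-SHA256 over `kid.payload`), the `kid` derivation and the field names other than `previousSecretExpiresAt` are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

OVERLAP = timedelta(hours=24)  # previous secret stays valid this long after a rotation


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TenantIdentityConfig:
    """Per-tenant verify-mode state: current and previous signing secrets."""

    def __init__(self):
        self.mode = "trust"
        self.current = None            # (kid, secret bytes)
        self.previous = None           # (kid, secret bytes) during the overlap window
        self.previous_expires_at = None
        self.last_rotated_at = None

    def rotate(self, now: datetime) -> dict:
        """Mint (first call) or rotate; the secret is returned here and nowhere else."""
        kid = secrets.token_hex(4)       # assumed kid format
        secret = secrets.token_bytes(32)
        if self.current is not None:
            self.previous = self.current
            self.previous_expires_at = now + OVERLAP
        self.current = (kid, secret)
        self.mode = "verify"             # first rotation flips trust -> verify
        self.last_rotated_at = now
        return {
            "kid": kid,
            "secret": _b64(secret),      # shown once; never logged or re-read
            "previousSecretExpiresAt": self.previous_expires_at.isoformat() if self.previous_expires_at else None,
        }

    def metadata(self) -> dict:
        """Read-only view for any admin principal: no secret material."""
        return {
            "mode": self.mode,
            "kid": self.current[0] if self.current else None,
            "previousSecretExpiresAt": self.previous_expires_at.isoformat() if self.previous_expires_at else None,
            "lastRotatedAt": self.last_rotated_at.isoformat() if self.last_rotated_at else None,
        }

    def secret_for_kid(self, kid: str, now: datetime):
        """Current secret always; previous secret only until the overlap expires."""
        if self.current and hmac.compare_digest(self.current[0], kid):
            return self.current[1]
        if self.previous and now < self.previous_expires_at and hmac.compare_digest(self.previous[0], kid):
            return self.previous[1]
        return None


def sign_assertion(minted: dict, claims: dict) -> str:
    """Client side: sign an identity assertion with the secret received from rotate()."""
    kid, secret = minted["kid"], _unb64(minted["secret"])
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    return f"{kid}.{payload}.{_b64(mac)}"


def verify_assertion(cfg: TenantIdentityConfig, assertion: str, now: datetime):
    """Server side: return the claims if the signature checks out under an accepted kid, else None."""
    try:
        kid, payload, sig = assertion.split(".")
        given = _unb64(sig)
    except (ValueError, base64.binascii.Error):
        return None
    secret = cfg.secret_for_kid(kid, now)
    if secret is None:
        return None
    expected = hmac.new(secret, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_unb64(payload))
```

Keying the overlap on the `kid` rather than trying both secrets keeps the decision explicit: an assertion under a retired `kid` is rejected once `previousSecretExpiresAt` passes, and the metadata endpoint lets an operator confirm that window without ever seeing either secret.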