Administration API categories
Use this page to understand how Entrust Identity as a Service Administration API endpoints are grouped before you browse the generated reference. Each category name below links to the matching reference section.
Access depends on the application role
Your Administration API application can call only the operations permitted by its assigned role. If you need additional operations, update the role assigned to the application in Entrust Identity as a Service.
Choose a category quickly
Use this table to find the best starting point based on the task you need to complete.
| If you need to... | Start with |
|---|---|
| Authenticate the Administration API client and get the token required by protected requests | Admin Auth |
| Create, update, search, sync, or unlock users | Users |
| Manage authenticators or recovery options | Tokens, FIDO Tokens, Smart Credentials, Grids, Passwords, OTPs, Temp Access Codes, Machine Auth, Face, Magic Link, or User RBA Settings |
| Configure applications, sign-in policy, or identity sources | Applications, Resource Rules, Identity Providers, Directories, Settings, or OAuth Roles |
| Review account activity or configure outbound integrations | Reports, Webhooks, or Account Info |
| Manage service-provider tenants and tenant entitlements | Tenants or Entitlements |
Access and user administration
Use these categories when you need to authenticate the client application, manage people, control access, or update account-level data.
| Category | Use it for | Notes |
|---|---|---|
| Admin Auth | Authenticate the Administration API application and obtain the auth token required by later requests. | Start here before you call protected endpoints. For token expiry and session-cookie details, see Authentication and authorization. |
| Users | Create, update, delete, search, sync, unsync, and unlock users. | Includes bulk operations and lookups by UUID, user ID, user alias, or external ID. |
| User Attributes | Create and manage custom profile fields for users. | Use this category when your integration depends on custom user metadata. |
| Roles | List roles and manage role assignments. | Use roles to control what administrators and end users can do in IDaaS. |
| Groups | Create and manage groups and group membership. | Groups are commonly used by resource rules to control application access. |
| Organizations | Manage business-to-business organizations and organization membership. | Use this category when users need access to applications through organization membership. |
| Account Info | Read and update account-level details. | Includes values such as company name and the license acknowledged flag. |
Authenticators and user recovery
Use these categories when you need to manage the factors users rely on to sign in, recover access, or satisfy risk checks.
| Category | Use it for | Notes |
|---|---|---|
| Smart Credentials | Manage mobile smart credentials, certificates, activation, blocking, and signing workflows. | Use this category when you work with Entrust Mobile Smart Credential lifecycle and certificate operations. |
| Tokens | Manage hardware and soft tokens, including assignment, activation, reset, unlock, and state changes. | Use this category for token inventory and token-to-user lifecycle tasks. |
| FIDO Tokens | Manage FIDO2 and passkey tokens. | Includes registration, retrieval, update, and deletion. |
| Grids | Create, assign, export, email, unassign, and change the state of grid cards. | Use this category for both assigned and unassigned grid inventory. |
| Temp Access Codes | Issue and revoke temporary access codes. | Use this category when a user cannot access their usual OTP, grid, or token authenticator. |
| KBA | Manage knowledge-based authenticators and challenge questions. | These authenticators support question-and-answer sign-in flows for SAML applications. |
| Passwords | Manage password operations and password settings. | Covers both IDaaS-managed passwords and Active Directory passwords. |
| OTPs | Create OTPs and contact verification challenges. | Use this category when you need one-time passcode delivery or contact verification flows. |
| Machine Auth | Manage browser-based machine authenticators for users. | Machine Authentication supplies device-identifying information for SAML sign-ins. |
| Face | Create and manage Face Biometric authenticators. | Face Biometric uses an Onfido account and supports create, view, update, and delete operations. |
| Magic Link | Create, retrieve, and revoke magic links. | Magic links support authentication, registration, and password reset, and they can redirect to allowed URLs after verification. |
| User RBA Settings | Manage risk-based authentication settings and location data for a user. | Includes expected locations, user location history, and risk settings. |
Applications, policy, and identity sources
Use these categories when you need to define which applications exist, how users authenticate to them, and which external identity systems participate in the flow.
| Category | Use it for | Notes |
|---|---|---|
| Applications | Manage Admin API applications, Auth API applications, shared secrets, and application templates. | Start here when you need application IDs, client lifecycle, or secret rotation. |
| Resource Rules | Manage resource rules, ACRs, access filters, transaction rules, and authentication flows. | Use this category to define User Login, IdP Login, and Passkey Login behavior, plus group-based, domain-based, and ACR-based access decisions. |
| Identity Providers | Manage external OpenID Connect and SAML Identity Providers. | Includes configuration fetch, create, update, delete, and download operations. |
| Directories | Manage directory inventory, mappings, sync settings, search bases, and group filters. | Use this category when your integration depends on directory-backed identities or synchronization. |
| Settings | Manage account-wide behavior and authenticator settings. | Includes general settings, OTP settings, token settings, FIDO settings, password reset settings, Google Authenticator settings, Entrust ST settings, and Onfido settings. |
| OAuth Roles | List OAuth roles and manage user OAuth role membership. | Use this category when OAuth-enabled applications depend on role-based access data. |
Operations, integrations, and service-provider administration
Use these categories when you need audit data, outbound notifications, device administration, or multi-tenant service-provider controls.
| Category | Use it for | Notes |
|---|---|---|
| Reports | Retrieve audit data and SIEM-friendly audit events. | Use this category to review who did what on the account and when. |
| Webhooks | Register, test, read, update, and delete webhooks. | Use this category when you need outbound event delivery to your own systems. |
| Tenants | Manage child tenants, tenant Identity Provider settings, and tenant entitlements. | These APIs are available only to service provider accounts. |
| Entitlements | Retrieve entitlement information for a child tenant. | Use this category from a child tenant context when you need its own entitlement data. |
Next steps
- Use Authentication and authorization to understand token handling before you call protected endpoints.
- Use REST examples for raw HTTP request examples.
- Use SDK examples if you prefer client libraries.
- Open the Administration API reference when you're ready to inspect individual operations.