Beyond Identity · Agentic Access

Beyond Identity Agentic Access

x-agentic-access generated

Beyond Identity exposes 150 API operations that an AI agent could call, of which 81 are state-changing ‘acting’ operations. This is a recommended x-agentic-access execution contract — the scope, audience, consequence tier, short-lived token constraints, and escalation each action should carry before it is handed to an autonomous agent.

By consequence: 69 read, 77 write, and 4 safety-critical.

4 operations are classed safety-critical and should require human-in-the-loop approval at runtime.

Contracts are classified heuristically from the provider’s OpenAPI and refresh on every APIs.io network build; audience is bound per deployment. The model follows Curity’s Access Intelligence (apidays Munich 2026). Browse every provider’s agent contracts at agentic-access.apis.io.

AuthenticationPasswordlessZero TrustIdentityPasskeysMFADevice SecurityOAuth 2.0OIDCSCIM
Operations: 150 Acting: 81 Human-in-the-loop: 4 Method: generated

By consequence

read 69 write 77 safety-critical 4

Highest-consequence actions

The physical and safety-critical operations an agent could invoke — the ones that most warrant scoped tokens, tight TTLs, and escalation. Full per-operation contracts are in the source below.

MethodPathConsequenceHuman-in-loop
DELETE /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens/{token_id} safety-critical required
POST /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}:revoke safety-critical required
POST /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke safety-critical required
POST /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke safety-critical required

Source

Agentic Access

Raw ↑
generated: '2026-07-15'
method: generated
source: openapi/beyond-identity-secure-access-api-openapi.yml, openapi/beyond-identity-secure-workforce-api-openapi.yml
description: Recommended x-agentic-access execution contracts, classified heuristically from
  the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind
  audience per deployment. See research/curity/agentic-governance/.
summary:
  operations: 150
  by_action_class:
    connected: 69
    acting: 81
  by_consequence:
    read: 69
    write: 77
    safety-critical: 4
  human_in_the_loop_required: 4
operations:
- path: /v1/tenants/{tenant_id}
  method: get
  operationId: GetTenant
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - tenants:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}
  method: patch
  operationId: UpdateTenant
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - tenants:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms
  method: post
  operationId: CreateRealm
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - realms:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms
  method: get
  operationId: ListRealms
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - realms:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}
  method: get
  operationId: GetRealm
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - realms:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}
  method: patch
  operationId: UpdateRealm
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - realms:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}
  method: delete
  operationId: DeleteRealm
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - realms:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups
  method: post
  operationId: CreateGroup
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - groups:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups
  method: get
  operationId: ListGroups
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - groups:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}
  method: get
  operationId: GetGroup
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - groups:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}
  method: patch
  operationId: UpdateGroup
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - groups:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}
  method: delete
  operationId: DeleteGroup
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - groups:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:addMembers
  method: post
  operationId: AddGroupMembers
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - groups:update
    - identities:read
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:deleteMembers
  method: post
  operationId: DeleteGroupMembers
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - groups:update
    - identities:read
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listMembers
  method: get
  operationId: ListGroupMembers
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - groups:read
    - identities:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listRoles
  method: get
  operationId: ListGroupRoles
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - groups:read
    - resource-servers:read
    - roles:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities
  method: post
  operationId: CreateIdentity
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - identities:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities
  method: get
  operationId: ListIdentities
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - identities:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities:batchDelete
  method: post
  operationId: BatchDeleteIdentities
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - identities:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}
  method: get
  operationId: GetIdentity
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - identities:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}
  method: patch
  operationId: UpdateIdentity
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - identities:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}
  method: delete
  operationId: DeleteIdentity
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - identities:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listGroups
  method: get
  operationId: ListIdentityGroups
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - groups:read
    - identities:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listRoles
  method: get
  operationId: ListIdentityRoles
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - identities:read
    - resource-servers:read
    - roles:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles
  method: post
  operationId: CreateRole
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - roles:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles
  method: get
  operationId: ListRoles
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - roles:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}
  method: get
  operationId: GetRole
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - roles:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}
  method: patch
  operationId: UpdateRole
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - roles:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}
  method: delete
  operationId: DeleteRole
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - roles:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:addMembers
  method: post
  operationId: AddRoleMembers
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - groups:read
    - identities:read
    - roles:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:deleteMembers
  method: post
  operationId: DeleteRoleMembers
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - groups:read
    - identities:read
    - roles:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:listMembers
  method: get
  operationId: ListRoleMembers
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - groups:read
    - identities:read
    - roles:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:addScopes
  method: post
  operationId: AddRoleScopes
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - resource-servers:read
    - roles:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:deleteScopes
  method: post
  operationId: DeleteRoleScopes
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - resource-servers:read
    - roles:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:listScopes
  method: get
  operationId: ListRoleScopes
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - resource-servers:read
    - roles:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials
  method: get
  operationId: ListCredentials
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - credentials:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}
  method: get
  operationId: GetCredential
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - credentials:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke
  method: post
  operationId: RevokeCredential
  x-agentic-access:
    action-class: acting
    consequence: safety-critical
    subject: required
    scope:
    - credentials:revoke
    audience: null
    token:
      max-ttl: 120
      exchange: true
      purpose-required: true
      proof-of-possession: true
    escalation:
      human-in-the-loop: required
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs
  method: post
  operationId: CreateCredentialBindingJob
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - credential-binding-jobs:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs
  method: get
  operationId: ListCredentialBindingJobs
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - credential-binding-jobs:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}
  method: get
  operationId: GetCredentialBindingJob
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - credential-binding-jobs:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}:revoke
  method: post
  operationId: SetCredentialBindingJobRevoked
  x-agentic-access:
    action-class: acting
    consequence: safety-critical
    subject: required
    scope:
    - credential-binding-jobs:revoke
    audience: null
    token:
      max-ttl: 120
      exchange: true
      purpose-required: true
      proof-of-possession: true
    escalation:
      human-in-the-loop: required
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs
  method: post
  operationId: CreateBatchCredentialBindingJob
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - credential-binding-jobs:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs/{batch_credential_binding_job_id}
  method: get
  operationId: GetBatchCredentialBindingJob
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - credential-binding-jobs:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs/{batch_credential_binding_job_id}:listResults
  method: get
  operationId: ListBatchCredentialBindingJobResults
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - credential-binding-jobs:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes
  method: post
  operationId: CreateTheme
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - themes:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/active
  method: get
  operationId: GetActiveTheme
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - themes:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id}
  method: get
  operationId: GetTheme
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - themes:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id}
  method: patch
  operationId: UpdateTheme
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - themes:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications
  method: post
  operationId: CreateApplication
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - applications:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications
  method: get
  operationId: ListApplications
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - applications:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}
  method: get
  operationId: GetApplication
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - applications:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}
  method: patch
  operationId: UpdateApplication
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - applications:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}
  method: delete
  operationId: DeleteApplication
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - applications:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs
  method: post
  operationId: CreateAuthenticatorConfig
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - authenticator-configs:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs
  method: get
  operationId: ListAuthenticatorConfigs
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - authenticator-configs:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id}
  method: get
  operationId: GetAuthenticatorConfig
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - authenticator-configs:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id}
  method: patch
  operationId: UpdateAuthenticatorConfig
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - authenticator-configs:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id}
  method: delete
  operationId: DeleteAuthenticatorConfig
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - authenticator-configs:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers
  method: post
  operationId: CreateResourceServer
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - resource-servers:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers
  method: get
  operationId: ListResourceServers
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - resource-servers:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}
  method: get
  operationId: GetResourceServer
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - resource-servers:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}
  method: patch
  operationId: UpdateResourceServer
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - resource-servers:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}
  method: delete
  operationId: DeleteResourceServer
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - resource-servers:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens
  method: get
  operationId: ListTokens
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - tokens:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens/{token_id}
  method: delete
  operationId: RevokeToken
  x-agentic-access:
    action-class: acting
    consequence: safety-critical
    subject: required
    scope:
    - tokens:delete
    audience: null
    token:
      max-ttl: 120
      exchange: true
      purpose-required: true
      proof-of-possession: true
    escalation:
      human-in-the-loop: required
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users
  method: post
  operationId: SCIMCreateUser
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - scim:users:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users
  method: get
  operationId: SCIMListUsers
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - scim:users:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}
  method: get
  operationId: SCIMGetUser
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - scim:users:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}
  method: patch
  operationId: SCIMUpdateUser
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - scim:users:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}
  method: put
  operationId: SCIMReplaceUser
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - scim:users:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}
  method: delete
  operationId: SCIMDeleteUser
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - scim:users:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/
  method: post
  operationId: SCIMCreateGroup
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - scim:groups:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/
  method: get
  operationId: SCIMListGroups
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - scim:groups:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id}
  method: get
  operationId: SCIMGetGroup
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - scim:groups:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id}
  method: patch
  operationId: SCIMUpdateGroup
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - scim:groups:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id}
  method: delete
  operationId: SCIMDeleteGroup
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - scim:groups:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/ResourceTypes
  method: get
  operationId: ListResourceTypes
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Schemas
  method: get
  operationId: ListSchemas
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/ServiceProviderConfig
  method: get
  operationId: GetServiceProviderConfig
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs
  method: post
  operationId: CreateSsoConfig
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - sso-configs:create
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs
  method: get
  operationId: listSsoConfigs
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - sso-configs:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}
  method: get
  operationId: GetSsoConfig
  x-agentic-access:
    action-class: connected
    consequence: read
    subject: optional
    scope:
    - sso-configs:read
    token:
      max-ttl: 3600
    audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}
  method: patch
  operationId: UpdateSsoConfig
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - sso-configs:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}
  method: delete
  operationId: DeleteSsoConfig
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - sso-configs:delete
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:addIdentities
  method: post
  operationId: AddIdentitiesToSsoConfig
  x-agentic-access:
    action-class: acting
    consequence: write
    subject: required
    scope:
    - sso-configs:update
    audience: null
    token:
      max-ttl: 900
    escalation:
      human-in-the-loop: conditional
      triggers:
      - abnormal
      - high-value
    audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_i

# --- truncated at 32 KB (54 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/beyond-identity/refs/heads/main/agentic-access/beyond-identity-agentic-access.yml