Beyond Identity Agentic Access
Beyond Identity exposes 150 API operations that an AI agent could call, of which 81 are state-changing ‘acting’ operations. This is a recommended x-agentic-access execution contract — the scope, audience, consequence tier, short-lived token constraints, and escalation each action should carry before it is handed to an autonomous agent.
By consequence: 69 read, 77 write, and 4 safety-critical.
4 operations are classed safety-critical and should require human-in-the-loop approval at runtime.
Contracts are classified heuristically from the provider’s OpenAPI and refresh on every APIs.io network build; audience is bound per deployment. The model follows Curity’s Access Intelligence (apidays Munich 2026). Browse every provider’s agent contracts at agentic-access.apis.io.
By consequence
Highest-consequence actions
The physical and safety-critical operations an agent could invoke — the ones that most warrant scoped tokens, tight TTLs, and escalation. Full per-operation contracts are in the source below.
| Method | Path | Consequence | Human-in-loop |
|---|---|---|---|
| DELETE | /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens/{token_id} | safety-critical | required |
| POST | /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}:revoke | safety-critical | required |
| POST | /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke | safety-critical | required |
| POST | /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke | safety-critical | required |
Source
Agentic Access
generated: '2026-07-15'
method: generated
source: openapi/beyond-identity-secure-access-api-openapi.yml, openapi/beyond-identity-secure-workforce-api-openapi.yml
description: Recommended x-agentic-access execution contracts, classified heuristically from
the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind
audience per deployment. See research/curity/agentic-governance/.
summary:
operations: 150
by_action_class:
connected: 69
acting: 81
by_consequence:
read: 69
write: 77
safety-critical: 4
human_in_the_loop_required: 4
operations:
- path: /v1/tenants/{tenant_id}
method: get
operationId: GetTenant
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tenants:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}
method: patch
operationId: UpdateTenant
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tenants:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms
method: post
operationId: CreateRealm
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- realms:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms
method: get
operationId: ListRealms
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- realms:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}
method: get
operationId: GetRealm
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- realms:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}
method: patch
operationId: UpdateRealm
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- realms:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}
method: delete
operationId: DeleteRealm
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- realms:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups
method: post
operationId: CreateGroup
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- groups:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups
method: get
operationId: ListGroups
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- groups:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}
method: get
operationId: GetGroup
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- groups:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}
method: patch
operationId: UpdateGroup
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- groups:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}
method: delete
operationId: DeleteGroup
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- groups:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:addMembers
method: post
operationId: AddGroupMembers
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- groups:update
- identities:read
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:deleteMembers
method: post
operationId: DeleteGroupMembers
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- groups:update
- identities:read
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listMembers
method: get
operationId: ListGroupMembers
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- groups:read
- identities:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listRoles
method: get
operationId: ListGroupRoles
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- groups:read
- resource-servers:read
- roles:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities
method: post
operationId: CreateIdentity
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- identities:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities
method: get
operationId: ListIdentities
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- identities:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities:batchDelete
method: post
operationId: BatchDeleteIdentities
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- identities:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}
method: get
operationId: GetIdentity
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- identities:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}
method: patch
operationId: UpdateIdentity
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- identities:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}
method: delete
operationId: DeleteIdentity
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- identities:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listGroups
method: get
operationId: ListIdentityGroups
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- groups:read
- identities:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listRoles
method: get
operationId: ListIdentityRoles
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- identities:read
- resource-servers:read
- roles:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles
method: post
operationId: CreateRole
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- roles:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles
method: get
operationId: ListRoles
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- roles:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}
method: get
operationId: GetRole
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- roles:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}
method: patch
operationId: UpdateRole
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- roles:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}
method: delete
operationId: DeleteRole
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- roles:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:addMembers
method: post
operationId: AddRoleMembers
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- groups:read
- identities:read
- roles:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:deleteMembers
method: post
operationId: DeleteRoleMembers
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- groups:read
- identities:read
- roles:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:listMembers
method: get
operationId: ListRoleMembers
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- groups:read
- identities:read
- roles:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:addScopes
method: post
operationId: AddRoleScopes
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- resource-servers:read
- roles:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:deleteScopes
method: post
operationId: DeleteRoleScopes
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- resource-servers:read
- roles:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:listScopes
method: get
operationId: ListRoleScopes
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- resource-servers:read
- roles:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials
method: get
operationId: ListCredentials
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- credentials:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}
method: get
operationId: GetCredential
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- credentials:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke
method: post
operationId: RevokeCredential
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
scope:
- credentials:revoke
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs
method: post
operationId: CreateCredentialBindingJob
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- credential-binding-jobs:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs
method: get
operationId: ListCredentialBindingJobs
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- credential-binding-jobs:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}
method: get
operationId: GetCredentialBindingJob
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- credential-binding-jobs:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}:revoke
method: post
operationId: SetCredentialBindingJobRevoked
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
scope:
- credential-binding-jobs:revoke
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs
method: post
operationId: CreateBatchCredentialBindingJob
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- credential-binding-jobs:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs/{batch_credential_binding_job_id}
method: get
operationId: GetBatchCredentialBindingJob
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- credential-binding-jobs:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs/{batch_credential_binding_job_id}:listResults
method: get
operationId: ListBatchCredentialBindingJobResults
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- credential-binding-jobs:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes
method: post
operationId: CreateTheme
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- themes:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/active
method: get
operationId: GetActiveTheme
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- themes:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id}
method: get
operationId: GetTheme
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- themes:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id}
method: patch
operationId: UpdateTheme
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- themes:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications
method: post
operationId: CreateApplication
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- applications:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications
method: get
operationId: ListApplications
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- applications:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}
method: get
operationId: GetApplication
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- applications:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}
method: patch
operationId: UpdateApplication
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- applications:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}
method: delete
operationId: DeleteApplication
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- applications:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs
method: post
operationId: CreateAuthenticatorConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- authenticator-configs:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs
method: get
operationId: ListAuthenticatorConfigs
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- authenticator-configs:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id}
method: get
operationId: GetAuthenticatorConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- authenticator-configs:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id}
method: patch
operationId: UpdateAuthenticatorConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- authenticator-configs:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id}
method: delete
operationId: DeleteAuthenticatorConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- authenticator-configs:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers
method: post
operationId: CreateResourceServer
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- resource-servers:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers
method: get
operationId: ListResourceServers
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- resource-servers:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}
method: get
operationId: GetResourceServer
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- resource-servers:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}
method: patch
operationId: UpdateResourceServer
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- resource-servers:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}
method: delete
operationId: DeleteResourceServer
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- resource-servers:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens
method: get
operationId: ListTokens
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tokens:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens/{token_id}
method: delete
operationId: RevokeToken
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
scope:
- tokens:delete
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users
method: post
operationId: SCIMCreateUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- scim:users:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users
method: get
operationId: SCIMListUsers
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- scim:users:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}
method: get
operationId: SCIMGetUser
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- scim:users:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}
method: patch
operationId: SCIMUpdateUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- scim:users:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}
method: put
operationId: SCIMReplaceUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- scim:users:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}
method: delete
operationId: SCIMDeleteUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- scim:users:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/
method: post
operationId: SCIMCreateGroup
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- scim:groups:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/
method: get
operationId: SCIMListGroups
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- scim:groups:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id}
method: get
operationId: SCIMGetGroup
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- scim:groups:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id}
method: patch
operationId: SCIMUpdateGroup
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- scim:groups:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id}
method: delete
operationId: SCIMDeleteGroup
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- scim:groups:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/ResourceTypes
method: get
operationId: ListResourceTypes
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Schemas
method: get
operationId: ListSchemas
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/ServiceProviderConfig
method: get
operationId: GetServiceProviderConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs
method: post
operationId: CreateSsoConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- sso-configs:create
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs
method: get
operationId: listSsoConfigs
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- sso-configs:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}
method: get
operationId: GetSsoConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- sso-configs:read
token:
max-ttl: 3600
audit: none
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}
method: patch
operationId: UpdateSsoConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- sso-configs:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}
method: delete
operationId: DeleteSsoConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- sso-configs:delete
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:addIdentities
method: post
operationId: AddIdentitiesToSsoConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- sso-configs:update
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/tenants/{tenant_id}/realms/{realm_i
# --- truncated at 32 KB (54 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/beyond-identity/refs/heads/main/agentic-access/beyond-identity-agentic-access.yml