Deutsche Telekom Agentic Access
Deutsche Telekom exposes 366 API operations that an AI agent could call, of which 187 are state-changing ‘acting’ operations. This is a recommended x-agentic-access execution contract — the scope, audience, consequence tier, short-lived token constraints, and escalation each action should carry before it is handed to an autonomous agent.
By consequence: 179 read, 177 write, 4 physical, and 6 safety-critical.
6 operations are classed safety-critical and should require human-in-the-loop approval at runtime.
Contracts are classified heuristically from the provider’s OpenAPI and refresh on every APIs.io network build; audience is bound per deployment. The model follows Curity’s Access Intelligence (apidays Munich 2026). Browse every provider’s agent contracts at agentic-access.apis.io.
By consequence
Highest-consequence actions
The physical and safety-critical operations an agent could invoke — the ones that most warrant scoped tokens, tight TTLs, and escalation. Full per-operation contracts are in the source below.
| Method | Path | Consequence | Human-in-loop |
|---|---|---|---|
| PATCH | /rovers/{roverId}/secret | safety-critical | required |
| DELETE | /{realm}/attack-detection/brute-force/users | safety-critical | required |
| DELETE | /{realm}/attack-detection/brute-force/users/{userId} | safety-critical | required |
| DELETE | /{realm}/users/{id}/consents/{client} | safety-critical | required |
| PUT | /{realm}/users/{id}/disable-credential-types | safety-critical | required |
| PUT | /{realm}/users/{id}/reset-password | safety-critical | required |
| POST | /{realm}/clients/{id}/nodes | physical | conditional |
| PUT | /{realm}/users/{id}/execute-actions-email | physical | conditional |
| POST | /{realm}/users/{id}/logout | physical | conditional |
| PUT | /{realm}/users/{id}/send-verify-email | physical | conditional |
Source
Agentic Access
generated: '2026-07-15'
method: generated
source: openapi/controlplane-cpapi-openapi.yml, openapi/controlplane-discovery-application-openapi.yml,
openapi/controlplane-discovery-event-openapi.yml, openapi/controlplane-discovery-stargate-openapi.yml,
openapi/controlplane-file-manager-openapi.yml, openapi/controlplane-identity-openapi.yml,
openapi/controlplane-rover-server-openapi.yml, openapi/controlplane-secret-manager-openapi.yml
description: Recommended x-agentic-access execution contracts, classified heuristically from
the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind
audience per deployment. See research/curity/agentic-governance/.
summary:
operations: 366
by_action_class:
acting: 187
connected: 179
by_consequence:
write: 177
read: 179
safety-critical: 6
physical: 4
human_in_the_loop_required: 6
operations:
- path: /remoteSubscriptions/{remoteSubscriptionId}
method: put
operationId: createOrUpdateRemoteSubscription
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /remoteSubscriptions/{remoteSubscriptionId}
method: delete
operationId: deleteRemoteSubscription
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /remoteSubscriptions/{remoteSubscriptionId}/status
method: put
operationId: updateRemoteSubscriptionStatus
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications
method: get
operationId: getAllApplications
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications
method: post
operationId: createApplication
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}
method: get
operationId: getApplication
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}
method: put
operationId: updateApplication
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}
method: delete
operationId: deleteApplication
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}/status
method: get
operationId: getApplicationStatus
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /eventtypes
method: get
operationId: getAllEventTypes
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:read - tardis:user:obfuscated
token:
max-ttl: 3600
audit: none
- path: /eventtypes/{eventTypeId}
method: get
operationId: getEventType
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /eventtypes/{eventTypeId}/status
method: get
operationId: getEventTypeStatus
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /eventtypes/{eventTypeName}/active
method: get
operationId: getActiveEventType
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/eventexposures
method: get
operationId: getAllEventExposures
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:read - tardis:user:obfuscated
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/eventexposures/{eventExposureName}
method: get
operationId: getEventExposure
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:read - tardis:user:obfuscated
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/eventexposures/{eventExposureName}/status
method: get
operationId: getEventExposureStatus
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/eventexposures/{eventExposureName}/eventsubscriptions
method: get
operationId: getAllExposureEventSubscriptions
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/eventsubscriptions
method: get
operationId: getAllEventSubscriptions
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:read - tardis:user:obfuscated
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/eventsubscriptions/{eventSubscriptionName}
method: get
operationId: getEventSubscription
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:read - tardis:user:obfuscated
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/eventsubscriptions/{eventSubscriptionName}/status
method: get
operationId: getEventSubscriptionStatus
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/apiexposures
method: get
operationId: getAllApiExposures
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/apiexposures
method: post
operationId: createApiExposure
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}/apiexposures/{apiExposureName}
method: get
operationId: getApiExposure
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/apiexposures/{apiExposureName}
method: put
operationId: updateApiExposure
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}/apiexposures/{apiExposureName}
method: delete
operationId: deleteApiExposure
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}/apiexposures/{apiExposureName}/status
method: get
operationId: getApiExposureStatus
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/apisubscriptions
method: get
operationId: getAllApiSubscriptions
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/apisubscriptions
method: post
operationId: createApiSubscription
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}/apisubscriptions/{apiSubscriptionName}
method: get
operationId: getApiSubscription
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/apisubscriptions/{apiSubscriptionName}
method: put
operationId: updateApiSubscription
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}/apisubscriptions/{apiSubscriptionName}
method: delete
operationId: deleteApiSubscription
x-agentic-access:
action-class: acting
consequence: write
subject: required
scope:
- tardis:admin:all
- tardis:hub:all
- tardis:team:all
- tardis:user:all
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /applications/{applicationId}/apisubscriptions/{apiSubscriptionName}/status
method: get
operationId: getApiSubscriptionStatus
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /applications/{applicationId}/apiexposures/{apiExposureName}/apisubscriptions
method: get
operationId: getAllExposureApiSubscriptions
x-agentic-access:
action-class: connected
consequence: read
subject: optional
scope:
- tardis:admin:all
- tardis:admin:obfuscated
- tardis:admin:read
- tardis:hub:all
- tardis:hub:obfuscated
- tardis:hub:read
- tardis:supervisor:read
- tardis:team:all
- tardis:team:obfuscated
- tardis:team:read
- tardis:user:all
- tardis:user:obfuscated
- tardis:user:read
token:
max-ttl: 3600
audit: none
- path: /v1/files/{fileId}
method: put
operationId: uploadFile
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /v1/files/{fileId}
method: get
operationId: downloadFile
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /v1/files/{fileId}
method: delete
operationId: deleteFile
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{id}/name
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}
method: put
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}
method: delete
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/admin-events
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/admin-events
method: delete
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/attack-detection/brute-force/users
method: delete
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /{realm}/attack-detection/brute-force/users/{userId}
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/attack-detection/brute-force/users/{userId}
method: delete
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /{realm}/authentication/authenticator-providers
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/client-authenticator-providers
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/config-description/{providerId}
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/config/{id}
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/config/{id}
method: put
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/config/{id}
method: delete
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/executions
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/executions/{executionId}
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/executions/{executionId}
method: delete
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/executions/{executionId}/config
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/executions/{executionId}/lower-priority
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/executions/{executionId}/raise-priority
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/flows
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/flows
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/flows/{flowAlias}/copy
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/flows/{flowAlias}/executions
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/flows/{flowAlias}/executions
method: put
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/flows/{flowAlias}/executions/execution
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/flows/{flowAlias}/executions/flow
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/flows/{id}
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/flows/{id}
method: put
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/flows/{id}
method: delete
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/form-action-providers
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/form-providers
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/per-client-config-description
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/register-required-action
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/required-actions
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/required-actions/{alias}
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/authentication/required-actions/{alias}
method: put
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/required-actions/{alias}
method: delete
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/required-actions/{alias}/lower-priority
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/required-actions/{alias}/raise-priority
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/authentication/unregistered-required-actions
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{realm}/clear-keys-cache
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/clear-realm-cache
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/clear-user-cache
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{realm}/client-description-converter
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
-
# --- truncated at 32 KB (112 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/deutsche-telekom/refs/heads/main/agentic-access/deutsche-telekom-agentic-access.yml