diff --git a/.speakeasy/gen.lock b/.speakeasy/gen.lock index 7673309..d36d5e9 100644 --- a/.speakeasy/gen.lock +++ b/.speakeasy/gen.lock @@ -1,19 +1,19 @@ lockVersion: 2.0.0 id: 22a6f89d-747a-448f-b027-c84e4bc947a1 management: - docChecksum: c8b3e5f61170d69d096475f6d28575ed + docChecksum: c0dc83f7df76995196d8d2dd83bbc181 docVersion: 3.0.16 speakeasyVersion: 1.761.7 generationVersion: 2.881.0 - releaseVersion: 0.0.8 - configChecksum: a95630b279a8d337e5e9fbcd44ec9927 + releaseVersion: 0.0.9 + configChecksum: 21e8f6bd1860f00896580babd3893014 repoURL: https://github.com/authlete/authlete-cli.git installationURL: https://github.com/authlete/authlete-cli published: true persistentEdits: - generation_id: 14c87592-ab3a-4607-b1a3-76a322227788 - pristine_commit_hash: 503f5d3b53a414082645041ee164d66fd235b68e - pristine_tree_hash: 101bbf243a5d78a11364abca17ea3b0f8d50a860 + generation_id: 6515005c-f90f-4814-bf71-86a22a8933f1 + pristine_commit_hash: 64dfe22af2e906fe82415573a42f2c3ea9404752 + pristine_tree_hash: 2adf98ba8f05c3cd749c2b9582101fe1192b0df0 features: cli: additionalProperties: 0.0.0 
@@ -105,54 +105,86 @@ trackedFiles: id: 9805244b682f last_write_checksum: sha1:2ce817787465fa099ab62ef9e9411ac901c0fff8 pristine_git_object: 31317e6129c8224c6ea110657d12459b55007725 - internal/cli/client/clientmanagement1/deleteauthorizations.go: - id: f86c6a8509b4 - last_write_checksum: sha1:7d15a3a64257a172f77b4c378eec75811429397a - pristine_git_object: da5284830363b9e2c7e63c9e82449d95cbed258a - internal/cli/client/clientmanagement1/deletegrantedscopes.go: - id: 690791d813ab - last_write_checksum: sha1:1a9d088bd7b946bdb27119ddfbd223055d9a71d5 - pristine_git_object: fc73925c3a31bc6dd37f77f1e4b902412cb52397 - internal/cli/client/clientmanagement1/deleterequestablescopes.go: - id: 851b490971ca - last_write_checksum: sha1:cb93f6e44b634de69b44517ef71a71bb0abe4f12 - pristine_git_object: f4db7b6980805fdc629abd7a19979ba1827a23bd - internal/cli/client/clientmanagement1/getgrantedscopes.go: - id: 60b14cd8fcc6 - last_write_checksum: sha1:ee49c8b63be4a6ff264695496e9b7723b57dfc61 - pristine_git_object: 78b94c97e697dcdf8d9add51ed1565fa93a7e49c - internal/cli/client/clientmanagement1/getrequestablescopes.go: - id: 08fdc05eedcf - last_write_checksum: sha1:5634aba1dc1efe1d5485713c82cf3f368b154b92 - pristine_git_object: 7b60aadf36298d96337b112e2920e8761d094304 - internal/cli/client/clientmanagement1/listauthorizations.go: - id: 8d2022f8be84 - last_write_checksum: sha1:105b7742321920234e7532e849ff780bf76f46a2 - pristine_git_object: af04e26093c5a7ede2863a1dda626777f04a8f61 - internal/cli/client/clientmanagement1/refreshsecret.go: - id: 517af9bd88b0 - last_write_checksum: sha1:20c4ddf4ce6f22d12acc18c842fc061525496259 - pristine_git_object: 69a2aa884d8fa29c7077a4e581c303cd5fd5a990 - internal/cli/client/clientmanagement1/root.go: - id: 171e2f5d0eee - last_write_checksum: sha1:e0e852521d8de9bdb987956f71cf877a5dbcd9ab - pristine_git_object: b7f03c1016c97658ed757ef3d6c372c695dad0c4 - internal/cli/client/clientmanagement1/updateauthorizations.go: - id: e5a24b545fb7 - last_write_checksum: 
sha1:a0a530e73fe532d0c7b567850e7756b481d33687 - pristine_git_object: 92e6117866f95b147d2b0618c6dbfec66d0a0b74 - internal/cli/client/clientmanagement1/updatelockflag.go: - id: 5e4482f6cf22 - last_write_checksum: sha1:a1307f9773aa1232eb5311abd539ccd35480c0c9 - pristine_git_object: 0e45eea14279c24f4f4563670b462e8663e4afae - internal/cli/client/clientmanagement1/updaterequestablescopes.go: - id: f65aa9244d39 - last_write_checksum: sha1:9b9a1eb4d2a00f50e9fc6275483ff2d7d42efa58 - pristine_git_object: b4e0ea018e85d7ead2d078126e729080a149ac38 - internal/cli/client/clientmanagement1/updatesecret.go: - id: d9c97019ed53 - last_write_checksum: sha1:b452f4418bce835a9b3e122d7d3e63c31e1e483d - pristine_git_object: 81232f3cc8742941372389f9f08ddcda3ca8c8c5 + internal/cli/client/clientmanagement/deleteauthorizations.go: + id: 0696e9b8c67f + last_write_checksum: sha1:d57f834d46899a3e06e48de7741d3cebec209b76 + pristine_git_object: ea0d6bea1a0f19d8f83009e6d1d7731ea74b9354 + internal/cli/client/clientmanagement/deletegrantedscopes.go: + id: c8101a10604d + last_write_checksum: sha1:f0a4c769d99ff8ce9bdda415506d2ea0ed8ba85d + pristine_git_object: 5cf2d78da16b58c54daa47a2fbe563691f58a841 + internal/cli/client/clientmanagement/deletegrantedscopesforclient.go: + id: c9a053357fb4 + last_write_checksum: sha1:7fe215aa73274e26b212e83f77234eadb054b7ae + pristine_git_object: f29b8caab5cd659bbf42e1c638fbcf1d07d1620f + internal/cli/client/clientmanagement/deleterequestablescopes.go: + id: d91885f10e3e + last_write_checksum: sha1:ab7f5df1ac19b7a82569ec55d81cfb0ce26b9571 + pristine_git_object: d91117cdeed6d1c70c33114481b938ad6c0ce63a + internal/cli/client/clientmanagement/getgrantedscopes.go: + id: aafea591130f + last_write_checksum: sha1:389b84b0f0df0aecf1661730c4e3a985a7d1ae5b + pristine_git_object: 592cc685e132acfc233191977dd10465cab9a9b2 + internal/cli/client/clientmanagement/getgrantedscopesforclient.go: + id: 45103a109386 + last_write_checksum: sha1:ece9b6102a3c3d11c232528fa3d19190d1f8263f + 
pristine_git_object: a7fd4c7d37d3251067ddd7ac3a87b7117eda7146 + internal/cli/client/clientmanagement/getgrantedscopesforclientpost.go: + id: ff50282dc803 + last_write_checksum: sha1:c7a81acc1258f26a99324261fe0540cef76bd0fa + pristine_git_object: 355ef599f49b03f78f164171aa14db0494b98c87 + internal/cli/client/clientmanagement/getrequestablescopes.go: + id: ccc6b77901af + last_write_checksum: sha1:60a7104578f03c1faf34d8bfdd3c67f63d65e78c + pristine_git_object: 4eb77f93d29146976247f58c8555b5e7288263f0 + internal/cli/client/clientmanagement/listauthorizations.go: + id: 25bf976077af + last_write_checksum: sha1:2d4568fde7d492f5efbb03852025244f6b7d9aa4 + pristine_git_object: b83bc8b3d06857ce96f889d93e2eff85da7f5efa + internal/cli/client/clientmanagement/listauthorizedapplications.go: + id: ebaf63fc6b51 + last_write_checksum: sha1:bca68ff9b053895eb995ab8c1bfd99ff050b4893 + pristine_git_object: 8fed0b85e997c411d45270d6c5c17bc3cfe8277c + internal/cli/client/clientmanagement/listauthorizedapplicationspost.go: + id: ed8ac0ad8755 + last_write_checksum: sha1:fa6d28985d05fa004aaddb65e690e5d21e027607 + pristine_git_object: 8d0345cb9bc15486998c7b52216570b44386ac2d + internal/cli/client/clientmanagement/refreshsecret.go: + id: 0717e4b052df + last_write_checksum: sha1:009b938e87233d0eb7c50c281b403fa860bcdc13 + pristine_git_object: 7f724f7adf09cbac559b8995ec3564902ae9b2b3 + internal/cli/client/clientmanagement/revokeclienttokens.go: + id: 654de204d610 + last_write_checksum: sha1:f61fe07074d0f62114619b009d701b74e6cd452c + pristine_git_object: 66ec539fa3497f9857e0c6bf34383d64e66d81bb + internal/cli/client/clientmanagement/revokeclienttokenspost.go: + id: 3e677c9eb259 + last_write_checksum: sha1:2512dcb898e38c92ba2a6f833e05ebfb319487cf + pristine_git_object: c89fbd0427c73331af4f25eb9eef11da2b7b9857 + internal/cli/client/clientmanagement/root.go: + id: 2c72e99c91a1 + last_write_checksum: sha1:832f6861406a0ed11491597de9459e2009bf74a8 + pristine_git_object: 
2777f378c98158853300fb335c4b76ec0bf453f0 + internal/cli/client/clientmanagement/updateauthorizations.go: + id: fcec43346de0 + last_write_checksum: sha1:c5eed716e6efc0473db399c0b72e88b42cfcb154 + pristine_git_object: 92b49dedbac567720ffabd8231eb7f94ec769d38 + internal/cli/client/clientmanagement/updatelockflag.go: + id: 6cb055b487e2 + last_write_checksum: sha1:a9d3f0aceb76cdd77ee60cc4d460946b46a966ff + pristine_git_object: 74989d9b07a753d95a485248a6a849947396245a + internal/cli/client/clientmanagement/updaterequestablescopes.go: + id: "846052442813" + last_write_checksum: sha1:ddaa272ae1d4b9873765a1537e8fe79c120b0034 + pristine_git_object: 11bc455a2970a9596dbaee1318d7a62fcf6c8303 + internal/cli/client/clientmanagement/updaterequestablescopespost.go: + id: 26820024af0a + last_write_checksum: sha1:3fee9c0418b2f24fd995aa36b6a72a39598a7b94 + pristine_git_object: f94383b9c00b0aa313de7239b55db4acf20008fb + internal/cli/client/clientmanagement/updatesecret.go: + id: cc534fc462b3 + last_write_checksum: sha1:4c7a769695e765da63ddcad245f216211a32b2bb + pristine_git_object: cd613b11735ab55827074e9bacf52f49304337ec internal/cli/client/create.go: id: accb0e52bf24 last_write_checksum: sha1:c585734546f4bb727f4261ddb9323f576b348825 @@ -171,8 +203,8 @@ trackedFiles: pristine_git_object: 89fa26dc3e094810962003f3c743f5736b785ebd internal/cli/client/root.go: id: 28afaba63bc9 - last_write_checksum: sha1:f8f7e8a0964b979cd03f61834bdca271a1676bd4 - pristine_git_object: 9be3ee563bffbf538fde0a4ea6effbb18e22cd39 + last_write_checksum: sha1:fb46e7657bf0f483d31fe0474f96850cd1e291d0 + pristine_git_object: 9112dc34d1ef491444a3b5d6f21f03887974ffd4 internal/cli/client/update.go: id: 486f5f4de4cb last_write_checksum: sha1:b40e52c15857028c3651a6f4b49442982576e3f0 
@@ -181,42 +213,6 @@ trackedFiles: id: 10fe710517f4 last_write_checksum: sha1:6f23ee5756ef29d39636e9c4becd04808f7e6ffa pristine_git_object: d215a3e280ad770eced0b7b2512c10329dbea8c8 - internal/cli/clientmanagement2/clientauthorizationdeleteapi.go: - id: dd00195e7f58 - last_write_checksum: sha1:9733a3a1a83a4dbadb219a4bf17d641be09f86d4 - pristine_git_object: c973c62bc98e80d21babc1ea4cb0e2ed4f75f0fa - internal/cli/clientmanagement2/clientauthorizationdeleteapipost.go: - id: 4d2adc9f2825 - last_write_checksum: sha1:e2d4c7d78b760bca3d9db4d04e36b7ead6698266 - pristine_git_object: 317259f2fd56bd544e0576d378000567732f086b - internal/cli/clientmanagement2/clientauthorizationgetlistapi.go: - id: 55f89568c15f - last_write_checksum: sha1:e1a8f39c4c99c5825df68b3089eb00cee1dd8d74 - pristine_git_object: aff37d42c85296ab00dab3e76467bc9cdfaf1aa7 - internal/cli/clientmanagement2/clientauthorizationgetlistapipost.go: - id: 57525b021dbf - last_write_checksum: sha1:a349a27e4b7d12bd91627a7145da91db8214dc52 - pristine_git_object: 60d89143f6bbd5b80bd3c4034fcb862cef6e0933 - internal/cli/clientmanagement2/clientextensionrequestablesscopesupdateapipost.go: - id: 0c22638aa569 - last_write_checksum: sha1:295043af28804334630ef6f353c3ad9379b6aa29 - pristine_git_object: 16569f3b8eebbebcc0eb170903b25012f2983e0a - internal/cli/clientmanagement2/clientgrantedscopesdeleteapi.go: - id: 2c61f93070ca - last_write_checksum: sha1:f6b23cf26c668a13c05fd1c0f96ca4d8a2ea3ea6 - pristine_git_object: ef6461f0f21fbee17128594e34b931c8b714e634 - internal/cli/clientmanagement2/clientgrantedscopesgetapi.go: - id: b7b2c021dc43 - last_write_checksum: sha1:652ac583695d0e50803949ff52545e420807fba2 - pristine_git_object: cb5da57c60b68e1642d2a80c0afb0cadd3847744 - internal/cli/clientmanagement2/clientgrantedscopesgetapipost.go: - id: 310b3fde5cde - last_write_checksum: sha1:772f054f10f7a829b044f48ca4348812052bf6a6 - pristine_git_object: 578e914db02722218e3f64a9e295c11f2e8e01d9 - internal/cli/clientmanagement2/root.go: - id: 
4af2b4eda6f7 - last_write_checksum: sha1:77b367240dcb9d169476aa59436956c4463b1d78 - pristine_git_object: 5623db3b9027d3a5d9920ff1bc3504258d02a861 internal/cli/configure.go: id: 36d400bc4372 last_write_checksum: sha1:122374b25fe55194df069618a041a3387f9c5a7d @@ -367,8 +363,8 @@ trackedFiles: pristine_git_object: b0e74ce496fc62549071d0208e4d48d8d8eee04d internal/cli/root.go: id: 239d55a0d6be - last_write_checksum: sha1:8d422256496fafa19704d521af78cbc6b91fbee1 - pristine_git_object: 69a6c6df06ea4aefd88b9499fee75a4a379df0cf + last_write_checksum: sha1:61f37eca0dd25fc14e299e7720d9b6710c02248f + pristine_git_object: 6d61561e3afb6d38f46b8e3cee3bded144d71b39 internal/cli/service/delete.go: id: a33e7be9a0f5 last_write_checksum: sha1:40dc706c945bb0eb42e5d0ebec6acd5cb5f0fc2b @@ -499,8 +495,8 @@ trackedFiles: pristine_git_object: eb4d9b0592ef23cbde314a6574b130b5dca5ea05 internal/cli/version.go: id: 7b0665492f72 - last_write_checksum: sha1:1b960be5f0c3405ba76ebeb848cdd9731cd5e0ed - pristine_git_object: 7678f11212c06092f7aa61070dec1a1fd31fb925 + last_write_checksum: sha1:56afc45b40a033921309609937c5129fc5c7e28f + pristine_git_object: 7df149040896144faf938ccf19c2ea981c1a8c25 internal/cli/whoami.go: id: c1787f2298ec last_write_checksum: sha1:02b5bea7e9d2b9ba4697c0ae4298808862c3d8f9 @@ -575,8 +571,8 @@ trackedFiles: pristine_git_object: e6a994416d0f527912d2d272e2583458f4fc9bcb internal/sdk/authlete.go: id: 81104225f83a - last_write_checksum: sha1:a9bc8335300652cec3eb71e2aa6f6384d3d520c2 - pristine_git_object: ce425c538698f040d498788b122fc0b858d6fe71 + last_write_checksum: sha1:b5db8f2fdc7e6ca67c4a44b19858de602a1e2a5c + pristine_git_object: bc0cd6956085b4ed91a7745923cf7725b735d33f internal/sdk/authorization.go: id: 8be896849290 last_write_checksum: sha1:99a2b01efe1c37a487d3a203831abd0eaefe1d9c 
@@ -591,16 +587,12 @@ trackedFiles: pristine_git_object: 2a30e7d7c2a3a7467a8d2f283e77d61d386f59ca internal/sdk/client.go: id: 24ed98cf9990 - last_write_checksum: sha1:86f0e6e80780bf836a336b9b8953cfcd8220f94b - pristine_git_object: cefe9eacd600e3b4e246302735e9e6ef2e3c8243 - internal/sdk/clientmanagement1.go: - id: 5b4dc9a518ea - last_write_checksum: sha1:06097d515a55fef4e4270c151432c2cd44822914 - pristine_git_object: f627677ddd667f4952a7fa337ee5a6daae88f2f1 - internal/sdk/clientmanagement2.go: - id: d4d47374d36d - last_write_checksum: sha1:6c0b4279b8a93fd3491fd3de44ea3bbd2eca19ac - pristine_git_object: 38e1e8c1526f7d40fdb91531ee1a0834553fcc7a + last_write_checksum: sha1:b60c949fcdaa9320e8e571f17820a08c9213f9e4 + pristine_git_object: fbdbae2e004dd86b3df1d4084d5a143df4342d87 + internal/sdk/clientmanagement.go: + id: ae31544bf45e + last_write_checksum: sha1:c23ec97e149f3bef25dfd9235d59ec97ad18d574 + pristine_git_object: bb4992d09f3666e882c4bb373e72ac0861f105a7 internal/sdk/deviceflow.go: id: e0d6b95d7c87 last_write_checksum: sha1:589676c18c7c659c75d79ac1f949a2ac86961777 @@ -1735,8 +1727,8 @@ trackedFiles: pristine_git_object: 159a87ec97aba99e4edd132f69652e123434303e internal/usage/schema.go: id: 0f40f4612437 - last_write_checksum: sha1:82087b09eb35b77923dbdedf4df5572531830c6e - pristine_git_object: 5e35812d5d45cd37bc12c74ee117d59988b428ab + last_write_checksum: sha1:f1d35f632b381ac61e9956d91815d7e088512ebd + pristine_git_object: 75c252e525203ad948242297d6797665052f5989 scripts/install.ps1: id: fee0853709e9 last_write_checksum: sha1:0ac5c61da159014da7754b4ca99541dc63397f8e 
@@ -5238,226 +5230,19 @@ examples: examplesVersion: 1.0.2 releaseNotes: | ## Cli SDK Changes: - * `Authlete.Service.Get()`: **Added** - * `Authlete.Service.List()`: **Added** - * `Authlete.Service.Update()`: **Added** - * `Authlete.Service.Delete()`: **Added** - * `Authlete.Service.GetConfiguration()`: **Added** - * `Authlete.Client.Get()`: **Added** - * `Authlete.Client.List()`: **Added** - * `Authlete.Client.Create()`: **Added** - * `Authlete.Client.Update()`: **Added** - * `Authlete.Client.UpdateForm()`: **Added** - * `Authlete.Client.Delete()`: **Added** - * `Authlete.Client.Management.UpdateLockFlag()`: **Added** - * `Authlete.Client.Management.RefreshSecret()`: **Added** - * `Authlete.Client.Management.UpdateSecret()`: **Added** - * `Authlete.Client.Management.ListAuthorizations()`: **Added** - * `Authlete.Client.Management.UpdateAuthorizations()`: **Added** - * `Authlete.Client.Management.DeleteAuthorizations()`: **Added** - * `Authlete.Client.Management.GetGrantedScopes()`: **Added** - * `Authlete.Client.Management.DeleteGrantedScopes()`: **Added** - * `Authlete.Client.Management.GetRequestableScopes()`: **Added** - * `Authlete.Client.Management.UpdateRequestableScopes()`: **Added** - * `Authlete.Client.Management.DeleteRequestableScopes()`: **Added** - * `Authlete.Authorization.ProcessRequest()`: **Added** - * `Authlete.Authorization.Fail()`: **Added** - * `Authlete.Authorization.Issue()`: **Added** - * `Authlete.Authorization.Management.GetTicketInfo()`: **Added** - * `Authlete.Authorization.Management.UpdateTicket()`: **Added** - * `Authlete.PushedAuthorization.Create()`: **Added** - * `Authlete.Token.Process()`: **Added** - * `Authlete.Token.Fail()`: **Added** - * `Authlete.Token.Issue()`: **Added** - * `Authlete.Token.Management.ReissueIdToken()`: **Added** - * `Authlete.Token.Management.List()`: **Added** - * `Authlete.Token.Management.Create()`: **Added** - * `Authlete.Token.Management.Update()`: **Added** - * `Authlete.Token.Management.Delete()`: 
**Added** - * `Authlete.Token.Management.Revoke()`: **Added** - * `Authlete.Introspection.Process()`: **Added** - * `Authlete.Introspection.StandardProcess()`: **Added** - * `Authlete.Revocation.Process()`: **Added** - * `Authlete.Userinfo.Process()`: **Added** - * `Authlete.Userinfo.Issue()`: **Added** - * `Authlete.GrantManagement.ProcessRequest()`: **Added** - * `Authlete.JwkSetEndpoint.ServiceJwksGetApi()`: **Added** - * `Authlete.DynamicClientRegistration.Register()`: **Added** - * `Authlete.DynamicClientRegistration.Get()`: **Added** - * `Authlete.DynamicClientRegistration.Update()`: **Added** - * `Authlete.DynamicClientRegistration.Delete()`: **Added** - * `Authlete.Ciba.ProcessAuthentication()`: **Added** - * `Authlete.Ciba.Issue()`: **Added** - * `Authlete.Ciba.Fail()`: **Added** - * `Authlete.Ciba.Complete()`: **Added** - * `Authlete.DeviceFlow.Authorization()`: **Added** - * `Authlete.DeviceFlow.Verification()`: **Added** - * `Authlete.DeviceFlow.Complete()`: **Added** - * `Authlete.JoseObject.JoseVerifyApi()`: **Added** - * `Authlete.HardwareSecurityKeys.Create()`: **Added** - * `Authlete.HardwareSecurityKeys.Delete()`: **Added** - * `Authlete.HardwareSecurityKeys.Get()`: **Added** - * `Authlete.HardwareSecurityKeys.List()`: **Added** - * `Authlete.VerifiableCredentials.GetMetadata()`: **Added** - * `Authlete.VerifiableCredentials.GetJwtIssuer()`: **Added** - * `Authlete.VerifiableCredentials.GetJwks()`: **Added** - * `Authlete.VerifiableCredentials.CreateOffer()`: **Added** - * `Authlete.VerifiableCredentials.GetOfferInfo()`: **Added** - * `Authlete.VerifiableCredentials.Parse()`: **Added** - * `Authlete.VerifiableCredentials.Issue()`: **Added** - * `Authlete.VerifiableCredentials.BatchParse()`: **Added** - * `Authlete.VerifiableCredentials.BatchIssue()`: **Added** - * `Authlete.VerifiableCredentials.DeferredParse()`: **Added** - * `Authlete.VerifiableCredentials.DeferredIssue()`: **Added** - * `Authlete.NativeSso.Process()`: **Added** - * 
`Authlete.NativeSso.Logout()`: **Added** - * `Authlete.ClientManagement.ClientGetApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientGetListApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientCreateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientUpdateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientUpdateApi1Form()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientDeleteApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientFlagUpdateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientSecretRefreshApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientSecretUpdateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientAuthorizationGetListBySubjectApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientAuthorizationUpdateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientAuthorizationDeleteBySubjectApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientGrantedScopesGetBySubjectApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientGrantedScopesDeleteBySubjectApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientExtensionRequestablesScopesGetApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientExtensionRequestablesScopesUpdateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.ClientExtensionRequestablesScopesDeleteApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.UpdateLockFlag()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.RefreshSecret()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.UpdateSecret()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.Authorizations()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.UpdateAuthorizations()`: **Removed** (Breaking ⚠️) - * 
`Authlete.ClientManagement.DestroyAuthorizations()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.GrantedScopes()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.DestroyGrantedScopes()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.RequestableScopes()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.UpdateRequestableScopes()`: **Removed** (Breaking ⚠️) - * `Authlete.ClientManagement.DestroyRequestableScopes()`: **Removed** (Breaking ⚠️) - * `Authlete.ServiceManagement.ServiceGetApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ServiceManagement.ServiceGetListApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ServiceManagement.ServiceCreateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ServiceManagement.ServiceUpdateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ServiceManagement.ServiceDeleteApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.ServiceManagement.ServiceConfigurationApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Services.Retrieve()`: **Removed** (Breaking ⚠️) - * `Authlete.Services.List()`: **Removed** (Breaking ⚠️) - * `Authlete.Services.Create()`: **Removed** (Breaking ⚠️) - * `Authlete.Services.Update()`: **Removed** (Breaking ⚠️) - * `Authlete.Services.Destroy()`: **Removed** (Breaking ⚠️) - * `Authlete.Services.Configuration()`: **Removed** (Breaking ⚠️) - * `Authlete.Clients.Retrieve()`: **Removed** (Breaking ⚠️) - * `Authlete.Clients.List()`: **Removed** (Breaking ⚠️) - * `Authlete.Clients.Create()`: **Removed** (Breaking ⚠️) - * `Authlete.Clients.Update()`: **Removed** (Breaking ⚠️) - * `Authlete.Clients.UpdateForm()`: **Removed** (Breaking ⚠️) - * `Authlete.Clients.Destroy()`: **Removed** (Breaking ⚠️) - * `Authlete.AuthorizationEndpoint.AuthAuthorizationApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.AuthorizationEndpoint.AuthAuthorizationFailApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.AuthorizationEndpoint.AuthAuthorizationIssueApi1()`: **Removed** (Breaking ⚠️) - * 
`Authlete.AuthorizationEndpoint.GetAuthorizationTicketInfo()`: **Removed** (Breaking ⚠️) - * `Authlete.AuthorizationEndpoint.UpdateAuthorizationTicket1()`: **Removed** (Breaking ⚠️) - * `Authlete.Authorization.ProcessRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.Authorization.FailRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.Authorization.IssueResponse()`: **Removed** (Breaking ⚠️) - * `Authlete.PushedAuthorizationEndpoint.PushedAuthReqApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.PushedAuthorization.Create()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenEndpoint.AuthTokenApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenEndpoint.AuthTokenFailApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenEndpoint.AuthTokenIssueApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenEndpoint.IdtokenReissueApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Tokens.ProcessRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.Tokens.FailRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.Tokens.IssueResponse()`: **Removed** (Breaking ⚠️) - * `Authlete.IntrospectionEndpoint.AuthIntrospectionApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.IntrospectionEndpoint.AuthIntrospectionStandardApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Introspection.ProcessRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.Introspection.StandardProcess()`: **Removed** (Breaking ⚠️) - * `Authlete.RevocationEndpoint.AuthRevocationApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Revocation.ProcessRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.UserInfoEndpoint.AuthUserinfoApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.UserInfoEndpoint.AuthUserinfoIssueApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Userinfo.ProcessRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.Userinfo.IssueResponse()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenManagement.ReissueIdToken()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenManagement.List()`: **Removed** (Breaking ⚠️) - * 
`Authlete.TokenManagement.Create()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenManagement.Update()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenManagement.Destroy()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenManagement.Revoke()`: **Removed** (Breaking ⚠️) - * `Authlete.GrantManagementEndpoint.GrantMApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.GrantManagement.ProcessRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.JwkSetEndpoint.ServiceJwksGetApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.JwkSetEndpoint.ServiceJwksGetApi2()`: **Removed** (Breaking ⚠️) - * `Authlete.DynamicClientRegistration.ClientRegistrationApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.DynamicClientRegistration.ClientRegistrationGetApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.DynamicClientRegistration.ClientRegistrationUpdateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.DynamicClientRegistration.ClientRegistrationDeleteApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.DynamicClientRegistration.Register()`: **Removed** (Breaking ⚠️) - * `Authlete.DynamicClientRegistration.Retrieve()`: **Removed** (Breaking ⚠️) - * `Authlete.DynamicClientRegistration.Update()`: **Removed** (Breaking ⚠️) - * `Authlete.DynamicClientRegistration.Destroy()`: **Removed** (Breaking ⚠️) - * `Authlete.Ciba.BackchannelAuthenticationApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Ciba.BackchannelAuthenticationIssueApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Ciba.BackchannelAuthenticationFailApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Ciba.BackchannelAuthenticationCompleteApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.Ciba.ProcessAuthentication()`: **Removed** (Breaking ⚠️) - * `Authlete.Ciba.IssueResponse()`: **Removed** (Breaking ⚠️) - * `Authlete.Ciba.FailRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.Ciba.CompleteRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.DeviceFlow.DeviceAuthorizationApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.DeviceFlow.DeviceVerificationApi1()`: 
**Removed** (Breaking ⚠️) - * `Authlete.DeviceFlow.DeviceCompleteApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.DeviceFlow.Authorization()`: **Removed** (Breaking ⚠️) - * `Authlete.DeviceFlow.Verification()`: **Removed** (Breaking ⚠️) - * `Authlete.DeviceFlow.CompleteRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenOperations.AuthTokenGetListApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenOperations.AuthTokenCreateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenOperations.AuthTokenUpdateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenOperations.AuthTokenDeleteApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.TokenOperations.AuthTokenRevokeApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.JoseObject.JoseVerifyApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.JoseObject.JoseVerifyApi2()`: **Removed** (Breaking ⚠️) - * `Authlete.FederationEndpoint.FederationConfigurationApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.FederationEndpoint.FederationRegistrationApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.HardwareSecurityKey.HskCreateApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.HardwareSecurityKey.HskDeleteApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.HardwareSecurityKey.HskGetApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.HardwareSecurityKey.HskGetListApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.HardwareSecurityKeys.Create()`: **Removed** (Breaking ⚠️) - * `Authlete.HardwareSecurityKeys.Destroy()`: **Removed** (Breaking ⚠️) - * `Authlete.HardwareSecurityKeys.Retrieve()`: **Removed** (Breaking ⚠️) - * `Authlete.HardwareSecurityKeys.List()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciMetadataApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciJwtissuerApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciJwksApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciOfferCreateApi1()`: **Removed** (Breaking ⚠️) - * 
`Authlete.VerifiableCredentialIssuer.VciOfferInfoApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciSingleParseApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciSingleIssueApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciBatchParseApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciBatchIssueApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciDeferredParseApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentialIssuer.VciDeferredIssueApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.Metadata()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.JwtIssuer()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.Jwks()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.CreateOffer()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.OfferInfo()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.Parse()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.IssueResponse()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.BatchParse()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.BatchIssue()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.DeferredParse()`: **Removed** (Breaking ⚠️) - * `Authlete.VerifiableCredentials.DeferredIssue()`: **Removed** (Breaking ⚠️) - * `Authlete.AuthorizationManagement.TicketInfo()`: **Removed** (Breaking ⚠️) - * `Authlete.AuthorizationManagement.UpdateTicket()`: **Removed** (Breaking ⚠️) - * `Authlete.NativeSso.NativeSsoApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.NativeSso.NativeSsoLogoutApi1()`: **Removed** (Breaking ⚠️) - * `Authlete.NativeSso.ProcessRequest()`: **Removed** (Breaking ⚠️) - * `Authlete.NativeSso.Logout()`: **Removed** (Breaking ⚠️) + * `Authlete.Client.Management.ListAuthorizedApplications()`: **Added** + * 
`Authlete.Client.Management.ListAuthorizedApplicationsPost()`: **Added** + * `Authlete.Client.Management.RevokeClientTokens()`: **Added** + * `Authlete.Client.Management.RevokeClientTokensPost()`: **Added** + * `Authlete.Client.Management.GetGrantedScopesForClient()`: **Added** + * `Authlete.Client.Management.GetGrantedScopesForClientPost()`: **Added** + * `Authlete.Client.Management.DeleteGrantedScopesForClient()`: **Added** + * `Authlete.Client.Management.UpdateRequestableScopesPost()`: **Added** + * `Authlete.ClientManagement.ClientAuthorizationGetListApi()`: **Removed** (Breaking ⚠️) + * `Authlete.ClientManagement.ClientAuthorizationGetListApiPost()`: **Removed** (Breaking ⚠️) + * `Authlete.ClientManagement.ClientAuthorizationDeleteApi()`: **Removed** (Breaking ⚠️) + * `Authlete.ClientManagement.ClientAuthorizationDeleteApiPost()`: **Removed** (Breaking ⚠️) + * `Authlete.ClientManagement.ClientGrantedScopesGetApi()`: **Removed** (Breaking ⚠️) + * `Authlete.ClientManagement.ClientGrantedScopesGetApiPost()`: **Removed** (Breaking ⚠️) + * `Authlete.ClientManagement.ClientGrantedScopesDeleteApi()`: **Removed** (Breaking ⚠️) + * `Authlete.ClientManagement.ClientExtensionRequestablesScopesUpdateApiPost()`: **Removed** (Breaking ⚠️) diff --git a/.speakeasy/gen.yaml b/.speakeasy/gen.yaml index 0daa126..b8fe433 100644 --- a/.speakeasy/gen.yaml +++ b/.speakeasy/gen.yaml @@ -31,7 +31,7 @@ generation: generateNewTests: true skipResponseBodyAssertions: false cli: - version: 0.0.8 + version: 0.0.9 additionalDependencies: {} cliName: authlete distribution: diff --git a/.speakeasy/out.openapi.yaml b/.speakeasy/out.openapi.yaml index 8b40d41..f62bfad 100644 --- a/.speakeasy/out.openapi.yaml +++ b/.speakeasy/out.openapi.yaml @@ -1627,6 +1627,8 @@ paths: operationId: client_authorization_get_list_api tags: - Client Management + x-speakeasy-group: client.management + x-speakeasy-name-override: listAuthorizedApplications post: summary: Get Authorized Applications description: | 
@@ -1667,6 +1669,8 @@ paths: operationId: client_authorization_get_list_api_post tags: - Client Management + x-speakeasy-group: client.management + x-speakeasy-name-override: listAuthorizedApplicationsPost x-code-samples: - lang: shell label: curl @@ -1897,6 +1901,8 @@ paths: operationId: client_authorization_delete_api tags: - Client Management + x-speakeasy-group: client.management + x-speakeasy-name-override: revokeClientTokens post: summary: Delete Client Tokens description: | @@ -1948,6 +1954,8 @@ paths: operationId: client_authorization_delete_api_post tags: - Client Management + x-speakeasy-group: client.management + x-speakeasy-name-override: revokeClientTokensPost x-code-samples: - lang: shell label: curl @@ -2100,6 +2108,8 @@ paths: operationId: client_granted_scopes_get_api tags: - Client Management + x-speakeasy-group: client.management + x-speakeasy-name-override: getGrantedScopesForClient post: summary: Get Granted Scopes description: | @@ -2151,6 +2161,8 @@ paths: operationId: client_granted_scopes_get_api_post tags: - Client Management + x-speakeasy-group: client.management + x-speakeasy-name-override: getGrantedScopesForClientPost x-code-samples: - lang: shell label: curl @@ -2296,6 +2308,8 @@ paths: api.deleteClientAuthorization(clientId, subject) tags: - Client Management + x-speakeasy-group: client.management + x-speakeasy-name-override: deleteGrantedScopesForClient /api/{serviceId}/client/granted_scopes/delete/{clientId}/{subject}: delete: summary: Delete Granted Scopes (by Subject) @@ -8557,6 +8571,8 @@ paths: operationId: client_extension_requestables_scopes_update_api_post tags: - Client Management + x-speakeasy-group: client.management + x-speakeasy-name-override: updateRequestableScopesPost put: summary: Update Requestable Scopes description: | diff --git a/.speakeasy/workflow.lock b/.speakeasy/workflow.lock index ac64e8a..c8c8a6d 100644 --- a/.speakeasy/workflow.lock +++ b/.speakeasy/workflow.lock 
@@ -2,8 +2,8 @@ speakeasyVersion: 1.761.7 sources: Authlete-OAS: sourceNamespace: authlete-oas - sourceRevisionDigest: sha256:ec33fd29dce0b43cdf9f8fceaf329108b3c88595bdb8e5e57cba03ba221667ce - sourceBlobDigest: sha256:906f3b7cc12790c9e28fceea15ec542d88787634499ca705f6f0f29f243e8a6a + sourceRevisionDigest: sha256:f84cffca79642abc998ec3ffc4b78a2f868cd0824aac8f1aa16a830a9427c197 + sourceBlobDigest: sha256:967d4ce2f07bbfbedbca35fd693cd80e82e49c290983790c26cf308de8f0f1cd tags: - latest - 3.0.16 @@ -11,8 +11,8 @@ targets: authlete: source: Authlete-OAS sourceNamespace: authlete-oas - sourceRevisionDigest: sha256:ec33fd29dce0b43cdf9f8fceaf329108b3c88595bdb8e5e57cba03ba221667ce - sourceBlobDigest: sha256:906f3b7cc12790c9e28fceea15ec542d88787634499ca705f6f0f29f243e8a6a + sourceRevisionDigest: sha256:f84cffca79642abc998ec3ffc4b78a2f868cd0824aac8f1aa16a830a9427c197 + sourceBlobDigest: sha256:967d4ce2f07bbfbedbca35fd693cd80e82e49c290983790c26cf308de8f0f1cd workflow: workflowVersion: 1.0.0 speakeasyVersion: latest diff --git a/README.md b/README.md index d5065e4..49c52cb 100644 --- a/README.md +++ b/README.md 
@@ -274,30 +274,27 @@ Configuration is stored in `~/.config/authlete/config.yaml`. * [`update-form`](docs/authlete_client_update-form.md) - Update Client * [`delete`](docs/authlete_client_delete.md) - Delete Client ⚡ -#### [client-management-1](docs/authlete_client_client-management-1.md) - -* [`update-lock-flag`](docs/authlete_client_client-management-1_update-lock-flag.md) - Update Client Lock -* [`refresh-secret`](docs/authlete_client_client-management-1_refresh-secret.md) - Rotate Client Secret -* [`update-secret`](docs/authlete_client_client-management-1_update-secret.md) - Update Client Secret -* [`list-authorizations`](docs/authlete_client_client-management-1_list-authorizations.md) - Get Authorized Applications (by Subject) -* [`update-authorizations`](docs/authlete_client_client-management-1_update-authorizations.md) - Update Client Tokens -* [`delete-authorizations`](docs/authlete_client_client-management-1_delete-authorizations.md) - Delete Client Tokens (by Subject) -* [`get-granted-scopes`](docs/authlete_client_client-management-1_get-granted-scopes.md) - Get Granted Scopes (by Subject) -* [`delete-granted-scopes`](docs/authlete_client_client-management-1_delete-granted-scopes.md) - Delete Granted Scopes (by Subject) -* [`get-requestable-scopes`](docs/authlete_client_client-management-1_get-requestable-scopes.md) - Get Requestable Scopes -* [`update-requestable-scopes`](docs/authlete_client_client-management-1_update-requestable-scopes.md) - Update Requestable Scopes -* [`delete-requestable-scopes`](docs/authlete_client_client-management-1_delete-requestable-scopes.md) - Delete Requestable Scopes - -### [client-management-2](docs/authlete_client-management-2.md) - -* [`client-authorization-get-list-api`](docs/authlete_client-management-2_client-authorization-get-list-api.md) - Get Authorized Applications -* [`client-authorization-get-list-api-post`](docs/authlete_client-management-2_client-authorization-get-list-api-post.md) - Get Authorized 
Applications -* [`client-authorization-delete-api`](docs/authlete_client-management-2_client-authorization-delete-api.md) - Delete Client Tokens -* [`client-authorization-delete-api-post`](docs/authlete_client-management-2_client-authorization-delete-api-post.md) - Delete Client Tokens -* [`client-granted-scopes-get-api`](docs/authlete_client-management-2_client-granted-scopes-get-api.md) - Get Granted Scopes -* [`client-granted-scopes-get-api-post`](docs/authlete_client-management-2_client-granted-scopes-get-api-post.md) - Get Granted Scopes -* [`client-granted-scopes-delete-api`](docs/authlete_client-management-2_client-granted-scopes-delete-api.md) - Delete Granted Scopes -* [`client-extension-requestables-scopes-update-api-post`](docs/authlete_client-management-2_client-extension-requestables-scopes-update-api-post.md) - Update Requestable Scopes +#### [client-management](docs/authlete_client_client-management.md) + +* [`update-lock-flag`](docs/authlete_client_client-management_update-lock-flag.md) - Update Client Lock +* [`refresh-secret`](docs/authlete_client_client-management_refresh-secret.md) - Rotate Client Secret +* [`update-secret`](docs/authlete_client_client-management_update-secret.md) - Update Client Secret +* [`list-authorized-applications`](docs/authlete_client_client-management_list-authorized-applications.md) - Get Authorized Applications +* [`list-authorized-applications-post`](docs/authlete_client_client-management_list-authorized-applications-post.md) - Get Authorized Applications +* [`list-authorizations`](docs/authlete_client_client-management_list-authorizations.md) - Get Authorized Applications (by Subject) +* [`update-authorizations`](docs/authlete_client_client-management_update-authorizations.md) - Update Client Tokens +* [`revoke-client-tokens`](docs/authlete_client_client-management_revoke-client-tokens.md) - Delete Client Tokens +* [`revoke-client-tokens-post`](docs/authlete_client_client-management_revoke-client-tokens-post.md) - 
Delete Client Tokens +* [`delete-authorizations`](docs/authlete_client_client-management_delete-authorizations.md) - Delete Client Tokens (by Subject) +* [`get-granted-scopes-for-client`](docs/authlete_client_client-management_get-granted-scopes-for-client.md) - Get Granted Scopes +* [`get-granted-scopes-for-client-post`](docs/authlete_client_client-management_get-granted-scopes-for-client-post.md) - Get Granted Scopes +* [`get-granted-scopes`](docs/authlete_client_client-management_get-granted-scopes.md) - Get Granted Scopes (by Subject) +* [`delete-granted-scopes-for-client`](docs/authlete_client_client-management_delete-granted-scopes-for-client.md) - Delete Granted Scopes +* [`delete-granted-scopes`](docs/authlete_client_client-management_delete-granted-scopes.md) - Delete Granted Scopes (by Subject) +* [`get-requestable-scopes`](docs/authlete_client_client-management_get-requestable-scopes.md) - Get Requestable Scopes +* [`update-requestable-scopes-post`](docs/authlete_client_client-management_update-requestable-scopes-post.md) - Update Requestable Scopes +* [`update-requestable-scopes`](docs/authlete_client_client-management_update-requestable-scopes.md) - Update Requestable Scopes +* [`delete-requestable-scopes`](docs/authlete_client_client-management_delete-requestable-scopes.md) - Delete Requestable Scopes ### [authorization](docs/authlete_authorization.md) diff --git a/RELEASES.md b/RELEASES.md index 772ec56..50936a0 100644 --- a/RELEASES.md +++ b/RELEASES.md 
@@ -36,4 +36,14 @@ Based on: ### Generated - [cli v0.0.8] . ### Releases -- [CLI v0.0.8] https://github.com/authlete/authlete-cli/releases/tag/v0.0.8 - . \ No newline at end of file +- [CLI v0.0.8] https://github.com/authlete/authlete-cli/releases/tag/v0.0.8 - . + +## 2026-04-17 17:03:13 +### Changes +Based on: +- OpenAPI Doc +- Speakeasy CLI 1.761.7 (2.881.0) https://github.com/speakeasy-api/speakeasy +### Generated +- [cli v0.0.9] . +### Releases +- [CLI v0.0.9] https://github.com/authlete/authlete-cli/releases/tag/v0.0.9 - . \ No newline at end of file diff --git a/docs/authlete.md b/docs/authlete.md index 8f7be71..2971763 100644 --- a/docs/authlete.md +++ b/docs/authlete.md @@ -120,7 +120,6 @@ authlete [flags] * [authlete authorization](authlete_authorization.md) - Operations for authorization * [authlete ciba](authlete_ciba.md) - Operations for ciba * [authlete client](authlete_client.md) - Operations for client -* [authlete client-management-2](authlete_client-management-2.md) - API endpoints for managing OAuth clients, including creation, update, and deletion of clients * [authlete configure](authlete_configure.md) - Configure authentication credentials and preferences * [authlete device-flow](authlete_device-flow.md) - Operations for device-flow * [authlete dynamic-client-registration](authlete_dynamic-client-registration.md) - Operations for dynamic-client-registration diff --git a/docs/authlete_client.md b/docs/authlete_client.md index 08196c6..ac6dd62 100644 --- a/docs/authlete_client.md +++ b/docs/authlete_client.md 
@@ -49,6 +49,6 @@ authlete client [flags] * [authlete client delete](authlete_client_delete.md) - Delete Client ⚡ * [authlete client get](authlete_client_get.md) - Get Client * [authlete client list](authlete_client_list.md) - List Clients -* [authlete client management-1](authlete_client_management-1.md) - Operations for client-management-1 +* [authlete client management](authlete_client_management.md) - Operations for client-management * [authlete client update](authlete_client_update.md) - Update Client * [authlete client update-form](authlete_client_update-form.md) - Update Client diff --git a/docs/authlete_client_management.md b/docs/authlete_client_management.md index 16784a0..81eb1c4 100644 --- a/docs/authlete_client_management.md +++ b/docs/authlete_client_management.md 
@@ -45,22 +45,22 @@ authlete client management [flags] ### SEE ALSO * [authlete client](authlete_client.md) - Operations for client -* [authlete client management create-granted-scopes](authlete_client_management_create-granted-scopes.md) - Get Granted Scopes * [authlete client management delete-authorizations](authlete_client_management_delete-authorizations.md) - Delete Client Tokens (by Subject) -* [authlete client management delete-client-tokens](authlete_client_management_delete-client-tokens.md) - Delete Client Tokens * [authlete client management delete-granted-scopes](authlete_client_management_delete-granted-scopes.md) - Delete Granted Scopes (by Subject) * [authlete client management delete-granted-scopes-for-client](authlete_client_management_delete-granted-scopes-for-client.md) - Delete Granted Scopes * [authlete client management delete-requestable-scopes](authlete_client_management_delete-requestable-scopes.md) - Delete Requestable Scopes * [authlete client management get-granted-scopes](authlete_client_management_get-granted-scopes.md) - Get Granted Scopes (by Subject) * [authlete client management get-granted-scopes-for-client](authlete_client_management_get-granted-scopes-for-client.md) - Get Granted Scopes +* [authlete client management get-granted-scopes-for-client-post](authlete_client_management_get-granted-scopes-for-client-post.md) - Get Granted Scopes * [authlete client management get-requestable-scopes](authlete_client_management_get-requestable-scopes.md) - Get Requestable Scopes * [authlete client management list-authorizations](authlete_client_management_list-authorizations.md) - Get Authorized Applications (by Subject) * [authlete client management list-authorized-applications](authlete_client_management_list-authorized-applications.md) - Get Authorized Applications -* [authlete client management list-authorized-applications-with-body](authlete_client_management_list-authorized-applications-with-body.md) - Get Authorized Applications +* 
[authlete client management list-authorized-applications-post](authlete_client_management_list-authorized-applications-post.md) - Get Authorized Applications * [authlete client management refresh-secret](authlete_client_management_refresh-secret.md) - Rotate Client Secret * [authlete client management revoke-client-tokens](authlete_client_management_revoke-client-tokens.md) - Delete Client Tokens +* [authlete client management revoke-client-tokens-post](authlete_client_management_revoke-client-tokens-post.md) - Delete Client Tokens * [authlete client management update-authorizations](authlete_client_management_update-authorizations.md) - Update Client Tokens * [authlete client management update-lock-flag](authlete_client_management_update-lock-flag.md) - Update Client Lock * [authlete client management update-requestable-scopes](authlete_client_management_update-requestable-scopes.md) - Update Requestable Scopes -* [authlete client management update-requestable-scopes-with-body](authlete_client_management_update-requestable-scopes-with-body.md) - Update Requestable Scopes +* [authlete client management update-requestable-scopes-post](authlete_client_management_update-requestable-scopes-post.md) - Update Requestable Scopes * [authlete client management update-secret](authlete_client_management_update-secret.md) - Update Client Secret diff --git a/docs/authlete_client_management_get-granted-scopes-for-client-post.md b/docs/authlete_client_management_get-granted-scopes-for-client-post.md new file mode 100644 index 0000000..fefcae7 --- /dev/null +++ b/docs/authlete_client_management_get-granted-scopes-for-client-post.md 
@@ -0,0 +1,60 @@ +## authlete client management get-granted-scopes-for-client-post + +Get Granted Scopes + +### Synopsis + +Get the set of scopes that a user has granted to a client application. + +The subject parameter is required. + +``` +authlete client management get-granted-scopes-for-client-post [flags] +``` + +### Examples + +``` + authlete client-management get-granted-scopes-for-client-post --service-id --client-id --subject +``` + +### Options + +``` + --body string Request body as JSON (alternative to individual flags). Can also be provided via stdin. + -c, --client-id string A client ID. + [required] + -h, --help help for get-granted-scopes-for-client-post + --service-id string A service ID. [required] + --subject string Unique user ID of an end-user. [required] +``` + +### Options inherited from parent commands + +``` + --agent-mode Enable structured errors and default TOON output for AI coding agents. Automatically enabled when a known agent environment is detected (CLAUDE_CODE, CURSOR_AGENT, etc.). Use --agent-mode=false to disable. + --bearer Authorization: Bearer Authenticate every request with a **Service Access Token** or **Organization Token**. + Set the token value in the Authorization: Bearer header. + + **Service Access Token**: Scoped to a single service. Use when automating service-level configuration or runtime flows. + + **Organization Token**: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically. + + Both token types are issued by the Authlete console or provisioning APIs. + --color string Control colored output: auto (color when output is a TTY), always, or never. Respects NO_COLOR and FORCE_COLOR env vars. 
(default "auto") + -d, --debug Log request and response diagnostics to stderr + --dry-run Preview the request that would be sent without executing it (output to stderr) + -H, --header stringArray Set a custom HTTP request header (format: "Key: Value"). Can be specified multiple times. + --include-headers Include HTTP response headers in the output + -q, --jq string Filter and transform output using a jq expression (e.g., '.name', '.items[] | .id') + --no-interactive Disable all interactive features (auto-prompting, explorer auto-launch, TUI forms) + -o, --output-format string Specify the output format. Options: pretty, json, yaml, table, toon. (default "pretty") + --server string Select a server by index (for indexed servers) or name (for named servers) + --server-url string Override the default server URL + --timeout string HTTP request timeout (e.g., 30s, 5m, 100ms) + --usage Print the CLI Usage schema in KDL format +``` + +### SEE ALSO + +* [authlete client management](authlete_client_management.md) - Operations for client-management diff --git a/docs/authlete_client_management_list-authorized-applications-post.md b/docs/authlete_client_management_list-authorized-applications-post.md new file mode 100644 index 0000000..afd835b --- /dev/null +++ b/docs/authlete_client_management_list-authorized-applications-post.md 
@@ -0,0 +1,61 @@ +## authlete client management list-authorized-applications-post + +Get Authorized Applications + +### Synopsis + +Get a list of client applications that an end-user has authorized. + +The subject parameter is required. + +``` +authlete client management list-authorized-applications-post [flags] +``` + +### Examples + +``` + authlete client-management list-authorized-applications-post --service-id --subject +``` + +### Options + +``` + --body string Request body as JSON (alternative to individual flags). Can also be provided via stdin. + --developer string Unique ID of a client developer. + -e, --end int End index of search results (exclusive). + -h, --help help for list-authorized-applications-post + --service-id string A service ID. [required] + --start int Start index of search results (inclusive). + --subject string Unique user ID of an end-user. [required] +``` + +### Options inherited from parent commands + +``` + --agent-mode Enable structured errors and default TOON output for AI coding agents. Automatically enabled when a known agent environment is detected (CLAUDE_CODE, CURSOR_AGENT, etc.). Use --agent-mode=false to disable. + --bearer Authorization: Bearer Authenticate every request with a **Service Access Token** or **Organization Token**. + Set the token value in the Authorization: Bearer header. + + **Service Access Token**: Scoped to a single service. Use when automating service-level configuration or runtime flows. + + **Organization Token**: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically. + + Both token types are issued by the Authlete console or provisioning APIs. + --color string Control colored output: auto (color when output is a TTY), always, or never. Respects NO_COLOR and FORCE_COLOR env vars. 
(default "auto") + -d, --debug Log request and response diagnostics to stderr + --dry-run Preview the request that would be sent without executing it (output to stderr) + -H, --header stringArray Set a custom HTTP request header (format: "Key: Value"). Can be specified multiple times. + --include-headers Include HTTP response headers in the output + -q, --jq string Filter and transform output using a jq expression (e.g., '.name', '.items[] | .id') + --no-interactive Disable all interactive features (auto-prompting, explorer auto-launch, TUI forms) + -o, --output-format string Specify the output format. Options: pretty, json, yaml, table, toon. (default "pretty") + --server string Select a server by index (for indexed servers) or name (for named servers) + --server-url string Override the default server URL + --timeout string HTTP request timeout (e.g., 30s, 5m, 100ms) + --usage Print the CLI Usage schema in KDL format +``` + +### SEE ALSO + +* [authlete client management](authlete_client_management.md) - Operations for client-management diff --git a/docs/authlete_client_management_revoke-client-tokens-post.md b/docs/authlete_client_management_revoke-client-tokens-post.md new file mode 100644 index 0000000..067ac97 --- /dev/null +++ b/docs/authlete_client_management_revoke-client-tokens-post.md 
@@ -0,0 +1,60 @@ +## authlete client management revoke-client-tokens-post + +Delete Client Tokens + +### Synopsis + +Delete all existing access tokens issued to a client application by an end-user. + +The subject parameter is required. + +``` +authlete client management revoke-client-tokens-post [flags] +``` + +### Examples + +``` + authlete client-management revoke-client-tokens-post --service-id --client-id --subject +``` + +### Options + +``` + --body string Request body as JSON (alternative to individual flags). Can also be provided via stdin. + -c, --client-id string A client ID. + [required] + -h, --help help for revoke-client-tokens-post + --service-id string A service ID. [required] + --subject string Unique user ID of an end-user. [required] +``` + +### Options inherited from parent commands + +``` + --agent-mode Enable structured errors and default TOON output for AI coding agents. Automatically enabled when a known agent environment is detected (CLAUDE_CODE, CURSOR_AGENT, etc.). Use --agent-mode=false to disable. + --bearer Authorization: Bearer Authenticate every request with a **Service Access Token** or **Organization Token**. + Set the token value in the Authorization: Bearer header. + + **Service Access Token**: Scoped to a single service. Use when automating service-level configuration or runtime flows. + + **Organization Token**: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically. + + Both token types are issued by the Authlete console or provisioning APIs. + --color string Control colored output: auto (color when output is a TTY), always, or never. Respects NO_COLOR and FORCE_COLOR env vars. (default "auto") + -d, --debug Log request and response diagnostics to stderr + --dry-run Preview the request that would be sent without executing it (output to stderr) + -H, --header stringArray Set a custom HTTP request header (format: "Key: Value"). 
Can be specified multiple times. + --include-headers Include HTTP response headers in the output + -q, --jq string Filter and transform output using a jq expression (e.g., '.name', '.items[] | .id') + --no-interactive Disable all interactive features (auto-prompting, explorer auto-launch, TUI forms) + -o, --output-format string Specify the output format. Options: pretty, json, yaml, table, toon. (default "pretty") + --server string Select a server by index (for indexed servers) or name (for named servers) + --server-url string Override the default server URL + --timeout string HTTP request timeout (e.g., 30s, 5m, 100ms) + --usage Print the CLI Usage schema in KDL format +``` + +### SEE ALSO + +* [authlete client management](authlete_client_management.md) - Operations for client-management diff --git a/docs/authlete_client_management_revoke-client-tokens.md b/docs/authlete_client_management_revoke-client-tokens.md index e807e5e..d678837 100644 --- a/docs/authlete_client_management_revoke-client-tokens.md +++ b/docs/authlete_client_management_revoke-client-tokens.md @@ -6,7 +6,7 @@ Delete Client Tokens Delete all existing access tokens issued to a client application by an end-user. -The subject parameter is required. +The subject parameter is required and must be provided as a query parameter. ``` authlete client management revoke-client-tokens [flags] @@ -21,12 +21,12 @@ authlete client management revoke-client-tokens [flags] ### Options ``` - --body string Request body as JSON (alternative to individual flags). Can also be provided via stdin. -c, --client-id string A client ID. [required] -h, --help help for revoke-client-tokens --service-id string A service ID. [required] - --subject string Unique user ID of an end-user. [required] + --subject string Unique user ID of an end-user. + [required] ``` ### Options inherited from parent commands 
diff --git a/docs/authlete_client_management_update-requestable-scopes-post.md b/docs/authlete_client_management_update-requestable-scopes-post.md new file mode 100644 index 0000000..69df581 --- /dev/null +++ b/docs/authlete_client_management_update-requestable-scopes-post.md 
@@ -0,0 +1,68 @@ +## authlete client management update-requestable-scopes-post + +Update Requestable Scopes + +### Synopsis + +Update requestable scopes of a client + +``` +authlete client management update-requestable-scopes-post [flags] +``` + +### Examples + +``` + authlete client-management update-requestable-scopes-post --service-id --client-id +``` + +### Options + +``` + --body string Request body as JSON (alternative to individual flags). Can also be provided via stdin. + -c, --client-id string A client ID. + [required] + -h, --help help for update-requestable-scopes-post + -r, --requestable-scopes null The set of scopes that the client application is allowed to request. + This parameter will be one of the following. Details are described in the description. + + + - an empty set + - a set with at least one element + + If this parameter contains scopes that the service does not support, those scopes are just + ignored. Also, if this parameter is null or is not included in the request, it is equivalent + to calling `/client/extension/requestable_scopes/delete` API. + + -s, --service-id string A service ID. [required] +``` + +### Options inherited from parent commands + +``` + --agent-mode Enable structured errors and default TOON output for AI coding agents. Automatically enabled when a known agent environment is detected (CLAUDE_CODE, CURSOR_AGENT, etc.). Use --agent-mode=false to disable. + --bearer Authorization: Bearer Authenticate every request with a **Service Access Token** or **Organization Token**. + Set the token value in the Authorization: Bearer header. + + **Service Access Token**: Scoped to a single service. Use when automating service-level configuration or runtime flows. + + **Organization Token**: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically. + + Both token types are issued by the Authlete console or provisioning APIs. 
+ --color string Control colored output: auto (color when output is a TTY), always, or never. Respects NO_COLOR and FORCE_COLOR env vars. (default "auto") + -d, --debug Log request and response diagnostics to stderr + --dry-run Preview the request that would be sent without executing it (output to stderr) + -H, --header stringArray Set a custom HTTP request header (format: "Key: Value"). Can be specified multiple times. + --include-headers Include HTTP response headers in the output + -q, --jq string Filter and transform output using a jq expression (e.g., '.name', '.items[] | .id') + --no-interactive Disable all interactive features (auto-prompting, explorer auto-launch, TUI forms) + -o, --output-format string Specify the output format. Options: pretty, json, yaml, table, toon. (default "pretty") + --server string Select a server by index (for indexed servers) or name (for named servers) + --server-url string Override the default server URL + --timeout string HTTP request timeout (e.g., 30s, 5m, 100ms) + --usage Print the CLI Usage schema in KDL format +``` + +### SEE ALSO + +* [authlete client management](authlete_client_management.md) - Operations for client-management diff --git a/internal/cli/client/clientmanagement1/deleteauthorizations.go b/internal/cli/client/clientmanagement/deleteauthorizations.go similarity index 95% rename from internal/cli/client/clientmanagement1/deleteauthorizations.go rename to internal/cli/client/clientmanagement/deleteauthorizations.go index da52848..ea0d6be 100644 --- a/internal/cli/client/clientmanagement1/deleteauthorizations.go +++ b/internal/cli/client/clientmanagement/deleteauthorizations.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" 
@@ -26,7 +26,7 @@ func initDeleteAuthorizationsCmd(parent *cobra.Command) error { Use: "delete-authorizations", Short: "Delete Client Tokens (by Subject)", Long: "Delete all existing access tokens issued to a client application by an end-user.\nIn this variant, the subject is provided in the path.", - Example: " authlete client-management-1 delete-authorizations --service-id --client-id --subject ", + Example: " authlete client-management delete-authorizations --service-id --client-id --subject ", RunE: runDeleteAuthorizationsCmd, Aliases: []string{"da"}, } diff --git a/internal/cli/client/clientmanagement1/deletegrantedscopes.go b/internal/cli/client/clientmanagement/deletegrantedscopes.go similarity index 95% rename from internal/cli/client/clientmanagement1/deletegrantedscopes.go rename to internal/cli/client/clientmanagement/deletegrantedscopes.go index fc73925..5cf2d78 100644 --- a/internal/cli/client/clientmanagement1/deletegrantedscopes.go +++ b/internal/cli/client/clientmanagement/deletegrantedscopes.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" @@ -26,7 +26,7 @@ func initDeleteGrantedScopesCmd(parent *cobra.Command) error { Use: "delete-granted-scopes", Short: "Delete Granted Scopes (by Subject)", Long: "Delete the set of scopes that an end-user has granted to a client application.\nIn this variant, the subject is provided in the path.", - Example: " authlete client-management-1 delete-granted-scopes --service-id --client-id --subject ", + Example: " authlete client-management delete-granted-scopes --service-id --client-id --subject ", RunE: runDeleteGrantedScopesCmd, Aliases: []string{"dgs"}, } 
diff --git a/internal/cli/clientmanagement2/clientgrantedscopesdeleteapi.go b/internal/cli/client/clientmanagement/deletegrantedscopesforclient.go similarity index 66% rename from internal/cli/clientmanagement2/clientgrantedscopesdeleteapi.go rename to internal/cli/client/clientmanagement/deletegrantedscopesforclient.go index ef6461f..f29b8ca 100644 --- a/internal/cli/clientmanagement2/clientgrantedscopesdeleteapi.go +++ b/internal/cli/client/clientmanagement/deletegrantedscopesforclient.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement2 +package clientmanagement import ( "fmt" 
@@ -14,41 +14,41 @@ import ( "github.com/spf13/cobra" ) -var clientGrantedScopesDeleteAPICmdMeta = []flagutil.FlagMeta{ +var deleteGrantedScopesForClientCmdMeta = []flagutil.FlagMeta{ {FlagName: "service-id", FieldPath: "ServiceID", Kind: flagutil.FlagKindString, Required: true, Description: "A service ID. [required]"}, {FlagName: "client-id", Shorthand: "c", FieldPath: "ClientID", Kind: flagutil.FlagKindString, Required: true, Description: "A client ID.\n [required]"}, {FlagName: "subject", FieldPath: "Subject", Kind: flagutil.FlagKindString, Required: true, Description: "Unique user ID of an end-user.\n [required]"}, } -// initClientGrantedScopesDeleteApiCmd initializes the client-granted-scopes-delete-api command. -func initClientGrantedScopesDeleteApiCmd(parent *cobra.Command) error { +// initDeleteGrantedScopesForClientCmd initializes the delete-granted-scopes-for-client command. +func initDeleteGrantedScopesForClientCmd(parent *cobra.Command) error { var cmd = &cobra.Command{ - Use: "client-granted-scopes-delete-api", + Use: "delete-granted-scopes-for-client", Short: "Delete Granted Scopes", Long: "Delete the set of scopes that an end-user has granted to a client application.\n\nEven if records about granted scopes are deleted by calling this API, existing access tokens are\nnot deleted and scopes of existing access tokens are not changed.\nThe subject parameter is required and must be provided as a query parameter.", - Example: " authlete client-management-2 client-granted-scopes-delete-api --service-id --client-id --subject ", - RunE: runClientGrantedScopesDeleteApiCmd, - Aliases: []string{"cgsda"}, + Example: " authlete client-management delete-granted-scopes-for-client --service-id --client-id --subject ", + RunE: runDeleteGrantedScopesForClientCmd, + Aliases: []string{"dgsfc"}, } - flagutil.RegisterFlags(cmd, clientGrantedScopesDeleteAPICmdMeta) - if err := 
flagutil.ValidateMeta[operations.ClientGrantedScopesDeleteAPIRequest](clientGrantedScopesDeleteAPICmdMeta); err != nil { - return fmt.Errorf("invalid metadata for client-granted-scopes-delete-api: %w", err) + flagutil.RegisterFlags(cmd, deleteGrantedScopesForClientCmdMeta) + if err := flagutil.ValidateMeta[operations.ClientGrantedScopesDeleteAPIRequest](deleteGrantedScopesForClientCmdMeta); err != nil { + return fmt.Errorf("invalid metadata for delete-granted-scopes-for-client: %w", err) } parent.AddCommand(cmd) return nil } -// runClientGrantedScopesDeleteApiCmd executes the client-granted-scopes-delete-api command. -func runClientGrantedScopesDeleteApiCmd(cmd *cobra.Command, args []string) error { +// runDeleteGrantedScopesForClientCmd executes the delete-granted-scopes-for-client command. +func runDeleteGrantedScopesForClientCmd(cmd *cobra.Command, args []string) error { if usage.UsageRequested(cmd) { return usage.EmitSchema(cmd, cmd.OutOrStdout()) } - if interactive.ShouldPrompt(cmd, clientGrantedScopesDeleteAPICmdMeta) { - if err := interactive.PromptAndSetFlags(cmd, clientGrantedScopesDeleteAPICmdMeta); err != nil { + if interactive.ShouldPrompt(cmd, deleteGrantedScopesForClientCmdMeta) { + if err := interactive.PromptAndSetFlags(cmd, deleteGrantedScopesForClientCmdMeta); err != nil { return err } } - req, err := flagutil.BuildRequest[operations.ClientGrantedScopesDeleteAPIRequest](cmd, clientGrantedScopesDeleteAPICmdMeta, "", "") + req, err := flagutil.BuildRequest[operations.ClientGrantedScopesDeleteAPIRequest](cmd, deleteGrantedScopesForClientCmdMeta, "", "") if err != nil { return err } 
@@ -71,7 +71,7 @@ func runClientGrantedScopesDeleteApiCmd(cmd *cobra.Command, args []string) error if output.WantsRawJSON(cmd) { sdkOpts = append(sdkOpts, operations.WithSkipDeserialization()) } - res, err := s.ClientManagement.ClientGrantedScopesDeleteAPI(cmd.Context(), *req, sdkOpts...) + res, err := s.Client.Management.DeleteGrantedScopesForClient(cmd.Context(), *req, sdkOpts...) if err != nil { return output.Error(cmd, err) } diff --git a/internal/cli/client/clientmanagement1/deleterequestablescopes.go b/internal/cli/client/clientmanagement/deleterequestablescopes.go similarity index 95% rename from internal/cli/client/clientmanagement1/deleterequestablescopes.go rename to internal/cli/client/clientmanagement/deleterequestablescopes.go index f4db7b6..d91117c 100644 --- a/internal/cli/client/clientmanagement1/deleterequestablescopes.go +++ b/internal/cli/client/clientmanagement/deleterequestablescopes.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" @@ -25,7 +25,7 @@ func initDeleteRequestableScopesCmd(parent *cobra.Command) error { Use: "delete-requestable-scopes", Short: "Delete Requestable Scopes", Long: "Delete requestable scopes of a client", - Example: " authlete client-management-1 delete-requestable-scopes --service-id --client-id ", + Example: " authlete client-management delete-requestable-scopes --service-id --client-id ", RunE: runDeleteRequestableScopesCmd, Aliases: []string{"drs"}, } diff --git a/internal/cli/client/clientmanagement1/getgrantedscopes.go b/internal/cli/client/clientmanagement/getgrantedscopes.go similarity index 95% rename from internal/cli/client/clientmanagement1/getgrantedscopes.go rename to internal/cli/client/clientmanagement/getgrantedscopes.go index 78b94c9..592cc68 100644 --- a/internal/cli/client/clientmanagement1/getgrantedscopes.go +++ b/internal/cli/client/clientmanagement/getgrantedscopes.go 
@@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" @@ -26,7 +26,7 @@ func initGetGrantedScopesCmd(parent *cobra.Command) error { Use: "get-granted-scopes", Short: "Get Granted Scopes (by Subject)", Long: "Get the set of scopes that a user has granted to a client application.\nIn this variant, the subject is provided in the path.", - Example: " authlete client-management-1 get-granted-scopes --service-id --client-id --subject ", + Example: " authlete client-management get-granted-scopes --service-id --client-id --subject ", RunE: runGetGrantedScopesCmd, Aliases: []string{"ggs"}, } diff --git a/internal/cli/clientmanagement2/clientgrantedscopesgetapi.go b/internal/cli/client/clientmanagement/getgrantedscopesforclient.go similarity index 64% rename from internal/cli/clientmanagement2/clientgrantedscopesgetapi.go rename to internal/cli/client/clientmanagement/getgrantedscopesforclient.go index cb5da57..a7fd4c7 100644 --- a/internal/cli/clientmanagement2/clientgrantedscopesgetapi.go +++ b/internal/cli/client/clientmanagement/getgrantedscopesforclient.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement2 +package clientmanagement import ( "fmt" 
@@ -14,41 +14,41 @@ import ( "github.com/spf13/cobra" ) -var clientGrantedScopesGetAPICmdMeta = []flagutil.FlagMeta{ +var getGrantedScopesForClientCmdMeta = []flagutil.FlagMeta{ {FlagName: "service-id", FieldPath: "ServiceID", Kind: flagutil.FlagKindString, Required: true, Description: "A service ID. [required]"}, {FlagName: "client-id", Shorthand: "c", FieldPath: "ClientID", Kind: flagutil.FlagKindString, Required: true, Description: "A client ID.\n [required]"}, {FlagName: "subject", FieldPath: "Subject", Kind: flagutil.FlagKindString, Required: true, Description: "Unique user ID of an end-user.\n [required]"}, } -// initClientGrantedScopesGetApiCmd initializes the client-granted-scopes-get-api command. -func initClientGrantedScopesGetApiCmd(parent *cobra.Command) error { +// initGetGrantedScopesForClientCmd initializes the get-granted-scopes-for-client command. +func initGetGrantedScopesForClientCmd(parent *cobra.Command) error { var cmd = &cobra.Command{ - Use: "client-granted-scopes-get-api", + Use: "get-granted-scopes-for-client", Short: "Get Granted Scopes", Long: "Get the set of scopes that a user has granted to a client application.", - Example: " authlete client-management-2 client-granted-scopes-get-api --service-id 715948317 --client-id 1140735077 --subject ", - RunE: runClientGrantedScopesGetApiCmd, - Aliases: []string{"cgsga"}, + Example: " authlete client-management get-granted-scopes-for-client --service-id 715948317 --client-id 1140735077 --subject ", + RunE: runGetGrantedScopesForClientCmd, + Aliases: []string{"ggsfc"}, } - flagutil.RegisterFlags(cmd, clientGrantedScopesGetAPICmdMeta) - if err := flagutil.ValidateMeta[operations.ClientGrantedScopesGetAPIRequest](clientGrantedScopesGetAPICmdMeta); err != nil { - return fmt.Errorf("invalid metadata for client-granted-scopes-get-api: %w", err) + flagutil.RegisterFlags(cmd, getGrantedScopesForClientCmdMeta) + if err := 
flagutil.ValidateMeta[operations.ClientGrantedScopesGetAPIRequest](getGrantedScopesForClientCmdMeta); err != nil { + return fmt.Errorf("invalid metadata for get-granted-scopes-for-client: %w", err) } parent.AddCommand(cmd) return nil } -// runClientGrantedScopesGetApiCmd executes the client-granted-scopes-get-api command. -func runClientGrantedScopesGetApiCmd(cmd *cobra.Command, args []string) error { +// runGetGrantedScopesForClientCmd executes the get-granted-scopes-for-client command. +func runGetGrantedScopesForClientCmd(cmd *cobra.Command, args []string) error { if usage.UsageRequested(cmd) { return usage.EmitSchema(cmd, cmd.OutOrStdout()) } - if interactive.ShouldPrompt(cmd, clientGrantedScopesGetAPICmdMeta) { - if err := interactive.PromptAndSetFlags(cmd, clientGrantedScopesGetAPICmdMeta); err != nil { + if interactive.ShouldPrompt(cmd, getGrantedScopesForClientCmdMeta) { + if err := interactive.PromptAndSetFlags(cmd, getGrantedScopesForClientCmdMeta); err != nil { return err } } - req, err := flagutil.BuildRequest[operations.ClientGrantedScopesGetAPIRequest](cmd, clientGrantedScopesGetAPICmdMeta, "", "") + req, err := flagutil.BuildRequest[operations.ClientGrantedScopesGetAPIRequest](cmd, getGrantedScopesForClientCmdMeta, "", "") if err != nil { return err } @@ -71,7 +71,7 @@ func runClientGrantedScopesGetApiCmd(cmd *cobra.Command, args []string) error { if output.WantsRawJSON(cmd) { sdkOpts = append(sdkOpts, operations.WithSkipDeserialization()) } - res, err := s.ClientManagement.ClientGrantedScopesGetAPI(cmd.Context(), *req, sdkOpts...) + res, err := s.Client.Management.GetGrantedScopesForClient(cmd.Context(), *req, sdkOpts...) if err != nil { return output.Error(cmd, err) } 
diff --git a/internal/cli/clientmanagement2/clientgrantedscopesgetapipost.go b/internal/cli/client/clientmanagement/getgrantedscopesforclientpost.go similarity index 65% rename from internal/cli/clientmanagement2/clientgrantedscopesgetapipost.go rename to internal/cli/client/clientmanagement/getgrantedscopesforclientpost.go index 578e914..355ef59 100644 --- a/internal/cli/clientmanagement2/clientgrantedscopesgetapipost.go +++ b/internal/cli/client/clientmanagement/getgrantedscopesforclientpost.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement2 +package clientmanagement import ( "fmt" 
@@ -14,42 +14,42 @@ import ( "github.com/spf13/cobra" ) -var clientGrantedScopesGetAPIPostCmdMeta = []flagutil.FlagMeta{ +var getGrantedScopesForClientPostCmdMeta = []flagutil.FlagMeta{ {FlagName: "service-id", FieldPath: "ServiceID", Kind: flagutil.FlagKindString, Required: true, Description: "A service ID. [required]"}, {FlagName: "client-id", Shorthand: "c", FieldPath: "ClientID", Kind: flagutil.FlagKindString, Required: true, Description: "A client ID.\n [required]"}, {FlagName: "subject", FieldPath: "Body.Subject", Kind: flagutil.FlagKindString, Required: true, Description: "Unique user ID of an end-user. [required]"}, } -// initClientGrantedScopesGetApiPostCmd initializes the client-granted-scopes-get-api-post command. -func initClientGrantedScopesGetApiPostCmd(parent *cobra.Command) error { +// initGetGrantedScopesForClientPostCmd initializes the get-granted-scopes-for-client-post command. +func initGetGrantedScopesForClientPostCmd(parent *cobra.Command) error { var cmd = &cobra.Command{ - Use: "client-granted-scopes-get-api-post", + Use: "get-granted-scopes-for-client-post", Short: "Get Granted Scopes", Long: "Get the set of scopes that a user has granted to a client application.\n\nThe subject parameter is required.", - Example: " authlete client-management-2 client-granted-scopes-get-api-post --service-id --client-id --subject ", - RunE: runClientGrantedScopesGetApiPostCmd, - Aliases: []string{"cgsgap"}, + Example: " authlete client-management get-granted-scopes-for-client-post --service-id --client-id --subject ", + RunE: runGetGrantedScopesForClientPostCmd, + Aliases: []string{"ggsfcp"}, } - flagutil.RegisterFlags(cmd, clientGrantedScopesGetAPIPostCmdMeta) - if err := flagutil.ValidateMeta[operations.ClientGrantedScopesGetAPIPostRequest](clientGrantedScopesGetAPIPostCmdMeta); err != nil { - return fmt.Errorf("invalid metadata for client-granted-scopes-get-api-post: %w", err) + flagutil.RegisterFlags(cmd, getGrantedScopesForClientPostCmdMeta) + if err := 
flagutil.ValidateMeta[operations.ClientGrantedScopesGetAPIPostRequest](getGrantedScopesForClientPostCmdMeta); err != nil { + return fmt.Errorf("invalid metadata for get-granted-scopes-for-client-post: %w", err) } cmd.Flags().String("body", "", "Request body as JSON (alternative to individual flags). Can also be provided via stdin.") parent.AddCommand(cmd) return nil } -// runClientGrantedScopesGetApiPostCmd executes the client-granted-scopes-get-api-post command. -func runClientGrantedScopesGetApiPostCmd(cmd *cobra.Command, args []string) error { +// runGetGrantedScopesForClientPostCmd executes the get-granted-scopes-for-client-post command. +func runGetGrantedScopesForClientPostCmd(cmd *cobra.Command, args []string) error { if usage.UsageRequested(cmd) { return usage.EmitSchema(cmd, cmd.OutOrStdout()) } - if interactive.ShouldPrompt(cmd, clientGrantedScopesGetAPIPostCmdMeta) { - if err := interactive.PromptAndSetFlags(cmd, clientGrantedScopesGetAPIPostCmdMeta); err != nil { + if interactive.ShouldPrompt(cmd, getGrantedScopesForClientPostCmdMeta) { + if err := interactive.PromptAndSetFlags(cmd, getGrantedScopesForClientPostCmdMeta); err != nil { return err } } - req, err := flagutil.BuildRequest[operations.ClientGrantedScopesGetAPIPostRequest](cmd, clientGrantedScopesGetAPIPostCmdMeta, "Body", "body") + req, err := flagutil.BuildRequest[operations.ClientGrantedScopesGetAPIPostRequest](cmd, getGrantedScopesForClientPostCmdMeta, "Body", "body") if err != nil { return err } @@ -72,7 +72,7 @@ func runClientGrantedScopesGetApiPostCmd(cmd *cobra.Command, args []string) erro if output.WantsRawJSON(cmd) { sdkOpts = append(sdkOpts, operations.WithSkipDeserialization()) } - res, err := s.ClientManagement.ClientGrantedScopesGetAPIPost(cmd.Context(), *req, sdkOpts...) + res, err := s.Client.Management.GetGrantedScopesForClientPost(cmd.Context(), *req, sdkOpts...) if err != nil { return output.Error(cmd, err) } 
diff --git a/internal/cli/client/clientmanagement1/getrequestablescopes.go b/internal/cli/client/clientmanagement/getrequestablescopes.go similarity index 95% rename from internal/cli/client/clientmanagement1/getrequestablescopes.go rename to internal/cli/client/clientmanagement/getrequestablescopes.go index 7b60aad..4eb77f9 100644 --- a/internal/cli/client/clientmanagement1/getrequestablescopes.go +++ b/internal/cli/client/clientmanagement/getrequestablescopes.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" @@ -25,7 +25,7 @@ func initGetRequestableScopesCmd(parent *cobra.Command) error { Use: "get-requestable-scopes", Short: "Get Requestable Scopes", Long: "Get the requestable scopes per client", - Example: " authlete client-management-1 get-requestable-scopes --service-id --client-id ", + Example: " authlete client-management get-requestable-scopes --service-id --client-id ", RunE: runGetRequestableScopesCmd, Aliases: []string{"grs"}, } diff --git a/internal/cli/client/clientmanagement1/listauthorizations.go b/internal/cli/client/clientmanagement/listauthorizations.go similarity index 96% rename from internal/cli/client/clientmanagement1/listauthorizations.go rename to internal/cli/client/clientmanagement/listauthorizations.go index af04e26..b83bc8b 100644 --- a/internal/cli/client/clientmanagement1/listauthorizations.go +++ b/internal/cli/client/clientmanagement/listauthorizations.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" 
@@ -28,7 +28,7 @@ func initListAuthorizationsCmd(parent *cobra.Command) error { Use: "list-authorizations", Short: "Get Authorized Applications (by Subject)", Long: "Get a list of client applications that an end-user has authorized.\nIn this variant, the subject is provided in the path.", - Example: " authlete client-management-1 list-authorizations --service-id --subject ", + Example: " authlete client-management list-authorizations --service-id --subject ", RunE: runListAuthorizationsCmd, Aliases: []string{"la"}, } diff --git a/internal/cli/clientmanagement2/clientauthorizationgetlistapi.go b/internal/cli/client/clientmanagement/listauthorizedapplications.go similarity index 67% rename from internal/cli/clientmanagement2/clientauthorizationgetlistapi.go rename to internal/cli/client/clientmanagement/listauthorizedapplications.go index aff37d4..8fed0b8 100644 --- a/internal/cli/clientmanagement2/clientauthorizationgetlistapi.go +++ b/internal/cli/client/clientmanagement/listauthorizedapplications.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement2 +package clientmanagement import ( "fmt" @@ -14,7 +14,7 @@ import ( "github.com/spf13/cobra" ) -var clientAuthorizationGetListAPICmdMeta = []flagutil.FlagMeta{ +var listAuthorizedApplicationsCmdMeta = []flagutil.FlagMeta{ {FlagName: "service-id", FieldPath: "ServiceID", Kind: flagutil.FlagKindString, Required: true, Description: "A service ID. [required]"}, {FlagName: "subject", FieldPath: "Subject", Kind: flagutil.FlagKindString, Required: true, Description: "Unique user ID of an end-user.\n [required]"}, {FlagName: "developer", FieldPath: "Developer", Kind: flagutil.FlagKindString, Optional: true, Description: "Unique ID of a client developer.\n"}, 
@@ -22,35 +22,35 @@ var clientAuthorizationGetListAPICmdMeta = []flagutil.FlagMeta{ {FlagName: "end", Shorthand: "e", FieldPath: "End", Kind: flagutil.FlagKindInt64, Optional: true, Description: "End index of search results (exclusive). The default value is 5.\n"}, } -// initClientAuthorizationGetListApiCmd initializes the client-authorization-get-list-api command. -func initClientAuthorizationGetListApiCmd(parent *cobra.Command) error { +// initListAuthorizedApplicationsCmd initializes the list-authorized-applications command. +func initListAuthorizedApplicationsCmd(parent *cobra.Command) error { var cmd = &cobra.Command{ - Use: "client-authorization-get-list-api", + Use: "list-authorized-applications", Short: "Get Authorized Applications", Long: "Get a list of client applications that an end-user has authorized.\n\nThe subject parameter is required and can be provided as a query parameter.", - Example: " authlete client-management-2 client-authorization-get-list-api --service-id --subject ", - RunE: runClientAuthorizationGetListApiCmd, - Aliases: []string{"cagla"}, + Example: " authlete client-management list-authorized-applications --service-id --subject ", + RunE: runListAuthorizedApplicationsCmd, + Aliases: []string{"laa"}, } - flagutil.RegisterFlags(cmd, clientAuthorizationGetListAPICmdMeta) - if err := flagutil.ValidateMeta[operations.ClientAuthorizationGetListAPIRequest](clientAuthorizationGetListAPICmdMeta); err != nil { - return fmt.Errorf("invalid metadata for client-authorization-get-list-api: %w", err) + flagutil.RegisterFlags(cmd, listAuthorizedApplicationsCmdMeta) + if err := flagutil.ValidateMeta[operations.ClientAuthorizationGetListAPIRequest](listAuthorizedApplicationsCmdMeta); err != nil { + return fmt.Errorf("invalid metadata for list-authorized-applications: %w", err) } parent.AddCommand(cmd) return nil } -// runClientAuthorizationGetListApiCmd executes the client-authorization-get-list-api command. 
-func runClientAuthorizationGetListApiCmd(cmd *cobra.Command, args []string) error { +// runListAuthorizedApplicationsCmd executes the list-authorized-applications command. +func runListAuthorizedApplicationsCmd(cmd *cobra.Command, args []string) error { if usage.UsageRequested(cmd) { return usage.EmitSchema(cmd, cmd.OutOrStdout()) } - if interactive.ShouldPrompt(cmd, clientAuthorizationGetListAPICmdMeta) { - if err := interactive.PromptAndSetFlags(cmd, clientAuthorizationGetListAPICmdMeta); err != nil { + if interactive.ShouldPrompt(cmd, listAuthorizedApplicationsCmdMeta) { + if err := interactive.PromptAndSetFlags(cmd, listAuthorizedApplicationsCmdMeta); err != nil { return err } } - req, err := flagutil.BuildRequest[operations.ClientAuthorizationGetListAPIRequest](cmd, clientAuthorizationGetListAPICmdMeta, "", "") + req, err := flagutil.BuildRequest[operations.ClientAuthorizationGetListAPIRequest](cmd, listAuthorizedApplicationsCmdMeta, "", "") if err != nil { return err } @@ -73,7 +73,7 @@ func runClientAuthorizationGetListApiCmd(cmd *cobra.Command, args []string) erro if output.WantsRawJSON(cmd) { sdkOpts = append(sdkOpts, operations.WithSkipDeserialization()) } - res, err := s.ClientManagement.ClientAuthorizationGetListAPI(cmd.Context(), *req, sdkOpts...) + res, err := s.Client.Management.ListAuthorizedApplications(cmd.Context(), *req, sdkOpts...) if err != nil { return output.Error(cmd, err) } diff --git a/internal/cli/clientmanagement2/clientauthorizationgetlistapipost.go b/internal/cli/client/clientmanagement/listauthorizedapplicationspost.go similarity index 65% rename from internal/cli/clientmanagement2/clientauthorizationgetlistapipost.go rename to internal/cli/client/clientmanagement/listauthorizedapplicationspost.go index 60d8914..8d0345c 100644 --- a/internal/cli/clientmanagement2/clientauthorizationgetlistapipost.go +++ b/internal/cli/client/clientmanagement/listauthorizedapplicationspost.go 
@@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement2 +package clientmanagement import ( "fmt" @@ -14,7 +14,7 @@ import ( "github.com/spf13/cobra" ) -var clientAuthorizationGetListAPIPostCmdMeta = []flagutil.FlagMeta{ +var listAuthorizedApplicationsPostCmdMeta = []flagutil.FlagMeta{ {FlagName: "service-id", FieldPath: "ServiceID", Kind: flagutil.FlagKindString, Required: true, Description: "A service ID. [required]"}, {FlagName: "subject", FieldPath: "Body.Subject", Kind: flagutil.FlagKindString, Required: true, Description: "Unique user ID of an end-user. [required]"}, {FlagName: "developer", FieldPath: "Body.Developer", Kind: flagutil.FlagKindString, Optional: true, Description: "Unique ID of a client developer."}, 
@@ -22,36 +22,36 @@ var clientAuthorizationGetListAPIPostCmdMeta = []flagutil.FlagMeta{ {FlagName: "end", Shorthand: "e", FieldPath: "Body.End", Kind: flagutil.FlagKindInt64, Optional: true, Description: "End index of search results (exclusive)."}, } -// initClientAuthorizationGetListApiPostCmd initializes the client-authorization-get-list-api-post command. -func initClientAuthorizationGetListApiPostCmd(parent *cobra.Command) error { +// initListAuthorizedApplicationsPostCmd initializes the list-authorized-applications-post command. +func initListAuthorizedApplicationsPostCmd(parent *cobra.Command) error { var cmd = &cobra.Command{ - Use: "client-authorization-get-list-api-post", + Use: "list-authorized-applications-post", Short: "Get Authorized Applications", Long: "Get a list of client applications that an end-user has authorized.\n\nThe subject parameter is required.", - Example: " authlete client-management-2 client-authorization-get-list-api-post --service-id --subject ", - RunE: runClientAuthorizationGetListApiPostCmd, - Aliases: []string{"caglap"}, + Example: " authlete client-management list-authorized-applications-post --service-id --subject ", + RunE: runListAuthorizedApplicationsPostCmd, + Aliases: []string{"laap"}, } - flagutil.RegisterFlags(cmd, clientAuthorizationGetListAPIPostCmdMeta) - if err := flagutil.ValidateMeta[operations.ClientAuthorizationGetListAPIPostRequest](clientAuthorizationGetListAPIPostCmdMeta); err != nil { - return fmt.Errorf("invalid metadata for client-authorization-get-list-api-post: %w", err) + flagutil.RegisterFlags(cmd, listAuthorizedApplicationsPostCmdMeta) + if err := flagutil.ValidateMeta[operations.ClientAuthorizationGetListAPIPostRequest](listAuthorizedApplicationsPostCmdMeta); err != nil { + return fmt.Errorf("invalid metadata for list-authorized-applications-post: %w", err) } cmd.Flags().String("body", "", "Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.") parent.AddCommand(cmd) return nil } -// runClientAuthorizationGetListApiPostCmd executes the client-authorization-get-list-api-post command. -func runClientAuthorizationGetListApiPostCmd(cmd *cobra.Command, args []string) error { +// runListAuthorizedApplicationsPostCmd executes the list-authorized-applications-post command. +func runListAuthorizedApplicationsPostCmd(cmd *cobra.Command, args []string) error { if usage.UsageRequested(cmd) { return usage.EmitSchema(cmd, cmd.OutOrStdout()) } - if interactive.ShouldPrompt(cmd, clientAuthorizationGetListAPIPostCmdMeta) { - if err := interactive.PromptAndSetFlags(cmd, clientAuthorizationGetListAPIPostCmdMeta); err != nil { + if interactive.ShouldPrompt(cmd, listAuthorizedApplicationsPostCmdMeta) { + if err := interactive.PromptAndSetFlags(cmd, listAuthorizedApplicationsPostCmdMeta); err != nil { return err } } - req, err := flagutil.BuildRequest[operations.ClientAuthorizationGetListAPIPostRequest](cmd, clientAuthorizationGetListAPIPostCmdMeta, "Body", "body") + req, err := flagutil.BuildRequest[operations.ClientAuthorizationGetListAPIPostRequest](cmd, listAuthorizedApplicationsPostCmdMeta, "Body", "body") if err != nil { return err } @@ -74,7 +74,7 @@ func runClientAuthorizationGetListApiPostCmd(cmd *cobra.Command, args []string) if output.WantsRawJSON(cmd) { sdkOpts = append(sdkOpts, operations.WithSkipDeserialization()) } - res, err := s.ClientManagement.ClientAuthorizationGetListAPIPost(cmd.Context(), *req, sdkOpts...) + res, err := s.Client.Management.ListAuthorizedApplicationsPost(cmd.Context(), *req, sdkOpts...) if err != nil { return output.Error(cmd, err) } diff --git a/internal/cli/client/clientmanagement1/refreshsecret.go b/internal/cli/client/clientmanagement/refreshsecret.go similarity index 95% rename from internal/cli/client/clientmanagement1/refreshsecret.go rename to internal/cli/client/clientmanagement/refreshsecret.go index 69a2aa8..7f724f7 100644 
--- a/internal/cli/client/clientmanagement1/refreshsecret.go +++ b/internal/cli/client/clientmanagement/refreshsecret.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" @@ -25,7 +25,7 @@ func initRefreshSecretCmd(parent *cobra.Command) error { Use: "refresh-secret", Short: "Rotate Client Secret", Long: "Refresh the client secret of a client. A new value of the client secret will be generated by the\nAuthlete server.\n\nIf you want to specify a new value, use `/api/client/secret/update` API.", - Example: " authlete client-management-1 refresh-secret --service-id --client-identifier ", + Example: " authlete client-management refresh-secret --service-id --client-identifier ", RunE: runRefreshSecretCmd, Aliases: []string{"rs"}, } diff --git a/internal/cli/clientmanagement2/clientauthorizationdeleteapi.go b/internal/cli/client/clientmanagement/revokeclienttokens.go similarity index 64% rename from internal/cli/clientmanagement2/clientauthorizationdeleteapi.go rename to internal/cli/client/clientmanagement/revokeclienttokens.go index c973c62..66ec539 100644 --- a/internal/cli/clientmanagement2/clientauthorizationdeleteapi.go +++ b/internal/cli/client/clientmanagement/revokeclienttokens.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement2 +package clientmanagement import ( "fmt" 
@@ -14,41 +14,41 @@ import ( "github.com/spf13/cobra" ) -var clientAuthorizationDeleteAPICmdMeta = []flagutil.FlagMeta{ +var revokeClientTokensCmdMeta = []flagutil.FlagMeta{ {FlagName: "service-id", FieldPath: "ServiceID", Kind: flagutil.FlagKindString, Required: true, Description: "A service ID. [required]"}, {FlagName: "client-id", Shorthand: "c", FieldPath: "ClientID", Kind: flagutil.FlagKindString, Required: true, Description: "A client ID.\n [required]"}, {FlagName: "subject", FieldPath: "Subject", Kind: flagutil.FlagKindString, Required: true, Description: "Unique user ID of an end-user.\n [required]"}, } -// initClientAuthorizationDeleteApiCmd initializes the client-authorization-delete-api command. -func initClientAuthorizationDeleteApiCmd(parent *cobra.Command) error { +// initRevokeClientTokensCmd initializes the revoke-client-tokens command. +func initRevokeClientTokensCmd(parent *cobra.Command) error { var cmd = &cobra.Command{ - Use: "client-authorization-delete-api", + Use: "revoke-client-tokens", Short: "Delete Client Tokens", Long: "Delete all existing access tokens issued to a client application by an end-user.\n\nThe subject parameter is required and must be provided as a query parameter.", - Example: " authlete client-management-2 client-authorization-delete-api --service-id --client-id --subject ", - RunE: runClientAuthorizationDeleteApiCmd, - Aliases: []string{"cada"}, + Example: " authlete client-management revoke-client-tokens --service-id --client-id --subject ", + RunE: runRevokeClientTokensCmd, + Aliases: []string{"rct"}, } - flagutil.RegisterFlags(cmd, clientAuthorizationDeleteAPICmdMeta) - if err := flagutil.ValidateMeta[operations.ClientAuthorizationDeleteAPIRequest](clientAuthorizationDeleteAPICmdMeta); err != nil { - return fmt.Errorf("invalid metadata for client-authorization-delete-api: %w", err) + flagutil.RegisterFlags(cmd, revokeClientTokensCmdMeta) + if err := 
flagutil.ValidateMeta[operations.ClientAuthorizationDeleteAPIRequest](revokeClientTokensCmdMeta); err != nil { + return fmt.Errorf("invalid metadata for revoke-client-tokens: %w", err) } parent.AddCommand(cmd) return nil } -// runClientAuthorizationDeleteApiCmd executes the client-authorization-delete-api command. -func runClientAuthorizationDeleteApiCmd(cmd *cobra.Command, args []string) error { +// runRevokeClientTokensCmd executes the revoke-client-tokens command. +func runRevokeClientTokensCmd(cmd *cobra.Command, args []string) error { if usage.UsageRequested(cmd) { return usage.EmitSchema(cmd, cmd.OutOrStdout()) } - if interactive.ShouldPrompt(cmd, clientAuthorizationDeleteAPICmdMeta) { - if err := interactive.PromptAndSetFlags(cmd, clientAuthorizationDeleteAPICmdMeta); err != nil { + if interactive.ShouldPrompt(cmd, revokeClientTokensCmdMeta) { + if err := interactive.PromptAndSetFlags(cmd, revokeClientTokensCmdMeta); err != nil { return err } } - req, err := flagutil.BuildRequest[operations.ClientAuthorizationDeleteAPIRequest](cmd, clientAuthorizationDeleteAPICmdMeta, "", "") + req, err := flagutil.BuildRequest[operations.ClientAuthorizationDeleteAPIRequest](cmd, revokeClientTokensCmdMeta, "", "") if err != nil { return err } @@ -71,7 +71,7 @@ func runClientAuthorizationDeleteApiCmd(cmd *cobra.Command, args []string) error if output.WantsRawJSON(cmd) { sdkOpts = append(sdkOpts, operations.WithSkipDeserialization()) } - res, err := s.ClientManagement.ClientAuthorizationDeleteAPI(cmd.Context(), *req, sdkOpts...) + res, err := s.Client.Management.RevokeClientTokens(cmd.Context(), *req, sdkOpts...) if err != nil { return output.Error(cmd, err) } 
diff --git a/internal/cli/clientmanagement2/clientauthorizationdeleteapipost.go b/internal/cli/client/clientmanagement/revokeclienttokenspost.go similarity index 63% rename from internal/cli/clientmanagement2/clientauthorizationdeleteapipost.go rename to internal/cli/client/clientmanagement/revokeclienttokenspost.go index 317259f..c89fbd0 100644 --- a/internal/cli/clientmanagement2/clientauthorizationdeleteapipost.go +++ b/internal/cli/client/clientmanagement/revokeclienttokenspost.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement2 +package clientmanagement import ( "fmt" 
@@ -14,42 +14,42 @@ import ( "github.com/spf13/cobra" ) -var clientAuthorizationDeleteAPIPostCmdMeta = []flagutil.FlagMeta{ +var revokeClientTokensPostCmdMeta = []flagutil.FlagMeta{ {FlagName: "service-id", FieldPath: "ServiceID", Kind: flagutil.FlagKindString, Required: true, Description: "A service ID. [required]"}, {FlagName: "client-id", Shorthand: "c", FieldPath: "ClientID", Kind: flagutil.FlagKindString, Required: true, Description: "A client ID.\n [required]"}, {FlagName: "subject", FieldPath: "Body.Subject", Kind: flagutil.FlagKindString, Required: true, Description: "Unique user ID of an end-user. [required]"}, } -// initClientAuthorizationDeleteApiPostCmd initializes the client-authorization-delete-api-post command. -func initClientAuthorizationDeleteApiPostCmd(parent *cobra.Command) error { +// initRevokeClientTokensPostCmd initializes the revoke-client-tokens-post command. +func initRevokeClientTokensPostCmd(parent *cobra.Command) error { var cmd = &cobra.Command{ - Use: "client-authorization-delete-api-post", + Use: "revoke-client-tokens-post", Short: "Delete Client Tokens", Long: "Delete all existing access tokens issued to a client application by an end-user.\n\nThe subject parameter is required.", - Example: " authlete client-management-2 client-authorization-delete-api-post --service-id --client-id --subject ", - RunE: runClientAuthorizationDeleteApiPostCmd, - Aliases: []string{"cadap"}, + Example: " authlete client-management revoke-client-tokens-post --service-id --client-id --subject ", + RunE: runRevokeClientTokensPostCmd, + Aliases: []string{"rctp"}, } - flagutil.RegisterFlags(cmd, clientAuthorizationDeleteAPIPostCmdMeta) - if err := flagutil.ValidateMeta[operations.ClientAuthorizationDeleteAPIPostRequest](clientAuthorizationDeleteAPIPostCmdMeta); err != nil { - return fmt.Errorf("invalid metadata for client-authorization-delete-api-post: %w", err) + flagutil.RegisterFlags(cmd, revokeClientTokensPostCmdMeta) + if err := 
flagutil.ValidateMeta[operations.ClientAuthorizationDeleteAPIPostRequest](revokeClientTokensPostCmdMeta); err != nil { + return fmt.Errorf("invalid metadata for revoke-client-tokens-post: %w", err) } cmd.Flags().String("body", "", "Request body as JSON (alternative to individual flags). Can also be provided via stdin.") parent.AddCommand(cmd) return nil } -// runClientAuthorizationDeleteApiPostCmd executes the client-authorization-delete-api-post command. -func runClientAuthorizationDeleteApiPostCmd(cmd *cobra.Command, args []string) error { +// runRevokeClientTokensPostCmd executes the revoke-client-tokens-post command. +func runRevokeClientTokensPostCmd(cmd *cobra.Command, args []string) error { if usage.UsageRequested(cmd) { return usage.EmitSchema(cmd, cmd.OutOrStdout()) } - if interactive.ShouldPrompt(cmd, clientAuthorizationDeleteAPIPostCmdMeta) { - if err := interactive.PromptAndSetFlags(cmd, clientAuthorizationDeleteAPIPostCmdMeta); err != nil { + if interactive.ShouldPrompt(cmd, revokeClientTokensPostCmdMeta) { + if err := interactive.PromptAndSetFlags(cmd, revokeClientTokensPostCmdMeta); err != nil { return err } } - req, err := flagutil.BuildRequest[operations.ClientAuthorizationDeleteAPIPostRequest](cmd, clientAuthorizationDeleteAPIPostCmdMeta, "Body", "body") + req, err := flagutil.BuildRequest[operations.ClientAuthorizationDeleteAPIPostRequest](cmd, revokeClientTokensPostCmdMeta, "Body", "body") if err != nil { return err } @@ -72,7 +72,7 @@ func runClientAuthorizationDeleteApiPostCmd(cmd *cobra.Command, args []string) e if output.WantsRawJSON(cmd) { sdkOpts = append(sdkOpts, operations.WithSkipDeserialization()) } - res, err := s.ClientManagement.ClientAuthorizationDeleteAPIPost(cmd.Context(), *req, sdkOpts...) + res, err := s.Client.Management.RevokeClientTokensPost(cmd.Context(), *req, sdkOpts...) if err != nil { return output.Error(cmd, err) } 
diff --git a/internal/cli/client/clientmanagement/root.go b/internal/cli/client/clientmanagement/root.go new file mode 100644 index 0000000..2777f37 --- /dev/null +++ b/internal/cli/client/clientmanagement/root.go 
@@ -0,0 +1,101 @@ +// Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. + +package clientmanagement + +import ( + "github.com/authlete/authlete-cli/internal/usage" + "github.com/spf13/cobra" +) + +func InitClientManagementRoot(parent *cobra.Command) error { + var ClientManagementCmd = &cobra.Command{ + Use: "management", + Short: "Operations for client-management", + Long: "Operations for client-management", + RunE: func(cmd *cobra.Command, args []string) error { + if usage.UsageRequested(cmd) { + return usage.EmitSchema(cmd, cmd.OutOrStdout()) + } + return cmd.Help() + }, + } + + if err := initUpdateLockFlagCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initRefreshSecretCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initUpdateSecretCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initListAuthorizedApplicationsCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initListAuthorizedApplicationsPostCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initListAuthorizationsCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initUpdateAuthorizationsCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initRevokeClientTokensCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initRevokeClientTokensPostCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initDeleteAuthorizationsCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initGetGrantedScopesForClientCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initGetGrantedScopesForClientPostCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initGetGrantedScopesCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initDeleteGrantedScopesForClientCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initDeleteGrantedScopesCmd(ClientManagementCmd); err != 
nil { + return err + } + + if err := initGetRequestableScopesCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initUpdateRequestableScopesPostCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initUpdateRequestableScopesCmd(ClientManagementCmd); err != nil { + return err + } + + if err := initDeleteRequestableScopesCmd(ClientManagementCmd); err != nil { + return err + } + + parent.AddCommand(ClientManagementCmd) + return nil +} diff --git a/internal/cli/client/clientmanagement1/updateauthorizations.go b/internal/cli/client/clientmanagement/updateauthorizations.go similarity index 96% rename from internal/cli/client/clientmanagement1/updateauthorizations.go rename to internal/cli/client/clientmanagement/updateauthorizations.go index 92e6117..92b49de 100644 --- a/internal/cli/client/clientmanagement1/updateauthorizations.go +++ b/internal/cli/client/clientmanagement/updateauthorizations.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" @@ -27,7 +27,7 @@ func initUpdateAuthorizationsCmd(parent *cobra.Command) error { Use: "update-authorizations", Short: "Update Client Tokens", Long: "Update attributes of all existing access tokens given to a client application.", - Example: " authlete client-management-1 update-authorizations --service-id --client-id --subject john", + Example: " authlete client-management update-authorizations --service-id --client-id --subject john", RunE: runUpdateAuthorizationsCmd, Aliases: []string{"ua"}, } diff --git a/internal/cli/client/clientmanagement1/updatelockflag.go b/internal/cli/client/clientmanagement/updatelockflag.go similarity index 95% rename from internal/cli/client/clientmanagement1/updatelockflag.go rename to internal/cli/client/clientmanagement/updatelockflag.go index 0e45eea..74989d9 100644 --- a/internal/cli/client/clientmanagement1/updatelockflag.go 
+++ b/internal/cli/client/clientmanagement/updatelockflag.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" @@ -26,7 +26,7 @@ func initUpdateLockFlagCmd(parent *cobra.Command) error { Use: "update-lock-flag", Short: "Update Client Lock", Long: "Lock and unlock a client", - Example: " authlete client-management-1 update-lock-flag --service-id --client-identifier --client-locked true", + Example: " authlete client-management update-lock-flag --service-id --client-identifier --client-locked true", RunE: runUpdateLockFlagCmd, Aliases: []string{"ulf"}, } diff --git a/internal/cli/client/clientmanagement1/updaterequestablescopes.go b/internal/cli/client/clientmanagement/updaterequestablescopes.go similarity index 96% rename from internal/cli/client/clientmanagement1/updaterequestablescopes.go rename to internal/cli/client/clientmanagement/updaterequestablescopes.go index b4e0ea0..11bc455 100644 --- a/internal/cli/client/clientmanagement1/updaterequestablescopes.go +++ b/internal/cli/client/clientmanagement/updaterequestablescopes.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" @@ -26,7 +26,7 @@ func initUpdateRequestableScopesCmd(parent *cobra.Command) error { Use: "update-requestable-scopes", Short: "Update Requestable Scopes", Long: "Update requestable scopes of a client", - Example: " authlete client-management-1 update-requestable-scopes --service-id --client-id ", + Example: " authlete client-management update-requestable-scopes --service-id --client-id ", RunE: runUpdateRequestableScopesCmd, Aliases: []string{"urs"}, } 
diff --git a/internal/cli/clientmanagement2/clientextensionrequestablesscopesupdateapipost.go b/internal/cli/client/clientmanagement/updaterequestablescopespost.go similarity index 62% rename from internal/cli/clientmanagement2/clientextensionrequestablesscopesupdateapipost.go rename to internal/cli/client/clientmanagement/updaterequestablescopespost.go index 16569f3..f94383b 100644 --- a/internal/cli/clientmanagement2/clientextensionrequestablesscopesupdateapipost.go +++ b/internal/cli/client/clientmanagement/updaterequestablescopespost.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement2 +package clientmanagement import ( "fmt" 
@@ -14,42 +14,42 @@ import ( "github.com/spf13/cobra" ) -var clientExtensionRequestablesScopesUpdateAPIPostCmdMeta = []flagutil.FlagMeta{ +var updateRequestableScopesPostCmdMeta = []flagutil.FlagMeta{ {FlagName: "service-id", Shorthand: "s", FieldPath: "ServiceID", Kind: flagutil.FlagKindString, Required: true, Description: "A service ID. [required]"}, {FlagName: "client-id", Shorthand: "c", FieldPath: "ClientID", Kind: flagutil.FlagKindString, Required: true, Description: "A client ID.\n [required]"}, {FlagName: "requestable-scopes", Shorthand: "r", FieldPath: "Body.RequestableScopes", Kind: flagutil.FlagKindStringArray, Optional: true, Description: "The set of scopes that the client application is allowed to request.\nThis parameter will be one of the following. Details are described in the description.\n\n\n- an empty set\n- a set with at least one element\n\nIf this parameter contains scopes that the service does not support, those scopes are just\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\nto calling `/client/extension/requestable_scopes/delete` API.\n"}, } -// initClientExtensionRequestablesScopesUpdateApiPostCmd initializes the client-extension-requestables-scopes-update-api-post command. -func initClientExtensionRequestablesScopesUpdateApiPostCmd(parent *cobra.Command) error { +// initUpdateRequestableScopesPostCmd initializes the update-requestable-scopes-post command. 
+func initUpdateRequestableScopesPostCmd(parent *cobra.Command) error { var cmd = &cobra.Command{ - Use: "client-extension-requestables-scopes-update-api-post", + Use: "update-requestable-scopes-post", Short: "Update Requestable Scopes", Long: "Update requestable scopes of a client", - Example: " authlete client-management-2 client-extension-requestables-scopes-update-api-post --service-id --client-id ", - RunE: runClientExtensionRequestablesScopesUpdateApiPostCmd, - Aliases: []string{"cersuap"}, + Example: " authlete client-management update-requestable-scopes-post --service-id --client-id ", + RunE: runUpdateRequestableScopesPostCmd, + Aliases: []string{"ursp"}, } - flagutil.RegisterFlags(cmd, clientExtensionRequestablesScopesUpdateAPIPostCmdMeta) - if err := flagutil.ValidateMeta[operations.ClientExtensionRequestablesScopesUpdateAPIPostRequest](clientExtensionRequestablesScopesUpdateAPIPostCmdMeta); err != nil { - return fmt.Errorf("invalid metadata for client-extension-requestables-scopes-update-api-post: %w", err) + flagutil.RegisterFlags(cmd, updateRequestableScopesPostCmdMeta) + if err := flagutil.ValidateMeta[operations.ClientExtensionRequestablesScopesUpdateAPIPostRequest](updateRequestableScopesPostCmdMeta); err != nil { + return fmt.Errorf("invalid metadata for update-requestable-scopes-post: %w", err) } cmd.Flags().String("body", "", "Request body as JSON (alternative to individual flags). Can also be provided via stdin.") parent.AddCommand(cmd) return nil } -// runClientExtensionRequestablesScopesUpdateApiPostCmd executes the client-extension-requestables-scopes-update-api-post command. -func runClientExtensionRequestablesScopesUpdateApiPostCmd(cmd *cobra.Command, args []string) error { +// runUpdateRequestableScopesPostCmd executes the update-requestable-scopes-post command. 
+func runUpdateRequestableScopesPostCmd(cmd *cobra.Command, args []string) error { if usage.UsageRequested(cmd) { return usage.EmitSchema(cmd, cmd.OutOrStdout()) } - if interactive.ShouldPrompt(cmd, clientExtensionRequestablesScopesUpdateAPIPostCmdMeta) { - if err := interactive.PromptAndSetFlags(cmd, clientExtensionRequestablesScopesUpdateAPIPostCmdMeta); err != nil { + if interactive.ShouldPrompt(cmd, updateRequestableScopesPostCmdMeta) { + if err := interactive.PromptAndSetFlags(cmd, updateRequestableScopesPostCmdMeta); err != nil { return err } } - req, err := flagutil.BuildRequest[operations.ClientExtensionRequestablesScopesUpdateAPIPostRequest](cmd, clientExtensionRequestablesScopesUpdateAPIPostCmdMeta, "Body", "body") + req, err := flagutil.BuildRequest[operations.ClientExtensionRequestablesScopesUpdateAPIPostRequest](cmd, updateRequestableScopesPostCmdMeta, "Body", "body") if err != nil { return err } @@ -72,7 +72,7 @@ func runClientExtensionRequestablesScopesUpdateApiPostCmd(cmd *cobra.Command, ar if output.WantsRawJSON(cmd) { sdkOpts = append(sdkOpts, operations.WithSkipDeserialization()) } - res, err := s.ClientManagement.ClientExtensionRequestablesScopesUpdateAPIPost(cmd.Context(), *req, sdkOpts...) + res, err := s.Client.Management.UpdateRequestableScopesPost(cmd.Context(), *req, sdkOpts...) if err != nil { return output.Error(cmd, err) } diff --git a/internal/cli/client/clientmanagement1/updatesecret.go b/internal/cli/client/clientmanagement/updatesecret.go similarity index 95% rename from internal/cli/client/clientmanagement1/updatesecret.go rename to internal/cli/client/clientmanagement/updatesecret.go index 81232f3..cd613b1 100644 --- a/internal/cli/client/clientmanagement1/updatesecret.go +++ b/internal/cli/client/clientmanagement/updatesecret.go @@ -1,6 +1,6 @@ // Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. -package clientmanagement1 +package clientmanagement import ( "fmt" 
@@ -26,7 +26,7 @@ func initUpdateSecretCmd(parent *cobra.Command) error { Use: "update-secret", Short: "Update Client Secret", Long: "Update the client secret of a client.\n\nIf you want to have the Authlete server generate a new value of the client secret, use `/api/client/secret/refresh`\nAPI.", - Example: " authlete client-management-1 update-secret --service-id --client-identifier --client-secret my_updated_client_secret", + Example: " authlete client-management update-secret --service-id --client-identifier --client-secret my_updated_client_secret", RunE: runUpdateSecretCmd, Aliases: []string{"us"}, } diff --git a/internal/cli/client/clientmanagement1/root.go b/internal/cli/client/clientmanagement1/root.go deleted file mode 100644 index b7f03c1..0000000 --- a/internal/cli/client/clientmanagement1/root.go +++ /dev/null 
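Review bot: The `Example` string on the new side still shows the client secret as a literal flag value (`--client-secret my_updated_client_secret`), and a secret passed that way is recorded in shell history and visible in the process list to other local users. Since this line is being rewritten anyway, the example could show the secret supplied some other way, for instance through the JSON request body on stdin if this command registers the same `body` flag that the `-post` commands in this commit do (not visible in this hunk). A sentence in `Long` would also help, e.g. `Avoid passing the secret as a flag value on shared hosts; it is kept in shell history and shown in the process list.` The file is marked as generated, so the wording has to change in the API description the generator reads rather than here. The body of initUpdateSecretCmd continues outside the hunk.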
@@ -1,70 +0,0 @@ -// Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. - -package clientmanagement1 - -import ( - "github.com/authlete/authlete-cli/internal/usage" - "github.com/spf13/cobra" -) - -func InitClientManagement1Root(parent *cobra.Command) error { - var ClientManagement1Cmd = &cobra.Command{ - Use: "management-1", - Short: "Operations for client-management-1", - Long: "Operations for client-management-1", - RunE: func(cmd *cobra.Command, args []string) error { - if usage.UsageRequested(cmd) { - return usage.EmitSchema(cmd, cmd.OutOrStdout()) - } - return cmd.Help() - }, - Aliases: []string{"m1"}, - } - - if err := initUpdateLockFlagCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initRefreshSecretCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initUpdateSecretCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initListAuthorizationsCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initUpdateAuthorizationsCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initDeleteAuthorizationsCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initGetGrantedScopesCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initDeleteGrantedScopesCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initGetRequestableScopesCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initUpdateRequestableScopesCmd(ClientManagement1Cmd); err != nil { - return err - } - - if err := initDeleteRequestableScopesCmd(ClientManagement1Cmd); err != nil { - return err - } - - parent.AddCommand(ClientManagement1Cmd) - return nil -} diff --git a/internal/cli/client/root.go b/internal/cli/client/root.go index 9be3ee5..9112dc3 100644 --- a/internal/cli/client/root.go +++ b/internal/cli/client/root.go 
@@ -3,7 +3,7 @@ package client import ( - "github.com/authlete/authlete-cli/internal/cli/client/clientmanagement1" + "github.com/authlete/authlete-cli/internal/cli/client/clientmanagement" "github.com/authlete/authlete-cli/internal/usage" "github.com/spf13/cobra" ) @@ -21,7 +21,7 @@ func InitClientRoot(parent *cobra.Command) error { }, } - if err := clientmanagement1.InitClientManagement1Root(ClientCmd); err != nil { + if err := clientmanagement.InitClientManagementRoot(ClientCmd); err != nil { return err } diff --git a/internal/cli/clientmanagement2/root.go b/internal/cli/clientmanagement2/root.go deleted file mode 100644 index 5623db3..0000000 --- a/internal/cli/clientmanagement2/root.go +++ /dev/null 
@@ -1,58 +0,0 @@ -// Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. - -package clientmanagement2 - -import ( - "github.com/authlete/authlete-cli/internal/usage" - "github.com/spf13/cobra" -) - -func InitClientManagement2Root(parent *cobra.Command) error { - var ClientManagement2Cmd = &cobra.Command{ - Use: "client-management-2", - Short: "API endpoints for managing OAuth clients, including creation, update, and deletion of clients", - Long: "API endpoints for managing OAuth clients, including creation, update, and deletion of clients.", - RunE: func(cmd *cobra.Command, args []string) error { - if usage.UsageRequested(cmd) { - return usage.EmitSchema(cmd, cmd.OutOrStdout()) - } - return cmd.Help() - }, - Aliases: []string{"cm2"}, - } - - if err := initClientAuthorizationGetListApiCmd(ClientManagement2Cmd); err != nil { - return err - } - - if err := initClientAuthorizationGetListApiPostCmd(ClientManagement2Cmd); err != nil { - return err - } - - if err := initClientAuthorizationDeleteApiCmd(ClientManagement2Cmd); err != nil { - return err - } - - if err := initClientAuthorizationDeleteApiPostCmd(ClientManagement2Cmd); err != nil { - return err - } - - if err := initClientGrantedScopesGetApiCmd(ClientManagement2Cmd); err != nil { - return err - } - - if err := initClientGrantedScopesGetApiPostCmd(ClientManagement2Cmd); err != nil { - return err - } - - if err := initClientGrantedScopesDeleteApiCmd(ClientManagement2Cmd); err != nil { - return err - } - - if err := initClientExtensionRequestablesScopesUpdateApiPostCmd(ClientManagement2Cmd); err != nil { - return err - } - - parent.AddCommand(ClientManagement2Cmd) - return nil -} diff --git a/internal/cli/root.go b/internal/cli/root.go index 69a6c6d..6d61561 100644 --- a/internal/cli/root.go +++ b/internal/cli/root.go 
@@ -7,7 +7,6 @@ import ( "github.com/authlete/authlete-cli/internal/cli/authorization" "github.com/authlete/authlete-cli/internal/cli/ciba" "github.com/authlete/authlete-cli/internal/cli/client" - "github.com/authlete/authlete-cli/internal/cli/clientmanagement2" "github.com/authlete/authlete-cli/internal/cli/deviceflow" "github.com/authlete/authlete-cli/internal/cli/dynamicclientregistration" "github.com/authlete/authlete-cli/internal/cli/federation" @@ -71,9 +70,6 @@ func NewRootCommand() (*cobra.Command, error) { if err := client.InitClientRoot(rootCmd); err != nil { return nil, fmt.Errorf("init client: %w", err) } - if err := clientmanagement2.InitClientManagement2Root(rootCmd); err != nil { - return nil, fmt.Errorf("init client-management-2: %w", err) - } if err := authorization.InitAuthorizationRoot(rootCmd); err != nil { return nil, fmt.Errorf("init authorization: %w", err) } diff --git a/internal/cli/version.go b/internal/cli/version.go index 7678f11..7df1490 100644 --- a/internal/cli/version.go +++ b/internal/cli/version.go @@ -13,7 +13,7 @@ import ( // which propagates the value here (see cmd/authlete/main.go): // // go build -ldflags "-X main.version=x.y.z" ./cmd/authlete -var Version = "0.0.8" +var Version = "0.0.9" // BuildTime is optionally set at build time via ldflags targeting the main package. var BuildTime string diff --git a/internal/sdk/authlete.go b/internal/sdk/authlete.go index ce425c5..bc0cd69 100644 --- a/internal/sdk/authlete.go +++ b/internal/sdk/authlete.go 
@@ -137,8 +137,11 @@ type Authlete struct { SDKVersion string Service *Service Client *Client - // API endpoints for managing OAuth clients, including creation, update, and deletion of clients. - ClientManagement *ClientManagement2 + // Process Device Authorization Request + // This API parses request parameters of a [device authorization request](https://datatracker.ietf.org/doc/html/rfc8628#section-3.1) + // and returns necessary data for the authorization server implementation to process the device authorization + // request further. + // Authorization *Authorization PushedAuthorization *PushedAuthorization Token *Token @@ -253,7 +256,6 @@ func New(opts ...SDKOption) *Authlete { sdk.Service = newService(sdk, sdk.sdkConfiguration, sdk.hooks) sdk.Client = newClient(sdk, sdk.sdkConfiguration, sdk.hooks) - sdk.ClientManagement = newClientManagement2(sdk, sdk.sdkConfiguration, sdk.hooks) sdk.Authorization = newAuthorization(sdk, sdk.sdkConfiguration, sdk.hooks) sdk.PushedAuthorization = newPushedAuthorization(sdk, sdk.sdkConfiguration, sdk.hooks) sdk.Token = newToken(sdk, sdk.sdkConfiguration, sdk.hooks) diff --git a/internal/sdk/client.go b/internal/sdk/client.go index cefe9ea..fbdbae2 100644 --- a/internal/sdk/client.go +++ b/internal/sdk/client.go @@ -16,7 +16,7 @@ import ( ) type Client struct { - Management *ClientManagement1 + Management *ClientManagement rootSDK *Authlete sdkConfiguration config.SDKConfiguration @@ -28,7 +28,7 @@ func newClient(rootSDK *Authlete, sdkConfig config.SDKConfiguration, hooks *hook rootSDK: rootSDK, sdkConfiguration: sdkConfig, hooks: hooks, - Management: newClientManagement1(rootSDK, sdkConfig, hooks), + Management: newClientManagement(rootSDK, sdkConfig, hooks), } } diff --git a/internal/sdk/clientmanagement1.go b/internal/sdk/clientmanagement.go similarity index 56% rename from internal/sdk/clientmanagement1.go rename to internal/sdk/clientmanagement.go index f627677..bb4992d 100644 --- a/internal/sdk/clientmanagement1.go 
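Review bot: The comment that now sits above the `Authorization *Authorization` field in the first hunk describes one operation ("Process Device Authorization Request", with the RFC 8628 link), not the field it documents, and it ends in an empty `//` line. It reads like an operation description that landed where a group description was expected, so anyone reading the struct is told the wrong thing about this sub-client. I would replace it with a single line stating what the `Authorization` sub-client covers (its methods are not visible here) and drop the trailing `//`. If this file is generator output, the correction belongs in the tag description of the source spec. The `Authlete` struct starts and ends outside the hunk.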
+++ b/internal/sdk/clientmanagement.go @@ -15,14 +15,14 @@ import ( "net/http" ) -type ClientManagement1 struct { +type ClientManagement struct { rootSDK *Authlete sdkConfiguration config.SDKConfiguration hooks *hooks.Hooks } -func newClientManagement1(rootSDK *Authlete, sdkConfig config.SDKConfiguration, hooks *hooks.Hooks) *ClientManagement1 { - return &ClientManagement1{ +func newClientManagement(rootSDK *Authlete, sdkConfig config.SDKConfiguration, hooks *hooks.Hooks) *ClientManagement { + return &ClientManagement{ rootSDK: rootSDK, sdkConfiguration: sdkConfig, hooks: hooks, @@ -31,7 +31,7 @@ func newClientManagement1(rootSDK *Authlete, sdkConfig config.SDKConfiguration, // UpdateLockFlag - Update Client Lock // Lock and unlock a client -func (s *ClientManagement1) UpdateLockFlag(ctx context.Context, request operations.ClientFlagUpdateAPIRequest, opts ...operations.Option) (*operations.ClientFlagUpdateAPIResponse, error) { +func (s *ClientManagement) UpdateLockFlag(ctx context.Context, request operations.ClientFlagUpdateAPIRequest, opts ...operations.Option) (*operations.ClientFlagUpdateAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, @@ -240,7 +240,7 @@ func (s *ClientManagement1) UpdateLockFlag(ctx context.Context, request operatio // Authlete server. // // If you want to specify a new value, use `/api/client/secret/update` API. -func (s *ClientManagement1) RefreshSecret(ctx context.Context, request operations.ClientSecretRefreshAPIRequest, opts ...operations.Option) (*operations.ClientSecretRefreshAPIResponse, error) { +func (s *ClientManagement) RefreshSecret(ctx context.Context, request operations.ClientSecretRefreshAPIRequest, opts ...operations.Option) (*operations.ClientSecretRefreshAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, 
@@ -442,7 +442,7 @@ func (s *ClientManagement1) RefreshSecret(ctx context.Context, request operation // // If you want to have the Authlete server generate a new value of the client secret, use `/api/client/secret/refresh` // API. -func (s *ClientManagement1) UpdateSecret(ctx context.Context, request operations.ClientSecretUpdateAPIRequest, opts ...operations.Option) (*operations.ClientSecretUpdateAPIResponse, error) { +func (s *ClientManagement) UpdateSecret(ctx context.Context, request operations.ClientSecretUpdateAPIRequest, opts ...operations.Option) (*operations.ClientSecretUpdateAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, @@ -646,10 +646,11 @@ func (s *ClientManagement1) UpdateSecret(ctx context.Context, request operations } -// ListAuthorizations - Get Authorized Applications (by Subject) +// ListAuthorizedApplications - Get Authorized Applications // Get a list of client applications that an end-user has authorized. -// In this variant, the subject is provided in the path. -func (s *ClientManagement1) ListAuthorizations(ctx context.Context, request operations.ClientAuthorizationGetListBySubjectAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationGetListBySubjectAPIResponse, error) { +// +// The subject parameter is required and can be provided as a query parameter. +func (s *ClientManagement) ListAuthorizedApplications(ctx context.Context, request operations.ClientAuthorizationGetListAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationGetListAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, 
@@ -668,7 +669,7 @@ func (s *ClientManagement1) ListAuthorizations(ctx context.Context, request oper } else { baseURL = *o.ServerURL } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/get/list/{subject}", request, nil) + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/get/list", request, nil) if err != nil { return nil, fmt.Errorf("error generating URL: %w", err) } @@ -678,7 +679,7 @@ func (s *ClientManagement1) ListAuthorizations(ctx context.Context, request oper SDKConfiguration: s.sdkConfiguration, BaseURL: baseURL, Context: ctx, - OperationID: "client_authorization_get_list_by_subject_api", + OperationID: "client_authorization_get_list_api", SecuritySource: s.sdkConfiguration.Security, } @@ -741,7 +742,7 @@ func (s *ClientManagement1) ListAuthorizations(ctx context.Context, request oper } } - res := &operations.ClientAuthorizationGetListBySubjectAPIResponse{ + res := &operations.ClientAuthorizationGetListAPIResponse{ HTTPMeta: components.HTTPMetadata{ Request: req, Response: httpRes, 
@@ -850,9 +851,11 @@ func (s *ClientManagement1) ListAuthorizations(ctx context.Context, request oper } -// UpdateAuthorizations - Update Client Tokens -// Update attributes of all existing access tokens given to a client application. -func (s *ClientManagement1) UpdateAuthorizations(ctx context.Context, request operations.ClientAuthorizationUpdateAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationUpdateAPIResponse, error) { +// ListAuthorizedApplicationsPost - Get Authorized Applications +// Get a list of client applications that an end-user has authorized. +// +// The subject parameter is required. +func (s *ClientManagement) ListAuthorizedApplicationsPost(ctx context.Context, request operations.ClientAuthorizationGetListAPIPostRequest, opts ...operations.Option) (*operations.ClientAuthorizationGetListAPIPostResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, @@ -871,7 +874,7 @@ func (s *ClientManagement1) UpdateAuthorizations(ctx context.Context, request op } else { baseURL = *o.ServerURL } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/update/{clientId}", request, nil) + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/get/list", request, nil) if err != nil { return nil, fmt.Errorf("error generating URL: %w", err) } 
@@ -881,10 +884,10 @@ func (s *ClientManagement1) UpdateAuthorizations(ctx context.Context, request op SDKConfiguration: s.sdkConfiguration, BaseURL: baseURL, Context: ctx, - OperationID: "client_authorization_update_api", + OperationID: "client_authorization_get_list_api_post", SecuritySource: s.sdkConfiguration.Security, } - bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, true, "Body", "json", `request:"mediaType=application/json"`) + bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, false, "Body", "json", `request:"mediaType=application/json"`) if err != nil { return nil, err } @@ -947,7 +950,7 @@ func (s *ClientManagement1) UpdateAuthorizations(ctx context.Context, request op } } - res := &operations.ClientAuthorizationUpdateAPIResponse{ + res := &operations.ClientAuthorizationGetListAPIPostResponse{ HTTPMeta: components.HTTPMetadata{ Request: req, Response: httpRes, @@ -964,12 +967,12 @@ func (s *ClientManagement1) UpdateAuthorizations(ctx context.Context, request op return nil, err } - var out components.ClientAuthorizationUpdateResponse + var out components.ClientAuthorizationGetListResponse if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { return nil, err } - res.ClientAuthorizationUpdateResponse = &out + res.ClientAuthorizationGetListResponse = &out } default: rawBody, err := utils.ConsumeRawBody(httpRes) @@ -1032,8 +1035,6 @@ func (s *ClientManagement1) UpdateAuthorizations(ctx context.Context, request op } return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) } - case httpRes.StatusCode == 404: - fallthrough case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: rawBody, err := utils.ConsumeRawBody(httpRes) if err != nil { 
@@ -1058,10 +1059,10 @@ func (s *ClientManagement1) UpdateAuthorizations(ctx context.Context, request op } -// DeleteAuthorizations - Delete Client Tokens (by Subject) -// Delete all existing access tokens issued to a client application by an end-user. +// ListAuthorizations - Get Authorized Applications (by Subject) +// Get a list of client applications that an end-user has authorized. // In this variant, the subject is provided in the path. -func (s *ClientManagement1) DeleteAuthorizations(ctx context.Context, request operations.ClientAuthorizationDeleteBySubjectAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationDeleteBySubjectAPIResponse, error) { +func (s *ClientManagement) ListAuthorizations(ctx context.Context, request operations.ClientAuthorizationGetListBySubjectAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationGetListBySubjectAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, @@ -1080,7 +1081,7 @@ func (s *ClientManagement1) DeleteAuthorizations(ctx context.Context, request op } else { baseURL = *o.ServerURL } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/delete/{clientId}/{subject}", request, nil) + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/get/list/{subject}", request, nil) if err != nil { return nil, fmt.Errorf("error generating URL: %w", err) } @@ -1090,7 +1091,7 @@ func (s *ClientManagement1) DeleteAuthorizations(ctx context.Context, request op SDKConfiguration: s.sdkConfiguration, BaseURL: baseURL, Context: ctx, - OperationID: "client_authorization_delete_by_subject_api", + OperationID: "client_authorization_get_list_by_subject_api", SecuritySource: s.sdkConfiguration.Security, } 
@@ -1105,13 +1106,17 @@ func (s *ClientManagement1) DeleteAuthorizations(ctx context.Context, request op defer cancel() } - req, err := http.NewRequestWithContext(ctx, "DELETE", opURL, nil) + req, err := http.NewRequestWithContext(ctx, "GET", opURL, nil) if err != nil { return nil, fmt.Errorf("error creating request: %w", err) } req.Header.Set("Accept", "application/json") req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + if err := utils.PopulateQueryParams(ctx, req, request, nil, nil); err != nil { + return nil, fmt.Errorf("error populating query params: %w", err) + } + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { return nil, err } @@ -1149,7 +1154,7 @@ func (s *ClientManagement1) DeleteAuthorizations(ctx context.Context, request op } } - res := &operations.ClientAuthorizationDeleteBySubjectAPIResponse{ + res := &operations.ClientAuthorizationGetListBySubjectAPIResponse{ HTTPMeta: components.HTTPMetadata{ Request: req, Response: httpRes, @@ -1166,12 +1171,12 @@ func (s *ClientManagement1) DeleteAuthorizations(ctx context.Context, request op return nil, err } - var out components.ClientAuthorizationDeleteResponse + var out components.ClientAuthorizationGetListResponse if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { return nil, err } - res.ClientAuthorizationDeleteResponse = &out + res.ClientAuthorizationGetListResponse = &out } default: rawBody, err := utils.ConsumeRawBody(httpRes) 
@@ -1258,10 +1263,9 @@ func (s *ClientManagement1) DeleteAuthorizations(ctx context.Context, request op } -// GetGrantedScopes - Get Granted Scopes (by Subject) -// Get the set of scopes that a user has granted to a client application. -// In this variant, the subject is provided in the path. -func (s *ClientManagement1) GetGrantedScopes(ctx context.Context, request operations.ClientGrantedScopesGetBySubjectAPIRequest, opts ...operations.Option) (*operations.ClientGrantedScopesGetBySubjectAPIResponse, error) { +// UpdateAuthorizations - Update Client Tokens +// Update attributes of all existing access tokens given to a client application. +func (s *ClientManagement) UpdateAuthorizations(ctx context.Context, request operations.ClientAuthorizationUpdateAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationUpdateAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, @@ -1280,7 +1284,7 @@ func (s *ClientManagement1) GetGrantedScopes(ctx context.Context, request operat } else { baseURL = *o.ServerURL } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/get/{clientId}/{subject}", request, nil) + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/update/{clientId}", request, nil) if err != nil { return nil, fmt.Errorf("error generating URL: %w", err) } @@ -1290,9 +1294,13 @@ func (s *ClientManagement1) GetGrantedScopes(ctx context.Context, request operat SDKConfiguration: s.sdkConfiguration, BaseURL: baseURL, Context: ctx, - OperationID: "client_granted_scopes_get_by_subject_api", + OperationID: "client_authorization_update_api", SecuritySource: s.sdkConfiguration.Security, } + bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, true, "Body", "json", `request:"mediaType=application/json"`) + if err != nil { + return nil, err + } timeout := o.Timeout if timeout == nil { 
@@ -1305,12 +1313,15 @@ func (s *ClientManagement1) GetGrantedScopes(ctx context.Context, request operat defer cancel() } - req, err := http.NewRequestWithContext(ctx, "GET", opURL, nil) + req, err := http.NewRequestWithContext(ctx, "POST", opURL, bodyReader) if err != nil { return nil, fmt.Errorf("error creating request: %w", err) } req.Header.Set("Accept", "application/json") req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + if reqContentType != "" { + req.Header.Set("Content-Type", reqContentType) + } if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { return nil, err @@ -1349,7 +1360,7 @@ func (s *ClientManagement1) GetGrantedScopes(ctx context.Context, request operat } } - res := &operations.ClientGrantedScopesGetBySubjectAPIResponse{ + res := &operations.ClientAuthorizationUpdateAPIResponse{ HTTPMeta: components.HTTPMetadata{ Request: req, Response: httpRes, @@ -1366,12 +1377,12 @@ func (s *ClientManagement1) GetGrantedScopes(ctx context.Context, request operat return nil, err } - var out components.ClientAuthorizationDeleteResponse + var out components.ClientAuthorizationUpdateResponse if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { return nil, err } - res.ClientAuthorizationDeleteResponse = &out + res.ClientAuthorizationUpdateResponse = &out } default: rawBody, err := utils.ConsumeRawBody(httpRes) @@ -1434,6 +1445,8 @@ func (s *ClientManagement1) GetGrantedScopes(ctx context.Context, request operat } return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) } + case httpRes.StatusCode == 404: + fallthrough case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: rawBody, err := utils.ConsumeRawBody(httpRes) if err != nil { 
@@ -1458,10 +1471,11 @@ func (s *ClientManagement1) GetGrantedScopes(ctx context.Context, request operat } -// DeleteGrantedScopes - Delete Granted Scopes (by Subject) -// Delete the set of scopes that an end-user has granted to a client application. -// In this variant, the subject is provided in the path. -func (s *ClientManagement1) DeleteGrantedScopes(ctx context.Context, request operations.ClientGrantedScopesDeleteBySubjectAPIRequest, opts ...operations.Option) (*operations.ClientGrantedScopesDeleteBySubjectAPIResponse, error) { +// RevokeClientTokens - Delete Client Tokens +// Delete all existing access tokens issued to a client application by an end-user. +// +// The subject parameter is required and must be provided as a query parameter. +func (s *ClientManagement) RevokeClientTokens(ctx context.Context, request operations.ClientAuthorizationDeleteAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationDeleteAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, @@ -1480,7 +1494,7 @@ func (s *ClientManagement1) DeleteGrantedScopes(ctx context.Context, request ope } else { baseURL = *o.ServerURL } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/delete/{clientId}/{subject}", request, nil) + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/delete/{clientId}", request, nil) if err != nil { return nil, fmt.Errorf("error generating URL: %w", err) } @@ -1490,7 +1504,7 @@ func (s *ClientManagement1) DeleteGrantedScopes(ctx context.Context, request ope SDKConfiguration: s.sdkConfiguration, BaseURL: baseURL, Context: ctx, - OperationID: "client_granted_scopes_delete_by_subject_api", + OperationID: "client_authorization_delete_api", SecuritySource: s.sdkConfiguration.Security, } 
@@ -1512,6 +1526,10 @@ func (s *ClientManagement1) DeleteGrantedScopes(ctx context.Context, request ope req.Header.Set("Accept", "application/json") req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + if err := utils.PopulateQueryParams(ctx, req, request, nil, nil); err != nil { + return nil, fmt.Errorf("error populating query params: %w", err) + } + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { return nil, err } @@ -1549,7 +1567,7 @@ func (s *ClientManagement1) DeleteGrantedScopes(ctx context.Context, request ope } } - res := &operations.ClientGrantedScopesDeleteBySubjectAPIResponse{ + res := &operations.ClientAuthorizationDeleteAPIResponse{ HTTPMeta: components.HTTPMetadata{ Request: req, Response: httpRes, @@ -1566,12 +1584,12 @@ func (s *ClientManagement1) DeleteGrantedScopes(ctx context.Context, request ope return nil, err } - var out components.ClientGrantedScopesDeleteResponse + var out components.ClientAuthorizationDeleteResponse if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { return nil, err } - res.ClientGrantedScopesDeleteResponse = &out + res.ClientAuthorizationDeleteResponse = &out } default: rawBody, err := utils.ConsumeRawBody(httpRes) 
@@ -1658,9 +1676,11 @@ func (s *ClientManagement1) DeleteGrantedScopes(ctx context.Context, request ope } -// GetRequestableScopes - Get Requestable Scopes -// Get the requestable scopes per client -func (s *ClientManagement1) GetRequestableScopes(ctx context.Context, request operations.ClientExtensionRequestablesScopesGetAPIRequest, opts ...operations.Option) (*operations.ClientExtensionRequestablesScopesGetAPIResponse, error) { +// RevokeClientTokensPost - Delete Client Tokens +// Delete all existing access tokens issued to a client application by an end-user. +// +// The subject parameter is required. +func (s *ClientManagement) RevokeClientTokensPost(ctx context.Context, request operations.ClientAuthorizationDeleteAPIPostRequest, opts ...operations.Option) (*operations.ClientAuthorizationDeleteAPIPostResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, @@ -1679,7 +1699,7 @@ func (s *ClientManagement1) GetRequestableScopes(ctx context.Context, request op } else { baseURL = *o.ServerURL } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/extension/requestable_scopes/get/{clientId}", request, nil) + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/delete/{clientId}", request, nil) if err != nil { return nil, fmt.Errorf("error generating URL: %w", err) } @@ -1689,9 +1709,13 @@ func (s *ClientManagement1) GetRequestableScopes(ctx context.Context, request op SDKConfiguration: s.sdkConfiguration, BaseURL: baseURL, Context: ctx, - OperationID: "client_extension_requestables_scopes_get_api", + OperationID: "client_authorization_delete_api_post", SecuritySource: s.sdkConfiguration.Security, } + bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, false, "Body", "json", `request:"mediaType=application/json"`) + if err != nil { + return nil, err + } timeout := o.Timeout if timeout == nil { 
@@ -1704,12 +1728,15 @@ func (s *ClientManagement1) GetRequestableScopes(ctx context.Context, request op defer cancel() } - req, err := http.NewRequestWithContext(ctx, "GET", opURL, nil) + req, err := http.NewRequestWithContext(ctx, "POST", opURL, bodyReader) if err != nil { return nil, fmt.Errorf("error creating request: %w", err) } req.Header.Set("Accept", "application/json") req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + if reqContentType != "" { + req.Header.Set("Content-Type", reqContentType) + } if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { return nil, err @@ -1748,7 +1775,7 @@ func (s *ClientManagement1) GetRequestableScopes(ctx context.Context, request op } } - res := &operations.ClientExtensionRequestablesScopesGetAPIResponse{ + res := &operations.ClientAuthorizationDeleteAPIPostResponse{ HTTPMeta: components.HTTPMetadata{ Request: req, Response: httpRes, 
@@ -1765,12 +1792,1527 @@ func (s *ClientManagement1) GetRequestableScopes(ctx context.Context, request op return nil, err } - var out components.ClientExtensionRequestableScopesGetResponse + var out components.ClientAuthorizationDeleteResponse if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { return nil, err } - res.ClientExtensionRequestableScopesGetResponse = &out + res.ClientAuthorizationDeleteResponse = &out + } + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) + } + + return res, nil + +} + +// DeleteAuthorizations - Delete Client Tokens (by Subject) +// Delete all existing access tokens issued to a client application by an end-user. +// In this variant, the subject is provided in the path. 
+func (s *ClientManagement) DeleteAuthorizations(ctx context.Context, request operations.ClientAuthorizationDeleteBySubjectAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationDeleteBySubjectAPIResponse, error) { + o := operations.Options{} + supportedOptions := []string{ + operations.SupportedOptionTimeout, + operations.SupportedOptionSkipDeserialization, + } + + for _, opt := range opts { + if err := opt(&o, supportedOptions...); err != nil { + return nil, fmt.Errorf("error applying option: %w", err) + } + } + + var baseURL string + if o.ServerURL == nil { + baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) + } else { + baseURL = *o.ServerURL + } + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/delete/{clientId}/{subject}", request, nil) + if err != nil { + return nil, fmt.Errorf("error generating URL: %w", err) + } + + hookCtx := hooks.HookContext{ + SDK: s.rootSDK, + SDKConfiguration: s.sdkConfiguration, + BaseURL: baseURL, + Context: ctx, + OperationID: "client_authorization_delete_by_subject_api", + SecuritySource: s.sdkConfiguration.Security, + } + + timeout := o.Timeout + if timeout == nil { + timeout = s.sdkConfiguration.Timeout + } + + if timeout != nil { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, *timeout) + defer cancel() + } + + req, err := http.NewRequestWithContext(ctx, "DELETE", opURL, nil) + if err != nil { + return nil, fmt.Errorf("error creating request: %w", err) + } + req.Header.Set("Accept", "application/json") + req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { + return nil, err + } + + for k, v := range o.SetHeaders { + req.Header.Set(k, v) + } + + req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) + if err != nil { + return nil, err + } + + httpRes, err := s.sdkConfiguration.Client.Do(req) + if err 
!= nil || httpRes == nil { + if err != nil { + err = fmt.Errorf("error sending request: %w", err) + } else { + err = fmt.Errorf("error sending request: no response") + } + + _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) + return nil, err + } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { + _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) + if err != nil { + return nil, err + } else if _httpRes != nil { + httpRes = _httpRes + } + } else { + httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) + if err != nil { + return nil, err + } + } + + res := &operations.ClientAuthorizationDeleteBySubjectAPIResponse{ + HTTPMeta: components.HTTPMetadata{ + Request: req, + Response: httpRes, + }, + } + + switch { + case httpRes.StatusCode == 200: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + if o.SkipDeserialization == nil || !*o.SkipDeserialization { + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out components.ClientAuthorizationDeleteResponse + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + res.ClientAuthorizationDeleteResponse = &out + } + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 400: + fallthrough + case httpRes.StatusCode == 401: + fallthrough + case httpRes.StatusCode == 403: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out 
sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 500: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, 
string(rawBody), httpRes) + } + + return res, nil + +} + +// GetGrantedScopesForClient - Get Granted Scopes +// Get the set of scopes that a user has granted to a client application. +func (s *ClientManagement) GetGrantedScopesForClient(ctx context.Context, request operations.ClientGrantedScopesGetAPIRequest, opts ...operations.Option) (*operations.ClientGrantedScopesGetAPIResponse, error) { + o := operations.Options{} + supportedOptions := []string{ + operations.SupportedOptionTimeout, + operations.SupportedOptionSkipDeserialization, + } + + for _, opt := range opts { + if err := opt(&o, supportedOptions...); err != nil { + return nil, fmt.Errorf("error applying option: %w", err) + } + } + + var baseURL string + if o.ServerURL == nil { + baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) + } else { + baseURL = *o.ServerURL + } + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/get/{clientId}", request, nil) + if err != nil { + return nil, fmt.Errorf("error generating URL: %w", err) + } + + hookCtx := hooks.HookContext{ + SDK: s.rootSDK, + SDKConfiguration: s.sdkConfiguration, + BaseURL: baseURL, + Context: ctx, + OperationID: "client_granted_scopes_get_api", + SecuritySource: s.sdkConfiguration.Security, + } + + timeout := o.Timeout + if timeout == nil { + timeout = s.sdkConfiguration.Timeout + } + + if timeout != nil { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, *timeout) + defer cancel() + } + + req, err := http.NewRequestWithContext(ctx, "GET", opURL, nil) + if err != nil { + return nil, fmt.Errorf("error creating request: %w", err) + } + req.Header.Set("Accept", "application/json") + req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + + if err := utils.PopulateQueryParams(ctx, req, request, nil, nil); err != nil { + return nil, fmt.Errorf("error populating query params: %w", err) + } + + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err 
!= nil { + return nil, err + } + + for k, v := range o.SetHeaders { + req.Header.Set(k, v) + } + + req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) + if err != nil { + return nil, err + } + + httpRes, err := s.sdkConfiguration.Client.Do(req) + if err != nil || httpRes == nil { + if err != nil { + err = fmt.Errorf("error sending request: %w", err) + } else { + err = fmt.Errorf("error sending request: no response") + } + + _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) + return nil, err + } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { + _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) + if err != nil { + return nil, err + } else if _httpRes != nil { + httpRes = _httpRes + } + } else { + httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) + if err != nil { + return nil, err + } + } + + res := &operations.ClientGrantedScopesGetAPIResponse{ + HTTPMeta: components.HTTPMetadata{ + Request: req, + Response: httpRes, + }, + } + + switch { + case httpRes.StatusCode == 200: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + if o.SkipDeserialization == nil || !*o.SkipDeserialization { + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out components.ClientAuthorizationDeleteResponse + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + res.ClientAuthorizationDeleteResponse = &out + } + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 400: + fallthrough + case 
httpRes.StatusCode == 401: + fallthrough + case httpRes.StatusCode == 403: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 500: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, 
sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) + } + + return res, nil + +} + +// GetGrantedScopesForClientPost - Get Granted Scopes +// Get the set of scopes that a user has granted to a client application. +// +// The subject parameter is required. +func (s *ClientManagement) GetGrantedScopesForClientPost(ctx context.Context, request operations.ClientGrantedScopesGetAPIPostRequest, opts ...operations.Option) (*operations.ClientGrantedScopesGetAPIPostResponse, error) { + o := operations.Options{} + supportedOptions := []string{ + operations.SupportedOptionTimeout, + operations.SupportedOptionSkipDeserialization, + } + + for _, opt := range opts { + if err := opt(&o, supportedOptions...); err != nil { + return nil, fmt.Errorf("error applying option: %w", err) + } + } + + var baseURL string + if o.ServerURL == nil { + baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) + } else { + baseURL = *o.ServerURL + } + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/get/{clientId}", request, nil) + if err != nil { + return nil, fmt.Errorf("error generating URL: %w", err) + } + + hookCtx := hooks.HookContext{ + SDK: s.rootSDK, + SDKConfiguration: s.sdkConfiguration, + BaseURL: baseURL, + Context: ctx, + OperationID: "client_granted_scopes_get_api_post", + SecuritySource: s.sdkConfiguration.Security, + } + bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, false, "Body", "json", `request:"mediaType=application/json"`) + if err != nil { + return nil, err + } + + timeout := o.Timeout + if timeout == nil { + timeout = s.sdkConfiguration.Timeout + } + + if timeout != nil { + var cancel context.CancelFunc + ctx, cancel = 
context.WithTimeout(ctx, *timeout) + defer cancel() + } + + req, err := http.NewRequestWithContext(ctx, "POST", opURL, bodyReader) + if err != nil { + return nil, fmt.Errorf("error creating request: %w", err) + } + req.Header.Set("Accept", "application/json") + req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + if reqContentType != "" { + req.Header.Set("Content-Type", reqContentType) + } + + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { + return nil, err + } + + for k, v := range o.SetHeaders { + req.Header.Set(k, v) + } + + req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) + if err != nil { + return nil, err + } + + httpRes, err := s.sdkConfiguration.Client.Do(req) + if err != nil || httpRes == nil { + if err != nil { + err = fmt.Errorf("error sending request: %w", err) + } else { + err = fmt.Errorf("error sending request: no response") + } + + _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) + return nil, err + } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { + _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) + if err != nil { + return nil, err + } else if _httpRes != nil { + httpRes = _httpRes + } + } else { + httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) + if err != nil { + return nil, err + } + } + + res := &operations.ClientGrantedScopesGetAPIPostResponse{ + HTTPMeta: components.HTTPMetadata{ + Request: req, + Response: httpRes, + }, + } + + switch { + case httpRes.StatusCode == 200: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + if o.SkipDeserialization == nil || !*o.SkipDeserialization { + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out components.ClientAuthorizationDeleteResponse + if err := 
utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + res.ClientAuthorizationDeleteResponse = &out + } + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) + } + + return res, nil + +} + +// GetGrantedScopes - Get Granted Scopes (by Subject) +// Get the set of scopes that a user has granted to a client application. +// In this variant, the subject is provided in the path. 
+func (s *ClientManagement) GetGrantedScopes(ctx context.Context, request operations.ClientGrantedScopesGetBySubjectAPIRequest, opts ...operations.Option) (*operations.ClientGrantedScopesGetBySubjectAPIResponse, error) { + o := operations.Options{} + supportedOptions := []string{ + operations.SupportedOptionTimeout, + operations.SupportedOptionSkipDeserialization, + } + + for _, opt := range opts { + if err := opt(&o, supportedOptions...); err != nil { + return nil, fmt.Errorf("error applying option: %w", err) + } + } + + var baseURL string + if o.ServerURL == nil { + baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) + } else { + baseURL = *o.ServerURL + } + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/get/{clientId}/{subject}", request, nil) + if err != nil { + return nil, fmt.Errorf("error generating URL: %w", err) + } + + hookCtx := hooks.HookContext{ + SDK: s.rootSDK, + SDKConfiguration: s.sdkConfiguration, + BaseURL: baseURL, + Context: ctx, + OperationID: "client_granted_scopes_get_by_subject_api", + SecuritySource: s.sdkConfiguration.Security, + } + + timeout := o.Timeout + if timeout == nil { + timeout = s.sdkConfiguration.Timeout + } + + if timeout != nil { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, *timeout) + defer cancel() + } + + req, err := http.NewRequestWithContext(ctx, "GET", opURL, nil) + if err != nil { + return nil, fmt.Errorf("error creating request: %w", err) + } + req.Header.Set("Accept", "application/json") + req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { + return nil, err + } + + for k, v := range o.SetHeaders { + req.Header.Set(k, v) + } + + req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) + if err != nil { + return nil, err + } + + httpRes, err := s.sdkConfiguration.Client.Do(req) + if err != nil || httpRes 
== nil { + if err != nil { + err = fmt.Errorf("error sending request: %w", err) + } else { + err = fmt.Errorf("error sending request: no response") + } + + _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) + return nil, err + } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { + _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) + if err != nil { + return nil, err + } else if _httpRes != nil { + httpRes = _httpRes + } + } else { + httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) + if err != nil { + return nil, err + } + } + + res := &operations.ClientGrantedScopesGetBySubjectAPIResponse{ + HTTPMeta: components.HTTPMetadata{ + Request: req, + Response: httpRes, + }, + } + + switch { + case httpRes.StatusCode == 200: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + if o.SkipDeserialization == nil || !*o.SkipDeserialization { + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out components.ClientAuthorizationDeleteResponse + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + res.ClientAuthorizationDeleteResponse = &out + } + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 400: + fallthrough + case httpRes.StatusCode == 401: + fallthrough + case httpRes.StatusCode == 403: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := 
utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 500: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) + } + + 
return res, nil + +} + +// DeleteGrantedScopesForClient - Delete Granted Scopes +// Delete the set of scopes that an end-user has granted to a client application. +// +// Even if records about granted scopes are deleted by calling this API, existing access tokens are +// not deleted and scopes of existing access tokens are not changed. +// The subject parameter is required and must be provided as a query parameter. +func (s *ClientManagement) DeleteGrantedScopesForClient(ctx context.Context, request operations.ClientGrantedScopesDeleteAPIRequest, opts ...operations.Option) (*operations.ClientGrantedScopesDeleteAPIResponse, error) { + o := operations.Options{} + supportedOptions := []string{ + operations.SupportedOptionTimeout, + operations.SupportedOptionSkipDeserialization, + } + + for _, opt := range opts { + if err := opt(&o, supportedOptions...); err != nil { + return nil, fmt.Errorf("error applying option: %w", err) + } + } + + var baseURL string + if o.ServerURL == nil { + baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) + } else { + baseURL = *o.ServerURL + } + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/delete/{clientId}", request, nil) + if err != nil { + return nil, fmt.Errorf("error generating URL: %w", err) + } + + hookCtx := hooks.HookContext{ + SDK: s.rootSDK, + SDKConfiguration: s.sdkConfiguration, + BaseURL: baseURL, + Context: ctx, + OperationID: "client_granted_scopes_delete_api", + SecuritySource: s.sdkConfiguration.Security, + } + + timeout := o.Timeout + if timeout == nil { + timeout = s.sdkConfiguration.Timeout + } + + if timeout != nil { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, *timeout) + defer cancel() + } + + req, err := http.NewRequestWithContext(ctx, "DELETE", opURL, nil) + if err != nil { + return nil, fmt.Errorf("error creating request: %w", err) + } + req.Header.Set("Accept", "application/json") + req.Header.Set("User-Agent", 
s.sdkConfiguration.UserAgent) + + if err := utils.PopulateQueryParams(ctx, req, request, nil, nil); err != nil { + return nil, fmt.Errorf("error populating query params: %w", err) + } + + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { + return nil, err + } + + for k, v := range o.SetHeaders { + req.Header.Set(k, v) + } + + req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) + if err != nil { + return nil, err + } + + httpRes, err := s.sdkConfiguration.Client.Do(req) + if err != nil || httpRes == nil { + if err != nil { + err = fmt.Errorf("error sending request: %w", err) + } else { + err = fmt.Errorf("error sending request: no response") + } + + _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) + return nil, err + } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { + _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) + if err != nil { + return nil, err + } else if _httpRes != nil { + httpRes = _httpRes + } + } else { + httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) + if err != nil { + return nil, err + } + } + + res := &operations.ClientGrantedScopesDeleteAPIResponse{ + HTTPMeta: components.HTTPMetadata{ + Request: req, + Response: httpRes, + }, + } + + switch { + case httpRes.StatusCode == 200: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + if o.SkipDeserialization == nil || !*o.SkipDeserialization { + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out components.ClientGrantedScopesDeleteResponse + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + res.ClientGrantedScopesDeleteResponse = &out + } + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil 
{ + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 400: + fallthrough + case httpRes.StatusCode == 401: + fallthrough + case httpRes.StatusCode == 403: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 500: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, 
sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) + } + + return res, nil + +} + +// DeleteGrantedScopes - Delete Granted Scopes (by Subject) +// Delete the set of scopes that an end-user has granted to a client application. +// In this variant, the subject is provided in the path. +func (s *ClientManagement) DeleteGrantedScopes(ctx context.Context, request operations.ClientGrantedScopesDeleteBySubjectAPIRequest, opts ...operations.Option) (*operations.ClientGrantedScopesDeleteBySubjectAPIResponse, error) { + o := operations.Options{} + supportedOptions := []string{ + operations.SupportedOptionTimeout, + operations.SupportedOptionSkipDeserialization, + } + + for _, opt := range opts { + if err := opt(&o, supportedOptions...); err != nil { + return nil, fmt.Errorf("error applying option: %w", err) + } + } + + var baseURL string + if o.ServerURL == nil { + baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) + } else { + baseURL = *o.ServerURL + } + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/delete/{clientId}/{subject}", request, nil) + if err != nil { + return nil, fmt.Errorf("error generating URL: %w", err) + } + + hookCtx := hooks.HookContext{ + SDK: s.rootSDK, + SDKConfiguration: s.sdkConfiguration, + BaseURL: baseURL, + Context: ctx, + OperationID: "client_granted_scopes_delete_by_subject_api", + SecuritySource: s.sdkConfiguration.Security, + } + + timeout := o.Timeout + if timeout 
== nil { + timeout = s.sdkConfiguration.Timeout + } + + if timeout != nil { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, *timeout) + defer cancel() + } + + req, err := http.NewRequestWithContext(ctx, "DELETE", opURL, nil) + if err != nil { + return nil, fmt.Errorf("error creating request: %w", err) + } + req.Header.Set("Accept", "application/json") + req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { + return nil, err + } + + for k, v := range o.SetHeaders { + req.Header.Set(k, v) + } + + req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) + if err != nil { + return nil, err + } + + httpRes, err := s.sdkConfiguration.Client.Do(req) + if err != nil || httpRes == nil { + if err != nil { + err = fmt.Errorf("error sending request: %w", err) + } else { + err = fmt.Errorf("error sending request: no response") + } + + _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) + return nil, err + } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { + _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) + if err != nil { + return nil, err + } else if _httpRes != nil { + httpRes = _httpRes + } + } else { + httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) + if err != nil { + return nil, err + } + } + + res := &operations.ClientGrantedScopesDeleteBySubjectAPIResponse{ + HTTPMeta: components.HTTPMetadata{ + Request: req, + Response: httpRes, + }, + } + + switch { + case httpRes.StatusCode == 200: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + if o.SkipDeserialization == nil || !*o.SkipDeserialization { + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out 
components.ClientGrantedScopesDeleteResponse + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + res.ClientGrantedScopesDeleteResponse = &out + } + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 400: + fallthrough + case httpRes.StatusCode == 401: + fallthrough + case httpRes.StatusCode == 403: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 500: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown 
content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) + } + + return res, nil + +} + +// GetRequestableScopes - Get Requestable Scopes +// Get the requestable scopes per client +func (s *ClientManagement) GetRequestableScopes(ctx context.Context, request operations.ClientExtensionRequestablesScopesGetAPIRequest, opts ...operations.Option) (*operations.ClientExtensionRequestablesScopesGetAPIResponse, error) { + o := operations.Options{} + supportedOptions := []string{ + operations.SupportedOptionTimeout, + operations.SupportedOptionSkipDeserialization, + } + + for _, opt := range opts { + if err := opt(&o, supportedOptions...); err != nil { + return nil, fmt.Errorf("error applying option: %w", err) + } + } + + var baseURL string + if o.ServerURL == nil { + baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) + } else { + baseURL = *o.ServerURL + } + opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/extension/requestable_scopes/get/{clientId}", request, nil) + if err != nil { + return nil, fmt.Errorf("error generating URL: %w", err) + } + + hookCtx := hooks.HookContext{ + SDK: s.rootSDK, + SDKConfiguration: s.sdkConfiguration, + BaseURL: 
baseURL, + Context: ctx, + OperationID: "client_extension_requestables_scopes_get_api", + SecuritySource: s.sdkConfiguration.Security, + } + + timeout := o.Timeout + if timeout == nil { + timeout = s.sdkConfiguration.Timeout + } + + if timeout != nil { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, *timeout) + defer cancel() + } + + req, err := http.NewRequestWithContext(ctx, "GET", opURL, nil) + if err != nil { + return nil, fmt.Errorf("error creating request: %w", err) + } + req.Header.Set("Accept", "application/json") + req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { + return nil, err + } + + for k, v := range o.SetHeaders { + req.Header.Set(k, v) + } + + req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) + if err != nil { + return nil, err + } + + httpRes, err := s.sdkConfiguration.Client.Do(req) + if err != nil || httpRes == nil { + if err != nil { + err = fmt.Errorf("error sending request: %w", err) + } else { + err = fmt.Errorf("error sending request: no response") + } + + _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) + return nil, err + } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { + _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) + if err != nil { + return nil, err + } else if _httpRes != nil { + httpRes = _httpRes + } + } else { + httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) + if err != nil { + return nil, err + } + } + + res := &operations.ClientExtensionRequestablesScopesGetAPIResponse{ + HTTPMeta: components.HTTPMetadata{ + Request: req, + Response: httpRes, + }, + } + + switch { + case httpRes.StatusCode == 200: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + if 
o.SkipDeserialization == nil || !*o.SkipDeserialization { + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out components.ClientExtensionRequestableScopesGetResponse + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + res.ClientExtensionRequestableScopesGetResponse = &out + } + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 400: + fallthrough + case httpRes.StatusCode == 401: + fallthrough + case httpRes.StatusCode == 403: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, &out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode == 500: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out sdkerrors.ResultError + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + out.HTTPMeta = components.HTTPMetadata{ + Request: req, + Response: httpRes, + } + return nil, 
&out + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) + } + case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) + default: + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) + } + + return res, nil + +} + +// UpdateRequestableScopesPost - Update Requestable Scopes +// Update requestable scopes of a client +func (s *ClientManagement) UpdateRequestableScopesPost(ctx context.Context, request operations.ClientExtensionRequestablesScopesUpdateAPIPostRequest, opts ...operations.Option) (*operations.ClientExtensionRequestablesScopesUpdateAPIPostResponse, error) { + o := operations.Options{} + supportedOptions := []string{ + operations.SupportedOptionTimeout, + operations.SupportedOptionSkipDeserialization, + } + + for _, opt := range opts { + if err := opt(&o, supportedOptions...); err != nil { + return nil, fmt.Errorf("error applying option: %w", err) + } + } + + var baseURL string + if o.ServerURL == nil { + baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) + } else { + baseURL = *o.ServerURL + } + opURL, err := utils.GenerateURL(ctx, baseURL, 
"/api/{serviceId}/client/extension/requestable_scopes/update/{clientId}", request, nil) + if err != nil { + return nil, fmt.Errorf("error generating URL: %w", err) + } + + hookCtx := hooks.HookContext{ + SDK: s.rootSDK, + SDKConfiguration: s.sdkConfiguration, + BaseURL: baseURL, + Context: ctx, + OperationID: "client_extension_requestables_scopes_update_api_post", + SecuritySource: s.sdkConfiguration.Security, + } + bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, false, "Body", "json", `request:"mediaType=application/json"`) + if err != nil { + return nil, err + } + + timeout := o.Timeout + if timeout == nil { + timeout = s.sdkConfiguration.Timeout + } + + if timeout != nil { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, *timeout) + defer cancel() + } + + req, err := http.NewRequestWithContext(ctx, "POST", opURL, bodyReader) + if err != nil { + return nil, fmt.Errorf("error creating request: %w", err) + } + req.Header.Set("Accept", "application/json") + req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) + if reqContentType != "" { + req.Header.Set("Content-Type", reqContentType) + } + + if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { + return nil, err + } + + for k, v := range o.SetHeaders { + req.Header.Set(k, v) + } + + req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) + if err != nil { + return nil, err + } + + httpRes, err := s.sdkConfiguration.Client.Do(req) + if err != nil || httpRes == nil { + if err != nil { + err = fmt.Errorf("error sending request: %w", err) + } else { + err = fmt.Errorf("error sending request: no response") + } + + _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) + return nil, err + } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { + _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) + 
if err != nil { + return nil, err + } else if _httpRes != nil { + httpRes = _httpRes + } + } else { + httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) + if err != nil { + return nil, err + } + } + + res := &operations.ClientExtensionRequestablesScopesUpdateAPIPostResponse{ + HTTPMeta: components.HTTPMetadata{ + Request: req, + Response: httpRes, + }, + } + + switch { + case httpRes.StatusCode == 200: + switch { + case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): + if o.SkipDeserialization == nil || !*o.SkipDeserialization { + rawBody, err := utils.ConsumeRawBody(httpRes) + if err != nil { + return nil, err + } + + var out components.ClientExtensionRequestableScopesUpdateResponse + if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { + return nil, err + } + + res.ClientExtensionRequestableScopesUpdateResponse = &out } default: rawBody, err := utils.ConsumeRawBody(httpRes) @@ -1859,7 +3401,7 @@ func (s *ClientManagement1) GetRequestableScopes(ctx context.Context, request op // UpdateRequestableScopes - Update Requestable Scopes // Update requestable scopes of a client -func (s *ClientManagement1) UpdateRequestableScopes(ctx context.Context, request operations.ClientExtensionRequestablesScopesUpdateAPIRequest, opts ...operations.Option) (*operations.ClientExtensionRequestablesScopesUpdateAPIResponse, error) { +func (s *ClientManagement) UpdateRequestableScopes(ctx context.Context, request operations.ClientExtensionRequestablesScopesUpdateAPIRequest, opts ...operations.Option) (*operations.ClientExtensionRequestablesScopesUpdateAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, 
@@ -2065,7 +3607,7 @@ func (s *ClientManagement1) UpdateRequestableScopes(ctx context.Context, request // DeleteRequestableScopes - Delete Requestable Scopes // Delete requestable scopes of a client -func (s *ClientManagement1) DeleteRequestableScopes(ctx context.Context, request operations.ClientExtensionRequestablesScopesDeleteAPIRequest, opts ...operations.Option) (*operations.ClientExtensionRequestablesScopesDeleteAPIResponse, error) { +func (s *ClientManagement) DeleteRequestableScopes(ctx context.Context, request operations.ClientExtensionRequestablesScopesDeleteAPIRequest, opts ...operations.Option) (*operations.ClientExtensionRequestablesScopesDeleteAPIResponse, error) { o := operations.Options{} supportedOptions := []string{ operations.SupportedOptionTimeout, diff --git a/internal/sdk/clientmanagement2.go b/internal/sdk/clientmanagement2.go deleted file mode 100644 index 38e1e8c..0000000 --- a/internal/sdk/clientmanagement2.go +++ /dev/null 
@@ -1,1573 +0,0 @@ -// Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT. - -package sdk - -import ( - "bytes" - "context" - "fmt" - "github.com/authlete/authlete-cli/internal/sdk/models/components" - "github.com/authlete/authlete-cli/internal/sdk/models/operations" - "github.com/authlete/authlete-cli/internal/sdk/models/sdkerrors" - "github.com/authlete/authlete-cli/internal/sdk/sdkinternal/config" - "github.com/authlete/authlete-cli/internal/sdk/sdkinternal/hooks" - "github.com/authlete/authlete-cli/internal/sdk/sdkinternal/utils" - "net/http" -) - -// ClientManagement2 - API endpoints for managing OAuth clients, including creation, update, and deletion of clients. -type ClientManagement2 struct { - rootSDK *Authlete - sdkConfiguration config.SDKConfiguration - hooks *hooks.Hooks -} - -func newClientManagement2(rootSDK *Authlete, sdkConfig config.SDKConfiguration, hooks *hooks.Hooks) *ClientManagement2 { - return &ClientManagement2{ - rootSDK: rootSDK, - sdkConfiguration: sdkConfig, - hooks: hooks, - } -} - -// ClientAuthorizationGetListAPI - Get Authorized Applications -// Get a list of client applications that an end-user has authorized. -// -// The subject parameter is required and can be provided as a query parameter. 
-func (s *ClientManagement2) ClientAuthorizationGetListAPI(ctx context.Context, request operations.ClientAuthorizationGetListAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationGetListAPIResponse, error) { - o := operations.Options{} - supportedOptions := []string{ - operations.SupportedOptionTimeout, - operations.SupportedOptionSkipDeserialization, - } - - for _, opt := range opts { - if err := opt(&o, supportedOptions...); err != nil { - return nil, fmt.Errorf("error applying option: %w", err) - } - } - - var baseURL string - if o.ServerURL == nil { - baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) - } else { - baseURL = *o.ServerURL - } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/get/list", request, nil) - if err != nil { - return nil, fmt.Errorf("error generating URL: %w", err) - } - - hookCtx := hooks.HookContext{ - SDK: s.rootSDK, - SDKConfiguration: s.sdkConfiguration, - BaseURL: baseURL, - Context: ctx, - OperationID: "client_authorization_get_list_api", - SecuritySource: s.sdkConfiguration.Security, - } - - timeout := o.Timeout - if timeout == nil { - timeout = s.sdkConfiguration.Timeout - } - - if timeout != nil { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, *timeout) - defer cancel() - } - - req, err := http.NewRequestWithContext(ctx, "GET", opURL, nil) - if err != nil { - return nil, fmt.Errorf("error creating request: %w", err) - } - req.Header.Set("Accept", "application/json") - req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) - - if err := utils.PopulateQueryParams(ctx, req, request, nil, nil); err != nil { - return nil, fmt.Errorf("error populating query params: %w", err) - } - - if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { - return nil, err - } - - for k, v := range o.SetHeaders { - req.Header.Set(k, v) - } - - req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: 
hookCtx}, req) - if err != nil { - return nil, err - } - - httpRes, err := s.sdkConfiguration.Client.Do(req) - if err != nil || httpRes == nil { - if err != nil { - err = fmt.Errorf("error sending request: %w", err) - } else { - err = fmt.Errorf("error sending request: no response") - } - - _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) - return nil, err - } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { - _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) - if err != nil { - return nil, err - } else if _httpRes != nil { - httpRes = _httpRes - } - } else { - httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) - if err != nil { - return nil, err - } - } - - res := &operations.ClientAuthorizationGetListAPIResponse{ - HTTPMeta: components.HTTPMetadata{ - Request: req, - Response: httpRes, - }, - } - - switch { - case httpRes.StatusCode == 200: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - if o.SkipDeserialization == nil || !*o.SkipDeserialization { - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out components.ClientAuthorizationGetListResponse - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - res.ClientAuthorizationGetListResponse = &out - } - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 400: - fallthrough - case httpRes.StatusCode == 401: - fallthrough - case httpRes.StatusCode == 403: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - 
rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 500: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } 
- return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) - } - - return res, nil - -} - -// ClientAuthorizationGetListAPIPost - Get Authorized Applications -// Get a list of client applications that an end-user has authorized. -// -// The subject parameter is required. -func (s *ClientManagement2) ClientAuthorizationGetListAPIPost(ctx context.Context, request operations.ClientAuthorizationGetListAPIPostRequest, opts ...operations.Option) (*operations.ClientAuthorizationGetListAPIPostResponse, error) { - o := operations.Options{} - supportedOptions := []string{ - operations.SupportedOptionTimeout, - operations.SupportedOptionSkipDeserialization, - } - - for _, opt := range opts { - if err := opt(&o, supportedOptions...); err != nil { - return nil, fmt.Errorf("error applying option: %w", err) - } - } - - var baseURL string - if o.ServerURL == nil { - baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) - } else { - baseURL = *o.ServerURL - } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/get/list", request, nil) - if err != nil { - return nil, fmt.Errorf("error generating URL: %w", err) - } - - hookCtx := hooks.HookContext{ - SDK: s.rootSDK, - SDKConfiguration: s.sdkConfiguration, - BaseURL: baseURL, - Context: ctx, - OperationID: "client_authorization_get_list_api_post", - SecuritySource: s.sdkConfiguration.Security, - } - bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, false, "Body", "json", `request:"mediaType=application/json"`) - if err != nil { - return nil, err - } - - timeout := o.Timeout - if timeout == nil { - timeout = s.sdkConfiguration.Timeout - } - - if timeout != nil { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, *timeout) - defer cancel() - } - - req, err := http.NewRequestWithContext(ctx, "POST", opURL, bodyReader) - if err != nil { - return nil, fmt.Errorf("error 
creating request: %w", err) - } - req.Header.Set("Accept", "application/json") - req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) - if reqContentType != "" { - req.Header.Set("Content-Type", reqContentType) - } - - if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { - return nil, err - } - - for k, v := range o.SetHeaders { - req.Header.Set(k, v) - } - - req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) - if err != nil { - return nil, err - } - - httpRes, err := s.sdkConfiguration.Client.Do(req) - if err != nil || httpRes == nil { - if err != nil { - err = fmt.Errorf("error sending request: %w", err) - } else { - err = fmt.Errorf("error sending request: no response") - } - - _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) - return nil, err - } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { - _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) - if err != nil { - return nil, err - } else if _httpRes != nil { - httpRes = _httpRes - } - } else { - httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) - if err != nil { - return nil, err - } - } - - res := &operations.ClientAuthorizationGetListAPIPostResponse{ - HTTPMeta: components.HTTPMetadata{ - Request: req, - Response: httpRes, - }, - } - - switch { - case httpRes.StatusCode == 200: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - if o.SkipDeserialization == nil || !*o.SkipDeserialization { - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out components.ClientAuthorizationGetListResponse - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - res.ClientAuthorizationGetListResponse = &out - } - default: - rawBody, err := 
utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 400: - fallthrough - case httpRes.StatusCode == 401: - fallthrough - case httpRes.StatusCode == 403: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 500: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, 
err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) - } - - return res, nil - -} - -// ClientAuthorizationDeleteAPI - Delete Client Tokens -// Delete all existing access tokens issued to a client application by an end-user. -// -// The subject parameter is required and must be provided as a query parameter. -func (s *ClientManagement2) ClientAuthorizationDeleteAPI(ctx context.Context, request operations.ClientAuthorizationDeleteAPIRequest, opts ...operations.Option) (*operations.ClientAuthorizationDeleteAPIResponse, error) { - o := operations.Options{} - supportedOptions := []string{ - operations.SupportedOptionTimeout, - operations.SupportedOptionSkipDeserialization, - } - - for _, opt := range opts { - if err := opt(&o, supportedOptions...); err != nil { - return nil, fmt.Errorf("error applying option: %w", err) - } - } - - var baseURL string - if o.ServerURL == nil { - baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) - } else { - baseURL = *o.ServerURL - } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/delete/{clientId}", request, nil) - if err != nil { - return nil, fmt.Errorf("error generating URL: %w", err) - } - - hookCtx := hooks.HookContext{ - SDK: s.rootSDK, - SDKConfiguration: s.sdkConfiguration, - BaseURL: baseURL, - Context: ctx, - OperationID: "client_authorization_delete_api", - SecuritySource: s.sdkConfiguration.Security, - } - - timeout := 
o.Timeout - if timeout == nil { - timeout = s.sdkConfiguration.Timeout - } - - if timeout != nil { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, *timeout) - defer cancel() - } - - req, err := http.NewRequestWithContext(ctx, "DELETE", opURL, nil) - if err != nil { - return nil, fmt.Errorf("error creating request: %w", err) - } - req.Header.Set("Accept", "application/json") - req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) - - if err := utils.PopulateQueryParams(ctx, req, request, nil, nil); err != nil { - return nil, fmt.Errorf("error populating query params: %w", err) - } - - if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { - return nil, err - } - - for k, v := range o.SetHeaders { - req.Header.Set(k, v) - } - - req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) - if err != nil { - return nil, err - } - - httpRes, err := s.sdkConfiguration.Client.Do(req) - if err != nil || httpRes == nil { - if err != nil { - err = fmt.Errorf("error sending request: %w", err) - } else { - err = fmt.Errorf("error sending request: no response") - } - - _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) - return nil, err - } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { - _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) - if err != nil { - return nil, err - } else if _httpRes != nil { - httpRes = _httpRes - } - } else { - httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) - if err != nil { - return nil, err - } - } - - res := &operations.ClientAuthorizationDeleteAPIResponse{ - HTTPMeta: components.HTTPMetadata{ - Request: req, - Response: httpRes, - }, - } - - switch { - case httpRes.StatusCode == 200: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - if 
o.SkipDeserialization == nil || !*o.SkipDeserialization { - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out components.ClientAuthorizationDeleteResponse - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - res.ClientAuthorizationDeleteResponse = &out - } - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 400: - fallthrough - case httpRes.StatusCode == 401: - fallthrough - case httpRes.StatusCode == 403: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 500: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - 
rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) - } - - return res, nil - -} - -// ClientAuthorizationDeleteAPIPost - Delete Client Tokens -// Delete all existing access tokens issued to a client application by an end-user. -// -// The subject parameter is required. 
-func (s *ClientManagement2) ClientAuthorizationDeleteAPIPost(ctx context.Context, request operations.ClientAuthorizationDeleteAPIPostRequest, opts ...operations.Option) (*operations.ClientAuthorizationDeleteAPIPostResponse, error) { - o := operations.Options{} - supportedOptions := []string{ - operations.SupportedOptionTimeout, - operations.SupportedOptionSkipDeserialization, - } - - for _, opt := range opts { - if err := opt(&o, supportedOptions...); err != nil { - return nil, fmt.Errorf("error applying option: %w", err) - } - } - - var baseURL string - if o.ServerURL == nil { - baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) - } else { - baseURL = *o.ServerURL - } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/authorization/delete/{clientId}", request, nil) - if err != nil { - return nil, fmt.Errorf("error generating URL: %w", err) - } - - hookCtx := hooks.HookContext{ - SDK: s.rootSDK, - SDKConfiguration: s.sdkConfiguration, - BaseURL: baseURL, - Context: ctx, - OperationID: "client_authorization_delete_api_post", - SecuritySource: s.sdkConfiguration.Security, - } - bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, false, "Body", "json", `request:"mediaType=application/json"`) - if err != nil { - return nil, err - } - - timeout := o.Timeout - if timeout == nil { - timeout = s.sdkConfiguration.Timeout - } - - if timeout != nil { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, *timeout) - defer cancel() - } - - req, err := http.NewRequestWithContext(ctx, "POST", opURL, bodyReader) - if err != nil { - return nil, fmt.Errorf("error creating request: %w", err) - } - req.Header.Set("Accept", "application/json") - req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) - if reqContentType != "" { - req.Header.Set("Content-Type", reqContentType) - } - - if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { - return nil, err - } 
- - for k, v := range o.SetHeaders { - req.Header.Set(k, v) - } - - req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) - if err != nil { - return nil, err - } - - httpRes, err := s.sdkConfiguration.Client.Do(req) - if err != nil || httpRes == nil { - if err != nil { - err = fmt.Errorf("error sending request: %w", err) - } else { - err = fmt.Errorf("error sending request: no response") - } - - _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) - return nil, err - } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { - _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) - if err != nil { - return nil, err - } else if _httpRes != nil { - httpRes = _httpRes - } - } else { - httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) - if err != nil { - return nil, err - } - } - - res := &operations.ClientAuthorizationDeleteAPIPostResponse{ - HTTPMeta: components.HTTPMetadata{ - Request: req, - Response: httpRes, - }, - } - - switch { - case httpRes.StatusCode == 200: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - if o.SkipDeserialization == nil || !*o.SkipDeserialization { - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out components.ClientAuthorizationDeleteResponse - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - res.ClientAuthorizationDeleteResponse = &out - } - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: - rawBody, err := 
utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) - } - - return res, nil - -} - -// ClientGrantedScopesGetAPI - Get Granted Scopes -// Get the set of scopes that a user has granted to a client application. -func (s *ClientManagement2) ClientGrantedScopesGetAPI(ctx context.Context, request operations.ClientGrantedScopesGetAPIRequest, opts ...operations.Option) (*operations.ClientGrantedScopesGetAPIResponse, error) { - o := operations.Options{} - supportedOptions := []string{ - operations.SupportedOptionTimeout, - operations.SupportedOptionSkipDeserialization, - } - - for _, opt := range opts { - if err := opt(&o, supportedOptions...); err != nil { - return nil, fmt.Errorf("error applying option: %w", err) - } - } - - var baseURL string - if o.ServerURL == nil { - baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) - } else { - baseURL = *o.ServerURL - } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/get/{clientId}", request, nil) - if err != nil { - return nil, fmt.Errorf("error generating URL: %w", err) - } - - hookCtx := hooks.HookContext{ - SDK: s.rootSDK, - SDKConfiguration: s.sdkConfiguration, - BaseURL: baseURL, - Context: ctx, - OperationID: "client_granted_scopes_get_api", - SecuritySource: s.sdkConfiguration.Security, - } - - timeout := o.Timeout - if timeout == nil { - timeout = 
s.sdkConfiguration.Timeout - } - - if timeout != nil { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, *timeout) - defer cancel() - } - - req, err := http.NewRequestWithContext(ctx, "GET", opURL, nil) - if err != nil { - return nil, fmt.Errorf("error creating request: %w", err) - } - req.Header.Set("Accept", "application/json") - req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) - - if err := utils.PopulateQueryParams(ctx, req, request, nil, nil); err != nil { - return nil, fmt.Errorf("error populating query params: %w", err) - } - - if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { - return nil, err - } - - for k, v := range o.SetHeaders { - req.Header.Set(k, v) - } - - req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) - if err != nil { - return nil, err - } - - httpRes, err := s.sdkConfiguration.Client.Do(req) - if err != nil || httpRes == nil { - if err != nil { - err = fmt.Errorf("error sending request: %w", err) - } else { - err = fmt.Errorf("error sending request: no response") - } - - _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) - return nil, err - } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { - _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) - if err != nil { - return nil, err - } else if _httpRes != nil { - httpRes = _httpRes - } - } else { - httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) - if err != nil { - return nil, err - } - } - - res := &operations.ClientGrantedScopesGetAPIResponse{ - HTTPMeta: components.HTTPMetadata{ - Request: req, - Response: httpRes, - }, - } - - switch { - case httpRes.StatusCode == 200: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - if o.SkipDeserialization == nil || !*o.SkipDeserialization { - rawBody, 
err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out components.ClientAuthorizationDeleteResponse - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - res.ClientAuthorizationDeleteResponse = &out - } - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 400: - fallthrough - case httpRes.StatusCode == 401: - fallthrough - case httpRes.StatusCode == 403: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 500: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - 
return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) - } - - return res, nil - -} - -// ClientGrantedScopesGetAPIPost - Get Granted Scopes -// Get the set of scopes that a user has granted to a client application. -// -// The subject parameter is required. 
-func (s *ClientManagement2) ClientGrantedScopesGetAPIPost(ctx context.Context, request operations.ClientGrantedScopesGetAPIPostRequest, opts ...operations.Option) (*operations.ClientGrantedScopesGetAPIPostResponse, error) { - o := operations.Options{} - supportedOptions := []string{ - operations.SupportedOptionTimeout, - operations.SupportedOptionSkipDeserialization, - } - - for _, opt := range opts { - if err := opt(&o, supportedOptions...); err != nil { - return nil, fmt.Errorf("error applying option: %w", err) - } - } - - var baseURL string - if o.ServerURL == nil { - baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) - } else { - baseURL = *o.ServerURL - } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/get/{clientId}", request, nil) - if err != nil { - return nil, fmt.Errorf("error generating URL: %w", err) - } - - hookCtx := hooks.HookContext{ - SDK: s.rootSDK, - SDKConfiguration: s.sdkConfiguration, - BaseURL: baseURL, - Context: ctx, - OperationID: "client_granted_scopes_get_api_post", - SecuritySource: s.sdkConfiguration.Security, - } - bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, false, "Body", "json", `request:"mediaType=application/json"`) - if err != nil { - return nil, err - } - - timeout := o.Timeout - if timeout == nil { - timeout = s.sdkConfiguration.Timeout - } - - if timeout != nil { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, *timeout) - defer cancel() - } - - req, err := http.NewRequestWithContext(ctx, "POST", opURL, bodyReader) - if err != nil { - return nil, fmt.Errorf("error creating request: %w", err) - } - req.Header.Set("Accept", "application/json") - req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) - if reqContentType != "" { - req.Header.Set("Content-Type", reqContentType) - } - - if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { - return nil, err - } - - for k, v 
:= range o.SetHeaders { - req.Header.Set(k, v) - } - - req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) - if err != nil { - return nil, err - } - - httpRes, err := s.sdkConfiguration.Client.Do(req) - if err != nil || httpRes == nil { - if err != nil { - err = fmt.Errorf("error sending request: %w", err) - } else { - err = fmt.Errorf("error sending request: no response") - } - - _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) - return nil, err - } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { - _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) - if err != nil { - return nil, err - } else if _httpRes != nil { - httpRes = _httpRes - } - } else { - httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) - if err != nil { - return nil, err - } - } - - res := &operations.ClientGrantedScopesGetAPIPostResponse{ - HTTPMeta: components.HTTPMetadata{ - Request: req, - Response: httpRes, - }, - } - - switch { - case httpRes.StatusCode == 200: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - if o.SkipDeserialization == nil || !*o.SkipDeserialization { - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out components.ClientAuthorizationDeleteResponse - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - res.ClientAuthorizationDeleteResponse = &out - } - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: - rawBody, err := 
utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) - } - - return res, nil - -} - -// ClientGrantedScopesDeleteAPI - Delete Granted Scopes -// Delete the set of scopes that an end-user has granted to a client application. -// -// Even if records about granted scopes are deleted by calling this API, existing access tokens are -// not deleted and scopes of existing access tokens are not changed. -// The subject parameter is required and must be provided as a query parameter. 
-func (s *ClientManagement2) ClientGrantedScopesDeleteAPI(ctx context.Context, request operations.ClientGrantedScopesDeleteAPIRequest, opts ...operations.Option) (*operations.ClientGrantedScopesDeleteAPIResponse, error) { - o := operations.Options{} - supportedOptions := []string{ - operations.SupportedOptionTimeout, - operations.SupportedOptionSkipDeserialization, - } - - for _, opt := range opts { - if err := opt(&o, supportedOptions...); err != nil { - return nil, fmt.Errorf("error applying option: %w", err) - } - } - - var baseURL string - if o.ServerURL == nil { - baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) - } else { - baseURL = *o.ServerURL - } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/granted_scopes/delete/{clientId}", request, nil) - if err != nil { - return nil, fmt.Errorf("error generating URL: %w", err) - } - - hookCtx := hooks.HookContext{ - SDK: s.rootSDK, - SDKConfiguration: s.sdkConfiguration, - BaseURL: baseURL, - Context: ctx, - OperationID: "client_granted_scopes_delete_api", - SecuritySource: s.sdkConfiguration.Security, - } - - timeout := o.Timeout - if timeout == nil { - timeout = s.sdkConfiguration.Timeout - } - - if timeout != nil { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, *timeout) - defer cancel() - } - - req, err := http.NewRequestWithContext(ctx, "DELETE", opURL, nil) - if err != nil { - return nil, fmt.Errorf("error creating request: %w", err) - } - req.Header.Set("Accept", "application/json") - req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) - - if err := utils.PopulateQueryParams(ctx, req, request, nil, nil); err != nil { - return nil, fmt.Errorf("error populating query params: %w", err) - } - - if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { - return nil, err - } - - for k, v := range o.SetHeaders { - req.Header.Set(k, v) - } - - req, err = 
s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) - if err != nil { - return nil, err - } - - httpRes, err := s.sdkConfiguration.Client.Do(req) - if err != nil || httpRes == nil { - if err != nil { - err = fmt.Errorf("error sending request: %w", err) - } else { - err = fmt.Errorf("error sending request: no response") - } - - _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) - return nil, err - } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { - _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) - if err != nil { - return nil, err - } else if _httpRes != nil { - httpRes = _httpRes - } - } else { - httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) - if err != nil { - return nil, err - } - } - - res := &operations.ClientGrantedScopesDeleteAPIResponse{ - HTTPMeta: components.HTTPMetadata{ - Request: req, - Response: httpRes, - }, - } - - switch { - case httpRes.StatusCode == 200: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - if o.SkipDeserialization == nil || !*o.SkipDeserialization { - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out components.ClientGrantedScopesDeleteResponse - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - res.ClientGrantedScopesDeleteResponse = &out - } - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 400: - fallthrough - case httpRes.StatusCode == 401: - fallthrough - case httpRes.StatusCode == 403: - switch { - case 
utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 500: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - default: - 
rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) - } - - return res, nil - -} - -// ClientExtensionRequestablesScopesUpdateAPIPost - Update Requestable Scopes -// Update requestable scopes of a client -func (s *ClientManagement2) ClientExtensionRequestablesScopesUpdateAPIPost(ctx context.Context, request operations.ClientExtensionRequestablesScopesUpdateAPIPostRequest, opts ...operations.Option) (*operations.ClientExtensionRequestablesScopesUpdateAPIPostResponse, error) { - o := operations.Options{} - supportedOptions := []string{ - operations.SupportedOptionTimeout, - operations.SupportedOptionSkipDeserialization, - } - - for _, opt := range opts { - if err := opt(&o, supportedOptions...); err != nil { - return nil, fmt.Errorf("error applying option: %w", err) - } - } - - var baseURL string - if o.ServerURL == nil { - baseURL = utils.ReplaceParameters(s.sdkConfiguration.GetServerDetails()) - } else { - baseURL = *o.ServerURL - } - opURL, err := utils.GenerateURL(ctx, baseURL, "/api/{serviceId}/client/extension/requestable_scopes/update/{clientId}", request, nil) - if err != nil { - return nil, fmt.Errorf("error generating URL: %w", err) - } - - hookCtx := hooks.HookContext{ - SDK: s.rootSDK, - SDKConfiguration: s.sdkConfiguration, - BaseURL: baseURL, - Context: ctx, - OperationID: "client_extension_requestables_scopes_update_api_post", - SecuritySource: s.sdkConfiguration.Security, - } - bodyReader, reqContentType, err := utils.SerializeRequestBody(ctx, request, false, false, "Body", "json", `request:"mediaType=application/json"`) - if err != nil { - return nil, err - } - - timeout := o.Timeout - if timeout == nil { - timeout = s.sdkConfiguration.Timeout - } - - if timeout != nil { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, *timeout) - defer cancel() - } - - req, err := 
http.NewRequestWithContext(ctx, "POST", opURL, bodyReader) - if err != nil { - return nil, fmt.Errorf("error creating request: %w", err) - } - req.Header.Set("Accept", "application/json") - req.Header.Set("User-Agent", s.sdkConfiguration.UserAgent) - if reqContentType != "" { - req.Header.Set("Content-Type", reqContentType) - } - - if err := utils.PopulateSecurity(ctx, req, s.sdkConfiguration.Security); err != nil { - return nil, err - } - - for k, v := range o.SetHeaders { - req.Header.Set(k, v) - } - - req, err = s.hooks.BeforeRequest(hooks.BeforeRequestContext{HookContext: hookCtx}, req) - if err != nil { - return nil, err - } - - httpRes, err := s.sdkConfiguration.Client.Do(req) - if err != nil || httpRes == nil { - if err != nil { - err = fmt.Errorf("error sending request: %w", err) - } else { - err = fmt.Errorf("error sending request: no response") - } - - _, err = s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, nil, err) - return nil, err - } else if utils.MatchStatusCodes([]string{"4XX", "5XX"}, httpRes.StatusCode) { - _httpRes, err := s.hooks.AfterError(hooks.AfterErrorContext{HookContext: hookCtx}, httpRes, nil) - if err != nil { - return nil, err - } else if _httpRes != nil { - httpRes = _httpRes - } - } else { - httpRes, err = s.hooks.AfterSuccess(hooks.AfterSuccessContext{HookContext: hookCtx}, httpRes) - if err != nil { - return nil, err - } - } - - res := &operations.ClientExtensionRequestablesScopesUpdateAPIPostResponse{ - HTTPMeta: components.HTTPMetadata{ - Request: req, - Response: httpRes, - }, - } - - switch { - case httpRes.StatusCode == 200: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - if o.SkipDeserialization == nil || !*o.SkipDeserialization { - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out components.ClientExtensionRequestableScopesUpdateResponse - if err := 
utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - res.ClientExtensionRequestableScopesUpdateResponse = &out - } - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 400: - fallthrough - case httpRes.StatusCode == 401: - fallthrough - case httpRes.StatusCode == 403: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode == 500: - switch { - case utils.MatchContentType(httpRes.Header.Get("Content-Type"), `application/json`): - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - - var out sdkerrors.ResultError - if err := utils.UnmarshalJsonFromResponseBody(bytes.NewBuffer(rawBody), &out, ""); err != nil { - return nil, err - } - - out.HTTPMeta = components.HTTPMetadata{ - Request: req, - Response: httpRes, - } - return nil, &out - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError(fmt.Sprintf("unknown content-type received: %s", 
httpRes.Header.Get("Content-Type")), httpRes.StatusCode, string(rawBody), httpRes) - } - case httpRes.StatusCode >= 400 && httpRes.StatusCode < 500: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - case httpRes.StatusCode >= 500 && httpRes.StatusCode < 600: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("API error occurred", httpRes.StatusCode, string(rawBody), httpRes) - default: - rawBody, err := utils.ConsumeRawBody(httpRes) - if err != nil { - return nil, err - } - return nil, sdkerrors.NewSDKDefaultError("unknown status code returned", httpRes.StatusCode, string(rawBody), httpRes) - } - - return res, nil - -} diff --git a/internal/usage/schema.go b/internal/usage/schema.go index 5e35812..75c252e 100644 --- a/internal/usage/schema.go +++ b/internal/usage/schema.go 
@@ -10,168 +10,165 @@ import ( ) var usageSchemas = map[string]string{ - "": "name \"authlete\"\nbin \"authlete\"\nabout \"Authlete API: Welcome to the **Authlete API documentation**. Authlete is an **API-first service** where every aspect of the \\nplatform is configurable via API. This documentation will help you authenticate and integrate with Authlete to \\nbuild powerful OAuth 2.0 and OpenID Connect servers.\\n\\nAt a high level, the Authlete API is grouped into two categories:\\n\\n- **Management APIs**: Enable you to manage services and clients.\\n- **Runtime APIs**: Allow you to build your own Authorization Servers or Verifiable Credential (VC) issuers.\\n\\n## 🌐 API Servers\\n\\nAuthlete is a global service with clusters available in multiple regions across the world:\\n\\n- 🇺🇸 **US**: `https://us.authlete.com`\\n- 🇯🇵 **Japan**: `https://jp.authlete.com`\\n- 🇪🇺 **Europe**: `https://eu.authlete.com`\\n- 🇧🇷 **Brazil**: `https://br.authlete.com`\\n\\nOur customers can host their data in the region that best meets their requirements.\\n\\n## 🔑 Authentication\\n\\nAll API endpoints are secured using **Bearer token authentication**. You must include an access token in every request:\\n\\n```\\nAuthorization: Bearer YOUR_ACCESS_TOKEN\\n```\\n\\n### Getting Your Access Token\\n\\nAuthlete supports two types of access tokens:\\n\\n**Service Access Token** - Scoped to a single service (authorization server instance)\\n\\n1. Log in to [Authlete Console](https://console.authlete.com)\\n2. Navigate to your service → **Settings** → **Access Tokens**\\n3. Click **Create Token** and select permissions (e.g., `service.read`, `client.write`)\\n4. Copy the generated token\\n\\n**Organization Token** - Scoped to your entire organization\\n\\n1. Log in to [Authlete Console](https://console.authlete.com)\\n2. Navigate to **Organization Settings** → **Access Tokens**\\n3. Click **Create Token** and select org-level permissions\\n4. 
Copy the generated token\\n\\n> ⚠️ **Important Note**: Tokens inherit the permissions of the account that creates them. Service tokens can only \\n> access their specific service, while organization tokens can access all services within your org.\\n\\n### Token Security Best Practices\\n\\n- **Never commit tokens to version control** - Store in environment variables or secure secret managers\\n- **Rotate regularly** - Generate new tokens periodically and revoke old ones\\n- **Scope appropriately** - Request only the permissions your application needs\\n- **Revoke unused tokens** - Delete tokens you're no longer using from the console\\n\\n### Quick Test\\n\\nVerify your token works with a simple API call:\\n\\n```bash\\ncurl -X GET https://us.authlete.com/api/service/get/list \\\\\\n -H \\\"Authorization: Bearer YOUR_ACCESS_TOKEN\\\"\\n```\\n\\n## 🎓 Tutorials\\n\\nIf you're new to Authlete or want to see sample implementations, these resources will help you get started:\\n\\n- [Getting Started with Authlete](https://www.authlete.com/developers/getting_started/)\\n- [From Sign-Up to the First API Request](https://www.authlete.com/developers/tutorial/signup/)\\n\\n## 🛠 Contact Us\\n\\nIf you have any questions or need assistance, our team is here to help:\\n\\n- [Contact Page](https://www.authlete.com/contact/)\"\nversion \"0.0.8\"\nconfig {\n file \"~/.config/authlete/config.yaml\"\n}\nflag \"--usage\" help=\"Print the CLI Usage schema in KDL format\" global=#true\nflag \"-o --output-format \" help=\"Specify the output format. Options: pretty, json, yaml, table, toon.\" global=#true config=\"output_format\" default=\"pretty\"\nflag \"--color \" help=\"Control colored output: auto (color when output is a TTY), always, or never. 
Respects NO_COLOR and FORCE_COLOR env vars.\" global=#true default=\"auto\"\nflag \"-q --jq \" help=\"Filter and transform output using a jq expression (e.g., '.name', '.items[] | .id')\" global=#true\nflag \"--server-url \" help=\"Override the default server URL\" global=#true\nflag \"--server \" help=\"Select a server by index (for indexed servers) or name (for named servers)\" global=#true\nflag \"-H --header \" help=\"Set a custom HTTP request header (format: \\\"Key: Value\\\"). Can be specified multiple times.\" global=#true var=#true\nflag \"--include-headers\" help=\"Include HTTP response headers in the output\" global=#true default=#false\nflag \"--timeout \" help=\"HTTP request timeout (e.g., 30s, 5m, 100ms)\" global=#true config=\"timeout\"\nflag \"--dry-run\" help=\"Preview the request that would be sent without executing it (output to stderr)\" global=#true default=#false\nflag \"-d --debug\" help=\"Log request and response diagnostics to stderr\" global=#true default=#false\nflag \"--agent-mode\" help=\"Enable structured errors and default TOON output for AI coding agents. Automatically enabled when a known agent environment is detected (CLAUDE_CODE, CURSOR_AGENT, etc.). Use --agent-mode=false to disable.\" global=#true default=#false\nflag \"--bearer \" help=\"Authenticate every request with a **Service Access Token** or **Organization Token**.\\nSet the token value in the `Authorization: Bearer ` header.\\n\\n**Service Access Token**: Scoped to a single service. Use when automating service-level configuration or runtime flows.\\n\\n**Organization Token**: Scoped to the organization; inherits permissions across services. 
Use for org-wide automation or when managing multiple services programmatically.\\n\\nBoth token types are issued by the Authlete console or provisioning APIs.\" global=#true env=\"AUTHLETE_BEARER\" config=\"security.bearer\"\ncmd \"service\" help=\"Operations for service\" {\n cmd \"get\" help=\"Get Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n cmd \"list\" help=\"List Services\" {\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n }\n cmd \"update\" help=\"Update Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--service-name \" help=\"The name of this service.\"\n flag \"--issuer \" help=\"The issuer identifier of the service.\\n\\nA URL that starts with https:// and has no query or fragment component.\\n\\nThe value of this property is used as `iss` claim in an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\\nand `issuer` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--description \" help=\"The description about the service.\"\n flag \"--token-batch-notification-endpoint \" help=\"The endpoint for batch token notifications. This endpoint is called when \\nmultiple tokens are issued or revoked in a batch operation.\\n\"\n flag \"--client-assertion-aud-restricted-to-issuer\" help=\"The flag indicating whether the audience of client assertion JWTs must \\nmatch the issuer identifier of this service.\\n\"\n flag \"--clients-per-developer \" help=\"The maximum number of client applications that a developer can have.\\n\"\n flag \"--developer-authentication-callback-endpoint \" help=\"The endpoint for developer authentication callbacks. 
This is used when \\ndevelopers log into the developer portal.\\n\"\n flag \"--developer-authentication-callback-api-key \" help=\"The API key for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--developer-authentication-callback-api-secret \" help=\"The API secret for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--supported-snses \" help=\"Social login services (SNS) that this service supports for end-user \\nauthentication.\\n\" var=#true\n flag \"--sns-credentials \" help=\"The credentials for social login services (SNS) that are used for \\nend-user authentication.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always `true`.\"\n flag \"--metadata \" help=\"The `metadata` of the service. The content of the returned array depends on contexts.\\nThe predefined service metadata is listed in the following table.\\n\\n | Key | Description |\\n | --- | --- |\\n | `clientCount` | The number of client applications which belong to this service. 
|\\n\"\n flag \"--authentication-callback-endpoint \" help=\"A Web API endpoint for user authentication which is to be prepared on the service side.\\n\\nThe endpoint must be implemented if you do not implement the UI at the authorization endpoint\\nbut use the one provided by Authlete.\\n\\nThe user authentication at the authorization endpoint provided by Authlete is performed by making\\na `POST` request to this endpoint.\\n\"\n flag \"--authentication-callback-api-key \" help=\"API key for basic authentication at the authentication callback endpoint.\\n\\nIf the value is not empty, Authlete generates Authorization header for Basic authentication when\\nmaking a request to the authentication callback endpoint.\\n\"\n flag \"--authentication-callback-api-secret \" help=\"API secret for `basic` authentication at the authentication callback endpoint.\"\n flag \"--supported-grant-types \" help=\"Values of `grant_type` request parameter that the service supports.\\n\\nThe value of this property is used as `grant_types_supported property` in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-response-types \" help=\"Values of `response_type` request parameter that\\nthe service supports. Valid values are listed in Response Type.\\n\\nThe value of this property is used as `response_types_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-authorization-details-types \" help=\"The supported data types that can be used as values of the type field in `authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types_supported` metadata. 
See \\\"OAuth 2.0\\nRich Authorization Requests\\\" (RAR) for details.\\n\" var=#true\n flag \"--supported-service-profiles \" help=\"The profiles that this service supports.\\n\" var=#true\n flag \"--error-description-omitted\" help=\"The flag to indicate whether the `error_description` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include\\nthe `error_description` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the `error_description` response parameter in error responses.\\n\"\n flag \"--error-uri-omitted\" help=\"The flag to indicate whether the `error_uri` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include the `error_uri` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the\\n`error_uri` response parameter in error responses.\\n\"\n flag \"--authorization-endpoint \" help=\"The authorization endpoint of the service.\\n\\nA URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/authorization`.\\n\\nThe value of this property is used as `authorization_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-authorization-endpoint-enabled\" help=\"The flag to indicate whether the direct authorization endpoint is enabled or not.\\n\\nThe path of the endpoint is `/api/auth/authorization/direct/service-api-key`.\\n\"\n flag \"--supported-ui-locales \" help=\"UI locales that the service supports.\\n\\nEach element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646). 
For example, `en-US` and `ja-JP`.\\n\\nThe value of this property is used as `ui_locales_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-displays \" help=\"Values of `display` request parameter that service supports.\\n\\nThe value of this property is used as `display_values_supported` property in the Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--authorization-response-duration \" help=\"The duration of authorization response JWTs in seconds.\\n\\n[Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)\\ndefines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,\\n`form_post.jwt` and `jwt`. 
If one of them is specified as the response mode, response parameters\\nfrom the authorization endpoint will be packed into a JWT. This property is used to compute the\\nvalue of the `exp` claim of the JWT.\\n\"\n flag \"--authorization-code-duration \" help=\"The duration of authorization codes in seconds.\\n\"\n flag \"--token-endpoint \" help=\"The [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) of the service.\\n\\nA URL that starts with `https://` and has not fragment component. For example, `https://example.com/auth/token`.\\n\\nThe value of this property is used as `token_endpoint` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-token-endpoint-enabled\" help=\"The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint\\nis `/api/auth/token/direct/service-api-key`.\\n\"\n flag \"--supported-token-auth-methods \" help=\"Client authentication methods supported by the token endpoint of the service.\\n\\nThe value of this property is used as `token_endpoint_auth_methods_supports` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--missing-client-id-allowed\" help=\"The flag to indicate token requests from public clients without the `client_id` request parameter are allowed when the client can be guessed from `authorization_code` or `refresh_token`.\\n\\nThis flag should not be set unless you have special reasons.\\n\"\n flag \"--revocation-endpoint \" help=\"The [revocation endpoint](https://tools.ietf.org/html/rfc7009) of the service.\\n\\nA URL that starts with `https://`. For example, `https://example.com/auth/revocation`.\\n\"\n flag \"--direct-revocation-endpoint-enabled\" help=\"The flag to indicate whether the direct revocation endpoint is enabled or not. 
The URL of the endpoint is `/api/auth/revocation/direct/service-api-key`. \"\n flag \"--supported-revocation-auth-methods \" help=\"Client authentication methods supported at the revocation endpoint.\\n\" var=#true\n flag \"--introspection-endpoint \" help=\"The URI of the introspection endpoint.\"\n flag \"--direct-introspection-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is `/api/auth/userinfo/direct/{serviceApiKey}`. \"\n flag \"--supported-introspection-auth-methods \" help=\"Client authentication methods supported at the introspection endpoint.\\n\" var=#true\n flag \"--pushed-auth-req-endpoint \" help=\"The URI of the pushed authorization request endpoint.\\n\\nThis property corresponds to the `pushed_authorization_request_endpoint` metadata defined in \\\"[5. Authorization Server Metadata](https://tools.ietf.org/html/draft-lodderstedt-oauth-par#section-5)\\\" of OAuth 2.0 Pushed Authorization Requests.\\n\"\n flag \"--pushed-auth-req-duration \" help=\"The duration of pushed authorization requests in seconds.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this service requires that clients use the pushed authorization\\nrequest endpoint.\\n\\nThis property corresponds to the `require_pushed_authorization_requests` server metadata defined\\nin [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par).\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether this service requires that authorization requests always utilize\\na request object by using either request or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the value of `traditionalRequestObjectProcessingApplied` is\\n`false`, the value of `require_signed_request_object` server metadata of this service is reported\\nas `true` in the discovery document. 
The metadata is defined in JAR (JWT Secured Authorization Request).\\nThat `require_signed_request_object` is `true` means that authorization requests which don't\\nconform to the JAR specification are rejected.\\n\"\n flag \"--traditional-request-object-processing-applied\" help=\"The flag to indicate whether a request object is processed based on rules defined in\\n[OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) or JAR (JWT\\nSecured Authorization Request).\\n\"\n flag \"--mutual-tls-validate-pki-cert-chain\" help=\"The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.\\n\"\n flag \"--trusted-root-certificates \" help=\"The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.\\n\" var=#true\n flag \"--mtls-endpoint-aliases \" help=\"The MTLS endpoint aliases.\\n\"\n flag \"--access-token-type \" help=\"The access token type.\\n\\nThis value is used as the value of `token_type` property in access token responses. If this service\\ncomplies with [RFC 6750](https://tools.ietf.org/html/rfc6750), the value of this property should\\nbe `Bearer`.\\n\\nSee [RFC 6749 (OAuth 2.0), 7.1. Access Token Types](https://tools.ietf.org/html/rfc6749#section-7.1) for details.\\n\"\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.\\n\"\n flag \"--access-token-duration \" help=\"The duration of access tokens in seconds. This value is used as the value of `expires_in` property\\nin access token responses. `expires_in` is defined [RFC 6749, 5.1. 
Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1).\\n\"\n flag \"--single-access-token-per-subject\" help=\"The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.\\n\\nIf `true`, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.\\n\\nNote that, however, attempts by [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by [Refresh Token Flow](https://tools.ietf.org/html/rfc6749#section-6) invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is `true` or `false`.\\n\"\n flag \"--access-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--access-token-signature-key-id \" help=\"The key ID to identify a JWK used for signing access tokens.\\n\\nA JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs.\\nAuthlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based\\naccess token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions\\nfor access token signature. If the number of JWK candidates which satisfy the conditions is 1,\\nthere is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed\\nto be specified so that Authlete Server can pick up one JWK from among the JWK candidates.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of refresh tokens in seconds. 
The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.\"\n flag \"--refresh-token-duration-kept\" help=\"The flag to indicate whether the remaining duration of the used refresh token is taken over to\\nthe newly issued refresh token.\\n\"\n flag \"--refresh-token-duration-reset\" help=\"The flag which indicates whether duration of refresh tokens are reset when they are used even\\nif the `refreshTokenKept` property of this service set to is `true` (= even if \\\"Refresh Token\\nContinuous Use\\\" is \\\"Kept\\\").\\n\\nThis flag has no effect when the `refreshTokenKept` property is set to `false`. In other words,\\nif this service issues a new refresh token on every refresh token request, the refresh token\\nwill have fresh duration (unless `refreshTokenDurationKept` is set to `true`) and this\\n`refreshTokenDurationReset` property is not referenced.\\n\"\n flag \"--refresh-token-kept\" help=\"The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.\\n\\nIf `true`, a refresh token used to get a new access token remains valid after its use. Otherwise, if `false`, a refresh token is invalidated after its use and a new refresh token is issued.\\n\\nSee [RFC 6749 6. Refreshing an Access Token](https://tools.ietf.org/html/rfc6749#section-6), as to how to get a new access token using a refresh token.\\n\"\n flag \"--supported-scopes \" help=\"Scopes supported by the service.\\n\"\n flag \"--scope-required\" help=\"The flag to indicate whether requests that request no scope are rejected or not.\\n\"\n flag \"--id-token-duration \" help=\"'The duration of [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)s\\nin seconds. 
This value is used to calculate the value of `exp` claim in an ID token.'\\n\"\n flag \"--allowable-clock-skew \" help=\"The allowable clock skew between the server and clients in seconds.\\n\\nThe clock skew is taken into consideration when time-related claims in a JWT (e.g. `exp`, `iat`, `nbf`) are verified.\\n\"\n flag \"--supported-claim-types \" help=\"Claim types supported by the service. Valid values are listed in Claim Type. Note that Authlete\\ncurrently doesn't provide any API to help implementations for `AGGREGATED` and `DISTRIBUTED`.\\n\\nThe value of this property is used as `claim_types_supported` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claim-locales \" help=\"Claim locales that the service supports. Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646).\\nFor example, `en-US` and `ja-JP`. See [OpenID Connect Core 1.0, 5.2. Languages and Scripts](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts)\\nfor details.\\n\\nThe value of this property is used as `claims_locales_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claims \" help=\"Claim names that the service supports. The standard claim names listed in [OpenID Connect Core 1.0,\\n5.1. Standard Claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) should\\nbe supported. The following is the list of standard claims.\\n\" var=#true\n flag \"--claim-shortcut-restrictive\" help=\"The flag indicating whether claims specified by shortcut scopes (e.g. `profile`) are included\\nin the issued ID token only when no access token is issued.\\n\"\n flag \"--jwks-uri \" help=\"The URL of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document. 
For\\nexample, `http://example.com/auth/jwks`.\\n\\nClient applications accesses this URL (1) to get the public key of the service to validate the\\nsignature of an ID token issued by the service and (2) to get the public key of the service to\\nencrypt an request object of the client application. See [OpenID Connect Core 1.0, 10. Signatures\\nand Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\\nThe value of this property is used as `jwks_uri` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-jwks-endpoint-enabled\" help=\"'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint\\nis `/api/service/jwks/get/direct/service-api-key`. '\\n\"\n flag \"--jwks \" help=\"The content of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document.\\n\\nIf this property is not `null` in a `/service/create` request or a `/service/update` request,\\nAuthlete hosts the content in the database. This property must not be `null` and must contain\\npairs of public/private keys if the service wants to support asymmetric signatures for ID tokens\\nand asymmetric encryption for request objects. See [OpenID Connect Core 1.0, 10. Signatures and\\nEncryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\"\n flag \"--id-token-signature-key-id \" help=\"The key ID to identify a JWK used for ID token signature using an asymmetric key.\\n\"\n flag \"--user-info-signature-key-id \" help=\"The key ID to identify a JWK used for user info signature using an asymmetric key.\\n\"\n flag \"--authorization-signature-key-id \" help=\"The key ID to identify a JWK used for signing authorization responses using an asymmetric key.\\n\"\n flag \"--user-info-endpoint \" help=\"The [user info endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo) of the\\nservice. 
A URL that starts with `https://`. For example, `https://example.com/auth/userinfo`.\\n\\nThe value of this property is used as `userinfo_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-user-info-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path\\nof the endpoint is `/api/auth/userinfo/direct/service-api-key`.\\n\"\n flag \"--dynamic-registration-supported\" help=\"The boolean flag which indicates whether the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)\\nis supported.\\n\"\n flag \"--registration-endpoint \" help=\"The [registration endpoint](http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)\\nof the service. A URL that starts with `https://`. For example, `https://example.com/auth/registration`.\\n\\nThe value of this property is used as `registration_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--registration-management-endpoint \" help=\"The URI of the registration management endpoint. If dynamic client registration is supported,\\nand this is set, this URI will be used as the basis of the client's management endpoint by appending\\n`/clientid}/` to it as a path element. 
If this is unset, the value of `registrationEndpoint` will\\nbe used as the URI base instead.\\n\"\n flag \"--policy-uri \" help=\"The URL of the \\\"Policy\\\" of the service.\\n\\nThe value of this property is used as `op_policy_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL of the \\\"Terms Of Service\\\" of the service.\\n\\nThe value of this property is used as `op_tos_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--service-documentation \" help=\"The URL of a page where documents for developers can be found.\\n\\nThe value of this property is used as `service_documentation` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--backchannel-authentication-endpoint \" help=\"The URI of backchannel authentication endpoint, which is defined in the specification of [CIBA\\n(Client Initiated Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\"\n flag \"--supported-backchannel-token-delivery-modes \" help=\"The supported backchannel token delivery modes. This property corresponds to the `backchannel_token_delivery_modes_supported`\\nmetadata.\\n\\nBackchannel token delivery modes are defined in the specification of [CIBA (Client Initiated\\nBackchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\" var=#true\n flag \"--backchannel-auth-req-id-duration \" help=\"The duration of backchannel authentication request IDs issued from the backchannel authentication\\nendpoint in seconds. 
This is used as the value of the `expires_in` property in responses from\\nthe backchannel authentication endpoint.\\n\"\n flag \"--backchannel-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds. This is used as the value of the `interval` property in responses from the backchannel\\nauthentication endpoint.\\n\"\n flag \"--backchannel-user-code-parameter-supported\" help=\"The boolean flag which indicates whether the `user_code` request parameter is supported at the\\nbackchannel authentication endpoint. This property corresponds to the `backchannel_user_code_parameter_supported`\\nmetadata.\\n\"\n flag \"--backchannel-binding-message-required-in-fapi\" help=\"The flag to indicate whether the `binding_message` request parameter is always required whenever\\na backchannel authentication request is judged as a request for Financial-grade API.\\n\"\n flag \"--device-authorization-endpoint \" help=\"The URI of the device authorization endpoint.\\n\\nDevice authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.\\n\"\n flag \"--device-verification-uri \" help=\"The verification URI for the device flow. This URI is used as the value of the `verification_uri`\\nparameter in responses from the device authorization endpoint.\\n\"\n flag \"--device-verification-uri-complete \" help=\"The verification URI for the device flow with a placeholder for a user code. This URI is used\\nto build the value of the `verification_uri_complete` parameter in responses from the device\\nauthorization endpoint.\\n\"\n flag \"--device-flow-code-duration \" help=\"The duration of device verification codes and end-user verification codes issued from the device\\nauthorization endpoint in seconds. 
This is used as the value of the `expires_in` property in responses\\nfrom the device authorization endpoint.\\n\"\n flag \"--device-flow-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds in device flow. This is used as the value of the `interval` property in responses from\\nthe device authorization endpoint.\\n\"\n flag \"--user-code-charset \" help=\"The character set for end-user verification codes (`user_code`) for Device Flow.\\n (options: BASE20, NUMERIC)\"\n flag \"--user-code-length \" help=\"The length of end-user verification codes (`user_code`) for Device Flow.\\n\"\n flag \"--supported-trust-frameworks \" help=\"Trust frameworks supported by this service. This corresponds to the `trust_frameworks_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-evidence \" help=\"Evidence supported by this service. This corresponds to the `evidence_supported` [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-identity-documents \" help=\"Identity documents supported by this service. This corresponds to the `id_documents_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verification-methods \" help=\"Verification methods supported by this service. This corresponds to the `id_documents_verification_methods_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verified-claims \" help=\"Verified claims supported by this service. 
This corresponds to the `claims_in_verified_claims_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--verified-claims-validation-schema-set \" help=\"The verified claims validation schema set.\\n (options: standard, standard+id_document)\"\n flag \"--attributes \" help=\"The attributes of this service.\\n\"\n flag \"--nbf-optional\" help=\"The flag indicating whether the nbf claim in the request object is optional even when the authorization\\nrequest is regarded as a FAPI-Part2 request.\\n\"\n flag \"--iss-suppressed\" help=\"The flag indicating whether generation of the iss response parameter is suppressed.\\n\"\n flag \"--supported-custom-client-metadata \" help=\"custom client metadata supported by this service.\\n\" var=#true\n flag \"--token-expiration-linked\" help=\"The flag indicating whether the expiration date of an access token never exceeds that of the\\ncorresponding refresh token.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE `enc` of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--hsm-enabled\" help=\"The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.\\n\\nWhen this flag is `false`, keys managed in HSMs are not used even if they exist. 
In addition,\\n`/api/hsk/*` APIs reject all requests.\\n\\nEven if this flag is `true`, HSM-related features do not work if the configuration of the Authlete\\nserver you are using does not support HSM.\\n\"\n flag \"--hsks \" help=\"The information about keys managed on HSMs (Hardware Security Modules).\\n\\nThis `hsks` property is output only, meaning that `hsks` in requests to `/api/service/create`\\nAPI and `/api/service/update` API do not have any effect. The contents of this property is controlled\\nonly by `/api/hsk/*` APIs.\\n\"\n flag \"--grant-management-endpoint \" help=\"The URL of the grant management endpoint.\\n\"\n flag \"--grant-management-action-required\" help=\"The flag indicating whether every authorization request (and any request serving as an authorization\\nrequest such as CIBA backchannel authentication request and device authorization request) must\\ninclude the `grant_management_action` request parameter.\\n\"\n flag \"--unauthorized-on-client-config-supported\" help=\"The flag indicating whether Authlete's `/api/client/registration` API uses `UNAUTHORIZED` as\\na value of the `action` response parameter when appropriate.\\n\"\n flag \"--dcr-scope-used-as-requestable\" help=\"The flag indicating whether the `scope` request parameter in dynamic client registration and\\nupdate requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.\\n\\nLimiting the range of scopes that a client can request is achieved by listing scopes in the\\n`client.extension.requestableScopes` property and setting the `client.extension.requestableScopesEnabled`\\nproperty to `true`. This feature is called \\\"requestable scopes\\\".\\n\\nThis property affects behaviors of `/api/client/registration` and other family APIs.\\n\"\n flag \"--end-session-endpoint \" help=\"The endpoint for clients ending the sessions.\\n\\nA URL that starts with `https://` and has no fragment component. 
For example, `https://example.com/auth/endSession`.\\n\\nThe value of this property is used as `end_session_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--loopback-redirection-uri-variable\" help=\"The flag indicating whether the port number component of redirection URIs can be variable when\\nthe host component indicates loopback.\\n\"\n flag \"--request-object-audience-checked\" help=\"The flag indicating whether Authlete checks whether the `aud` claim of request objects matches\\nthe issuer identifier of this service.\\n\"\n flag \"--access-token-for-external-attachment-embedded\" help=\"The flag indicating whether Authlete generates access tokens for\\nexternal attachments and embeds them in ID tokens and userinfo\\nresponses.\\n\"\n flag \"--authority-hints \" help=\"Identifiers of entities that can issue entity statements for this\\nservice. This property corresponds to the `authority_hints`\\nproperty that appears in a self-signed entity statement that is\\ndefined in OpenID Connect Federation 1.0.\\n\" var=#true\n flag \"--federation-enabled\" help=\"flag indicating whether this service supports OpenID Connect Federation 1\\n\"\n flag \"--federation-jwks \" help=\"JWK Set document containing keys that are used to sign (1) self-signed\\nentity statement of this service and (2) the response from\\n`signed_jwks_uri`.\\n\"\n flag \"--federation-signature-key-id \" help=\"A key ID to identify a JWK used to sign the entity configuration and\\nthe signed JWK Set.\\n\"\n flag \"--federation-configuration-duration \" help=\"The duration of the entity configuration in seconds.\\n\"\n flag \"--federation-registration-endpoint \" help=\"The URI of the federation registration endpoint. 
This property corresponds\\nto the `federation_registration_endpoint` server metadata that is\\ndefined in OpenID Connect Federation 1.0.\\n\"\n flag \"--organization-name \" help=\"The human-readable name representing the organization that operates\\nthis service. This property corresponds to the `organization_name`\\nserver metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--predefined-transformed-claims \" help=\"The transformed claims predefined by this service in JSON format.\\nThis property corresponds to the `transformed_claims_predefined`\\nserver metadata.\\n\"\n flag \"--refresh-token-idempotent\" help=\"flag indicating whether refresh token requests with the same\\nrefresh token can be made multiple times in quick succession and\\nthey can obtain the same renewed refresh token within the short\\nperiod.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this service's JWK Set document in\\nthe JWT format. This property corresponds to the `signed_jwks_uri`\\nserver metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--supported-attachments \" help=\"Supported attachment types. This property corresponds to the {@code\\nattachments_supported} server metadata which was added by the third\\nimplementer's draft of OpenID Connect for Identity Assurance 1.0.\\n\" var=#true\n flag \"--supported-digest-algorithms \" help=\"Supported algorithms used to compute digest values of external\\nattachments. This property corresponds to the\\n`digest_algorithms_supported` server metadata which was added\\nby the third implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--supported-documents \" help=\"Document types supported by this service. 
This property corresponds\\nto the `documents_supported` server metadata.\\n\" var=#true\n flag \"--supported-documents-methods \" help=\"validation and verification processes supported by this service.\\nThis property corresponds to the `documents_methods_supported`\\nserver metadata.\\n\\nThe third implementer's draft of [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\nrenamed the\\n`id_documents_verification_methods_supported` server metadata to\\n`documents_methods_supported`.\\n\" var=#true\n flag \"--supported-documents-validation-methods \" help=\"Document validation methods supported by this service. This property\\ncorresponds to the `documents_validation_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n\" var=#true\n flag \"--supported-documents-verification-methods \" help=\"Document verification methods supported by this service. This property\\ncorresponds to the `documents_verification_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-electronic-records \" help=\"Electronic record types supported by this service. 
This property\\ncorresponds to the `electronic_records_supported` server metadata\\nwhich was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-client-registration-types \" help=\"list of values\" var=#true\n flag \"--token-exchange-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nmaking token exchange requests.\\n\"\n flag \"--token-exchange-by-confidential-clients-only\" help=\"The flag indicating whether to prohibit public clients from making\\ntoken exchange requests.\\n\"\n flag \"--token-exchange-by-permitted-clients-only\" help=\"The flag indicating whether to prohibit clients that have no explicit\\npermission from making token exchange requests.\\n\"\n flag \"--token-exchange-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse encrypted JWTs as input tokens.\\n\"\n flag \"--token-exchange-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse unsigned JWTs as input tokens.\\n\"\n flag \"--jwt-grant-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nusing the grant type \\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nencrypted JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nunsigned JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--dcr-duplicate-software-id-blocked\" help=\"The flag indicating whether to block DCR (Dynamic 
Client Registration)\\nrequests whose \\\"software_id\\\" has already been used previously.\\n\"\n flag \"--trust-anchors \" help=\"The trust anchors that are referenced when this service resolves\\ntrust chains of relying parties.\\n\\nIf this property is empty, client registration fails regardless of\\nwhether its type is `automatic` or `explicit`. It means\\nthat OpenID Connect Federation 1.0 does not work.\\n\"\n flag \"--openid-dropped-on-refresh-without-offline-access\" help=\"The flag indicating whether the openid scope should be dropped from\\nscopes list assigned to access token issued when a refresh token grant\\nis used.\\n\"\n flag \"--supported-documents-check-methods \" help=\"Supported document check methods. This property corresponds to the `documents_check_methods_supported`\\nserver metadata which was added by the fourth implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--rs-response-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--cnonce-duration \" help=\"The duration of `c_nonce`.\\n\"\n flag \"--dpop-nonce-required\" help=\"Whether to require DPoP proof JWTs to include the `nonce` claim\\nwhenever they are presented.\\n\"\n flag \"--verifiable-credentials-enabled\" help=\"Get the flag indicating whether the feature of Verifiable Credentials\\nfor this service is enabled or not.\\n\"\n flag \"--credential-jwks-uri \" help=\"The URL at which the JWK Set document of the credential issuer is\\nexposed.\\n\"\n flag \"--credential-offer-duration \" help=\"The default duration of credential offers in seconds.\\n\"\n flag \"--dpop-nonce-duration \" help=\"The duration of nonce values for DPoP proof JWTs in seconds.\\n\"\n flag \"--pre-authorized-grant-anonymous-access-supported\" help=\"The flag indicating whether token requests using the pre-authorized\\ncode grant flow by unidentifiable clients are allowed.\\n\"\n flag 
\"--credential-transaction-duration \" help=\"The duration of transaction ID in seconds that may be issued as a\\nresult of a credential request or a batch credential request.\\n\"\n flag \"--introspection-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--resource-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--user-pin-length \" help=\"The default length of user PINs.\\n\"\n flag \"--supported-prompt-values \" help=\"The supported `prompt` values.\\n\" var=#true\n flag \"--id-token-reissuable\" help=\"The flag indicating whether to enable the feature of ID token\\nreissuance in the refresh token flow.\\n\"\n flag \"--credential-jwks \" help=\"The JWK Set document containing private keys that are used to sign\\nverifiable credentials.\\n\"\n flag \"--fapi-modes \" help=\"FAPI modes for this service.\\n\\nWhen the value of this property is not `null`, Authlete always processes requests to this service based\\non the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported\\nby this service.\\n\\nFor instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete always\\nprocesses requests to this service based on \\\"Financial-grade API Security Profile 1.0 - Part 2:\\nAdvanced\\\" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.\\n\" var=#true\n flag \"--credential-duration \" help=\"The default duration of verifiable credentials in seconds.\\n\"\n flag \"--credential-issuer-metadata \" help=\"JSON object\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim in ID tokens.\\n\"\n flag \"--native-sso-supported\" help=\"Flag that enables the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (“Native SSO”). 
When this property is **not** `true`, Native SSO specific parameters are ignored or treated as errors.\\nFor example:\\n\\n* The `device_sso` scope has no special meaning (Authlete does not embed the `sid` claim in ID tokens).\\n* The `urn:openid:params:token-type:device-secret` token type is treated as unknown and results in an error.\\n\\nWhen set to `true`, the server metadata advertises `\\\"native_sso_supported\\\": true`. See [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)\\nand [RFC 8414 §2](https://www.rfc-editor.org/rfc/rfc8414.html#section-2) for background. Native SSO is available in Authlete 3.0 and later.\\n\"\n flag \"--oid4vci-version \" help=\"Version of the [OpenID for Verifiable Credential Issuance](https://www.authlete.com/developers/oid4vci/) (OID4VCI) specification to support.\\n\\nAccepted values are:\\n\\n* `null` or `\\\"1.0-ID1\\\"` → Implementer’s Draft 1.\\n* `\\\"1.0\\\"` or `\\\"1.0-Final\\\"` → Final 1.0 specification.\\n\\nChoose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.\\n\"\n flag \"--cimd-metadata-policy-enabled\" help=\"Flag that controls whether the CIMD metadata policy is applied to client\\nmetadata obtained through the Client ID Metadata Document (CIMD)\\nmechanism.\\n\"\n flag \"--client-id-metadata-document-supported\" help=\"Indicates whether the Client ID Metadata Document (CIMD) mechanism is\\nsupported. When `true`, the service will attempt to retrieve client\\nmetadata via CIMD where applicable.\\n\"\n flag \"--cimd-allowlist-enabled\" help=\"Enables the allowlist for CIMD. 
When `true`, only CIMD endpoints that are\\non the allowlist are used.\\n\"\n flag \"--cimd-allowlist \" help=\"The allowlist of CIMD endpoints (hosts/URIs) that may be used when\\nretrieving client metadata via Client ID Metadata Documents.\\n\" var=#true\n flag \"--cimd-always-retrieved\" help=\"If `true`, CIMD retrieval is always attempted for clients, regardless of\\nother conditions.\\n\"\n flag \"--cimd-http-permitted\" help=\"Allows CIMD retrieval over plain HTTP. When `false`, only HTTPS CIMD\\nendpoints are allowed.\\n\"\n flag \"--cimd-query-permitted\" help=\"Allows the use of query parameters when retrieving CIMD metadata. When\\n`false`, query parameters are disallowed for CIMD requests.\\n\"\n flag \"--cimd-metadata-policy \" help=\"The metadata policy applied to client metadata obtained through the CIMD\\nmechanism. The value must follow the metadata policy grammar defined in\\n[OpenID Federation 1.0 §6.1 Metadata Policy](https://openid.net/specs/openid-federation-1_0.html#name-metadata-policy).\\n\"\n flag \"--http-alias-prohibited\" help=\"When `true`, client ID aliases starting with `https://` or `http://` are\\nprohibited.\\n\"\n flag \"--attestation-challenge-time-window \" help=\"The time window of attestation challenges in seconds. This is used for\\nOAuth 2.0 Attestation-Based Client Authentication.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Service ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n cmd \"get-configuration\" help=\"Get Service Configuration\" {\n alias \"gc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. 
The default value is `false`.\"\n flag \"--patch \" help=\"Get the JSON Patch [RFC 6902 JavaScript Object Notation (JSON) Patch](https://www.rfc-editor.org/rfc/rfc6902) to be applied.\"\n }\n}\ncmd \"client\" help=\"Operations for client\" {\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n }\n cmd \"list\" help=\"List Clients\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--developer \" help=\"The developer of client applications. The default value is null. If this parameter is not set\\nto `null`, client application of the specified developer are returned. Otherwise, all client\\napplications that belong to the service are returned.\\n\"\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n }\n cmd \"create\" help=\"Create Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. 
If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. 
If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-form\" help=\"Update Client\" {\n alias \"uf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--body-param \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"The client ID. [required]\"\n }\n cmd \"management-1\" help=\"Operations for client-management-1\" {\n alias \"m1\"\n cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. 
[required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n }\n cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. 
If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. 
Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n }\n}\ncmd \"client-management-2\" help=\"API endpoints for managing OAuth clients, including creation, update, and deletion of clients\" {\n alias \"cm2\"\n cmd \"client-authorization-get-list-api\" help=\"Get Authorized Applications\" {\n alias \"cagla\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"client-authorization-get-list-api-post\" help=\"Get Authorized Applications\" {\n alias \"caglap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"client-authorization-delete-api\" help=\"Delete Client Tokens\" {\n alias \"cada\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-authorization-delete-api-post\" help=\"Delete Client Tokens\" {\n alias \"cadap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"client-granted-scopes-get-api\" help=\"Get Granted Scopes\" {\n alias \"cgsga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-granted-scopes-get-api-post\" help=\"Get Granted Scopes\" {\n alias \"cgsgap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"client-granted-scopes-delete-api\" help=\"Delete Granted Scopes\" {\n alias \"cgsda\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-extension-requestables-scopes-update-api-post\" help=\"Update Requestable Scopes\" {\n alias \"cersuap\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"authorization\" help=\"Operations for authorization\" {\n cmd \"process-request\" help=\"Process Authorization Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of\\nthe authorization server implementation received from the client application.\\n\\nThe value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is `GET`\\nor (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from\\nthe client application is `POST`.\\n [required]\"\n flag \"--context \" help=\"The arbitrary text to be attached to the ticket that will be issued from the `/auth/authorization`\\nAPI.\\n\\nThe text can be retrieved later by the `/auth/authorization/ticket/info` API and can be updated\\nby the `/auth/authorization/ticket/update` API.\\n\\nThe text will be compressed and encrypted when it is saved in the Authlete database.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata 
Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the authorization request.\\nFor more details, see [NO_INTERACTION] in the description of `/auth/authorization` API.\\n (options: UNKNOWN, NOT_LOGGED_IN, MAX_AGE_NOT_SUPPORTED, EXCEEDS_MAX_AGE, DIFFERENT_SUBJECT, ACR_NOT_SATISFIED, DENIED, SERVER_ERROR, NOT_AUTHENTICATED, ACCOUNT_SELECTION_REQUIRED, CONSENT_REQUIRED, INTERACTION_REQUIRED, INVALID_TARGET) [required]\"\n flag \"--description \" help=\"The custom description about the authorization failure.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Authorization Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= a user account managed by the service) who has granted authorization to the client application.\\n [required]\"\n flag \"--auth-time \" help=\"The time when the authentication of the end-user occurred. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference performed for the end-user authentication.\"\n flag \"--claims \" help=\"The claims of the end-user (= pieces of information about the end-user) in JSON format.\\nSee [OpenID Connect Core 1.0, 5.1. 
Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) for details about the format.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with an access token and/or an authorization code.\"\n flag \"--scopes \" help=\"Scopes to associate with an access token and/or an authorization code.\\nIf a non-empty string array is given, it replaces the scopes specified by the original authorization request.\\n\" var=#true\n flag \"--sub \" help=\"The value of the `sub` claim to embed in an ID token. If this request parameter is `null` or empty,\\nthe value of the `subject` request parameter is used as the value of the `sub` claim.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens that may be issued based on\\nthe authorization request.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--session-id \" help=\"The session ID of the user's authentication session. The specified value will be embedded in the\\nID token as the value of the `sid` claim. This parameter needs to be provided only if you want\\nto support the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (a.k.a. \\\"Native SSO\\\"). To enable support for the Native SSO specification, the\\n`nativeSsoSupported` property of your service must be set to `true`.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"management\" help=\"Operations for authorization-management\" {\n cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. 
[required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n }\n}\ncmd \"pushed-authorization\" help=\"Operations for pushed-authorization\" {\n alias \"pa\"\n cmd \"create\" help=\"Process Pushed Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"The pushed authorization request body received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the pushed request from the client application.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the pushed authorization request from the client application.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS connection to pushed authorization endpoint from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. 
These certificates are strings in PEM format.\\n\" var=#true\n flag \"--dpop \" help=\"DPoP Header\\n\"\n flag \"--htm \" help=\"HTTP Method (for DPoP validation).\\n\"\n flag \"--htu \" help=\"HTTP URL base (for DPoP validation).\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/pushed_auth_req` API with\\nthis `dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP\\nproof JWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"token\" help=\"Operations for token\" {\n cmd \"process\" help=\"Process Token Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server\\nimplementation received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as\\na means of client authentication, and the request from the client application contained its client ID\\nin `Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS of the token request from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. These certificates are strings in PEM format.\\n\" var=#true\n flag \"--properties \" help=\"Extra properties to associate with an access token. 
See [Extra Properties](https://www.authlete.com/developers/definitive_guide/extra_properties/)\\nfor details.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the token endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the token request. This field is used to validate the `DPoP` header.\\n\\nIn normal cases, the value is `POST`. When this parameter is omitted, `POST` is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the token endpoint. This field is used to validate the `DPoP` header.\\n\\nIf this parameter is omitted, the `tokenEndpoint` property of the Service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 
Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/token` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Token Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the token request.\\n (options: UNKNOWN, INVALID_RESOURCE_OWNER_CREDENTIALS, INVALID_TARGET) [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Token Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the authenticated user.\\n [required]\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter is accepted only\\nwhen `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify properties.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"management\" help=\"Operations for token-management\" {\n cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. 
{@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list\" help=\"List Issued Tokens\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"Client Identifier (client ID or client ID alias).\\n\"\n flag \"--subject \" help=\"Unique user ID.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"create\" help=\"Create Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--grant-type \" help=\"The grant type of the access token when the access token was created.\\n (options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE) [required]\"\n flag \"--client-id \" help=\"The ID of the client application which will be associated with a newly created access token.\\n\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the user who will be associated with a newly created access\\ntoken. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must\\nconsist of only ASCII characters and its length must not exceed 100.\\n\"\n flag \"--scopes \" help=\"The scopes which will be associated with a newly created access token. Scopes that are not supported\\nby the service cannot be specified and requesting them will cause an error.\\n\" var=#true\n flag \"--access-token-duration \" help=\"The duration of a newly created access token in seconds. If the value is 0, the duration is determined\\naccording to the settings of the service.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of a newly created refresh token in seconds. 
If the value is 0, the duration is\\ndetermined according to the settings of the service.\\n\\nA refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the\\nspecified grant type is either `IMPLICIT`or `CLIENT_CREDENTIALS`.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter\\nis accepted only when the HTTP method of the request is POST and Content-Type of the request is\\n`application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want\\nto specify properties.\\n\"\n flag \"--client-id-alias-used\" help=\"A boolean request parameter which indicates whether to emulate that the client ID alias is used\\ninstead of the original numeric client ID when a new access token is created.\\n\"\n flag \"--access-token \" help=\"The value of the new access token.\\n\"\n flag \"--refresh-token \" help=\"The value of the new refresh token.\\n\"\n flag \"--access-token-persistent\" help=\"Get whether the access token expires or not. By default, all access tokens expire after a period\\nof time determined by their service.\\n\\nIf this request parameter is `true`, then the access token will not automatically expire and must\\nbe revoked or deleted manually at the service. If this request parameter is true, the `accessTokenDuration`\\nrequest parameter is ignored.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. 
If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--resources \" help=\"The value of the resources to associate with the token. This property represents the value of\\none or more `resource` request parameters which is defined in \\\"RFC8707 Resource Indicators for\\nOAuth 2.0\\\".\\n\" var=#true\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication that the authorization server performed\\nduring the course of issuing the access token.\\n\"\n flag \"--auth-time \" help=\"The time when the user authentication was performed during the course of issuing the access token.\\n\"\n flag \"--client-entity-id-used\" help=\"Flag which indicates whether the entity ID of the client was used when the request for the access token was made.\\n\"\n flag \"--client-identifier \" help=\"The client Identifier associated with the newly issued access token.\\n\"\n flag \"--session-id \" help=\"The session ID, which is the ID of the user's authentication session, associated with a newly\\ncreated access token.\\n\"\n flag \"--metadata-document-used\" help=\"Flag indicating whether a metadata document was used to resolve client metadata for this request.\\n\\nWhen `true`, the client metadata was retrieved via the [OAuth Client ID Metadata 
Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD) mechanism rather than from the Authlete database.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token.\\n\"\n flag \"--access-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the access token is not changed.\\n\"\n flag \"--scopes \" help=\"A new set of scopes assigned to the access token. Scopes that are not supported by the service\\nand those that the client application associated with the access token is not allowed to request\\nare ignored on the server side. If the `scopes` request parameter is not included in a request or\\nits value is `null`, the scopes of the access token are not changed. Note that `properties` parameter\\nis accepted only when `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify `properties`.\\n\" var=#true\n flag \"--properties \" help=\"A new set of properties assigned to the access token. If the `properties` request parameter is\\nnot included in a request or its value is null, the properties of the access token are not changed.\\n\"\n flag \"--access-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the access token when the scopes linked to the access token are changed by this request.\\n\"\n flag \"--access-token-hash \" help=\"The hash of the access token value. 
Used when the hash of the token is known (perhaps from lookup)\\nbut the value of the token itself is not. The value of the `accessToken` parameter takes precedence.\\n\"\n flag \"--access-token-value-updated\" help=\"A boolean request parameter which indicates whether to update the value of the access token in\\nthe data store. If this parameter is set to `true` then a new access token value is generated\\nby the server and returned in the response.\\n\"\n flag \"--access-token-persistent\" help=\"The flag which indicates whether the access token expires or not. By default, all access tokens\\nexpire after a period of time determined by their service. If this request parameter is `true`\\nthen the access token will not automatically expire and must be revoked or deleted manually at\\nthe service.\\n\\nIf this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored.\\nIf this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed\\nnormally.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--refresh-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `refreshTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the refresh token is not changed.\\n\"\n flag \"--refresh-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the refresh token when the scopes linked to the refresh token are changed by this request.\\n\"\n flag \"--token-id \" help=\"The token identifier.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an existing access token. The identifier is the value of the access token\\nor the value of the hash of the access token.\\n [required]\"\n }\n cmd \"revoke\" help=\"Revoke Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an access token to revoke\\n\\nThe hash of an access token is recognized as an identifier as well as the access token itself.\\n\"\n flag \"--refresh-token-identifier \" help=\"The identifier of a refresh token to revoke.\\n\\nThe hash of a refresh token is recognized as an identifier as well as the refresh token itself.\\n\"\n flag \"--client-identifier \" help=\"The client ID of the access token to be revoked.\\n\\nBoth the numeric client ID and the alias are recognized as an identifier\\nof a client.\\n\"\n flag \"--subject \" help=\"The subject of a resource owner.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n }\n}\ncmd \"introspection\" help=\"Operations for introspection\" {\n cmd \"process\" help=\"Process Introspection Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token to introspect. [required]\"\n flag \"--scopes \" help=\"A string array listing names of scopes which the caller (= a protected resource endpoint of the\\nservice) requires. 
When the content type of the request from the service is `application/x-www-form-urlencoded`,\\nthe format of `scopes` is a space-separated list of scope names.\\n\\nIf this parameter is a non-empty array and if it contains a scope which is not covered by the\\naccess token,`action=FORBIDDEN` with `error=insufficient_scope` is returned from Authlete.\\n\" var=#true\n flag \"--subject \" help=\"A subject (= a user account managed by the service) whom the caller (= a protected resource\\nendpoint of the service) requires.\\n\\nIf this parameter is not `null` and if the value does not match the subject who is associated\\nwith the access token, `action=FORBIDDEN` with `error=invalid_request` is returned from Authlete.\\n\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--resources \" help=\"The resources specified by the `resource` request parameters in the token request. See \\\"Resource Indicators for OAuth 2.0\\\" for details.\\n\" var=#true\n flag \"--acr-values \" help=\"Authentication Context Class Reference values one of which the user authentication performed during the course\\nof issuing the access token must satisfy.\\n\" var=#true\n flag \"--max-age \" help=\"The maximum authentication age which is the maximum allowable elapsed time since the user authentication\\nwas performed during the course of issuing the access token.\\n\"\n flag \"--required-components \" help=\"HTTP Message Components required to be in the signature. If absent, defaults to [ \\\"@method\\\", \\\"@target-uri\\\", \\\"authorization\\\" ].\\n\" var=#true\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the resource request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/introspection` API checks if the DPoP proof JWT includes the expected\\n`nonce` value. 
In this case, the response from the `/auth/introspection` API will include the\\n`dpopNonce` response parameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the resource request contains a request body.\\n\\nWhen the resource request must comply with the HTTP message signing requirements defined in the\\nFAPI 2.0 Message Signing specification, the `\\\"content-digest\\\"` component identifier must be included\\nin the signature base of the HTTP message signature (see [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html))\\nif the resource request contains a request body.\\n\\nWhen this `requestBodyContained` parameter is set to `true`, Authlete checks whether `\\\"content-digest\\\"`\\nis included in the signature base, if the FAPI profile applies to the resource request.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"standard-process\" help=\"Process OAuth 2.0 Introspection Request\" {\n alias \"sp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"Request parameters which comply with the introspection request defined\\nin \\\"[2.1. Introspection Request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1)\\\" in\\nRFC 7662.\\n\\nThe implementation of the introspection endpoint of your authorization server will receive an\\nHTTP POST [[RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231)] request with parameters\\nin the `application/x-www-form-urlencoded` format. 
It is the entity body of the request that\\nAuthlete's `/api/auth/introspection/standard` API expects as the value of `parameters`.\\n [required]\"\n flag \"--with-hidden-properties\" help=\"Flag indicating whether to include hidden properties in the output.\\n\\nAuthlete has a mechanism whereby to associate arbitrary key-value pairs with an access token.\\nEach key-value pair has a hidden attribute. By default, key-value pairs whose hidden attribute\\nis set to `true` are not embedded in the standard introspection output.\\n\\nIf the `withHiddenProperties` request parameter is given and its value is `true`, `/api/auth/introspection/standard\\nAPI includes all the associated key-value pairs into the output regardless of the value of the\\nhidden attribute.\\n\"\n flag \"--rs-uri \" help=\"The URI of the resource server making the introspection request.\\n\\nIf the `rsUri` request parameter is given and the token has audience values, Authlete checks if\\nthe value of the `rsUri` request parameter is contained in the audience values. If not contained,\\nAuthlete generates an introspection response with the `active` property set to `false`.\\n\\nThe `rsUri` request parameter is required when the resource server requests a JWT introspection\\nresponse, i.e., when the value of the `httpAcceptHeader` request parameter is set to `\\\"application/token-introspection+jwt\\\"`.\\n\"\n flag \"--http-accept-header \" help=\"The value of the `HTTP Accept` header in the introspection request.\\n\\nIf the value of the `httpAcceptHeader` request parameter is `\\\"application/token-introspection+jwt\\\"`,\\nAuthlete generates a JWT introspection response. See \\\"[4. 
Requesting a JWT Response](https://www.rfc-editor.org/rfc/rfc9701.html#section-4)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\"\\nfor more details.\\n\"\n flag \"--introspection-sign-alg \" help=\"The JWS `alg` algorithm for signing the introspection response. This parameter corresponds to\\n`introspection_signed_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `RS256`.\\n\"\n flag \"--introspection-encryption-alg \" help=\"The JWE `alg` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nIf the `introspectionEncryptionAlg` request parameter is specified, Authlete generates a JWT\\nintrospection response encrypted with the algorithm by this property and the algorithm specified by\\nthe `introspectionEncryptionEnc` request parameter.\\n\"\n flag \"--introspection-encryption-enc \" help=\"The JWE `enc` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_enc` defined in \\\"[6. 
Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `A128CBC_HS256`.\\n\"\n flag \"--shared-key-for-sign \" help=\"The shared key for signing the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForSign` request parameter is required when the introspection response is requested\\nto be signed with a symmetric algorithm.\\n\"\n flag \"--shared-key-for-encryption \" help=\"The shared key for encrypting the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with a symmetric algorithm.\\n\"\n flag \"--public-key-for-encryption \" help=\"The public key for signing the introspection response with an asymmetric algorithm.\\n\\nThe `publicKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with an asymmetric algorithm.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"revocation\" help=\"Operations for revocation\" {\n cmd \"process\" help=\"Process Revocation Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint\\n([RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)) of the authorization server implementation received from the\\nclient application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request\\nfrom the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports Basic Authentication\\nas a means of client authentication, and the request from the client application contains its client ID in\\n`Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the revocation endpoint.\\n\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop 
\" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"userinfo\" help=\"Operations for userinfo\" {\n cmd \"process\" help=\"Process UserInfo Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token.\\n [required]\"\n flag \"--client-certificate \" help=\"Client certificate used in the TLS connection established between the client application and the userinfo endpoint.\\n\\nThe value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to\\na client certificate when it was issued. See [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens]\\n(https://datatracker.ietf.org/doc/rfc8705/) for details about the specification of certificate-bound access tokens.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the user info endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the user info request. This field is used to validate the DPoP header.\\nIn normal cases, the value is either `GET` or `POST`.\\n\"\n flag \"--htu \" help=\"URL of the user info endpoint. 
This field is used to validate the DPoP header.\\n\\nIf this parameter is omitted, the `userInfoEndpoint` property of the service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the userinfo request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/userinfo` API checks if the DPoP proof JWT includes the expected `nonce`\\nvalue. In this case, the response from the `/auth/userinfo` API will include the `dpopNonce` response\\nparameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the userinfo request contains a request body.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue UserInfo Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"The access token that has been passed to the userinfo endpoint by the client application. In other words,\\nthe access token which was contained in the userinfo request.\\n [required]\"\n flag \"--claims \" help=\"Claims in JSON format. 
As for the format, see [OpenID Connect Core 1.0, 5.1. Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).\\n\"\n flag \"--sub \" help=\"The value of the `sub` claim. If the value of this request parameter is not empty, it is used as the value of\\nthe `sub` claim. Otherwise, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--request-signature \" help=\"The Signature header value from the request.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"grant-management\" help=\"Operations for grant-management\" {\n alias \"gm\"\n cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. 
See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n}\ncmd \"JWK-set-endpoint\" help=\"API endpoints for to generate JSON Web Key Set (JWKS) for a service\" {\n alias \"Jse\"\n cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n }\n}\ncmd \"dynamic-client-registration\" help=\"Operations for dynamic-client-registration\" {\n alias \"dcr\"\n cmd \"register\" help=\"Register Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. 
Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"ciba\" help=\"Operations for ciba\" {\n cmd \"process-authentication\" help=\"Process Backchannel Authentication Request\" {\n alias \"pa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a backchannel authentication request which are the request parameters that the\\nbackchannel authentication endpoint of the OpenID provider implementation received from the client\\napplication.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the backchannel authentication request from\\nthe client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client ID in Authorization header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from Authorization header of the backchannel authentication request\\nfrom the client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in Authorization header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certification used in the TLS connection between the client application and the\\nbackchannel authentication endpoint of the OpenID provider.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Backchannel Authentication Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Backchannel Authentication Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket which should be deleted on a call of Authlete's `/backchannel/authentication/fail` API.\\nThis request parameter is not mandatory but optional. If this request parameter is given and the\\nticket belongs to the service, the specified ticket is deleted from the database. 
Giving this\\nparameter is recommended to clean up the storage area for the service.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the backchannel authentication request. This request parameter is\\nnot mandatory but optional. However, giving this parameter is recommended. If omitted, `SERVER_ERROR`\\nis used as a reason.\\n (options: ACCESS_DENIED, EXPIRED_LOGIN_HINT_TOKEN, INVALID_BINDING_MESSAGE, INVALID_TARGET, INVALID_USER_CODE, MISSING_USER_CODE, SERVER_ERROR, UNAUTHORIZED_CLIENT, UNKNOWN_USER_ID) [required]\"\n flag \"--error-description \" help=\"The description of the error. This corresponds to the `error_description` property in the response\\nto the client.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. If this optional request parameter\\nis given, its value is used as the value of the `error_uri` property.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Backchannel Authentication\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued by Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. 
Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original backchannel authentication request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"device-flow\" help=\"Operations for device-flow\" {\n alias \"df\"\n cmd \"authorization\" help=\"Process Device Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a device authorization request which are the request parameters that the device\\nauthorization endpoint of the authorization server implementation received from the client application.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the device authorization request from the\\nclient application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\n`Authentication` as a means of client authentication, and the request from the client application\\ncontained its client ID in `Authorization` header, the value should be extracted and set to this\\nparameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the device authorization request from\\nthe client application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in `Authorization` header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the device\\nauthorization endpoint of the authorization server.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"verification\" help=\"Process Device Verification Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Device Authorization\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. 
Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original device authorization request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. 
This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"jose-object\" help=\"API endpoints for JOSE objects\" {\n alias \"jo\"\n cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"federation\" help=\"Operations for federation\" {\n cmd \"configuration\" help=\"Process Entity Configuration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--body-param \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"registration\" help=\"Process Federation Registration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--entity-configuration \" help=\"The entity configuration of a relying party.\\n\"\n flag \"--trust-chain \" help=\"The trust chain of a relying party.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"hardware-security-keys\" help=\"Operations for hardware-security-keys\" {\n alias \"hsk\"\n cmd \"create\" help=\"Create Security Key\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--kty \" help=\"The key type (EC or RSA)\\n\"\n flag \"--use \" help=\"The key on the HSM.\\nWhen the key use is \\\"sig\\\" (signature), the private key on the HSM is used to sign data and the corresponding public key is used to verify the signature.\\nWhen the key use is \\\"enc\\\" (encryption), the private key on the HSM is used to decrypt encrypted data which have been encrypted with the corresponding public key\\n\"\n flag \"--kid \" help=\"Key ID for the key on the HSM.\\n\"\n flag \"--hsm-name \" help=\"The name of the HSM.\\nThe identifier for the HSM that sits behind the Authlete server. For example, \\\"google\\\".\\n\"\n flag \"--alg \" help=\"The algorithm of the key on the HSM. When the key use is `\\\"sig\\\"`, the algorithm represents a signing\\nalgorithm such as `\\\"ES256\\\"`. When the key use is `\\\"enc\\\"`, the algorithm represents an encryption\\nalgorithm such as `\\\"RSA-OAEP-256\\\"`.\\n\\nIt is rare that HSMs support all the algorithms listed in [RFC 7518 JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518.html).\\nWhen the specified algorithm is not supported by the HSM, the request to the `/hsk/create` API\\nfails.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"get\" help=\"Get Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"list\" help=\"List Security Keys\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n}\ncmd \"verifiable-credentials\" help=\"Operations for verifiable-credentials\" {\n alias \"vc\"\n cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"parse\" help=\"Parse Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"lifecycle\" help=\"Operations for lifecycle\" {\n cmd \"get-api-lifecycle-healthcheck\" help=\"Health Check\" {\n alias \"galh\"\n flag \"--extended\" help=\"If `true`, perform extended health checks (e.g. database connectivity).\\n\"\n }\n}\ncmd \"native-sso\" help=\"Operations for native-sso\" {\n alias \"ns\"\n cmd \"process\" help=\"Native SSO Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be: (a) the value of the `jwtAccessToken` parameter in a response\\nfrom the `/auth/token` API when the value is available, or (b) the value of the `accessToken`\\nparameter in the response from the `/auth/token` API when the `jwtAccessToken` parameter is not\\navailable.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the `refreshToken` parameter in a response\\nfrom the `/auth/token` API.\\n\"\n flag \"--sub \" help=\"The value that should be used as the value of the `sub` claim of the ID token. This parameter\\nis optional. When omitted, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of the ID token. The format is a\\nJSON object. 
This parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of the ID token. The format is\\na JSON object. This parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values of this parameter are\\nas follows:\\n\"\n flag \"--device-secret \" help=\"The device secret. The value of this parameter should be the value of the `deviceSecret` parameter\\nin the response from the `/auth/token` API, if the parameter is present. Otherwise, the authorization\\nserver should generate a new device secret and specify it as the value of this parameter.\\n [required]\"\n flag \"--device-secret-hash \" help=\"The device secret hash. The specified device secret hash is included as the value of the `ds_hash`\\nclaim in the ID token generated by the `/nativesso` API. If the `deviceSecretHash` request parameter\\nis omitted, the value of the `deviceSecret` request parameter is used to compute the hash.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"logout\" help=\"Native SSO Logout Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--session-id \" help=\"The session ID of a user's authentication session.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"configure\" help=\"Configure authentication credentials and preferences\"\ncmd \"whoami\" help=\"Display current authentication configuration\"\ncmd \"version\" help=\"Print the CLI version\"\n", - "service": "cmd \"service\" help=\"Operations for service\" {\n cmd \"get\" help=\"Get Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n cmd \"list\" help=\"List Services\" {\n flag \"--start \" help=\"Start index (inclusive) of the result set. 
The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n }\n cmd \"update\" help=\"Update Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--service-name \" help=\"The name of this service.\"\n flag \"--issuer \" help=\"The issuer identifier of the service.\\n\\nA URL that starts with https:// and has no query or fragment component.\\n\\nThe value of this property is used as `iss` claim in an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\\nand `issuer` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--description \" help=\"The description about the service.\"\n flag \"--token-batch-notification-endpoint \" help=\"The endpoint for batch token notifications. This endpoint is called when \\nmultiple tokens are issued or revoked in a batch operation.\\n\"\n flag \"--client-assertion-aud-restricted-to-issuer\" help=\"The flag indicating whether the audience of client assertion JWTs must \\nmatch the issuer identifier of this service.\\n\"\n flag \"--clients-per-developer \" help=\"The maximum number of client applications that a developer can have.\\n\"\n flag \"--developer-authentication-callback-endpoint \" help=\"The endpoint for developer authentication callbacks. 
This is used when \\ndevelopers log into the developer portal.\\n\"\n flag \"--developer-authentication-callback-api-key \" help=\"The API key for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--developer-authentication-callback-api-secret \" help=\"The API secret for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--supported-snses \" help=\"Social login services (SNS) that this service supports for end-user \\nauthentication.\\n\" var=#true\n flag \"--sns-credentials \" help=\"The credentials for social login services (SNS) that are used for \\nend-user authentication.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always `true`.\"\n flag \"--metadata \" help=\"The `metadata` of the service. The content of the returned array depends on contexts.\\nThe predefined service metadata is listed in the following table.\\n\\n | Key | Description |\\n | --- | --- |\\n | `clientCount` | The number of client applications which belong to this service. 
|\\n\"\n flag \"--authentication-callback-endpoint \" help=\"A Web API endpoint for user authentication which is to be prepared on the service side.\\n\\nThe endpoint must be implemented if you do not implement the UI at the authorization endpoint\\nbut use the one provided by Authlete.\\n\\nThe user authentication at the authorization endpoint provided by Authlete is performed by making\\na `POST` request to this endpoint.\\n\"\n flag \"--authentication-callback-api-key \" help=\"API key for basic authentication at the authentication callback endpoint.\\n\\nIf the value is not empty, Authlete generates Authorization header for Basic authentication when\\nmaking a request to the authentication callback endpoint.\\n\"\n flag \"--authentication-callback-api-secret \" help=\"API secret for `basic` authentication at the authentication callback endpoint.\"\n flag \"--supported-grant-types \" help=\"Values of `grant_type` request parameter that the service supports.\\n\\nThe value of this property is used as `grant_types_supported property` in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-response-types \" help=\"Values of `response_type` request parameter that\\nthe service supports. Valid values are listed in Response Type.\\n\\nThe value of this property is used as `response_types_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-authorization-details-types \" help=\"The supported data types that can be used as values of the type field in `authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types_supported` metadata. 
See \\\"OAuth 2.0\\nRich Authorization Requests\\\" (RAR) for details.\\n\" var=#true\n flag \"--supported-service-profiles \" help=\"The profiles that this service supports.\\n\" var=#true\n flag \"--error-description-omitted\" help=\"The flag to indicate whether the `error_description` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include\\nthe `error_description` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the `error_description` response parameter in error responses.\\n\"\n flag \"--error-uri-omitted\" help=\"The flag to indicate whether the `error_uri` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include the `error_uri` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the\\n`error_uri` response parameter in error responses.\\n\"\n flag \"--authorization-endpoint \" help=\"The authorization endpoint of the service.\\n\\nA URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/authorization`.\\n\\nThe value of this property is used as `authorization_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-authorization-endpoint-enabled\" help=\"The flag to indicate whether the direct authorization endpoint is enabled or not.\\n\\nThe path of the endpoint is `/api/auth/authorization/direct/service-api-key`.\\n\"\n flag \"--supported-ui-locales \" help=\"UI locales that the service supports.\\n\\nEach element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646). 
For example, `en-US` and `ja-JP`.\\n\\nThe value of this property is used as `ui_locales_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-displays \" help=\"Values of `display` request parameter that service supports.\\n\\nThe value of this property is used as `display_values_supported` property in the Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--authorization-response-duration \" help=\"The duration of authorization response JWTs in seconds.\\n\\n[Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)\\ndefines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,\\n`form_post.jwt` and `jwt`. 
If one of them is specified as the response mode, response parameters\\nfrom the authorization endpoint will be packed into a JWT. This property is used to compute the\\nvalue of the `exp` claim of the JWT.\\n\"\n flag \"--authorization-code-duration \" help=\"The duration of authorization codes in seconds.\\n\"\n flag \"--token-endpoint \" help=\"The [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) of the service.\\n\\nA URL that starts with `https://` and has not fragment component. For example, `https://example.com/auth/token`.\\n\\nThe value of this property is used as `token_endpoint` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-token-endpoint-enabled\" help=\"The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint\\nis `/api/auth/token/direct/service-api-key`.\\n\"\n flag \"--supported-token-auth-methods \" help=\"Client authentication methods supported by the token endpoint of the service.\\n\\nThe value of this property is used as `token_endpoint_auth_methods_supports` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--missing-client-id-allowed\" help=\"The flag to indicate token requests from public clients without the `client_id` request parameter are allowed when the client can be guessed from `authorization_code` or `refresh_token`.\\n\\nThis flag should not be set unless you have special reasons.\\n\"\n flag \"--revocation-endpoint \" help=\"The [revocation endpoint](https://tools.ietf.org/html/rfc7009) of the service.\\n\\nA URL that starts with `https://`. For example, `https://example.com/auth/revocation`.\\n\"\n flag \"--direct-revocation-endpoint-enabled\" help=\"The flag to indicate whether the direct revocation endpoint is enabled or not. 
The URL of the endpoint is `/api/auth/revocation/direct/service-api-key`. \"\n flag \"--supported-revocation-auth-methods \" help=\"Client authentication methods supported at the revocation endpoint.\\n\" var=#true\n flag \"--introspection-endpoint \" help=\"The URI of the introspection endpoint.\"\n flag \"--direct-introspection-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is `/api/auth/userinfo/direct/{serviceApiKey}`. \"\n flag \"--supported-introspection-auth-methods \" help=\"Client authentication methods supported at the introspection endpoint.\\n\" var=#true\n flag \"--pushed-auth-req-endpoint \" help=\"The URI of the pushed authorization request endpoint.\\n\\nThis property corresponds to the `pushed_authorization_request_endpoint` metadata defined in \\\"[5. Authorization Server Metadata](https://tools.ietf.org/html/draft-lodderstedt-oauth-par#section-5)\\\" of OAuth 2.0 Pushed Authorization Requests.\\n\"\n flag \"--pushed-auth-req-duration \" help=\"The duration of pushed authorization requests in seconds.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this service requires that clients use the pushed authorization\\nrequest endpoint.\\n\\nThis property corresponds to the `require_pushed_authorization_requests` server metadata defined\\nin [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par).\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether this service requires that authorization requests always utilize\\na request object by using either request or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the value of `traditionalRequestObjectProcessingApplied` is\\n`false`, the value of `require_signed_request_object` server metadata of this service is reported\\nas `true` in the discovery document. 
The metadata is defined in JAR (JWT Secured Authorization Request).\\nThat `require_signed_request_object` is `true` means that authorization requests which don't\\nconform to the JAR specification are rejected.\\n\"\n flag \"--traditional-request-object-processing-applied\" help=\"The flag to indicate whether a request object is processed based on rules defined in\\n[OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) or JAR (JWT\\nSecured Authorization Request).\\n\"\n flag \"--mutual-tls-validate-pki-cert-chain\" help=\"The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.\\n\"\n flag \"--trusted-root-certificates \" help=\"The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.\\n\" var=#true\n flag \"--mtls-endpoint-aliases \" help=\"The MTLS endpoint aliases.\\n\"\n flag \"--access-token-type \" help=\"The access token type.\\n\\nThis value is used as the value of `token_type` property in access token responses. If this service\\ncomplies with [RFC 6750](https://tools.ietf.org/html/rfc6750), the value of this property should\\nbe `Bearer`.\\n\\nSee [RFC 6749 (OAuth 2.0), 7.1. Access Token Types](https://tools.ietf.org/html/rfc6749#section-7.1) for details.\\n\"\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.\\n\"\n flag \"--access-token-duration \" help=\"The duration of access tokens in seconds. This value is used as the value of `expires_in` property\\nin access token responses. `expires_in` is defined [RFC 6749, 5.1. 
Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1).\\n\"\n flag \"--single-access-token-per-subject\" help=\"The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.\\n\\nIf `true`, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.\\n\\nNote that, however, attempts by [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by [Refresh Token Flow](https://tools.ietf.org/html/rfc6749#section-6) invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is `true` or `false`.\\n\"\n flag \"--access-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--access-token-signature-key-id \" help=\"The key ID to identify a JWK used for signing access tokens.\\n\\nA JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs.\\nAuthlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based\\naccess token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions\\nfor access token signature. If the number of JWK candidates which satisfy the conditions is 1,\\nthere is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed\\nto be specified so that Authlete Server can pick up one JWK from among the JWK candidates.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of refresh tokens in seconds. 
The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.\"\n flag \"--refresh-token-duration-kept\" help=\"The flag to indicate whether the remaining duration of the used refresh token is taken over to\\nthe newly issued refresh token.\\n\"\n flag \"--refresh-token-duration-reset\" help=\"The flag which indicates whether duration of refresh tokens are reset when they are used even\\nif the `refreshTokenKept` property of this service set to is `true` (= even if \\\"Refresh Token\\nContinuous Use\\\" is \\\"Kept\\\").\\n\\nThis flag has no effect when the `refreshTokenKept` property is set to `false`. In other words,\\nif this service issues a new refresh token on every refresh token request, the refresh token\\nwill have fresh duration (unless `refreshTokenDurationKept` is set to `true`) and this\\n`refreshTokenDurationReset` property is not referenced.\\n\"\n flag \"--refresh-token-kept\" help=\"The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.\\n\\nIf `true`, a refresh token used to get a new access token remains valid after its use. Otherwise, if `false`, a refresh token is invalidated after its use and a new refresh token is issued.\\n\\nSee [RFC 6749 6. Refreshing an Access Token](https://tools.ietf.org/html/rfc6749#section-6), as to how to get a new access token using a refresh token.\\n\"\n flag \"--supported-scopes \" help=\"Scopes supported by the service.\\n\"\n flag \"--scope-required\" help=\"The flag to indicate whether requests that request no scope are rejected or not.\\n\"\n flag \"--id-token-duration \" help=\"'The duration of [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)s\\nin seconds. 
This value is used to calculate the value of `exp` claim in an ID token.'\\n\"\n flag \"--allowable-clock-skew \" help=\"The allowable clock skew between the server and clients in seconds.\\n\\nThe clock skew is taken into consideration when time-related claims in a JWT (e.g. `exp`, `iat`, `nbf`) are verified.\\n\"\n flag \"--supported-claim-types \" help=\"Claim types supported by the service. Valid values are listed in Claim Type. Note that Authlete\\ncurrently doesn't provide any API to help implementations for `AGGREGATED` and `DISTRIBUTED`.\\n\\nThe value of this property is used as `claim_types_supported` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claim-locales \" help=\"Claim locales that the service supports. Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646).\\nFor example, `en-US` and `ja-JP`. See [OpenID Connect Core 1.0, 5.2. Languages and Scripts](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts)\\nfor details.\\n\\nThe value of this property is used as `claims_locales_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claims \" help=\"Claim names that the service supports. The standard claim names listed in [OpenID Connect Core 1.0,\\n5.1. Standard Claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) should\\nbe supported. The following is the list of standard claims.\\n\" var=#true\n flag \"--claim-shortcut-restrictive\" help=\"The flag indicating whether claims specified by shortcut scopes (e.g. `profile`) are included\\nin the issued ID token only when no access token is issued.\\n\"\n flag \"--jwks-uri \" help=\"The URL of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document. 
For\\nexample, `http://example.com/auth/jwks`.\\n\\nClient applications accesses this URL (1) to get the public key of the service to validate the\\nsignature of an ID token issued by the service and (2) to get the public key of the service to\\nencrypt an request object of the client application. See [OpenID Connect Core 1.0, 10. Signatures\\nand Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\\nThe value of this property is used as `jwks_uri` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-jwks-endpoint-enabled\" help=\"'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint\\nis `/api/service/jwks/get/direct/service-api-key`. '\\n\"\n flag \"--jwks \" help=\"The content of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document.\\n\\nIf this property is not `null` in a `/service/create` request or a `/service/update` request,\\nAuthlete hosts the content in the database. This property must not be `null` and must contain\\npairs of public/private keys if the service wants to support asymmetric signatures for ID tokens\\nand asymmetric encryption for request objects. See [OpenID Connect Core 1.0, 10. Signatures and\\nEncryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\"\n flag \"--id-token-signature-key-id \" help=\"The key ID to identify a JWK used for ID token signature using an asymmetric key.\\n\"\n flag \"--user-info-signature-key-id \" help=\"The key ID to identify a JWK used for user info signature using an asymmetric key.\\n\"\n flag \"--authorization-signature-key-id \" help=\"The key ID to identify a JWK used for signing authorization responses using an asymmetric key.\\n\"\n flag \"--user-info-endpoint \" help=\"The [user info endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo) of the\\nservice. 
A URL that starts with `https://`. For example, `https://example.com/auth/userinfo`.\\n\\nThe value of this property is used as `userinfo_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-user-info-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path\\nof the endpoint is `/api/auth/userinfo/direct/service-api-key`.\\n\"\n flag \"--dynamic-registration-supported\" help=\"The boolean flag which indicates whether the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)\\nis supported.\\n\"\n flag \"--registration-endpoint \" help=\"The [registration endpoint](http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)\\nof the service. A URL that starts with `https://`. For example, `https://example.com/auth/registration`.\\n\\nThe value of this property is used as `registration_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--registration-management-endpoint \" help=\"The URI of the registration management endpoint. If dynamic client registration is supported,\\nand this is set, this URI will be used as the basis of the client's management endpoint by appending\\n`/clientid}/` to it as a path element. 
If this is unset, the value of `registrationEndpoint` will\\nbe used as the URI base instead.\\n\"\n flag \"--policy-uri \" help=\"The URL of the \\\"Policy\\\" of the service.\\n\\nThe value of this property is used as `op_policy_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL of the \\\"Terms Of Service\\\" of the service.\\n\\nThe value of this property is used as `op_tos_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--service-documentation \" help=\"The URL of a page where documents for developers can be found.\\n\\nThe value of this property is used as `service_documentation` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--backchannel-authentication-endpoint \" help=\"The URI of backchannel authentication endpoint, which is defined in the specification of [CIBA\\n(Client Initiated Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\"\n flag \"--supported-backchannel-token-delivery-modes \" help=\"The supported backchannel token delivery modes. This property corresponds to the `backchannel_token_delivery_modes_supported`\\nmetadata.\\n\\nBackchannel token delivery modes are defined in the specification of [CIBA (Client Initiated\\nBackchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\" var=#true\n flag \"--backchannel-auth-req-id-duration \" help=\"The duration of backchannel authentication request IDs issued from the backchannel authentication\\nendpoint in seconds. 
This is used as the value of the `expires_in` property in responses from\\nthe backchannel authentication endpoint.\\n\"\n flag \"--backchannel-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds. This is used as the value of the `interval` property in responses from the backchannel\\nauthentication endpoint.\\n\"\n flag \"--backchannel-user-code-parameter-supported\" help=\"The boolean flag which indicates whether the `user_code` request parameter is supported at the\\nbackchannel authentication endpoint. This property corresponds to the `backchannel_user_code_parameter_supported`\\nmetadata.\\n\"\n flag \"--backchannel-binding-message-required-in-fapi\" help=\"The flag to indicate whether the `binding_message` request parameter is always required whenever\\na backchannel authentication request is judged as a request for Financial-grade API.\\n\"\n flag \"--device-authorization-endpoint \" help=\"The URI of the device authorization endpoint.\\n\\nDevice authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.\\n\"\n flag \"--device-verification-uri \" help=\"The verification URI for the device flow. This URI is used as the value of the `verification_uri`\\nparameter in responses from the device authorization endpoint.\\n\"\n flag \"--device-verification-uri-complete \" help=\"The verification URI for the device flow with a placeholder for a user code. This URI is used\\nto build the value of the `verification_uri_complete` parameter in responses from the device\\nauthorization endpoint.\\n\"\n flag \"--device-flow-code-duration \" help=\"The duration of device verification codes and end-user verification codes issued from the device\\nauthorization endpoint in seconds. 
This is used as the value of the `expires_in` property in responses\\nfrom the device authorization endpoint.\\n\"\n flag \"--device-flow-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds in device flow. This is used as the value of the `interval` property in responses from\\nthe device authorization endpoint.\\n\"\n flag \"--user-code-charset \" help=\"The character set for end-user verification codes (`user_code`) for Device Flow.\\n (options: BASE20, NUMERIC)\"\n flag \"--user-code-length \" help=\"The length of end-user verification codes (`user_code`) for Device Flow.\\n\"\n flag \"--supported-trust-frameworks \" help=\"Trust frameworks supported by this service. This corresponds to the `trust_frameworks_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-evidence \" help=\"Evidence supported by this service. This corresponds to the `evidence_supported` [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-identity-documents \" help=\"Identity documents supported by this service. This corresponds to the `id_documents_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verification-methods \" help=\"Verification methods supported by this service. This corresponds to the `id_documents_verification_methods_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verified-claims \" help=\"Verified claims supported by this service. 
This corresponds to the `claims_in_verified_claims_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--verified-claims-validation-schema-set \" help=\"The verified claims validation schema set.\\n (options: standard, standard+id_document)\"\n flag \"--attributes \" help=\"The attributes of this service.\\n\"\n flag \"--nbf-optional\" help=\"The flag indicating whether the nbf claim in the request object is optional even when the authorization\\nrequest is regarded as a FAPI-Part2 request.\\n\"\n flag \"--iss-suppressed\" help=\"The flag indicating whether generation of the iss response parameter is suppressed.\\n\"\n flag \"--supported-custom-client-metadata \" help=\"custom client metadata supported by this service.\\n\" var=#true\n flag \"--token-expiration-linked\" help=\"The flag indicating whether the expiration date of an access token never exceeds that of the\\ncorresponding refresh token.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE `enc` of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--hsm-enabled\" help=\"The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.\\n\\nWhen this flag is `false`, keys managed in HSMs are not used even if they exist. 
In addition,\\n`/api/hsk/*` APIs reject all requests.\\n\\nEven if this flag is `true`, HSM-related features do not work if the configuration of the Authlete\\nserver you are using does not support HSM.\\n\"\n flag \"--hsks \" help=\"The information about keys managed on HSMs (Hardware Security Modules).\\n\\nThis `hsks` property is output only, meaning that `hsks` in requests to `/api/service/create`\\nAPI and `/api/service/update` API do not have any effect. The contents of this property is controlled\\nonly by `/api/hsk/*` APIs.\\n\"\n flag \"--grant-management-endpoint \" help=\"The URL of the grant management endpoint.\\n\"\n flag \"--grant-management-action-required\" help=\"The flag indicating whether every authorization request (and any request serving as an authorization\\nrequest such as CIBA backchannel authentication request and device authorization request) must\\ninclude the `grant_management_action` request parameter.\\n\"\n flag \"--unauthorized-on-client-config-supported\" help=\"The flag indicating whether Authlete's `/api/client/registration` API uses `UNAUTHORIZED` as\\na value of the `action` response parameter when appropriate.\\n\"\n flag \"--dcr-scope-used-as-requestable\" help=\"The flag indicating whether the `scope` request parameter in dynamic client registration and\\nupdate requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.\\n\\nLimiting the range of scopes that a client can request is achieved by listing scopes in the\\n`client.extension.requestableScopes` property and setting the `client.extension.requestableScopesEnabled`\\nproperty to `true`. This feature is called \\\"requestable scopes\\\".\\n\\nThis property affects behaviors of `/api/client/registration` and other family APIs.\\n\"\n flag \"--end-session-endpoint \" help=\"The endpoint for clients ending the sessions.\\n\\nA URL that starts with `https://` and has no fragment component. 
For example, `https://example.com/auth/endSession`.\\n\\nThe value of this property is used as `end_session_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--loopback-redirection-uri-variable\" help=\"The flag indicating whether the port number component of redirection URIs can be variable when\\nthe host component indicates loopback.\\n\"\n flag \"--request-object-audience-checked\" help=\"The flag indicating whether Authlete checks whether the `aud` claim of request objects matches\\nthe issuer identifier of this service.\\n\"\n flag \"--access-token-for-external-attachment-embedded\" help=\"The flag indicating whether Authlete generates access tokens for\\nexternal attachments and embeds them in ID tokens and userinfo\\nresponses.\\n\"\n flag \"--authority-hints \" help=\"Identifiers of entities that can issue entity statements for this\\nservice. This property corresponds to the `authority_hints`\\nproperty that appears in a self-signed entity statement that is\\ndefined in OpenID Connect Federation 1.0.\\n\" var=#true\n flag \"--federation-enabled\" help=\"flag indicating whether this service supports OpenID Connect Federation 1\\n\"\n flag \"--federation-jwks \" help=\"JWK Set document containing keys that are used to sign (1) self-signed\\nentity statement of this service and (2) the response from\\n`signed_jwks_uri`.\\n\"\n flag \"--federation-signature-key-id \" help=\"A key ID to identify a JWK used to sign the entity configuration and\\nthe signed JWK Set.\\n\"\n flag \"--federation-configuration-duration \" help=\"The duration of the entity configuration in seconds.\\n\"\n flag \"--federation-registration-endpoint \" help=\"The URI of the federation registration endpoint. 
This property corresponds\\nto the `federation_registration_endpoint` server metadata that is\\ndefined in OpenID Connect Federation 1.0.\\n\"\n flag \"--organization-name \" help=\"The human-readable name representing the organization that operates\\nthis service. This property corresponds to the `organization_name`\\nserver metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--predefined-transformed-claims \" help=\"The transformed claims predefined by this service in JSON format.\\nThis property corresponds to the `transformed_claims_predefined`\\nserver metadata.\\n\"\n flag \"--refresh-token-idempotent\" help=\"flag indicating whether refresh token requests with the same\\nrefresh token can be made multiple times in quick succession and\\nthey can obtain the same renewed refresh token within the short\\nperiod.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this service's JWK Set document in\\nthe JWT format. This property corresponds to the `signed_jwks_uri`\\nserver metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--supported-attachments \" help=\"Supported attachment types. This property corresponds to the {@code\\nattachments_supported} server metadata which was added by the third\\nimplementer's draft of OpenID Connect for Identity Assurance 1.0.\\n\" var=#true\n flag \"--supported-digest-algorithms \" help=\"Supported algorithms used to compute digest values of external\\nattachments. This property corresponds to the\\n`digest_algorithms_supported` server metadata which was added\\nby the third implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--supported-documents \" help=\"Document types supported by this service. 
This property corresponds\\nto the `documents_supported` server metadata.\\n\" var=#true\n flag \"--supported-documents-methods \" help=\"validation and verification processes supported by this service.\\nThis property corresponds to the `documents_methods_supported`\\nserver metadata.\\n\\nThe third implementer's draft of [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\nrenamed the\\n`id_documents_verification_methods_supported` server metadata to\\n`documents_methods_supported`.\\n\" var=#true\n flag \"--supported-documents-validation-methods \" help=\"Document validation methods supported by this service. This property\\ncorresponds to the `documents_validation_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n\" var=#true\n flag \"--supported-documents-verification-methods \" help=\"Document verification methods supported by this service. This property\\ncorresponds to the `documents_verification_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-electronic-records \" help=\"Electronic record types supported by this service. 
This property\\ncorresponds to the `electronic_records_supported` server metadata\\nwhich was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-client-registration-types \" help=\"list of values\" var=#true\n flag \"--token-exchange-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nmaking token exchange requests.\\n\"\n flag \"--token-exchange-by-confidential-clients-only\" help=\"The flag indicating whether to prohibit public clients from making\\ntoken exchange requests.\\n\"\n flag \"--token-exchange-by-permitted-clients-only\" help=\"The flag indicating whether to prohibit clients that have no explicit\\npermission from making token exchange requests.\\n\"\n flag \"--token-exchange-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse encrypted JWTs as input tokens.\\n\"\n flag \"--token-exchange-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse unsigned JWTs as input tokens.\\n\"\n flag \"--jwt-grant-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nusing the grant type \\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nencrypted JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nunsigned JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--dcr-duplicate-software-id-blocked\" help=\"The flag indicating whether to block DCR (Dynamic 
Client Registration)\\nrequests whose \\\"software_id\\\" has already been used previously.\\n\"\n flag \"--trust-anchors \" help=\"The trust anchors that are referenced when this service resolves\\ntrust chains of relying parties.\\n\\nIf this property is empty, client registration fails regardless of\\nwhether its type is `automatic` or `explicit`. It means\\nthat OpenID Connect Federation 1.0 does not work.\\n\"\n flag \"--openid-dropped-on-refresh-without-offline-access\" help=\"The flag indicating whether the openid scope should be dropped from\\nscopes list assigned to access token issued when a refresh token grant\\nis used.\\n\"\n flag \"--supported-documents-check-methods \" help=\"Supported document check methods. This property corresponds to the `documents_check_methods_supported`\\nserver metadata which was added by the fourth implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--rs-response-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--cnonce-duration \" help=\"The duration of `c_nonce`.\\n\"\n flag \"--dpop-nonce-required\" help=\"Whether to require DPoP proof JWTs to include the `nonce` claim\\nwhenever they are presented.\\n\"\n flag \"--verifiable-credentials-enabled\" help=\"Get the flag indicating whether the feature of Verifiable Credentials\\nfor this service is enabled or not.\\n\"\n flag \"--credential-jwks-uri \" help=\"The URL at which the JWK Set document of the credential issuer is\\nexposed.\\n\"\n flag \"--credential-offer-duration \" help=\"The default duration of credential offers in seconds.\\n\"\n flag \"--dpop-nonce-duration \" help=\"The duration of nonce values for DPoP proof JWTs in seconds.\\n\"\n flag \"--pre-authorized-grant-anonymous-access-supported\" help=\"The flag indicating whether token requests using the pre-authorized\\ncode grant flow by unidentifiable clients are allowed.\\n\"\n flag 
\"--credential-transaction-duration \" help=\"The duration of transaction ID in seconds that may be issued as a\\nresult of a credential request or a batch credential request.\\n\"\n flag \"--introspection-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--resource-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--user-pin-length \" help=\"The default length of user PINs.\\n\"\n flag \"--supported-prompt-values \" help=\"The supported `prompt` values.\\n\" var=#true\n flag \"--id-token-reissuable\" help=\"The flag indicating whether to enable the feature of ID token\\nreissuance in the refresh token flow.\\n\"\n flag \"--credential-jwks \" help=\"The JWK Set document containing private keys that are used to sign\\nverifiable credentials.\\n\"\n flag \"--fapi-modes \" help=\"FAPI modes for this service.\\n\\nWhen the value of this property is not `null`, Authlete always processes requests to this service based\\non the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported\\nby this service.\\n\\nFor instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete always\\nprocesses requests to this service based on \\\"Financial-grade API Security Profile 1.0 - Part 2:\\nAdvanced\\\" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.\\n\" var=#true\n flag \"--credential-duration \" help=\"The default duration of verifiable credentials in seconds.\\n\"\n flag \"--credential-issuer-metadata \" help=\"JSON object\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim in ID tokens.\\n\"\n flag \"--native-sso-supported\" help=\"Flag that enables the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (“Native SSO”). 
When this property is **not** `true`, Native SSO specific parameters are ignored or treated as errors.\\nFor example:\\n\\n* The `device_sso` scope has no special meaning (Authlete does not embed the `sid` claim in ID tokens).\\n* The `urn:openid:params:token-type:device-secret` token type is treated as unknown and results in an error.\\n\\nWhen set to `true`, the server metadata advertises `\\\"native_sso_supported\\\": true`. See [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)\\nand [RFC 8414 §2](https://www.rfc-editor.org/rfc/rfc8414.html#section-2) for background. Native SSO is available in Authlete 3.0 and later.\\n\"\n flag \"--oid4vci-version \" help=\"Version of the [OpenID for Verifiable Credential Issuance](https://www.authlete.com/developers/oid4vci/) (OID4VCI) specification to support.\\n\\nAccepted values are:\\n\\n* `null` or `\\\"1.0-ID1\\\"` → Implementer’s Draft 1.\\n* `\\\"1.0\\\"` or `\\\"1.0-Final\\\"` → Final 1.0 specification.\\n\\nChoose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.\\n\"\n flag \"--cimd-metadata-policy-enabled\" help=\"Flag that controls whether the CIMD metadata policy is applied to client\\nmetadata obtained through the Client ID Metadata Document (CIMD)\\nmechanism.\\n\"\n flag \"--client-id-metadata-document-supported\" help=\"Indicates whether the Client ID Metadata Document (CIMD) mechanism is\\nsupported. When `true`, the service will attempt to retrieve client\\nmetadata via CIMD where applicable.\\n\"\n flag \"--cimd-allowlist-enabled\" help=\"Enables the allowlist for CIMD. 
When `true`, only CIMD endpoints that are\\non the allowlist are used.\\n\"\n flag \"--cimd-allowlist \" help=\"The allowlist of CIMD endpoints (hosts/URIs) that may be used when\\nretrieving client metadata via Client ID Metadata Documents.\\n\" var=#true\n flag \"--cimd-always-retrieved\" help=\"If `true`, CIMD retrieval is always attempted for clients, regardless of\\nother conditions.\\n\"\n flag \"--cimd-http-permitted\" help=\"Allows CIMD retrieval over plain HTTP. When `false`, only HTTPS CIMD\\nendpoints are allowed.\\n\"\n flag \"--cimd-query-permitted\" help=\"Allows the use of query parameters when retrieving CIMD metadata. When\\n`false`, query parameters are disallowed for CIMD requests.\\n\"\n flag \"--cimd-metadata-policy \" help=\"The metadata policy applied to client metadata obtained through the CIMD\\nmechanism. The value must follow the metadata policy grammar defined in\\n[OpenID Federation 1.0 §6.1 Metadata Policy](https://openid.net/specs/openid-federation-1_0.html#name-metadata-policy).\\n\"\n flag \"--http-alias-prohibited\" help=\"When `true`, client ID aliases starting with `https://` or `http://` are\\nprohibited.\\n\"\n flag \"--attestation-challenge-time-window \" help=\"The time window of attestation challenges in seconds. This is used for\\nOAuth 2.0 Attestation-Based Client Authentication.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Service ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n cmd \"get-configuration\" help=\"Get Service Configuration\" {\n alias \"gc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. 
The default value is `false`.\"\n flag \"--patch \" help=\"Get the JSON Patch [RFC 6902 JavaScript Object Notation (JSON) Patch](https://www.rfc-editor.org/rfc/rfc6902) to be applied.\"\n }\n}\n", - "service get": "cmd \"get\" help=\"Get Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n}\n", - "service list": "cmd \"list\" help=\"List Services\" {\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n}\n", - "service update": "cmd \"update\" help=\"Update Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--service-name \" help=\"The name of this service.\"\n flag \"--issuer \" help=\"The issuer identifier of the service.\\n\\nA URL that starts with https:// and has no query or fragment component.\\n\\nThe value of this property is used as `iss` claim in an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\\nand `issuer` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--description \" help=\"The description about the service.\"\n flag \"--token-batch-notification-endpoint \" help=\"The endpoint for batch token notifications. This endpoint is called when \\nmultiple tokens are issued or revoked in a batch operation.\\n\"\n flag \"--client-assertion-aud-restricted-to-issuer\" help=\"The flag indicating whether the audience of client assertion JWTs must \\nmatch the issuer identifier of this service.\\n\"\n flag \"--clients-per-developer \" help=\"The maximum number of client applications that a developer can have.\\n\"\n flag \"--developer-authentication-callback-endpoint \" help=\"The endpoint for developer authentication callbacks. 
This is used when \\ndevelopers log into the developer portal.\\n\"\n flag \"--developer-authentication-callback-api-key \" help=\"The API key for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--developer-authentication-callback-api-secret \" help=\"The API secret for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--supported-snses \" help=\"Social login services (SNS) that this service supports for end-user \\nauthentication.\\n\" var=#true\n flag \"--sns-credentials \" help=\"The credentials for social login services (SNS) that are used for \\nend-user authentication.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always `true`.\"\n flag \"--metadata \" help=\"The `metadata` of the service. The content of the returned array depends on contexts.\\nThe predefined service metadata is listed in the following table.\\n\\n | Key | Description |\\n | --- | --- |\\n | `clientCount` | The number of client applications which belong to this service. 
|\\n\"\n flag \"--authentication-callback-endpoint \" help=\"A Web API endpoint for user authentication which is to be prepared on the service side.\\n\\nThe endpoint must be implemented if you do not implement the UI at the authorization endpoint\\nbut use the one provided by Authlete.\\n\\nThe user authentication at the authorization endpoint provided by Authlete is performed by making\\na `POST` request to this endpoint.\\n\"\n flag \"--authentication-callback-api-key \" help=\"API key for basic authentication at the authentication callback endpoint.\\n\\nIf the value is not empty, Authlete generates Authorization header for Basic authentication when\\nmaking a request to the authentication callback endpoint.\\n\"\n flag \"--authentication-callback-api-secret \" help=\"API secret for `basic` authentication at the authentication callback endpoint.\"\n flag \"--supported-grant-types \" help=\"Values of `grant_type` request parameter that the service supports.\\n\\nThe value of this property is used as `grant_types_supported property` in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-response-types \" help=\"Values of `response_type` request parameter that\\nthe service supports. Valid values are listed in Response Type.\\n\\nThe value of this property is used as `response_types_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-authorization-details-types \" help=\"The supported data types that can be used as values of the type field in `authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types_supported` metadata. 
See \\\"OAuth 2.0\\nRich Authorization Requests\\\" (RAR) for details.\\n\" var=#true\n flag \"--supported-service-profiles \" help=\"The profiles that this service supports.\\n\" var=#true\n flag \"--error-description-omitted\" help=\"The flag to indicate whether the `error_description` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include\\nthe `error_description` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the `error_description` response parameter in error responses.\\n\"\n flag \"--error-uri-omitted\" help=\"The flag to indicate whether the `error_uri` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include the `error_uri` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the\\n`error_uri` response parameter in error responses.\\n\"\n flag \"--authorization-endpoint \" help=\"The authorization endpoint of the service.\\n\\nA URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/authorization`.\\n\\nThe value of this property is used as `authorization_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-authorization-endpoint-enabled\" help=\"The flag to indicate whether the direct authorization endpoint is enabled or not.\\n\\nThe path of the endpoint is `/api/auth/authorization/direct/service-api-key`.\\n\"\n flag \"--supported-ui-locales \" help=\"UI locales that the service supports.\\n\\nEach element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646). 
For example, `en-US` and `ja-JP`.\\n\\nThe value of this property is used as `ui_locales_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-displays \" help=\"Values of `display` request parameter that service supports.\\n\\nThe value of this property is used as `display_values_supported` property in the Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--authorization-response-duration \" help=\"The duration of authorization response JWTs in seconds.\\n\\n[Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)\\ndefines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,\\n`form_post.jwt` and `jwt`. 
If one of them is specified as the response mode, response parameters\\nfrom the authorization endpoint will be packed into a JWT. This property is used to compute the\\nvalue of the `exp` claim of the JWT.\\n\"\n flag \"--authorization-code-duration \" help=\"The duration of authorization codes in seconds.\\n\"\n flag \"--token-endpoint \" help=\"The [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) of the service.\\n\\nA URL that starts with `https://` and has not fragment component. For example, `https://example.com/auth/token`.\\n\\nThe value of this property is used as `token_endpoint` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-token-endpoint-enabled\" help=\"The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint\\nis `/api/auth/token/direct/service-api-key`.\\n\"\n flag \"--supported-token-auth-methods \" help=\"Client authentication methods supported by the token endpoint of the service.\\n\\nThe value of this property is used as `token_endpoint_auth_methods_supports` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--missing-client-id-allowed\" help=\"The flag to indicate token requests from public clients without the `client_id` request parameter are allowed when the client can be guessed from `authorization_code` or `refresh_token`.\\n\\nThis flag should not be set unless you have special reasons.\\n\"\n flag \"--revocation-endpoint \" help=\"The [revocation endpoint](https://tools.ietf.org/html/rfc7009) of the service.\\n\\nA URL that starts with `https://`. For example, `https://example.com/auth/revocation`.\\n\"\n flag \"--direct-revocation-endpoint-enabled\" help=\"The flag to indicate whether the direct revocation endpoint is enabled or not. 
The URL of the endpoint is `/api/auth/revocation/direct/service-api-key`. \"\n flag \"--supported-revocation-auth-methods \" help=\"Client authentication methods supported at the revocation endpoint.\\n\" var=#true\n flag \"--introspection-endpoint \" help=\"The URI of the introspection endpoint.\"\n flag \"--direct-introspection-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is `/api/auth/userinfo/direct/{serviceApiKey}`. \"\n flag \"--supported-introspection-auth-methods \" help=\"Client authentication methods supported at the introspection endpoint.\\n\" var=#true\n flag \"--pushed-auth-req-endpoint \" help=\"The URI of the pushed authorization request endpoint.\\n\\nThis property corresponds to the `pushed_authorization_request_endpoint` metadata defined in \\\"[5. Authorization Server Metadata](https://tools.ietf.org/html/draft-lodderstedt-oauth-par#section-5)\\\" of OAuth 2.0 Pushed Authorization Requests.\\n\"\n flag \"--pushed-auth-req-duration \" help=\"The duration of pushed authorization requests in seconds.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this service requires that clients use the pushed authorization\\nrequest endpoint.\\n\\nThis property corresponds to the `require_pushed_authorization_requests` server metadata defined\\nin [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par).\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether this service requires that authorization requests always utilize\\na request object by using either request or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the value of `traditionalRequestObjectProcessingApplied` is\\n`false`, the value of `require_signed_request_object` server metadata of this service is reported\\nas `true` in the discovery document. 
The metadata is defined in JAR (JWT Secured Authorization Request).\\nThat `require_signed_request_object` is `true` means that authorization requests which don't\\nconform to the JAR specification are rejected.\\n\"\n flag \"--traditional-request-object-processing-applied\" help=\"The flag to indicate whether a request object is processed based on rules defined in\\n[OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) or JAR (JWT\\nSecured Authorization Request).\\n\"\n flag \"--mutual-tls-validate-pki-cert-chain\" help=\"The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.\\n\"\n flag \"--trusted-root-certificates \" help=\"The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.\\n\" var=#true\n flag \"--mtls-endpoint-aliases \" help=\"The MTLS endpoint aliases.\\n\"\n flag \"--access-token-type \" help=\"The access token type.\\n\\nThis value is used as the value of `token_type` property in access token responses. If this service\\ncomplies with [RFC 6750](https://tools.ietf.org/html/rfc6750), the value of this property should\\nbe `Bearer`.\\n\\nSee [RFC 6749 (OAuth 2.0), 7.1. Access Token Types](https://tools.ietf.org/html/rfc6749#section-7.1) for details.\\n\"\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.\\n\"\n flag \"--access-token-duration \" help=\"The duration of access tokens in seconds. This value is used as the value of `expires_in` property\\nin access token responses. `expires_in` is defined [RFC 6749, 5.1. 
Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1).\\n\"\n flag \"--single-access-token-per-subject\" help=\"The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.\\n\\nIf `true`, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.\\n\\nNote that, however, attempts by [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by [Refresh Token Flow](https://tools.ietf.org/html/rfc6749#section-6) invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is `true` or `false`.\\n\"\n flag \"--access-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--access-token-signature-key-id \" help=\"The key ID to identify a JWK used for signing access tokens.\\n\\nA JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs.\\nAuthlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based\\naccess token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions\\nfor access token signature. If the number of JWK candidates which satisfy the conditions is 1,\\nthere is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed\\nto be specified so that Authlete Server can pick up one JWK from among the JWK candidates.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of refresh tokens in seconds. 
The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.\"\n flag \"--refresh-token-duration-kept\" help=\"The flag to indicate whether the remaining duration of the used refresh token is taken over to\\nthe newly issued refresh token.\\n\"\n flag \"--refresh-token-duration-reset\" help=\"The flag which indicates whether duration of refresh tokens are reset when they are used even\\nif the `refreshTokenKept` property of this service set to is `true` (= even if \\\"Refresh Token\\nContinuous Use\\\" is \\\"Kept\\\").\\n\\nThis flag has no effect when the `refreshTokenKept` property is set to `false`. In other words,\\nif this service issues a new refresh token on every refresh token request, the refresh token\\nwill have fresh duration (unless `refreshTokenDurationKept` is set to `true`) and this\\n`refreshTokenDurationReset` property is not referenced.\\n\"\n flag \"--refresh-token-kept\" help=\"The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.\\n\\nIf `true`, a refresh token used to get a new access token remains valid after its use. Otherwise, if `false`, a refresh token is invalidated after its use and a new refresh token is issued.\\n\\nSee [RFC 6749 6. Refreshing an Access Token](https://tools.ietf.org/html/rfc6749#section-6), as to how to get a new access token using a refresh token.\\n\"\n flag \"--supported-scopes \" help=\"Scopes supported by the service.\\n\"\n flag \"--scope-required\" help=\"The flag to indicate whether requests that request no scope are rejected or not.\\n\"\n flag \"--id-token-duration \" help=\"'The duration of [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)s\\nin seconds. 
This value is used to calculate the value of `exp` claim in an ID token.'\\n\"\n flag \"--allowable-clock-skew \" help=\"The allowable clock skew between the server and clients in seconds.\\n\\nThe clock skew is taken into consideration when time-related claims in a JWT (e.g. `exp`, `iat`, `nbf`) are verified.\\n\"\n flag \"--supported-claim-types \" help=\"Claim types supported by the service. Valid values are listed in Claim Type. Note that Authlete\\ncurrently doesn't provide any API to help implementations for `AGGREGATED` and `DISTRIBUTED`.\\n\\nThe value of this property is used as `claim_types_supported` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claim-locales \" help=\"Claim locales that the service supports. Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646).\\nFor example, `en-US` and `ja-JP`. See [OpenID Connect Core 1.0, 5.2. Languages and Scripts](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts)\\nfor details.\\n\\nThe value of this property is used as `claims_locales_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claims \" help=\"Claim names that the service supports. The standard claim names listed in [OpenID Connect Core 1.0,\\n5.1. Standard Claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) should\\nbe supported. The following is the list of standard claims.\\n\" var=#true\n flag \"--claim-shortcut-restrictive\" help=\"The flag indicating whether claims specified by shortcut scopes (e.g. `profile`) are included\\nin the issued ID token only when no access token is issued.\\n\"\n flag \"--jwks-uri \" help=\"The URL of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document. 
For\\nexample, `http://example.com/auth/jwks`.\\n\\nClient applications accesses this URL (1) to get the public key of the service to validate the\\nsignature of an ID token issued by the service and (2) to get the public key of the service to\\nencrypt an request object of the client application. See [OpenID Connect Core 1.0, 10. Signatures\\nand Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\\nThe value of this property is used as `jwks_uri` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-jwks-endpoint-enabled\" help=\"'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint\\nis `/api/service/jwks/get/direct/service-api-key`. '\\n\"\n flag \"--jwks \" help=\"The content of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document.\\n\\nIf this property is not `null` in a `/service/create` request or a `/service/update` request,\\nAuthlete hosts the content in the database. This property must not be `null` and must contain\\npairs of public/private keys if the service wants to support asymmetric signatures for ID tokens\\nand asymmetric encryption for request objects. See [OpenID Connect Core 1.0, 10. Signatures and\\nEncryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\"\n flag \"--id-token-signature-key-id \" help=\"The key ID to identify a JWK used for ID token signature using an asymmetric key.\\n\"\n flag \"--user-info-signature-key-id \" help=\"The key ID to identify a JWK used for user info signature using an asymmetric key.\\n\"\n flag \"--authorization-signature-key-id \" help=\"The key ID to identify a JWK used for signing authorization responses using an asymmetric key.\\n\"\n flag \"--user-info-endpoint \" help=\"The [user info endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo) of the\\nservice. 
A URL that starts with `https://`. For example, `https://example.com/auth/userinfo`.\\n\\nThe value of this property is used as `userinfo_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-user-info-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path\\nof the endpoint is `/api/auth/userinfo/direct/service-api-key`.\\n\"\n flag \"--dynamic-registration-supported\" help=\"The boolean flag which indicates whether the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)\\nis supported.\\n\"\n flag \"--registration-endpoint \" help=\"The [registration endpoint](http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)\\nof the service. A URL that starts with `https://`. For example, `https://example.com/auth/registration`.\\n\\nThe value of this property is used as `registration_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--registration-management-endpoint \" help=\"The URI of the registration management endpoint. If dynamic client registration is supported,\\nand this is set, this URI will be used as the basis of the client's management endpoint by appending\\n`/clientid}/` to it as a path element. 
If this is unset, the value of `registrationEndpoint` will\\nbe used as the URI base instead.\\n\"\n flag \"--policy-uri \" help=\"The URL of the \\\"Policy\\\" of the service.\\n\\nThe value of this property is used as `op_policy_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL of the \\\"Terms Of Service\\\" of the service.\\n\\nThe value of this property is used as `op_tos_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--service-documentation \" help=\"The URL of a page where documents for developers can be found.\\n\\nThe value of this property is used as `service_documentation` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--backchannel-authentication-endpoint \" help=\"The URI of backchannel authentication endpoint, which is defined in the specification of [CIBA\\n(Client Initiated Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\"\n flag \"--supported-backchannel-token-delivery-modes \" help=\"The supported backchannel token delivery modes. This property corresponds to the `backchannel_token_delivery_modes_supported`\\nmetadata.\\n\\nBackchannel token delivery modes are defined in the specification of [CIBA (Client Initiated\\nBackchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\" var=#true\n flag \"--backchannel-auth-req-id-duration \" help=\"The duration of backchannel authentication request IDs issued from the backchannel authentication\\nendpoint in seconds. 
This is used as the value of the `expires_in` property in responses from\\nthe backchannel authentication endpoint.\\n\"\n flag \"--backchannel-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds. This is used as the value of the `interval` property in responses from the backchannel\\nauthentication endpoint.\\n\"\n flag \"--backchannel-user-code-parameter-supported\" help=\"The boolean flag which indicates whether the `user_code` request parameter is supported at the\\nbackchannel authentication endpoint. This property corresponds to the `backchannel_user_code_parameter_supported`\\nmetadata.\\n\"\n flag \"--backchannel-binding-message-required-in-fapi\" help=\"The flag to indicate whether the `binding_message` request parameter is always required whenever\\na backchannel authentication request is judged as a request for Financial-grade API.\\n\"\n flag \"--device-authorization-endpoint \" help=\"The URI of the device authorization endpoint.\\n\\nDevice authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.\\n\"\n flag \"--device-verification-uri \" help=\"The verification URI for the device flow. This URI is used as the value of the `verification_uri`\\nparameter in responses from the device authorization endpoint.\\n\"\n flag \"--device-verification-uri-complete \" help=\"The verification URI for the device flow with a placeholder for a user code. This URI is used\\nto build the value of the `verification_uri_complete` parameter in responses from the device\\nauthorization endpoint.\\n\"\n flag \"--device-flow-code-duration \" help=\"The duration of device verification codes and end-user verification codes issued from the device\\nauthorization endpoint in seconds. 
This is used as the value of the `expires_in` property in responses\\nfrom the device authorization endpoint.\\n\"\n flag \"--device-flow-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds in device flow. This is used as the value of the `interval` property in responses from\\nthe device authorization endpoint.\\n\"\n flag \"--user-code-charset \" help=\"The character set for end-user verification codes (`user_code`) for Device Flow.\\n (options: BASE20, NUMERIC)\"\n flag \"--user-code-length \" help=\"The length of end-user verification codes (`user_code`) for Device Flow.\\n\"\n flag \"--supported-trust-frameworks \" help=\"Trust frameworks supported by this service. This corresponds to the `trust_frameworks_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-evidence \" help=\"Evidence supported by this service. This corresponds to the `evidence_supported` [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-identity-documents \" help=\"Identity documents supported by this service. This corresponds to the `id_documents_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verification-methods \" help=\"Verification methods supported by this service. This corresponds to the `id_documents_verification_methods_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verified-claims \" help=\"Verified claims supported by this service. 
This corresponds to the `claims_in_verified_claims_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--verified-claims-validation-schema-set \" help=\"The verified claims validation schema set.\\n (options: standard, standard+id_document)\"\n flag \"--attributes \" help=\"The attributes of this service.\\n\"\n flag \"--nbf-optional\" help=\"The flag indicating whether the nbf claim in the request object is optional even when the authorization\\nrequest is regarded as a FAPI-Part2 request.\\n\"\n flag \"--iss-suppressed\" help=\"The flag indicating whether generation of the iss response parameter is suppressed.\\n\"\n flag \"--supported-custom-client-metadata \" help=\"custom client metadata supported by this service.\\n\" var=#true\n flag \"--token-expiration-linked\" help=\"The flag indicating whether the expiration date of an access token never exceeds that of the\\ncorresponding refresh token.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE `enc` of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--hsm-enabled\" help=\"The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.\\n\\nWhen this flag is `false`, keys managed in HSMs are not used even if they exist. 
In addition,\\n`/api/hsk/*` APIs reject all requests.\\n\\nEven if this flag is `true`, HSM-related features do not work if the configuration of the Authlete\\nserver you are using does not support HSM.\\n\"\n flag \"--hsks \" help=\"The information about keys managed on HSMs (Hardware Security Modules).\\n\\nThis `hsks` property is output only, meaning that `hsks` in requests to `/api/service/create`\\nAPI and `/api/service/update` API do not have any effect. The contents of this property is controlled\\nonly by `/api/hsk/*` APIs.\\n\"\n flag \"--grant-management-endpoint \" help=\"The URL of the grant management endpoint.\\n\"\n flag \"--grant-management-action-required\" help=\"The flag indicating whether every authorization request (and any request serving as an authorization\\nrequest such as CIBA backchannel authentication request and device authorization request) must\\ninclude the `grant_management_action` request parameter.\\n\"\n flag \"--unauthorized-on-client-config-supported\" help=\"The flag indicating whether Authlete's `/api/client/registration` API uses `UNAUTHORIZED` as\\na value of the `action` response parameter when appropriate.\\n\"\n flag \"--dcr-scope-used-as-requestable\" help=\"The flag indicating whether the `scope` request parameter in dynamic client registration and\\nupdate requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.\\n\\nLimiting the range of scopes that a client can request is achieved by listing scopes in the\\n`client.extension.requestableScopes` property and setting the `client.extension.requestableScopesEnabled`\\nproperty to `true`. This feature is called \\\"requestable scopes\\\".\\n\\nThis property affects behaviors of `/api/client/registration` and other family APIs.\\n\"\n flag \"--end-session-endpoint \" help=\"The endpoint for clients ending the sessions.\\n\\nA URL that starts with `https://` and has no fragment component. 
For example, `https://example.com/auth/endSession`.\\n\\nThe value of this property is used as `end_session_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--loopback-redirection-uri-variable\" help=\"The flag indicating whether the port number component of redirection URIs can be variable when\\nthe host component indicates loopback.\\n\"\n flag \"--request-object-audience-checked\" help=\"The flag indicating whether Authlete checks whether the `aud` claim of request objects matches\\nthe issuer identifier of this service.\\n\"\n flag \"--access-token-for-external-attachment-embedded\" help=\"The flag indicating whether Authlete generates access tokens for\\nexternal attachments and embeds them in ID tokens and userinfo\\nresponses.\\n\"\n flag \"--authority-hints \" help=\"Identifiers of entities that can issue entity statements for this\\nservice. This property corresponds to the `authority_hints`\\nproperty that appears in a self-signed entity statement that is\\ndefined in OpenID Connect Federation 1.0.\\n\" var=#true\n flag \"--federation-enabled\" help=\"flag indicating whether this service supports OpenID Connect Federation 1\\n\"\n flag \"--federation-jwks \" help=\"JWK Set document containing keys that are used to sign (1) self-signed\\nentity statement of this service and (2) the response from\\n`signed_jwks_uri`.\\n\"\n flag \"--federation-signature-key-id \" help=\"A key ID to identify a JWK used to sign the entity configuration and\\nthe signed JWK Set.\\n\"\n flag \"--federation-configuration-duration \" help=\"The duration of the entity configuration in seconds.\\n\"\n flag \"--federation-registration-endpoint \" help=\"The URI of the federation registration endpoint. 
This property corresponds\\nto the `federation_registration_endpoint` server metadata that is\\ndefined in OpenID Connect Federation 1.0.\\n\"\n flag \"--organization-name \" help=\"The human-readable name representing the organization that operates\\nthis service. This property corresponds to the `organization_name`\\nserver metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--predefined-transformed-claims \" help=\"The transformed claims predefined by this service in JSON format.\\nThis property corresponds to the `transformed_claims_predefined`\\nserver metadata.\\n\"\n flag \"--refresh-token-idempotent\" help=\"flag indicating whether refresh token requests with the same\\nrefresh token can be made multiple times in quick succession and\\nthey can obtain the same renewed refresh token within the short\\nperiod.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this service's JWK Set document in\\nthe JWT format. This property corresponds to the `signed_jwks_uri`\\nserver metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--supported-attachments \" help=\"Supported attachment types. This property corresponds to the {@code\\nattachments_supported} server metadata which was added by the third\\nimplementer's draft of OpenID Connect for Identity Assurance 1.0.\\n\" var=#true\n flag \"--supported-digest-algorithms \" help=\"Supported algorithms used to compute digest values of external\\nattachments. This property corresponds to the\\n`digest_algorithms_supported` server metadata which was added\\nby the third implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--supported-documents \" help=\"Document types supported by this service. 
This property corresponds\\nto the `documents_supported` server metadata.\\n\" var=#true\n flag \"--supported-documents-methods \" help=\"validation and verification processes supported by this service.\\nThis property corresponds to the `documents_methods_supported`\\nserver metadata.\\n\\nThe third implementer's draft of [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\nrenamed the\\n`id_documents_verification_methods_supported` server metadata to\\n`documents_methods_supported`.\\n\" var=#true\n flag \"--supported-documents-validation-methods \" help=\"Document validation methods supported by this service. This property\\ncorresponds to the `documents_validation_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n\" var=#true\n flag \"--supported-documents-verification-methods \" help=\"Document verification methods supported by this service. This property\\ncorresponds to the `documents_verification_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-electronic-records \" help=\"Electronic record types supported by this service. 
This property\\ncorresponds to the `electronic_records_supported` server metadata\\nwhich was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-client-registration-types \" help=\"list of values\" var=#true\n flag \"--token-exchange-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nmaking token exchange requests.\\n\"\n flag \"--token-exchange-by-confidential-clients-only\" help=\"The flag indicating whether to prohibit public clients from making\\ntoken exchange requests.\\n\"\n flag \"--token-exchange-by-permitted-clients-only\" help=\"The flag indicating whether to prohibit clients that have no explicit\\npermission from making token exchange requests.\\n\"\n flag \"--token-exchange-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse encrypted JWTs as input tokens.\\n\"\n flag \"--token-exchange-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse unsigned JWTs as input tokens.\\n\"\n flag \"--jwt-grant-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nusing the grant type \\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nencrypted JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nunsigned JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--dcr-duplicate-software-id-blocked\" help=\"The flag indicating whether to block DCR (Dynamic 
Client Registration)\\nrequests whose \\\"software_id\\\" has already been used previously.\\n\"\n flag \"--trust-anchors \" help=\"The trust anchors that are referenced when this service resolves\\ntrust chains of relying parties.\\n\\nIf this property is empty, client registration fails regardless of\\nwhether its type is `automatic` or `explicit`. It means\\nthat OpenID Connect Federation 1.0 does not work.\\n\"\n flag \"--openid-dropped-on-refresh-without-offline-access\" help=\"The flag indicating whether the openid scope should be dropped from\\nscopes list assigned to access token issued when a refresh token grant\\nis used.\\n\"\n flag \"--supported-documents-check-methods \" help=\"Supported document check methods. This property corresponds to the `documents_check_methods_supported`\\nserver metadata which was added by the fourth implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--rs-response-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--cnonce-duration \" help=\"The duration of `c_nonce`.\\n\"\n flag \"--dpop-nonce-required\" help=\"Whether to require DPoP proof JWTs to include the `nonce` claim\\nwhenever they are presented.\\n\"\n flag \"--verifiable-credentials-enabled\" help=\"Get the flag indicating whether the feature of Verifiable Credentials\\nfor this service is enabled or not.\\n\"\n flag \"--credential-jwks-uri \" help=\"The URL at which the JWK Set document of the credential issuer is\\nexposed.\\n\"\n flag \"--credential-offer-duration \" help=\"The default duration of credential offers in seconds.\\n\"\n flag \"--dpop-nonce-duration \" help=\"The duration of nonce values for DPoP proof JWTs in seconds.\\n\"\n flag \"--pre-authorized-grant-anonymous-access-supported\" help=\"The flag indicating whether token requests using the pre-authorized\\ncode grant flow by unidentifiable clients are allowed.\\n\"\n flag 
\"--credential-transaction-duration \" help=\"The duration of transaction ID in seconds that may be issued as a\\nresult of a credential request or a batch credential request.\\n\"\n flag \"--introspection-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--resource-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--user-pin-length \" help=\"The default length of user PINs.\\n\"\n flag \"--supported-prompt-values \" help=\"The supported `prompt` values.\\n\" var=#true\n flag \"--id-token-reissuable\" help=\"The flag indicating whether to enable the feature of ID token\\nreissuance in the refresh token flow.\\n\"\n flag \"--credential-jwks \" help=\"The JWK Set document containing private keys that are used to sign\\nverifiable credentials.\\n\"\n flag \"--fapi-modes \" help=\"FAPI modes for this service.\\n\\nWhen the value of this property is not `null`, Authlete always processes requests to this service based\\non the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported\\nby this service.\\n\\nFor instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete always\\nprocesses requests to this service based on \\\"Financial-grade API Security Profile 1.0 - Part 2:\\nAdvanced\\\" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.\\n\" var=#true\n flag \"--credential-duration \" help=\"The default duration of verifiable credentials in seconds.\\n\"\n flag \"--credential-issuer-metadata \" help=\"JSON object\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim in ID tokens.\\n\"\n flag \"--native-sso-supported\" help=\"Flag that enables the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (“Native SSO”). 
When this property is **not** `true`, Native SSO specific parameters are ignored or treated as errors.\\nFor example:\\n\\n* The `device_sso` scope has no special meaning (Authlete does not embed the `sid` claim in ID tokens).\\n* The `urn:openid:params:token-type:device-secret` token type is treated as unknown and results in an error.\\n\\nWhen set to `true`, the server metadata advertises `\\\"native_sso_supported\\\": true`. See [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)\\nand [RFC 8414 §2](https://www.rfc-editor.org/rfc/rfc8414.html#section-2) for background. Native SSO is available in Authlete 3.0 and later.\\n\"\n flag \"--oid4vci-version \" help=\"Version of the [OpenID for Verifiable Credential Issuance](https://www.authlete.com/developers/oid4vci/) (OID4VCI) specification to support.\\n\\nAccepted values are:\\n\\n* `null` or `\\\"1.0-ID1\\\"` → Implementer’s Draft 1.\\n* `\\\"1.0\\\"` or `\\\"1.0-Final\\\"` → Final 1.0 specification.\\n\\nChoose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.\\n\"\n flag \"--cimd-metadata-policy-enabled\" help=\"Flag that controls whether the CIMD metadata policy is applied to client\\nmetadata obtained through the Client ID Metadata Document (CIMD)\\nmechanism.\\n\"\n flag \"--client-id-metadata-document-supported\" help=\"Indicates whether the Client ID Metadata Document (CIMD) mechanism is\\nsupported. When `true`, the service will attempt to retrieve client\\nmetadata via CIMD where applicable.\\n\"\n flag \"--cimd-allowlist-enabled\" help=\"Enables the allowlist for CIMD. 
When `true`, only CIMD endpoints that are\\non the allowlist are used.\\n\"\n flag \"--cimd-allowlist \" help=\"The allowlist of CIMD endpoints (hosts/URIs) that may be used when\\nretrieving client metadata via Client ID Metadata Documents.\\n\" var=#true\n flag \"--cimd-always-retrieved\" help=\"If `true`, CIMD retrieval is always attempted for clients, regardless of\\nother conditions.\\n\"\n flag \"--cimd-http-permitted\" help=\"Allows CIMD retrieval over plain HTTP. When `false`, only HTTPS CIMD\\nendpoints are allowed.\\n\"\n flag \"--cimd-query-permitted\" help=\"Allows the use of query parameters when retrieving CIMD metadata. When\\n`false`, query parameters are disallowed for CIMD requests.\\n\"\n flag \"--cimd-metadata-policy \" help=\"The metadata policy applied to client metadata obtained through the CIMD\\nmechanism. The value must follow the metadata policy grammar defined in\\n[OpenID Federation 1.0 §6.1 Metadata Policy](https://openid.net/specs/openid-federation-1_0.html#name-metadata-policy).\\n\"\n flag \"--http-alias-prohibited\" help=\"When `true`, client ID aliases starting with `https://` or `http://` are\\nprohibited.\\n\"\n flag \"--attestation-challenge-time-window \" help=\"The time window of attestation challenges in seconds. This is used for\\nOAuth 2.0 Attestation-Based Client Authentication.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "service delete": "cmd \"delete\" help=\"Delete Service ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n}\n", - "service get-configuration": "cmd \"get-configuration\" help=\"Get Service Configuration\" {\n alias \"gc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. 
The default value is `false`.\"\n flag \"--patch \" help=\"Get the JSON Patch [RFC 6902 JavaScript Object Notation (JSON) Patch](https://www.rfc-editor.org/rfc/rfc6902) to be applied.\"\n}\n", - "service gc": "cmd \"get-configuration\" help=\"Get Service Configuration\" {\n alias \"gc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n flag \"--patch \" help=\"Get the JSON Patch [RFC 6902 JavaScript Object Notation (JSON) Patch](https://www.rfc-editor.org/rfc/rfc6902) to be applied.\"\n}\n", - "client": "cmd \"client\" help=\"Operations for client\" {\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n }\n cmd \"list\" help=\"List Clients\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--developer \" help=\"The developer of client applications. The default value is null. If this parameter is not set\\nto `null`, client application of the specified developer are returned. Otherwise, all client\\napplications that belong to the service are returned.\\n\"\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n }\n cmd \"create\" help=\"Create Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. 
If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. 
If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-form\" help=\"Update Client\" {\n alias \"uf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--body-param \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"The client ID. [required]\"\n }\n cmd \"management-1\" help=\"Operations for client-management-1\" {\n alias \"m1\"\n cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. 
[required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n }\n cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. 
If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. 
Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n }\n}\n", - "client get": "cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n}\n", - "client list": "cmd \"list\" help=\"List Clients\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--developer \" help=\"The developer of client applications. The default value is null. If this parameter is not set\\nto `null`, client application of the specified developer are returned. Otherwise, all client\\napplications that belong to the service are returned.\\n\"\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n}\n", - "client create": "cmd \"create\" help=\"Create Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. 
If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client update": "cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. 
If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client update-form": "cmd \"update-form\" help=\"Update Client\" {\n alias \"uf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--body-param \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client uf": "cmd \"update-form\" help=\"Update Client\" {\n alias \"uf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--body-param \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client delete": "cmd \"delete\" help=\"Delete Client ⚡\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"The client ID. [required]\"\n}\n", - "client management-1": "cmd \"management-1\" help=\"Operations for client-management-1\" {\n alias \"m1\"\n cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. [required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n }\n cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). 
The default value is 5.\\n\"\n }\n cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n}\n", - "client m1": "cmd \"management-1\" help=\"Operations for client-management-1\" {\n alias \"m1\"\n cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. [required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n }\n cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n}\n", - "client management-1 update-lock-flag": "cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. [required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client management-1 ulf": "cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. [required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client management-1 refresh-secret": "cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n}\n", - "client management-1 rs": "cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n}\n", - "client management-1 update-secret": "cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. 
The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client management-1 us": "cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client management-1 list-authorizations": "cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", - "client management-1 la": "cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). 
The default value is 5.\\n\"\n}\n", - "client management-1 update-authorizations": "cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client management-1 ua": "cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", - "client management-1 delete-authorizations": "cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client management-1 da": "cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client management-1 get-granted-scopes": "cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client management-1 ggs": "cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client management-1 delete-granted-scopes": "cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client management-1 dgs": "cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client management-1 get-requestable-scopes": "cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n}\n", - "client management-1 grs": "cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n}\n", - "client management-1 update-requestable-scopes": "cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client management-1 urs": "cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. 
Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client management-1 delete-requestable-scopes": "cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n}\n", - "client management-1 drs": "cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n}\n", - "client-management-2": "cmd \"client-management-2\" help=\"API endpoints for managing OAuth clients, including creation, update, and deletion of clients\" {\n alias \"cm2\"\n cmd \"client-authorization-get-list-api\" help=\"Get Authorized Applications\" {\n alias \"cagla\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"client-authorization-get-list-api-post\" help=\"Get Authorized Applications\" {\n alias \"caglap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. 
[required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"client-authorization-delete-api\" help=\"Delete Client Tokens\" {\n alias \"cada\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-authorization-delete-api-post\" help=\"Delete Client Tokens\" {\n alias \"cadap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"client-granted-scopes-get-api\" help=\"Get Granted Scopes\" {\n alias \"cgsga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-granted-scopes-get-api-post\" help=\"Get Granted Scopes\" {\n alias \"cgsgap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"client-granted-scopes-delete-api\" help=\"Delete Granted Scopes\" {\n alias \"cgsda\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-extension-requestables-scopes-update-api-post\" help=\"Update Requestable Scopes\" {\n alias \"cersuap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "cm2": "cmd \"client-management-2\" help=\"API endpoints for managing OAuth clients, including creation, update, and deletion of clients\" {\n alias \"cm2\"\n cmd \"client-authorization-get-list-api\" help=\"Get Authorized Applications\" {\n alias \"cagla\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"client-authorization-get-list-api-post\" help=\"Get Authorized Applications\" {\n alias \"caglap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. 
[required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"client-authorization-delete-api\" help=\"Delete Client Tokens\" {\n alias \"cada\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-authorization-delete-api-post\" help=\"Delete Client Tokens\" {\n alias \"cadap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"client-granted-scopes-get-api\" help=\"Get Granted Scopes\" {\n alias \"cgsga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-granted-scopes-get-api-post\" help=\"Get Granted Scopes\" {\n alias \"cgsgap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"client-granted-scopes-delete-api\" help=\"Delete Granted Scopes\" {\n alias \"cgsda\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"client-extension-requestables-scopes-update-api-post\" help=\"Update Requestable Scopes\" {\n alias \"cersuap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "client-management-2 client-authorization-get-list-api": "cmd \"client-authorization-get-list-api\" help=\"Get Authorized Applications\" {\n alias \"cagla\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", - "client-management-2 cagla": "cmd \"client-authorization-get-list-api\" help=\"Get Authorized Applications\" {\n alias \"cagla\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", - "client-management-2 client-authorization-get-list-api-post": "cmd \"client-authorization-get-list-api-post\" help=\"Get Authorized Applications\" {\n alias \"caglap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client-management-2 caglap": "cmd \"client-authorization-get-list-api-post\" help=\"Get Authorized Applications\" {\n alias \"caglap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client-management-2 client-authorization-delete-api": "cmd \"client-authorization-delete-api\" help=\"Delete Client Tokens\" {\n alias \"cada\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client-management-2 cada": "cmd \"client-authorization-delete-api\" help=\"Delete Client Tokens\" {\n alias \"cada\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client-management-2 client-authorization-delete-api-post": "cmd \"client-authorization-delete-api-post\" help=\"Delete Client Tokens\" {\n alias \"cadap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client-management-2 cadap": "cmd \"client-authorization-delete-api-post\" help=\"Delete Client Tokens\" {\n alias \"cadap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client-management-2 client-granted-scopes-get-api": "cmd \"client-granted-scopes-get-api\" help=\"Get Granted Scopes\" {\n alias \"cgsga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client-management-2 cgsga": "cmd \"client-granted-scopes-get-api\" help=\"Get Granted Scopes\" {\n alias \"cgsga\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client-management-2 client-granted-scopes-get-api-post": "cmd \"client-granted-scopes-get-api-post\" help=\"Get Granted Scopes\" {\n alias \"cgsgap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client-management-2 cgsgap": "cmd \"client-granted-scopes-get-api-post\" help=\"Get Granted Scopes\" {\n alias \"cgsgap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client-management-2 client-granted-scopes-delete-api": "cmd \"client-granted-scopes-delete-api\" help=\"Delete Granted Scopes\" {\n alias \"cgsda\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client-management-2 cgsda": "cmd \"client-granted-scopes-delete-api\" help=\"Delete Granted Scopes\" {\n alias \"cgsda\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", - "client-management-2 client-extension-requestables-scopes-update-api-post": "cmd \"client-extension-requestables-scopes-update-api-post\" help=\"Update Requestable Scopes\" {\n alias \"cersuap\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "client-management-2 cersuap": "cmd \"client-extension-requestables-scopes-update-api-post\" help=\"Update Requestable Scopes\" {\n alias \"cersuap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "authorization": "cmd \"authorization\" help=\"Operations for authorization\" {\n cmd \"process-request\" help=\"Process Authorization Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of\\nthe authorization server implementation received from the client application.\\n\\nThe value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is `GET`\\nor (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from\\nthe client application is `POST`.\\n [required]\"\n flag \"--context \" help=\"The arbitrary text to be attached to the ticket that will be issued from the `/auth/authorization`\\nAPI.\\n\\nThe text can be retrieved later by the `/auth/authorization/ticket/info` API and can be updated\\nby the `/auth/authorization/ticket/update` API.\\n\\nThe text will be compressed and encrypted when it is saved in the Authlete database.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the authorization request.\\nFor more details, see [NO_INTERACTION] in the description of `/auth/authorization` API.\\n (options: UNKNOWN, NOT_LOGGED_IN, MAX_AGE_NOT_SUPPORTED, EXCEEDS_MAX_AGE, DIFFERENT_SUBJECT, ACR_NOT_SATISFIED, DENIED, SERVER_ERROR, NOT_AUTHENTICATED, ACCOUNT_SELECTION_REQUIRED, CONSENT_REQUIRED, INTERACTION_REQUIRED, INVALID_TARGET) [required]\"\n flag \"--description \" help=\"The custom description about the authorization failure.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Authorization Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= a user account managed by the service) who has granted authorization to the client application.\\n [required]\"\n flag \"--auth-time \" help=\"The time when the authentication of the end-user occurred. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference performed for the end-user authentication.\"\n flag \"--claims \" help=\"The claims of the end-user (= pieces of information about the end-user) in JSON format.\\nSee [OpenID Connect Core 1.0, 5.1. 
Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) for details about the format.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with an access token and/or an authorization code.\"\n flag \"--scopes \" help=\"Scopes to associate with an access token and/or an authorization code.\\nIf a non-empty string array is given, it replaces the scopes specified by the original authorization request.\\n\" var=#true\n flag \"--sub \" help=\"The value of the `sub` claim to embed in an ID token. If this request parameter is `null` or empty,\\nthe value of the `subject` request parameter is used as the value of the `sub` claim.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens that may be issued based on\\nthe authorization request.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--session-id \" help=\"The session ID of the user's authentication session. The specified value will be embedded in the\\nID token as the value of the `sid` claim. This parameter needs to be provided only if you want\\nto support the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (a.k.a. \\\"Native SSO\\\"). To enable support for the Native SSO specification, the\\n`nativeSsoSupported` property of your service must be set to `true`.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"management\" help=\"Operations for authorization-management\" {\n cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. 
[required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n }\n}\n", - "authorization process-request": "cmd \"process-request\" help=\"Process Authorization Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of\\nthe authorization server implementation received from the client application.\\n\\nThe value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is `GET`\\nor (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from\\nthe client application is `POST`.\\n [required]\"\n flag \"--context \" help=\"The arbitrary text to be attached to the ticket that will be issued from the `/auth/authorization`\\nAPI.\\n\\nThe text can be retrieved later by the `/auth/authorization/ticket/info` API and can be updated\\nby the `/auth/authorization/ticket/update` API.\\n\\nThe text will be compressed and encrypted when it is saved in the Authlete database.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "authorization pr": "cmd \"process-request\" help=\"Process Authorization Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of\\nthe authorization server implementation received from the client application.\\n\\nThe value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is `GET`\\nor (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from\\nthe client application is `POST`.\\n [required]\"\n flag \"--context \" help=\"The arbitrary text to be attached to the ticket that will be issued from the `/auth/authorization`\\nAPI.\\n\\nThe text can be retrieved later by the `/auth/authorization/ticket/info` API and can be updated\\nby the `/auth/authorization/ticket/update` API.\\n\\nThe text will be compressed and encrypted when it is saved in the Authlete database.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "authorization fail": "cmd \"fail\" help=\"Fail Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the authorization request.\\nFor more details, see [NO_INTERACTION] in the description of `/auth/authorization` API.\\n (options: UNKNOWN, NOT_LOGGED_IN, MAX_AGE_NOT_SUPPORTED, EXCEEDS_MAX_AGE, DIFFERENT_SUBJECT, ACR_NOT_SATISFIED, DENIED, SERVER_ERROR, NOT_AUTHENTICATED, ACCOUNT_SELECTION_REQUIRED, CONSENT_REQUIRED, INTERACTION_REQUIRED, INVALID_TARGET) [required]\"\n flag \"--description \" help=\"The custom description about the authorization failure.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "authorization issue": "cmd \"issue\" help=\"Issue Authorization Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= a user account managed by the service) who has granted authorization to the client application.\\n [required]\"\n flag \"--auth-time \" help=\"The time when the authentication of the end-user occurred. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference performed for the end-user authentication.\"\n flag \"--claims \" help=\"The claims of the end-user (= pieces of information about the end-user) in JSON format.\\nSee [OpenID Connect Core 1.0, 5.1. 
Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) for details about the format.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with an access token and/or an authorization code.\"\n flag \"--scopes \" help=\"Scopes to associate with an access token and/or an authorization code.\\nIf a non-empty string array is given, it replaces the scopes specified by the original authorization request.\\n\" var=#true\n flag \"--sub \" help=\"The value of the `sub` claim to embed in an ID token. If this request parameter is `null` or empty,\\nthe value of the `subject` request parameter is used as the value of the `sub` claim.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens that may be issued based on\\nthe authorization request.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--session-id \" help=\"The session ID of the user's authentication session. The specified value will be embedded in the\\nID token as the value of the `sid` claim. This parameter needs to be provided only if you want\\nto support the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (a.k.a. \\\"Native SSO\\\"). To enable support for the Native SSO specification, the\\n`nativeSsoSupported` property of your service must be set to `true`.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "authorization management": "cmd \"management\" help=\"Operations for authorization-management\" {\n cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. 
[required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "authorization management get-ticket-info": "cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "authorization management gti": "cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "authorization management update-ticket": "cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. [required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "authorization management ut": "cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. [required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", - "pushed-authorization": "cmd \"pushed-authorization\" help=\"Operations for pushed-authorization\" {\n alias \"pa\"\n cmd \"create\" help=\"Process Pushed Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"The pushed authorization request body received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the pushed request from the client application.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the pushed authorization request from the client application.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS connection to pushed authorization endpoint from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. 
These certificates are strings in PEM format.\\n\" var=#true\n flag \"--dpop \" help=\"DPoP Header\\n\"\n flag \"--htm \" help=\"HTTP Method (for DPoP validation).\\n\"\n flag \"--htu \" help=\"HTTP URL base (for DPoP validation).\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/pushed_auth_req` API with\\nthis `dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP\\nproof JWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "pa": "cmd \"pushed-authorization\" help=\"Operations for pushed-authorization\" {\n alias \"pa\"\n cmd \"create\" help=\"Process Pushed Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"The pushed authorization request body received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the pushed request from the client application.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the pushed authorization request from the client application.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS connection to pushed authorization endpoint from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. These certificates are strings in PEM format.\\n\" var=#true\n flag \"--dpop \" help=\"DPoP Header\\n\"\n flag \"--htm \" help=\"HTTP Method (for DPoP validation).\\n\"\n flag \"--htu \" help=\"HTTP URL base (for DPoP validation).\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. 
Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/pushed_auth_req` API with\\nthis `dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP\\nproof JWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "pushed-authorization create": "cmd \"create\" help=\"Process Pushed Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"The pushed authorization request body received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the pushed request from the client application.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the pushed authorization request from the client application.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS connection to pushed authorization endpoint from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. 
These certificates are strings in PEM format.\\n\" var=#true\n flag \"--dpop \" help=\"DPoP Header\\n\"\n flag \"--htm \" help=\"HTTP Method (for DPoP validation).\\n\"\n flag \"--htu \" help=\"HTTP URL base (for DPoP validation).\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/pushed_auth_req` API with\\nthis `dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP\\nproof JWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "token": "cmd \"token\" help=\"Operations for token\" {\n cmd \"process\" help=\"Process Token Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server\\nimplementation received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as\\na means of client authentication, and the request from the client application contained its client ID\\nin `Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS of the token request from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. These certificates are strings in PEM format.\\n\" var=#true\n flag \"--properties \" help=\"Extra properties to associate with an access token. 
See [Extra Properties](https://www.authlete.com/developers/definitive_guide/extra_properties/)\\nfor details.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the token endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the token request. This field is used to validate the `DPoP` header.\\n\\nIn normal cases, the value is `POST`. When this parameter is omitted, `POST` is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the token endpoint. This field is used to validate the `DPoP` header.\\n\\nIf this parameter is omitted, the `tokenEndpoint` property of the Service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 
Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/token` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Token Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the token request.\\n (options: UNKNOWN, INVALID_RESOURCE_OWNER_CREDENTIALS, INVALID_TARGET) [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Token Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the authenticated user.\\n [required]\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter is accepted only\\nwhen `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify properties.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"management\" help=\"Operations for token-management\" {\n cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. 
{@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list\" help=\"List Issued Tokens\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"Client Identifier (client ID or client ID alias).\\n\"\n flag \"--subject \" help=\"Unique user ID.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"create\" help=\"Create Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--grant-type \" help=\"The grant type of the access token when the access token was created.\\n (options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE) [required]\"\n flag \"--client-id \" help=\"The ID of the client application which will be associated with a newly created access token.\\n\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the user who will be associated with a newly created access\\ntoken. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must\\nconsist of only ASCII characters and its length must not exceed 100.\\n\"\n flag \"--scopes \" help=\"The scopes which will be associated with a newly created access token. Scopes that are not supported\\nby the service cannot be specified and requesting them will cause an error.\\n\" var=#true\n flag \"--access-token-duration \" help=\"The duration of a newly created access token in seconds. If the value is 0, the duration is determined\\naccording to the settings of the service.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of a newly created refresh token in seconds. 
If the value is 0, the duration is\\ndetermined according to the settings of the service.\\n\\nA refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the\\nspecified grant type is either `IMPLICIT`or `CLIENT_CREDENTIALS`.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter\\nis accepted only when the HTTP method of the request is POST and Content-Type of the request is\\n`application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want\\nto specify properties.\\n\"\n flag \"--client-id-alias-used\" help=\"A boolean request parameter which indicates whether to emulate that the client ID alias is used\\ninstead of the original numeric client ID when a new access token is created.\\n\"\n flag \"--access-token \" help=\"The value of the new access token.\\n\"\n flag \"--refresh-token \" help=\"The value of the new refresh token.\\n\"\n flag \"--access-token-persistent\" help=\"Get whether the access token expires or not. By default, all access tokens expire after a period\\nof time determined by their service.\\n\\nIf this request parameter is `true`, then the access token will not automatically expire and must\\nbe revoked or deleted manually at the service. If this request parameter is true, the `accessTokenDuration`\\nrequest parameter is ignored.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. 
If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--resources \" help=\"The value of the resources to associate with the token. This property represents the value of\\none or more `resource` request parameters which is defined in \\\"RFC8707 Resource Indicators for\\nOAuth 2.0\\\".\\n\" var=#true\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication that the authorization server performed\\nduring the course of issuing the access token.\\n\"\n flag \"--auth-time \" help=\"The time when the user authentication was performed during the course of issuing the access token.\\n\"\n flag \"--client-entity-id-used\" help=\"Flag which indicates whether the entity ID of the client was used when the request for the access token was made.\\n\"\n flag \"--client-identifier \" help=\"The client Identifier associated with the newly issued access token.\\n\"\n flag \"--session-id \" help=\"The session ID, which is the ID of the user's authentication session, associated with a newly\\ncreated access token.\\n\"\n flag \"--metadata-document-used\" help=\"Flag indicating whether a metadata document was used to resolve client metadata for this request.\\n\\nWhen `true`, the client metadata was retrieved via the [OAuth Client ID Metadata 
Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD) mechanism rather than from the Authlete database.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token.\\n\"\n flag \"--access-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the access token is not changed.\\n\"\n flag \"--scopes \" help=\"A new set of scopes assigned to the access token. Scopes that are not supported by the service\\nand those that the client application associated with the access token is not allowed to request\\nare ignored on the server side. If the `scopes` request parameter is not included in a request or\\nits value is `null`, the scopes of the access token are not changed. Note that `properties` parameter\\nis accepted only when `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify `properties`.\\n\" var=#true\n flag \"--properties \" help=\"A new set of properties assigned to the access token. If the `properties` request parameter is\\nnot included in a request or its value is null, the properties of the access token are not changed.\\n\"\n flag \"--access-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the access token when the scopes linked to the access token are changed by this request.\\n\"\n flag \"--access-token-hash \" help=\"The hash of the access token value. 
Used when the hash of the token is known (perhaps from lookup)\\nbut the value of the token itself is not. The value of the `accessToken` parameter takes precedence.\\n\"\n flag \"--access-token-value-updated\" help=\"A boolean request parameter which indicates whether to update the value of the access token in\\nthe data store. If this parameter is set to `true` then a new access token value is generated\\nby the server and returned in the response.\\n\"\n flag \"--access-token-persistent\" help=\"The flag which indicates whether the access token expires or not. By default, all access tokens\\nexpire after a period of time determined by their service. If this request parameter is `true`\\nthen the access token will not automatically expire and must be revoked or deleted manually at\\nthe service.\\n\\nIf this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored.\\nIf this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed\\nnormally.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--refresh-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `refreshTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the refresh token is not changed.\\n\"\n flag \"--refresh-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the refresh token when the scopes linked to the refresh token are changed by this request.\\n\"\n flag \"--token-id \" help=\"The token identifier.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an existing access token. The identifier is the value of the access token\\nor the value of the hash of the access token.\\n [required]\"\n }\n cmd \"revoke\" help=\"Revoke Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an access token to revoke\\n\\nThe hash of an access token is recognized as an identifier as well as the access token itself.\\n\"\n flag \"--refresh-token-identifier \" help=\"The identifier of a refresh token to revoke.\\n\\nThe hash of a refresh token is recognized as an identifier as well as the refresh token itself.\\n\"\n flag \"--client-identifier \" help=\"The client ID of the access token to be revoked.\\n\\nBoth the numeric client ID and the alias are recognized as an identifier\\nof a client.\\n\"\n flag \"--subject \" help=\"The subject of a resource owner.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n }\n}\n", - "token process": "cmd \"process\" help=\"Process Token Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server\\nimplementation received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as\\na means of client authentication, and the request from the client application contained its client ID\\nin `Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as a means 
of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS of the token request from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. These certificates are strings in PEM format.\\n\" var=#true\n flag \"--properties \" help=\"Extra properties to associate with an access token. See [Extra Properties](https://www.authlete.com/developers/definitive_guide/extra_properties/)\\nfor details.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the token endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the token request. This field is used to validate the `DPoP` header.\\n\\nIn normal cases, the value is `POST`. When this parameter is omitted, `POST` is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the token endpoint. 
This field is used to validate the `DPoP` header.\\n\\nIf this parameter is omitted, the `tokenEndpoint` property of the Service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. 
Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/token` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "token fail": "cmd \"fail\" help=\"Fail Token Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the token request.\\n (options: UNKNOWN, INVALID_RESOURCE_OWNER_CREDENTIALS, INVALID_TARGET) [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "token issue": "cmd \"issue\" help=\"Issue Token Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the authenticated user.\\n [required]\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. 
Note that properties parameter is accepted only\\nwhen `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify properties.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "token management": "cmd \"management\" help=\"Operations for token-management\" {\n cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. {@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list\" help=\"List Issued Tokens\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-identifier \" help=\"Client Identifier (client ID or client ID alias).\\n\"\n flag \"--subject \" help=\"Unique user ID.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"create\" help=\"Create Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--grant-type \" help=\"The grant type of the access token when the access token was created.\\n (options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE) [required]\"\n flag \"--client-id \" help=\"The ID of the client application which will be associated with a newly created access token.\\n\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the user who will be associated with a newly created access\\ntoken. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must\\nconsist of only ASCII characters and its length must not exceed 100.\\n\"\n flag \"--scopes \" help=\"The scopes which will be associated with a newly created access token. Scopes that are not supported\\nby the service cannot be specified and requesting them will cause an error.\\n\" var=#true\n flag \"--access-token-duration \" help=\"The duration of a newly created access token in seconds. If the value is 0, the duration is determined\\naccording to the settings of the service.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of a newly created refresh token in seconds. 
If the value is 0, the duration is\\ndetermined according to the settings of the service.\\n\\nA refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the\\nspecified grant type is either `IMPLICIT`or `CLIENT_CREDENTIALS`.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter\\nis accepted only when the HTTP method of the request is POST and Content-Type of the request is\\n`application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want\\nto specify properties.\\n\"\n flag \"--client-id-alias-used\" help=\"A boolean request parameter which indicates whether to emulate that the client ID alias is used\\ninstead of the original numeric client ID when a new access token is created.\\n\"\n flag \"--access-token \" help=\"The value of the new access token.\\n\"\n flag \"--refresh-token \" help=\"The value of the new refresh token.\\n\"\n flag \"--access-token-persistent\" help=\"Get whether the access token expires or not. By default, all access tokens expire after a period\\nof time determined by their service.\\n\\nIf this request parameter is `true`, then the access token will not automatically expire and must\\nbe revoked or deleted manually at the service. If this request parameter is true, the `accessTokenDuration`\\nrequest parameter is ignored.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. 
If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--resources \" help=\"The value of the resources to associate with the token. This property represents the value of\\none or more `resource` request parameters which is defined in \\\"RFC8707 Resource Indicators for\\nOAuth 2.0\\\".\\n\" var=#true\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication that the authorization server performed\\nduring the course of issuing the access token.\\n\"\n flag \"--auth-time \" help=\"The time when the user authentication was performed during the course of issuing the access token.\\n\"\n flag \"--client-entity-id-used\" help=\"Flag which indicates whether the entity ID of the client was used when the request for the access token was made.\\n\"\n flag \"--client-identifier \" help=\"The client Identifier associated with the newly issued access token.\\n\"\n flag \"--session-id \" help=\"The session ID, which is the ID of the user's authentication session, associated with a newly\\ncreated access token.\\n\"\n flag \"--metadata-document-used\" help=\"Flag indicating whether a metadata document was used to resolve client metadata for this request.\\n\\nWhen `true`, the client metadata was retrieved via the [OAuth Client ID Metadata 
Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD) mechanism rather than from the Authlete database.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token.\\n\"\n flag \"--access-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the access token is not changed.\\n\"\n flag \"--scopes \" help=\"A new set of scopes assigned to the access token. Scopes that are not supported by the service\\nand those that the client application associated with the access token is not allowed to request\\nare ignored on the server side. If the `scopes` request parameter is not included in a request or\\nits value is `null`, the scopes of the access token are not changed. Note that `properties` parameter\\nis accepted only when `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify `properties`.\\n\" var=#true\n flag \"--properties \" help=\"A new set of properties assigned to the access token. If the `properties` request parameter is\\nnot included in a request or its value is null, the properties of the access token are not changed.\\n\"\n flag \"--access-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the access token when the scopes linked to the access token are changed by this request.\\n\"\n flag \"--access-token-hash \" help=\"The hash of the access token value. 
Used when the hash of the token is known (perhaps from lookup)\\nbut the value of the token itself is not. The value of the `accessToken` parameter takes precedence.\\n\"\n flag \"--access-token-value-updated\" help=\"A boolean request parameter which indicates whether to update the value of the access token in\\nthe data store. If this parameter is set to `true` then a new access token value is generated\\nby the server and returned in the response.\\n\"\n flag \"--access-token-persistent\" help=\"The flag which indicates whether the access token expires or not. By default, all access tokens\\nexpire after a period of time determined by their service. If this request parameter is `true`\\nthen the access token will not automatically expire and must be revoked or deleted manually at\\nthe service.\\n\\nIf this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored.\\nIf this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed\\nnormally.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--refresh-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `refreshTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the refresh token is not changed.\\n\"\n flag \"--refresh-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the refresh token when the scopes linked to the refresh token are changed by this request.\\n\"\n flag \"--token-id \" help=\"The token identifier.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an existing access token. The identifier is the value of the access token\\nor the value of the hash of the access token.\\n [required]\"\n }\n cmd \"revoke\" help=\"Revoke Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an access token to revoke\\n\\nThe hash of an access token is recognized as an identifier as well as the access token itself.\\n\"\n flag \"--refresh-token-identifier \" help=\"The identifier of a refresh token to revoke.\\n\\nThe hash of a refresh token is recognized as an identifier as well as the refresh token itself.\\n\"\n flag \"--client-identifier \" help=\"The client ID of the access token to be revoked.\\n\\nBoth the numeric client ID and the alias are recognized as an identifier\\nof a client.\\n\"\n flag \"--subject \" help=\"The subject of a resource owner.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "token management reissue-id-token": "cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. 
The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. {@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "token management rit": "cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. 
When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. {@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "token management list": "cmd \"list\" help=\"List Issued Tokens\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"Client Identifier (client ID or client ID alias).\\n\"\n flag \"--subject \" help=\"Unique user ID.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", - "token management create": "cmd \"create\" help=\"Create Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--grant-type \" help=\"The grant type of the access token when the access token was created.\\n (options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE) [required]\"\n flag \"--client-id \" help=\"The ID of the client application which will be associated with a newly created access token.\\n\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the user who will be associated with a newly created access\\ntoken. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must\\nconsist of only ASCII characters and its length must not exceed 100.\\n\"\n flag \"--scopes \" help=\"The scopes which will be associated with a newly created access token. Scopes that are not supported\\nby the service cannot be specified and requesting them will cause an error.\\n\" var=#true\n flag \"--access-token-duration \" help=\"The duration of a newly created access token in seconds. If the value is 0, the duration is determined\\naccording to the settings of the service.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of a newly created refresh token in seconds. If the value is 0, the duration is\\ndetermined according to the settings of the service.\\n\\nA refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the\\nspecified grant type is either `IMPLICIT`or `CLIENT_CREDENTIALS`.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. 
Note that properties parameter\\nis accepted only when the HTTP method of the request is POST and Content-Type of the request is\\n`application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want\\nto specify properties.\\n\"\n flag \"--client-id-alias-used\" help=\"A boolean request parameter which indicates whether to emulate that the client ID alias is used\\ninstead of the original numeric client ID when a new access token is created.\\n\"\n flag \"--access-token \" help=\"The value of the new access token.\\n\"\n flag \"--refresh-token \" help=\"The value of the new refresh token.\\n\"\n flag \"--access-token-persistent\" help=\"Get whether the access token expires or not. By default, all access tokens expire after a period\\nof time determined by their service.\\n\\nIf this request parameter is `true`, then the access token will not automatically expire and must\\nbe revoked or deleted manually at the service. If this request parameter is true, the `accessTokenDuration`\\nrequest parameter is ignored.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--resources \" help=\"The value of the resources to associate with the token. This property represents the value of\\none or more `resource` request parameters which is defined in \\\"RFC8707 Resource Indicators for\\nOAuth 2.0\\\".\\n\" var=#true\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication that the authorization server performed\\nduring the course of issuing the access token.\\n\"\n flag \"--auth-time \" help=\"The time when the user authentication was performed during the course of issuing the access token.\\n\"\n flag \"--client-entity-id-used\" help=\"Flag which indicates whether the entity ID of the client was used when the request for the access token was made.\\n\"\n flag \"--client-identifier \" help=\"The client Identifier associated with the newly issued access token.\\n\"\n flag \"--session-id \" help=\"The session ID, which is the ID of the user's authentication session, associated with a newly\\ncreated access token.\\n\"\n flag \"--metadata-document-used\" help=\"Flag indicating whether a metadata document was used to resolve client metadata for this request.\\n\\nWhen `true`, the client metadata was retrieved via the [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD) mechanism rather than from the Authlete database.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", - "token management update": "cmd \"update\" help=\"Update Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token.\\n\"\n flag \"--access-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the access token is not changed.\\n\"\n flag \"--scopes \" help=\"A new set of scopes assigned to the access token. Scopes that are not supported by the service\\nand those that the client application associated with the access token is not allowed to request\\nare ignored on the server side. If the `scopes` request parameter is not included in a request or\\nits value is `null`, the scopes of the access token are not changed. Note that `properties` parameter\\nis accepted only when `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify `properties`.\\n\" var=#true\n flag \"--properties \" help=\"A new set of properties assigned to the access token. If the `properties` request parameter is\\nnot included in a request or its value is null, the properties of the access token are not changed.\\n\"\n flag \"--access-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the access token when the scopes linked to the access token are changed by this request.\\n\"\n flag \"--access-token-hash \" help=\"The hash of the access token value. Used when the hash of the token is known (perhaps from lookup)\\nbut the value of the token itself is not. 
The value of the `accessToken` parameter takes precedence.\\n\"\n flag \"--access-token-value-updated\" help=\"A boolean request parameter which indicates whether to update the value of the access token in\\nthe data store. If this parameter is set to `true` then a new access token value is generated\\nby the server and returned in the response.\\n\"\n flag \"--access-token-persistent\" help=\"The flag which indicates whether the access token expires or not. By default, all access tokens\\nexpire after a period of time determined by their service. If this request parameter is `true`\\nthen the access token will not automatically expire and must be revoked or deleted manually at\\nthe service.\\n\\nIf this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored.\\nIf this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed\\nnormally.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--refresh-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `refreshTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the refresh token is not changed.\\n\"\n flag \"--refresh-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the refresh token when the scopes linked to the refresh token are changed by this request.\\n\"\n flag \"--token-id \" help=\"The token identifier.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "token management delete": "cmd \"delete\" help=\"Delete Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an existing access token. The identifier is the value of the access token\\nor the value of the hash of the access token.\\n [required]\"\n}\n", - "token management revoke": "cmd \"revoke\" help=\"Revoke Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an access token to revoke\\n\\nThe hash of an access token is recognized as an identifier as well as the access token itself.\\n\"\n flag \"--refresh-token-identifier \" help=\"The identifier of a refresh token to revoke.\\n\\nThe hash of a refresh token is recognized as an identifier as well as the refresh token itself.\\n\"\n flag \"--client-identifier \" help=\"The client ID of the access token to be revoked.\\n\\nBoth the numeric client ID and the alias are recognized as an identifier\\nof a client.\\n\"\n flag \"--subject \" help=\"The subject of a resource owner.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "introspection": "cmd \"introspection\" help=\"Operations for introspection\" {\n cmd \"process\" help=\"Process Introspection Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token to introspect. [required]\"\n flag \"--scopes \" help=\"A string array listing names of scopes which the caller (= a protected resource endpoint of the\\nservice) requires. 
When the content type of the request from the service is `application/x-www-form-urlencoded`,\\nthe format of `scopes` is a space-separated list of scope names.\\n\\nIf this parameter is a non-empty array and if it contains a scope which is not covered by the\\naccess token,`action=FORBIDDEN` with `error=insufficient_scope` is returned from Authlete.\\n\" var=#true\n flag \"--subject \" help=\"A subject (= a user account managed by the service) whom the caller (= a protected resource\\nendpoint of the service) requires.\\n\\nIf this parameter is not `null` and if the value does not match the subject who is associated\\nwith the access token, `action=FORBIDDEN` with `error=invalid_request` is returned from Authlete.\\n\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--resources \" help=\"The resources specified by the `resource` request parameters in the token request. See \\\"Resource Indicators for OAuth 2.0\\\" for details.\\n\" var=#true\n flag \"--acr-values \" help=\"Authentication Context Class Reference values one of which the user authentication performed during the course\\nof issuing the access token must satisfy.\\n\" var=#true\n flag \"--max-age \" help=\"The maximum authentication age which is the maximum allowable elapsed time since the user authentication\\nwas performed during the course of issuing the access token.\\n\"\n flag \"--required-components \" help=\"HTTP Message Components required to be in the signature. If absent, defaults to [ \\\"@method\\\", \\\"@target-uri\\\", \\\"authorization\\\" ].\\n\" var=#true\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the resource request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/introspection` API checks if the DPoP proof JWT includes the expected\\n`nonce` value. 
In this case, the response from the `/auth/introspection` API will include the\\n`dpopNonce` response parameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the resource request contains a request body.\\n\\nWhen the resource request must comply with the HTTP message signing requirements defined in the\\nFAPI 2.0 Message Signing specification, the `\\\"content-digest\\\"` component identifier must be included\\nin the signature base of the HTTP message signature (see [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html))\\nif the resource request contains a request body.\\n\\nWhen this `requestBodyContained` parameter is set to `true`, Authlete checks whether `\\\"content-digest\\\"`\\nis included in the signature base, if the FAPI profile applies to the resource request.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"standard-process\" help=\"Process OAuth 2.0 Introspection Request\" {\n alias \"sp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"Request parameters which comply with the introspection request defined\\nin \\\"[2.1. Introspection Request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1)\\\" in\\nRFC 7662.\\n\\nThe implementation of the introspection endpoint of your authorization server will receive an\\nHTTP POST [[RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231)] request with parameters\\nin the `application/x-www-form-urlencoded` format. 
It is the entity body of the request that\\nAuthlete's `/api/auth/introspection/standard` API expects as the value of `parameters`.\\n [required]\"\n flag \"--with-hidden-properties\" help=\"Flag indicating whether to include hidden properties in the output.\\n\\nAuthlete has a mechanism whereby to associate arbitrary key-value pairs with an access token.\\nEach key-value pair has a hidden attribute. By default, key-value pairs whose hidden attribute\\nis set to `true` are not embedded in the standard introspection output.\\n\\nIf the `withHiddenProperties` request parameter is given and its value is `true`, `/api/auth/introspection/standard\\nAPI includes all the associated key-value pairs into the output regardless of the value of the\\nhidden attribute.\\n\"\n flag \"--rs-uri \" help=\"The URI of the resource server making the introspection request.\\n\\nIf the `rsUri` request parameter is given and the token has audience values, Authlete checks if\\nthe value of the `rsUri` request parameter is contained in the audience values. If not contained,\\nAuthlete generates an introspection response with the `active` property set to `false`.\\n\\nThe `rsUri` request parameter is required when the resource server requests a JWT introspection\\nresponse, i.e., when the value of the `httpAcceptHeader` request parameter is set to `\\\"application/token-introspection+jwt\\\"`.\\n\"\n flag \"--http-accept-header \" help=\"The value of the `HTTP Accept` header in the introspection request.\\n\\nIf the value of the `httpAcceptHeader` request parameter is `\\\"application/token-introspection+jwt\\\"`,\\nAuthlete generates a JWT introspection response. See \\\"[4. 
Requesting a JWT Response](https://www.rfc-editor.org/rfc/rfc9701.html#section-4)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\"\\nfor more details.\\n\"\n flag \"--introspection-sign-alg \" help=\"The JWS `alg` algorithm for signing the introspection response. This parameter corresponds to\\n`introspection_signed_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `RS256`.\\n\"\n flag \"--introspection-encryption-alg \" help=\"The JWE `alg` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nIf the `introspectionEncryptionAlg` request parameter is specified, Authlete generates a JWT\\nintrospection response encrypted with the algorithm by this property and the algorithm specified by\\nthe `introspectionEncryptionEnc` request parameter.\\n\"\n flag \"--introspection-encryption-enc \" help=\"The JWE `enc` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_enc` defined in \\\"[6. 
Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `A128CBC_HS256`.\\n\"\n flag \"--shared-key-for-sign \" help=\"The shared key for signing the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForSign` request parameter is required when the introspection response is requested\\nto be signed with a symmetric algorithm.\\n\"\n flag \"--shared-key-for-encryption \" help=\"The shared key for encrypting the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with a symmetric algorithm.\\n\"\n flag \"--public-key-for-encryption \" help=\"The public key for signing the introspection response with an asymmetric algorithm.\\n\\nThe `publicKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with an asymmetric algorithm.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "introspection process": "cmd \"process\" help=\"Process Introspection Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token to introspect. [required]\"\n flag \"--scopes \" help=\"A string array listing names of scopes which the caller (= a protected resource endpoint of the\\nservice) requires. 
When the content type of the request from the service is `application/x-www-form-urlencoded`,\\nthe format of `scopes` is a space-separated list of scope names.\\n\\nIf this parameter is a non-empty array and if it contains a scope which is not covered by the\\naccess token,`action=FORBIDDEN` with `error=insufficient_scope` is returned from Authlete.\\n\" var=#true\n flag \"--subject \" help=\"A subject (= a user account managed by the service) whom the caller (= a protected resource\\nendpoint of the service) requires.\\n\\nIf this parameter is not `null` and if the value does not match the subject who is associated\\nwith the access token, `action=FORBIDDEN` with `error=invalid_request` is returned from Authlete.\\n\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--resources \" help=\"The resources specified by the `resource` request parameters in the token request. See \\\"Resource Indicators for OAuth 2.0\\\" for details.\\n\" var=#true\n flag \"--acr-values \" help=\"Authentication Context Class Reference values one of which the user authentication performed during the course\\nof issuing the access token must satisfy.\\n\" var=#true\n flag \"--max-age \" help=\"The maximum authentication age which is the maximum allowable elapsed time since the user authentication\\nwas performed during the course of issuing the access token.\\n\"\n flag \"--required-components \" help=\"HTTP Message Components required to be in the signature. If absent, defaults to [ \\\"@method\\\", \\\"@target-uri\\\", \\\"authorization\\\" ].\\n\" var=#true\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the resource request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/introspection` API checks if the DPoP proof JWT includes the expected\\n`nonce` value. 
In this case, the response from the `/auth/introspection` API will include the\\n`dpopNonce` response parameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the resource request contains a request body.\\n\\nWhen the resource request must comply with the HTTP message signing requirements defined in the\\nFAPI 2.0 Message Signing specification, the `\\\"content-digest\\\"` component identifier must be included\\nin the signature base of the HTTP message signature (see [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html))\\nif the resource request contains a request body.\\n\\nWhen this `requestBodyContained` parameter is set to `true`, Authlete checks whether `\\\"content-digest\\\"`\\nis included in the signature base, if the FAPI profile applies to the resource request.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "introspection standard-process": "cmd \"standard-process\" help=\"Process OAuth 2.0 Introspection Request\" {\n alias \"sp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"Request parameters which comply with the introspection request defined\\nin \\\"[2.1. Introspection Request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1)\\\" in\\nRFC 7662.\\n\\nThe implementation of the introspection endpoint of your authorization server will receive an\\nHTTP POST [[RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231)] request with parameters\\nin the `application/x-www-form-urlencoded` format. 
It is the entity body of the request that\\nAuthlete's `/api/auth/introspection/standard` API expects as the value of `parameters`.\\n [required]\"\n flag \"--with-hidden-properties\" help=\"Flag indicating whether to include hidden properties in the output.\\n\\nAuthlete has a mechanism whereby to associate arbitrary key-value pairs with an access token.\\nEach key-value pair has a hidden attribute. By default, key-value pairs whose hidden attribute\\nis set to `true` are not embedded in the standard introspection output.\\n\\nIf the `withHiddenProperties` request parameter is given and its value is `true`, `/api/auth/introspection/standard\\nAPI includes all the associated key-value pairs into the output regardless of the value of the\\nhidden attribute.\\n\"\n flag \"--rs-uri \" help=\"The URI of the resource server making the introspection request.\\n\\nIf the `rsUri` request parameter is given and the token has audience values, Authlete checks if\\nthe value of the `rsUri` request parameter is contained in the audience values. If not contained,\\nAuthlete generates an introspection response with the `active` property set to `false`.\\n\\nThe `rsUri` request parameter is required when the resource server requests a JWT introspection\\nresponse, i.e., when the value of the `httpAcceptHeader` request parameter is set to `\\\"application/token-introspection+jwt\\\"`.\\n\"\n flag \"--http-accept-header \" help=\"The value of the `HTTP Accept` header in the introspection request.\\n\\nIf the value of the `httpAcceptHeader` request parameter is `\\\"application/token-introspection+jwt\\\"`,\\nAuthlete generates a JWT introspection response. See \\\"[4. 
Requesting a JWT Response](https://www.rfc-editor.org/rfc/rfc9701.html#section-4)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\"\\nfor more details.\\n\"\n flag \"--introspection-sign-alg \" help=\"The JWS `alg` algorithm for signing the introspection response. This parameter corresponds to\\n`introspection_signed_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `RS256`.\\n\"\n flag \"--introspection-encryption-alg \" help=\"The JWE `alg` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nIf the `introspectionEncryptionAlg` request parameter is specified, Authlete generates a JWT\\nintrospection response encrypted with the algorithm by this property and the algorithm specified by\\nthe `introspectionEncryptionEnc` request parameter.\\n\"\n flag \"--introspection-encryption-enc \" help=\"The JWE `enc` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_enc` defined in \\\"[6. 
Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `A128CBC_HS256`.\\n\"\n flag \"--shared-key-for-sign \" help=\"The shared key for signing the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForSign` request parameter is required when the introspection response is requested\\nto be signed with a symmetric algorithm.\\n\"\n flag \"--shared-key-for-encryption \" help=\"The shared key for encrypting the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with a symmetric algorithm.\\n\"\n flag \"--public-key-for-encryption \" help=\"The public key for signing the introspection response with an asymmetric algorithm.\\n\\nThe `publicKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with an asymmetric algorithm.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "introspection sp": "cmd \"standard-process\" help=\"Process OAuth 2.0 Introspection Request\" {\n alias \"sp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"Request parameters which comply with the introspection request defined\\nin \\\"[2.1. Introspection Request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1)\\\" in\\nRFC 7662.\\n\\nThe implementation of the introspection endpoint of your authorization server will receive an\\nHTTP POST [[RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231)] request with parameters\\nin the `application/x-www-form-urlencoded` format. 
It is the entity body of the request that\\nAuthlete's `/api/auth/introspection/standard` API expects as the value of `parameters`.\\n [required]\"\n flag \"--with-hidden-properties\" help=\"Flag indicating whether to include hidden properties in the output.\\n\\nAuthlete has a mechanism whereby to associate arbitrary key-value pairs with an access token.\\nEach key-value pair has a hidden attribute. By default, key-value pairs whose hidden attribute\\nis set to `true` are not embedded in the standard introspection output.\\n\\nIf the `withHiddenProperties` request parameter is given and its value is `true`, `/api/auth/introspection/standard\\nAPI includes all the associated key-value pairs into the output regardless of the value of the\\nhidden attribute.\\n\"\n flag \"--rs-uri \" help=\"The URI of the resource server making the introspection request.\\n\\nIf the `rsUri` request parameter is given and the token has audience values, Authlete checks if\\nthe value of the `rsUri` request parameter is contained in the audience values. If not contained,\\nAuthlete generates an introspection response with the `active` property set to `false`.\\n\\nThe `rsUri` request parameter is required when the resource server requests a JWT introspection\\nresponse, i.e., when the value of the `httpAcceptHeader` request parameter is set to `\\\"application/token-introspection+jwt\\\"`.\\n\"\n flag \"--http-accept-header \" help=\"The value of the `HTTP Accept` header in the introspection request.\\n\\nIf the value of the `httpAcceptHeader` request parameter is `\\\"application/token-introspection+jwt\\\"`,\\nAuthlete generates a JWT introspection response. See \\\"[4. 
Requesting a JWT Response](https://www.rfc-editor.org/rfc/rfc9701.html#section-4)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\"\\nfor more details.\\n\"\n flag \"--introspection-sign-alg \" help=\"The JWS `alg` algorithm for signing the introspection response. This parameter corresponds to\\n`introspection_signed_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `RS256`.\\n\"\n flag \"--introspection-encryption-alg \" help=\"The JWE `alg` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nIf the `introspectionEncryptionAlg` request parameter is specified, Authlete generates a JWT\\nintrospection response encrypted with the algorithm by this property and the algorithm specified by\\nthe `introspectionEncryptionEnc` request parameter.\\n\"\n flag \"--introspection-encryption-enc \" help=\"The JWE `enc` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_enc` defined in \\\"[6. 
Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `A128CBC_HS256`.\\n\"\n flag \"--shared-key-for-sign \" help=\"The shared key for signing the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForSign` request parameter is required when the introspection response is requested\\nto be signed with a symmetric algorithm.\\n\"\n flag \"--shared-key-for-encryption \" help=\"The shared key for encrypting the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with a symmetric algorithm.\\n\"\n flag \"--public-key-for-encryption \" help=\"The public key for signing the introspection response with an asymmetric algorithm.\\n\\nThe `publicKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with an asymmetric algorithm.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "revocation": "cmd \"revocation\" help=\"Operations for revocation\" {\n cmd \"process\" help=\"Process Revocation Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint\\n([RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)) of the authorization server implementation received from the\\nclient application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request\\nfrom the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports Basic Authentication\\nas a means of client authentication, and the request from the client application contains its client ID in\\n`Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the revocation endpoint.\\n\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop 
\" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "revocation process": "cmd \"process\" help=\"Process Revocation Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint\\n([RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)) of the authorization server implementation received from the\\nclient application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request\\nfrom the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports Basic Authentication\\nas a means of client authentication, and the request from the client application contains its client ID in\\n`Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client 
application and the revocation endpoint.\\n\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "userinfo": "cmd \"userinfo\" help=\"Operations for userinfo\" {\n cmd \"process\" help=\"Process UserInfo Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token.\\n [required]\"\n flag \"--client-certificate \" help=\"Client certificate used in the TLS connection established between the client application and the userinfo endpoint.\\n\\nThe value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to\\na client certificate when it was issued. 
See [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens]\\n(https://datatracker.ietf.org/doc/rfc8705/) for details about the specification of certificate-bound access tokens.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the user info endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the user info request. This field is used to validate the DPoP header.\\nIn normal cases, the value is either `GET` or `POST`.\\n\"\n flag \"--htu \" help=\"URL of the user info endpoint. This field is used to validate the DPoP header.\\n\\nIf this parameter is omitted, the `userInfoEndpoint` property of the service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. 
If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the userinfo request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/userinfo` API checks if the DPoP proof JWT includes the expected `nonce`\\nvalue. In this case, the response from the `/auth/userinfo` API will include the `dpopNonce` response\\nparameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the userinfo request contains a request body.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue UserInfo Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"The access token that has been passed to the userinfo endpoint by the client application. In other words,\\nthe access token which was contained in the userinfo request.\\n [required]\"\n flag \"--claims \" help=\"Claims in JSON format. As for the format, see [OpenID Connect Core 1.0, 5.1. Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).\\n\"\n flag \"--sub \" help=\"The value of the `sub` claim. If the value of this request parameter is not empty, it is used as the value of\\nthe `sub` claim. 
Otherwise, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--request-signature \" help=\"The Signature header value from the request.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "userinfo process": "cmd \"process\" help=\"Process UserInfo Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token.\\n [required]\"\n flag \"--client-certificate \" help=\"Client certificate used in the TLS connection established between the client application and the userinfo endpoint.\\n\\nThe value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to\\na client certificate when it was issued. See [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens]\\n(https://datatracker.ietf.org/doc/rfc8705/) for details about the specification of certificate-bound access tokens.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the user info endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the user info request. 
This field is used to validate the DPoP header.\\nIn normal cases, the value is either `GET` or `POST`.\\n\"\n flag \"--htu \" help=\"URL of the user info endpoint. This field is used to validate the DPoP header.\\n\\nIf this parameter is omitted, the `userInfoEndpoint` property of the service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the userinfo request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/userinfo` API checks if the DPoP proof JWT includes the expected `nonce`\\nvalue. In this case, the response from the `/auth/userinfo` API will include the `dpopNonce` response\\nparameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the userinfo request contains a request body.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "userinfo issue": "cmd \"issue\" help=\"Issue UserInfo Response\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--token \" help=\"The access token that has been passed to the userinfo endpoint by the client application. In other words,\\nthe access token which was contained in the userinfo request.\\n [required]\"\n flag \"--claims \" help=\"Claims in JSON format. As for the format, see [OpenID Connect Core 1.0, 5.1. Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).\\n\"\n flag \"--sub \" help=\"The value of the `sub` claim. If the value of this request parameter is not empty, it is used as the value of\\nthe `sub` claim. Otherwise, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--request-signature \" help=\"The Signature header value from the request.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "grant-management": "cmd \"grant-management\" help=\"Operations for grant-management\" {\n alias \"gm\"\n cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "gm": "cmd \"grant-management\" help=\"Operations for grant-management\" {\n alias \"gm\"\n cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "grant-management process-request": "cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "grant-management pr": "cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. 
See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", - "JWK-set-endpoint": "cmd \"JWK-set-endpoint\" help=\"API endpoints for to generate JSON Web Key Set (JWKS) for a service\" {\n alias \"Jse\"\n cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n }\n}\n", - "Jse": "cmd \"JWK-set-endpoint\" help=\"API endpoints for to generate JSON Web Key Set (JWKS) for a service\" {\n alias \"Jse\"\n cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n }\n}\n", - "JWK-set-endpoint service-jwks-get-api": "cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. 
The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n}\n", - "JWK-set-endpoint sjga": "cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n}\n", - "dynamic-client-registration": "cmd \"dynamic-client-registration\" help=\"Operations for dynamic-client-registration\" {\n alias \"dcr\"\n cmd \"register\" help=\"Register Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n}\n", - "dcr": "cmd \"dynamic-client-registration\" help=\"Operations for dynamic-client-registration\" {\n alias \"dcr\"\n cmd \"register\" help=\"Register Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. 
Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "dynamic-client-registration register": "cmd \"register\" help=\"Register Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "dynamic-client-registration get": "cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. 
Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "dynamic-client-registration update": "cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "dynamic-client-registration delete": "cmd \"delete\" help=\"Delete Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "ciba": "cmd \"ciba\" help=\"Operations for ciba\" {\n cmd \"process-authentication\" help=\"Process Backchannel Authentication Request\" {\n alias \"pa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a backchannel authentication request which are the request parameters that the\\nbackchannel authentication endpoint of the OpenID provider implementation received from the client\\napplication.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the backchannel authentication request from\\nthe client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client ID in Authorization header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from Authorization header of the backchannel authentication request\\nfrom the client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in Authorization header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certification used in the TLS connection between the client application and the\\nbackchannel authentication endpoint of the OpenID provider.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Backchannel Authentication Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Backchannel Authentication Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket which should be deleted on a call of Authlete's `/backchannel/authentication/fail` API.\\nThis request parameter is not mandatory but optional. If this request parameter is given and the\\nticket belongs to the service, the specified ticket is deleted from the database. 
Giving this\\nparameter is recommended to clean up the storage area for the service.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the backchannel authentication request. This request parameter is\\nnot mandatory but optional. However, giving this parameter is recommended. If omitted, `SERVER_ERROR`\\nis used as a reason.\\n (options: ACCESS_DENIED, EXPIRED_LOGIN_HINT_TOKEN, INVALID_BINDING_MESSAGE, INVALID_TARGET, INVALID_USER_CODE, MISSING_USER_CODE, SERVER_ERROR, UNAUTHORIZED_CLIENT, UNKNOWN_USER_ID) [required]\"\n flag \"--error-description \" help=\"The description of the error. This corresponds to the `error_description` property in the response\\nto the client.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. If this optional request parameter\\nis given, its value is used as the value of the `error_uri` property.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Backchannel Authentication\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued by Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. 
Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original backchannel authentication request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "ciba process-authentication": "cmd \"process-authentication\" help=\"Process Backchannel Authentication Request\" {\n alias \"pa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a backchannel authentication request which are the request parameters that the\\nbackchannel authentication endpoint of the OpenID provider implementation received from the client\\napplication.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the backchannel authentication request from\\nthe client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client ID in Authorization header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from Authorization header of the backchannel authentication request\\nfrom the client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in Authorization header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certification used in the TLS connection between the client application and the\\nbackchannel authentication endpoint of the OpenID provider.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "ciba pa": "cmd \"process-authentication\" help=\"Process Backchannel Authentication Request\" {\n alias \"pa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a backchannel authentication request which are the request parameters that the\\nbackchannel authentication endpoint of the OpenID provider implementation received from the client\\napplication.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the backchannel authentication request from\\nthe client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client ID in Authorization header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from Authorization header of the backchannel authentication request\\nfrom the client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in Authorization header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certification used in the TLS connection between the client application and the\\nbackchannel authentication endpoint of the OpenID provider.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "ciba issue": "cmd \"issue\" help=\"Issue Backchannel Authentication Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "ciba fail": "cmd \"fail\" help=\"Fail Backchannel Authentication Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket which should be deleted on a call of Authlete's `/backchannel/authentication/fail` API.\\nThis request parameter is not mandatory but optional. If this request parameter is given and the\\nticket belongs to the service, the specified ticket is deleted from the database. 
Giving this\\nparameter is recommended to clean up the storage area for the service.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the backchannel authentication request. This request parameter is\\nnot mandatory but optional. However, giving this parameter is recommended. If omitted, `SERVER_ERROR`\\nis used as a reason.\\n (options: ACCESS_DENIED, EXPIRED_LOGIN_HINT_TOKEN, INVALID_BINDING_MESSAGE, INVALID_TARGET, INVALID_USER_CODE, MISSING_USER_CODE, SERVER_ERROR, UNAUTHORIZED_CLIENT, UNKNOWN_USER_ID) [required]\"\n flag \"--error-description \" help=\"The description of the error. This corresponds to the `error_description` property in the response\\nto the client.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. If this optional request parameter\\nis given, its value is used as the value of the `error_uri` property.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "ciba complete": "cmd \"complete\" help=\"Complete Backchannel Authentication\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued by Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. 
Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original backchannel authentication request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "device-flow": "cmd \"device-flow\" help=\"Operations for device-flow\" {\n alias \"df\"\n cmd \"authorization\" help=\"Process Device Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a device authorization request which are the request parameters that the device\\nauthorization endpoint of the authorization server implementation received from the client application.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the device authorization request from the\\nclient application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\n`Authentication` as a means of client authentication, and the request from the client application\\ncontained its client ID in `Authorization` header, the value should be extracted and set to this\\nparameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the device authorization request from\\nthe client application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in `Authorization` header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the device\\nauthorization endpoint of the authorization server.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"verification\" help=\"Process Device Verification Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Device Authorization\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. 
Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original device authorization request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. 
This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "df": "cmd \"device-flow\" help=\"Operations for device-flow\" {\n alias \"df\"\n cmd \"authorization\" help=\"Process Device Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a device authorization request which are the request parameters that the device\\nauthorization endpoint of the authorization server implementation received from the client application.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the device authorization request from the\\nclient application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\n`Authentication` as a means of client authentication, and the request from the client application\\ncontained its client ID in `Authorization` header, the value should be extracted and set to this\\nparameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the device authorization request from\\nthe client application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in `Authorization` header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the device\\nauthorization endpoint of the authorization server.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"verification\" help=\"Process Device Verification Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Device Authorization\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. 
Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original device authorization request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. 
This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "device-flow authorization": "cmd \"authorization\" help=\"Process Device Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a device authorization request which are the request parameters that the device\\nauthorization endpoint of the authorization server implementation received from the client application.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the device authorization request from the\\nclient application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\n`Authentication` as a means of client authentication, and the request from the client application\\ncontained its client ID in `Authorization` header, the value should be extracted and set to this\\nparameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the device authorization request from\\nthe client application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in `Authorization` header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the device\\nauthorization endpoint of the authorization server.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "device-flow verification": "cmd \"verification\" help=\"Process Device Verification Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "device-flow complete": "cmd \"complete\" help=\"Complete Device Authorization\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. 
Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original device authorization request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. 
This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "jose-object": "cmd \"jose-object\" help=\"API endpoints for JOSE objects\" {\n alias \"jo\"\n cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "jo": "cmd \"jose-object\" help=\"API endpoints for JOSE objects\" {\n alias \"jo\"\n cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "jose-object jose-verify-api": "cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "jose-object jva": "cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "federation": "cmd \"federation\" help=\"Operations for federation\" {\n cmd \"configuration\" help=\"Process Entity Configuration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--body-param \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"registration\" help=\"Process Federation Registration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--entity-configuration \" help=\"The entity configuration of a relying party.\\n\"\n flag \"--trust-chain \" help=\"The trust chain of a relying party.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "federation configuration": "cmd \"configuration\" help=\"Process Entity Configuration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--body-param \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "federation registration": "cmd \"registration\" help=\"Process Federation Registration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--entity-configuration \" help=\"The entity configuration of a relying party.\\n\"\n flag \"--trust-chain \" help=\"The trust chain of a relying party.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "hardware-security-keys": "cmd \"hardware-security-keys\" help=\"Operations for hardware-security-keys\" {\n alias \"hsk\"\n cmd \"create\" help=\"Create Security Key\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--kty \" help=\"The key type (EC or RSA)\\n\"\n flag \"--use \" help=\"The key on the HSM.\\nWhen the key use is \\\"sig\\\" (signature), the private key on the HSM is used to sign data and the corresponding public key is used to verify the signature.\\nWhen the key use is \\\"enc\\\" (encryption), the private key on the HSM is used to decrypt encrypted data which have been encrypted with the corresponding public key\\n\"\n flag \"--kid \" help=\"Key ID for the key on the HSM.\\n\"\n flag \"--hsm-name \" help=\"The name of the HSM.\\nThe identifier for the HSM that sits behind the Authlete server. For example, \\\"google\\\".\\n\"\n flag \"--alg \" help=\"The algorithm of the key on the HSM. When the key use is `\\\"sig\\\"`, the algorithm represents a signing\\nalgorithm such as `\\\"ES256\\\"`. When the key use is `\\\"enc\\\"`, the algorithm represents an encryption\\nalgorithm such as `\\\"RSA-OAEP-256\\\"`.\\n\\nIt is rare that HSMs support all the algorithms listed in [RFC 7518 JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518.html).\\nWhen the specified algorithm is not supported by the HSM, the request to the `/hsk/create` API\\nfails.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"get\" help=\"Get Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"list\" help=\"List Security Keys\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n}\n", - "hsk": "cmd \"hardware-security-keys\" help=\"Operations for hardware-security-keys\" {\n alias \"hsk\"\n cmd \"create\" help=\"Create Security Key\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--kty \" help=\"The key type (EC or RSA)\\n\"\n flag \"--use \" help=\"The key on the HSM.\\nWhen the key use is \\\"sig\\\" (signature), the private key on the HSM is used to sign data and the corresponding public key is used to verify the signature.\\nWhen the key use is \\\"enc\\\" (encryption), the private key on the HSM is used to decrypt encrypted data which have been encrypted with the corresponding public key\\n\"\n flag \"--kid \" help=\"Key ID for the key on the HSM.\\n\"\n flag \"--hsm-name \" help=\"The name of the HSM.\\nThe identifier for the HSM that sits behind the Authlete server. For example, \\\"google\\\".\\n\"\n flag \"--alg \" help=\"The algorithm of the key on the HSM. When the key use is `\\\"sig\\\"`, the algorithm represents a signing\\nalgorithm such as `\\\"ES256\\\"`. When the key use is `\\\"enc\\\"`, the algorithm represents an encryption\\nalgorithm such as `\\\"RSA-OAEP-256\\\"`.\\n\\nIt is rare that HSMs support all the algorithms listed in [RFC 7518 JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518.html).\\nWhen the specified algorithm is not supported by the HSM, the request to the `/hsk/create` API\\nfails.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"get\" help=\"Get Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"list\" help=\"List Security Keys\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n}\n", - "hardware-security-keys create": "cmd \"create\" help=\"Create Security Key\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--kty \" help=\"The key type (EC or RSA)\\n\"\n flag \"--use \" help=\"The key on the HSM.\\nWhen the key use is \\\"sig\\\" (signature), the private key on the HSM is used to sign data and the corresponding public key is used to verify the signature.\\nWhen the key use is \\\"enc\\\" (encryption), the private key on the HSM is used to decrypt encrypted data which have been encrypted with the corresponding public key\\n\"\n flag \"--kid \" help=\"Key ID for the key on the HSM.\\n\"\n flag \"--hsm-name \" help=\"The name of the HSM.\\nThe identifier for the HSM that sits behind the Authlete server. For example, \\\"google\\\".\\n\"\n flag \"--alg \" help=\"The algorithm of the key on the HSM. When the key use is `\\\"sig\\\"`, the algorithm represents a signing\\nalgorithm such as `\\\"ES256\\\"`. When the key use is `\\\"enc\\\"`, the algorithm represents an encryption\\nalgorithm such as `\\\"RSA-OAEP-256\\\"`.\\n\\nIt is rare that HSMs support all the algorithms listed in [RFC 7518 JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518.html).\\nWhen the specified algorithm is not supported by the HSM, the request to the `/hsk/create` API\\nfails.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "hardware-security-keys delete": "cmd \"delete\" help=\"Delete Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n}\n", - "hardware-security-keys get": "cmd \"get\" help=\"Get Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n}\n", - "hardware-security-keys list": "cmd \"list\" help=\"List Security Keys\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n}\n", - "verifiable-credentials": "cmd \"verifiable-credentials\" help=\"Operations for verifiable-credentials\" {\n alias \"vc\"\n cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"parse\" help=\"Parse Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "vc": "cmd \"verifiable-credentials\" help=\"Operations for verifiable-credentials\" {\n alias \"vc\"\n cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"parse\" help=\"Parse Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "verifiable-credentials get-metadata": "cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials gm": "cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", - "verifiable-credentials get-jwt-issuer": "cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials gji": "cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials get-jwks": "cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials gj": "cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials create-offer": "cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials co": "cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials get-offer-info": "cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials goi": "cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials parse": "cmd \"parse\" help=\"Parse Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials issue": "cmd \"issue\" help=\"Issue Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials batch-parse": "cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", - "verifiable-credentials bp": "cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials batch-issue": "cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials bi": "cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials deferred-parse": "cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", - "verifiable-credentials dp": "cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials deferred-issue": "cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "verifiable-credentials di": "cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "lifecycle": "cmd \"lifecycle\" help=\"Operations for lifecycle\" {\n cmd \"get-api-lifecycle-healthcheck\" help=\"Health Check\" {\n alias \"galh\"\n flag \"--extended\" help=\"If `true`, perform extended health checks (e.g. database connectivity).\\n\"\n }\n}\n", - "lifecycle get-api-lifecycle-healthcheck": "cmd \"get-api-lifecycle-healthcheck\" help=\"Health Check\" {\n alias \"galh\"\n flag \"--extended\" help=\"If `true`, perform extended health checks (e.g. database connectivity).\\n\"\n}\n", - "lifecycle galh": "cmd \"get-api-lifecycle-healthcheck\" help=\"Health Check\" {\n alias \"galh\"\n flag \"--extended\" help=\"If `true`, perform extended health checks (e.g. 
database connectivity).\\n\"\n}\n", - "native-sso": "cmd \"native-sso\" help=\"Operations for native-sso\" {\n alias \"ns\"\n cmd \"process\" help=\"Native SSO Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be: (a) the value of the `jwtAccessToken` parameter in a response\\nfrom the `/auth/token` API when the value is available, or (b) the value of the `accessToken`\\nparameter in the response from the `/auth/token` API when the `jwtAccessToken` parameter is not\\navailable.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the `refreshToken` parameter in a response\\nfrom the `/auth/token` API.\\n\"\n flag \"--sub \" help=\"The value that should be used as the value of the `sub` claim of the ID token. This parameter\\nis optional. When omitted, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of the ID token. The format is a\\nJSON object. This parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of the ID token. The format is\\na JSON object. This parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values of this parameter are\\nas follows:\\n\"\n flag \"--device-secret \" help=\"The device secret. The value of this parameter should be the value of the `deviceSecret` parameter\\nin the response from the `/auth/token` API, if the parameter is present. Otherwise, the authorization\\nserver should generate a new device secret and specify it as the value of this parameter.\\n [required]\"\n flag \"--device-secret-hash \" help=\"The device secret hash. 
The specified device secret hash is included as the value of the `ds_hash`\\nclaim in the ID token generated by the `/nativesso` API. If the `deviceSecretHash` request parameter\\nis omitted, the value of the `deviceSecret` request parameter is used to compute the hash.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"logout\" help=\"Native SSO Logout Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--session-id \" help=\"The session ID of a user's authentication session.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "ns": "cmd \"native-sso\" help=\"Operations for native-sso\" {\n alias \"ns\"\n cmd \"process\" help=\"Native SSO Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be: (a) the value of the `jwtAccessToken` parameter in a response\\nfrom the `/auth/token` API when the value is available, or (b) the value of the `accessToken`\\nparameter in the response from the `/auth/token` API when the `jwtAccessToken` parameter is not\\navailable.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the `refreshToken` parameter in a response\\nfrom the `/auth/token` API.\\n\"\n flag \"--sub \" help=\"The value that should be used as the value of the `sub` claim of the ID token. This parameter\\nis optional. When omitted, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of the ID token. The format is a\\nJSON object. This parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of the ID token. The format is\\na JSON object. 
This parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values of this parameter are\\nas follows:\\n\"\n flag \"--device-secret \" help=\"The device secret. The value of this parameter should be the value of the `deviceSecret` parameter\\nin the response from the `/auth/token` API, if the parameter is present. Otherwise, the authorization\\nserver should generate a new device secret and specify it as the value of this parameter.\\n [required]\"\n flag \"--device-secret-hash \" help=\"The device secret hash. The specified device secret hash is included as the value of the `ds_hash`\\nclaim in the ID token generated by the `/nativesso` API. If the `deviceSecretHash` request parameter\\nis omitted, the value of the `deviceSecret` request parameter is used to compute the hash.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"logout\" help=\"Native SSO Logout Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--session-id \" help=\"The session ID of a user's authentication session.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", - "native-sso process": "cmd \"process\" help=\"Native SSO Processing\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The value of this parameter should be: (a) the value of the `jwtAccessToken` parameter in a response\\nfrom the `/auth/token` API when the value is available, or (b) the value of the `accessToken`\\nparameter in the response from the `/auth/token` API when the `jwtAccessToken` parameter is not\\navailable.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the `refreshToken` parameter in a response\\nfrom the `/auth/token` API.\\n\"\n flag \"--sub \" help=\"The value that should be used as the value of the `sub` claim of the ID token. This parameter\\nis optional. When omitted, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of the ID token. The format is a\\nJSON object. This parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of the ID token. The format is\\na JSON object. This parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values of this parameter are\\nas follows:\\n\"\n flag \"--device-secret \" help=\"The device secret. The value of this parameter should be the value of the `deviceSecret` parameter\\nin the response from the `/auth/token` API, if the parameter is present. Otherwise, the authorization\\nserver should generate a new device secret and specify it as the value of this parameter.\\n [required]\"\n flag \"--device-secret-hash \" help=\"The device secret hash. The specified device secret hash is included as the value of the `ds_hash`\\nclaim in the ID token generated by the `/nativesso` API. 
If the `deviceSecretHash` request parameter\\nis omitted, the value of the `deviceSecret` request parameter is used to compute the hash.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "native-sso logout": "cmd \"logout\" help=\"Native SSO Logout Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--session-id \" help=\"The session ID of a user's authentication session.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", - "configure": "cmd \"configure\" help=\"Configure authentication credentials and preferences\"\n", - "whoami": "cmd \"whoami\" help=\"Display current authentication configuration\"\n", - "version": "cmd \"version\" help=\"Print the CLI version\"\n", + "": "name \"authlete\"\nbin \"authlete\"\nabout \"Authlete API: Welcome to the **Authlete API documentation**. Authlete is an **API-first service** where every aspect of the \\nplatform is configurable via API. This documentation will help you authenticate and integrate with Authlete to \\nbuild powerful OAuth 2.0 and OpenID Connect servers.\\n\\nAt a high level, the Authlete API is grouped into two categories:\\n\\n- **Management APIs**: Enable you to manage services and clients.\\n- **Runtime APIs**: Allow you to build your own Authorization Servers or Verifiable Credential (VC) issuers.\\n\\n## 🌐 API Servers\\n\\nAuthlete is a global service with clusters available in multiple regions across the world:\\n\\n- 🇺🇸 **US**: `https://us.authlete.com`\\n- 🇯🇵 **Japan**: `https://jp.authlete.com`\\n- 🇪🇺 **Europe**: `https://eu.authlete.com`\\n- 🇧🇷 **Brazil**: `https://br.authlete.com`\\n\\nOur customers can host their data in the region that best meets their requirements.\\n\\n## 🔑 Authentication\\n\\nAll API endpoints are secured using **Bearer token authentication**. 
You must include an access token in every request:\\n\\n```\\nAuthorization: Bearer YOUR_ACCESS_TOKEN\\n```\\n\\n### Getting Your Access Token\\n\\nAuthlete supports two types of access tokens:\\n\\n**Service Access Token** - Scoped to a single service (authorization server instance)\\n\\n1. Log in to [Authlete Console](https://console.authlete.com)\\n2. Navigate to your service → **Settings** → **Access Tokens**\\n3. Click **Create Token** and select permissions (e.g., `service.read`, `client.write`)\\n4. Copy the generated token\\n\\n**Organization Token** - Scoped to your entire organization\\n\\n1. Log in to [Authlete Console](https://console.authlete.com)\\n2. Navigate to **Organization Settings** → **Access Tokens**\\n3. Click **Create Token** and select org-level permissions\\n4. Copy the generated token\\n\\n> ⚠️ **Important Note**: Tokens inherit the permissions of the account that creates them. Service tokens can only \\n> access their specific service, while organization tokens can access all services within your org.\\n\\n### Token Security Best Practices\\n\\n- **Never commit tokens to version control** - Store in environment variables or secure secret managers\\n- **Rotate regularly** - Generate new tokens periodically and revoke old ones\\n- **Scope appropriately** - Request only the permissions your application needs\\n- **Revoke unused tokens** - Delete tokens you're no longer using from the console\\n\\n### Quick Test\\n\\nVerify your token works with a simple API call:\\n\\n```bash\\ncurl -X GET https://us.authlete.com/api/service/get/list \\\\\\n -H \\\"Authorization: Bearer YOUR_ACCESS_TOKEN\\\"\\n```\\n\\n## 🎓 Tutorials\\n\\nIf you're new to Authlete or want to see sample implementations, these resources will help you get started:\\n\\n- [Getting Started with Authlete](https://www.authlete.com/developers/getting_started/)\\n- [From Sign-Up to the First API Request](https://www.authlete.com/developers/tutorial/signup/)\\n\\n## 🛠 Contact 
Us\\n\\nIf you have any questions or need assistance, our team is here to help:\\n\\n- [Contact Page](https://www.authlete.com/contact/)\"\nversion \"0.0.9\"\nconfig {\n file \"~/.config/authlete/config.yaml\"\n}\nflag \"--usage\" help=\"Print the CLI Usage schema in KDL format\" global=#true\nflag \"-o --output-format \" help=\"Specify the output format. Options: pretty, json, yaml, table, toon.\" global=#true config=\"output_format\" default=\"pretty\"\nflag \"--color \" help=\"Control colored output: auto (color when output is a TTY), always, or never. Respects NO_COLOR and FORCE_COLOR env vars.\" global=#true default=\"auto\"\nflag \"-q --jq \" help=\"Filter and transform output using a jq expression (e.g., '.name', '.items[] | .id')\" global=#true\nflag \"--server-url \" help=\"Override the default server URL\" global=#true\nflag \"--server \" help=\"Select a server by index (for indexed servers) or name (for named servers)\" global=#true\nflag \"-H --header \" help=\"Set a custom HTTP request header (format: \\\"Key: Value\\\"). Can be specified multiple times.\" global=#true var=#true\nflag \"--include-headers\" help=\"Include HTTP response headers in the output\" global=#true default=#false\nflag \"--timeout \" help=\"HTTP request timeout (e.g., 30s, 5m, 100ms)\" global=#true config=\"timeout\"\nflag \"--dry-run\" help=\"Preview the request that would be sent without executing it (output to stderr)\" global=#true default=#false\nflag \"-d --debug\" help=\"Log request and response diagnostics to stderr\" global=#true default=#false\nflag \"--agent-mode\" help=\"Enable structured errors and default TOON output for AI coding agents. Automatically enabled when a known agent environment is detected (CLAUDE_CODE, CURSOR_AGENT, etc.). 
Use --agent-mode=false to disable.\" global=#true default=#false\nflag \"--bearer \" help=\"Authenticate every request with a **Service Access Token** or **Organization Token**.\\nSet the token value in the `Authorization: Bearer ` header.\\n\\n**Service Access Token**: Scoped to a single service. Use when automating service-level configuration or runtime flows.\\n\\n**Organization Token**: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.\\n\\nBoth token types are issued by the Authlete console or provisioning APIs.\" global=#true env=\"AUTHLETE_BEARER\" config=\"security.bearer\"\ncmd \"service\" help=\"Operations for service\" {\n cmd \"get\" help=\"Get Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n cmd \"list\" help=\"List Services\" {\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n }\n cmd \"update\" help=\"Update Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--service-name \" help=\"The name of this service.\"\n flag \"--issuer \" help=\"The issuer identifier of the service.\\n\\nA URL that starts with https:// and has no query or fragment component.\\n\\nThe value of this property is used as `iss` claim in an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\\nand `issuer` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--description \" help=\"The description about the service.\"\n flag \"--token-batch-notification-endpoint \" help=\"The endpoint for batch token notifications. 
This endpoint is called when \\nmultiple tokens are issued or revoked in a batch operation.\\n\"\n flag \"--client-assertion-aud-restricted-to-issuer\" help=\"The flag indicating whether the audience of client assertion JWTs must \\nmatch the issuer identifier of this service.\\n\"\n flag \"--clients-per-developer \" help=\"The maximum number of client applications that a developer can have.\\n\"\n flag \"--developer-authentication-callback-endpoint \" help=\"The endpoint for developer authentication callbacks. This is used when \\ndevelopers log into the developer portal.\\n\"\n flag \"--developer-authentication-callback-api-key \" help=\"The API key for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--developer-authentication-callback-api-secret \" help=\"The API secret for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--supported-snses \" help=\"Social login services (SNS) that this service supports for end-user \\nauthentication.\\n\" var=#true\n flag \"--sns-credentials \" help=\"The credentials for social login services (SNS) that are used for \\nend-user authentication.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always `true`.\"\n flag \"--metadata \" help=\"The `metadata` of the service. The content of the returned array depends on contexts.\\nThe predefined service metadata is listed in the following table.\\n\\n | Key | Description |\\n | --- | --- |\\n | `clientCount` | The number of client applications which belong to this service. 
|\\n\"\n flag \"--authentication-callback-endpoint \" help=\"A Web API endpoint for user authentication which is to be prepared on the service side.\\n\\nThe endpoint must be implemented if you do not implement the UI at the authorization endpoint\\nbut use the one provided by Authlete.\\n\\nThe user authentication at the authorization endpoint provided by Authlete is performed by making\\na `POST` request to this endpoint.\\n\"\n flag \"--authentication-callback-api-key \" help=\"API key for basic authentication at the authentication callback endpoint.\\n\\nIf the value is not empty, Authlete generates Authorization header for Basic authentication when\\nmaking a request to the authentication callback endpoint.\\n\"\n flag \"--authentication-callback-api-secret \" help=\"API secret for `basic` authentication at the authentication callback endpoint.\"\n flag \"--supported-grant-types \" help=\"Values of `grant_type` request parameter that the service supports.\\n\\nThe value of this property is used as `grant_types_supported property` in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-response-types \" help=\"Values of `response_type` request parameter that\\nthe service supports. Valid values are listed in Response Type.\\n\\nThe value of this property is used as `response_types_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-authorization-details-types \" help=\"The supported data types that can be used as values of the type field in `authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types_supported` metadata. 
See \\\"OAuth 2.0\\nRich Authorization Requests\\\" (RAR) for details.\\n\" var=#true\n flag \"--supported-service-profiles \" help=\"The profiles that this service supports.\\n\" var=#true\n flag \"--error-description-omitted\" help=\"The flag to indicate whether the `error_description` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include\\nthe `error_description` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the `error_description` response parameter in error responses.\\n\"\n flag \"--error-uri-omitted\" help=\"The flag to indicate whether the `error_uri` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include the `error_uri` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the\\n`error_uri` response parameter in error responses.\\n\"\n flag \"--authorization-endpoint \" help=\"The authorization endpoint of the service.\\n\\nA URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/authorization`.\\n\\nThe value of this property is used as `authorization_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-authorization-endpoint-enabled\" help=\"The flag to indicate whether the direct authorization endpoint is enabled or not.\\n\\nThe path of the endpoint is `/api/auth/authorization/direct/service-api-key`.\\n\"\n flag \"--supported-ui-locales \" help=\"UI locales that the service supports.\\n\\nEach element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646). 
For example, `en-US` and `ja-JP`.\\n\\nThe value of this property is used as `ui_locales_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-displays \" help=\"Values of `display` request parameter that service supports.\\n\\nThe value of this property is used as `display_values_supported` property in the Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--authorization-response-duration \" help=\"The duration of authorization response JWTs in seconds.\\n\\n[Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)\\ndefines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,\\n`form_post.jwt` and `jwt`. 
If one of them is specified as the response mode, response parameters\\nfrom the authorization endpoint will be packed into a JWT. This property is used to compute the\\nvalue of the `exp` claim of the JWT.\\n\"\n flag \"--authorization-code-duration \" help=\"The duration of authorization codes in seconds.\\n\"\n flag \"--token-endpoint \" help=\"The [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) of the service.\\n\\nA URL that starts with `https://` and has not fragment component. For example, `https://example.com/auth/token`.\\n\\nThe value of this property is used as `token_endpoint` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-token-endpoint-enabled\" help=\"The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint\\nis `/api/auth/token/direct/service-api-key`.\\n\"\n flag \"--supported-token-auth-methods \" help=\"Client authentication methods supported by the token endpoint of the service.\\n\\nThe value of this property is used as `token_endpoint_auth_methods_supports` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--missing-client-id-allowed\" help=\"The flag to indicate token requests from public clients without the `client_id` request parameter are allowed when the client can be guessed from `authorization_code` or `refresh_token`.\\n\\nThis flag should not be set unless you have special reasons.\\n\"\n flag \"--revocation-endpoint \" help=\"The [revocation endpoint](https://tools.ietf.org/html/rfc7009) of the service.\\n\\nA URL that starts with `https://`. For example, `https://example.com/auth/revocation`.\\n\"\n flag \"--direct-revocation-endpoint-enabled\" help=\"The flag to indicate whether the direct revocation endpoint is enabled or not. 
The URL of the endpoint is `/api/auth/revocation/direct/service-api-key`. \"\n flag \"--supported-revocation-auth-methods \" help=\"Client authentication methods supported at the revocation endpoint.\\n\" var=#true\n flag \"--introspection-endpoint \" help=\"The URI of the introspection endpoint.\"\n flag \"--direct-introspection-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is `/api/auth/userinfo/direct/{serviceApiKey}`. \"\n flag \"--supported-introspection-auth-methods \" help=\"Client authentication methods supported at the introspection endpoint.\\n\" var=#true\n flag \"--pushed-auth-req-endpoint \" help=\"The URI of the pushed authorization request endpoint.\\n\\nThis property corresponds to the `pushed_authorization_request_endpoint` metadata defined in \\\"[5. Authorization Server Metadata](https://tools.ietf.org/html/draft-lodderstedt-oauth-par#section-5)\\\" of OAuth 2.0 Pushed Authorization Requests.\\n\"\n flag \"--pushed-auth-req-duration \" help=\"The duration of pushed authorization requests in seconds.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this service requires that clients use the pushed authorization\\nrequest endpoint.\\n\\nThis property corresponds to the `require_pushed_authorization_requests` server metadata defined\\nin [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par).\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether this service requires that authorization requests always utilize\\na request object by using either request or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the value of `traditionalRequestObjectProcessingApplied` is\\n`false`, the value of `require_signed_request_object` server metadata of this service is reported\\nas `true` in the discovery document. 
The metadata is defined in JAR (JWT Secured Authorization Request).\\nThat `require_signed_request_object` is `true` means that authorization requests which don't\\nconform to the JAR specification are rejected.\\n\"\n flag \"--traditional-request-object-processing-applied\" help=\"The flag to indicate whether a request object is processed based on rules defined in\\n[OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) or JAR (JWT\\nSecured Authorization Request).\\n\"\n flag \"--mutual-tls-validate-pki-cert-chain\" help=\"The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.\\n\"\n flag \"--trusted-root-certificates \" help=\"The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.\\n\" var=#true\n flag \"--mtls-endpoint-aliases \" help=\"The MTLS endpoint aliases.\\n\"\n flag \"--access-token-type \" help=\"The access token type.\\n\\nThis value is used as the value of `token_type` property in access token responses. If this service\\ncomplies with [RFC 6750](https://tools.ietf.org/html/rfc6750), the value of this property should\\nbe `Bearer`.\\n\\nSee [RFC 6749 (OAuth 2.0), 7.1. Access Token Types](https://tools.ietf.org/html/rfc6749#section-7.1) for details.\\n\"\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.\\n\"\n flag \"--access-token-duration \" help=\"The duration of access tokens in seconds. This value is used as the value of `expires_in` property\\nin access token responses. `expires_in` is defined [RFC 6749, 5.1. 
Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1).\\n\"\n flag \"--single-access-token-per-subject\" help=\"The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.\\n\\nIf `true`, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.\\n\\nNote that, however, attempts by [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by [Refresh Token Flow](https://tools.ietf.org/html/rfc6749#section-6) invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is `true` or `false`.\\n\"\n flag \"--access-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--access-token-signature-key-id \" help=\"The key ID to identify a JWK used for signing access tokens.\\n\\nA JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs.\\nAuthlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based\\naccess token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions\\nfor access token signature. If the number of JWK candidates which satisfy the conditions is 1,\\nthere is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed\\nto be specified so that Authlete Server can pick up one JWK from among the JWK candidates.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of refresh tokens in seconds. 
The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.\"\n flag \"--refresh-token-duration-kept\" help=\"The flag to indicate whether the remaining duration of the used refresh token is taken over to\\nthe newly issued refresh token.\\n\"\n flag \"--refresh-token-duration-reset\" help=\"The flag which indicates whether duration of refresh tokens are reset when they are used even\\nif the `refreshTokenKept` property of this service set to is `true` (= even if \\\"Refresh Token\\nContinuous Use\\\" is \\\"Kept\\\").\\n\\nThis flag has no effect when the `refreshTokenKept` property is set to `false`. In other words,\\nif this service issues a new refresh token on every refresh token request, the refresh token\\nwill have fresh duration (unless `refreshTokenDurationKept` is set to `true`) and this\\n`refreshTokenDurationReset` property is not referenced.\\n\"\n flag \"--refresh-token-kept\" help=\"The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.\\n\\nIf `true`, a refresh token used to get a new access token remains valid after its use. Otherwise, if `false`, a refresh token is invalidated after its use and a new refresh token is issued.\\n\\nSee [RFC 6749 6. Refreshing an Access Token](https://tools.ietf.org/html/rfc6749#section-6), as to how to get a new access token using a refresh token.\\n\"\n flag \"--supported-scopes \" help=\"Scopes supported by the service.\\n\"\n flag \"--scope-required\" help=\"The flag to indicate whether requests that request no scope are rejected or not.\\n\"\n flag \"--id-token-duration \" help=\"'The duration of [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)s\\nin seconds. 
This value is used to calculate the value of `exp` claim in an ID token.'\\n\"\n flag \"--allowable-clock-skew \" help=\"The allowable clock skew between the server and clients in seconds.\\n\\nThe clock skew is taken into consideration when time-related claims in a JWT (e.g. `exp`, `iat`, `nbf`) are verified.\\n\"\n flag \"--supported-claim-types \" help=\"Claim types supported by the service. Valid values are listed in Claim Type. Note that Authlete\\ncurrently doesn't provide any API to help implementations for `AGGREGATED` and `DISTRIBUTED`.\\n\\nThe value of this property is used as `claim_types_supported` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claim-locales \" help=\"Claim locales that the service supports. Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646).\\nFor example, `en-US` and `ja-JP`. See [OpenID Connect Core 1.0, 5.2. Languages and Scripts](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts)\\nfor details.\\n\\nThe value of this property is used as `claims_locales_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claims \" help=\"Claim names that the service supports. The standard claim names listed in [OpenID Connect Core 1.0,\\n5.1. Standard Claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) should\\nbe supported. The following is the list of standard claims.\\n\" var=#true\n flag \"--claim-shortcut-restrictive\" help=\"The flag indicating whether claims specified by shortcut scopes (e.g. `profile`) are included\\nin the issued ID token only when no access token is issued.\\n\"\n flag \"--jwks-uri \" help=\"The URL of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document. 
For\\nexample, `http://example.com/auth/jwks`.\\n\\nClient applications accesses this URL (1) to get the public key of the service to validate the\\nsignature of an ID token issued by the service and (2) to get the public key of the service to\\nencrypt an request object of the client application. See [OpenID Connect Core 1.0, 10. Signatures\\nand Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\\nThe value of this property is used as `jwks_uri` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-jwks-endpoint-enabled\" help=\"'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint\\nis `/api/service/jwks/get/direct/service-api-key`. '\\n\"\n flag \"--jwks \" help=\"The content of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document.\\n\\nIf this property is not `null` in a `/service/create` request or a `/service/update` request,\\nAuthlete hosts the content in the database. This property must not be `null` and must contain\\npairs of public/private keys if the service wants to support asymmetric signatures for ID tokens\\nand asymmetric encryption for request objects. See [OpenID Connect Core 1.0, 10. Signatures and\\nEncryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\"\n flag \"--id-token-signature-key-id \" help=\"The key ID to identify a JWK used for ID token signature using an asymmetric key.\\n\"\n flag \"--user-info-signature-key-id \" help=\"The key ID to identify a JWK used for user info signature using an asymmetric key.\\n\"\n flag \"--authorization-signature-key-id \" help=\"The key ID to identify a JWK used for signing authorization responses using an asymmetric key.\\n\"\n flag \"--user-info-endpoint \" help=\"The [user info endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo) of the\\nservice. 
A URL that starts with `https://`. For example, `https://example.com/auth/userinfo`.\\n\\nThe value of this property is used as `userinfo_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-user-info-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path\\nof the endpoint is `/api/auth/userinfo/direct/service-api-key`.\\n\"\n flag \"--dynamic-registration-supported\" help=\"The boolean flag which indicates whether the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)\\nis supported.\\n\"\n flag \"--registration-endpoint \" help=\"The [registration endpoint](http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)\\nof the service. A URL that starts with `https://`. For example, `https://example.com/auth/registration`.\\n\\nThe value of this property is used as `registration_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--registration-management-endpoint \" help=\"The URI of the registration management endpoint. If dynamic client registration is supported,\\nand this is set, this URI will be used as the basis of the client's management endpoint by appending\\n`/clientid}/` to it as a path element. 
If this is unset, the value of `registrationEndpoint` will\\nbe used as the URI base instead.\\n\"\n flag \"--policy-uri \" help=\"The URL of the \\\"Policy\\\" of the service.\\n\\nThe value of this property is used as `op_policy_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL of the \\\"Terms Of Service\\\" of the service.\\n\\nThe value of this property is used as `op_tos_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--service-documentation \" help=\"The URL of a page where documents for developers can be found.\\n\\nThe value of this property is used as `service_documentation` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--backchannel-authentication-endpoint \" help=\"The URI of backchannel authentication endpoint, which is defined in the specification of [CIBA\\n(Client Initiated Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\"\n flag \"--supported-backchannel-token-delivery-modes \" help=\"The supported backchannel token delivery modes. This property corresponds to the `backchannel_token_delivery_modes_supported`\\nmetadata.\\n\\nBackchannel token delivery modes are defined in the specification of [CIBA (Client Initiated\\nBackchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\" var=#true\n flag \"--backchannel-auth-req-id-duration \" help=\"The duration of backchannel authentication request IDs issued from the backchannel authentication\\nendpoint in seconds. 
This is used as the value of the `expires_in` property in responses from\\nthe backchannel authentication endpoint.\\n\"\n flag \"--backchannel-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds. This is used as the value of the `interval` property in responses from the backchannel\\nauthentication endpoint.\\n\"\n flag \"--backchannel-user-code-parameter-supported\" help=\"The boolean flag which indicates whether the `user_code` request parameter is supported at the\\nbackchannel authentication endpoint. This property corresponds to the `backchannel_user_code_parameter_supported`\\nmetadata.\\n\"\n flag \"--backchannel-binding-message-required-in-fapi\" help=\"The flag to indicate whether the `binding_message` request parameter is always required whenever\\na backchannel authentication request is judged as a request for Financial-grade API.\\n\"\n flag \"--device-authorization-endpoint \" help=\"The URI of the device authorization endpoint.\\n\\nDevice authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.\\n\"\n flag \"--device-verification-uri \" help=\"The verification URI for the device flow. This URI is used as the value of the `verification_uri`\\nparameter in responses from the device authorization endpoint.\\n\"\n flag \"--device-verification-uri-complete \" help=\"The verification URI for the device flow with a placeholder for a user code. This URI is used\\nto build the value of the `verification_uri_complete` parameter in responses from the device\\nauthorization endpoint.\\n\"\n flag \"--device-flow-code-duration \" help=\"The duration of device verification codes and end-user verification codes issued from the device\\nauthorization endpoint in seconds. 
This is used as the value of the `expires_in` property in responses\\nfrom the device authorization endpoint.\\n\"\n flag \"--device-flow-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds in device flow. This is used as the value of the `interval` property in responses from\\nthe device authorization endpoint.\\n\"\n flag \"--user-code-charset \" help=\"The character set for end-user verification codes (`user_code`) for Device Flow.\\n (options: BASE20, NUMERIC)\"\n flag \"--user-code-length \" help=\"The length of end-user verification codes (`user_code`) for Device Flow.\\n\"\n flag \"--supported-trust-frameworks \" help=\"Trust frameworks supported by this service. This corresponds to the `trust_frameworks_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-evidence \" help=\"Evidence supported by this service. This corresponds to the `evidence_supported` [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-identity-documents \" help=\"Identity documents supported by this service. This corresponds to the `id_documents_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verification-methods \" help=\"Verification methods supported by this service. This corresponds to the `id_documents_verification_methods_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verified-claims \" help=\"Verified claims supported by this service. 
This corresponds to the `claims_in_verified_claims_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--verified-claims-validation-schema-set \" help=\"The verified claims validation schema set.\\n (options: standard, standard+id_document)\"\n flag \"--attributes \" help=\"The attributes of this service.\\n\"\n flag \"--nbf-optional\" help=\"The flag indicating whether the nbf claim in the request object is optional even when the authorization\\nrequest is regarded as a FAPI-Part2 request.\\n\"\n flag \"--iss-suppressed\" help=\"The flag indicating whether generation of the iss response parameter is suppressed.\\n\"\n flag \"--supported-custom-client-metadata \" help=\"custom client metadata supported by this service.\\n\" var=#true\n flag \"--token-expiration-linked\" help=\"The flag indicating whether the expiration date of an access token never exceeds that of the\\ncorresponding refresh token.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE `enc` of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--hsm-enabled\" help=\"The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.\\n\\nWhen this flag is `false`, keys managed in HSMs are not used even if they exist. 
In addition,\\n`/api/hsk/*` APIs reject all requests.\\n\\nEven if this flag is `true`, HSM-related features do not work if the configuration of the Authlete\\nserver you are using does not support HSM.\\n\"\n flag \"--hsks \" help=\"The information about keys managed on HSMs (Hardware Security Modules).\\n\\nThis `hsks` property is output only, meaning that `hsks` in requests to `/api/service/create`\\nAPI and `/api/service/update` API do not have any effect. The contents of this property is controlled\\nonly by `/api/hsk/*` APIs.\\n\"\n flag \"--grant-management-endpoint \" help=\"The URL of the grant management endpoint.\\n\"\n flag \"--grant-management-action-required\" help=\"The flag indicating whether every authorization request (and any request serving as an authorization\\nrequest such as CIBA backchannel authentication request and device authorization request) must\\ninclude the `grant_management_action` request parameter.\\n\"\n flag \"--unauthorized-on-client-config-supported\" help=\"The flag indicating whether Authlete's `/api/client/registration` API uses `UNAUTHORIZED` as\\na value of the `action` response parameter when appropriate.\\n\"\n flag \"--dcr-scope-used-as-requestable\" help=\"The flag indicating whether the `scope` request parameter in dynamic client registration and\\nupdate requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.\\n\\nLimiting the range of scopes that a client can request is achieved by listing scopes in the\\n`client.extension.requestableScopes` property and setting the `client.extension.requestableScopesEnabled`\\nproperty to `true`. This feature is called \\\"requestable scopes\\\".\\n\\nThis property affects behaviors of `/api/client/registration` and other family APIs.\\n\"\n flag \"--end-session-endpoint \" help=\"The endpoint for clients ending the sessions.\\n\\nA URL that starts with `https://` and has no fragment component. 
For example, `https://example.com/auth/endSession`.\\n\\nThe value of this property is used as `end_session_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--loopback-redirection-uri-variable\" help=\"The flag indicating whether the port number component of redirection URIs can be variable when\\nthe host component indicates loopback.\\n\"\n flag \"--request-object-audience-checked\" help=\"The flag indicating whether Authlete checks whether the `aud` claim of request objects matches\\nthe issuer identifier of this service.\\n\"\n flag \"--access-token-for-external-attachment-embedded\" help=\"The flag indicating whether Authlete generates access tokens for\\nexternal attachments and embeds them in ID tokens and userinfo\\nresponses.\\n\"\n flag \"--authority-hints \" help=\"Identifiers of entities that can issue entity statements for this\\nservice. This property corresponds to the `authority_hints`\\nproperty that appears in a self-signed entity statement that is\\ndefined in OpenID Connect Federation 1.0.\\n\" var=#true\n flag \"--federation-enabled\" help=\"flag indicating whether this service supports OpenID Connect Federation 1\\n\"\n flag \"--federation-jwks \" help=\"JWK Set document containing keys that are used to sign (1) self-signed\\nentity statement of this service and (2) the response from\\n`signed_jwks_uri`.\\n\"\n flag \"--federation-signature-key-id \" help=\"A key ID to identify a JWK used to sign the entity configuration and\\nthe signed JWK Set.\\n\"\n flag \"--federation-configuration-duration \" help=\"The duration of the entity configuration in seconds.\\n\"\n flag \"--federation-registration-endpoint \" help=\"The URI of the federation registration endpoint. 
This property corresponds\\nto the `federation_registration_endpoint` server metadata that is\\ndefined in OpenID Connect Federation 1.0.\\n\"\n flag \"--organization-name \" help=\"The human-readable name representing the organization that operates\\nthis service. This property corresponds to the `organization_name`\\nserver metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--predefined-transformed-claims \" help=\"The transformed claims predefined by this service in JSON format.\\nThis property corresponds to the `transformed_claims_predefined`\\nserver metadata.\\n\"\n flag \"--refresh-token-idempotent\" help=\"flag indicating whether refresh token requests with the same\\nrefresh token can be made multiple times in quick succession and\\nthey can obtain the same renewed refresh token within the short\\nperiod.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this service's JWK Set document in\\nthe JWT format. This property corresponds to the `signed_jwks_uri`\\nserver metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--supported-attachments \" help=\"Supported attachment types. This property corresponds to the {@code\\nattachments_supported} server metadata which was added by the third\\nimplementer's draft of OpenID Connect for Identity Assurance 1.0.\\n\" var=#true\n flag \"--supported-digest-algorithms \" help=\"Supported algorithms used to compute digest values of external\\nattachments. This property corresponds to the\\n`digest_algorithms_supported` server metadata which was added\\nby the third implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--supported-documents \" help=\"Document types supported by this service. 
This property corresponds\\nto the `documents_supported` server metadata.\\n\" var=#true\n flag \"--supported-documents-methods \" help=\"validation and verification processes supported by this service.\\nThis property corresponds to the `documents_methods_supported`\\nserver metadata.\\n\\nThe third implementer's draft of [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\nrenamed the\\n`id_documents_verification_methods_supported` server metadata to\\n`documents_methods_supported`.\\n\" var=#true\n flag \"--supported-documents-validation-methods \" help=\"Document validation methods supported by this service. This property\\ncorresponds to the `documents_validation_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n\" var=#true\n flag \"--supported-documents-verification-methods \" help=\"Document verification methods supported by this service. This property\\ncorresponds to the `documents_verification_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-electronic-records \" help=\"Electronic record types supported by this service. 
This property\\ncorresponds to the `electronic_records_supported` server metadata\\nwhich was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-client-registration-types \" help=\"list of values\" var=#true\n flag \"--token-exchange-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nmaking token exchange requests.\\n\"\n flag \"--token-exchange-by-confidential-clients-only\" help=\"The flag indicating whether to prohibit public clients from making\\ntoken exchange requests.\\n\"\n flag \"--token-exchange-by-permitted-clients-only\" help=\"The flag indicating whether to prohibit clients that have no explicit\\npermission from making token exchange requests.\\n\"\n flag \"--token-exchange-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse encrypted JWTs as input tokens.\\n\"\n flag \"--token-exchange-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse unsigned JWTs as input tokens.\\n\"\n flag \"--jwt-grant-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nusing the grant type \\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nencrypted JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nunsigned JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--dcr-duplicate-software-id-blocked\" help=\"The flag indicating whether to block DCR (Dynamic 
Client Registration)\\nrequests whose \\\"software_id\\\" has already been used previously.\\n\"\n flag \"--trust-anchors \" help=\"The trust anchors that are referenced when this service resolves\\ntrust chains of relying parties.\\n\\nIf this property is empty, client registration fails regardless of\\nwhether its type is `automatic` or `explicit`. It means\\nthat OpenID Connect Federation 1.0 does not work.\\n\"\n flag \"--openid-dropped-on-refresh-without-offline-access\" help=\"The flag indicating whether the openid scope should be dropped from\\nscopes list assigned to access token issued when a refresh token grant\\nis used.\\n\"\n flag \"--supported-documents-check-methods \" help=\"Supported document check methods. This property corresponds to the `documents_check_methods_supported`\\nserver metadata which was added by the fourth implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--rs-response-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--cnonce-duration \" help=\"The duration of `c_nonce`.\\n\"\n flag \"--dpop-nonce-required\" help=\"Whether to require DPoP proof JWTs to include the `nonce` claim\\nwhenever they are presented.\\n\"\n flag \"--verifiable-credentials-enabled\" help=\"Get the flag indicating whether the feature of Verifiable Credentials\\nfor this service is enabled or not.\\n\"\n flag \"--credential-jwks-uri \" help=\"The URL at which the JWK Set document of the credential issuer is\\nexposed.\\n\"\n flag \"--credential-offer-duration \" help=\"The default duration of credential offers in seconds.\\n\"\n flag \"--dpop-nonce-duration \" help=\"The duration of nonce values for DPoP proof JWTs in seconds.\\n\"\n flag \"--pre-authorized-grant-anonymous-access-supported\" help=\"The flag indicating whether token requests using the pre-authorized\\ncode grant flow by unidentifiable clients are allowed.\\n\"\n flag 
\"--credential-transaction-duration \" help=\"The duration of transaction ID in seconds that may be issued as a\\nresult of a credential request or a batch credential request.\\n\"\n flag \"--introspection-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--resource-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--user-pin-length \" help=\"The default length of user PINs.\\n\"\n flag \"--supported-prompt-values \" help=\"The supported `prompt` values.\\n\" var=#true\n flag \"--id-token-reissuable\" help=\"The flag indicating whether to enable the feature of ID token\\nreissuance in the refresh token flow.\\n\"\n flag \"--credential-jwks \" help=\"The JWK Set document containing private keys that are used to sign\\nverifiable credentials.\\n\"\n flag \"--fapi-modes \" help=\"FAPI modes for this service.\\n\\nWhen the value of this property is not `null`, Authlete always processes requests to this service based\\non the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported\\nby this service.\\n\\nFor instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete always\\nprocesses requests to this service based on \\\"Financial-grade API Security Profile 1.0 - Part 2:\\nAdvanced\\\" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.\\n\" var=#true\n flag \"--credential-duration \" help=\"The default duration of verifiable credentials in seconds.\\n\"\n flag \"--credential-issuer-metadata \" help=\"JSON object\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim in ID tokens.\\n\"\n flag \"--native-sso-supported\" help=\"Flag that enables the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (“Native SSO”). 
When this property is **not** `true`, Native SSO specific parameters are ignored or treated as errors.\\nFor example:\\n\\n* The `device_sso` scope has no special meaning (Authlete does not embed the `sid` claim in ID tokens).\\n* The `urn:openid:params:token-type:device-secret` token type is treated as unknown and results in an error.\\n\\nWhen set to `true`, the server metadata advertises `\\\"native_sso_supported\\\": true`. See [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)\\nand [RFC 8414 §2](https://www.rfc-editor.org/rfc/rfc8414.html#section-2) for background. Native SSO is available in Authlete 3.0 and later.\\n\"\n flag \"--oid4vci-version \" help=\"Version of the [OpenID for Verifiable Credential Issuance](https://www.authlete.com/developers/oid4vci/) (OID4VCI) specification to support.\\n\\nAccepted values are:\\n\\n* `null` or `\\\"1.0-ID1\\\"` → Implementer’s Draft 1.\\n* `\\\"1.0\\\"` or `\\\"1.0-Final\\\"` → Final 1.0 specification.\\n\\nChoose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.\\n\"\n flag \"--cimd-metadata-policy-enabled\" help=\"Flag that controls whether the CIMD metadata policy is applied to client\\nmetadata obtained through the Client ID Metadata Document (CIMD)\\nmechanism.\\n\"\n flag \"--client-id-metadata-document-supported\" help=\"Indicates whether the Client ID Metadata Document (CIMD) mechanism is\\nsupported. When `true`, the service will attempt to retrieve client\\nmetadata via CIMD where applicable.\\n\"\n flag \"--cimd-allowlist-enabled\" help=\"Enables the allowlist for CIMD. 
When `true`, only CIMD endpoints that are\\non the allowlist are used.\\n\"\n flag \"--cimd-allowlist \" help=\"The allowlist of CIMD endpoints (hosts/URIs) that may be used when\\nretrieving client metadata via Client ID Metadata Documents.\\n\" var=#true\n flag \"--cimd-always-retrieved\" help=\"If `true`, CIMD retrieval is always attempted for clients, regardless of\\nother conditions.\\n\"\n flag \"--cimd-http-permitted\" help=\"Allows CIMD retrieval over plain HTTP. When `false`, only HTTPS CIMD\\nendpoints are allowed.\\n\"\n flag \"--cimd-query-permitted\" help=\"Allows the use of query parameters when retrieving CIMD metadata. When\\n`false`, query parameters are disallowed for CIMD requests.\\n\"\n flag \"--cimd-metadata-policy \" help=\"The metadata policy applied to client metadata obtained through the CIMD\\nmechanism. The value must follow the metadata policy grammar defined in\\n[OpenID Federation 1.0 §6.1 Metadata Policy](https://openid.net/specs/openid-federation-1_0.html#name-metadata-policy).\\n\"\n flag \"--http-alias-prohibited\" help=\"When `true`, client ID aliases starting with `https://` or `http://` are\\nprohibited.\\n\"\n flag \"--attestation-challenge-time-window \" help=\"The time window of attestation challenges in seconds. This is used for\\nOAuth 2.0 Attestation-Based Client Authentication.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Service ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n cmd \"get-configuration\" help=\"Get Service Configuration\" {\n alias \"gc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. 
The default value is `false`.\"\n flag \"--patch \" help=\"Get the JSON Patch [RFC 6902 JavaScript Object Notation (JSON) Patch](https://www.rfc-editor.org/rfc/rfc6902) to be applied.\"\n }\n}\ncmd \"client\" help=\"Operations for client\" {\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n }\n cmd \"list\" help=\"List Clients\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--developer \" help=\"The developer of client applications. The default value is null. If this parameter is not set\\nto `null`, client application of the specified developer are returned. Otherwise, all client\\napplications that belong to the service are returned.\\n\"\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n }\n cmd \"create\" help=\"Create Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. 
If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. 
If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-form\" help=\"Update Client\" {\n alias \"uf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--body-param \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"The client ID. [required]\"\n }\n cmd \"management\" help=\"Operations for client-management\" {\n cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. 
[required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n }\n cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorized-applications\" help=\"Get Authorized Applications\" {\n alias \"laa\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"list-authorized-applications-post\" help=\"Get Authorized Applications\" {\n alias \"laap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. 
[required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"revoke-client-tokens\" help=\"Delete Client Tokens\" {\n alias \"rct\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"revoke-client-tokens-post\" help=\"Delete Client Tokens\" {\n alias \"rctp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes-for-client\" help=\"Get Granted Scopes\" {\n alias \"ggsfc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes-for-client-post\" help=\"Get Granted Scopes\" {\n alias \"ggsfcp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes-for-client\" help=\"Delete Granted Scopes\" {\n alias \"dgsfc\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n cmd \"update-requestable-scopes-post\" help=\"Update Requestable Scopes\" {\n alias \"ursp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. 
Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n }\n}\ncmd \"authorization\" help=\"Operations for authorization\" {\n cmd \"process-request\" help=\"Process Authorization Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of\\nthe authorization server implementation received from the client application.\\n\\nThe value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is `GET`\\nor (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from\\nthe client application is `POST`.\\n [required]\"\n flag \"--context \" help=\"The arbitrary text to be attached to the ticket that will be issued from the `/auth/authorization`\\nAPI.\\n\\nThe text can be retrieved later by the `/auth/authorization/ticket/info` API and can be updated\\nby the `/auth/authorization/ticket/update` API.\\n\\nThe text will be compressed and encrypted when it is saved in the Authlete database.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata 
Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the authorization request.\\nFor more details, see [NO_INTERACTION] in the description of `/auth/authorization` API.\\n (options: UNKNOWN, NOT_LOGGED_IN, MAX_AGE_NOT_SUPPORTED, EXCEEDS_MAX_AGE, DIFFERENT_SUBJECT, ACR_NOT_SATISFIED, DENIED, SERVER_ERROR, NOT_AUTHENTICATED, ACCOUNT_SELECTION_REQUIRED, CONSENT_REQUIRED, INTERACTION_REQUIRED, INVALID_TARGET) [required]\"\n flag \"--description \" help=\"The custom description about the authorization failure.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Authorization Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= a user account managed by the service) who has granted authorization to the client application.\\n [required]\"\n flag \"--auth-time \" help=\"The time when the authentication of the end-user occurred. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference performed for the end-user authentication.\"\n flag \"--claims \" help=\"The claims of the end-user (= pieces of information about the end-user) in JSON format.\\nSee [OpenID Connect Core 1.0, 5.1. 
Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) for details about the format.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with an access token and/or an authorization code.\"\n flag \"--scopes \" help=\"Scopes to associate with an access token and/or an authorization code.\\nIf a non-empty string array is given, it replaces the scopes specified by the original authorization request.\\n\" var=#true\n flag \"--sub \" help=\"The value of the `sub` claim to embed in an ID token. If this request parameter is `null` or empty,\\nthe value of the `subject` request parameter is used as the value of the `sub` claim.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens that may be issued based on\\nthe authorization request.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--session-id \" help=\"The session ID of the user's authentication session. The specified value will be embedded in the\\nID token as the value of the `sid` claim. This parameter needs to be provided only if you want\\nto support the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (a.k.a. \\\"Native SSO\\\"). To enable support for the Native SSO specification, the\\n`nativeSsoSupported` property of your service must be set to `true`.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"management\" help=\"Operations for authorization-management\" {\n cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. 
[required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n }\n}\ncmd \"pushed-authorization\" help=\"Operations for pushed-authorization\" {\n alias \"pa\"\n cmd \"create\" help=\"Process Pushed Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"The pushed authorization request body received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the pushed request from the client application.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the pushed authorization request from the client application.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS connection to pushed authorization endpoint from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. 
These certificates are strings in PEM format.\\n\" var=#true\n flag \"--dpop \" help=\"DPoP Header\\n\"\n flag \"--htm \" help=\"HTTP Method (for DPoP validation).\\n\"\n flag \"--htu \" help=\"HTTP URL base (for DPoP validation).\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/pushed_auth_req` API with\\nthis `dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP\\nproof JWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"token\" help=\"Operations for token\" {\n cmd \"process\" help=\"Process Token Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server\\nimplementation received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as\\na means of client authentication, and the request from the client application contained its client ID\\nin `Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS of the token request from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. These certificates are strings in PEM format.\\n\" var=#true\n flag \"--properties \" help=\"Extra properties to associate with an access token. 
See [Extra Properties](https://www.authlete.com/developers/definitive_guide/extra_properties/)\\nfor details.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the token endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the token request. This field is used to validate the `DPoP` header.\\n\\nIn normal cases, the value is `POST`. When this parameter is omitted, `POST` is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the token endpoint. This field is used to validate the `DPoP` header.\\n\\nIf this parameter is omitted, the `tokenEndpoint` property of the Service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 
Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/token` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Token Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the token request.\\n (options: UNKNOWN, INVALID_RESOURCE_OWNER_CREDENTIALS, INVALID_TARGET) [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Token Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the authenticated user.\\n [required]\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter is accepted only\\nwhen `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify properties.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"management\" help=\"Operations for token-management\" {\n cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. 
{@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list\" help=\"List Issued Tokens\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"Client Identifier (client ID or client ID alias).\\n\"\n flag \"--subject \" help=\"Unique user ID.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"create\" help=\"Create Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--grant-type \" help=\"The grant type of the access token when the access token was created.\\n (options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE) [required]\"\n flag \"--client-id \" help=\"The ID of the client application which will be associated with a newly created access token.\\n\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the user who will be associated with a newly created access\\ntoken. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must\\nconsist of only ASCII characters and its length must not exceed 100.\\n\"\n flag \"--scopes \" help=\"The scopes which will be associated with a newly created access token. Scopes that are not supported\\nby the service cannot be specified and requesting them will cause an error.\\n\" var=#true\n flag \"--access-token-duration \" help=\"The duration of a newly created access token in seconds. If the value is 0, the duration is determined\\naccording to the settings of the service.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of a newly created refresh token in seconds. 
If the value is 0, the duration is\\ndetermined according to the settings of the service.\\n\\nA refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the\\nspecified grant type is either `IMPLICIT`or `CLIENT_CREDENTIALS`.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter\\nis accepted only when the HTTP method of the request is POST and Content-Type of the request is\\n`application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want\\nto specify properties.\\n\"\n flag \"--client-id-alias-used\" help=\"A boolean request parameter which indicates whether to emulate that the client ID alias is used\\ninstead of the original numeric client ID when a new access token is created.\\n\"\n flag \"--access-token \" help=\"The value of the new access token.\\n\"\n flag \"--refresh-token \" help=\"The value of the new refresh token.\\n\"\n flag \"--access-token-persistent\" help=\"Get whether the access token expires or not. By default, all access tokens expire after a period\\nof time determined by their service.\\n\\nIf this request parameter is `true`, then the access token will not automatically expire and must\\nbe revoked or deleted manually at the service. If this request parameter is true, the `accessTokenDuration`\\nrequest parameter is ignored.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. 
If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--resources \" help=\"The value of the resources to associate with the token. This property represents the value of\\none or more `resource` request parameters which is defined in \\\"RFC8707 Resource Indicators for\\nOAuth 2.0\\\".\\n\" var=#true\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication that the authorization server performed\\nduring the course of issuing the access token.\\n\"\n flag \"--auth-time \" help=\"The time when the user authentication was performed during the course of issuing the access token.\\n\"\n flag \"--client-entity-id-used\" help=\"Flag which indicates whether the entity ID of the client was used when the request for the access token was made.\\n\"\n flag \"--client-identifier \" help=\"The client Identifier associated with the newly issued access token.\\n\"\n flag \"--session-id \" help=\"The session ID, which is the ID of the user's authentication session, associated with a newly\\ncreated access token.\\n\"\n flag \"--metadata-document-used\" help=\"Flag indicating whether a metadata document was used to resolve client metadata for this request.\\n\\nWhen `true`, the client metadata was retrieved via the [OAuth Client ID Metadata 
Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD) mechanism rather than from the Authlete database.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token.\\n\"\n flag \"--access-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the access token is not changed.\\n\"\n flag \"--scopes \" help=\"A new set of scopes assigned to the access token. Scopes that are not supported by the service\\nand those that the client application associated with the access token is not allowed to request\\nare ignored on the server side. If the `scopes` request parameter is not included in a request or\\nits value is `null`, the scopes of the access token are not changed. Note that `properties` parameter\\nis accepted only when `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify `properties`.\\n\" var=#true\n flag \"--properties \" help=\"A new set of properties assigned to the access token. If the `properties` request parameter is\\nnot included in a request or its value is null, the properties of the access token are not changed.\\n\"\n flag \"--access-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the access token when the scopes linked to the access token are changed by this request.\\n\"\n flag \"--access-token-hash \" help=\"The hash of the access token value. 
Used when the hash of the token is known (perhaps from lookup)\\nbut the value of the token itself is not. The value of the `accessToken` parameter takes precedence.\\n\"\n flag \"--access-token-value-updated\" help=\"A boolean request parameter which indicates whether to update the value of the access token in\\nthe data store. If this parameter is set to `true` then a new access token value is generated\\nby the server and returned in the response.\\n\"\n flag \"--access-token-persistent\" help=\"The flag which indicates whether the access token expires or not. By default, all access tokens\\nexpire after a period of time determined by their service. If this request parameter is `true`\\nthen the access token will not automatically expire and must be revoked or deleted manually at\\nthe service.\\n\\nIf this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored.\\nIf this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed\\nnormally.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--refresh-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `refreshTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the refresh token is not changed.\\n\"\n flag \"--refresh-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the refresh token when the scopes linked to the refresh token are changed by this request.\\n\"\n flag \"--token-id \" help=\"The token identifier.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an existing access token. The identifier is the value of the access token\\nor the value of the hash of the access token.\\n [required]\"\n }\n cmd \"revoke\" help=\"Revoke Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an access token to revoke\\n\\nThe hash of an access token is recognized as an identifier as well as the access token itself.\\n\"\n flag \"--refresh-token-identifier \" help=\"The identifier of a refresh token to revoke.\\n\\nThe hash of a refresh token is recognized as an identifier as well as the refresh token itself.\\n\"\n flag \"--client-identifier \" help=\"The client ID of the access token to be revoked.\\n\\nBoth the numeric client ID and the alias are recognized as an identifier\\nof a client.\\n\"\n flag \"--subject \" help=\"The subject of a resource owner.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n }\n}\ncmd \"introspection\" help=\"Operations for introspection\" {\n cmd \"process\" help=\"Process Introspection Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token to introspect. [required]\"\n flag \"--scopes \" help=\"A string array listing names of scopes which the caller (= a protected resource endpoint of the\\nservice) requires. 
When the content type of the request from the service is `application/x-www-form-urlencoded`,\\nthe format of `scopes` is a space-separated list of scope names.\\n\\nIf this parameter is a non-empty array and if it contains a scope which is not covered by the\\naccess token,`action=FORBIDDEN` with `error=insufficient_scope` is returned from Authlete.\\n\" var=#true\n flag \"--subject \" help=\"A subject (= a user account managed by the service) whom the caller (= a protected resource\\nendpoint of the service) requires.\\n\\nIf this parameter is not `null` and if the value does not match the subject who is associated\\nwith the access token, `action=FORBIDDEN` with `error=invalid_request` is returned from Authlete.\\n\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--resources \" help=\"The resources specified by the `resource` request parameters in the token request. See \\\"Resource Indicators for OAuth 2.0\\\" for details.\\n\" var=#true\n flag \"--acr-values \" help=\"Authentication Context Class Reference values one of which the user authentication performed during the course\\nof issuing the access token must satisfy.\\n\" var=#true\n flag \"--max-age \" help=\"The maximum authentication age which is the maximum allowable elapsed time since the user authentication\\nwas performed during the course of issuing the access token.\\n\"\n flag \"--required-components \" help=\"HTTP Message Components required to be in the signature. If absent, defaults to [ \\\"@method\\\", \\\"@target-uri\\\", \\\"authorization\\\" ].\\n\" var=#true\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the resource request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/introspection` API checks if the DPoP proof JWT includes the expected\\n`nonce` value. 
In this case, the response from the `/auth/introspection` API will include the\\n`dpopNonce` response parameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the resource request contains a request body.\\n\\nWhen the resource request must comply with the HTTP message signing requirements defined in the\\nFAPI 2.0 Message Signing specification, the `\\\"content-digest\\\"` component identifier must be included\\nin the signature base of the HTTP message signature (see [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html))\\nif the resource request contains a request body.\\n\\nWhen this `requestBodyContained` parameter is set to `true`, Authlete checks whether `\\\"content-digest\\\"`\\nis included in the signature base, if the FAPI profile applies to the resource request.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"standard-process\" help=\"Process OAuth 2.0 Introspection Request\" {\n alias \"sp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"Request parameters which comply with the introspection request defined\\nin \\\"[2.1. Introspection Request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1)\\\" in\\nRFC 7662.\\n\\nThe implementation of the introspection endpoint of your authorization server will receive an\\nHTTP POST [[RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231)] request with parameters\\nin the `application/x-www-form-urlencoded` format. 
It is the entity body of the request that\\nAuthlete's `/api/auth/introspection/standard` API expects as the value of `parameters`.\\n [required]\"\n flag \"--with-hidden-properties\" help=\"Flag indicating whether to include hidden properties in the output.\\n\\nAuthlete has a mechanism whereby to associate arbitrary key-value pairs with an access token.\\nEach key-value pair has a hidden attribute. By default, key-value pairs whose hidden attribute\\nis set to `true` are not embedded in the standard introspection output.\\n\\nIf the `withHiddenProperties` request parameter is given and its value is `true`, `/api/auth/introspection/standard\\nAPI includes all the associated key-value pairs into the output regardless of the value of the\\nhidden attribute.\\n\"\n flag \"--rs-uri \" help=\"The URI of the resource server making the introspection request.\\n\\nIf the `rsUri` request parameter is given and the token has audience values, Authlete checks if\\nthe value of the `rsUri` request parameter is contained in the audience values. If not contained,\\nAuthlete generates an introspection response with the `active` property set to `false`.\\n\\nThe `rsUri` request parameter is required when the resource server requests a JWT introspection\\nresponse, i.e., when the value of the `httpAcceptHeader` request parameter is set to `\\\"application/token-introspection+jwt\\\"`.\\n\"\n flag \"--http-accept-header \" help=\"The value of the `HTTP Accept` header in the introspection request.\\n\\nIf the value of the `httpAcceptHeader` request parameter is `\\\"application/token-introspection+jwt\\\"`,\\nAuthlete generates a JWT introspection response. See \\\"[4. 
Requesting a JWT Response](https://www.rfc-editor.org/rfc/rfc9701.html#section-4)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\"\\nfor more details.\\n\"\n flag \"--introspection-sign-alg \" help=\"The JWS `alg` algorithm for signing the introspection response. This parameter corresponds to\\n`introspection_signed_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `RS256`.\\n\"\n flag \"--introspection-encryption-alg \" help=\"The JWE `alg` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nIf the `introspectionEncryptionAlg` request parameter is specified, Authlete generates a JWT\\nintrospection response encrypted with the algorithm by this property and the algorithm specified by\\nthe `introspectionEncryptionEnc` request parameter.\\n\"\n flag \"--introspection-encryption-enc \" help=\"The JWE `enc` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_enc` defined in \\\"[6. 
Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `A128CBC_HS256`.\\n\"\n flag \"--shared-key-for-sign \" help=\"The shared key for signing the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForSign` request parameter is required when the introspection response is requested\\nto be signed with a symmetric algorithm.\\n\"\n flag \"--shared-key-for-encryption \" help=\"The shared key for encrypting the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with a symmetric algorithm.\\n\"\n flag \"--public-key-for-encryption \" help=\"The public key for signing the introspection response with an asymmetric algorithm.\\n\\nThe `publicKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with an asymmetric algorithm.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"revocation\" help=\"Operations for revocation\" {\n cmd \"process\" help=\"Process Revocation Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint\\n([RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)) of the authorization server implementation received from the\\nclient application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request\\nfrom the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports Basic Authentication\\nas a means of client authentication, and the request from the client application contains its client ID in\\n`Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the revocation endpoint.\\n\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop 
\" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"userinfo\" help=\"Operations for userinfo\" {\n cmd \"process\" help=\"Process UserInfo Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token.\\n [required]\"\n flag \"--client-certificate \" help=\"Client certificate used in the TLS connection established between the client application and the userinfo endpoint.\\n\\nThe value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to\\na client certificate when it was issued. See [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens]\\n(https://datatracker.ietf.org/doc/rfc8705/) for details about the specification of certificate-bound access tokens.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the user info endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the user info request. This field is used to validate the DPoP header.\\nIn normal cases, the value is either `GET` or `POST`.\\n\"\n flag \"--htu \" help=\"URL of the user info endpoint. 
This field is used to validate the DPoP header.\\n\\nIf this parameter is omitted, the `userInfoEndpoint` property of the service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the userinfo request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/userinfo` API checks if the DPoP proof JWT includes the expected `nonce`\\nvalue. In this case, the response from the `/auth/userinfo` API will include the `dpopNonce` response\\nparameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the userinfo request contains a request body.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue UserInfo Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"The access token that has been passed to the userinfo endpoint by the client application. In other words,\\nthe access token which was contained in the userinfo request.\\n [required]\"\n flag \"--claims \" help=\"Claims in JSON format. 
As for the format, see [OpenID Connect Core 1.0, 5.1. Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).\\n\"\n flag \"--sub \" help=\"The value of the `sub` claim. If the value of this request parameter is not empty, it is used as the value of\\nthe `sub` claim. Otherwise, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--request-signature \" help=\"The Signature header value from the request.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"grant-management\" help=\"Operations for grant-management\" {\n alias \"gm\"\n cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. 
See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n}\ncmd \"JWK-set-endpoint\" help=\"API endpoints for to generate JSON Web Key Set (JWKS) for a service\" {\n alias \"Jse\"\n cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n }\n}\ncmd \"dynamic-client-registration\" help=\"Operations for dynamic-client-registration\" {\n alias \"dcr\"\n cmd \"register\" help=\"Register Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. 
Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"ciba\" help=\"Operations for ciba\" {\n cmd \"process-authentication\" help=\"Process Backchannel Authentication Request\" {\n alias \"pa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a backchannel authentication request which are the request parameters that the\\nbackchannel authentication endpoint of the OpenID provider implementation received from the client\\napplication.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the backchannel authentication request from\\nthe client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client ID in Authorization header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from Authorization header of the backchannel authentication request\\nfrom the client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in Authorization header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certification used in the TLS connection between the client application and the\\nbackchannel authentication endpoint of the OpenID provider.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Backchannel Authentication Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Backchannel Authentication Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket which should be deleted on a call of Authlete's `/backchannel/authentication/fail` API.\\nThis request parameter is not mandatory but optional. If this request parameter is given and the\\nticket belongs to the service, the specified ticket is deleted from the database. 
Giving this\\nparameter is recommended to clean up the storage area for the service.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the backchannel authentication request. This request parameter is\\nnot mandatory but optional. However, giving this parameter is recommended. If omitted, `SERVER_ERROR`\\nis used as a reason.\\n (options: ACCESS_DENIED, EXPIRED_LOGIN_HINT_TOKEN, INVALID_BINDING_MESSAGE, INVALID_TARGET, INVALID_USER_CODE, MISSING_USER_CODE, SERVER_ERROR, UNAUTHORIZED_CLIENT, UNKNOWN_USER_ID) [required]\"\n flag \"--error-description \" help=\"The description of the error. This corresponds to the `error_description` property in the response\\nto the client.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. If this optional request parameter\\nis given, its value is used as the value of the `error_uri` property.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Backchannel Authentication\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued by Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. 
Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original backchannel authentication request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"device-flow\" help=\"Operations for device-flow\" {\n alias \"df\"\n cmd \"authorization\" help=\"Process Device Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a device authorization request which are the request parameters that the device\\nauthorization endpoint of the authorization server implementation received from the client application.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the device authorization request from the\\nclient application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\n`Authentication` as a means of client authentication, and the request from the client application\\ncontained its client ID in `Authorization` header, the value should be extracted and set to this\\nparameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the device authorization request from\\nthe client application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in `Authorization` header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the device\\nauthorization endpoint of the authorization server.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"verification\" help=\"Process Device Verification Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Device Authorization\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. 
Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original device authorization request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. 
This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"jose-object\" help=\"API endpoints for JOSE objects\" {\n alias \"jo\"\n cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"federation\" help=\"Operations for federation\" {\n cmd \"configuration\" help=\"Process Entity Configuration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--body-param \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"registration\" help=\"Process Federation Registration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--entity-configuration \" help=\"The entity configuration of a relying party.\\n\"\n flag \"--trust-chain \" help=\"The trust chain of a relying party.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"hardware-security-keys\" help=\"Operations for hardware-security-keys\" {\n alias \"hsk\"\n cmd \"create\" help=\"Create Security Key\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--kty \" help=\"The key type (EC or RSA)\\n\"\n flag \"--use \" help=\"The key on the HSM.\\nWhen the key use is \\\"sig\\\" (signature), the private key on the HSM is used to sign data and the corresponding public key is used to verify the signature.\\nWhen the key use is \\\"enc\\\" (encryption), the private key on the HSM is used to decrypt encrypted data which have been encrypted with the corresponding public key\\n\"\n flag \"--kid \" help=\"Key ID for the key on the HSM.\\n\"\n flag \"--hsm-name \" help=\"The name of the HSM.\\nThe identifier for the HSM that sits behind the Authlete server. For example, \\\"google\\\".\\n\"\n flag \"--alg \" help=\"The algorithm of the key on the HSM. When the key use is `\\\"sig\\\"`, the algorithm represents a signing\\nalgorithm such as `\\\"ES256\\\"`. When the key use is `\\\"enc\\\"`, the algorithm represents an encryption\\nalgorithm such as `\\\"RSA-OAEP-256\\\"`.\\n\\nIt is rare that HSMs support all the algorithms listed in [RFC 7518 JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518.html).\\nWhen the specified algorithm is not supported by the HSM, the request to the `/hsk/create` API\\nfails.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"get\" help=\"Get Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"list\" help=\"List Security Keys\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n}\ncmd \"verifiable-credentials\" help=\"Operations for verifiable-credentials\" {\n alias \"vc\"\n cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"parse\" help=\"Parse Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"lifecycle\" help=\"Operations for lifecycle\" {\n cmd \"get-api-lifecycle-healthcheck\" help=\"Health Check\" {\n alias \"galh\"\n flag \"--extended\" help=\"If `true`, perform extended health checks (e.g. database connectivity).\\n\"\n }\n}\ncmd \"native-sso\" help=\"Operations for native-sso\" {\n alias \"ns\"\n cmd \"process\" help=\"Native SSO Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be: (a) the value of the `jwtAccessToken` parameter in a response\\nfrom the `/auth/token` API when the value is available, or (b) the value of the `accessToken`\\nparameter in the response from the `/auth/token` API when the `jwtAccessToken` parameter is not\\navailable.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the `refreshToken` parameter in a response\\nfrom the `/auth/token` API.\\n\"\n flag \"--sub \" help=\"The value that should be used as the value of the `sub` claim of the ID token. This parameter\\nis optional. When omitted, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of the ID token. The format is a\\nJSON object. 
This parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of the ID token. The format is\\na JSON object. This parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values of this parameter are\\nas follows:\\n\"\n flag \"--device-secret \" help=\"The device secret. The value of this parameter should be the value of the `deviceSecret` parameter\\nin the response from the `/auth/token` API, if the parameter is present. Otherwise, the authorization\\nserver should generate a new device secret and specify it as the value of this parameter.\\n [required]\"\n flag \"--device-secret-hash \" help=\"The device secret hash. The specified device secret hash is included as the value of the `ds_hash`\\nclaim in the ID token generated by the `/nativesso` API. If the `deviceSecretHash` request parameter\\nis omitted, the value of the `deviceSecret` request parameter is used to compute the hash.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"logout\" help=\"Native SSO Logout Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--session-id \" help=\"The session ID of a user's authentication session.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\ncmd \"configure\" help=\"Configure authentication credentials and preferences\"\ncmd \"whoami\" help=\"Display current authentication configuration\"\ncmd \"version\" help=\"Print the CLI version\"\n", + "service": "cmd \"service\" help=\"Operations for service\" {\n cmd \"get\" help=\"Get Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n cmd \"list\" help=\"List Services\" {\n flag \"--start \" help=\"Start index (inclusive) of the result set. 
The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n }\n cmd \"update\" help=\"Update Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--service-name \" help=\"The name of this service.\"\n flag \"--issuer \" help=\"The issuer identifier of the service.\\n\\nA URL that starts with https:// and has no query or fragment component.\\n\\nThe value of this property is used as `iss` claim in an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\\nand `issuer` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--description \" help=\"The description about the service.\"\n flag \"--token-batch-notification-endpoint \" help=\"The endpoint for batch token notifications. This endpoint is called when \\nmultiple tokens are issued or revoked in a batch operation.\\n\"\n flag \"--client-assertion-aud-restricted-to-issuer\" help=\"The flag indicating whether the audience of client assertion JWTs must \\nmatch the issuer identifier of this service.\\n\"\n flag \"--clients-per-developer \" help=\"The maximum number of client applications that a developer can have.\\n\"\n flag \"--developer-authentication-callback-endpoint \" help=\"The endpoint for developer authentication callbacks. 
This is used when \\ndevelopers log into the developer portal.\\n\"\n flag \"--developer-authentication-callback-api-key \" help=\"The API key for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--developer-authentication-callback-api-secret \" help=\"The API secret for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--supported-snses \" help=\"Social login services (SNS) that this service supports for end-user \\nauthentication.\\n\" var=#true\n flag \"--sns-credentials \" help=\"The credentials for social login services (SNS) that are used for \\nend-user authentication.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always `true`.\"\n flag \"--metadata \" help=\"The `metadata` of the service. The content of the returned array depends on contexts.\\nThe predefined service metadata is listed in the following table.\\n\\n | Key | Description |\\n | --- | --- |\\n | `clientCount` | The number of client applications which belong to this service. 
|\\n\"\n flag \"--authentication-callback-endpoint \" help=\"A Web API endpoint for user authentication which is to be prepared on the service side.\\n\\nThe endpoint must be implemented if you do not implement the UI at the authorization endpoint\\nbut use the one provided by Authlete.\\n\\nThe user authentication at the authorization endpoint provided by Authlete is performed by making\\na `POST` request to this endpoint.\\n\"\n flag \"--authentication-callback-api-key \" help=\"API key for basic authentication at the authentication callback endpoint.\\n\\nIf the value is not empty, Authlete generates Authorization header for Basic authentication when\\nmaking a request to the authentication callback endpoint.\\n\"\n flag \"--authentication-callback-api-secret \" help=\"API secret for `basic` authentication at the authentication callback endpoint.\"\n flag \"--supported-grant-types \" help=\"Values of `grant_type` request parameter that the service supports.\\n\\nThe value of this property is used as `grant_types_supported property` in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-response-types \" help=\"Values of `response_type` request parameter that\\nthe service supports. Valid values are listed in Response Type.\\n\\nThe value of this property is used as `response_types_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-authorization-details-types \" help=\"The supported data types that can be used as values of the type field in `authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types_supported` metadata. 
See \\\"OAuth 2.0\\nRich Authorization Requests\\\" (RAR) for details.\\n\" var=#true\n flag \"--supported-service-profiles \" help=\"The profiles that this service supports.\\n\" var=#true\n flag \"--error-description-omitted\" help=\"The flag to indicate whether the `error_description` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include\\nthe `error_description` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the `error_description` response parameter in error responses.\\n\"\n flag \"--error-uri-omitted\" help=\"The flag to indicate whether the `error_uri` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include the `error_uri` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the\\n`error_uri` response parameter in error responses.\\n\"\n flag \"--authorization-endpoint \" help=\"The authorization endpoint of the service.\\n\\nA URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/authorization`.\\n\\nThe value of this property is used as `authorization_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-authorization-endpoint-enabled\" help=\"The flag to indicate whether the direct authorization endpoint is enabled or not.\\n\\nThe path of the endpoint is `/api/auth/authorization/direct/service-api-key`.\\n\"\n flag \"--supported-ui-locales \" help=\"UI locales that the service supports.\\n\\nEach element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646). 
For example, `en-US` and `ja-JP`.\\n\\nThe value of this property is used as `ui_locales_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-displays \" help=\"Values of `display` request parameter that service supports.\\n\\nThe value of this property is used as `display_values_supported` property in the Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--authorization-response-duration \" help=\"The duration of authorization response JWTs in seconds.\\n\\n[Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)\\ndefines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,\\n`form_post.jwt` and `jwt`. 
If one of them is specified as the response mode, response parameters\\nfrom the authorization endpoint will be packed into a JWT. This property is used to compute the\\nvalue of the `exp` claim of the JWT.\\n\"\n flag \"--authorization-code-duration \" help=\"The duration of authorization codes in seconds.\\n\"\n flag \"--token-endpoint \" help=\"The [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) of the service.\\n\\nA URL that starts with `https://` and has not fragment component. For example, `https://example.com/auth/token`.\\n\\nThe value of this property is used as `token_endpoint` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-token-endpoint-enabled\" help=\"The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint\\nis `/api/auth/token/direct/service-api-key`.\\n\"\n flag \"--supported-token-auth-methods \" help=\"Client authentication methods supported by the token endpoint of the service.\\n\\nThe value of this property is used as `token_endpoint_auth_methods_supports` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--missing-client-id-allowed\" help=\"The flag to indicate token requests from public clients without the `client_id` request parameter are allowed when the client can be guessed from `authorization_code` or `refresh_token`.\\n\\nThis flag should not be set unless you have special reasons.\\n\"\n flag \"--revocation-endpoint \" help=\"The [revocation endpoint](https://tools.ietf.org/html/rfc7009) of the service.\\n\\nA URL that starts with `https://`. For example, `https://example.com/auth/revocation`.\\n\"\n flag \"--direct-revocation-endpoint-enabled\" help=\"The flag to indicate whether the direct revocation endpoint is enabled or not. 
The URL of the endpoint is `/api/auth/revocation/direct/service-api-key`. \"\n flag \"--supported-revocation-auth-methods \" help=\"Client authentication methods supported at the revocation endpoint.\\n\" var=#true\n flag \"--introspection-endpoint \" help=\"The URI of the introspection endpoint.\"\n flag \"--direct-introspection-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is `/api/auth/userinfo/direct/{serviceApiKey}`. \"\n flag \"--supported-introspection-auth-methods \" help=\"Client authentication methods supported at the introspection endpoint.\\n\" var=#true\n flag \"--pushed-auth-req-endpoint \" help=\"The URI of the pushed authorization request endpoint.\\n\\nThis property corresponds to the `pushed_authorization_request_endpoint` metadata defined in \\\"[5. Authorization Server Metadata](https://tools.ietf.org/html/draft-lodderstedt-oauth-par#section-5)\\\" of OAuth 2.0 Pushed Authorization Requests.\\n\"\n flag \"--pushed-auth-req-duration \" help=\"The duration of pushed authorization requests in seconds.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this service requires that clients use the pushed authorization\\nrequest endpoint.\\n\\nThis property corresponds to the `require_pushed_authorization_requests` server metadata defined\\nin [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par).\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether this service requires that authorization requests always utilize\\na request object by using either request or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the value of `traditionalRequestObjectProcessingApplied` is\\n`false`, the value of `require_signed_request_object` server metadata of this service is reported\\nas `true` in the discovery document. 
The metadata is defined in JAR (JWT Secured Authorization Request).\\nThat `require_signed_request_object` is `true` means that authorization requests which don't\\nconform to the JAR specification are rejected.\\n\"\n flag \"--traditional-request-object-processing-applied\" help=\"The flag to indicate whether a request object is processed based on rules defined in\\n[OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) or JAR (JWT\\nSecured Authorization Request).\\n\"\n flag \"--mutual-tls-validate-pki-cert-chain\" help=\"The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.\\n\"\n flag \"--trusted-root-certificates \" help=\"The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.\\n\" var=#true\n flag \"--mtls-endpoint-aliases \" help=\"The MTLS endpoint aliases.\\n\"\n flag \"--access-token-type \" help=\"The access token type.\\n\\nThis value is used as the value of `token_type` property in access token responses. If this service\\ncomplies with [RFC 6750](https://tools.ietf.org/html/rfc6750), the value of this property should\\nbe `Bearer`.\\n\\nSee [RFC 6749 (OAuth 2.0), 7.1. Access Token Types](https://tools.ietf.org/html/rfc6749#section-7.1) for details.\\n\"\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.\\n\"\n flag \"--access-token-duration \" help=\"The duration of access tokens in seconds. This value is used as the value of `expires_in` property\\nin access token responses. `expires_in` is defined [RFC 6749, 5.1. 
Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1).\\n\"\n flag \"--single-access-token-per-subject\" help=\"The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.\\n\\nIf `true`, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.\\n\\nNote that, however, attempts by [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by [Refresh Token Flow](https://tools.ietf.org/html/rfc6749#section-6) invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is `true` or `false`.\\n\"\n flag \"--access-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--access-token-signature-key-id \" help=\"The key ID to identify a JWK used for signing access tokens.\\n\\nA JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs.\\nAuthlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based\\naccess token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions\\nfor access token signature. If the number of JWK candidates which satisfy the conditions is 1,\\nthere is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed\\nto be specified so that Authlete Server can pick up one JWK from among the JWK candidates.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of refresh tokens in seconds. 
The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.\"\n flag \"--refresh-token-duration-kept\" help=\"The flag to indicate whether the remaining duration of the used refresh token is taken over to\\nthe newly issued refresh token.\\n\"\n flag \"--refresh-token-duration-reset\" help=\"The flag which indicates whether duration of refresh tokens are reset when they are used even\\nif the `refreshTokenKept` property of this service set to is `true` (= even if \\\"Refresh Token\\nContinuous Use\\\" is \\\"Kept\\\").\\n\\nThis flag has no effect when the `refreshTokenKept` property is set to `false`. In other words,\\nif this service issues a new refresh token on every refresh token request, the refresh token\\nwill have fresh duration (unless `refreshTokenDurationKept` is set to `true`) and this\\n`refreshTokenDurationReset` property is not referenced.\\n\"\n flag \"--refresh-token-kept\" help=\"The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.\\n\\nIf `true`, a refresh token used to get a new access token remains valid after its use. Otherwise, if `false`, a refresh token is invalidated after its use and a new refresh token is issued.\\n\\nSee [RFC 6749 6. Refreshing an Access Token](https://tools.ietf.org/html/rfc6749#section-6), as to how to get a new access token using a refresh token.\\n\"\n flag \"--supported-scopes \" help=\"Scopes supported by the service.\\n\"\n flag \"--scope-required\" help=\"The flag to indicate whether requests that request no scope are rejected or not.\\n\"\n flag \"--id-token-duration \" help=\"'The duration of [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)s\\nin seconds. 
This value is used to calculate the value of `exp` claim in an ID token.'\\n\"\n flag \"--allowable-clock-skew \" help=\"The allowable clock skew between the server and clients in seconds.\\n\\nThe clock skew is taken into consideration when time-related claims in a JWT (e.g. `exp`, `iat`, `nbf`) are verified.\\n\"\n flag \"--supported-claim-types \" help=\"Claim types supported by the service. Valid values are listed in Claim Type. Note that Authlete\\ncurrently doesn't provide any API to help implementations for `AGGREGATED` and `DISTRIBUTED`.\\n\\nThe value of this property is used as `claim_types_supported` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claim-locales \" help=\"Claim locales that the service supports. Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646).\\nFor example, `en-US` and `ja-JP`. See [OpenID Connect Core 1.0, 5.2. Languages and Scripts](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts)\\nfor details.\\n\\nThe value of this property is used as `claims_locales_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claims \" help=\"Claim names that the service supports. The standard claim names listed in [OpenID Connect Core 1.0,\\n5.1. Standard Claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) should\\nbe supported. The following is the list of standard claims.\\n\" var=#true\n flag \"--claim-shortcut-restrictive\" help=\"The flag indicating whether claims specified by shortcut scopes (e.g. `profile`) are included\\nin the issued ID token only when no access token is issued.\\n\"\n flag \"--jwks-uri \" help=\"The URL of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document. 
For\\nexample, `http://example.com/auth/jwks`.\\n\\nClient applications accesses this URL (1) to get the public key of the service to validate the\\nsignature of an ID token issued by the service and (2) to get the public key of the service to\\nencrypt an request object of the client application. See [OpenID Connect Core 1.0, 10. Signatures\\nand Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\\nThe value of this property is used as `jwks_uri` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-jwks-endpoint-enabled\" help=\"'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint\\nis `/api/service/jwks/get/direct/service-api-key`. '\\n\"\n flag \"--jwks \" help=\"The content of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document.\\n\\nIf this property is not `null` in a `/service/create` request or a `/service/update` request,\\nAuthlete hosts the content in the database. This property must not be `null` and must contain\\npairs of public/private keys if the service wants to support asymmetric signatures for ID tokens\\nand asymmetric encryption for request objects. See [OpenID Connect Core 1.0, 10. Signatures and\\nEncryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\"\n flag \"--id-token-signature-key-id \" help=\"The key ID to identify a JWK used for ID token signature using an asymmetric key.\\n\"\n flag \"--user-info-signature-key-id \" help=\"The key ID to identify a JWK used for user info signature using an asymmetric key.\\n\"\n flag \"--authorization-signature-key-id \" help=\"The key ID to identify a JWK used for signing authorization responses using an asymmetric key.\\n\"\n flag \"--user-info-endpoint \" help=\"The [user info endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo) of the\\nservice. 
A URL that starts with `https://`. For example, `https://example.com/auth/userinfo`.\\n\\nThe value of this property is used as `userinfo_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-user-info-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path\\nof the endpoint is `/api/auth/userinfo/direct/service-api-key`.\\n\"\n flag \"--dynamic-registration-supported\" help=\"The boolean flag which indicates whether the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)\\nis supported.\\n\"\n flag \"--registration-endpoint \" help=\"The [registration endpoint](http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)\\nof the service. A URL that starts with `https://`. For example, `https://example.com/auth/registration`.\\n\\nThe value of this property is used as `registration_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--registration-management-endpoint \" help=\"The URI of the registration management endpoint. If dynamic client registration is supported,\\nand this is set, this URI will be used as the basis of the client's management endpoint by appending\\n`/clientid}/` to it as a path element. 
If this is unset, the value of `registrationEndpoint` will\\nbe used as the URI base instead.\\n\"\n flag \"--policy-uri \" help=\"The URL of the \\\"Policy\\\" of the service.\\n\\nThe value of this property is used as `op_policy_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL of the \\\"Terms Of Service\\\" of the service.\\n\\nThe value of this property is used as `op_tos_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--service-documentation \" help=\"The URL of a page where documents for developers can be found.\\n\\nThe value of this property is used as `service_documentation` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--backchannel-authentication-endpoint \" help=\"The URI of backchannel authentication endpoint, which is defined in the specification of [CIBA\\n(Client Initiated Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\"\n flag \"--supported-backchannel-token-delivery-modes \" help=\"The supported backchannel token delivery modes. This property corresponds to the `backchannel_token_delivery_modes_supported`\\nmetadata.\\n\\nBackchannel token delivery modes are defined in the specification of [CIBA (Client Initiated\\nBackchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\" var=#true\n flag \"--backchannel-auth-req-id-duration \" help=\"The duration of backchannel authentication request IDs issued from the backchannel authentication\\nendpoint in seconds. 
This is used as the value of the `expires_in` property in responses from\\nthe backchannel authentication endpoint.\\n\"\n flag \"--backchannel-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds. This is used as the value of the `interval` property in responses from the backchannel\\nauthentication endpoint.\\n\"\n flag \"--backchannel-user-code-parameter-supported\" help=\"The boolean flag which indicates whether the `user_code` request parameter is supported at the\\nbackchannel authentication endpoint. This property corresponds to the `backchannel_user_code_parameter_supported`\\nmetadata.\\n\"\n flag \"--backchannel-binding-message-required-in-fapi\" help=\"The flag to indicate whether the `binding_message` request parameter is always required whenever\\na backchannel authentication request is judged as a request for Financial-grade API.\\n\"\n flag \"--device-authorization-endpoint \" help=\"The URI of the device authorization endpoint.\\n\\nDevice authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.\\n\"\n flag \"--device-verification-uri \" help=\"The verification URI for the device flow. This URI is used as the value of the `verification_uri`\\nparameter in responses from the device authorization endpoint.\\n\"\n flag \"--device-verification-uri-complete \" help=\"The verification URI for the device flow with a placeholder for a user code. This URI is used\\nto build the value of the `verification_uri_complete` parameter in responses from the device\\nauthorization endpoint.\\n\"\n flag \"--device-flow-code-duration \" help=\"The duration of device verification codes and end-user verification codes issued from the device\\nauthorization endpoint in seconds. 
This is used as the value of the `expires_in` property in responses\\nfrom the device authorization endpoint.\\n\"\n flag \"--device-flow-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds in device flow. This is used as the value of the `interval` property in responses from\\nthe device authorization endpoint.\\n\"\n flag \"--user-code-charset \" help=\"The character set for end-user verification codes (`user_code`) for Device Flow.\\n (options: BASE20, NUMERIC)\"\n flag \"--user-code-length \" help=\"The length of end-user verification codes (`user_code`) for Device Flow.\\n\"\n flag \"--supported-trust-frameworks \" help=\"Trust frameworks supported by this service. This corresponds to the `trust_frameworks_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-evidence \" help=\"Evidence supported by this service. This corresponds to the `evidence_supported` [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-identity-documents \" help=\"Identity documents supported by this service. This corresponds to the `id_documents_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verification-methods \" help=\"Verification methods supported by this service. This corresponds to the `id_documents_verification_methods_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verified-claims \" help=\"Verified claims supported by this service. 
This corresponds to the `claims_in_verified_claims_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--verified-claims-validation-schema-set \" help=\"The verified claims validation schema set.\\n (options: standard, standard+id_document)\"\n flag \"--attributes \" help=\"The attributes of this service.\\n\"\n flag \"--nbf-optional\" help=\"The flag indicating whether the nbf claim in the request object is optional even when the authorization\\nrequest is regarded as a FAPI-Part2 request.\\n\"\n flag \"--iss-suppressed\" help=\"The flag indicating whether generation of the iss response parameter is suppressed.\\n\"\n flag \"--supported-custom-client-metadata \" help=\"custom client metadata supported by this service.\\n\" var=#true\n flag \"--token-expiration-linked\" help=\"The flag indicating whether the expiration date of an access token never exceeds that of the\\ncorresponding refresh token.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE `enc` of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--hsm-enabled\" help=\"The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.\\n\\nWhen this flag is `false`, keys managed in HSMs are not used even if they exist. 
In addition,\\n`/api/hsk/*` APIs reject all requests.\\n\\nEven if this flag is `true`, HSM-related features do not work if the configuration of the Authlete\\nserver you are using does not support HSM.\\n\"\n flag \"--hsks \" help=\"The information about keys managed on HSMs (Hardware Security Modules).\\n\\nThis `hsks` property is output only, meaning that `hsks` in requests to `/api/service/create`\\nAPI and `/api/service/update` API do not have any effect. The contents of this property is controlled\\nonly by `/api/hsk/*` APIs.\\n\"\n flag \"--grant-management-endpoint \" help=\"The URL of the grant management endpoint.\\n\"\n flag \"--grant-management-action-required\" help=\"The flag indicating whether every authorization request (and any request serving as an authorization\\nrequest such as CIBA backchannel authentication request and device authorization request) must\\ninclude the `grant_management_action` request parameter.\\n\"\n flag \"--unauthorized-on-client-config-supported\" help=\"The flag indicating whether Authlete's `/api/client/registration` API uses `UNAUTHORIZED` as\\na value of the `action` response parameter when appropriate.\\n\"\n flag \"--dcr-scope-used-as-requestable\" help=\"The flag indicating whether the `scope` request parameter in dynamic client registration and\\nupdate requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.\\n\\nLimiting the range of scopes that a client can request is achieved by listing scopes in the\\n`client.extension.requestableScopes` property and setting the `client.extension.requestableScopesEnabled`\\nproperty to `true`. This feature is called \\\"requestable scopes\\\".\\n\\nThis property affects behaviors of `/api/client/registration` and other family APIs.\\n\"\n flag \"--end-session-endpoint \" help=\"The endpoint for clients ending the sessions.\\n\\nA URL that starts with `https://` and has no fragment component. 
For example, `https://example.com/auth/endSession`.\\n\\nThe value of this property is used as `end_session_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--loopback-redirection-uri-variable\" help=\"The flag indicating whether the port number component of redirection URIs can be variable when\\nthe host component indicates loopback.\\n\"\n flag \"--request-object-audience-checked\" help=\"The flag indicating whether Authlete checks whether the `aud` claim of request objects matches\\nthe issuer identifier of this service.\\n\"\n flag \"--access-token-for-external-attachment-embedded\" help=\"The flag indicating whether Authlete generates access tokens for\\nexternal attachments and embeds them in ID tokens and userinfo\\nresponses.\\n\"\n flag \"--authority-hints \" help=\"Identifiers of entities that can issue entity statements for this\\nservice. This property corresponds to the `authority_hints`\\nproperty that appears in a self-signed entity statement that is\\ndefined in OpenID Connect Federation 1.0.\\n\" var=#true\n flag \"--federation-enabled\" help=\"flag indicating whether this service supports OpenID Connect Federation 1\\n\"\n flag \"--federation-jwks \" help=\"JWK Set document containing keys that are used to sign (1) self-signed\\nentity statement of this service and (2) the response from\\n`signed_jwks_uri`.\\n\"\n flag \"--federation-signature-key-id \" help=\"A key ID to identify a JWK used to sign the entity configuration and\\nthe signed JWK Set.\\n\"\n flag \"--federation-configuration-duration \" help=\"The duration of the entity configuration in seconds.\\n\"\n flag \"--federation-registration-endpoint \" help=\"The URI of the federation registration endpoint. 
This property corresponds\\nto the `federation_registration_endpoint` server metadata that is\\ndefined in OpenID Connect Federation 1.0.\\n\"\n flag \"--organization-name \" help=\"The human-readable name representing the organization that operates\\nthis service. This property corresponds to the `organization_name`\\nserver metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--predefined-transformed-claims \" help=\"The transformed claims predefined by this service in JSON format.\\nThis property corresponds to the `transformed_claims_predefined`\\nserver metadata.\\n\"\n flag \"--refresh-token-idempotent\" help=\"flag indicating whether refresh token requests with the same\\nrefresh token can be made multiple times in quick succession and\\nthey can obtain the same renewed refresh token within the short\\nperiod.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this service's JWK Set document in\\nthe JWT format. This property corresponds to the `signed_jwks_uri`\\nserver metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--supported-attachments \" help=\"Supported attachment types. This property corresponds to the {@code\\nattachments_supported} server metadata which was added by the third\\nimplementer's draft of OpenID Connect for Identity Assurance 1.0.\\n\" var=#true\n flag \"--supported-digest-algorithms \" help=\"Supported algorithms used to compute digest values of external\\nattachments. This property corresponds to the\\n`digest_algorithms_supported` server metadata which was added\\nby the third implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--supported-documents \" help=\"Document types supported by this service. 
This property corresponds\\nto the `documents_supported` server metadata.\\n\" var=#true\n flag \"--supported-documents-methods \" help=\"validation and verification processes supported by this service.\\nThis property corresponds to the `documents_methods_supported`\\nserver metadata.\\n\\nThe third implementer's draft of [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\nrenamed the\\n`id_documents_verification_methods_supported` server metadata to\\n`documents_methods_supported`.\\n\" var=#true\n flag \"--supported-documents-validation-methods \" help=\"Document validation methods supported by this service. This property\\ncorresponds to the `documents_validation_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n\" var=#true\n flag \"--supported-documents-verification-methods \" help=\"Document verification methods supported by this service. This property\\ncorresponds to the `documents_verification_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-electronic-records \" help=\"Electronic record types supported by this service. 
This property\\ncorresponds to the `electronic_records_supported` server metadata\\nwhich was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-client-registration-types \" help=\"list of values\" var=#true\n flag \"--token-exchange-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nmaking token exchange requests.\\n\"\n flag \"--token-exchange-by-confidential-clients-only\" help=\"The flag indicating whether to prohibit public clients from making\\ntoken exchange requests.\\n\"\n flag \"--token-exchange-by-permitted-clients-only\" help=\"The flag indicating whether to prohibit clients that have no explicit\\npermission from making token exchange requests.\\n\"\n flag \"--token-exchange-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse encrypted JWTs as input tokens.\\n\"\n flag \"--token-exchange-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse unsigned JWTs as input tokens.\\n\"\n flag \"--jwt-grant-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nusing the grant type \\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nencrypted JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nunsigned JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--dcr-duplicate-software-id-blocked\" help=\"The flag indicating whether to block DCR (Dynamic 
Client Registration)\\nrequests whose \\\"software_id\\\" has already been used previously.\\n\"\n flag \"--trust-anchors \" help=\"The trust anchors that are referenced when this service resolves\\ntrust chains of relying parties.\\n\\nIf this property is empty, client registration fails regardless of\\nwhether its type is `automatic` or `explicit`. It means\\nthat OpenID Connect Federation 1.0 does not work.\\n\"\n flag \"--openid-dropped-on-refresh-without-offline-access\" help=\"The flag indicating whether the openid scope should be dropped from\\nscopes list assigned to access token issued when a refresh token grant\\nis used.\\n\"\n flag \"--supported-documents-check-methods \" help=\"Supported document check methods. This property corresponds to the `documents_check_methods_supported`\\nserver metadata which was added by the fourth implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--rs-response-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--cnonce-duration \" help=\"The duration of `c_nonce`.\\n\"\n flag \"--dpop-nonce-required\" help=\"Whether to require DPoP proof JWTs to include the `nonce` claim\\nwhenever they are presented.\\n\"\n flag \"--verifiable-credentials-enabled\" help=\"Get the flag indicating whether the feature of Verifiable Credentials\\nfor this service is enabled or not.\\n\"\n flag \"--credential-jwks-uri \" help=\"The URL at which the JWK Set document of the credential issuer is\\nexposed.\\n\"\n flag \"--credential-offer-duration \" help=\"The default duration of credential offers in seconds.\\n\"\n flag \"--dpop-nonce-duration \" help=\"The duration of nonce values for DPoP proof JWTs in seconds.\\n\"\n flag \"--pre-authorized-grant-anonymous-access-supported\" help=\"The flag indicating whether token requests using the pre-authorized\\ncode grant flow by unidentifiable clients are allowed.\\n\"\n flag 
\"--credential-transaction-duration \" help=\"The duration of transaction ID in seconds that may be issued as a\\nresult of a credential request or a batch credential request.\\n\"\n flag \"--introspection-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--resource-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--user-pin-length \" help=\"The default length of user PINs.\\n\"\n flag \"--supported-prompt-values \" help=\"The supported `prompt` values.\\n\" var=#true\n flag \"--id-token-reissuable\" help=\"The flag indicating whether to enable the feature of ID token\\nreissuance in the refresh token flow.\\n\"\n flag \"--credential-jwks \" help=\"The JWK Set document containing private keys that are used to sign\\nverifiable credentials.\\n\"\n flag \"--fapi-modes \" help=\"FAPI modes for this service.\\n\\nWhen the value of this property is not `null`, Authlete always processes requests to this service based\\non the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported\\nby this service.\\n\\nFor instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete always\\nprocesses requests to this service based on \\\"Financial-grade API Security Profile 1.0 - Part 2:\\nAdvanced\\\" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.\\n\" var=#true\n flag \"--credential-duration \" help=\"The default duration of verifiable credentials in seconds.\\n\"\n flag \"--credential-issuer-metadata \" help=\"JSON object\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim in ID tokens.\\n\"\n flag \"--native-sso-supported\" help=\"Flag that enables the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (“Native SSO”). 
When this property is **not** `true`, Native SSO specific parameters are ignored or treated as errors.\\nFor example:\\n\\n* The `device_sso` scope has no special meaning (Authlete does not embed the `sid` claim in ID tokens).\\n* The `urn:openid:params:token-type:device-secret` token type is treated as unknown and results in an error.\\n\\nWhen set to `true`, the server metadata advertises `\\\"native_sso_supported\\\": true`. See [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)\\nand [RFC 8414 §2](https://www.rfc-editor.org/rfc/rfc8414.html#section-2) for background. Native SSO is available in Authlete 3.0 and later.\\n\"\n flag \"--oid4vci-version \" help=\"Version of the [OpenID for Verifiable Credential Issuance](https://www.authlete.com/developers/oid4vci/) (OID4VCI) specification to support.\\n\\nAccepted values are:\\n\\n* `null` or `\\\"1.0-ID1\\\"` → Implementer’s Draft 1.\\n* `\\\"1.0\\\"` or `\\\"1.0-Final\\\"` → Final 1.0 specification.\\n\\nChoose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.\\n\"\n flag \"--cimd-metadata-policy-enabled\" help=\"Flag that controls whether the CIMD metadata policy is applied to client\\nmetadata obtained through the Client ID Metadata Document (CIMD)\\nmechanism.\\n\"\n flag \"--client-id-metadata-document-supported\" help=\"Indicates whether the Client ID Metadata Document (CIMD) mechanism is\\nsupported. When `true`, the service will attempt to retrieve client\\nmetadata via CIMD where applicable.\\n\"\n flag \"--cimd-allowlist-enabled\" help=\"Enables the allowlist for CIMD. 
When `true`, only CIMD endpoints that are\\non the allowlist are used.\\n\"\n flag \"--cimd-allowlist \" help=\"The allowlist of CIMD endpoints (hosts/URIs) that may be used when\\nretrieving client metadata via Client ID Metadata Documents.\\n\" var=#true\n flag \"--cimd-always-retrieved\" help=\"If `true`, CIMD retrieval is always attempted for clients, regardless of\\nother conditions.\\n\"\n flag \"--cimd-http-permitted\" help=\"Allows CIMD retrieval over plain HTTP. When `false`, only HTTPS CIMD\\nendpoints are allowed.\\n\"\n flag \"--cimd-query-permitted\" help=\"Allows the use of query parameters when retrieving CIMD metadata. When\\n`false`, query parameters are disallowed for CIMD requests.\\n\"\n flag \"--cimd-metadata-policy \" help=\"The metadata policy applied to client metadata obtained through the CIMD\\nmechanism. The value must follow the metadata policy grammar defined in\\n[OpenID Federation 1.0 §6.1 Metadata Policy](https://openid.net/specs/openid-federation-1_0.html#name-metadata-policy).\\n\"\n flag \"--http-alias-prohibited\" help=\"When `true`, client ID aliases starting with `https://` or `http://` are\\nprohibited.\\n\"\n flag \"--attestation-challenge-time-window \" help=\"The time window of attestation challenges in seconds. This is used for\\nOAuth 2.0 Attestation-Based Client Authentication.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Service ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n cmd \"get-configuration\" help=\"Get Service Configuration\" {\n alias \"gc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. 
The default value is `false`.\"\n flag \"--patch \" help=\"Get the JSON Patch [RFC 6902 JavaScript Object Notation (JSON) Patch](https://www.rfc-editor.org/rfc/rfc6902) to be applied.\"\n }\n}\n", + "service get": "cmd \"get\" help=\"Get Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n}\n", + "service list": "cmd \"list\" help=\"List Services\" {\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n}\n", + "service update": "cmd \"update\" help=\"Update Service\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--service-name \" help=\"The name of this service.\"\n flag \"--issuer \" help=\"The issuer identifier of the service.\\n\\nA URL that starts with https:// and has no query or fragment component.\\n\\nThe value of this property is used as `iss` claim in an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\\nand `issuer` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--description \" help=\"The description about the service.\"\n flag \"--token-batch-notification-endpoint \" help=\"The endpoint for batch token notifications. This endpoint is called when \\nmultiple tokens are issued or revoked in a batch operation.\\n\"\n flag \"--client-assertion-aud-restricted-to-issuer\" help=\"The flag indicating whether the audience of client assertion JWTs must \\nmatch the issuer identifier of this service.\\n\"\n flag \"--clients-per-developer \" help=\"The maximum number of client applications that a developer can have.\\n\"\n flag \"--developer-authentication-callback-endpoint \" help=\"The endpoint for developer authentication callbacks. 
This is used when \\ndevelopers log into the developer portal.\\n\"\n flag \"--developer-authentication-callback-api-key \" help=\"The API key for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--developer-authentication-callback-api-secret \" help=\"The API secret for basic authentication at the developer authentication \\ncallback endpoint.\\n\"\n flag \"--supported-snses \" help=\"Social login services (SNS) that this service supports for end-user \\nauthentication.\\n\" var=#true\n flag \"--sns-credentials \" help=\"The credentials for social login services (SNS) that are used for \\nend-user authentication.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always `true`.\"\n flag \"--metadata \" help=\"The `metadata` of the service. The content of the returned array depends on contexts.\\nThe predefined service metadata is listed in the following table.\\n\\n | Key | Description |\\n | --- | --- |\\n | `clientCount` | The number of client applications which belong to this service. 
|\\n\"\n flag \"--authentication-callback-endpoint \" help=\"A Web API endpoint for user authentication which is to be prepared on the service side.\\n\\nThe endpoint must be implemented if you do not implement the UI at the authorization endpoint\\nbut use the one provided by Authlete.\\n\\nThe user authentication at the authorization endpoint provided by Authlete is performed by making\\na `POST` request to this endpoint.\\n\"\n flag \"--authentication-callback-api-key \" help=\"API key for basic authentication at the authentication callback endpoint.\\n\\nIf the value is not empty, Authlete generates Authorization header for Basic authentication when\\nmaking a request to the authentication callback endpoint.\\n\"\n flag \"--authentication-callback-api-secret \" help=\"API secret for `basic` authentication at the authentication callback endpoint.\"\n flag \"--supported-grant-types \" help=\"Values of `grant_type` request parameter that the service supports.\\n\\nThe value of this property is used as `grant_types_supported property` in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-response-types \" help=\"Values of `response_type` request parameter that\\nthe service supports. Valid values are listed in Response Type.\\n\\nThe value of this property is used as `response_types_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-authorization-details-types \" help=\"The supported data types that can be used as values of the type field in `authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types_supported` metadata. 
See \\\"OAuth 2.0\\nRich Authorization Requests\\\" (RAR) for details.\\n\" var=#true\n flag \"--supported-service-profiles \" help=\"The profiles that this service supports.\\n\" var=#true\n flag \"--error-description-omitted\" help=\"The flag to indicate whether the `error_description` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include\\nthe `error_description` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the `error_description` response parameter in error responses.\\n\"\n flag \"--error-uri-omitted\" help=\"The flag to indicate whether the `error_uri` response parameter is omitted.\\n\\nAccording to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include the `error_uri` response parameter in error responses.\\n\\nIf `true`, Authlete does not embed the\\n`error_uri` response parameter in error responses.\\n\"\n flag \"--authorization-endpoint \" help=\"The authorization endpoint of the service.\\n\\nA URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/authorization`.\\n\\nThe value of this property is used as `authorization_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-authorization-endpoint-enabled\" help=\"The flag to indicate whether the direct authorization endpoint is enabled or not.\\n\\nThe path of the endpoint is `/api/auth/authorization/direct/service-api-key`.\\n\"\n flag \"--supported-ui-locales \" help=\"UI locales that the service supports.\\n\\nEach element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646). 
For example, `en-US` and `ja-JP`.\\n\\nThe value of this property is used as `ui_locales_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-displays \" help=\"Values of `display` request parameter that service supports.\\n\\nThe value of this property is used as `display_values_supported` property in the Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--authorization-response-duration \" help=\"The duration of authorization response JWTs in seconds.\\n\\n[Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)\\ndefines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,\\n`form_post.jwt` and `jwt`. 
If one of them is specified as the response mode, response parameters\\nfrom the authorization endpoint will be packed into a JWT. This property is used to compute the\\nvalue of the `exp` claim of the JWT.\\n\"\n flag \"--authorization-code-duration \" help=\"The duration of authorization codes in seconds.\\n\"\n flag \"--token-endpoint \" help=\"The [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) of the service.\\n\\nA URL that starts with `https://` and has not fragment component. For example, `https://example.com/auth/token`.\\n\\nThe value of this property is used as `token_endpoint` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-token-endpoint-enabled\" help=\"The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint\\nis `/api/auth/token/direct/service-api-key`.\\n\"\n flag \"--supported-token-auth-methods \" help=\"Client authentication methods supported by the token endpoint of the service.\\n\\nThe value of this property is used as `token_endpoint_auth_methods_supports` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--missing-client-id-allowed\" help=\"The flag to indicate token requests from public clients without the `client_id` request parameter are allowed when the client can be guessed from `authorization_code` or `refresh_token`.\\n\\nThis flag should not be set unless you have special reasons.\\n\"\n flag \"--revocation-endpoint \" help=\"The [revocation endpoint](https://tools.ietf.org/html/rfc7009) of the service.\\n\\nA URL that starts with `https://`. For example, `https://example.com/auth/revocation`.\\n\"\n flag \"--direct-revocation-endpoint-enabled\" help=\"The flag to indicate whether the direct revocation endpoint is enabled or not. 
The URL of the endpoint is `/api/auth/revocation/direct/service-api-key`. \"\n flag \"--supported-revocation-auth-methods \" help=\"Client authentication methods supported at the revocation endpoint.\\n\" var=#true\n flag \"--introspection-endpoint \" help=\"The URI of the introspection endpoint.\"\n flag \"--direct-introspection-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is `/api/auth/userinfo/direct/{serviceApiKey}`. \"\n flag \"--supported-introspection-auth-methods \" help=\"Client authentication methods supported at the introspection endpoint.\\n\" var=#true\n flag \"--pushed-auth-req-endpoint \" help=\"The URI of the pushed authorization request endpoint.\\n\\nThis property corresponds to the `pushed_authorization_request_endpoint` metadata defined in \\\"[5. Authorization Server Metadata](https://tools.ietf.org/html/draft-lodderstedt-oauth-par#section-5)\\\" of OAuth 2.0 Pushed Authorization Requests.\\n\"\n flag \"--pushed-auth-req-duration \" help=\"The duration of pushed authorization requests in seconds.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this service requires that clients use the pushed authorization\\nrequest endpoint.\\n\\nThis property corresponds to the `require_pushed_authorization_requests` server metadata defined\\nin [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par).\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether this service requires that authorization requests always utilize\\na request object by using either request or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the value of `traditionalRequestObjectProcessingApplied` is\\n`false`, the value of `require_signed_request_object` server metadata of this service is reported\\nas `true` in the discovery document. 
The metadata is defined in JAR (JWT Secured Authorization Request).\\nThat `require_signed_request_object` is `true` means that authorization requests which don't\\nconform to the JAR specification are rejected.\\n\"\n flag \"--traditional-request-object-processing-applied\" help=\"The flag to indicate whether a request object is processed based on rules defined in\\n[OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) or JAR (JWT\\nSecured Authorization Request).\\n\"\n flag \"--mutual-tls-validate-pki-cert-chain\" help=\"The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.\\n\"\n flag \"--trusted-root-certificates \" help=\"The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.\\n\" var=#true\n flag \"--mtls-endpoint-aliases \" help=\"The MTLS endpoint aliases.\\n\"\n flag \"--access-token-type \" help=\"The access token type.\\n\\nThis value is used as the value of `token_type` property in access token responses. If this service\\ncomplies with [RFC 6750](https://tools.ietf.org/html/rfc6750), the value of this property should\\nbe `Bearer`.\\n\\nSee [RFC 6749 (OAuth 2.0), 7.1. Access Token Types](https://tools.ietf.org/html/rfc6749#section-7.1) for details.\\n\"\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.\\n\"\n flag \"--access-token-duration \" help=\"The duration of access tokens in seconds. This value is used as the value of `expires_in` property\\nin access token responses. `expires_in` is defined [RFC 6749, 5.1. 
Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1).\\n\"\n flag \"--single-access-token-per-subject\" help=\"The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.\\n\\nIf `true`, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.\\n\\nNote that, however, attempts by [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by [Refresh Token Flow](https://tools.ietf.org/html/rfc6749#section-6) invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is `true` or `false`.\\n\"\n flag \"--access-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--access-token-signature-key-id \" help=\"The key ID to identify a JWK used for signing access tokens.\\n\\nA JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs.\\nAuthlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based\\naccess token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions\\nfor access token signature. If the number of JWK candidates which satisfy the conditions is 1,\\nthere is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed\\nto be specified so that Authlete Server can pick up one JWK from among the JWK candidates.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of refresh tokens in seconds. 
The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.\"\n flag \"--refresh-token-duration-kept\" help=\"The flag to indicate whether the remaining duration of the used refresh token is taken over to\\nthe newly issued refresh token.\\n\"\n flag \"--refresh-token-duration-reset\" help=\"The flag which indicates whether duration of refresh tokens are reset when they are used even\\nif the `refreshTokenKept` property of this service set to is `true` (= even if \\\"Refresh Token\\nContinuous Use\\\" is \\\"Kept\\\").\\n\\nThis flag has no effect when the `refreshTokenKept` property is set to `false`. In other words,\\nif this service issues a new refresh token on every refresh token request, the refresh token\\nwill have fresh duration (unless `refreshTokenDurationKept` is set to `true`) and this\\n`refreshTokenDurationReset` property is not referenced.\\n\"\n flag \"--refresh-token-kept\" help=\"The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.\\n\\nIf `true`, a refresh token used to get a new access token remains valid after its use. Otherwise, if `false`, a refresh token is invalidated after its use and a new refresh token is issued.\\n\\nSee [RFC 6749 6. Refreshing an Access Token](https://tools.ietf.org/html/rfc6749#section-6), as to how to get a new access token using a refresh token.\\n\"\n flag \"--supported-scopes \" help=\"Scopes supported by the service.\\n\"\n flag \"--scope-required\" help=\"The flag to indicate whether requests that request no scope are rejected or not.\\n\"\n flag \"--id-token-duration \" help=\"'The duration of [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)s\\nin seconds. 
This value is used to calculate the value of `exp` claim in an ID token.'\\n\"\n flag \"--allowable-clock-skew \" help=\"The allowable clock skew between the server and clients in seconds.\\n\\nThe clock skew is taken into consideration when time-related claims in a JWT (e.g. `exp`, `iat`, `nbf`) are verified.\\n\"\n flag \"--supported-claim-types \" help=\"Claim types supported by the service. Valid values are listed in Claim Type. Note that Authlete\\ncurrently doesn't provide any API to help implementations for `AGGREGATED` and `DISTRIBUTED`.\\n\\nThe value of this property is used as `claim_types_supported` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claim-locales \" help=\"Claim locales that the service supports. Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646).\\nFor example, `en-US` and `ja-JP`. See [OpenID Connect Core 1.0, 5.2. Languages and Scripts](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts)\\nfor details.\\n\\nThe value of this property is used as `claims_locales_supported` property in the\\n[OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\" var=#true\n flag \"--supported-claims \" help=\"Claim names that the service supports. The standard claim names listed in [OpenID Connect Core 1.0,\\n5.1. Standard Claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) should\\nbe supported. The following is the list of standard claims.\\n\" var=#true\n flag \"--claim-shortcut-restrictive\" help=\"The flag indicating whether claims specified by shortcut scopes (e.g. `profile`) are included\\nin the issued ID token only when no access token is issued.\\n\"\n flag \"--jwks-uri \" help=\"The URL of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document. 
For\\nexample, `http://example.com/auth/jwks`.\\n\\nClient applications accesses this URL (1) to get the public key of the service to validate the\\nsignature of an ID token issued by the service and (2) to get the public key of the service to\\nencrypt an request object of the client application. See [OpenID Connect Core 1.0, 10. Signatures\\nand Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\\nThe value of this property is used as `jwks_uri` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-jwks-endpoint-enabled\" help=\"'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint\\nis `/api/service/jwks/get/direct/service-api-key`. '\\n\"\n flag \"--jwks \" help=\"The content of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document.\\n\\nIf this property is not `null` in a `/service/create` request or a `/service/update` request,\\nAuthlete hosts the content in the database. This property must not be `null` and must contain\\npairs of public/private keys if the service wants to support asymmetric signatures for ID tokens\\nand asymmetric encryption for request objects. See [OpenID Connect Core 1.0, 10. Signatures and\\nEncryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.\\n\"\n flag \"--id-token-signature-key-id \" help=\"The key ID to identify a JWK used for ID token signature using an asymmetric key.\\n\"\n flag \"--user-info-signature-key-id \" help=\"The key ID to identify a JWK used for user info signature using an asymmetric key.\\n\"\n flag \"--authorization-signature-key-id \" help=\"The key ID to identify a JWK used for signing authorization responses using an asymmetric key.\\n\"\n flag \"--user-info-endpoint \" help=\"The [user info endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo) of the\\nservice. 
A URL that starts with `https://`. For example, `https://example.com/auth/userinfo`.\\n\\nThe value of this property is used as `userinfo_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--direct-user-info-endpoint-enabled\" help=\"The flag to indicate whether the direct userinfo endpoint is enabled or not. The path\\nof the endpoint is `/api/auth/userinfo/direct/service-api-key`.\\n\"\n flag \"--dynamic-registration-supported\" help=\"The boolean flag which indicates whether the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)\\nis supported.\\n\"\n flag \"--registration-endpoint \" help=\"The [registration endpoint](http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)\\nof the service. A URL that starts with `https://`. For example, `https://example.com/auth/registration`.\\n\\nThe value of this property is used as `registration_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--registration-management-endpoint \" help=\"The URI of the registration management endpoint. If dynamic client registration is supported,\\nand this is set, this URI will be used as the basis of the client's management endpoint by appending\\n`/clientid}/` to it as a path element. 
If this is unset, the value of `registrationEndpoint` will\\nbe used as the URI base instead.\\n\"\n flag \"--policy-uri \" help=\"The URL of the \\\"Policy\\\" of the service.\\n\\nThe value of this property is used as `op_policy_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL of the \\\"Terms Of Service\\\" of the service.\\n\\nThe value of this property is used as `op_tos_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--service-documentation \" help=\"The URL of a page where documents for developers can be found.\\n\\nThe value of this property is used as `service_documentation` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--backchannel-authentication-endpoint \" help=\"The URI of backchannel authentication endpoint, which is defined in the specification of [CIBA\\n(Client Initiated Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\"\n flag \"--supported-backchannel-token-delivery-modes \" help=\"The supported backchannel token delivery modes. This property corresponds to the `backchannel_token_delivery_modes_supported`\\nmetadata.\\n\\nBackchannel token delivery modes are defined in the specification of [CIBA (Client Initiated\\nBackchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).\\n\" var=#true\n flag \"--backchannel-auth-req-id-duration \" help=\"The duration of backchannel authentication request IDs issued from the backchannel authentication\\nendpoint in seconds. 
This is used as the value of the `expires_in` property in responses from\\nthe backchannel authentication endpoint.\\n\"\n flag \"--backchannel-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds. This is used as the value of the `interval` property in responses from the backchannel\\nauthentication endpoint.\\n\"\n flag \"--backchannel-user-code-parameter-supported\" help=\"The boolean flag which indicates whether the `user_code` request parameter is supported at the\\nbackchannel authentication endpoint. This property corresponds to the `backchannel_user_code_parameter_supported`\\nmetadata.\\n\"\n flag \"--backchannel-binding-message-required-in-fapi\" help=\"The flag to indicate whether the `binding_message` request parameter is always required whenever\\na backchannel authentication request is judged as a request for Financial-grade API.\\n\"\n flag \"--device-authorization-endpoint \" help=\"The URI of the device authorization endpoint.\\n\\nDevice authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.\\n\"\n flag \"--device-verification-uri \" help=\"The verification URI for the device flow. This URI is used as the value of the `verification_uri`\\nparameter in responses from the device authorization endpoint.\\n\"\n flag \"--device-verification-uri-complete \" help=\"The verification URI for the device flow with a placeholder for a user code. This URI is used\\nto build the value of the `verification_uri_complete` parameter in responses from the device\\nauthorization endpoint.\\n\"\n flag \"--device-flow-code-duration \" help=\"The duration of device verification codes and end-user verification codes issued from the device\\nauthorization endpoint in seconds. 
This is used as the value of the `expires_in` property in responses\\nfrom the device authorization endpoint.\\n\"\n flag \"--device-flow-polling-interval \" help=\"The minimum interval between polling requests to the token endpoint from client applications in\\nseconds in device flow. This is used as the value of the `interval` property in responses from\\nthe device authorization endpoint.\\n\"\n flag \"--user-code-charset \" help=\"The character set for end-user verification codes (`user_code`) for Device Flow.\\n (options: BASE20, NUMERIC)\"\n flag \"--user-code-length \" help=\"The length of end-user verification codes (`user_code`) for Device Flow.\\n\"\n flag \"--supported-trust-frameworks \" help=\"Trust frameworks supported by this service. This corresponds to the `trust_frameworks_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-evidence \" help=\"Evidence supported by this service. This corresponds to the `evidence_supported` [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-identity-documents \" help=\"Identity documents supported by this service. This corresponds to the `id_documents_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verification-methods \" help=\"Verification methods supported by this service. This corresponds to the `id_documents_verification_methods_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--supported-verified-claims \" help=\"Verified claims supported by this service. 
This corresponds to the `claims_in_verified_claims_supported`\\n[metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).\\n\" var=#true\n flag \"--verified-claims-validation-schema-set \" help=\"The verified claims validation schema set.\\n (options: standard, standard+id_document)\"\n flag \"--attributes \" help=\"The attributes of this service.\\n\"\n flag \"--nbf-optional\" help=\"The flag indicating whether the nbf claim in the request object is optional even when the authorization\\nrequest is regarded as a FAPI-Part2 request.\\n\"\n flag \"--iss-suppressed\" help=\"The flag indicating whether generation of the iss response parameter is suppressed.\\n\"\n flag \"--supported-custom-client-metadata \" help=\"custom client metadata supported by this service.\\n\" var=#true\n flag \"--token-expiration-linked\" help=\"The flag indicating whether the expiration date of an access token never exceeds that of the\\ncorresponding refresh token.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE `enc` of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata of the client that has sent the request object.\\n\"\n flag \"--hsm-enabled\" help=\"The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.\\n\\nWhen this flag is `false`, keys managed in HSMs are not used even if they exist. 
In addition,\\n`/api/hsk/*` APIs reject all requests.\\n\\nEven if this flag is `true`, HSM-related features do not work if the configuration of the Authlete\\nserver you are using does not support HSM.\\n\"\n flag \"--hsks \" help=\"The information about keys managed on HSMs (Hardware Security Modules).\\n\\nThis `hsks` property is output only, meaning that `hsks` in requests to `/api/service/create`\\nAPI and `/api/service/update` API do not have any effect. The contents of this property is controlled\\nonly by `/api/hsk/*` APIs.\\n\"\n flag \"--grant-management-endpoint \" help=\"The URL of the grant management endpoint.\\n\"\n flag \"--grant-management-action-required\" help=\"The flag indicating whether every authorization request (and any request serving as an authorization\\nrequest such as CIBA backchannel authentication request and device authorization request) must\\ninclude the `grant_management_action` request parameter.\\n\"\n flag \"--unauthorized-on-client-config-supported\" help=\"The flag indicating whether Authlete's `/api/client/registration` API uses `UNAUTHORIZED` as\\na value of the `action` response parameter when appropriate.\\n\"\n flag \"--dcr-scope-used-as-requestable\" help=\"The flag indicating whether the `scope` request parameter in dynamic client registration and\\nupdate requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.\\n\\nLimiting the range of scopes that a client can request is achieved by listing scopes in the\\n`client.extension.requestableScopes` property and setting the `client.extension.requestableScopesEnabled`\\nproperty to `true`. This feature is called \\\"requestable scopes\\\".\\n\\nThis property affects behaviors of `/api/client/registration` and other family APIs.\\n\"\n flag \"--end-session-endpoint \" help=\"The endpoint for clients ending the sessions.\\n\\nA URL that starts with `https://` and has no fragment component. 
For example, `https://example.com/auth/endSession`.\\n\\nThe value of this property is used as `end_session_endpoint` property in the [OpenID Provider\\nMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\\n\"\n flag \"--loopback-redirection-uri-variable\" help=\"The flag indicating whether the port number component of redirection URIs can be variable when\\nthe host component indicates loopback.\\n\"\n flag \"--request-object-audience-checked\" help=\"The flag indicating whether Authlete checks whether the `aud` claim of request objects matches\\nthe issuer identifier of this service.\\n\"\n flag \"--access-token-for-external-attachment-embedded\" help=\"The flag indicating whether Authlete generates access tokens for\\nexternal attachments and embeds them in ID tokens and userinfo\\nresponses.\\n\"\n flag \"--authority-hints \" help=\"Identifiers of entities that can issue entity statements for this\\nservice. This property corresponds to the `authority_hints`\\nproperty that appears in a self-signed entity statement that is\\ndefined in OpenID Connect Federation 1.0.\\n\" var=#true\n flag \"--federation-enabled\" help=\"flag indicating whether this service supports OpenID Connect Federation 1\\n\"\n flag \"--federation-jwks \" help=\"JWK Set document containing keys that are used to sign (1) self-signed\\nentity statement of this service and (2) the response from\\n`signed_jwks_uri`.\\n\"\n flag \"--federation-signature-key-id \" help=\"A key ID to identify a JWK used to sign the entity configuration and\\nthe signed JWK Set.\\n\"\n flag \"--federation-configuration-duration \" help=\"The duration of the entity configuration in seconds.\\n\"\n flag \"--federation-registration-endpoint \" help=\"The URI of the federation registration endpoint. 
This property corresponds\\nto the `federation_registration_endpoint` server metadata that is\\ndefined in OpenID Connect Federation 1.0.\\n\"\n flag \"--organization-name \" help=\"The human-readable name representing the organization that operates\\nthis service. This property corresponds to the `organization_name`\\nserver metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--predefined-transformed-claims \" help=\"The transformed claims predefined by this service in JSON format.\\nThis property corresponds to the `transformed_claims_predefined`\\nserver metadata.\\n\"\n flag \"--refresh-token-idempotent\" help=\"flag indicating whether refresh token requests with the same\\nrefresh token can be made multiple times in quick succession and\\nthey can obtain the same renewed refresh token within the short\\nperiod.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this service's JWK Set document in\\nthe JWT format. This property corresponds to the `signed_jwks_uri`\\nserver metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--supported-attachments \" help=\"Supported attachment types. This property corresponds to the {@code\\nattachments_supported} server metadata which was added by the third\\nimplementer's draft of OpenID Connect for Identity Assurance 1.0.\\n\" var=#true\n flag \"--supported-digest-algorithms \" help=\"Supported algorithms used to compute digest values of external\\nattachments. This property corresponds to the\\n`digest_algorithms_supported` server metadata which was added\\nby the third implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--supported-documents \" help=\"Document types supported by this service. 
This property corresponds\\nto the `documents_supported` server metadata.\\n\" var=#true\n flag \"--supported-documents-methods \" help=\"validation and verification processes supported by this service.\\nThis property corresponds to the `documents_methods_supported`\\nserver metadata.\\n\\nThe third implementer's draft of [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\nrenamed the\\n`id_documents_verification_methods_supported` server metadata to\\n`documents_methods_supported`.\\n\" var=#true\n flag \"--supported-documents-validation-methods \" help=\"Document validation methods supported by this service. This property\\ncorresponds to the `documents_validation_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n\" var=#true\n flag \"--supported-documents-verification-methods \" help=\"Document verification methods supported by this service. This property\\ncorresponds to the `documents_verification_methods_supported` server\\nmetadata which was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-electronic-records \" help=\"Electronic record types supported by this service. 
This property\\ncorresponds to the `electronic_records_supported` server metadata\\nwhich was added by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)\\n\" var=#true\n flag \"--supported-client-registration-types \" help=\"list of values\" var=#true\n flag \"--token-exchange-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nmaking token exchange requests.\\n\"\n flag \"--token-exchange-by-confidential-clients-only\" help=\"The flag indicating whether to prohibit public clients from making\\ntoken exchange requests.\\n\"\n flag \"--token-exchange-by-permitted-clients-only\" help=\"The flag indicating whether to prohibit clients that have no explicit\\npermission from making token exchange requests.\\n\"\n flag \"--token-exchange-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse encrypted JWTs as input tokens.\\n\"\n flag \"--token-exchange-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token exchange requests which\\nuse unsigned JWTs as input tokens.\\n\"\n flag \"--jwt-grant-by-identifiable-clients-only\" help=\"The flag indicating whether to prohibit unidentifiable clients from\\nusing the grant type \\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-encrypted-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nencrypted JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--jwt-grant-unsigned-jwt-rejected\" help=\"The flag indicating whether to reject token requests that use an\\nunsigned JWT as an authorization grant with the grant type\\n\\\"urn:ietf:params:oauth:grant-type:jwt-bearer\\\".\\n\"\n flag \"--dcr-duplicate-software-id-blocked\" help=\"The flag indicating whether to block DCR (Dynamic 
Client Registration)\\nrequests whose \\\"software_id\\\" has already been used previously.\\n\"\n flag \"--trust-anchors \" help=\"The trust anchors that are referenced when this service resolves\\ntrust chains of relying parties.\\n\\nIf this property is empty, client registration fails regardless of\\nwhether its type is `automatic` or `explicit`. It means\\nthat OpenID Connect Federation 1.0 does not work.\\n\"\n flag \"--openid-dropped-on-refresh-without-offline-access\" help=\"The flag indicating whether the openid scope should be dropped from\\nscopes list assigned to access token issued when a refresh token grant\\nis used.\\n\"\n flag \"--supported-documents-check-methods \" help=\"Supported document check methods. This property corresponds to the `documents_check_methods_supported`\\nserver metadata which was added by the fourth implementer's draft of OpenID Connect for Identity\\nAssurance 1.0.\\n\" var=#true\n flag \"--rs-response-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--cnonce-duration \" help=\"The duration of `c_nonce`.\\n\"\n flag \"--dpop-nonce-required\" help=\"Whether to require DPoP proof JWTs to include the `nonce` claim\\nwhenever they are presented.\\n\"\n flag \"--verifiable-credentials-enabled\" help=\"Get the flag indicating whether the feature of Verifiable Credentials\\nfor this service is enabled or not.\\n\"\n flag \"--credential-jwks-uri \" help=\"The URL at which the JWK Set document of the credential issuer is\\nexposed.\\n\"\n flag \"--credential-offer-duration \" help=\"The default duration of credential offers in seconds.\\n\"\n flag \"--dpop-nonce-duration \" help=\"The duration of nonce values for DPoP proof JWTs in seconds.\\n\"\n flag \"--pre-authorized-grant-anonymous-access-supported\" help=\"The flag indicating whether token requests using the pre-authorized\\ncode grant flow by unidentifiable clients are allowed.\\n\"\n flag 
\"--credential-transaction-duration \" help=\"The duration of transaction ID in seconds that may be issued as a\\nresult of a credential request or a batch credential request.\\n\"\n flag \"--introspection-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--resource-signature-key-id \" help=\"The key ID of the key for signing introspection responses.\\n\"\n flag \"--user-pin-length \" help=\"The default length of user PINs.\\n\"\n flag \"--supported-prompt-values \" help=\"The supported `prompt` values.\\n\" var=#true\n flag \"--id-token-reissuable\" help=\"The flag indicating whether to enable the feature of ID token\\nreissuance in the refresh token flow.\\n\"\n flag \"--credential-jwks \" help=\"The JWK Set document containing private keys that are used to sign\\nverifiable credentials.\\n\"\n flag \"--fapi-modes \" help=\"FAPI modes for this service.\\n\\nWhen the value of this property is not `null`, Authlete always processes requests to this service based\\non the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported\\nby this service.\\n\\nFor instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete always\\nprocesses requests to this service based on \\\"Financial-grade API Security Profile 1.0 - Part 2:\\nAdvanced\\\" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.\\n\" var=#true\n flag \"--credential-duration \" help=\"The default duration of verifiable credentials in seconds.\\n\"\n flag \"--credential-issuer-metadata \" help=\"JSON object\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim in ID tokens.\\n\"\n flag \"--native-sso-supported\" help=\"Flag that enables the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (“Native SSO”). 
When this property is **not** `true`, Native SSO specific parameters are ignored or treated as errors.\\nFor example:\\n\\n* The `device_sso` scope has no special meaning (Authlete does not embed the `sid` claim in ID tokens).\\n* The `urn:openid:params:token-type:device-secret` token type is treated as unknown and results in an error.\\n\\nWhen set to `true`, the server metadata advertises `\\\"native_sso_supported\\\": true`. See [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)\\nand [RFC 8414 §2](https://www.rfc-editor.org/rfc/rfc8414.html#section-2) for background. Native SSO is available in Authlete 3.0 and later.\\n\"\n flag \"--oid4vci-version \" help=\"Version of the [OpenID for Verifiable Credential Issuance](https://www.authlete.com/developers/oid4vci/) (OID4VCI) specification to support.\\n\\nAccepted values are:\\n\\n* `null` or `\\\"1.0-ID1\\\"` → Implementer’s Draft 1.\\n* `\\\"1.0\\\"` or `\\\"1.0-Final\\\"` → Final 1.0 specification.\\n\\nChoose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.\\n\"\n flag \"--cimd-metadata-policy-enabled\" help=\"Flag that controls whether the CIMD metadata policy is applied to client\\nmetadata obtained through the Client ID Metadata Document (CIMD)\\nmechanism.\\n\"\n flag \"--client-id-metadata-document-supported\" help=\"Indicates whether the Client ID Metadata Document (CIMD) mechanism is\\nsupported. When `true`, the service will attempt to retrieve client\\nmetadata via CIMD where applicable.\\n\"\n flag \"--cimd-allowlist-enabled\" help=\"Enables the allowlist for CIMD. 
When `true`, only CIMD endpoints that are\\non the allowlist are used.\\n\"\n flag \"--cimd-allowlist \" help=\"The allowlist of CIMD endpoints (hosts/URIs) that may be used when\\nretrieving client metadata via Client ID Metadata Documents.\\n\" var=#true\n flag \"--cimd-always-retrieved\" help=\"If `true`, CIMD retrieval is always attempted for clients, regardless of\\nother conditions.\\n\"\n flag \"--cimd-http-permitted\" help=\"Allows CIMD retrieval over plain HTTP. When `false`, only HTTPS CIMD\\nendpoints are allowed.\\n\"\n flag \"--cimd-query-permitted\" help=\"Allows the use of query parameters when retrieving CIMD metadata. When\\n`false`, query parameters are disallowed for CIMD requests.\\n\"\n flag \"--cimd-metadata-policy \" help=\"The metadata policy applied to client metadata obtained through the CIMD\\nmechanism. The value must follow the metadata policy grammar defined in\\n[OpenID Federation 1.0 §6.1 Metadata Policy](https://openid.net/specs/openid-federation-1_0.html#name-metadata-policy).\\n\"\n flag \"--http-alias-prohibited\" help=\"When `true`, client ID aliases starting with `https://` or `http://` are\\nprohibited.\\n\"\n flag \"--attestation-challenge-time-window \" help=\"The time window of attestation challenges in seconds. This is used for\\nOAuth 2.0 Attestation-Based Client Authentication.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "service delete": "cmd \"delete\" help=\"Delete Service ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n}\n", + "service get-configuration": "cmd \"get-configuration\" help=\"Get Service Configuration\" {\n alias \"gc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. 
The default value is `false`.\"\n flag \"--patch \" help=\"Get the JSON Patch [RFC 6902 JavaScript Object Notation (JSON) Patch](https://www.rfc-editor.org/rfc/rfc6902) to be applied.\"\n}\n", + "service gc": "cmd \"get-configuration\" help=\"Get Service Configuration\" {\n alias \"gc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n flag \"--patch \" help=\"Get the JSON Patch [RFC 6902 JavaScript Object Notation (JSON) Patch](https://www.rfc-editor.org/rfc/rfc6902) to be applied.\"\n}\n", + "client": "cmd \"client\" help=\"Operations for client\" {\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n }\n cmd \"list\" help=\"List Clients\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--developer \" help=\"The developer of client applications. The default value is null. If this parameter is not set\\nto `null`, client application of the specified developer are returned. Otherwise, all client\\napplications that belong to the service are returned.\\n\"\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n }\n cmd \"create\" help=\"Create Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. 
If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. 
If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-form\" help=\"Update Client\" {\n alias \"uf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--body-param \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client ⚡\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"The client ID. [required]\"\n }\n cmd \"management\" help=\"Operations for client-management\" {\n cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. 
[required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n }\n cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorized-applications\" help=\"Get Authorized Applications\" {\n alias \"laa\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"list-authorized-applications-post\" help=\"Get Authorized Applications\" {\n alias \"laap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. 
[required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"revoke-client-tokens\" help=\"Delete Client Tokens\" {\n alias \"rct\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"revoke-client-tokens-post\" help=\"Delete Client Tokens\" {\n alias \"rctp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes-for-client\" help=\"Get Granted Scopes\" {\n alias \"ggsfc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes-for-client-post\" help=\"Get Granted Scopes\" {\n alias \"ggsfcp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes-for-client\" help=\"Delete Granted Scopes\" {\n alias \"dgsfc\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n cmd \"update-requestable-scopes-post\" help=\"Update Requestable Scopes\" {\n alias \"ursp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. 
Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n }\n}\n", + "client get": "cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n}\n", + "client list": "cmd \"list\" help=\"List Clients\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--developer \" help=\"The developer of client applications. The default value is null. If this parameter is not set\\nto `null`, client application of the specified developer are returned. Otherwise, all client\\napplications that belong to the service are returned.\\n\"\n flag \"--start \" help=\"Start index (inclusive) of the result set. The default value is 0. Must not be a negative number.\"\n flag \"--end \" help=\"End index (exclusive) of the result set. The default value is 5. Must not be a negative number.\"\n}\n", + "client create": "cmd \"create\" help=\"Create Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. 
If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client update": "cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--client-name \" help=\"The name of the client application. This property corresponds to `client_name` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-names \" help=\"Client names with language tags. If the client application has different names for different\\nlanguages, this property can be used to register the names.\\n\"\n flag \"--description \" help=\"The description about the client application.\"\n flag \"--descriptions \" help=\"Descriptions about the client application with language tags. 
If the client application has different\\ndescriptions for different languages, this property can be used to register the descriptions.\\n\"\n flag \"--client-id-alias \" help=\"The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By\\ndefault, this is a string version of the `clientId` property.\\n\"\n flag \"--client-id-alias-enabled\" help=\"Deprecated. Always set to `true`.\"\n flag \"--client-type \" help=\"The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)\\nfor details.\\n (options: PUBLIC, CONFIDENTIAL)\"\n flag \"--application-type \" help=\"The application type. The value of this property affects the validation steps for a redirect URI.\\nSee the description about `redirectUris` property for more details.\\n (options: WEB, NATIVE)\"\n flag \"--logo-uri \" help=\"The URL pointing to the logo image of the client application.\\n\\nThis property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.\\nClient Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--logo-uris \" help=\"Logo image URLs with language tags. If the client application has different logo images for\\ndifferent languages, this property can be used to register URLs of the images.\\n\"\n flag \"--contacts \" help=\"An array of email addresses of people responsible for the client application.\\n\\nThis property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. 
Client\\nMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--tls-client-certificate-bound-access-tokens\" help=\"The flag to indicate whether this client use TLS client certificate bound access tokens.\\n\"\n flag \"--software-id \" help=\"The unique identifier string assigned by the client developer or software publisher used by\\nregistration endpoints to identify the client software to be dynamically registered.\\n\\nThis property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--developer \" help=\"The unique identifier of the developer who created this client application.\\n\"\n flag \"--software-version \" help=\"The version identifier string for the client software identified by the software ID.\\n\\nThis property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)\\nof [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).\\n\"\n flag \"--registration-access-token-hash \" help=\"The hash of the registration access token for this client.\\n\"\n flag \"--grant-types \" help=\"A string array of grant types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--response-types \" help=\"A string array of response types which the client application declares that it will restrict itself to using.\\nThis property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,\\n2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\" var=#true\n flag \"--redirect-uris \" help=\"Redirect URIs that the client application uses to receive a response from the authorization endpoint.\\nRequirements for a redirect URI are as follows.\\n\" var=#true\n flag \"--authorization-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--authorization-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--authorization-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--token-auth-method \" help=\"The client authentication method that the client application declares that it uses at the token\\nendpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic\\nClient Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: NONE, CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH, SELF_SIGNED_TLS_CLIENT_AUTH, ATTEST_JWT_CLIENT_AUTH)\"\n flag \"--token-auth-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--self-signed-certificate-key-id \" help=\"The key ID of a JWK containing a self-signed certificate of this client.\\n\"\n flag \"--tls-client-auth-subject-dn \" help=\"The string representation of the expected subject distinguished name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_subject_dn` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-dns \" help=\"The string representation of the expected DNS subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_dns` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. 
Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-uri \" help=\"The string representation of the expected URI subject alternative name of the certificate this\\nclient will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_uri` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-ip \" help=\"The string representation of the expected IP address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_ip` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--tls-client-auth-san-email \" help=\"The string representation of the expected email address subject alternative name of the certificate\\nthis client will use in mutual TLS authentication.\\n\\nSee `tls_client_auth_san_email` in \\\"Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client\\nRegistration\\\" for details.\\n\"\n flag \"--par-required\" help=\"The flag to indicate whether this client is required to use the pushed authorization request endpoint.\\nThis property corresponds to the `require_pushed_authorization_requests` client metadata defined\\nin \\\"OAuth 2.0 Pushed Authorization Requests\\\".\\n\"\n flag \"--request-object-required\" help=\"The flag to indicate whether authorization requests from this client are always required to\\nutilize a request object by using either `request` or `request_uri` request parameter.\\n\\nIf this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is\\nset to `false`, authorization requests from this client are processed as if `require_signed_request_object`\\nclient metadata of this client is `true`. The metadata is defined in \\\"JAR (JWT Secured Authorization Request)\\\".\\n\"\n flag \"--request-sign-alg \" help=\"The signature algorithm for JWT. 
This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--request-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--request-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--request-uris \" help=\"An array of URLs each of which points to a request object.\\n\\nAuthlete requires that URLs used as values for `request_uri` request parameter be pre-registered.\\nThis property is used for the pre-registration.\\nSee [OpenID Connect Core 1.0, 6.2. 
Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.\\n\" var=#true\n flag \"--default-max-age \" help=\"The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.\\n\\nThis property corresponds to `default_max_age` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--default-acrs \" help=\"The default ACRs (Authentication Context Class References). This value is used when an authorization\\nrequest from the client application has neither `acr_values` request parameter nor `acr` claim\\nin claims request parameter.\\n\" var=#true\n flag \"--id-token-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--id-token-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. 
For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--id-token-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--auth-time-required\" help=\"The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.\\n\\nThis property corresponds to `require_auth_time` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--subject-type \" help=\"The subject type that the client application requests. 
Details about the subject type are described in\\n[OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).\\n\\nThis property corresponds to `subject_type` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n (options: PUBLIC, PAIRWISE)\"\n flag \"--sector-identifier-uri \" help=\"The value of the sector identifier URI.\\nThis represents the `sector_identifier_uri` client metadata which is defined in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)\\n\"\n flag \"--jwks-uri \" help=\"The URL pointing to the JWK Set of the client application.\\nThe content pointed to by the URL is JSON which complies with the format described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--jwks \" help=\"The content of the JWK Set of the client application.\\nThe format is described in\\n[JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).\\nThe JWK Set must not include private keys of the client application.\\n\"\n flag \"--user-info-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--user-info-encryption-alg \" help=\"this is the 'alg' header value for encrypted JWT tokens.\\nDepending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:\\n- as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects\\n- as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object\\n- as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens\\n\\n**Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.\\n (options: RSA1_5, RSA_OAEP, RSA_OAEP_256, A128KW, A192KW, A256KW, DIR, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128GCMKW, A192GCMKW, A256GCMKW, PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW)\"\n flag \"--user-info-encryption-enc \" help=\"This is the encryption algorithm to be used when encrypting a JWT on client or server side.\\nDepending upon the context, this refers to encryption done by the client or by the server. 
For instance:\\n - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response\\n - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object\\n - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens\\n (options: A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM, A256GCM)\"\n flag \"--login-uri \" help=\"The URL which a third party can use to initiate a login by the client application.\\n\\nThis property corresponds to `initiate_login_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uri \" help=\"The URL pointing to the \\\"Terms Of Service\\\" page.\\n\\nThis property corresponds to `tos_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--tos-uris \" help=\"URLs of \\\"Terms Of Service\\\" pages with language tags.\\n\\nIf the client application has different \\\"Terms Of Service\\\" pages for different languages,\\nthis property can be used to register the URLs.\\n\"\n flag \"--policy-uri \" help=\"The URL pointing to the page which describes the policy as to how end-user's profile data is used.\\n\\nThis property corresponds to `policy_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. 
Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--policy-uris \" help=\"URLs of policy pages with language tags.\\nIf the client application has different policy pages for different languages, this property can be used to register the URLs.\\n\"\n flag \"--client-uri \" help=\"The URL pointing to the home page of the client application.\\n\\nThis property corresponds to `client_uri` in\\n[OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).\\n\"\n flag \"--client-uris \" help=\"Home page URLs with language tags.\\nIf the client application has different home pages for different languages, this property can\\nbe used to register the URLs.\\n\"\n flag \"--bc-delivery-mode \" help=\"The backchannel token delivery mode.\\n\\nThis property corresponds to the `backchannel_token_delivery_mode` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-notification-endpoint \" help=\"The backchannel client notification endpoint.\\n\\nThis property corresponds to the `backchannel_client_notification_endpoint` metadata.\\nThe backchannel token delivery mode is defined in the specification of \\\"CIBA (Client Initiated\\nBackchannel Authentication)\\\".\\n\"\n flag \"--bc-request-sign-alg \" help=\"The signature algorithm for JWT. This value is represented on 'alg' attribute\\nof the header of JWT.\\n\\nit's semantics depends upon where is this defined, for instance:\\n - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. 
Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).\\n - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).\\n - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).\\n (options: NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, ES256K, EdDSA)\"\n flag \"--bc-user-code-required\" help=\"The boolean flag to indicate whether a user code is required when this client makes a backchannel\\nauthentication request.\\n\\nThis property corresponds to the `backchannel_user_code_parameter` metadata.\\n\"\n flag \"--attributes \" help=\"The attributes of this client.\\n\"\n flag \"--extension \" help=\"JSON object\"\n flag \"--authorization-details-types \" help=\"The authorization details types that this client may use as values of the `type` field in\\n`authorization_details`.\\n\\nThis property corresponds to the `authorization_details_types` metadata. 
See [OAuth 2.0 Rich\\nAuthorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.\\n\\nNote that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes\\nto align with the change made by the 5th draft of the RAR specification.\\n\" var=#true\n flag \"--custom-metadata \" help=\"The custom client metadata in JSON format.\\n\"\n flag \"--front-channel-request-object-encryption-required\" help=\"The flag indicating whether encryption of request object is required when the request object\\nis passed through the front channel.\\n\"\n flag \"--request-object-encryption-alg-match-required\" help=\"The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`\\nclient metadata.\\n\"\n flag \"--request-object-encryption-enc-match-required\" help=\"The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`\\nclient metadata.\\n\"\n flag \"--digest-algorithm \" help=\"The digest algorithm that this client requests the server to use\\nwhen it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens\\nor userinfo responses (or any place that can have the `verified_claims` claim).\\nPossible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),\\nbut the server does not necessarily support all the values there. 
When\\nthis property is omitted, `sha-256` is used as the default algorithm.\\nThis property corresponds to the `digest_algorithm` client metadata\\nwhich was defined by the third implementer's draft of\\n[OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html).\\n\"\n flag \"--single-access-token-per-subject\" help=\"If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.\\n\\nNote that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.\\n\\nEven if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.\\n\"\n flag \"--pkce-required\" help=\"The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.\\n\\nIf `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.\\n\\nSee [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.\\n\"\n flag \"--pkce-s256-required\" help=\"The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.\\n\\nIf this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request\\nwhenever it includes the `code_challenge` request parameter.\\nNeither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.\\n\"\n flag \"--dpop-required\" help=\"If the DPoP is required for this client\\n\"\n 
flag \"--automatically-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"automatic\\\" client registration of OIDC Federation.\\n\"\n flag \"--explicitly-registered\" help=\"The flag indicating whether this client was registered by the\\n\\\"explicit\\\" client registration of OIDC Federation.\\n\"\n flag \"--rs-request-signed\" help=\"The flag indicating whether this service signs responses from the resource server.\\n\"\n flag \"--rs-signed-request-key-id \" help=\"The key ID of a JWK containing the public key used by this client to sign requests to the resource server.\\n\"\n flag \"--client-registration-types \" help=\"The client registration types that the client has declared it may use.\\n\" var=#true\n flag \"--organization-name \" help=\"The human-readable name representing the organization that manages this client. This property corresponds\\nto the organization_name client metadata that is defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--signed-jwks-uri \" help=\"The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property\\ncorresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.\\n\"\n flag \"--entity-id \" help=\"the entity ID of this client.\\n\"\n flag \"--trust-anchor-id \" help=\"The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by\\nthe mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--trust-chain \" help=\"The trust chain that was used when this client was registered or updated by the mechanism defined in\\nOpenID Connect Federation 1.0\\n\" var=#true\n flag \"--trust-chain-expires-at \" help=\"the expiration time of the trust chain that was used when this client was registered or updated by the mechanism\\ndefined in OpenID Connect Federation 1.0. 
The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).\\n\"\n flag \"--trust-chain-updated-at \" help=\"the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0\\n\"\n flag \"--locked\" help=\"The flag which indicates whether this client is locked.\\n\"\n flag \"--credential-offer-endpoint \" help=\"The URL of the credential offer endpoint at which this client\\n(wallet) receives a credential offer from the credential issuer.\\n\"\n flag \"--fapi-modes \" help=\"The FAPI modes for this client.\\n\" var=#true\n flag \"--response-modes \" help=\"The response modes that this client may use.\" var=#true\n flag \"--credential-response-encryption-required\" help=\"True if credential responses to this client must be always encrypted.\"\n flag \"--mtls-endpoint-aliases-used\" help=\"The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.\\n\\nThis property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in\\n[FAPI 2.0 Security Profile, 8.1.1. 
use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).\\n\"\n flag \"--in-scope-for-token-migration\" help=\"The flag indicating whether this client is in scope for token migration \\noperations.\\n\"\n flag \"--metadata-document-location \" help=\"Location of the Client ID Metadata Document that was used for this client.\\n\"\n flag \"--metadata-document-expires-at \" help=\"Expiration time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--metadata-document-updated-at \" help=\"Last-updated time of the metadata document (UNIX time in milliseconds).\\n\"\n flag \"--discovered-by-metadata-document\" help=\"Indicates whether this client was discovered via a Client ID Metadata Document.\\n\"\n flag \"--client-source \" help=\"Source of this client record.\\n (options: DYNAMIC_REGISTRATION, AUTOMATIC_REGISTRATION, EXPLICIT_REGISTRATION, METADATA_DOCUMENT, STATIC_REGISTRATION)\"\n flag \"--additional-properties \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client update-form": "cmd \"update-form\" help=\"Update Client\" {\n alias \"uf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--body-param \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client uf": "cmd \"update-form\" help=\"Update Client\" {\n alias \"uf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID. [required]\"\n flag \"--body-param \" help=\"value\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client delete": "cmd \"delete\" help=\"Delete Client ⚡\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"The client ID. [required]\"\n}\n", + "client management": "cmd \"management\" help=\"Operations for client-management\" {\n cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. [required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n }\n cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorized-applications\" help=\"Get Authorized Applications\" {\n alias \"laa\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). 
The default value is 5.\\n\"\n }\n cmd \"list-authorized-applications-post\" help=\"Get Authorized Applications\" {\n alias \"laap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"revoke-client-tokens\" help=\"Delete Client Tokens\" {\n alias \"rct\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"revoke-client-tokens-post\" help=\"Delete Client Tokens\" {\n alias \"rctp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes-for-client\" help=\"Get Granted Scopes\" {\n alias \"ggsfc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-granted-scopes-for-client-post\" help=\"Get Granted Scopes\" {\n alias \"ggsfcp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes-for-client\" help=\"Delete Granted Scopes\" {\n alias \"dgsfc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n }\n cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n cmd \"update-requestable-scopes-post\" help=\"Update Requestable Scopes\" {\n alias \"ursp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n }\n}\n", + "client management update-lock-flag": "cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. [required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management ulf": "cmd \"update-lock-flag\" help=\"Update Client Lock\" {\n alias \"ulf\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"A client ID. [required]\"\n flag \"--client-locked\" help=\"The flag value to be set\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management refresh-secret": "cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n}\n", + "client management rs": "cmd \"refresh-secret\" help=\"Rotate Client Secret\" {\n alias \"rs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n}\n", + "client management update-secret": "cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management us": "cmd \"update-secret\" help=\"Update Client Secret\" {\n alias \"us\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"The client ID or the client ID alias of a client.\\n [required]\"\n flag \"--client-secret \" help=\"The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`,\\n`-`, and `_`. The maximum length of a client secret is 86.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management list-authorized-applications": "cmd \"list-authorized-applications\" help=\"Get Authorized Applications\" {\n alias \"laa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", + "client management laa": "cmd \"list-authorized-applications\" help=\"Get Authorized Applications\" {\n alias \"laa\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", + "client management list-authorized-applications-post": "cmd \"list-authorized-applications-post\" help=\"Get Authorized Applications\" {\n alias \"laap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management laap": "cmd \"list-authorized-applications-post\" help=\"Get Authorized Applications\" {\n alias \"laap\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. 
[required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\"\n flag \"--start \" help=\"Start index of search results (inclusive).\"\n flag \"--end \" help=\"End index of search results (exclusive).\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management list-authorizations": "cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", + "client management la": "cmd \"list-authorizations\" help=\"Get Authorized Applications (by Subject)\" {\n alias \"la\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n flag \"--developer \" help=\"Unique ID of a client developer.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", + "client management update-authorizations": "cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. 
If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management ua": "cmd \"update-authorizations\" help=\"Update Client Tokens\" {\n alias \"ua\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user who has granted authorization to the client\\napplication.\\n [required]\"\n flag \"--scopes \" help=\"An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all\\nexisting access tokens. If an API call is made using `\\\"Content-Type: application/x-www-form-urlencoded\\\"`,\\nscope names listed in this request parameter should be delimited by spaces (after form encoding,\\nspaces are converted to `+`).\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management revoke-client-tokens": "cmd \"revoke-client-tokens\" help=\"Delete Client Tokens\" {\n alias \"rct\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management rct": "cmd \"revoke-client-tokens\" help=\"Delete Client Tokens\" {\n alias \"rct\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management revoke-client-tokens-post": "cmd \"revoke-client-tokens-post\" help=\"Delete Client Tokens\" {\n alias \"rctp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management rctp": "cmd \"revoke-client-tokens-post\" help=\"Delete Client Tokens\" {\n alias \"rctp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management delete-authorizations": "cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management da": "cmd \"delete-authorizations\" help=\"Delete Client Tokens (by Subject)\" {\n alias \"da\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management get-granted-scopes-for-client": "cmd \"get-granted-scopes-for-client\" help=\"Get Granted Scopes\" {\n alias \"ggsfc\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management ggsfc": "cmd \"get-granted-scopes-for-client\" help=\"Get Granted Scopes\" {\n alias \"ggsfc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management get-granted-scopes-for-client-post": "cmd \"get-granted-scopes-for-client-post\" help=\"Get Granted Scopes\" {\n alias \"ggsfcp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management ggsfcp": "cmd \"get-granted-scopes-for-client-post\" help=\"Get Granted Scopes\" {\n alias \"ggsfcp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management get-granted-scopes": "cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management ggs": "cmd \"get-granted-scopes\" help=\"Get Granted Scopes (by Subject)\" {\n alias \"ggs\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management delete-granted-scopes-for-client": "cmd \"delete-granted-scopes-for-client\" help=\"Delete Granted Scopes\" {\n alias \"dgsfc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management dgsfc": "cmd \"delete-granted-scopes-for-client\" help=\"Delete Granted Scopes\" {\n alias \"dgsfc\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management delete-granted-scopes": "cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management dgs": "cmd \"delete-granted-scopes\" help=\"Delete Granted Scopes (by Subject)\" {\n alias \"dgs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--subject \" help=\"Unique user ID of an end-user.\\n [required]\"\n}\n", + "client management get-requestable-scopes": "cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n}\n", + "client management grs": "cmd \"get-requestable-scopes\" help=\"Get Requestable Scopes\" {\n alias \"grs\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n}\n", + "client management update-requestable-scopes-post": "cmd \"update-requestable-scopes-post\" help=\"Update Requestable Scopes\" {\n alias \"ursp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management ursp": "cmd \"update-requestable-scopes-post\" help=\"Update Requestable Scopes\" {\n alias \"ursp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", + "client management update-requestable-scopes": "cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "client management urs": "cmd \"update-requestable-scopes\" help=\"Update Requestable Scopes\" {\n alias \"urs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n flag \"--requestable-scopes \" help=\"The set of scopes that the client application is allowed to request.\\nThis parameter will be one of the following. Details are described in the description.\\n\\n\\n- an empty set\\n- a set with at least one element\\n\\nIf this parameter contains scopes that the service does not support, those scopes are just\\nignored. Also, if this parameter is `null` or is not included in the request, it is equivalent\\nto calling `/client/extension/requestable_scopes/delete` API.\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", + "client management delete-requestable-scopes": "cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n}\n", + "client management drs": "cmd \"delete-requestable-scopes\" help=\"Delete Requestable Scopes\" {\n alias \"drs\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-id \" help=\"A client ID.\\n [required]\"\n}\n", + "authorization": "cmd \"authorization\" help=\"Operations for authorization\" {\n cmd \"process-request\" help=\"Process Authorization Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of\\nthe authorization server implementation received from the client application.\\n\\nThe value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is `GET`\\nor (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from\\nthe client application is `POST`.\\n [required]\"\n flag \"--context \" help=\"The arbitrary text to be attached to the ticket that will be issued from the `/auth/authorization`\\nAPI.\\n\\nThe text can be retrieved later by the `/auth/authorization/ticket/info` API and can be updated\\nby the `/auth/authorization/ticket/update` API.\\n\\nThe text will be compressed and encrypted when it is saved in the Authlete database.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when 
provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the authorization request.\\nFor more details, see [NO_INTERACTION] in the description of `/auth/authorization` API.\\n (options: UNKNOWN, NOT_LOGGED_IN, MAX_AGE_NOT_SUPPORTED, EXCEEDS_MAX_AGE, DIFFERENT_SUBJECT, ACR_NOT_SATISFIED, DENIED, SERVER_ERROR, NOT_AUTHENTICATED, ACCOUNT_SELECTION_REQUIRED, CONSENT_REQUIRED, INTERACTION_REQUIRED, INVALID_TARGET) [required]\"\n flag \"--description \" help=\"The custom description about the authorization failure.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Authorization Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= a user account managed by the service) who has granted authorization to the client application.\\n [required]\"\n flag \"--auth-time \" help=\"The time when the authentication of the end-user occurred. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference performed for the end-user authentication.\"\n flag \"--claims \" help=\"The claims of the end-user (= pieces of information about the end-user) in JSON format.\\nSee [OpenID Connect Core 1.0, 5.1. 
Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) for details about the format.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with an access token and/or an authorization code.\"\n flag \"--scopes \" help=\"Scopes to associate with an access token and/or an authorization code.\\nIf a non-empty string array is given, it replaces the scopes specified by the original authorization request.\\n\" var=#true\n flag \"--sub \" help=\"The value of the `sub` claim to embed in an ID token. If this request parameter is `null` or empty,\\nthe value of the `subject` request parameter is used as the value of the `sub` claim.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens that may be issued based on\\nthe authorization request.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--session-id \" help=\"The session ID of the user's authentication session. The specified value will be embedded in the\\nID token as the value of the `sid` claim. This parameter needs to be provided only if you want\\nto support the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (a.k.a. \\\"Native SSO\\\"). To enable support for the Native SSO specification, the\\n`nativeSsoSupported` property of your service must be set to `true`.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"management\" help=\"Operations for authorization-management\" {\n cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. 
[required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n }\n}\n", + "authorization process-request": "cmd \"process-request\" help=\"Process Authorization Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of\\nthe authorization server implementation received from the client application.\\n\\nThe value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is `GET`\\nor (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from\\nthe client application is `POST`.\\n [required]\"\n flag \"--context \" help=\"The arbitrary text to be attached to the ticket that will be issued from the `/auth/authorization`\\nAPI.\\n\\nThe text can be retrieved later by the `/auth/authorization/ticket/info` API and can be updated\\nby the `/auth/authorization/ticket/update` API.\\n\\nThe text will be compressed and encrypted when it is saved in the Authlete database.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "authorization pr": "cmd \"process-request\" help=\"Process Authorization Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of\\nthe authorization server implementation received from the client application.\\n\\nThe value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is `GET`\\nor (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from\\nthe client application is `POST`.\\n [required]\"\n flag \"--context \" help=\"The arbitrary text to be attached to the ticket that will be issued from the `/auth/authorization`\\nAPI.\\n\\nThe text can be retrieved later by the `/auth/authorization/ticket/info` API and can be updated\\nby the `/auth/authorization/ticket/update` API.\\n\\nThe text will be compressed and encrypted when it is saved in the Authlete database.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "authorization fail": "cmd \"fail\" help=\"Fail Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the authorization request.\\nFor more details, see [NO_INTERACTION] in the description of `/auth/authorization` API.\\n (options: UNKNOWN, NOT_LOGGED_IN, MAX_AGE_NOT_SUPPORTED, EXCEEDS_MAX_AGE, DIFFERENT_SUBJECT, ACR_NOT_SATISFIED, DENIED, SERVER_ERROR, NOT_AUTHENTICATED, ACCOUNT_SELECTION_REQUIRED, CONSENT_REQUIRED, INTERACTION_REQUIRED, INVALID_TARGET) [required]\"\n flag \"--description \" help=\"The custom description about the authorization failure.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "authorization issue": "cmd \"issue\" help=\"Issue Authorization Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/authorization` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= a user account managed by the service) who has granted authorization to the client application.\\n [required]\"\n flag \"--auth-time \" help=\"The time when the authentication of the end-user occurred. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference performed for the end-user authentication.\"\n flag \"--claims \" help=\"The claims of the end-user (= pieces of information about the end-user) in JSON format.\\nSee [OpenID Connect Core 1.0, 5.1. 
Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) for details about the format.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with an access token and/or an authorization code.\"\n flag \"--scopes \" help=\"Scopes to associate with an access token and/or an authorization code.\\nIf a non-empty string array is given, it replaces the scopes specified by the original authorization request.\\n\" var=#true\n flag \"--sub \" help=\"The value of the `sub` claim to embed in an ID token. If this request parameter is `null` or empty,\\nthe value of the `subject` request parameter is used as the value of the `sub` claim.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens that may be issued based on\\nthe authorization request.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--session-id \" help=\"The session ID of the user's authentication session. The specified value will be embedded in the\\nID token as the value of the `sid` claim. This parameter needs to be provided only if you want\\nto support the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)\\nspecification (a.k.a. \\\"Native SSO\\\"). To enable support for the Native SSO specification, the\\n`nativeSsoSupported` property of your service must be set to `true`.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "authorization management": "cmd \"management\" help=\"Operations for authorization-management\" {\n cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. 
[required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "authorization management get-ticket-info": "cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "authorization management gti": "cmd \"get-ticket-info\" help=\"Get Ticket Information\" {\n alias \"gti\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket that has been issued from the `/auth/authorization` API. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "authorization management update-ticket": "cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. [required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "authorization management ut": "cmd \"update-ticket\" help=\"Update Ticket Information\" {\n alias \"ut\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket. [required]\"\n flag \"--info \" help=\"The information about the ticket. [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", + "pushed-authorization": "cmd \"pushed-authorization\" help=\"Operations for pushed-authorization\" {\n alias \"pa\"\n cmd \"create\" help=\"Process Pushed Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"The pushed authorization request body received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the pushed request from the client application.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the pushed authorization request from the client application.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS connection to pushed authorization endpoint from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. 
These certificates are strings in PEM format.\\n\" var=#true\n flag \"--dpop \" help=\"DPoP Header\\n\"\n flag \"--htm \" help=\"HTTP Method (for DPoP validation).\\n\"\n flag \"--htu \" help=\"HTTP URL base (for DPoP validation).\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/pushed_auth_req` API with\\nthis `dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP\\nproof JWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "pa": "cmd \"pushed-authorization\" help=\"Operations for pushed-authorization\" {\n alias \"pa\"\n cmd \"create\" help=\"Process Pushed Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"The pushed authorization request body received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the pushed request from the client application.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the pushed authorization request from the client application.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS connection to pushed authorization endpoint from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. These certificates are strings in PEM format.\\n\" var=#true\n flag \"--dpop \" help=\"DPoP Header\\n\"\n flag \"--htm \" help=\"HTTP Method (for DPoP validation).\\n\"\n flag \"--htu \" help=\"HTTP URL base (for DPoP validation).\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. 
Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/pushed_auth_req` API with\\nthis `dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP\\nproof JWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "pushed-authorization create": "cmd \"create\" help=\"Process Pushed Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"The pushed authorization request body received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the pushed request from the client application.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the pushed authorization request from the client application.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS connection to pushed authorization endpoint from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. 
These certificates are strings in PEM format.\\n\" var=#true\n flag \"--dpop \" help=\"DPoP Header\\n\"\n flag \"--htm \" help=\"HTTP Method (for DPoP validation).\\n\"\n flag \"--htu \" help=\"HTTP URL base (for DPoP validation).\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/pushed_auth_req` API with\\nthis `dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP\\nproof JWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "token": "cmd \"token\" help=\"Operations for token\" {\n cmd \"process\" help=\"Process Token Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server\\nimplementation received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as\\na means of client authentication, and the request from the client application contained its client ID\\nin `Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS of the token request from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. These certificates are strings in PEM format.\\n\" var=#true\n flag \"--properties \" help=\"Extra properties to associate with an access token. 
See [Extra Properties](https://www.authlete.com/developers/definitive_guide/extra_properties/)\\nfor details.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the token endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the token request. This field is used to validate the `DPoP` header.\\n\\nIn normal cases, the value is `POST`. When this parameter is omitted, `POST` is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the token endpoint. This field is used to validate the `DPoP` header.\\n\\nIf this parameter is omitted, the `tokenEndpoint` property of the Service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 
Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/token` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Token Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the token request.\\n (options: UNKNOWN, INVALID_RESOURCE_OWNER_CREDENTIALS, INVALID_TARGET) [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Token Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the authenticated user.\\n [required]\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter is accepted only\\nwhen `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify properties.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"management\" help=\"Operations for token-management\" {\n cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. 
{@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list\" help=\"List Issued Tokens\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"Client Identifier (client ID or client ID alias).\\n\"\n flag \"--subject \" help=\"Unique user ID.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"create\" help=\"Create Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--grant-type \" help=\"The grant type of the access token when the access token was created.\\n (options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE) [required]\"\n flag \"--client-id \" help=\"The ID of the client application which will be associated with a newly created access token.\\n\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the user who will be associated with a newly created access\\ntoken. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must\\nconsist of only ASCII characters and its length must not exceed 100.\\n\"\n flag \"--scopes \" help=\"The scopes which will be associated with a newly created access token. Scopes that are not supported\\nby the service cannot be specified and requesting them will cause an error.\\n\" var=#true\n flag \"--access-token-duration \" help=\"The duration of a newly created access token in seconds. If the value is 0, the duration is determined\\naccording to the settings of the service.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of a newly created refresh token in seconds. 
If the value is 0, the duration is\\ndetermined according to the settings of the service.\\n\\nA refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the\\nspecified grant type is either `IMPLICIT`or `CLIENT_CREDENTIALS`.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter\\nis accepted only when the HTTP method of the request is POST and Content-Type of the request is\\n`application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want\\nto specify properties.\\n\"\n flag \"--client-id-alias-used\" help=\"A boolean request parameter which indicates whether to emulate that the client ID alias is used\\ninstead of the original numeric client ID when a new access token is created.\\n\"\n flag \"--access-token \" help=\"The value of the new access token.\\n\"\n flag \"--refresh-token \" help=\"The value of the new refresh token.\\n\"\n flag \"--access-token-persistent\" help=\"Get whether the access token expires or not. By default, all access tokens expire after a period\\nof time determined by their service.\\n\\nIf this request parameter is `true`, then the access token will not automatically expire and must\\nbe revoked or deleted manually at the service. If this request parameter is true, the `accessTokenDuration`\\nrequest parameter is ignored.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. 
If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--resources \" help=\"The value of the resources to associate with the token. This property represents the value of\\none or more `resource` request parameters which is defined in \\\"RFC8707 Resource Indicators for\\nOAuth 2.0\\\".\\n\" var=#true\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication that the authorization server performed\\nduring the course of issuing the access token.\\n\"\n flag \"--auth-time \" help=\"The time when the user authentication was performed during the course of issuing the access token.\\n\"\n flag \"--client-entity-id-used\" help=\"Flag which indicates whether the entity ID of the client was used when the request for the access token was made.\\n\"\n flag \"--client-identifier \" help=\"The client Identifier associated with the newly issued access token.\\n\"\n flag \"--session-id \" help=\"The session ID, which is the ID of the user's authentication session, associated with a newly\\ncreated access token.\\n\"\n flag \"--metadata-document-used\" help=\"Flag indicating whether a metadata document was used to resolve client metadata for this request.\\n\\nWhen `true`, the client metadata was retrieved via the [OAuth Client ID Metadata 
Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD) mechanism rather than from the Authlete database.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token.\\n\"\n flag \"--access-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the access token is not changed.\\n\"\n flag \"--scopes \" help=\"A new set of scopes assigned to the access token. Scopes that are not supported by the service\\nand those that the client application associated with the access token is not allowed to request\\nare ignored on the server side. If the `scopes` request parameter is not included in a request or\\nits value is `null`, the scopes of the access token are not changed. Note that `properties` parameter\\nis accepted only when `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify `properties`.\\n\" var=#true\n flag \"--properties \" help=\"A new set of properties assigned to the access token. If the `properties` request parameter is\\nnot included in a request or its value is null, the properties of the access token are not changed.\\n\"\n flag \"--access-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the access token when the scopes linked to the access token are changed by this request.\\n\"\n flag \"--access-token-hash \" help=\"The hash of the access token value. 
Used when the hash of the token is known (perhaps from lookup)\\nbut the value of the token itself is not. The value of the `accessToken` parameter takes precedence.\\n\"\n flag \"--access-token-value-updated\" help=\"A boolean request parameter which indicates whether to update the value of the access token in\\nthe data store. If this parameter is set to `true` then a new access token value is generated\\nby the server and returned in the response.\\n\"\n flag \"--access-token-persistent\" help=\"The flag which indicates whether the access token expires or not. By default, all access tokens\\nexpire after a period of time determined by their service. If this request parameter is `true`\\nthen the access token will not automatically expire and must be revoked or deleted manually at\\nthe service.\\n\\nIf this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored.\\nIf this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed\\nnormally.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--refresh-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `refreshTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the refresh token is not changed.\\n\"\n flag \"--refresh-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the refresh token when the scopes linked to the refresh token are changed by this request.\\n\"\n flag \"--token-id \" help=\"The token identifier.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an existing access token. The identifier is the value of the access token\\nor the value of the hash of the access token.\\n [required]\"\n }\n cmd \"revoke\" help=\"Revoke Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an access token to revoke\\n\\nThe hash of an access token is recognized as an identifier as well as the access token itself.\\n\"\n flag \"--refresh-token-identifier \" help=\"The identifier of a refresh token to revoke.\\n\\nThe hash of a refresh token is recognized as an identifier as well as the refresh token itself.\\n\"\n flag \"--client-identifier \" help=\"The client ID of the access token to be revoked.\\n\\nBoth the numeric client ID and the alias are recognized as an identifier\\nof a client.\\n\"\n flag \"--subject \" help=\"The subject of a resource owner.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n }\n}\n", + "token process": "cmd \"process\" help=\"Process Token Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server\\nimplementation received from the client application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from\\nthe client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as\\na means of client authentication, and the request from the client application contained its client ID\\nin `Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the token request from the client application.\\n\\nIf the token endpoint of the authorization server implementation supports basic authentication as a means 
of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate from the MTLS of the token request from the client application.\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication. These certificates are strings in PEM format.\\n\" var=#true\n flag \"--properties \" help=\"Extra properties to associate with an access token. See [Extra Properties](https://www.authlete.com/developers/definitive_guide/extra_properties/)\\nfor details.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the token endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the token request. This field is used to validate the `DPoP` header.\\n\\nIn normal cases, the value is `POST`. When this parameter is omitted, `POST` is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the token endpoint. 
This field is used to validate the `DPoP` header.\\n\\nIf this parameter is omitted, the `tokenEndpoint` property of the Service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. 
Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/token` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "token fail": "cmd \"fail\" help=\"Fail Token Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the token request.\\n (options: UNKNOWN, INVALID_RESOURCE_OWNER_CREDENTIALS, INVALID_TARGET) [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "token issue": "cmd \"issue\" help=\"Issue Token Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete `/auth/token` API.\\n [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the authenticated user.\\n [required]\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. 
Note that properties parameter is accepted only\\nwhen `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify properties.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "token management": "cmd \"management\" help=\"Operations for token-management\" {\n cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. {@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"list\" help=\"List Issued Tokens\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--client-identifier \" help=\"Client Identifier (client ID or client ID alias).\\n\"\n flag \"--subject \" help=\"Unique user ID.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n }\n cmd \"create\" help=\"Create Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--grant-type \" help=\"The grant type of the access token when the access token was created.\\n (options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE) [required]\"\n flag \"--client-id \" help=\"The ID of the client application which will be associated with a newly created access token.\\n\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the user who will be associated with a newly created access\\ntoken. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must\\nconsist of only ASCII characters and its length must not exceed 100.\\n\"\n flag \"--scopes \" help=\"The scopes which will be associated with a newly created access token. Scopes that are not supported\\nby the service cannot be specified and requesting them will cause an error.\\n\" var=#true\n flag \"--access-token-duration \" help=\"The duration of a newly created access token in seconds. If the value is 0, the duration is determined\\naccording to the settings of the service.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of a newly created refresh token in seconds. 
If the value is 0, the duration is\\ndetermined according to the settings of the service.\\n\\nA refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the\\nspecified grant type is either `IMPLICIT`or `CLIENT_CREDENTIALS`.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. Note that properties parameter\\nis accepted only when the HTTP method of the request is POST and Content-Type of the request is\\n`application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want\\nto specify properties.\\n\"\n flag \"--client-id-alias-used\" help=\"A boolean request parameter which indicates whether to emulate that the client ID alias is used\\ninstead of the original numeric client ID when a new access token is created.\\n\"\n flag \"--access-token \" help=\"The value of the new access token.\\n\"\n flag \"--refresh-token \" help=\"The value of the new refresh token.\\n\"\n flag \"--access-token-persistent\" help=\"Get whether the access token expires or not. By default, all access tokens expire after a period\\nof time determined by their service.\\n\\nIf this request parameter is `true`, then the access token will not automatically expire and must\\nbe revoked or deleted manually at the service. If this request parameter is true, the `accessTokenDuration`\\nrequest parameter is ignored.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. 
If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--resources \" help=\"The value of the resources to associate with the token. This property represents the value of\\none or more `resource` request parameters which is defined in \\\"RFC8707 Resource Indicators for\\nOAuth 2.0\\\".\\n\" var=#true\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication that the authorization server performed\\nduring the course of issuing the access token.\\n\"\n flag \"--auth-time \" help=\"The time when the user authentication was performed during the course of issuing the access token.\\n\"\n flag \"--client-entity-id-used\" help=\"Flag which indicates whether the entity ID of the client was used when the request for the access token was made.\\n\"\n flag \"--client-identifier \" help=\"The client Identifier associated with the newly issued access token.\\n\"\n flag \"--session-id \" help=\"The session ID, which is the ID of the user's authentication session, associated with a newly\\ncreated access token.\\n\"\n flag \"--metadata-document-used\" help=\"Flag indicating whether a metadata document was used to resolve client metadata for this request.\\n\\nWhen `true`, the client metadata was retrieved via the [OAuth Client ID Metadata 
Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD) mechanism rather than from the Authlete database.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token.\\n\"\n flag \"--access-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the access token is not changed.\\n\"\n flag \"--scopes \" help=\"A new set of scopes assigned to the access token. Scopes that are not supported by the service\\nand those that the client application associated with the access token is not allowed to request\\nare ignored on the server side. If the `scopes` request parameter is not included in a request or\\nits value is `null`, the scopes of the access token are not changed. Note that `properties` parameter\\nis accepted only when `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify `properties`.\\n\" var=#true\n flag \"--properties \" help=\"A new set of properties assigned to the access token. If the `properties` request parameter is\\nnot included in a request or its value is null, the properties of the access token are not changed.\\n\"\n flag \"--access-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the access token when the scopes linked to the access token are changed by this request.\\n\"\n flag \"--access-token-hash \" help=\"The hash of the access token value. 
Used when the hash of the token is known (perhaps from lookup)\\nbut the value of the token itself is not. The value of the `accessToken` parameter takes precedence.\\n\"\n flag \"--access-token-value-updated\" help=\"A boolean request parameter which indicates whether to update the value of the access token in\\nthe data store. If this parameter is set to `true` then a new access token value is generated\\nby the server and returned in the response.\\n\"\n flag \"--access-token-persistent\" help=\"The flag which indicates whether the access token expires or not. By default, all access tokens\\nexpire after a period of time determined by their service. If this request parameter is `true`\\nthen the access token will not automatically expire and must be revoked or deleted manually at\\nthe service.\\n\\nIf this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored.\\nIf this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed\\nnormally.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--refresh-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `refreshTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the refresh token is not changed.\\n\"\n flag \"--refresh-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the refresh token when the scopes linked to the refresh token are changed by this request.\\n\"\n flag \"--token-id \" help=\"The token identifier.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an existing access token. The identifier is the value of the access token\\nor the value of the hash of the access token.\\n [required]\"\n }\n cmd \"revoke\" help=\"Revoke Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an access token to revoke\\n\\nThe hash of an access token is recognized as an identifier as well as the access token itself.\\n\"\n flag \"--refresh-token-identifier \" help=\"The identifier of a refresh token to revoke.\\n\\nThe hash of a refresh token is recognized as an identifier as well as the refresh token itself.\\n\"\n flag \"--client-identifier \" help=\"The client ID of the access token to be revoked.\\n\\nBoth the numeric client ID and the alias are recognized as an identifier\\nof a client.\\n\"\n flag \"--subject \" help=\"The subject of a resource owner.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "token management reissue-id-token": "cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. 
The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. {@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "token management rit": "cmd \"reissue-id-token\" help=\"Reissue ID Token\" {\n alias \"rit\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be (a) the value of the\\n\\\"`jwtAccessToken`\\\" parameter in a response from the\\n`/auth/token` API when the value is available, or (b)\\nthe value of the \\\"`accessToken`\\\" parameter in the\\nresponse from the `/auth/token` API when the value of\\nthe \\\"`jwtAccessToken`\\\" parameter is not available.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the\\n\\\"`refreshToken`\\\" parameter in a response from the\\n`/auth/token` API.\\n [required]\"\n flag \"--sub \" help=\"The value that should be used as the value of the \\\"`sub`\\\"\\nclaim of the ID token.\\nThis parameter is optional. 
When omitted, the value of the subject\\nassociated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of\\nthe ID token. The format is a JSON object.\\nThis parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the \\\"`aud`\\\" claim of the ID token being issued.\\nValid values of this parameter are as follows.\\n> | Value | Description |\\n> | --- | --- |\\n> | \\\"`array`\\\" | The type of the `aud` claim becomes an array of strings. |\\n> | \\\"`string`\\\" | The type of the `aud` claim becomes a single string. |\\nThis parameter is optional, and the default value on omission is\\n\\\"`array`\\\".\\nThis parameter takes precedence over the `idTokenAudType` property\\nof {@link Service} (cf. {@link Service#getIdTokenAudType()}).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "token management list": "cmd \"list\" help=\"List Issued Tokens\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--client-identifier \" help=\"Client Identifier (client ID or client ID alias).\\n\"\n flag \"--subject \" help=\"Unique user ID.\\n\"\n flag \"--start \" help=\"Start index of search results (inclusive). The default value is 0.\"\n flag \"--end \" help=\"End index of search results (exclusive). The default value is 5.\\n\"\n}\n", + "token management create": "cmd \"create\" help=\"Create Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--grant-type \" help=\"The grant type of the access token when the access token was created.\\n (options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE) [required]\"\n flag \"--client-id \" help=\"The ID of the client application which will be associated with a newly created access token.\\n\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the user who will be associated with a newly created access\\ntoken. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must\\nconsist of only ASCII characters and its length must not exceed 100.\\n\"\n flag \"--scopes \" help=\"The scopes which will be associated with a newly created access token. Scopes that are not supported\\nby the service cannot be specified and requesting them will cause an error.\\n\" var=#true\n flag \"--access-token-duration \" help=\"The duration of a newly created access token in seconds. If the value is 0, the duration is determined\\naccording to the settings of the service.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration of a newly created refresh token in seconds. If the value is 0, the duration is\\ndetermined according to the settings of the service.\\n\\nA refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the\\nspecified grant type is either `IMPLICIT`or `CLIENT_CREDENTIALS`.\\n\"\n flag \"--properties \" help=\"Extra properties to associate with a newly created access token. 
Note that properties parameter\\nis accepted only when the HTTP method of the request is POST and Content-Type of the request is\\n`application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want\\nto specify properties.\\n\"\n flag \"--client-id-alias-used\" help=\"A boolean request parameter which indicates whether to emulate that the client ID alias is used\\ninstead of the original numeric client ID when a new access token is created.\\n\"\n flag \"--access-token \" help=\"The value of the new access token.\\n\"\n flag \"--refresh-token \" help=\"The value of the new refresh token.\\n\"\n flag \"--access-token-persistent\" help=\"Get whether the access token expires or not. By default, all access tokens expire after a period\\nof time determined by their service.\\n\\nIf this request parameter is `true`, then the access token will not automatically expire and must\\nbe revoked or deleted manually at the service. If this request parameter is true, the `accessTokenDuration`\\nrequest parameter is ignored.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--resources \" help=\"The value of the resources to associate with the token. This property represents the value of\\none or more `resource` request parameters which is defined in \\\"RFC8707 Resource Indicators for\\nOAuth 2.0\\\".\\n\" var=#true\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication that the authorization server performed\\nduring the course of issuing the access token.\\n\"\n flag \"--auth-time \" help=\"The time when the user authentication was performed during the course of issuing the access token.\\n\"\n flag \"--client-entity-id-used\" help=\"Flag which indicates whether the entity ID of the client was used when the request for the access token was made.\\n\"\n flag \"--client-identifier \" help=\"The client Identifier associated with the newly issued access token.\\n\"\n flag \"--session-id \" help=\"The session ID, which is the ID of the user's authentication session, associated with a newly\\ncreated access token.\\n\"\n flag \"--metadata-document-used\" help=\"Flag indicating whether a metadata document was used to resolve client metadata for this request.\\n\\nWhen `true`, the client metadata was retrieved via the [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD) mechanism rather than from the Authlete database.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", + "token management update": "cmd \"update\" help=\"Update Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token.\\n\"\n flag \"--access-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the access token is not changed.\\n\"\n flag \"--scopes \" help=\"A new set of scopes assigned to the access token. Scopes that are not supported by the service\\nand those that the client application associated with the access token is not allowed to request\\nare ignored on the server side. If the `scopes` request parameter is not included in a request or\\nits value is `null`, the scopes of the access token are not changed. Note that `properties` parameter\\nis accepted only when `Content-Type` of the request is `application/json`, so don't use `application/x-www-form-urlencoded`\\nif you want to specify `properties`.\\n\" var=#true\n flag \"--properties \" help=\"A new set of properties assigned to the access token. If the `properties` request parameter is\\nnot included in a request or its value is null, the properties of the access token are not changed.\\n\"\n flag \"--access-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the access token when the scopes linked to the access token are changed by this request.\\n\"\n flag \"--access-token-hash \" help=\"The hash of the access token value. Used when the hash of the token is known (perhaps from lookup)\\nbut the value of the token itself is not. 
The value of the `accessToken` parameter takes precedence.\\n\"\n flag \"--access-token-value-updated\" help=\"A boolean request parameter which indicates whether to update the value of the access token in\\nthe data store. If this parameter is set to `true` then a new access token value is generated\\nby the server and returned in the response.\\n\"\n flag \"--access-token-persistent\" help=\"The flag which indicates whether the access token expires or not. By default, all access tokens\\nexpire after a period of time determined by their service. If this request parameter is `true`\\nthen the access token will not automatically expire and must be revoked or deleted manually at\\nthe service.\\n\\nIf this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored.\\nIf this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed\\nnormally.\\n\"\n flag \"--certificate-thumbprint \" help=\"The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate\\nwith the corresponding value MUST be presented with the access token when it is used by a client.\\nThe value of this property must be a SHA256 certificate thumbprint, base64url encoded.\\n\"\n flag \"--dpop-key-thumbprint \" help=\"The thumbprint of the public key used for DPoP presentation of this token. If this property is\\nset, a DPoP proof signed with the corresponding private key MUST be presented with the access\\ntoken when it is used by a client. Additionally, the token's `token_type` will be set to 'DPoP'.\\n\"\n flag \"--authorization-details \" help=\"The authorization details. 
This represents the value of the `authorization_details`\\nrequest parameter in the preceding device authorization request which is defined in\\n\\\"OAuth 2.0 Rich Authorization Requests\\\".\\n\"\n flag \"--for-external-attachment\" help=\"the flag which indicates whether the access token is for an external\\nattachment.\\n\"\n flag \"--refresh-token-expires-at \" help=\"A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).\\nIf the `refreshTokenExpiresAt` request parameter is not included in a request or its value is 0\\n(or negative), the expiration date of the refresh token is not changed.\\n\"\n flag \"--refresh-token-expires-at-updated-on-scope-update\" help=\"A boolean request parameter which indicates whether the API attempts to update the expiration\\ndate of the refresh token when the scopes linked to the refresh token are changed by this request.\\n\"\n flag \"--token-id \" help=\"The token identifier.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "token management delete": "cmd \"delete\" help=\"Delete Access Token\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an existing access token. The identifier is the value of the access token\\nor the value of the hash of the access token.\\n [required]\"\n}\n", + "token management revoke": "cmd \"revoke\" help=\"Revoke Access Token\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token-identifier \" help=\"The identifier of an access token to revoke\\n\\nThe hash of an access token is recognized as an identifier as well as the access token itself.\\n\"\n flag \"--refresh-token-identifier \" help=\"The identifier of a refresh token to revoke.\\n\\nThe hash of a refresh token is recognized as an identifier as well as the refresh token itself.\\n\"\n flag \"--client-identifier \" help=\"The client ID of the access token to be revoked.\\n\\nBoth the numeric client ID and the alias are recognized as an identifier\\nof a client.\\n\"\n flag \"--subject \" help=\"The subject of a resource owner.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "introspection": "cmd \"introspection\" help=\"Operations for introspection\" {\n cmd \"process\" help=\"Process Introspection Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token to introspect. [required]\"\n flag \"--scopes \" help=\"A string array listing names of scopes which the caller (= a protected resource endpoint of the\\nservice) requires. 
When the content type of the request from the service is `application/x-www-form-urlencoded`,\\nthe format of `scopes` is a space-separated list of scope names.\\n\\nIf this parameter is a non-empty array and if it contains a scope which is not covered by the\\naccess token,`action=FORBIDDEN` with `error=insufficient_scope` is returned from Authlete.\\n\" var=#true\n flag \"--subject \" help=\"A subject (= a user account managed by the service) whom the caller (= a protected resource\\nendpoint of the service) requires.\\n\\nIf this parameter is not `null` and if the value does not match the subject who is associated\\nwith the access token, `action=FORBIDDEN` with `error=invalid_request` is returned from Authlete.\\n\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--resources \" help=\"The resources specified by the `resource` request parameters in the token request. See \\\"Resource Indicators for OAuth 2.0\\\" for details.\\n\" var=#true\n flag \"--acr-values \" help=\"Authentication Context Class Reference values one of which the user authentication performed during the course\\nof issuing the access token must satisfy.\\n\" var=#true\n flag \"--max-age \" help=\"The maximum authentication age which is the maximum allowable elapsed time since the user authentication\\nwas performed during the course of issuing the access token.\\n\"\n flag \"--required-components \" help=\"HTTP Message Components required to be in the signature. If absent, defaults to [ \\\"@method\\\", \\\"@target-uri\\\", \\\"authorization\\\" ].\\n\" var=#true\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the resource request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/introspection` API checks if the DPoP proof JWT includes the expected\\n`nonce` value. 
In this case, the response from the `/auth/introspection` API will include the\\n`dpopNonce` response parameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the resource request contains a request body.\\n\\nWhen the resource request must comply with the HTTP message signing requirements defined in the\\nFAPI 2.0 Message Signing specification, the `\\\"content-digest\\\"` component identifier must be included\\nin the signature base of the HTTP message signature (see [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html))\\nif the resource request contains a request body.\\n\\nWhen this `requestBodyContained` parameter is set to `true`, Authlete checks whether `\\\"content-digest\\\"`\\nis included in the signature base, if the FAPI profile applies to the resource request.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"standard-process\" help=\"Process OAuth 2.0 Introspection Request\" {\n alias \"sp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"Request parameters which comply with the introspection request defined\\nin \\\"[2.1. Introspection Request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1)\\\" in\\nRFC 7662.\\n\\nThe implementation of the introspection endpoint of your authorization server will receive an\\nHTTP POST [[RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231)] request with parameters\\nin the `application/x-www-form-urlencoded` format. 
It is the entity body of the request that\\nAuthlete's `/api/auth/introspection/standard` API expects as the value of `parameters`.\\n [required]\"\n flag \"--with-hidden-properties\" help=\"Flag indicating whether to include hidden properties in the output.\\n\\nAuthlete has a mechanism whereby to associate arbitrary key-value pairs with an access token.\\nEach key-value pair has a hidden attribute. By default, key-value pairs whose hidden attribute\\nis set to `true` are not embedded in the standard introspection output.\\n\\nIf the `withHiddenProperties` request parameter is given and its value is `true`, `/api/auth/introspection/standard\\nAPI includes all the associated key-value pairs into the output regardless of the value of the\\nhidden attribute.\\n\"\n flag \"--rs-uri \" help=\"The URI of the resource server making the introspection request.\\n\\nIf the `rsUri` request parameter is given and the token has audience values, Authlete checks if\\nthe value of the `rsUri` request parameter is contained in the audience values. If not contained,\\nAuthlete generates an introspection response with the `active` property set to `false`.\\n\\nThe `rsUri` request parameter is required when the resource server requests a JWT introspection\\nresponse, i.e., when the value of the `httpAcceptHeader` request parameter is set to `\\\"application/token-introspection+jwt\\\"`.\\n\"\n flag \"--http-accept-header \" help=\"The value of the `HTTP Accept` header in the introspection request.\\n\\nIf the value of the `httpAcceptHeader` request parameter is `\\\"application/token-introspection+jwt\\\"`,\\nAuthlete generates a JWT introspection response. See \\\"[4. 
Requesting a JWT Response](https://www.rfc-editor.org/rfc/rfc9701.html#section-4)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\"\\nfor more details.\\n\"\n flag \"--introspection-sign-alg \" help=\"The JWS `alg` algorithm for signing the introspection response. This parameter corresponds to\\n`introspection_signed_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `RS256`.\\n\"\n flag \"--introspection-encryption-alg \" help=\"The JWE `alg` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nIf the `introspectionEncryptionAlg` request parameter is specified, Authlete generates a JWT\\nintrospection response encrypted with the algorithm by this property and the algorithm specified by\\nthe `introspectionEncryptionEnc` request parameter.\\n\"\n flag \"--introspection-encryption-enc \" help=\"The JWE `enc` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_enc` defined in \\\"[6. 
Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `A128CBC_HS256`.\\n\"\n flag \"--shared-key-for-sign \" help=\"The shared key for signing the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForSign` request parameter is required when the introspection response is requested\\nto be signed with a symmetric algorithm.\\n\"\n flag \"--shared-key-for-encryption \" help=\"The shared key for encrypting the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with a symmetric algorithm.\\n\"\n flag \"--public-key-for-encryption \" help=\"The public key for signing the introspection response with an asymmetric algorithm.\\n\\nThe `publicKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with an asymmetric algorithm.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "introspection process": "cmd \"process\" help=\"Process Introspection Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token to introspect. [required]\"\n flag \"--scopes \" help=\"A string array listing names of scopes which the caller (= a protected resource endpoint of the\\nservice) requires. 
When the content type of the request from the service is `application/x-www-form-urlencoded`,\\nthe format of `scopes` is a space-separated list of scope names.\\n\\nIf this parameter is a non-empty array and if it contains a scope which is not covered by the\\naccess token,`action=FORBIDDEN` with `error=insufficient_scope` is returned from Authlete.\\n\" var=#true\n flag \"--subject \" help=\"A subject (= a user account managed by the service) whom the caller (= a protected resource\\nendpoint of the service) requires.\\n\\nIf this parameter is not `null` and if the value does not match the subject who is associated\\nwith the access token, `action=FORBIDDEN` with `error=invalid_request` is returned from Authlete.\\n\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--resources \" help=\"The resources specified by the `resource` request parameters in the token request. See \\\"Resource Indicators for OAuth 2.0\\\" for details.\\n\" var=#true\n flag \"--acr-values \" help=\"Authentication Context Class Reference values one of which the user authentication performed during the course\\nof issuing the access token must satisfy.\\n\" var=#true\n flag \"--max-age \" help=\"The maximum authentication age which is the maximum allowable elapsed time since the user authentication\\nwas performed during the course of issuing the access token.\\n\"\n flag \"--required-components \" help=\"HTTP Message Components required to be in the signature. If absent, defaults to [ \\\"@method\\\", \\\"@target-uri\\\", \\\"authorization\\\" ].\\n\" var=#true\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the resource request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/introspection` API checks if the DPoP proof JWT includes the expected\\n`nonce` value. 
In this case, the response from the `/auth/introspection` API will include the\\n`dpopNonce` response parameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the resource request contains a request body.\\n\\nWhen the resource request must comply with the HTTP message signing requirements defined in the\\nFAPI 2.0 Message Signing specification, the `\\\"content-digest\\\"` component identifier must be included\\nin the signature base of the HTTP message signature (see [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html))\\nif the resource request contains a request body.\\n\\nWhen this `requestBodyContained` parameter is set to `true`, Authlete checks whether `\\\"content-digest\\\"`\\nis included in the signature base, if the FAPI profile applies to the resource request.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "introspection standard-process": "cmd \"standard-process\" help=\"Process OAuth 2.0 Introspection Request\" {\n alias \"sp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"Request parameters which comply with the introspection request defined\\nin \\\"[2.1. Introspection Request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1)\\\" in\\nRFC 7662.\\n\\nThe implementation of the introspection endpoint of your authorization server will receive an\\nHTTP POST [[RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231)] request with parameters\\nin the `application/x-www-form-urlencoded` format. 
It is the entity body of the request that\\nAuthlete's `/api/auth/introspection/standard` API expects as the value of `parameters`.\\n [required]\"\n flag \"--with-hidden-properties\" help=\"Flag indicating whether to include hidden properties in the output.\\n\\nAuthlete has a mechanism whereby to associate arbitrary key-value pairs with an access token.\\nEach key-value pair has a hidden attribute. By default, key-value pairs whose hidden attribute\\nis set to `true` are not embedded in the standard introspection output.\\n\\nIf the `withHiddenProperties` request parameter is given and its value is `true`, `/api/auth/introspection/standard\\nAPI includes all the associated key-value pairs into the output regardless of the value of the\\nhidden attribute.\\n\"\n flag \"--rs-uri \" help=\"The URI of the resource server making the introspection request.\\n\\nIf the `rsUri` request parameter is given and the token has audience values, Authlete checks if\\nthe value of the `rsUri` request parameter is contained in the audience values. If not contained,\\nAuthlete generates an introspection response with the `active` property set to `false`.\\n\\nThe `rsUri` request parameter is required when the resource server requests a JWT introspection\\nresponse, i.e., when the value of the `httpAcceptHeader` request parameter is set to `\\\"application/token-introspection+jwt\\\"`.\\n\"\n flag \"--http-accept-header \" help=\"The value of the `HTTP Accept` header in the introspection request.\\n\\nIf the value of the `httpAcceptHeader` request parameter is `\\\"application/token-introspection+jwt\\\"`,\\nAuthlete generates a JWT introspection response. See \\\"[4. 
Requesting a JWT Response](https://www.rfc-editor.org/rfc/rfc9701.html#section-4)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\"\\nfor more details.\\n\"\n flag \"--introspection-sign-alg \" help=\"The JWS `alg` algorithm for signing the introspection response. This parameter corresponds to\\n`introspection_signed_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `RS256`.\\n\"\n flag \"--introspection-encryption-alg \" help=\"The JWE `alg` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nIf the `introspectionEncryptionAlg` request parameter is specified, Authlete generates a JWT\\nintrospection response encrypted with the algorithm by this property and the algorithm specified by\\nthe `introspectionEncryptionEnc` request parameter.\\n\"\n flag \"--introspection-encryption-enc \" help=\"The JWE `enc` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_enc` defined in \\\"[6. 
Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `A128CBC_HS256`.\\n\"\n flag \"--shared-key-for-sign \" help=\"The shared key for signing the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForSign` request parameter is required when the introspection response is requested\\nto be signed with a symmetric algorithm.\\n\"\n flag \"--shared-key-for-encryption \" help=\"The shared key for encrypting the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with a symmetric algorithm.\\n\"\n flag \"--public-key-for-encryption \" help=\"The public key for signing the introspection response with an asymmetric algorithm.\\n\\nThe `publicKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with an asymmetric algorithm.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "introspection sp": "cmd \"standard-process\" help=\"Process OAuth 2.0 Introspection Request\" {\n alias \"sp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"Request parameters which comply with the introspection request defined\\nin \\\"[2.1. Introspection Request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1)\\\" in\\nRFC 7662.\\n\\nThe implementation of the introspection endpoint of your authorization server will receive an\\nHTTP POST [[RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231)] request with parameters\\nin the `application/x-www-form-urlencoded` format. 
It is the entity body of the request that\\nAuthlete's `/api/auth/introspection/standard` API expects as the value of `parameters`.\\n [required]\"\n flag \"--with-hidden-properties\" help=\"Flag indicating whether to include hidden properties in the output.\\n\\nAuthlete has a mechanism whereby to associate arbitrary key-value pairs with an access token.\\nEach key-value pair has a hidden attribute. By default, key-value pairs whose hidden attribute\\nis set to `true` are not embedded in the standard introspection output.\\n\\nIf the `withHiddenProperties` request parameter is given and its value is `true`, `/api/auth/introspection/standard\\nAPI includes all the associated key-value pairs into the output regardless of the value of the\\nhidden attribute.\\n\"\n flag \"--rs-uri \" help=\"The URI of the resource server making the introspection request.\\n\\nIf the `rsUri` request parameter is given and the token has audience values, Authlete checks if\\nthe value of the `rsUri` request parameter is contained in the audience values. If not contained,\\nAuthlete generates an introspection response with the `active` property set to `false`.\\n\\nThe `rsUri` request parameter is required when the resource server requests a JWT introspection\\nresponse, i.e., when the value of the `httpAcceptHeader` request parameter is set to `\\\"application/token-introspection+jwt\\\"`.\\n\"\n flag \"--http-accept-header \" help=\"The value of the `HTTP Accept` header in the introspection request.\\n\\nIf the value of the `httpAcceptHeader` request parameter is `\\\"application/token-introspection+jwt\\\"`,\\nAuthlete generates a JWT introspection response. See \\\"[4. 
Requesting a JWT Response](https://www.rfc-editor.org/rfc/rfc9701.html#section-4)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\"\\nfor more details.\\n\"\n flag \"--introspection-sign-alg \" help=\"The JWS `alg` algorithm for signing the introspection response. This parameter corresponds to\\n`introspection_signed_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `RS256`.\\n\"\n flag \"--introspection-encryption-alg \" help=\"The JWE `alg` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_alg` defined in \\\"[6. Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nIf the `introspectionEncryptionAlg` request parameter is specified, Authlete generates a JWT\\nintrospection response encrypted with the algorithm by this property and the algorithm specified by\\nthe `introspectionEncryptionEnc` request parameter.\\n\"\n flag \"--introspection-encryption-enc \" help=\"The JWE `enc` algorithm for encrypting the introspection response. This parameter corresponds\\nto `introspection_encrypted_response_enc` defined in \\\"[6. 
Client Metadata](https://www.rfc-editor.org/rfc/rfc9701.html#section-6)\\\"\\nof \\\"[RFC 9701: JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html)\\\".\\n\\nThe default value is `A128CBC_HS256`.\\n\"\n flag \"--shared-key-for-sign \" help=\"The shared key for signing the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForSign` request parameter is required when the introspection response is requested\\nto be signed with a symmetric algorithm.\\n\"\n flag \"--shared-key-for-encryption \" help=\"The shared key for encrypting the introspection response with a symmetric algorithm.\\n\\nThe `sharedKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with a symmetric algorithm.\\n\"\n flag \"--public-key-for-encryption \" help=\"The public key for signing the introspection response with an asymmetric algorithm.\\n\\nThe `publicKeyForEncryption` request parameter is required when the introspection response is\\nrequested to be encrypted with an asymmetric algorithm.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "revocation": "cmd \"revocation\" help=\"Operations for revocation\" {\n cmd \"process\" help=\"Process Revocation Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint\\n([RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)) of the authorization server implementation received from the\\nclient application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request\\nfrom the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports Basic Authentication\\nas a means of client authentication, and the request from the client application contains its client ID in\\n`Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the revocation endpoint.\\n\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop 
\" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "revocation process": "cmd \"process\" help=\"Process Revocation Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--parameters \" help=\"OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint\\n([RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)) of the authorization server implementation received from the\\nclient application.\\n\\nThe value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request\\nfrom the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports Basic Authentication\\nas a means of client authentication, and the request from the client application contains its client ID in\\n`Authorization` header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the revocation request from the client application.\\n\\nIf the revocation endpoint of the authorization server implementation supports basic authentication as a means of\\nclient authentication, and the request from the client application contained its client secret in `Authorization` header,\\nthe value should be extracted and set to this parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client 
application and the revocation endpoint.\\n\"\n flag \"--client-certificate-path \" help=\"The certificate path presented by the client during client authentication.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "userinfo": "cmd \"userinfo\" help=\"Operations for userinfo\" {\n cmd \"process\" help=\"Process UserInfo Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token.\\n [required]\"\n flag \"--client-certificate \" help=\"Client certificate used in the TLS connection established between the client application and the userinfo endpoint.\\n\\nThe value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to\\na client certificate when it was issued. 
See [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens]\\n(https://datatracker.ietf.org/doc/rfc8705/) for details about the specification of certificate-bound access tokens.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the user info endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the user info request. This field is used to validate the DPoP header.\\nIn normal cases, the value is either `GET` or `POST`.\\n\"\n flag \"--htu \" help=\"URL of the user info endpoint. This field is used to validate the DPoP header.\\n\\nIf this parameter is omitted, the `userInfoEndpoint` property of the service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. 
If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the userinfo request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/userinfo` API checks if the DPoP proof JWT includes the expected `nonce`\\nvalue. In this case, the response from the `/auth/userinfo` API will include the `dpopNonce` response\\nparameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the userinfo request contains a request body.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue UserInfo Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"The access token that has been passed to the userinfo endpoint by the client application. In other words,\\nthe access token which was contained in the userinfo request.\\n [required]\"\n flag \"--claims \" help=\"Claims in JSON format. As for the format, see [OpenID Connect Core 1.0, 5.1. Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).\\n\"\n flag \"--sub \" help=\"The value of the `sub` claim. If the value of this request parameter is not empty, it is used as the value of\\nthe `sub` claim. 
Otherwise, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--request-signature \" help=\"The Signature header value from the request.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "userinfo process": "cmd \"process\" help=\"Process UserInfo Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--token \" help=\"An access token.\\n [required]\"\n flag \"--client-certificate \" help=\"Client certificate used in the TLS connection established between the client application and the userinfo endpoint.\\n\\nThe value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to\\na client certificate when it was issued. See [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens]\\n(https://datatracker.ietf.org/doc/rfc8705/) for details about the specification of certificate-bound access tokens.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the user info endpoint.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htm \" help=\"HTTP method of the user info request. 
This field is used to validate the DPoP header.\\nIn normal cases, the value is either `GET` or `POST`.\\n\"\n flag \"--htu \" help=\"URL of the user info endpoint. This field is used to validate the DPoP header.\\n\\nIf this parameter is omitted, the `userInfoEndpoint` property of the service is used as the default value.\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--uri \" help=\"The full URL of the userinfo endpoint.\\n\"\n flag \"--message \" help=\"The HTTP message body of the request, if present.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--target-uri \" help=\"The target URI of the userinfo request, including the query part, if any.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to check if the DPoP proof JWT includes the expected `nonce` value.\\n\\nIf this request parameter is set to `true` or if the service's `dpopNonceRequired` property is\\nset to `true`, the `/auth/userinfo` API checks if the DPoP proof JWT includes the expected `nonce`\\nvalue. In this case, the response from the `/auth/userinfo` API will include the `dpopNonce` response\\nparameter, which should be used as the value of the DPoP-Nonce HTTP header.\\n\"\n flag \"--request-body-contained\" help=\"The flag indicating whether the userinfo request contains a request body.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "userinfo issue": "cmd \"issue\" help=\"Issue UserInfo Response\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--token \" help=\"The access token that has been passed to the userinfo endpoint by the client application. In other words,\\nthe access token which was contained in the userinfo request.\\n [required]\"\n flag \"--claims \" help=\"Claims in JSON format. As for the format, see [OpenID Connect Core 1.0, 5.1. Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).\\n\"\n flag \"--sub \" help=\"The value of the `sub` claim. If the value of this request parameter is not empty, it is used as the value of\\nthe `sub` claim. Otherwise, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims-for-tx \" help=\"Claim key-value pairs that are used to compute transformed claims.\\n\"\n flag \"--request-signature \" help=\"The Signature header value from the request.\\n\"\n flag \"--headers \" help=\"HTTP headers to be included in processing the signature. If this is a signed request, this must include the\\nSignature and Signature-Input headers, as well as any additional headers covered by the signature.\\n\"\n flag \"--verified-claims-for-tx \" help=\"Values of verified claims requested indirectly by \\\"transformed claims\\\".\\n\" var=#true\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "grant-management": "cmd \"grant-management\" help=\"Operations for grant-management\" {\n alias \"gm\"\n cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "gm": "cmd \"grant-management\" help=\"Operations for grant-management\" {\n alias \"gm\"\n cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "grant-management process-request": "cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. 
This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "grant-management pr": "cmd \"process-request\" help=\"Process Grant Management Request\" {\n alias \"pr\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"An access token to introspect.\"\n flag \"--client-certificate \" help=\"Client certificate in PEM format, used to validate binding against access tokens using the TLS\\nclient certificate confirmation method.\\n\"\n flag \"--dpop \" help=\"`DPoP` header presented by the client during the request to the resource server.\\n\\nThe header contains a signed JWT which includes the public key that is paired with the private\\nkey used to sign the JWT. 
See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application\\nLayer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) for details.\\n\"\n flag \"--htm \" help=\"HTTP method of the request from the client to the protected resource endpoint. This field is\\nused to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--htu \" help=\"URL of the protected resource endpoint. This field is used to validate the `DPoP` header.\\n\\nSee [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)\\nfor details.\\n\"\n flag \"--gm-action \" help=\"The grant management action of the device authorization request.\\n\\nThe `grant_management_action` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).\\n (options: CREATE, QUERY, REPLACE, REVOKE, MERGE)\"\n flag \"--grant-id \" help=\"The value of the `grant_id` request parameter of the device authorization request.\\n\\nThe `grant_id` request parameter is defined in\\n[Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html)\\n, which is supported by Authlete 2.3 and newer versions.\\n\"\n flag \"--dpop-nonce-required\" help=\"The flag indicating whether to require the DPoP proof JWT to include the `nonce` claim. Even if\\nthe service's `dpopNonceRequired` property is `false`, calling the `/auth/gm` API with this\\n`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof\\nJWT includes the expected `nonce` value.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", + "JWK-set-endpoint": "cmd \"JWK-set-endpoint\" help=\"API endpoints for to generate JSON Web Key Set (JWKS) for a service\" {\n alias \"Jse\"\n cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n }\n}\n", + "Jse": "cmd \"JWK-set-endpoint\" help=\"API endpoints for to generate JSON Web Key Set (JWKS) for a service\" {\n alias \"Jse\"\n cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n }\n}\n", + "JWK-set-endpoint service-jwks-get-api": "cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. 
The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n}\n", + "JWK-set-endpoint sjga": "cmd \"service-jwks-get-api\" help=\"Get JWK Set\" {\n alias \"sjga\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--include-private-keys\" help=\"The boolean value that indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is `false`.\"\n flag \"--pretty\" help=\"This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is `false`.\"\n}\n", + "dynamic-client-registration": "cmd \"dynamic-client-registration\" help=\"Operations for dynamic-client-registration\" {\n alias \"dcr\"\n cmd \"register\" help=\"Register Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n}\n", + "dcr": "cmd \"dynamic-client-registration\" help=\"Operations for dynamic-client-registration\" {\n alias \"dcr\"\n cmd \"register\" help=\"Register Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. 
Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "dynamic-client-registration register": "cmd \"register\" help=\"Register Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "dynamic-client-registration get": "cmd \"get\" help=\"Get Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. 
Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "dynamic-client-registration update": "cmd \"update\" help=\"Update Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n [required]\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "dynamic-client-registration delete": "cmd \"delete\" help=\"Delete Client\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--json \" help=\"Client metadata in JSON format that complies with [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591)\\n(OAuth 2.0 Dynamic Client Registration Protocol).\\n\"\n flag \"--token \" help=\"The client registration access token. Used only for GET, UPDATE, and DELETE requests.\\n [required]\"\n flag \"--client-id \" help=\"The client's identifier. Used for GET, UPDATE, and DELETE requests\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "ciba": "cmd \"ciba\" help=\"Operations for ciba\" {\n cmd \"process-authentication\" help=\"Process Backchannel Authentication Request\" {\n alias \"pa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a backchannel authentication request which are the request parameters that the\\nbackchannel authentication endpoint of the OpenID provider implementation received from the client\\napplication.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the backchannel authentication request from\\nthe client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client ID in Authorization header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from Authorization header of the backchannel authentication request\\nfrom the client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in Authorization header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certification used in the TLS connection between the client application and the\\nbackchannel authentication endpoint of the OpenID provider.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Backchannel Authentication Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"fail\" help=\"Fail Backchannel Authentication Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket which should be deleted on a call of Authlete's `/backchannel/authentication/fail` API.\\nThis request parameter is not mandatory but optional. If this request parameter is given and the\\nticket belongs to the service, the specified ticket is deleted from the database. 
Giving this\\nparameter is recommended to clean up the storage area for the service.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the backchannel authentication request. This request parameter is\\nnot mandatory but optional. However, giving this parameter is recommended. If omitted, `SERVER_ERROR`\\nis used as a reason.\\n (options: ACCESS_DENIED, EXPIRED_LOGIN_HINT_TOKEN, INVALID_BINDING_MESSAGE, INVALID_TARGET, INVALID_USER_CODE, MISSING_USER_CODE, SERVER_ERROR, UNAUTHORIZED_CLIENT, UNKNOWN_USER_ID) [required]\"\n flag \"--error-description \" help=\"The description of the error. This corresponds to the `error_description` property in the response\\nto the client.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. If this optional request parameter\\nis given, its value is used as the value of the `error_uri` property.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Backchannel Authentication\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued by Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. 
Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original backchannel authentication request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "ciba process-authentication": "cmd \"process-authentication\" help=\"Process Backchannel Authentication Request\" {\n alias \"pa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a backchannel authentication request which are the request parameters that the\\nbackchannel authentication endpoint of the OpenID provider implementation received from the client\\napplication.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the backchannel authentication request from\\nthe client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client ID in Authorization header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from Authorization header of the backchannel authentication request\\nfrom the client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in Authorization header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certification used in the TLS connection between the client application and the\\nbackchannel authentication endpoint of the OpenID provider.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "ciba pa": "cmd \"process-authentication\" help=\"Process Backchannel Authentication Request\" {\n alias \"pa\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a backchannel authentication request which are the request parameters that the\\nbackchannel authentication endpoint of the OpenID provider implementation received from the client\\napplication.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the backchannel authentication request from\\nthe client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client ID in Authorization header, the value should be extracted and set to this parameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from Authorization header of the backchannel authentication request\\nfrom the client application.\\n\\nIf the backchannel authentication endpoint of the OpenID provider implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in Authorization header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certification used in the TLS connection between the client application and the\\nbackchannel authentication endpoint of the OpenID provider.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "ciba issue": "cmd \"issue\" help=\"Issue Backchannel Authentication Response\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued from Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "ciba fail": "cmd \"fail\" help=\"Fail Backchannel Authentication Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket which should be deleted on a call of Authlete's `/backchannel/authentication/fail` API.\\nThis request parameter is not mandatory but optional. If this request parameter is given and the\\nticket belongs to the service, the specified ticket is deleted from the database. 
Giving this\\nparameter is recommended to clean up the storage area for the service.\\n [required]\"\n flag \"--reason \" help=\"The reason of the failure of the backchannel authentication request. This request parameter is\\nnot mandatory but optional. However, giving this parameter is recommended. If omitted, `SERVER_ERROR`\\nis used as a reason.\\n (options: ACCESS_DENIED, EXPIRED_LOGIN_HINT_TOKEN, INVALID_BINDING_MESSAGE, INVALID_TARGET, INVALID_USER_CODE, MISSING_USER_CODE, SERVER_ERROR, UNAUTHORIZED_CLIENT, UNKNOWN_USER_ID) [required]\"\n flag \"--error-description \" help=\"The description of the error. This corresponds to the `error_description` property in the response\\nto the client.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. If this optional request parameter\\nis given, its value is used as the value of the `error_uri` property.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "ciba complete": "cmd \"complete\" help=\"Complete Backchannel Authentication\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--ticket \" help=\"The ticket issued by Authlete's `/backchannel/authentication` API.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. 
Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original backchannel authentication request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token \" help=\"The representation of an access token that may be issued as a result of the Authlete API call.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. 
In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "device-flow": "cmd \"device-flow\" help=\"Operations for device-flow\" {\n alias \"df\"\n cmd \"authorization\" help=\"Process Device Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a device authorization request which are the request parameters that the device\\nauthorization endpoint of the authorization server implementation received from the client application.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the device authorization request from the\\nclient application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\n`Authentication` as a means of client authentication, and the request from the client application\\ncontained its client ID in `Authorization` header, the value should be extracted and set to this\\nparameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the device authorization request from\\nthe client application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in `Authorization` header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the device\\nauthorization endpoint of the authorization server.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"verification\" help=\"Process Device Verification Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Device Authorization\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. 
Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original device authorization request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. 
This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "df": "cmd \"device-flow\" help=\"Operations for device-flow\" {\n alias \"df\"\n cmd \"authorization\" help=\"Process Device Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a device authorization request which are the request parameters that the device\\nauthorization endpoint of the authorization server implementation received from the client application.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the device authorization request from the\\nclient application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\n`Authentication` as a means of client authentication, and the request from the client application\\ncontained its client ID in `Authorization` header, the value should be extracted and set to this\\nparameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the device authorization request from\\nthe client application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in `Authorization` header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the device\\nauthorization endpoint of the authorization server.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"verification\" help=\"Process Device Verification Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"complete\" help=\"Complete Device Authorization\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. 
Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original device authorization request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. 
This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "device-flow authorization": "cmd \"authorization\" help=\"Process Device Authorization Request\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--parameters \" help=\"Parameters of a device authorization request which are the request parameters that the device\\nauthorization endpoint of the authorization server implementation received from the client application.\\n\\nThe value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`)\\nof the request from the client application.\\n [required]\"\n flag \"--client-id \" help=\"The client ID extracted from Authorization header of the device authorization request from the\\nclient application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\n`Authentication` as a means of client authentication, and the request from the client application\\ncontained its client ID in `Authorization` header, the value should be extracted and set to this\\nparameter.\\n\"\n flag \"--client-secret \" help=\"The client secret extracted from `Authorization` header of the device authorization request from\\nthe client application.\\n\\nIf the device authorization endpoint of the authorization server implementation supports Basic\\nAuthentication as a means of client authentication, and the request from the client application\\ncontained its client secret in `Authorization` header, the value should be extracted and set to\\nthis parameter.\\n\"\n flag \"--client-certificate \" help=\"The client certificate used in the TLS connection between the client application and the device\\nauthorization endpoint of the authorization server.\\n\"\n flag \"--client-certificate-path \" help=\"The client certificate path presented by the client during client authentication. 
Each element\\nis a string in PEM format.\\n\" var=#true\n flag \"--oauth-client-attestation \" help=\"The value of the `OAuth-Client-Attestation` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--oauth-client-attestation-pop \" help=\"The value of the `OAuth-Client-Attestation-PoP` HTTP header, which is defined in the specification\\nof [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).\\n\"\n flag \"--cimd-options \" help=\"Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).\\n\\nThese options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "device-flow verification": "cmd \"verification\" help=\"Process Device Verification Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "device-flow complete": "cmd \"complete\" help=\"Complete Device Authorization\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--user-code \" help=\"A user code.\\n [required]\"\n flag \"--result \" help=\"The result of the end-user authentication and authorization. One of the following. 
Details are\\ndescribed in the description.\\n (options: TRANSACTION_FAILED, ACCESS_DENIED, AUTHORIZED) [required]\"\n flag \"--subject \" help=\"The subject (= unique identifier) of the end-user.\\n [required]\"\n flag \"--sub \" help=\"The value of the sub claim that should be used in the ID token.\\n\"\n flag \"--auth-time \" help=\"The time at which the end-user was authenticated. Its value is the number of seconds from `1970-01-01`.\\n\"\n flag \"--acr \" help=\"The reference of the authentication context class which the end-user authentication satisfied.\\n\"\n flag \"--claims \" help=\"Additional claims which will be embedded in the ID token.\\n\"\n flag \"--properties \" help=\"The extra properties associated with the access token.\\n\"\n flag \"--scopes \" help=\"Scopes to replace the scopes specified in the original device authorization request with.\\nWhen nothing is specified for this parameter, replacement is not performed.\\n\" var=#true\n flag \"--error-description \" help=\"The description of the error. If this optional request parameter is given, its value is used as\\nthe value of the `error_description` property, but it is used only when the result is not `AUTHORIZED`.\\nTo comply with the specification strictly, the description must not include characters outside\\nthe set `%x20-21 / %x23-5B / %x5D-7E`.\\n\"\n flag \"--error-uri \" help=\"The URI of a document which describes the error in detail. 
This corresponds to the `error_uri`\\nproperty in the response to the client.\\n\"\n flag \"--idt-header-params \" help=\"JSON that represents additional JWS header parameters for ID tokens.\\n\"\n flag \"--consented-claims \" help=\"the claims that the user has consented for the client application\\nto know.\\n\" var=#true\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT access token.\\n\"\n flag \"--access-token-duration \" help=\"The duration (in seconds) of the access token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the access\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--refresh-token-duration \" help=\"The duration (in seconds) of the refresh token that may be issued as a result of the Authlete\\nAPI call.\\n\\nWhen this request parameter holds a positive integer, it is used as the duration of the refresh\\ntoken in. In other cases, this request parameter is ignored.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values are as follows.\\n\\n| Value | Description |\\n| ----- | ----------- |\\n| \\\"array\\\" | The type of the aud claim is always an array of strings. |\\n| \\\"string\\\" | The type of the aud claim is always a single string. |\\n| null | The type of the aud claim remains the same as before. |\\n\\nThis request parameter takes precedence over the `idTokenAudType` property of the service.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "jose-object": "cmd \"jose-object\" help=\"API endpoints for JOSE objects\" {\n alias \"jo\"\n cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "jo": "cmd \"jose-object\" help=\"API endpoints for JOSE objects\" {\n alias \"jo\"\n cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "jose-object jose-verify-api": "cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "jose-object jva": "cmd \"jose-verify-api\" help=\"Verify JOSE\" {\n alias \"jva\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--jose \" help=\"A JOSE object.\\n [required]\"\n flag \"--mandatory-claims \" help=\"Mandatory claims that are required to be included in the JOSE object.\\n\" var=#true\n flag \"--clock-skew \" help=\"Allowable clock skew in seconds.\\n\"\n flag \"--client-identifier \" help=\"The identifier of the client application whose keys are required for verification of the JOSE\\nobject.\\n\"\n flag \"--signed-by-client\" help=\"The flag which indicates whether the signature of the JOSE object has been signed by a client\\napplication with the client's private key or a shared symmetric key.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "federation": "cmd \"federation\" help=\"Operations for federation\" {\n cmd \"configuration\" help=\"Process Entity Configuration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--body-param \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"registration\" help=\"Process Federation Registration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--entity-configuration \" help=\"The entity configuration of a relying party.\\n\"\n flag \"--trust-chain \" help=\"The trust chain of a relying party.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "federation configuration": "cmd \"configuration\" help=\"Process Entity Configuration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--body-param \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "federation registration": "cmd \"registration\" help=\"Process Federation Registration Request\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--entity-configuration \" help=\"The entity configuration of a relying party.\\n\"\n flag \"--trust-chain \" help=\"The trust chain of a relying party.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "hardware-security-keys": "cmd \"hardware-security-keys\" help=\"Operations for hardware-security-keys\" {\n alias \"hsk\"\n cmd \"create\" help=\"Create Security Key\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--kty \" help=\"The key type (EC or RSA)\\n\"\n flag \"--use \" help=\"The key on the HSM.\\nWhen the key use is \\\"sig\\\" (signature), the private key on the HSM is used to sign data and the corresponding public key is used to verify the signature.\\nWhen the key use is \\\"enc\\\" (encryption), the private key on the HSM is used to decrypt encrypted data which have been encrypted with the corresponding public key\\n\"\n flag \"--kid \" help=\"Key ID for the key on the HSM.\\n\"\n flag \"--hsm-name \" help=\"The name of the HSM.\\nThe identifier for the HSM that sits behind the Authlete server. For example, \\\"google\\\".\\n\"\n flag \"--alg \" help=\"The algorithm of the key on the HSM. When the key use is `\\\"sig\\\"`, the algorithm represents a signing\\nalgorithm such as `\\\"ES256\\\"`. When the key use is `\\\"enc\\\"`, the algorithm represents an encryption\\nalgorithm such as `\\\"RSA-OAEP-256\\\"`.\\n\\nIt is rare that HSMs support all the algorithms listed in [RFC 7518 JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518.html).\\nWhen the specified algorithm is not supported by the HSM, the request to the `/hsk/create` API\\nfails.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"get\" help=\"Get Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"list\" help=\"List Security Keys\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n}\n", + "hsk": "cmd \"hardware-security-keys\" help=\"Operations for hardware-security-keys\" {\n alias \"hsk\"\n cmd \"create\" help=\"Create Security Key\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--kty \" help=\"The key type (EC or RSA)\\n\"\n flag \"--use \" help=\"The key on the HSM.\\nWhen the key use is \\\"sig\\\" (signature), the private key on the HSM is used to sign data and the corresponding public key is used to verify the signature.\\nWhen the key use is \\\"enc\\\" (encryption), the private key on the HSM is used to decrypt encrypted data which have been encrypted with the corresponding public key\\n\"\n flag \"--kid \" help=\"Key ID for the key on the HSM.\\n\"\n flag \"--hsm-name \" help=\"The name of the HSM.\\nThe identifier for the HSM that sits behind the Authlete server. For example, \\\"google\\\".\\n\"\n flag \"--alg \" help=\"The algorithm of the key on the HSM. When the key use is `\\\"sig\\\"`, the algorithm represents a signing\\nalgorithm such as `\\\"ES256\\\"`. When the key use is `\\\"enc\\\"`, the algorithm represents an encryption\\nalgorithm such as `\\\"RSA-OAEP-256\\\"`.\\n\\nIt is rare that HSMs support all the algorithms listed in [RFC 7518 JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518.html).\\nWhen the specified algorithm is not supported by the HSM, the request to the `/hsk/create` API\\nfails.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"delete\" help=\"Delete Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"get\" help=\"Get Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n }\n cmd \"list\" help=\"List Security Keys\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n }\n}\n", + "hardware-security-keys create": "cmd \"create\" help=\"Create Security Key\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--kty \" help=\"The key type (EC or RSA)\\n\"\n flag \"--use \" help=\"The key on the HSM.\\nWhen the key use is \\\"sig\\\" (signature), the private key on the HSM is used to sign data and the corresponding public key is used to verify the signature.\\nWhen the key use is \\\"enc\\\" (encryption), the private key on the HSM is used to decrypt encrypted data which have been encrypted with the corresponding public key\\n\"\n flag \"--kid \" help=\"Key ID for the key on the HSM.\\n\"\n flag \"--hsm-name \" help=\"The name of the HSM.\\nThe identifier for the HSM that sits behind the Authlete server. For example, \\\"google\\\".\\n\"\n flag \"--alg \" help=\"The algorithm of the key on the HSM. When the key use is `\\\"sig\\\"`, the algorithm represents a signing\\nalgorithm such as `\\\"ES256\\\"`. When the key use is `\\\"enc\\\"`, the algorithm represents an encryption\\nalgorithm such as `\\\"RSA-OAEP-256\\\"`.\\n\\nIt is rare that HSMs support all the algorithms listed in [RFC 7518 JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518.html).\\nWhen the specified algorithm is not supported by the HSM, the request to the `/hsk/create` API\\nfails.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "hardware-security-keys delete": "cmd \"delete\" help=\"Delete Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n}\n", + "hardware-security-keys get": "cmd \"get\" help=\"Get Security Key\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--handle \" help=\"[required]\"\n}\n", + "hardware-security-keys list": "cmd \"list\" help=\"List Security Keys\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n}\n", + "verifiable-credentials": "cmd \"verifiable-credentials\" help=\"Operations for verifiable-credentials\" {\n alias \"vc\"\n cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"parse\" help=\"Parse Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "vc": "cmd \"verifiable-credentials\" help=\"Operations for verifiable-credentials\" {\n alias \"vc\"\n cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n }\n cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"parse\" help=\"Parse Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"issue\" help=\"Issue Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "verifiable-credentials get-metadata": "cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials gm": "cmd \"get-metadata\" help=\"Get Verifiable Credential Issuer Metadata\" {\n alias \"gm\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", + "verifiable-credentials get-jwt-issuer": "cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials gji": "cmd \"get-jwt-issuer\" help=\"Get JWT Issuer Information\" {\n alias \"gji\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials get-jwks": "cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials gj": "cmd \"get-jwks\" help=\"Get JSON Web Key Set\" {\n alias \"gj\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--pretty\" help=\"The flag indicating whether the metadata is written in the pretty\\nformat or not.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials create-offer": "cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials co": "cmd \"create-offer\" help=\"Create Credential Offer\" {\n alias \"co\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--authorization-code-grant-included\" help=\"The flag indicating whether the `authorization_code` object is\\nincluded in the `grants` object.\\n\"\n flag \"--issuer-state-included\" help=\"The flag indicating whether the `issuer_state` property is\\nincluded in the `authorization_code` object in the `grants`\\nobject.\\n\"\n flag \"--pre-authorized-code-grant-included\" help=\"The flag to include the\\n`urn:ietf:params:oauth:grant-type:pre-authorized_code` object\\nin the `grants` object.\\n\"\n flag \"--subject \" help=\"The subject associated with the credential offer.\"\n flag \"--duration \" help=\"The duration of the credential offer.\"\n flag \"--context \" help=\"The general-purpose arbitrary string.\"\n flag \"--properties \" help=\"Extra properties to associate with the credential offer.\"\n flag \"--jwt-at-claims \" help=\"Additional claims that are added to the payload part of the JWT\\naccess token.\\n\"\n flag \"--auth-time \" help=\"The time at which the user authentication was performed during\\nthe course of issuing the credential offer.\\n\"\n flag \"--acr \" help=\"The Authentication Context Class Reference of the user authentication\\nperformed during the course of issuing the credential offer.\\n\"\n flag \"--credential-configuration-ids \" help=\"The value of the `credential_configuration_ids` array.\\n\" var=#true\n flag \"--tx-code \" help=\"The transaction code that should be associated with the credential offer.\\n\"\n flag \"--tx-code-input-mode \" help=\"The input mode of the transaction code.\\n\"\n flag \"--tx-code-description \" help=\"The description of the transaction code.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials get-offer-info": "cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials goi": "cmd \"get-offer-info\" help=\"Get Credential Offer Information\" {\n alias \"goi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--identifier \" help=\"The identifier of the credential offer.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials parse": "cmd \"parse\" help=\"Parse Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials issue": "cmd \"issue\" help=\"Issue Single Credential\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials batch-parse": "cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", + "verifiable-credentials bp": "cmd \"batch-parse\" help=\"Parse Batch Credentials\" {\n alias \"bp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--request-content \" help=\"The message body of the batch credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials batch-issue": "cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials bi": "cmd \"batch-issue\" help=\"Issue Batch Credentials\" {\n alias \"bi\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the credential request.\"\n flag \"--orders \" help=\"The instructions for issuance of credentials and/or transaction IDs.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials deferred-parse": "cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). 
Can also be provided via stdin.\"\n}\n", + "verifiable-credentials dp": "cmd \"deferred-parse\" help=\"Parse Deferred Credential\" {\n alias \"dp\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The access token that came along with the deferred credential request.\"\n flag \"--request-content \" help=\"The message body of the deferred credential request.\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials deferred-issue": "cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "verifiable-credentials di": "cmd \"deferred-issue\" help=\"Issue Deferred Credential\" {\n alias \"di\"\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--order \" help=\"JSON object\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "lifecycle": "cmd \"lifecycle\" help=\"Operations for lifecycle\" {\n cmd \"get-api-lifecycle-healthcheck\" help=\"Health Check\" {\n alias \"galh\"\n flag \"--extended\" help=\"If `true`, perform extended health checks (e.g. database connectivity).\\n\"\n }\n}\n", + "lifecycle get-api-lifecycle-healthcheck": "cmd \"get-api-lifecycle-healthcheck\" help=\"Health Check\" {\n alias \"galh\"\n flag \"--extended\" help=\"If `true`, perform extended health checks (e.g. database connectivity).\\n\"\n}\n", + "lifecycle galh": "cmd \"get-api-lifecycle-healthcheck\" help=\"Health Check\" {\n alias \"galh\"\n flag \"--extended\" help=\"If `true`, perform extended health checks (e.g. 
database connectivity).\\n\"\n}\n", + "native-sso": "cmd \"native-sso\" help=\"Operations for native-sso\" {\n alias \"ns\"\n cmd \"process\" help=\"Native SSO Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be: (a) the value of the `jwtAccessToken` parameter in a response\\nfrom the `/auth/token` API when the value is available, or (b) the value of the `accessToken`\\nparameter in the response from the `/auth/token` API when the `jwtAccessToken` parameter is not\\navailable.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the `refreshToken` parameter in a response\\nfrom the `/auth/token` API.\\n\"\n flag \"--sub \" help=\"The value that should be used as the value of the `sub` claim of the ID token. This parameter\\nis optional. When omitted, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of the ID token. The format is a\\nJSON object. This parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of the ID token. The format is\\na JSON object. This parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values of this parameter are\\nas follows:\\n\"\n flag \"--device-secret \" help=\"The device secret. The value of this parameter should be the value of the `deviceSecret` parameter\\nin the response from the `/auth/token` API, if the parameter is present. Otherwise, the authorization\\nserver should generate a new device secret and specify it as the value of this parameter.\\n [required]\"\n flag \"--device-secret-hash \" help=\"The device secret hash. 
The specified device secret hash is included as the value of the `ds_hash`\\nclaim in the ID token generated by the `/nativesso` API. If the `deviceSecretHash` request parameter\\nis omitted, the value of the `deviceSecret` request parameter is used to compute the hash.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"logout\" help=\"Native SSO Logout Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--session-id \" help=\"The session ID of a user's authentication session.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "ns": "cmd \"native-sso\" help=\"Operations for native-sso\" {\n alias \"ns\"\n cmd \"process\" help=\"Native SSO Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--access-token \" help=\"The value of this parameter should be: (a) the value of the `jwtAccessToken` parameter in a response\\nfrom the `/auth/token` API when the value is available, or (b) the value of the `accessToken`\\nparameter in the response from the `/auth/token` API when the `jwtAccessToken` parameter is not\\navailable.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the `refreshToken` parameter in a response\\nfrom the `/auth/token` API.\\n\"\n flag \"--sub \" help=\"The value that should be used as the value of the `sub` claim of the ID token. This parameter\\nis optional. When omitted, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of the ID token. The format is a\\nJSON object. This parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of the ID token. The format is\\na JSON object. 
This parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values of this parameter are\\nas follows:\\n\"\n flag \"--device-secret \" help=\"The device secret. The value of this parameter should be the value of the `deviceSecret` parameter\\nin the response from the `/auth/token` API, if the parameter is present. Otherwise, the authorization\\nserver should generate a new device secret and specify it as the value of this parameter.\\n [required]\"\n flag \"--device-secret-hash \" help=\"The device secret hash. The specified device secret hash is included as the value of the `ds_hash`\\nclaim in the ID token generated by the `/nativesso` API. If the `deviceSecretHash` request parameter\\nis omitted, the value of the `deviceSecret` request parameter is used to compute the hash.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n cmd \"logout\" help=\"Native SSO Logout Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--session-id \" help=\"The session ID of a user's authentication session.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n }\n}\n", + "native-sso process": "cmd \"process\" help=\"Native SSO Processing\" {\n flag \"--service-id \" help=\"A service ID. 
[required]\"\n flag \"--access-token \" help=\"The value of this parameter should be: (a) the value of the `jwtAccessToken` parameter in a response\\nfrom the `/auth/token` API when the value is available, or (b) the value of the `accessToken`\\nparameter in the response from the `/auth/token` API when the `jwtAccessToken` parameter is not\\navailable.\\n [required]\"\n flag \"--refresh-token \" help=\"The value of this parameter should be the value of the `refreshToken` parameter in a response\\nfrom the `/auth/token` API.\\n\"\n flag \"--sub \" help=\"The value that should be used as the value of the `sub` claim of the ID token. This parameter\\nis optional. When omitted, the value of the subject associated with the access token is used.\\n\"\n flag \"--claims \" help=\"Additional claims that should be embedded in the payload part of the ID token. The format is a\\nJSON object. This parameter is optional.\\n\"\n flag \"--idt-header-params \" help=\"Additional parameters that should be embedded in the JWS header of the ID token. The format is\\na JSON object. This parameter is optional.\\n\"\n flag \"--id-token-aud-type \" help=\"The type of the `aud` claim of the ID token being issued. Valid values of this parameter are\\nas follows:\\n\"\n flag \"--device-secret \" help=\"The device secret. The value of this parameter should be the value of the `deviceSecret` parameter\\nin the response from the `/auth/token` API, if the parameter is present. Otherwise, the authorization\\nserver should generate a new device secret and specify it as the value of this parameter.\\n [required]\"\n flag \"--device-secret-hash \" help=\"The device secret hash. The specified device secret hash is included as the value of the `ds_hash`\\nclaim in the ID token generated by the `/nativesso` API. 
If the `deviceSecretHash` request parameter\\nis omitted, the value of the `deviceSecret` request parameter is used to compute the hash.\\n\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "native-sso logout": "cmd \"logout\" help=\"Native SSO Logout Processing\" {\n flag \"--service-id \" help=\"A service ID. [required]\"\n flag \"--session-id \" help=\"The session ID of a user's authentication session.\\n [required]\"\n flag \"--body \" help=\"Request body as JSON (alternative to individual flags). Can also be provided via stdin.\"\n}\n", + "configure": "cmd \"configure\" help=\"Configure authentication credentials and preferences\"\n", + "whoami": "cmd \"whoami\" help=\"Display current authentication configuration\"\n", + "version": "cmd \"version\" help=\"Print the CLI version\"\n", } func UsageRequested(cmd *cobra.Command) bool {