docs/api.swagger.json

{
  "consumes": [
    "application/json",
    "application/x-www-form-urlencoded"
  ],
  "produces": [
    "application/json"
  ],
  "schemes": [
    "http",
    "https"
  ],
  "swagger": "2.0",
  "info": {
    "description": "Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. Keep in mind that this document reflects the latest branch, always. Support for versioned documentation is coming in the future.",
    "title": "ORY Hydra - Cloud Native OAuth 2.0 and OpenID Connect Server",
    "contact": {
      "name": "ORY",
      "url": "https://www.ory.sh",
      "email": "hi@ory.am"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "https://github.com/ory/hydra/blob/master/LICENSE"
    },
    "version": "Latest"
  },
  "basePath": "/",
  "paths": {
    "/.well-known/jwks.json": {
      "get": {
        "description": "Returns metadata for discovering important JSON Web Keys. Currently, this endpoint returns the public key for verifying OpenID Connect ID Tokens.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Get Well-Known JSON Web Keys",
        "operationId": "wellKnown",
        "responses": {
          "200": {
            "description": "jsonWebKeySet",
            "schema": {
              "$ref": "#/definitions/jsonWebKeySet"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/.well-known/openid-configuration": {
      "get": {
        "description": "The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll\nyour own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this\nflow at https://openid.net/specs/openid-connect-discovery-1_0.html",
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Server well known configuration",
        "operationId": "getWellKnown",
        "responses": {
          "200": {
            "description": "wellKnown",
            "schema": {
              "$ref": "#/definitions/wellKnown"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/clients": {
      "get": {
        "description": "This endpoint lists all clients in the database, and never returns client secrets.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "List OAuth 2.0 Clients",
        "operationId": "listOAuth2Clients",
        "parameters": [
          {
            "type": "integer",
            "format": "int64",
            "x-go-name": "Limit",
            "description": "The maximum amount of policies returned.",
            "name": "limit",
            "in": "query"
          },
          {
            "type": "integer",
            "format": "int64",
            "x-go-name": "Offset",
            "description": "The offset from where to start looking.",
            "name": "offset",
            "in": "query"
          }
        ],
        "responses": {
          "200": {
            "$ref": "#/responses/oAuth2ClientList"
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "post": {
        "description": "Create a new OAuth 2.0 client If you pass `client_secret` the secret will be used, otherwise a random secret will be generated. The secret will be returned in the response and you will not be able to retrieve it later on. Write the secret down and keep it somwhere safe.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Create an OAuth 2.0 client",
        "operationId": "createOAuth2Client",
        "parameters": [
          {
            "name": "Body",
            "in": "body",
            "required": true,
            "schema": {
              "$ref": "#/definitions/oAuth2Client"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "oAuth2Client",
            "schema": {
              "$ref": "#/definitions/oAuth2Client"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/clients/{id}": {
      "get": {
        "description": "Get an OAUth 2.0 client by its ID. This endpoint never returns passwords.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Get an OAuth 2.0 Client.",
        "operationId": "getOAuth2Client",
        "parameters": [
          {
            "uniqueItems": true,
            "type": "string",
            "x-go-name": "ID",
            "description": "The id of the OAuth 2.0 Client.",
            "name": "id",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "description": "oAuth2Client",
            "schema": {
              "$ref": "#/definitions/oAuth2Client"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "put": {
        "description": "Update an existing OAuth 2.0 Client. If you pass `client_secret` the secret will be updated and returned via the API. This is the only time you will be able to retrieve the client secret, so write it down and keep it safe.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Update an OAuth 2.0 Client",
        "operationId": "updateOAuth2Client",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "ID",
            "name": "id",
            "in": "path",
            "required": true
          },
          {
            "name": "Body",
            "in": "body",
            "required": true,
            "schema": {
              "$ref": "#/definitions/oAuth2Client"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "oAuth2Client",
            "schema": {
              "$ref": "#/definitions/oAuth2Client"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "delete": {
        "description": "Delete an existing OAuth 2.0 Client by its ID.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Deletes an OAuth 2.0 Client",
        "operationId": "deleteOAuth2Client",
        "parameters": [
          {
            "uniqueItems": true,
            "type": "string",
            "x-go-name": "ID",
            "description": "The id of the OAuth 2.0 Client.",
            "name": "id",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "204": {
            "$ref": "#/responses/emptyResponse"
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/health/alive": {
      "get": {
        "description": "This endpoint returns a 200 status code when the HTTP server is up running.\nThis status does currently not include checks whether the database connection is working.\nThis endpoint does not require the `X-Forwarded-Proto` header when TLS termination is set.\n\nBe aware that if you are running multiple nodes of ORY Hydra, the health status will never refer to the cluster state, only to a single instance.",
        "tags": [
          "health"
        ],
        "summary": "Check the Alive Status",
        "operationId": "isInstanceAlive",
        "responses": {
          "200": {
            "description": "healthStatus",
            "schema": {
              "$ref": "#/definitions/healthStatus"
            }
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/health/ready": {
      "get": {
        "description": "This endpoint returns a 200 status code when the HTTP server is up running and the environment dependencies (e.g.\nthe database) are responsive as well.\n\nThis status does currently not include checks whether the database connection is working.\nThis endpoint does not require the `X-Forwarded-Proto` header when TLS termination is set.\n\nBe aware that if you are running multiple nodes of ORY Hydra, the health status will never refer to the cluster state, only to a single instance.",
        "tags": [
          "health"
        ],
        "summary": "Check the Readiness Status",
        "operationId": "isInstanceReady",
        "responses": {
          "200": {
            "description": "healthStatus",
            "schema": {
              "$ref": "#/definitions/healthStatus"
            }
          },
          "503": {
            "description": "healthNotReadyStatus",
            "schema": {
              "$ref": "#/definitions/healthNotReadyStatus"
            }
          }
        }
      }
    },
    "/keys/{set}": {
      "get": {
        "description": "This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "jsonWebKey"
        ],
        "summary": "Retrieve a JSON Web Key Set",
        "operationId": "getJsonWebKeySet",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Set",
            "description": "The set",
            "name": "set",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "description": "jsonWebKeySet",
            "schema": {
              "$ref": "#/definitions/jsonWebKeySet"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "put": {
        "description": "Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "jsonWebKey"
        ],
        "summary": "Update a JSON Web Key Set",
        "operationId": "updateJsonWebKeySet",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Set",
            "description": "The set",
            "name": "set",
            "in": "path",
            "required": true
          },
          {
            "name": "Body",
            "in": "body",
            "schema": {
              "$ref": "#/definitions/jsonWebKeySet"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "jsonWebKeySet",
            "schema": {
              "$ref": "#/definitions/jsonWebKeySet"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "post": {
        "description": "This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "jsonWebKey"
        ],
        "summary": "Generate a new JSON Web Key",
        "operationId": "createJsonWebKeySet",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Set",
            "description": "The set",
            "name": "set",
            "in": "path",
            "required": true
          },
          {
            "name": "Body",
            "in": "body",
            "schema": {
              "$ref": "#/definitions/jsonWebKeySetGeneratorRequest"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "jsonWebKeySet",
            "schema": {
              "$ref": "#/definitions/jsonWebKeySet"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "delete": {
        "description": "Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "jsonWebKey"
        ],
        "summary": "Delete a JSON Web Key Set",
        "operationId": "deleteJsonWebKeySet",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Set",
            "description": "The set",
            "name": "set",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "204": {
            "$ref": "#/responses/emptyResponse"
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/keys/{set}/{kid}": {
      "get": {
        "description": "This endpoint can be used to retrieve JWKs stored in ORY Hydra.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "jsonWebKey"
        ],
        "summary": "Retrieve a JSON Web Key",
        "operationId": "getJsonWebKey",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "KID",
            "description": "The kid of the desired key",
            "name": "kid",
            "in": "path",
            "required": true
          },
          {
            "type": "string",
            "x-go-name": "Set",
            "description": "The set",
            "name": "set",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "description": "jsonWebKeySet",
            "schema": {
              "$ref": "#/definitions/jsonWebKeySet"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "put": {
        "description": "Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "jsonWebKey"
        ],
        "summary": "Update a JSON Web Key",
        "operationId": "updateJsonWebKey",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "KID",
            "description": "The kid of the desired key",
            "name": "kid",
            "in": "path",
            "required": true
          },
          {
            "type": "string",
            "x-go-name": "Set",
            "description": "The set",
            "name": "set",
            "in": "path",
            "required": true
          },
          {
            "name": "Body",
            "in": "body",
            "schema": {
              "$ref": "#/definitions/jsonWebKey"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "jsonWebKey",
            "schema": {
              "$ref": "#/definitions/jsonWebKey"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "delete": {
        "description": "Use this endpoint to delete a single JSON Web Key.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "jsonWebKey"
        ],
        "summary": "Delete a JSON Web Key",
        "operationId": "deleteJsonWebKey",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "KID",
            "description": "The kid of the desired key",
            "name": "kid",
            "in": "path",
            "required": true
          },
          {
            "type": "string",
            "x-go-name": "Set",
            "description": "The set",
            "name": "set",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "204": {
            "$ref": "#/responses/emptyResponse"
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/metrics/prometheus": {
      "get": {
        "description": "This endpoint returns metrics formatted for Prometheus.",
        "tags": [
          "metrics"
        ],
        "summary": "Retrieve Prometheus metrics",
        "operationId": "getPrometheusMetrics",
        "responses": {}
      }
    },
    "/oauth2/auth": {
      "get": {
        "description": "This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows.\nOAuth2 is a very popular protocol and a library for your programming language will exists.\n\nTo learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749",
        "consumes": [
          "application/x-www-form-urlencoded"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "The OAuth 2.0 authorize endpoint",
        "operationId": "oauthAuth",
        "responses": {
          "302": {
            "$ref": "#/responses/emptyResponse"
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/requests/consent/{challenge}": {
      "get": {
        "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\nto authenticate the user and then tell ORY Hydra now about it. If the user authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the user's behalf.\n\nThe consent provider which handles this request and is a web app implemented and hosted by you. It shows a user interface which asks the user to\ngrant or deny the client access to the requested scope (\"Application my-dropbox-app wants write access to all your private files\").\n\nThe consent challenge is appended to the consent provider's URL to which the user's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the user accepted\nor rejected the request.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Get consent request information",
        "operationId": "getConsentRequest",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Challenge",
            "name": "challenge",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "description": "consentRequest",
            "schema": {
              "$ref": "#/definitions/consentRequest"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/requests/consent/{challenge}/accept": {
      "put": {
        "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\nto authenticate the user and then tell ORY Hydra now about it. If the user authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the user's behalf.\n\nThe consent provider which handles this request and is a web app implemented and hosted by you. It shows a user interface which asks the user to\ngrant or deny the client access to the requested scope (\"Application my-dropbox-app wants write access to all your private files\").\n\nThe consent challenge is appended to the consent provider's URL to which the user's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the user accepted\nor rejected the request.\n\nThis endpoint tells ORY Hydra that the user has authorized the OAuth 2.0 client to access resources on his/her behalf.\nThe consent provider includes additional information, such as session data for access and ID tokens, and if the\nconsent request should be used as basis for future requests.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Accept an consent request",
        "operationId": "acceptConsentRequest",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Challenge",
            "name": "challenge",
            "in": "path",
            "required": true
          },
          {
            "name": "Body",
            "in": "body",
            "schema": {
              "$ref": "#/definitions/acceptConsentRequest"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "completedRequest",
            "schema": {
              "$ref": "#/definitions/completedRequest"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/requests/consent/{challenge}/reject": {
      "put": {
        "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\nto authenticate the user and then tell ORY Hydra now about it. If the user authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the user's behalf.\n\nThe consent provider which handles this request and is a web app implemented and hosted by you. It shows a user interface which asks the user to\ngrant or deny the client access to the requested scope (\"Application my-dropbox-app wants write access to all your private files\").\n\nThe consent challenge is appended to the consent provider's URL to which the user's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the user accepted\nor rejected the request.\n\nThis endpoint tells ORY Hydra that the user has not authorized the OAuth 2.0 client to access resources on his/her behalf.\nThe consent provider must include a reason why the consent was not granted.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Reject an consent request",
        "operationId": "rejectConsentRequest",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Challenge",
            "name": "challenge",
            "in": "path",
            "required": true
          },
          {
            "name": "Body",
            "in": "body",
            "schema": {
              "$ref": "#/definitions/rejectRequest"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "completedRequest",
            "schema": {
              "$ref": "#/definitions/completedRequest"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/requests/login/{challenge}": {
      "get": {
        "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity provider\") to authenticate the user and then tell ORY Hydra now about it. The login\nprovider is an web-app you write and host, and it must be able to authenticate (\"show the user a login screen\")\na user (in OAuth2 the proper name for user is \"resource owner\").\n\nThe authentication challenge is appended to the login provider URL to which the user's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Get an login request",
        "operationId": "getLoginRequest",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Challenge",
            "name": "challenge",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "description": "loginRequest",
            "schema": {
              "$ref": "#/definitions/loginRequest"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/requests/login/{challenge}/accept": {
      "put": {
        "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity provider\") to authenticate the user and then tell ORY Hydra now about it. The login\nprovider is an web-app you write and host, and it must be able to authenticate (\"show the user a login screen\")\na user (in OAuth2 the proper name for user is \"resource owner\").\n\nThe authentication challenge is appended to the login provider URL to which the user's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.\n\nThis endpoint tells ORY Hydra that the user has successfully authenticated and includes additional information such as\nthe user's ID and if ORY Hydra should remember the user's user agent for future authentication attempts by setting\na cookie.\n\nThe response contains a redirect URL which the login provider should redirect the user-agent to.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Accept an login request",
        "operationId": "acceptLoginRequest",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Challenge",
            "name": "challenge",
            "in": "path",
            "required": true
          },
          {
            "name": "Body",
            "in": "body",
            "schema": {
              "$ref": "#/definitions/acceptLoginRequest"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "completedRequest",
            "schema": {
              "$ref": "#/definitions/completedRequest"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/requests/login/{challenge}/reject": {
      "put": {
        "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity provider\") to authenticate the user and then tell ORY Hydra now about it. The login\nprovider is an web-app you write and host, and it must be able to authenticate (\"show the user a login screen\")\na user (in OAuth2 the proper name for user is \"resource owner\").\n\nThe authentication challenge is appended to the login provider URL to which the user's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.\n\nThis endpoint tells ORY Hydra that the user has not authenticated and includes a reason why the authentication\nwas be denied.\n\nThe response contains a redirect URL which the login provider should redirect the user-agent to.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Reject a login request",
        "operationId": "rejectLoginRequest",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Challenge",
            "name": "challenge",
            "in": "path",
            "required": true
          },
          {
            "name": "Body",
            "in": "body",
            "schema": {
              "$ref": "#/definitions/rejectRequest"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "completedRequest",
            "schema": {
              "$ref": "#/definitions/completedRequest"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/sessions/consent/{user}": {
      "get": {
        "description": "This endpoint lists all user's granted consent sessions, including client and granted scope",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Lists all consent sessions of a user",
        "operationId": "listUserConsentSessions",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "User",
            "name": "user",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "$ref": "#/responses/handledConsentRequestList"
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "403": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      },
      "delete": {
        "description": "This endpoint revokes a user's granted consent sessions and invalidates all associated OAuth 2.0 Access Tokens.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Revokes all previous consent sessions of a user",
        "operationId": "revokeAllUserConsentSessions",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "User",
            "name": "user",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "204": {
            "$ref": "#/responses/emptyResponse"
          },
          "404": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/sessions/consent/{user}/{client}": {
      "delete": {
        "description": "This endpoint revokes a user's granted consent sessions for a specific OAuth 2.0 Client and invalidates all\nassociated OAuth 2.0 Access Tokens.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Revokes consent sessions of a user for a specific OAuth 2.0 Client",
        "operationId": "revokeUserClientConsentSessions",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "User",
            "name": "user",
            "in": "path",
            "required": true
          },
          {
            "type": "string",
            "x-go-name": "Client",
            "name": "client",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "204": {
            "$ref": "#/responses/emptyResponse"
          },
          "404": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/auth/sessions/login/{user}": {
      "delete": {
        "description": "This endpoint invalidates a user's authentication session. After revoking the authentication session, the user\nhas to re-authenticate at ORY Hydra. This endpoint does not invalidate any tokens.",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Invalidates a user's authentication session",
        "operationId": "revokeAuthenticationSession",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "User",
            "name": "user",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "204": {
            "$ref": "#/responses/emptyResponse"
          },
          "404": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/flush": {
      "post": {
        "description": "This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be\nnot be touched, in case you want to keep recent tokens for auditing. Refresh tokens can not be flushed as they are deleted\nautomatically when performing the refresh flow.",
        "consumes": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Flush Expired OAuth2 Access Tokens",
        "operationId": "flushInactiveOAuth2Tokens",
        "parameters": [
          {
            "name": "Body",
            "in": "body",
            "schema": {
              "$ref": "#/definitions/flushInactiveOAuth2TokensRequest"
            }
          }
        ],
        "responses": {
          "204": {
            "$ref": "#/responses/emptyResponse"
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/introspect": {
      "post": {
        "security": [
          {
            "basic": []
          },
          {
            "oauth2": []
          }
        ],
        "description": "The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token\nis neither expired nor revoked. If a token is active, additional information on the token will be included. You can\nset additional data for a token by setting `accessTokenExtra` during the consent flow.",
        "consumes": [
          "application/x-www-form-urlencoded"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Introspect OAuth2 tokens",
        "operationId": "introspectOAuth2Token",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Token",
            "description": "The string value of the token. For access tokens, this\nis the \"access_token\" value returned from the token endpoint\ndefined in OAuth 2.0 [RFC6749], Section 5.1.\nThis endpoint DOES NOT accept refresh tokens for validation.",
            "name": "token",
            "in": "formData",
            "required": true
          },
          {
            "type": "string",
            "x-go-name": "Scope",
            "description": "An optional, space separated list of required scopes. If the access token was not granted one of the\nscopes, the result of active will be false.",
            "name": "scope",
            "in": "formData"
          }
        ],
        "responses": {
          "200": {
            "description": "oAuth2TokenIntrospection",
            "schema": {
              "$ref": "#/definitions/oAuth2TokenIntrospection"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/revoke": {
      "post": {
        "security": [
          {
            "basic": []
          },
          {
            "oauth2": []
          }
        ],
        "description": "Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no\nlonger be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token.\nRevoking a refresh token also invalidates the access token that was created with it.",
        "consumes": [
          "application/x-www-form-urlencoded"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "Revoke OAuth2 tokens",
        "operationId": "revokeOAuth2Token",
        "parameters": [
          {
            "type": "string",
            "x-go-name": "Token",
            "name": "token",
            "in": "formData",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "$ref": "#/responses/emptyResponse"
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/oauth2/token": {
      "post": {
        "security": [
          {
            "basic": []
          },
          {
            "oauth2": []
          }
        ],
        "description": "This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows.\nOAuth2 is a very popular protocol and a library for your programming language will exists.\n\nTo learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749",
        "consumes": [
          "application/x-www-form-urlencoded"
        ],
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "The OAuth 2.0 token endpoint",
        "operationId": "oauthToken",
        "responses": {
          "200": {
            "description": "oauthTokenResponse",
            "schema": {
              "$ref": "#/definitions/oauthTokenResponse"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/userinfo": {
      "post": {
        "security": [
          {
            "oauth2": []
          }
        ],
        "description": "This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 access token.\nThe endpoint implements http://openid.net/specs/openid-connect-core-1_0.html#UserInfo .",
        "produces": [
          "application/json"
        ],
        "schemes": [
          "http",
          "https"
        ],
        "tags": [
          "oAuth2"
        ],
        "summary": "OpenID Connect Userinfo",
        "operationId": "userinfo",
        "responses": {
          "200": {
            "description": "userinfoResponse",
            "schema": {
              "$ref": "#/definitions/userinfoResponse"
            }
          },
          "401": {
            "$ref": "#/responses/genericError"
          },
          "500": {
            "$ref": "#/responses/genericError"
          }
        }
      }
    },
    "/version": {
      "get": {
        "description": "This endpoint returns the version as `{ \"version\": \"VERSION\" }`. The version is only correct with the prebuilt binary and not custom builds.",
        "tags": [
          "version"
        ],
        "summary": "Get the version of Hydra",
        "operationId": "getVersion",
        "responses": {
          "200": {
            "description": "version",
            "schema": {
              "$ref": "#/definitions/version"
            }
          }
        }
      }
    }
  },
  "definitions": {
    "AttributeTypeAndValue": {
      "description": "AttributeTypeAndValue mirrors the ASN.1 structure of the same name in\nhttp://tools.ietf.org/html/rfc5280#section-4.1.2.4",
      "type": "object",
      "properties": {
        "Type": {
          "$ref": "#/definitions/ObjectIdentifier"
        },
        "Value": {
          "type": "object"
        }
      },
      "x-go-package": "crypto/x509/pkix"
    },
    "AuthenticationSession": {
      "type": "object",
      "properties": {
        "AuthenticatedAt": {
          "type": "string",
          "format": "date-time"
        },
        "ID": {
          "type": "string"
        },
        "Subject": {
          "type": "string"
        }
      },
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "Certificate": {
      "type": "object",
      "title": "A Certificate represents an X.509 certificate.",
      "properties": {
        "AuthorityKeyId": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        },
        "BasicConstraintsValid": {
          "description": "BasicConstraintsValid indicates whether IsCA, MaxPathLen,\nand MaxPathLenZero are valid.",
          "type": "boolean"
        },
        "CRLDistributionPoints": {
          "description": "CRL Distribution Points",
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "DNSNames": {
          "description": "Subject Alternate Name values. (Note that these values may not be valid\nif invalid values were contained within a parsed certificate. For\nexample, an element of DNSNames may not be a valid DNS domain name.)",
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "EmailAddresses": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "ExcludedDNSDomains": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "ExcludedEmailAddresses": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "ExcludedIPRanges": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/IPNet"
          }
        },
        "ExcludedURIDomains": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "ExtKeyUsage": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/ExtKeyUsage"
          }
        },
        "Extensions": {
          "description": "Extensions contains raw X.509 extensions. When parsing certificates,\nthis can be used to extract non-critical extensions that are not\nparsed by this package. When marshaling certificates, the Extensions\nfield is ignored, see ExtraExtensions.",
          "type": "array",
          "items": {
            "$ref": "#/definitions/Extension"
          }
        },
        "ExtraExtensions": {
          "description": "ExtraExtensions contains extensions to be copied, raw, into any\nmarshaled certificates. Values override any extensions that would\notherwise be produced based on the other fields. The ExtraExtensions\nfield is not populated when parsing certificates, see Extensions.",
          "type": "array",
          "items": {
            "$ref": "#/definitions/Extension"
          }
        },
        "IPAddresses": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/IP"
          }
        },
        "IsCA": {
          "type": "boolean"
        },
        "Issuer": {
          "$ref": "#/definitions/Name"
        },
        "IssuingCertificateURL": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "KeyUsage": {
          "$ref": "#/definitions/KeyUsage"
        },
        "MaxPathLen": {
          "description": "MaxPathLen and MaxPathLenZero indicate the presence and\nvalue of the BasicConstraints' \"pathLenConstraint\".\n\nWhen parsing a certificate, a positive non-zero MaxPathLen\nmeans that the field was specified, -1 means it was unset,\nand MaxPathLenZero being true mean that the field was\nexplicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false\nshould be treated equivalent to -1 (unset).\n\nWhen generating a certificate, an unset pathLenConstraint\ncan be requested with either MaxPathLen == -1 or using the\nzero value for both MaxPathLen and MaxPathLenZero.",
          "type": "integer",
          "format": "int64"
        },
        "MaxPathLenZero": {
          "description": "MaxPathLenZero indicates that BasicConstraintsValid==true\nand MaxPathLen==0 should be interpreted as an actual\nmaximum path length of zero. Otherwise, that combination is\ninterpreted as MaxPathLen not being set.",
          "type": "boolean"
        },
        "NotBefore": {
          "type": "string",
          "format": "date-time"
        },
        "OCSPServer": {
          "description": "RFC 5280, 4.2.2.1 (Authority Information Access)",
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "PermittedDNSDomains": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "PermittedDNSDomainsCritical": {
          "description": "Name constraints",
          "type": "boolean"
        },
        "PermittedEmailAddresses": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "PermittedIPRanges": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/IPNet"
          }
        },
        "PermittedURIDomains": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "PolicyIdentifiers": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/ObjectIdentifier"
          }
        },
        "PublicKey": {
          "type": "object"
        },
        "PublicKeyAlgorithm": {
          "$ref": "#/definitions/PublicKeyAlgorithm"
        },
        "Raw": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        },
        "RawIssuer": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        },
        "RawSubject": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        },
        "RawSubjectPublicKeyInfo": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        },
        "RawTBSCertificate": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        },
        "SerialNumber": {
          "$ref": "#/definitions/Int"
        },
        "Signature": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        },
        "SignatureAlgorithm": {
          "$ref": "#/definitions/SignatureAlgorithm"
        },
        "Subject": {
          "$ref": "#/definitions/Name"
        },
        "SubjectKeyId": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        },
        "URIs": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/URL"
          }
        },
        "UnhandledCriticalExtensions": {
          "description": "UnhandledCriticalExtensions contains a list of extension IDs that\nwere not (fully) processed when parsing. Verify will fail if this\nslice is non-empty, unless verification is delegated to an OS\nlibrary which understands all the critical extensions.\n\nUsers can access these extensions using Extensions and can remove\nelements from this slice if they believe that they have been\nhandled.",
          "type": "array",
          "items": {
            "$ref": "#/definitions/ObjectIdentifier"
          }
        },
        "UnknownExtKeyUsage": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/ObjectIdentifier"
          }
        },
        "Version": {
          "type": "integer",
          "format": "int64"
        }
      },
      "x-go-package": "crypto/x509"
    },
    "ExtKeyUsage": {
      "description": "Each of the ExtKeyUsage* constants define a unique action.",
      "type": "integer",
      "format": "int64",
      "title": "ExtKeyUsage represents an extended set of actions that are valid for a given key.",
      "x-go-package": "crypto/x509"
    },
    "Extension": {
      "description": "Extension represents the ASN.1 structure of the same name. See RFC\n5280, section 4.2.",
      "type": "object",
      "properties": {
        "Critical": {
          "type": "boolean"
        },
        "Id": {
          "$ref": "#/definitions/ObjectIdentifier"
        },
        "Value": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "uint8"
          }
        }
      },
      "x-go-package": "crypto/x509/pkix"
    },
    "IP": {
      "description": "Note that in this documentation, referring to an\nIP address as an IPv4 address or an IPv6 address\nis a semantic property of the address, not just the\nlength of the byte slice: a 16-byte slice can still\nbe an IPv4 address.",
      "type": "array",
      "title": "An IP is a single IP address, a slice of bytes.\nFunctions in this package accept either 4-byte (IPv4)\nor 16-byte (IPv6) slices as input.",
      "items": {
        "type": "integer",
        "format": "uint8"
      },
      "x-go-package": "net"
    },
    "IPMask": {
      "type": "array",
      "title": "An IP mask is an IP address.",
      "items": {
        "type": "integer",
        "format": "uint8"
      },
      "x-go-package": "net"
    },
    "IPNet": {
      "type": "object",
      "title": "An IPNet represents an IP network.",
      "properties": {
        "IP": {
          "$ref": "#/definitions/IP"
        },
        "Mask": {
          "$ref": "#/definitions/IPMask"
        }
      },
      "x-go-package": "net"
    },
    "Int": {
      "description": "The zero value for an Int represents the value 0.",
      "type": "object",
      "title": "An Int represents a signed multi-precision integer.",
      "x-go-package": "math/big"
    },
    "JSONWebKey": {
      "type": "object",
      "title": "JSONWebKey represents a public or private key in JWK format.",
      "properties": {
        "Algorithm": {
          "type": "string"
        },
        "Certificates": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/Certificate"
          }
        },
        "Key": {
          "type": "object"
        },
        "KeyID": {
          "type": "string"
        },
        "Use": {
          "type": "string"
        }
      },
      "x-go-package": "github.com/ory/hydra/vendor/gopkg.in/square/go-jose.v2"
    },
    "JSONWebKeySet": {
      "type": "object",
      "title": "JSONWebKeySet represents a JWK Set object.",
      "properties": {
        "keys": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/JSONWebKey"
          },
          "x-go-name": "Keys"
        }
      },
      "x-go-package": "github.com/ory/hydra/vendor/gopkg.in/square/go-jose.v2"
    },
    "KeyUsage": {
      "description": "KeyUsage represents the set of actions that are valid for a given key. It's\na bitmap of the KeyUsage* constants.",
      "type": "integer",
      "format": "int64",
      "x-go-package": "crypto/x509"
    },
    "Name": {
      "description": "Name represents an X.509 distinguished name. This only includes the common\nelements of a DN. When parsing, all elements are stored in Names and\nnon-standard elements can be extracted from there. When marshaling, elements\nin ExtraNames are appended and override other values with the same OID.",
      "type": "object",
      "properties": {
        "Country": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "ExtraNames": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/AttributeTypeAndValue"
          }
        },
        "Locality": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "Names": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/AttributeTypeAndValue"
          }
        },
        "SerialNumber": {
          "type": "string"
        },
        "StreetAddress": {
          "type": "array",
          "items": {
            "type": "string"
          }
        }
      },
      "x-go-package": "crypto/x509/pkix"
    },
    "ObjectIdentifier": {
      "type": "array",
      "title": "An ObjectIdentifier represents an ASN.1 OBJECT IDENTIFIER.",
      "items": {
        "type": "integer",
        "format": "int64"
      },
      "x-go-package": "encoding/asn1"
    },
    "PreviousConsentSession": {
      "description": "The response used to return handled consent requests\nsame as HandledAuthenticationRequest, just with consent_request exposed as json",
      "type": "object",
      "properties": {
        "consent_request": {
          "$ref": "#/definitions/consentRequest"
        },
        "grant_scope": {
          "description": "GrantScope sets the scope the user authorized the client to use. Should be a subset of `requested_scope`",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "GrantedScope"
        },
        "remember": {
          "description": "Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.",
          "type": "boolean",
          "x-go-name": "Remember"
        },
        "remember_for": {
          "description": "RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered indefinitely.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "RememberFor"
        },
        "session": {
          "$ref": "#/definitions/consentRequestSession"
        }
      },
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "PublicKeyAlgorithm": {
      "type": "integer",
      "format": "int64",
      "x-go-package": "crypto/x509"
    },
    "RawMessage": {
      "description": "It implements Marshaler and Unmarshaler and can\nbe used to delay JSON decoding or precompute a JSON encoding.",
      "type": "array",
      "title": "RawMessage is a raw encoded JSON value.",
      "items": {
        "type": "integer",
        "format": "uint8"
      },
      "x-go-package": "encoding/json"
    },
    "SignatureAlgorithm": {
      "type": "integer",
      "format": "int64",
      "x-go-package": "crypto/x509"
    },
    "URL": {
      "description": "The general form represented is:\n\n[scheme:][//[userinfo@]host][/]path[?query][#fragment]\n\nURLs that do not start with a slash after the scheme are interpreted as:\n\nscheme:opaque[?query][#fragment]\n\nNote that the Path field is stored in decoded form: /%47%6f%2f becomes /Go/.\nA consequence is that it is impossible to tell which slashes in the Path were\nslashes in the raw URL and which were %2f. This distinction is rarely important,\nbut when it is, code must not use Path directly.\nThe Parse function sets both Path and RawPath in the URL it returns,\nand URL's String method uses RawPath if it is a valid encoding of Path,\nby calling the EscapedPath method.",
      "type": "object",
      "title": "A URL represents a parsed URL (technically, a URI reference).",
      "properties": {
        "ForceQuery": {
          "type": "boolean"
        },
        "Fragment": {
          "type": "string"
        },
        "Host": {
          "type": "string"
        },
        "Opaque": {
          "type": "string"
        },
        "Path": {
          "type": "string"
        },
        "RawPath": {
          "type": "string"
        },
        "RawQuery": {
          "type": "string"
        },
        "Scheme": {
          "type": "string"
        },
        "User": {
          "$ref": "#/definitions/Userinfo"
        }
      },
      "x-go-package": "net/url"
    },
    "Userinfo": {
      "description": "The Userinfo type is an immutable encapsulation of username and\npassword details for a URL. An existing Userinfo value is guaranteed\nto have a username set (potentially empty, as allowed by RFC 2396),\nand optionally a password.",
      "type": "object",
      "x-go-package": "net/url"
    },
    "acceptConsentRequest": {
      "type": "object",
      "title": "The request payload used to accept a consent request.",
      "properties": {
        "grant_scope": {
          "description": "GrantScope sets the scope the user authorized the client to use. Should be a subset of `requested_scope`",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "GrantedScope"
        },
        "remember": {
          "description": "Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.",
          "type": "boolean",
          "x-go-name": "Remember"
        },
        "remember_for": {
          "description": "RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered indefinitely.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "RememberFor"
        },
        "session": {
          "$ref": "#/definitions/consentRequestSession"
        }
      },
      "x-go-name": "HandledConsentRequest",
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "acceptLoginRequest": {
      "type": "object",
      "title": "The request payload used to accept a login request.",
      "properties": {
        "acr": {
          "description": "ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.",
          "type": "string",
          "x-go-name": "ACR"
        },
        "remember": {
          "description": "Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store\na cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she\nwill not be asked to log in again.",
          "type": "boolean",
          "x-go-name": "Remember"
        },
        "remember_for": {
          "description": "RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered indefinitely.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "RememberFor"
        },
        "subject": {
          "description": "Subject is the user ID of the end-user that authenticated.",
          "type": "string",
          "x-go-name": "Subject"
        }
      },
      "x-go-name": "HandledAuthenticationRequest",
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "completedRequest": {
      "type": "object",
      "title": "The response payload sent when accepting or rejecting a login or consent request.",
      "properties": {
        "redirect_to": {
          "description": "RedirectURL is the URL which you should redirect the user to once the authentication process is completed.",
          "type": "string",
          "x-go-name": "RedirectTo"
        }
      },
      "x-go-name": "RequestHandlerResponse",
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "consentRequest": {
      "type": "object",
      "title": "Contains information on an ongoing consent request.",
      "properties": {
        "challenge": {
          "description": "Challenge is the identifier (\"authorization challenge\") of the consent authorization request. It is used to\nidentify the session.",
          "type": "string",
          "x-go-name": "Challenge"
        },
        "client": {
          "$ref": "#/definitions/oAuth2Client"
        },
        "oidc_context": {
          "$ref": "#/definitions/openIDConnectContext"
        },
        "request_url": {
          "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.",
          "type": "string",
          "x-go-name": "RequestURL"
        },
        "requested_scope": {
          "description": "RequestedScope contains all scopes requested by the OAuth 2.0 client.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "RequestedScope"
        },
        "skip": {
          "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you must not ask the user to grant the requested scopes. You must however either allow or deny the\nconsent request using the usual API call.",
          "type": "boolean",
          "x-go-name": "Skip"
        },
        "subject": {
          "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client.",
          "type": "string",
          "x-go-name": "Subject"
        }
      },
      "x-go-name": "ConsentRequest",
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "consentRequestSession": {
      "type": "object",
      "title": "Used to pass session data to a consent request.",
      "properties": {
        "access_token": {
          "description": "AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the\nrefresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.\nIf only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties\ncan access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!",
          "type": "object",
          "additionalProperties": {
            "type": "object"
          },
          "x-go-name": "AccessToken"
        },
        "id_token": {
          "description": "IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable\nby anyone that has access to the ID Challenge. Use with care!",
          "type": "object",
          "additionalProperties": {
            "type": "object"
          },
          "x-go-name": "IDToken"
        }
      },
      "x-go-name": "ConsentRequestSessionData",
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "flushInactiveOAuth2TokensRequest": {
      "type": "object",
      "properties": {
        "notAfter": {
          "description": "NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history\nof recently issued tokens for auditing.",
          "type": "string",
          "format": "date-time",
          "x-go-name": "NotAfter"
        }
      },
      "x-go-name": "FlushInactiveOAuth2TokensRequest",
      "x-go-package": "github.com/ory/hydra/oauth2"
    },
    "healthNotReadyStatus": {
      "type": "object",
      "properties": {
        "errors": {
          "description": "Errors contains a list of errors that caused the not ready status.",
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "x-go-name": "Errors"
        }
      },
      "x-go-name": "swaggerNotReadyStatus",
      "x-go-package": "github.com/ory/hydra/health"
    },
    "healthStatus": {
      "type": "object",
      "properties": {
        "status": {
          "description": "Status always contains \"ok\".",
          "type": "string",
          "x-go-name": "Status"
        }
      },
      "x-go-name": "swaggerHealthStatus",
      "x-go-package": "github.com/ory/hydra/health"
    },
    "joseWebKeySetRequest": {
      "type": "object",
      "properties": {
        "keys": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/RawMessage"
          },
          "x-go-name": "Keys"
        }
      },
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "jsonWebKey": {
      "type": "object",
      "properties": {
        "alg": {
          "description": "The \"alg\" (algorithm) parameter identifies the algorithm intended for\nuse with the key.  The values used should either be registered in the\nIANA \"JSON Web Signature and Encryption Algorithms\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name.",
          "type": "string",
          "x-go-name": "Alg"
        },
        "crv": {
          "type": "string",
          "x-go-name": "Crv"
        },
        "d": {
          "type": "string",
          "x-go-name": "D"
        },
        "dp": {
          "type": "string",
          "x-go-name": "Dp"
        },
        "dq": {
          "type": "string",
          "x-go-name": "Dq"
        },
        "e": {
          "type": "string",
          "x-go-name": "E"
        },
        "k": {
          "type": "string",
          "x-go-name": "K"
        },
        "kid": {
          "description": "The \"kid\" (key ID) parameter is used to match a specific key.  This\nis used, for instance, to choose among a set of keys within a JWK Set\nduring key rollover.  The structure of the \"kid\" value is\nunspecified.  When \"kid\" values are used within a JWK Set, different\nkeys within the JWK Set SHOULD use distinct \"kid\" values.  (One\nexample in which different keys might use the same \"kid\" value is if\nthey have different \"kty\" (key type) values but are considered to be\nequivalent alternatives by the application using them.)  The \"kid\"\nvalue is a case-sensitive string.",
          "type": "string",
          "x-go-name": "Kid"
        },
        "kty": {
          "description": "The \"kty\" (key type) parameter identifies the cryptographic algorithm\nfamily used with the key, such as \"RSA\" or \"EC\". \"kty\" values should\neither be registered in the IANA \"JSON Web Key Types\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name.  The \"kty\" value is a case-sensitive string.",
          "type": "string",
          "x-go-name": "Kty"
        },
        "n": {
          "type": "string",
          "x-go-name": "N"
        },
        "p": {
          "type": "string",
          "x-go-name": "P"
        },
        "q": {
          "type": "string",
          "x-go-name": "Q"
        },
        "qi": {
          "type": "string",
          "x-go-name": "Qi"
        },
        "use": {
          "description": "The \"use\" (public key use) parameter identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Values are commonly \"sig\" (signature) or \"enc\" (encryption).",
          "type": "string",
          "x-go-name": "Use"
        },
        "x": {
          "type": "string",
          "x-go-name": "X"
        },
        "x5c": {
          "description": "The \"x5c\" (X.509 certificate chain) parameter contains a chain of one\nor more PKIX certificates [RFC5280].  The certificate chain is\nrepresented as a JSON array of certificate value strings.  Each\nstring in the array is a base64-encoded (Section 4 of [RFC4648] --\nnot base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.\nThe PKIX certificate containing the key value MUST be the first\ncertificate.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "X5c"
        },
        "y": {
          "type": "string",
          "x-go-name": "Y"
        }
      },
      "x-go-name": "swaggerJSONWebKey",
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "jsonWebKeySet": {
      "type": "object",
      "properties": {
        "keys": {
          "description": "The value of the \"keys\" parameter is an array of JWK values.  By\ndefault, the order of the JWK values within the array does not imply\nan order of preference among them, although applications of JWK Sets\ncan choose to assign a meaning to the order for their purposes, if\ndesired.",
          "type": "array",
          "items": {
            "$ref": "#/definitions/jsonWebKey"
          },
          "x-go-name": "Keys"
        }
      },
      "x-go-name": "swaggerJSONWebKeySet",
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "jsonWebKeySetGeneratorRequest": {
      "type": "object",
      "required": [
        "alg",
        "use",
        "kid"
      ],
      "properties": {
        "alg": {
          "description": "The algorithm to be used for creating the key. Supports \"RS256\", \"ES512\", \"HS512\", and \"HS256\"",
          "type": "string",
          "x-go-name": "Algorithm"
        },
        "kid": {
          "description": "The kid of the key to be created",
          "type": "string",
          "x-go-name": "KeyID"
        },
        "use": {
          "description": "The \"use\" (public key use) parameter identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Valid values are \"enc\" and \"sig\".",
          "type": "string",
          "x-go-name": "Use"
        }
      },
      "x-go-name": "createRequest",
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "loginRequest": {
      "type": "object",
      "title": "Contains information on an ongoing login request.",
      "properties": {
        "challenge": {
          "description": "Challenge is the identifier (\"authentication challenge\") of the consent authentication request. It is used to\nidentify the session.",
          "type": "string",
          "x-go-name": "Challenge"
        },
        "client": {
          "$ref": "#/definitions/oAuth2Client"
        },
        "oidc_context": {
          "$ref": "#/definitions/openIDConnectContext"
        },
        "request_url": {
          "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.",
          "type": "string",
          "x-go-name": "RequestURL"
        },
        "requested_scope": {
          "description": "RequestedScope contains all scopes requested by the OAuth 2.0 client.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "RequestedScope"
        },
        "skip": {
          "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.\n\nThis feature allows you to update / set session information.",
          "type": "boolean",
          "x-go-name": "Skip"
        },
        "subject": {
          "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client.",
          "type": "string",
          "x-go-name": "Subject"
        }
      },
      "x-go-name": "AuthenticationRequest",
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "oAuth2Client": {
      "type": "object",
      "title": "Client represents an OAuth 2.0 Client.",
      "properties": {
        "client_id": {
          "description": "ClientID  is the id for this client.",
          "type": "string",
          "x-go-name": "ClientID"
        },
        "client_name": {
          "description": "Name is the human-readable string name of the client to be presented to the\nend-user during authorization.",
          "type": "string",
          "x-go-name": "Name"
        },
        "client_secret": {
          "description": "Secret is the client's secret. The secret will be included in the create request as cleartext, and then\nnever again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users\nthat they need to write the secret down as it will not be made available again.",
          "type": "string",
          "x-go-name": "Secret"
        },
        "client_secret_expires_at": {
          "description": "SecretExpiresAt is an integer holding the time at which the client\nsecret will expire or 0 if it will not expire. The time is\nrepresented as the number of seconds from 1970-01-01T00:00:00Z as\nmeasured in UTC until the date/time of expiration.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "SecretExpiresAt"
        },
        "client_uri": {
          "description": "ClientURI is an URL string of a web page providing information about the client.\nIf present, the server SHOULD display this URL to the end-user in\na clickable fashion.",
          "type": "string",
          "x-go-name": "ClientURI"
        },
        "contacts": {
          "description": "Contacts is a array of strings representing ways to contact people responsible\nfor this client, typically email addresses.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "Contacts"
        },
        "grant_types": {
          "description": "GrantTypes is an array of grant types the client is allowed to use.",
          "type": "array",
          "pattern": "client_credentials|authorize_code|implicit|refresh_token",
          "items": {
            "type": "string"
          },
          "x-go-name": "GrantTypes"
        },
        "jwks": {
          "$ref": "#/definitions/JSONWebKeySet"
        },
        "jwks_uri": {
          "description": "URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains\nthe signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the\nClient's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing\nand encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced\nJWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used\nto provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST\nmatch those in the certificate.",
          "type": "string",
          "x-go-name": "JSONWebKeysURI"
        },
        "logo_uri": {
          "description": "LogoURI is an URL string that references a logo for the client.",
          "type": "string",
          "x-go-name": "LogoURI"
        },
        "owner": {
          "description": "Owner is a string identifying the owner of the OAuth 2.0 Client.",
          "type": "string",
          "x-go-name": "Owner"
        },
        "policy_uri": {
          "description": "PolicyURI is a URL string that points to a human-readable privacy policy document\nthat describes how the deployment organization collects, uses,\nretains, and discloses personal data.",
          "type": "string",
          "x-go-name": "PolicyURI"
        },
        "redirect_uris": {
          "description": "RedirectURIs is an array of allowed redirect urls for the client, for example http://mydomain/oauth/callback .",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "RedirectURIs"
        },
        "request_object_signing_alg": {
          "description": "JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects\nfrom this Client MUST be rejected, if not signed with this algorithm.",
          "type": "string",
          "x-go-name": "RequestObjectSigningAlgorithm"
        },
        "request_uris": {
          "description": "Array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY cache the\ncontents of the files referenced by these URIs and not retrieve them at the time they are used in a request.\nOPs can require that request_uri values used be pre-registered with the require_request_uri_registration\ndiscovery parameter.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "RequestURIs"
        },
        "response_types": {
          "description": "ResponseTypes is an array of the OAuth 2.0 response type strings that the client can\nuse at the authorization endpoint.",
          "type": "array",
          "pattern": "id_token|code|token",
          "items": {
            "type": "string"
          },
          "x-go-name": "ResponseTypes"
        },
        "scope": {
          "description": "Scope is a string containing a space-separated list of scope values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the client\ncan use when requesting access tokens.",
          "type": "string",
          "pattern": "([a-zA-Z0-9\\.\\*]+\\s?)+",
          "x-go-name": "Scope"
        },
        "sector_identifier_uri": {
          "description": "URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a\nfile with a single JSON array of redirect_uri values.",
          "type": "string",
          "x-go-name": "SectorIdentifierURI"
        },
        "token_endpoint_auth_method": {
          "description": "Requested Client Authentication method for the Token Endpoint. The options are client_secret_post,\nclient_secret_basic, private_key_jwt, and none.",
          "type": "string",
          "x-go-name": "TokenEndpointAuthMethod"
        },
        "tos_uri": {
          "description": "TermsOfServiceURI is a URL string that points to a human-readable terms of service\ndocument for the client that describes a contractual relationship\nbetween the end-user and the client that the end-user accepts when\nauthorizing the client.",
          "type": "string",
          "x-go-name": "TermsOfServiceURI"
        },
        "userinfo_signed_response_alg": {
          "description": "JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT\n[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims\nas a UTF-8 encoded JSON object using the application/json content-type.",
          "type": "string",
          "x-go-name": "UserinfoSignedResponseAlg"
        }
      },
      "x-go-name": "Client",
      "x-go-package": "github.com/ory/hydra/client"
    },
    "oAuth2TokenIntrospection": {
      "description": "https://tools.ietf.org/html/rfc7662",
      "type": "object",
      "title": "Introspection contains an access token's session data as specified by IETF RFC 7662, see:",
      "required": [
        "active"
      ],
      "properties": {
        "active": {
          "description": "Active is a boolean indicator of whether or not the presented token\nis currently active.  The specifics of a token's \"active\" state\nwill vary depending on the implementation of the authorization\nserver and the information it keeps about its tokens, but a \"true\"\nvalue return for the \"active\" property will generally indicate\nthat a given token has been issued by this authorization server,\nhas not been revoked by the resource owner, and is within its\ngiven time window of validity (e.g., after its issuance time and\nbefore its expiration time).",
          "type": "boolean",
          "x-go-name": "Active"
        },
        "aud": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "Audience"
        },
        "client_id": {
          "description": "ClientID is aclient identifier for the OAuth 2.0 client that\nrequested this token.",
          "type": "string",
          "x-go-name": "ClientID"
        },
        "exp": {
          "description": "Expires at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token will expire.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "ExpiresAt"
        },
        "ext": {
          "description": "Extra is arbitrary data set by the session.",
          "type": "object",
          "additionalProperties": {
            "type": "object"
          },
          "x-go-name": "Extra"
        },
        "iat": {
          "description": "Issued at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token was\noriginally issued.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "IssuedAt"
        },
        "iss": {
          "description": "IssuerURL is a string representing the issuer of this token",
          "type": "string",
          "x-go-name": "Issuer"
        },
        "nbf": {
          "description": "NotBefore is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token is not to be\nused before.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "NotBefore"
        },
        "scope": {
          "description": "Scope is a JSON string containing a space-separated list of\nscopes associated with this token.",
          "type": "string",
          "x-go-name": "Scope"
        },
        "sub": {
          "description": "Subject of the token, as defined in JWT [RFC7519].\nUsually a machine-readable identifier of the resource owner who\nauthorized this token.",
          "type": "string",
          "x-go-name": "Subject"
        },
        "token_type": {
          "description": "TokenType is the introspected token's type, for example `access_token` or `refresh_token`.",
          "type": "string",
          "x-go-name": "TokenType"
        },
        "username": {
          "description": "Username is a human-readable identifier for the resource owner who\nauthorized this token.",
          "type": "string",
          "x-go-name": "Username"
        }
      },
      "x-go-name": "Introspection",
      "x-go-package": "github.com/ory/hydra/oauth2"
    },
    "oauthTokenResponse": {
      "description": "The token response",
      "type": "object",
      "properties": {
        "access_token": {
          "description": "The access token issued by the authorization server.",
          "type": "string",
          "x-go-name": "AccessToken"
        },
        "expires_in": {
          "description": "The lifetime in seconds of the access token.  For\nexample, the value \"3600\" denotes that the access token will\nexpire in one hour from the time the response was generated.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "ExpiresIn"
        },
        "id_token": {
          "description": "To retrieve a refresh token request the id_token scope.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "IDToken"
        },
        "refresh_token": {
          "description": "The refresh token, which can be used to obtain new\naccess tokens. To retrieve it add the scope \"offline\" to your access token request.",
          "type": "string",
          "x-go-name": "RefreshToken"
        },
        "scope": {
          "description": "The scope of the access token",
          "type": "integer",
          "format": "int64",
          "x-go-name": "Scope"
        },
        "token_type": {
          "description": "The type of the token issued",
          "type": "string",
          "x-go-name": "TokenType"
        }
      },
      "x-go-name": "swaggerOAuthTokenResponse",
      "x-go-package": "github.com/ory/hydra/oauth2"
    },
    "openIDConnectContext": {
      "type": "object",
      "title": "Contains optional information about the OpenID Connect request.",
      "properties": {
        "acr_values": {
          "description": "ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.\nIt is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.\n\nOpenID Connect defines it as follows:\n\u003e Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values\nthat the Authorization Server is being requested to use for processing this Authentication Request, with the\nvalues appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication\nperformed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a\nVoluntary Claim by this parameter.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "ACRValues"
        },
        "display": {
          "description": "Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.\nThe defined values are:\npage: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.\npopup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.\ntouch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.\nwap: The Authorization Server SHOULD display the authentication and consent UI consistent with a \"feature phone\" type display.\n\nThe Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.",
          "type": "string",
          "x-go-name": "Display"
        },
        "id_token_hint_claims": {
          "description": "IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the\nEnd-User's current or past authenticated session with the Client.",
          "type": "object",
          "additionalProperties": {
            "type": "object"
          },
          "x-go-name": "IDTokenHintClaims"
        },
        "login_hint": {
          "description": "LoginHint hints about the login identifier the End-User might use to log in (if necessary).\nThis hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier)\nand then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a\nphone number in the format specified for the phone_number Claim. The use of this parameter is optional.",
          "type": "string",
          "x-go-name": "LoginHint"
        },
        "ui_locales": {
          "description": "UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a\nspace-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value\n\"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation),\nfollowed by English (without a region designation). An error SHOULD NOT result if some or all of the requested\nlocales are not supported by the OpenID Provider.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "UILocales"
        }
      },
      "x-go-name": "OpenIDConnectContext",
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "rejectRequest": {
      "type": "object",
      "title": "The request payload used to accept a login or consent request.",
      "properties": {
        "error": {
          "type": "string",
          "x-go-name": "Name"
        },
        "error_debug": {
          "type": "string",
          "x-go-name": "Debug"
        },
        "error_description": {
          "type": "string",
          "x-go-name": "Description"
        },
        "error_hint": {
          "type": "string",
          "x-go-name": "Hint"
        },
        "status_code": {
          "type": "integer",
          "format": "int64",
          "x-go-name": "Code"
        }
      },
      "x-go-name": "RequestDeniedError",
      "x-go-package": "github.com/ory/hydra/consent"
    },
    "swaggerFlushInactiveAccessTokens": {
      "type": "object",
      "properties": {
        "Body": {
          "$ref": "#/definitions/flushInactiveOAuth2TokensRequest"
        }
      },
      "x-go-package": "github.com/ory/hydra/oauth2"
    },
    "swaggerJsonWebKeyQuery": {
      "type": "object",
      "required": [
        "kid",
        "set"
      ],
      "properties": {
        "kid": {
          "description": "The kid of the desired key\nin: path",
          "type": "string",
          "x-go-name": "KID"
        },
        "set": {
          "description": "The set\nin: path",
          "type": "string",
          "x-go-name": "Set"
        }
      },
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "swaggerJwkCreateSet": {
      "type": "object",
      "required": [
        "set"
      ],
      "properties": {
        "Body": {
          "$ref": "#/definitions/jsonWebKeySetGeneratorRequest"
        },
        "set": {
          "description": "The set\nin: path",
          "type": "string",
          "x-go-name": "Set"
        }
      },
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "swaggerJwkSetQuery": {
      "type": "object",
      "required": [
        "set"
      ],
      "properties": {
        "set": {
          "description": "The set\nin: path",
          "type": "string",
          "x-go-name": "Set"
        }
      },
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "swaggerJwkUpdateSet": {
      "type": "object",
      "required": [
        "set"
      ],
      "properties": {
        "Body": {
          "$ref": "#/definitions/jsonWebKeySet"
        },
        "set": {
          "description": "The set\nin: path",
          "type": "string",
          "x-go-name": "Set"
        }
      },
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "swaggerJwkUpdateSetKey": {
      "type": "object",
      "required": [
        "kid",
        "set"
      ],
      "properties": {
        "Body": {
          "$ref": "#/definitions/jsonWebKey"
        },
        "kid": {
          "description": "The kid of the desired key\nin: path",
          "type": "string",
          "x-go-name": "KID"
        },
        "set": {
          "description": "The set\nin: path",
          "type": "string",
          "x-go-name": "Set"
        }
      },
      "x-go-package": "github.com/ory/hydra/jwk"
    },
    "swaggerOAuthIntrospectionRequest": {
      "type": "object",
      "required": [
        "token"
      ],
      "properties": {
        "scope": {
          "description": "An optional, space separated list of required scopes. If the access token was not granted one of the\nscopes, the result of active will be false.\n\nin: formData",
          "type": "string",
          "x-go-name": "Scope"
        },
        "token": {
          "description": "The string value of the token. For access tokens, this\nis the \"access_token\" value returned from the token endpoint\ndefined in OAuth 2.0 [RFC6749], Section 5.1.\nThis endpoint DOES NOT accept refresh tokens for validation.",
          "type": "string",
          "x-go-name": "Token"
        }
      },
      "x-go-package": "github.com/ory/hydra/oauth2"
    },
    "swaggerRevokeOAuth2TokenParameters": {
      "type": "object",
      "required": [
        "token"
      ],
      "properties": {
        "token": {
          "description": "in: formData",
          "type": "string",
          "x-go-name": "Token"
        }
      },
      "x-go-package": "github.com/ory/hydra/oauth2"
    },
    "userinfoResponse": {
      "description": "The userinfo response",
      "type": "object",
      "properties": {
        "birthdate": {
          "description": "End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.",
          "type": "string",
          "x-go-name": "Birthdate"
        },
        "email": {
          "description": "End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.",
          "type": "string",
          "x-go-name": "Email"
        },
        "email_verified": {
          "description": "True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.",
          "type": "boolean",
          "x-go-name": "EmailVerified"
        },
        "family_name": {
          "description": "Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.",
          "type": "string",
          "x-go-name": "FamilyName"
        },
        "gender": {
          "description": "End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.",
          "type": "string",
          "x-go-name": "Gender"
        },
        "given_name": {
          "description": "Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.",
          "type": "string",
          "x-go-name": "GivenName"
        },
        "locale": {
          "description": "End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.",
          "type": "string",
          "x-go-name": "Locale"
        },
        "middle_name": {
          "description": "Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.",
          "type": "string",
          "x-go-name": "MiddleName"
        },
        "name": {
          "description": "End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.",
          "type": "string",
          "x-go-name": "Name"
        },
        "nickname": {
          "description": "Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.",
          "type": "string",
          "x-go-name": "Nickname"
        },
        "phone_number": {
          "description": "End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.",
          "type": "string",
          "x-go-name": "PhoneNumber"
        },
        "phone_number_verified": {
          "description": "True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.",
          "type": "boolean",
          "x-go-name": "PhoneNumberVerified"
        },
        "picture": {
          "description": "URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.",
          "type": "string",
          "x-go-name": "Picture"
        },
        "preferred_username": {
          "description": "Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.",
          "type": "string",
          "x-go-name": "PreferredUsername"
        },
        "profile": {
          "description": "URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.",
          "type": "string",
          "x-go-name": "Profile"
        },
        "sub": {
          "description": "Subject - Identifier for the End-User at the IssuerURL.",
          "type": "string",
          "x-go-name": "Subject"
        },
        "updated_at": {
          "description": "Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.",
          "type": "integer",
          "format": "int64",
          "x-go-name": "UpdatedAt"
        },
        "website": {
          "description": "URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.",
          "type": "string",
          "x-go-name": "Website"
        },
        "zoneinfo": {
          "description": "String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.",
          "type": "string",
          "x-go-name": "Zoneinfo"
        }
      },
      "x-go-name": "swaggeruserinfoResponsePayload",
      "x-go-package": "github.com/ory/hydra/oauth2"
    },
    "version": {
      "type": "object",
      "properties": {
        "version": {
          "type": "string",
          "x-go-name": "Version"
        }
      },
      "x-go-name": "swaggerVersion",
      "x-go-package": "github.com/ory/hydra/health"
    },
    "wellKnown": {
      "type": "object",
      "required": [
        "issuer",
        "authorization_endpoint",
        "token_endpoint",
        "jwks_uri",
        "subject_types_supported",
        "response_types_supported",
        "id_token_signing_alg_values_supported"
      ],
      "properties": {
        "authorization_endpoint": {
          "description": "URL of the OP's OAuth 2.0 Authorization Endpoint.",
          "type": "string",
          "x-go-name": "AuthURL"
        },
        "claims_parameter_supported": {
          "description": "Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.",
          "type": "boolean",
          "x-go-name": "ClaimsParameterSupported"
        },
        "claims_supported": {
          "description": "JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply\nvalues for. Note that for privacy or other reasons, this might not be an exhaustive list.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "ClaimsSupported"
        },
        "grant_types_supported": {
          "description": "JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "GrantTypesSupported"
        },
        "id_token_signing_alg_values_supported": {
          "description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "IDTokenSigningAlgValuesSupported"
        },
        "issuer": {
          "description": "URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.\nIf IssuerURL discovery is supported , this value MUST be identical to the issuer value returned\nby WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.",
          "type": "string",
          "x-go-name": "Issuer"
        },
        "jwks_uri": {
          "description": "URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate\nsignatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs\nto encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)\nparameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.\nAlthough some algorithms allow the same key to be used for both signatures and encryption, doing so is\nNOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of\nkeys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.",
          "type": "string",
          "x-go-name": "JWKsURI"
        },
        "registration_endpoint": {
          "description": "URL of the OP's Dynamic Client Registration Endpoint.",
          "type": "string",
          "x-go-name": "RegistrationEndpoint"
        },
        "request_parameter_supported": {
          "description": "Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.",
          "type": "boolean",
          "x-go-name": "RequestParameterSupported"
        },
        "request_uri_parameter_supported": {
          "description": "Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.",
          "type": "boolean",
          "x-go-name": "RequestURIParameterSupported"
        },
        "require_request_uri_registration": {
          "description": "Boolean value specifying whether the OP requires any request_uri values used to be pre-registered\nusing the request_uris registration parameter.",
          "type": "boolean",
          "x-go-name": "RequireRequestURIRegistration"
        },
        "response_modes_supported": {
          "description": "JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "ResponseModesSupported"
        },
        "response_types_supported": {
          "description": "JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID\nProviders MUST support the code, id_token, and the token id_token Response Type values.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "ResponseTypes"
        },
        "scopes_supported": {
          "description": "SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST\nsupport the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "ScopesSupported"
        },
        "subject_types_supported": {
          "description": "JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include\npairwise and public.",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "SubjectTypes"
        },
        "token_endpoint": {
          "description": "URL of the OP's OAuth 2.0 Token Endpoint",
          "type": "string",
          "x-go-name": "TokenURL"
        },
        "token_endpoint_auth_methods_supported": {
          "description": "JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are\nclient_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "TokenEndpointAuthMethodsSupported"
        },
        "userinfo_endpoint": {
          "description": "URL of the OP's UserInfo Endpoint.",
          "type": "string",
          "x-go-name": "UserinfoEndpoint"
        },
        "userinfo_signing_alg_values_supported": {
          "description": "JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].",
          "type": "array",
          "items": {
            "type": "string"
          },
          "x-go-name": "UserinfoSigningAlgValuesSupported"
        }
      },
      "x-go-name": "WellKnown",
      "x-go-package": "github.com/ory/hydra/oauth2"
    }
  },
  "responses": {
    "emptyResponse": {
      "description": "An empty response"
    },
    "genericError": {
      "description": "The standard error format",
      "schema": {
        "type": "object",
        "properties": {
          "error": {
            "type": "string",
            "x-go-name": "Name"
          },
          "error_code": {
            "type": "integer",
            "format": "int64",
            "x-go-name": "Code"
          },
          "error_debug": {
            "type": "integer",
            "format": "int64",
            "x-go-name": "Debug"
          },
          "error_hint": {
            "type": "string",
            "x-go-name": "Hint"
          }
        }
      }
    },
    "handledConsentRequestList": {
      "description": "A list of handled consent requests.",
      "schema": {
        "type": "array",
        "items": {
          "$ref": "#/definitions/PreviousConsentSession"
        }
      }
    },
    "oAuth2ClientList": {
      "description": "A list of clients.",
      "schema": {
        "type": "array",
        "items": {
          "$ref": "#/definitions/oAuth2Client"
        }
      }
    }
  },
  "securityDefinitions": {
    "basic": {
      "type": "basic"
    },
    "oauth2": {
      "type": "oauth2",
      "flow": "accessCode",
      "authorizationUrl": "https://your-hydra-instance.com/oauth2/auth",
      "tokenUrl": "https://your-hydra-instance.com/oauth2/token",
      "scopes": {
        "offline": "A scope required when requesting refresh tokens",
        "openid": "Request an OpenID Connect ID Token"
      }
    }
  },
  "x-forwarded-proto": "string",
  "x-request-id": "string"
}