Retrieve a user's enterprise SSO identity and associated token secret (if token storage is enabled).

GET /api/users/{userId}/sso-identities/{ssoConnectorId}

This API retrieves the user's enterprise SSO identity and associated token set record from the Logto Secret Vault. The token set will only be available if token storage is enabled for the corresponding SSO connector.

Path parameters

  • userId string Required

    The unique identifier of the user.

  • ssoConnectorId string Required

    The unique identifier of the SSO connector.

Query parameters

  • includeTokenSecret string

    Whether to include the token secret in the response. Defaults to false. Token storage must be supported and enabled by the connector to return the token secret.

Responses

  • 200 application/json

    Returns the user's enterprise SSO identity and associated token secret.

    • ssoIdentity object Required

      The user's enterprise SSO identity.

      • tenantId string Required

        Maximum length is 21.

      • id string Required

        Minimum length is 1, maximum length is 21.

      • userId string Required

        Minimum length is 1, maximum length is 12.

      • issuer string Required

        Minimum length is 1, maximum length is 256.

      • identityId string Required

        Minimum length is 1, maximum length is 128.

      • detail object Required

        arbitrary

      • createdAt number Required
      • updatedAt number Required
      • ssoConnectorId string Required

        Minimum length is 1, maximum length is 128.

    • tokenSecret object

      The desensitized token set secret associated with the user's SSO identity. This field is included only if the includeTokenSecret query parameter is provided and the corresponding connector has token storage enabled.

      • tenantId string Required

        Maximum length is 21.

      • id string Required

        Minimum length is 1, maximum length is 21.

      • userId string Required

        Minimum length is 1, maximum length is 21.

      • type string("federated_token_set") Required
      • metadata object Required
        • scope string
        • expiresAt number
        • tokenType string
        • hasRefreshToken boolean Required
      • createdAt number Required
      • updatedAt number Required
      • ssoConnectorId string Required
      • issuer string Required
      • identityId string Required
  • 400

    Bad Request

  • 401

    Unauthorized

  • 403

    Forbidden

  • 404

    User enterprise SSO identity not found.

GET /api/users/{userId}/sso-identities/{ssoConnectorId}
curl \
 --request GET 'https://[tenant_id].logto.app/api/users/{userId}/sso-identities/{ssoConnectorId}' \
 --header "Authorization: Bearer $ACCESS_TOKEN"
Response examples (200)
{
  "ssoIdentity": {
    "tenantId": "string",
    "id": "string",
    "userId": "string",
    "issuer": "string",
    "identityId": "string",
    "detail": {},
    "createdAt": 42.0,
    "updatedAt": 42.0,
    "ssoConnectorId": "string"
  },
  "tokenSecret": {
    "tenantId": "string",
    "id": "string",
    "userId": "string",
    "type": "string",
    "metadata": {
      "scope": "string",
      "expiresAt": 42.0,
      "tokenType": "string",
      "hasRefreshToken": true
    },
    "createdAt": 42.0,
    "updatedAt": 42.0,
    "ssoConnectorId": "string",
    "issuer": "string",
    "identityId": "string"
  }
}
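
Added example (not part of the Logto documentation): a client-side check of a parsed 200 body that confirms the tokenSecret record matches the ssoIdentity it is returned with, contains only the documented desensitized fields, and has not passed metadata.expiresAt. The function name, the finding codes and the sample values are assumptions made for illustration; the unit of expiresAt is not stated on this page, so the caller passes `now` in the same unit.

```python
import json

# Fields the page documents on both ssoIdentity and tokenSecret.
LINK_FIELDS = ("tenantId", "userId", "ssoConnectorId", "issuer", "identityId")
SECRET_KEYS = set(LINK_FIELDS) | {"id", "type", "metadata", "createdAt", "updatedAt"}
METADATA_KEYS = {"scope", "expiresAt", "tokenType", "hasRefreshToken"}


def audit_response(body, now):
    """Return finding codes for one parsed 200 body (hypothetical helper).

    `now` must use the same unit as metadata.expiresAt; the page does not
    state that unit, so the caller supplies it (assumption).
    """
    identity, secret = body["ssoIdentity"], body.get("tokenSecret")
    if secret is None:
        # Not requested, or token storage is not enabled for the connector.
        return ["no-token-secret"]
    findings = []
    if secret.get("type") != "federated_token_set":
        findings.append("unexpected-type")
    # The secret record should describe the same identity it is returned with.
    findings += [f"mismatch:{f}" for f in LINK_FIELDS if secret.get(f) != identity.get(f)]
    meta = secret.get("metadata", {})
    # A desensitized record carries metadata only; undocumented keys deserve a look.
    extra = (set(secret) - SECRET_KEYS) | (set(meta) - METADATA_KEYS)
    findings += [f"undocumented-field:{k}" for k in sorted(extra)]
    expires = meta.get("expiresAt")
    if expires is not None and expires <= now:
        findings.append("expired-refreshable" if meta.get("hasRefreshToken") else "expired")
    return findings


# Constructed sample body (not captured from a real tenant).
SAMPLE = json.loads("""
{"ssoIdentity": {"tenantId": "t1", "id": "id1", "userId": "u1", "issuer": "https://idp.example",
                 "identityId": "ext-1", "detail": {}, "createdAt": 1, "updatedAt": 1,
                 "ssoConnectorId": "c1"},
 "tokenSecret": {"tenantId": "t1", "id": "s1", "userId": "u1", "type": "federated_token_set",
                 "metadata": {"scope": "openid", "expiresAt": 1000, "tokenType": "Bearer",
                              "hasRefreshToken": true},
                 "createdAt": 1, "updatedAt": 1, "ssoConnectorId": "c1",
                 "issuer": "https://idp.example", "identityId": "ext-1"}}
""")

if __name__ == "__main__":
    print(audit_response(SAMPLE, now=500))   # before expiresAt
    print(audit_response(SAMPLE, now=2000))  # past expiresAt
```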