# IAM2 API

The **IAM2 API** provides identity, authentication, and authorization services for the ONEWEB platform.\
It enables secure management of **users**, **roles**, **permissions**, **objects**, and **organizations**, and allows compliant applications to integrate with ONEWEB as an **Identity Provider (IdP)**.

IAM2 supports **OAuth2‑based authorization** as well as **REST‑based identity and access management operations**, enabling secure system‑to‑system and application‑to‑platform communication.

***

### OAuth 2.0 APIs

IAM2 exposes OAuth 2.0 endpoints to support standardized authentication and authorization flows.\
These endpoints are typically used for acquiring and validating access tokens.

#### API Endpoints

| Endpoint                | Description                                 | Method    |
| ----------------------- | ------------------------------------------- | --------- |
| `/oauth/authorize`      | Request authorization code or token         | GET, POST |
| `/oauth/token`          | Request access token                        | GET, POST |
| `/oauth/check_token`    | Validate and check token expiration         | GET       |
| `/oauth/confirm_access` | Confirm API authentication code             | GET       |
| `/oauth/token_key`      | Retrieve public key for token verification  | GET       |
| `/oauth/logout`         | Logout from IAM2                            | POST      |
| `/oauth/logout/idp`     | Logout from external IdP (Google, Facebook) | POST      |
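As an added example (not code from the IAM2 docs or the ONEWEB project), a small Python client for the `/oauth/token` and `/oauth/check_token` endpoints in the table above, with a fail-closed interpretation of the check result. The `client_credentials` grant, the `token` query parameter and the `active`/`exp`/`scope` fields of the check_token response are assumptions drawn from OAuth 2.0 conventions, not from this page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def token_request(base_url, client_id, client_secret, scope=None):
    """POST /oauth/token with the client_credentials grant (grant type assumed).
    Client credentials travel in an HTTP Basic header, never in the URL."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth/token",
        data=urllib.parse.urlencode(body).encode(),
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST")


def check_token_request(base_url, access_token):
    """GET /oauth/check_token; the 'token' query parameter name is assumed."""
    query = urllib.parse.urlencode({"token": access_token})
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/oauth/check_token?{query}", method="GET")


def token_is_valid(status, body, required_scope=None, now=None):
    """Interpret a check_token response, failing closed on anything unexpected.
    Assumed JSON: 'active' (bool), 'exp' (unix seconds), 'scope' (list or
    space-separated string). Non-200 status or malformed JSON -> False."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if not isinstance(data, dict) or data.get("active") is not True:
        return False
    if "exp" in data and data["exp"] <= (time.time() if now is None else now):
        return False
    scopes = data.get("scope", [])
    if isinstance(scopes, str):
        scopes = scopes.split()
    return required_scope is None or required_scope in scopes
```

Send the returned `Request` objects with `urllib.request.urlopen` against your IAM2 base URL and pass the status and body of the check_token reply to `token_is_valid` before trusting the token.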

***

### IAM API – Version 1 (Legacy)

IAM API v1 uses **IAMToken‑based authentication** and is maintained for backward compatibility.\
This version is still supported but is **not recommended for new integrations**.

#### Authentication & Session

| Endpoint                                      | Description                         | Method |
| --------------------------------------------- | ----------------------------------- | ------ |
| `/v1/login`                                   | Login to IAM2 system                | POST   |
| `/v1/logout/{accessToken}`                    | Log out of IAM2                     | GET    |
| `/v1/removesession/{session_id}`              | Remove session and invalidate token | GET    |
| `/v1/logoutSSO/{username}/{sessionId}`        | Logout SSO session                  | GET    |
| `/v1/checksession/{auth_session_id}`          | Check session validity              | GET    |
| `/v1/checksessionByAccessToken/{accessToken}` | Validate session by access token    | GET    |

***

#### User & Permission Lookup

| Endpoint                                | Description                    | Method |
| --------------------------------------- | ------------------------------ | ------ |
| `/v1/userinfo/{accessToken}`            | Get user info by token         | GET    |
| `/v1/userinfo/{accessToken}/{username}` | Get specific user info         | GET    |
| `/v1/perms/{accessToken}`               | Get user permissions           | GET    |
| `/v1/perms/{accessToken}/{objectpath}`  | Get specific object permission | GET    |

***

#### Object & Access Control

| Endpoint                                     | Description             | Method      |
| -------------------------------------------- | ----------------------- | ----------- |
| `/v1/objects`                                | Create / Get objects    | POST, GET   |
| `/v1/objects/{object_id}`                    | Update / Delete object  | PUT, DELETE |
| `/v1/objects/{object_id}/access`             | Get / Add object access | GET, PUT    |
| `/v1/objects/{object_id}/access/{access_id}` | Delete object access    | DELETE      |

***

#### Organization & Role Management

| Endpoint              | Description                | Method             |
| --------------------- | -------------------------- | ------------------ |
| `/v1/orgs`            | Create / Get organizations | POST, GET          |
| `/v1/orgs/{org_id}`   | Update organization        | PATCH, PUT         |
| `/v1/orgs/{org_ids}`  | Delete organizations       | DELETE             |
| `/v1/roles`           | Create / Get roles         | GET, POST          |
| `/v1/roles/{role_id}` | Update / Delete role       | PATCH, PUT, DELETE |

***

### IAM API – Version 2 (OAuth‑Based)

IAM API v2 is the **recommended version** and is fully integrated with **OAuth 2.0**.\
It provides a richer and more consistent REST API for identity and access management.

***

#### User Management

| Endpoint                               | Description                 | Method          |
| -------------------------------------- | --------------------------- | --------------- |
| `/v2/users`                            | Create / Get users          | GET, POST       |
| `/v2/users/{user_id}`                  | Get / Update user           | GET, PUT, PATCH |
| `/v2/users/{user_id}/roles`            | Add roles to user           | PUT             |
| `/v2/users/{user_id}/roles/{role_ids}` | Remove roles from user      | DELETE          |
| `/v2/users/delete/{user_id}`           | Delete user                 | DELETE          |
| `/v2/userinfo`                         | Get authenticated user info | GET             |
| `/v2/userinfo/{user_id}`               | Get specific user info      | GET             |

***

#### Permission & Role Management

| Endpoint                          | Description                   | Method             |
| --------------------------------- | ----------------------------- | ------------------ |
| `/v2/permissions`                 | Create / Get permissions      | GET, POST, PUT     |
| `/v2/permissions/{permission_id}` | Get / Delete permission       | GET, DELETE        |
| `/v2/roles`                       | Create / Get roles            | GET, POST          |
| `/v2/roles/{role_id}`             | Update / Delete role          | PATCH, PUT, DELETE |
| `/v2/roles/{role_id}/permissions` | Add / Get permissions in role | GET, PUT           |

***

#### Object & Access Management

| Endpoint                         | Description               | Method      |
| -------------------------------- | ------------------------- | ----------- |
| `/v2/objects`                    | Create / Get objects      | POST, GET   |
| `/v2/objects/{object_id}`        | Update / Delete object    | PUT, DELETE |
| `/v2/objects/{object_id}/access` | Get / Add object access   | GET, PUT    |
| `/v2/objectsAndAccess`           | Create object with access | POST        |

***

#### Organization & System APIs

| Endpoint                         | Description                | Method          |
| -------------------------------- | -------------------------- | --------------- |
| `/v2/orgs`                       | Create / Get organizations | POST, GET       |
| `/v2/systems`                    | Create / Get systems       | GET, POST       |
| `/v2/systems/{system_id}`        | Get / Update system        | GET, PUT, PATCH |
| `/v2/systems/{system_id}/admins` | Manage system admins       | GET, PUT        |

***

#### Session & Logout

| Endpoint                | Description                     | Method |
| ----------------------- | ------------------------------- | ------ |
| `/v2/logout`            | Log out of IAM2                 | GET    |
| `/facebook_user_status` | Confirm remove Facebook account | GET    |

***

### Summary

The **IAM2 API** is the foundation of security and identity management in ONEWEB.

Key capabilities include:

* OAuth 2.0–based authentication
* Comprehensive user, role, and permission management
* Object‑level access control
* Organization and system administration
* Support for both legacy (v1) and modern (v2) APIs

For new integrations, **IAM API v2 with OAuth 2.0** is strongly recommended.
