REST Resource: projects.tenants

{
  "name": string,
  "displayName": string,
  "allowPasswordSignup": boolean,
  "enableEmailLinkSignin": boolean,
  "disableAuth": boolean,
  "hashConfig": {
    object (HashConfig)
  },
  "enableAnonymousUser": boolean,
  "mfaConfig": {
    object (MultiFactorAuthConfig)
  },
  "testPhoneNumbers": {
    string: string,
    ...
  },
  "inheritance": {
    object (Inheritance)
  },
  "recaptchaConfig": {
    object (RecaptchaConfig)
  },
  "smsRegionConfig": {
    object (SmsRegionConfig)
  },
  "autodeleteAnonymousUsers": boolean,
  "monitoring": {
    object (MonitoringConfig)
  },
  "passwordPolicyConfig": {
    object (PasswordPolicyConfig)
  },
  "emailPrivacyConfig": {
    object (EmailPrivacyConfig)
  },
  "client": {
    object (ClientPermissionConfig)
  }
}

string

Output only. Resource name of a tenant. For example: "projects/{project-id}/tenants/{tenant-id}"

string

Display name of the tenant.

boolean

Whether to allow email/password user authentication.

boolean

Whether to enable email link user authentication.

boolean

Whether authentication is disabled for the tenant. If true, the users under the disabled tenant are not allowed to sign-in. Admins of the disabled tenant are not able to manage its users.

object (HashConfig)

Output only. Hash config information of a tenant for display on Pantheon. This can only be displayed on Pantheon to avoid the sensitive information to get accidentally leaked. Only returned in tenants.get response to restrict reading of this information. Requires firebaseauth.configs.getHashConfig permission on the agent project for returning this field.

boolean

Whether to enable anonymous user authentication.

object (MultiFactorAuthConfig)

The tenant-level configuration of MFA options.

map (key: string, value: string)

A map of <test phone number, fake code> pairs that can be used for MFA. The phone number should be in E.164 format (https://www.itu.int/rec/T-REC-E.164/) and a maximum of 10 pairs can be added (error will be thrown once exceeded).

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

object (Inheritance)

Specify the settings that the tenant could inherit.

object (RecaptchaConfig)

The tenant-level reCAPTCHA config.

object (SmsRegionConfig)

Configures which regions are enabled for SMS verification code sending.

boolean

Whether anonymous users will be auto-deleted after a period of 30 days.

object (MonitoringConfig)

Configuration related to monitoring project activity.

object (PasswordPolicyConfig)

The tenant-level password policy config

object (EmailPrivacyConfig)

Configuration for settings related to email privacy and public visibility.

object (ClientPermissionConfig)

Options related to how clients making requests on behalf of a project should be configured.

{
  "algorithm": enum (HashAlgorithm),
  "signerKey": string,
  "saltSeparator": string,
  "rounds": integer,
  "memoryCost": integer
}

enum (HashAlgorithm)

Output only. Different password hash algorithms used in Identity Toolkit.

string

Output only. Signer key in base64.

string

Output only. Non-printable character to be inserted between the salt and plain text password in base64.

integer

Output only. How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms.

integer

Output only. Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field.

{
  "state": enum (State),
  "enabledProviders": [
    enum (Provider)
  ],
  "providerConfigs": [
    {
      object (ProviderConfig)
    }
  ]
}

enum (State)

Whether MultiFactor Authentication has been enabled for this project.

enum (Provider)

A list of usable second factors for this project.

object (ProviderConfig)

A list of usable second factors for this project along with their configurations. This field does not support phone based MFA, for that use the 'enabledProviders' field.

{
  "state": enum (MfaState),

  // Union field mfa_provider_config can be only one of the following:
  "totpProviderConfig": {
    object (TotpMfaProviderConfig)
  }
  // End of list of possible types for union field mfa_provider_config.
}

enum (MfaState)

Describes the state of the MultiFactor Authentication type.

object (TotpMfaProviderConfig)

TOTP MFA provider config for this project.

{
  "adjacentIntervals": integer
}

integer

The allowed number of adjacent intervals that will be used for verification to avoid clock skew.

{
  "emailSendingConfig": boolean
}

boolean

Whether to allow the tenant to inherit custom domains, email templates, and custom SMTP settings. If true, email sent from tenant will follow the project level email sending configurations. If false (by default), emails will go with the default settings with no customizations.

{
  "managedRules": [
    {
      object (RecaptchaManagedRule)
    }
  ],
  "recaptchaKeys": [
    {
      object (RecaptchaKey)
    }
  ],
  "tollFraudManagedRules": [
    {
      object (RecaptchaTollFraudManagedRule)
    }
  ],
  "emailPasswordEnforcementState": enum (RecaptchaProviderEnforcementState),
  "useAccountDefender": boolean,
  "phoneEnforcementState": enum (RecaptchaProviderEnforcementState),
  "useSmsBotScore": boolean,
  "useSmsTollFraudProtection": boolean
}

object (RecaptchaManagedRule)

The managed rules for authentication action based on reCAPTCHA scores. The rules are shared across providers for a given tenant project.

object (RecaptchaKey)

The reCAPTCHA keys.

object (RecaptchaTollFraudManagedRule)

The managed rules for the authentication action based on reCAPTCHA toll fraud risk scores. Toll fraud managed rules will only take effect when the phoneEnforcementState is AUDIT or ENFORCE and useSmsTollFraudProtection is true.

enum (RecaptchaProviderEnforcementState)

The reCAPTCHA config for email/password provider, containing the enforcement status. The email/password provider contains all email related user flows protected by reCAPTCHA.

boolean

Whether to use the account defender for reCAPTCHA assessment. Defaults to false.

enum (RecaptchaProviderEnforcementState)

The reCAPTCHA config for phone provider, containing the enforcement status. The phone provider contains all SMS related user flows protected by reCAPTCHA.

boolean

Whether to use the rCE bot score for reCAPTCHA phone provider. Can only be true when the phoneEnforcementState is AUDIT or ENFORCE.

boolean

Whether to use the rCE sms toll fraud protection risk score for reCAPTCHA phone provider. Can only be true when the phoneEnforcementState is AUDIT or ENFORCE.

{
  "endScore": number,
  "action": enum (RecaptchaAction)
}

number

The end score (inclusive) of the score range for an action. Must be a value between 0.0 and 1.0, at 11 discrete values; e.g. 0, 0.1, 0.2, 0.3, ... 0.9, 1.0. A score of 0.0 indicates the riskiest request (likely a bot), whereas 1.0 indicates the safest request (likely a human). See https://cloud.google.com/recaptcha-enterprise/docs/interpret-assessment.

enum (RecaptchaAction)

The action taken if the reCAPTCHA score of a request is within the interval [startScore, endScore].

{
  "key": string,
  "type": enum (RecaptchaKeyClientType)
}

string

The reCAPTCHA Enterprise key resource name, e.g. "projects/{project}/keys/{key}"

enum (RecaptchaKeyClientType)

The client's platform type.

{
  "startScore": number,
  "action": enum (RecaptchaAction)
}

number

The start score (inclusive) for an action. Must be a value between 0.0 and 1.0, at 11 discrete values; e.g. 0, 0.1, 0.2, 0.3, ... 0.9, 1.0. A score of 0.0 indicates the safest request (likely legitimate), whereas 1.0 indicates the riskiest request (likely toll fraud). See https://cloud.google.com/recaptcha-enterprise/docs/sms-fraud-detection#create-assessment-sms.

enum (RecaptchaAction)

The action taken if the reCAPTCHA score of a request is within the interval [startScore, endScore].

{

  // Union field sms_region_policy can be only one of the following:
  "allowByDefault": {
    object (AllowByDefault)
  },
  "allowlistOnly": {
    object (AllowlistOnly)
  }
  // End of list of possible types for union field sms_region_policy.
}

object (AllowByDefault)

A policy of allowing SMS to every region by default and adding disallowed regions to a disallow list.

object (AllowlistOnly)

A policy of only allowing regions by explicitly adding them to an allowlist.

{
  "disallowedRegions": [
    string
  ]
}

string

Two letter unicode region codes to disallow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json

{
  "allowedRegions": [
    string
  ]
}

string

Two letter unicode region codes to allow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json

{
  "requestLogging": {
    object (RequestLogging)
  }
}

object (RequestLogging)

Configuration for logging requests made to this project to Stackdriver Logging

{
  "enabled": boolean
}

boolean

Whether logging is enabled for this project or not.

{
  "passwordPolicyEnforcementState": enum (PasswordPolicyEnforcementState),
  "passwordPolicyVersions": [
    {
      object (PasswordPolicyVersion)
    }
  ],
  "forceUpgradeOnSignin": boolean,
  "lastUpdateTime": string
}

enum (PasswordPolicyEnforcementState)

Which enforcement mode to use for the password policy.

object (PasswordPolicyVersion)

Must be of length 1. Contains the strength attributes for the password policy.

boolean

Users must have a password compliant with the password policy to sign-in.

string (Timestamp format)

Output only. The last time the password policy on the project was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

{
  "customStrengthOptions": {
    object (CustomStrengthOptions)
  },
  "schemaVersion": integer
}

object (CustomStrengthOptions)

The custom strength options enforced by the password policy.

integer

Output only. schema version number for the password policy

{
  "minPasswordLength": integer,
  "maxPasswordLength": integer,
  "containsLowercaseCharacter": boolean,
  "containsUppercaseCharacter": boolean,
  "containsNumericCharacter": boolean,
  "containsNonAlphanumericCharacter": boolean
}

integer

Minimum password length. Range from 6 to 30

integer

Maximum password length. No default max length

boolean

The password must contain a lower case character.

boolean

The password must contain an upper case character.

boolean

The password must contain a number.

boolean

The password must contain a non alpha numeric character.

{
  "enableImprovedEmailPrivacy": boolean
}

boolean

Migrates the project to a state of improved email privacy. For example certain error codes are more generic to avoid giving away information on whether the account exists. In addition, this disables certain features that as a side-effect allow user enumeration. Enabling this toggle disables the fetchSignInMethodsForEmail functionality and changing the user's email to an unverified email. It is recommended to remove dependence on this functionality and enable this toggle to improve user privacy.

{
  "permissions": {
    object (ClientPermissions)
  }
}

object (ClientPermissions)

Configuration related to restricting a user's ability to affect their account.

{
  "disabledUserSignup": boolean,
  "disabledUserDeletion": boolean
}

boolean

When true, end users cannot sign up for a new account on the associated project through any of our API methods

boolean

When true, end users cannot delete their account on the associated project through any of our API methods