Password Store API references
The OneWelcome Identity Platform provides the Password Store service, which manages the full password lifecycle: creation, verification, change, reset, deletion, and import or migration of existing credentials. It supports multi-tenancy with complete data isolation between tenants, hashes passwords with Argon2id, and rehashes stored credentials automatically when they were imported in another format or with weaker parameters.
Password Store APIs
The Password Store service includes the following APIs:
- Authentication API: Provides endpoints for the following tasks:
  - Password verification: Verify a user's password against the stored credential and track failed attempts.
  - Password change: Allow a user to change their password by providing the old and new passwords.
- Password Management API: Provides endpoints for the following tasks:
  - Create password: Create a new password for an identity, optionally selecting the policy it must satisfy.
  - Get password details: Retrieve password metadata (timestamps, lock status, policy) without exposing the password value or its hash.
  - Reset password: An administrative operation that sets a new password without requiring the old one.
  - Delete password: Permanently remove the password of an identity.
- Password Import API: Provides an endpoint for the following task:
  - Import pre-hashed passwords: Migrate existing users by importing their password hashes in various formats (SHA-256/512, Argon2id, PBKDF2, bcrypt) without forcing a password reset.
- Policy Management API: Provides endpoints for the following tasks:
  - Create, update, and delete policies: Define password requirements such as length, character composition, expiration, and lockout behavior.
  - Retrieve policies: List all policies, get a specific policy, or retrieve the default and root policies.
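The interaction between the Import API, the Authentication API and the automatic rehashing mentioned above is easiest to see in code. The following is an added illustration written for this page, not OneWelcome code and not a client for the Password Store endpoints (the page gives no endpoint paths, so none are assumed). It models a stored credential record, imports a legacy SHA-256 hash as-is, verifies a password against it, tracks failed attempts up to a lockout threshold, and upgrades the hash to the current scheme the first time the correct password is seen. Argon2id is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it as the "current" scheme; the legacy convention sha256(salt || password), the iteration count, the lockout threshold of five and every function and field name are assumptions of this example.

```python
"""Verify-and-rehash flow for a password store (illustrative only).

The real service uses Argon2id; PBKDF2-HMAC-SHA256 is used here only because
it ships with the Python standard library. All names are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

CURRENT_ALG = "pbkdf2_sha256"
CURRENT_ITERATIONS = 100_000   # kept modest so the example runs quickly
MAX_FAILED_ATTEMPTS = 5        # lockout threshold, as a policy would define it


@dataclass
class PasswordRecord:
    alg: str                   # "sha256" (legacy import) or CURRENT_ALG
    salt: bytes
    digest: bytes
    params: dict = field(default_factory=dict)
    failed_attempts: int = 0
    locked: bool = False


def hash_current(password: str) -> PasswordRecord:
    """Create a record in the current scheme with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CURRENT_ITERATIONS)
    return PasswordRecord(CURRENT_ALG, salt, digest, {"iterations": CURRENT_ITERATIONS})


def import_prehashed(alg: str, salt: bytes, digest: bytes, params=None) -> PasswordRecord:
    """Store a hash produced by another system as-is; the user keeps their password."""
    params = dict(params or {})
    if alg == CURRENT_ALG and "iterations" not in params:
        raise ValueError("pbkdf2 import requires the iteration count")
    if alg not in ("sha256", CURRENT_ALG):
        raise ValueError(f"unsupported algorithm: {alg}")
    return PasswordRecord(alg, salt, digest, params)


def _compute(record: PasswordRecord, password: str) -> bytes:
    # Assumed legacy convention: sha256(salt || password).
    if record.alg == "sha256":
        return hashlib.sha256(record.salt + password.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), record.salt,
                               record.params["iterations"])


def needs_rehash(record: PasswordRecord) -> bool:
    """True when the stored hash is a legacy format or uses weaker parameters."""
    if record.alg != CURRENT_ALG:
        return True
    return record.params.get("iterations", 0) < CURRENT_ITERATIONS


def verify(record: PasswordRecord, password: str) -> bool:
    """Check the password, count failures, lock at the threshold, rehash on success."""
    if record.locked:
        return False
    if not hmac.compare_digest(_compute(record, password), record.digest):
        record.failed_attempts += 1
        if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
            record.locked = True
        return False
    record.failed_attempts = 0
    if needs_rehash(record):
        # The plaintext is only available during a successful verification,
        # which is the one moment a stored hash can be upgraded in place.
        fresh = hash_current(password)
        record.alg, record.salt, record.digest, record.params = (
            fresh.alg, fresh.salt, fresh.digest, fresh.params)
    return True


def details(record: PasswordRecord) -> dict:
    """Metadata only, in the spirit of 'get password details': no salt, no digest."""
    return {"alg": record.alg, "params": dict(record.params),
            "failed_attempts": record.failed_attempts, "locked": record.locked}


def demo() -> dict:
    # Constructed sample: a user migrated from a system that stored sha256(salt || pw).
    salt = b"legacy-salt-0001"
    legacy_digest = hashlib.sha256(salt + b"correct horse").digest()
    rec = import_prehashed("sha256", salt, legacy_digest)
    before = details(rec)
    ok = verify(rec, "correct horse")      # succeeds and upgrades the hash
    return {"verified": ok, "before": before, "after": details(rec)}


if __name__ == "__main__":
    print(demo())
```

Two points carry over to any real deployment: the comparison uses a constant-time equality check, and the lock is checked before the hash is computed, so a locked identity cannot be used to burn CPU on expensive hashes or to keep probing candidates.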
Authentication
All Password Store API endpoints require OAuth2 Bearer tokens. The password-store-admin scope is required for administrative operations.
| Scope | Description |
|---|---|
| password-store-admin | Provides full administrative access to all Password Store APIs. |