API overview for external developers¶
DotID exposes partner APIs for developers who build applications on the FlexGalaxy.AI APaaS. These APIs use common product names so integrators do not need to know internal service code names.
Where APIs Are Published¶
External developer APIs are exported through the API gateway.
Environment |
Base URL |
|---|---|
Local simulation |
|
Production |
|
Local development may also use direct service ports while debugging, but examples and published API docs should use the gateway-facing names.
API Families¶
API family |
Purpose |
|---|---|
|
Identity-related APIs for users, groups, permission sets, and assignments that are safe to expose to registered applications. |
|
Application-scoped login, launch, session, and scope checks for PassPort-registered applications. |
|
Account-level discovery and account-scoped application installation workflows. |
|
Organization-level discovery and organization-scoped installation workflows. |
|
Discover services, capabilities, application registrations, and installable integrations. |
|
Register developer-facing capabilities and application scopes. |
|
Read quota information and submit quota adjustment requests where the caller is allowed. |
|
Read audit events available to the caller’s account or organization context. |
Internal service code names are not part of the external contract.
Authentication¶
Most APIs require a bearer token issued by DotID. A developer application should:
Register the application and allowed scopes.
Send users through the approved DotID sign-in flow.
Call APIs with the returned access token.
Validate token expiry and refresh behavior according to the integration type.
Do not call Keycloak Admin APIs from a partner application. Keycloak is the identity provider behind DotID, not the public management API.
Resource naming¶
Names of resources that double as stable identifiers — Identity Center groups and permission sets, IAM users (service users), groups, roles, managed and inline policies, SCPs, resource policies, and workload identities — must match the AWS IAM / Identity Center name charset ^[\w+=,.@-]+$: letters, digits, and + = , . @ _ - only (no spaces or other whitespace, and no other punctuation). These names are referenced by value (FRN segments, group↔permission-set pairing, customer-managed-policy name resolution), so anything outside the charset is rejected with a 400 at create/update time. Use - or _ for word breaks (e.g. store-manager, not Store Manager). Free-text description fields and human display names (organization and account names, user first/last names) are unaffected.
What Is Not Exported¶
The following surfaces are internal and are not partner APIs:
Platform admin-console APIs used by internal admin apps.
Console-only APIs used by first-party web apps.
Internal service-to-service endpoints.
Raw Keycloak Admin REST endpoints.
Terraform, deployment, seed, or operator endpoints.
If your integration needs a capability that appears to live behind one of those surfaces, request a partner API instead of depending on the internal route.
Documentation Format¶
External API references are published as Stoplight Elements pages. They are read-only by design so external developers can browse schemas, status codes, and examples without sending live requests from the documentation site.
See OpenAPI reference for the published specifications and External developer API example for a working integration walkthrough.