akeyless 5.0.22 → 5.0.24

data/lib/akeyless/models/auth_method_update_universal_identity.rb

@@ -28,6 +28,9 @@ module Akeyless
     # A CIDR whitelist with the IPs that the access is restricted to
     attr_accessor :bound_ips
 
+    # Maximum child token ttl allowed in uid-create-child-token
+    attr_accessor :child_ttl_limit
+
     # Protection from accidental deletion of this object [true/false]
     attr_accessor :delete_protection
 
@@ -67,6 +70,9 @@ module Akeyless
     # Authentication token (see `/auth` and `/configure`)
     attr_accessor :token
 
+    # Maximum UID tree depth allowed (child of child of ...)
+    attr_accessor :tree_length
+
     # Token ttl
     attr_accessor :ttl
 
@@ -80,6 +86,7 @@ module Akeyless
         :'allowed_client_type' => :'allowed-client-type',
         :'audit_logs_claims' => :'audit-logs-claims',
         :'bound_ips' => :'bound-ips',
+        :'child_ttl_limit' => :'child-ttl-limit',
         :'delete_protection' => :'delete_protection',
         :'deny_inheritance' => :'deny-inheritance',
         :'deny_rotate' => :'deny-rotate',
@@ -93,6 +100,7 @@ module Akeyless
         :'new_name' => :'new-name',
         :'product_type' => :'product-type',
         :'token' => :'token',
+        :'tree_length' => :'tree-length',
         :'ttl' => :'ttl',
         :'uid_token' => :'uid-token'
       }
@@ -110,6 +118,7 @@ module Akeyless
         :'allowed_client_type' => :'Array<String>',
         :'audit_logs_claims' => :'Array<String>',
         :'bound_ips' => :'Array<String>',
+        :'child_ttl_limit' => :'Integer',
         :'delete_protection' => :'String',
         :'deny_inheritance' => :'Boolean',
         :'deny_rotate' => :'Boolean',
@@ -123,6 +132,7 @@ module Akeyless
         :'new_name' => :'String',
         :'product_type' => :'Array<String>',
         :'token' => :'String',
+        :'tree_length' => :'Integer',
         :'ttl' => :'Integer',
         :'uid_token' => :'String'
       }
@@ -173,6 +183,12 @@ module Akeyless
         end
       end
 
+      if attributes.key?(:'child_ttl_limit')
+        self.child_ttl_limit = attributes[:'child_ttl_limit']
+      else
+        self.child_ttl_limit = 43200
+      end
+
       if attributes.key?(:'delete_protection')
         self.delete_protection = attributes[:'delete_protection']
       end
@@ -237,6 +253,12 @@ module Akeyless
         self.token = attributes[:'token']
       end
 
+      if attributes.key?(:'tree_length')
+        self.tree_length = attributes[:'tree_length']
+      else
+        self.tree_length = 200
+      end
+
       if attributes.key?(:'ttl')
         self.ttl = attributes[:'ttl']
       else
@@ -277,6 +299,7 @@ module Akeyless
           allowed_client_type == o.allowed_client_type &&
           audit_logs_claims == o.audit_logs_claims &&
           bound_ips == o.bound_ips &&
+          child_ttl_limit == o.child_ttl_limit &&
           delete_protection == o.delete_protection &&
           deny_inheritance == o.deny_inheritance &&
           deny_rotate == o.deny_rotate &&
@@ -290,6 +313,7 @@ module Akeyless
           new_name == o.new_name &&
           product_type == o.product_type &&
           token == o.token &&
+          tree_length == o.tree_length &&
           ttl == o.ttl &&
           uid_token == o.uid_token
     end
@@ -303,7 +327,7 @@ module Akeyless
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [access_expires, allowed_client_type, audit_logs_claims, bound_ips, delete_protection, deny_inheritance, deny_rotate, description, expiration_event_in, force_sub_claims, gw_bound_ips, json, jwt_ttl, name, new_name, product_type, token, ttl, uid_token].hash
+      [access_expires, allowed_client_type, audit_logs_claims, bound_ips, child_ttl_limit, delete_protection, deny_inheritance, deny_rotate, description, expiration_event_in, force_sub_claims, gw_bound_ips, json, jwt_ttl, name, new_name, product_type, token, tree_length, ttl, uid_token].hash
     end
 
     # Builds the object from hash

data/lib/akeyless/models/aws_storage.rb

@@ -24,6 +24,8 @@ module Akeyless
 
     attr_accessor :bucket
 
+    attr_accessor :endpoint_url
+
     attr_accessor :prefix
 
     attr_accessor :region
@@ -35,6 +37,7 @@ module Akeyless
         :'access_key_secret' => :'access_key_secret',
         :'auth_type' => :'auth_type',
         :'bucket' => :'bucket',
+        :'endpoint_url' => :'endpoint_url',
         :'prefix' => :'prefix',
         :'region' => :'region'
       }
@@ -52,6 +55,7 @@ module Akeyless
         :'access_key_secret' => :'String',
         :'auth_type' => :'String',
         :'bucket' => :'String',
+        :'endpoint_url' => :'String',
         :'prefix' => :'String',
         :'region' => :'String'
       }
@@ -94,6 +98,10 @@ module Akeyless
         self.bucket = attributes[:'bucket']
       end
 
+      if attributes.key?(:'endpoint_url')
+        self.endpoint_url = attributes[:'endpoint_url']
+      end
+
       if attributes.key?(:'prefix')
         self.prefix = attributes[:'prefix']
       end
@@ -127,6 +135,7 @@ module Akeyless
           access_key_secret == o.access_key_secret &&
           auth_type == o.auth_type &&
           bucket == o.bucket &&
+          endpoint_url == o.endpoint_url &&
           prefix == o.prefix &&
           region == o.region
     end
@@ -140,7 +149,7 @@ module Akeyless
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [access_key_id, access_key_secret, auth_type, bucket, prefix, region].hash
+      [access_key_id, access_key_secret, auth_type, bucket, endpoint_url, prefix, region].hash
     end
 
     # Builds the object from hash

data/lib/akeyless/models/create_auth_method_universal_identity.rb

@@ -28,6 +28,9 @@ module Akeyless
     # A CIDR whitelist with the IPs that the access is restricted to
     attr_accessor :bound_ips
 
+    # Maximum child token ttl allowed in uid-create-child-token
+    attr_accessor :child_ttl_limit
+
     # Protection from accidental deletion of this object [true/false]
     attr_accessor :delete_protection
 
@@ -64,6 +67,9 @@ module Akeyless
     # Authentication token (see `/auth` and `/configure`)
     attr_accessor :token
 
+    # Maximum UID tree depth allowed (child of child of ...)
+    attr_accessor :tree_length
+
     # Token ttl
     attr_accessor :ttl
 
@@ -77,6 +83,7 @@ module Akeyless
         :'allowed_client_type' => :'allowed-client-type',
         :'audit_logs_claims' => :'audit-logs-claims',
         :'bound_ips' => :'bound-ips',
+        :'child_ttl_limit' => :'child-ttl-limit',
         :'delete_protection' => :'delete_protection',
         :'deny_inheritance' => :'deny-inheritance',
         :'deny_rotate' => :'deny-rotate',
@@ -89,6 +96,7 @@ module Akeyless
         :'name' => :'name',
         :'product_type' => :'product-type',
         :'token' => :'token',
+        :'tree_length' => :'tree-length',
         :'ttl' => :'ttl',
         :'uid_token' => :'uid-token'
       }
@@ -106,6 +114,7 @@ module Akeyless
         :'allowed_client_type' => :'Array<String>',
         :'audit_logs_claims' => :'Array<String>',
         :'bound_ips' => :'Array<String>',
+        :'child_ttl_limit' => :'Integer',
         :'delete_protection' => :'String',
         :'deny_inheritance' => :'Boolean',
         :'deny_rotate' => :'Boolean',
@@ -118,6 +127,7 @@ module Akeyless
         :'name' => :'String',
         :'product_type' => :'Array<String>',
         :'token' => :'String',
+        :'tree_length' => :'Integer',
         :'ttl' => :'Integer',
         :'uid_token' => :'String'
       }
@@ -168,6 +178,12 @@ module Akeyless
         end
       end
 
+      if attributes.key?(:'child_ttl_limit')
+        self.child_ttl_limit = attributes[:'child_ttl_limit']
+      else
+        self.child_ttl_limit = 43200
+      end
+
       if attributes.key?(:'delete_protection')
         self.delete_protection = attributes[:'delete_protection']
       end
@@ -228,6 +244,12 @@ module Akeyless
         self.token = attributes[:'token']
       end
 
+      if attributes.key?(:'tree_length')
+        self.tree_length = attributes[:'tree_length']
+      else
+        self.tree_length = 200
+      end
+
       if attributes.key?(:'ttl')
         self.ttl = attributes[:'ttl']
       else
@@ -268,6 +290,7 @@ module Akeyless
           allowed_client_type == o.allowed_client_type &&
           audit_logs_claims == o.audit_logs_claims &&
           bound_ips == o.bound_ips &&
+          child_ttl_limit == o.child_ttl_limit &&
           delete_protection == o.delete_protection &&
           deny_inheritance == o.deny_inheritance &&
           deny_rotate == o.deny_rotate &&
@@ -280,6 +303,7 @@ module Akeyless
           name == o.name &&
           product_type == o.product_type &&
           token == o.token &&
+          tree_length == o.tree_length &&
           ttl == o.ttl &&
           uid_token == o.uid_token
     end
@@ -293,7 +317,7 @@ module Akeyless
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [access_expires, allowed_client_type, audit_logs_claims, bound_ips, delete_protection, deny_inheritance, deny_rotate, description, expiration_event_in, force_sub_claims, gw_bound_ips, json, jwt_ttl, name, product_type, token, ttl, uid_token].hash
+      [access_expires, allowed_client_type, audit_logs_claims, bound_ips, child_ttl_limit, delete_protection, deny_inheritance, deny_rotate, description, expiration_event_in, force_sub_claims, gw_bound_ips, json, jwt_ttl, name, product_type, token, tree_length, ttl, uid_token].hash
     end
 
     # Builds the object from hash

data/lib/akeyless/models/create_role.rb

@@ -18,6 +18,9 @@ module Akeyless
     # Allow this role to view analytics. Currently only 'none', 'own', 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods.
     attr_accessor :analytics_access
 
+    # Allow this role to view Agentic Runtime Authority Dashboard. Currently only 'none', 'scoped', 'all' values are supported.
+    attr_accessor :ara_reports_access
+
     # Allow this role to view audit logs. Currently only 'none', 'own', 'scoped' and 'all' values are supported, allowing associated auth methods to view audit logs produced by the same auth methods.
     attr_accessor :audit_access
 
@@ -67,6 +70,7 @@ module Akeyless
     def self.attribute_map
       {
         :'analytics_access' => :'analytics-access',
+        :'ara_reports_access' => :'ara-reports-access',
         :'audit_access' => :'audit-access',
         :'comment' => :'comment',
         :'delete_protection' => :'delete_protection',
@@ -94,6 +98,7 @@ module Akeyless
     def self.openapi_types
       {
         :'analytics_access' => :'String',
+        :'ara_reports_access' => :'String',
         :'audit_access' => :'String',
         :'comment' => :'String',
         :'delete_protection' => :'String',
@@ -137,6 +142,10 @@ module Akeyless
         self.analytics_access = attributes[:'analytics_access']
       end
 
+      if attributes.key?(:'ara_reports_access')
+        self.ara_reports_access = attributes[:'ara_reports_access']
+      end
+
       if attributes.key?(:'audit_access')
         self.audit_access = attributes[:'audit_access']
       end
@@ -230,6 +239,7 @@ module Akeyless
       return true if self.equal?(o)
       self.class == o.class &&
           analytics_access == o.analytics_access &&
+          ara_reports_access == o.ara_reports_access &&
           audit_access == o.audit_access &&
           comment == o.comment &&
           delete_protection == o.delete_protection &&
@@ -256,7 +266,7 @@ module Akeyless
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [analytics_access, audit_access, comment, delete_protection, description, event_center_access, event_forwarders_access, event_forwarders_name, gw_analytics_access, json, name, reverse_rbac_access, sra_reports_access, token, uid_token, usage_reports_access].hash
+      [analytics_access, ara_reports_access, audit_access, comment, delete_protection, description, event_center_access, event_forwarders_access, event_forwarders_name, gw_analytics_access, json, name, reverse_rbac_access, sra_reports_access, token, uid_token, usage_reports_access].hash
     end
 
     # Builds the object from hash

data/lib/akeyless/models/create_rotated_secret.rb

@@ -66,6 +66,9 @@ module Akeyless
     # The name of a key that used to encrypt the secret value (if empty, the account default protectionKey key will be used)
     attr_accessor :key
 
+    # Lock this secret for read/update while an SRA session is active
+    attr_accessor :lock_during_sra_session
+
     # Deprecated - use description
     attr_accessor :metadata
 
@@ -75,7 +78,7 @@ module Akeyless
     # The length of the password to be generated
     attr_accessor :password_length
 
-    # Rotate the value of the secret after SRA session ends [true/false]
+    # StringOrBool accepts JSON strings, booleans, and numbers for backward compatibility with older SDK versions that send boolean values for rotate-after-disconnect.
     attr_accessor :rotate_after_disconnect
 
     # rotated-username password (relevant only for rotator-type=password)
@@ -199,6 +202,7 @@ module Akeyless
         :'host_provider' => :'host-provider',
         :'json' => :'json',
         :'key' => :'key',
+        :'lock_during_sra_session' => :'lock-during-sra-session',
         :'metadata' => :'metadata',
         :'name' => :'name',
         :'password_length' => :'password-length',
@@ -265,6 +269,7 @@ module Akeyless
         :'host_provider' => :'String',
         :'json' => :'Boolean',
         :'key' => :'String',
+        :'lock_during_sra_session' => :'String',
         :'metadata' => :'String',
         :'name' => :'String',
         :'password_length' => :'String',
@@ -401,6 +406,10 @@ module Akeyless
         self.key = attributes[:'key']
       end
 
+      if attributes.key?(:'lock_during_sra_session')
+        self.lock_during_sra_session = attributes[:'lock_during_sra_session']
+      end
+
       if attributes.key?(:'metadata')
         self.metadata = attributes[:'metadata']
       end
@@ -417,8 +426,6 @@ module Akeyless
 
       if attributes.key?(:'rotate_after_disconnect')
         self.rotate_after_disconnect = attributes[:'rotate_after_disconnect']
-      else
-        self.rotate_after_disconnect = 'false'
       end
 
       if attributes.key?(:'rotated_password')
@@ -630,6 +637,7 @@ module Akeyless
           host_provider == o.host_provider &&
           json == o.json &&
           key == o.key &&
+          lock_during_sra_session == o.lock_during_sra_session &&
           metadata == o.metadata &&
           name == o.name &&
           password_length == o.password_length &&
@@ -679,7 +687,7 @@ module Akeyless
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [provider_type, api_id, api_key, application_id, authentication_credentials, auto_rotate, aws_region, custom_payload, delete_protection, description, gcp_key, gcp_service_account_email, gcp_service_account_key_id, grace_rotation, host_provider, json, key, metadata, name, password_length, rotate_after_disconnect, rotated_password, rotated_username, rotation_hour, rotation_interval, rotator_creds_type, rotator_custom_cmd, rotator_type, same_password, secure_access_allow_external_user, secure_access_aws_account_id, secure_access_aws_native_cli, secure_access_bastion_issuer, secure_access_certificate_issuer, secure_access_db_name, secure_access_db_schema, secure_access_disable_concurrent_connections, secure_access_enable, secure_access_host, secure_access_rdp_domain, secure_access_rdp_user, secure_access_url, secure_access_web, secure_access_web_browsing, secure_access_web_proxy, ssh_password, ssh_username, storage_account_key_name, tags, target, target_name, token, uid_token, user_attribute, user_dn].hash
+      [provider_type, api_id, api_key, application_id, authentication_credentials, auto_rotate, aws_region, custom_payload, delete_protection, description, gcp_key, gcp_service_account_email, gcp_service_account_key_id, grace_rotation, host_provider, json, key, lock_during_sra_session, metadata, name, password_length, rotate_after_disconnect, rotated_password, rotated_username, rotation_hour, rotation_interval, rotator_creds_type, rotator_custom_cmd, rotator_type, same_password, secure_access_allow_external_user, secure_access_aws_account_id, secure_access_aws_native_cli, secure_access_bastion_issuer, secure_access_certificate_issuer, secure_access_db_name, secure_access_db_schema, secure_access_disable_concurrent_connections, secure_access_enable, secure_access_host, secure_access_rdp_domain, secure_access_rdp_user, secure_access_url, secure_access_web, secure_access_web_browsing, secure_access_web_proxy, ssh_password, ssh_username, storage_account_key_name, tags, target, target_name, token, uid_token, user_attribute, user_dn].hash
     end
 
     # Builds the object from hash

data/lib/akeyless/models/create_secret.rb

@@ -42,6 +42,9 @@ module Akeyless
     # Set output format to JSON
     attr_accessor :json
 
+    # Lock this secret for read/update while an SRA session is active
+    attr_accessor :lock_during_sra_session
+
     # Set the maximum number of versions, limited by the account settings defaults.
     attr_accessor :max_versions
 
@@ -122,6 +125,7 @@ module Akeyless
         :'inject_url' => :'inject-url',
         :'item_custom_fields' => :'item-custom-fields',
         :'json' => :'json',
+        :'lock_during_sra_session' => :'lock-during-sra-session',
         :'max_versions' => :'max-versions',
         :'metadata' => :'metadata',
         :'multiline_value' => :'multiline_value',
@@ -165,6 +169,7 @@ module Akeyless
         :'inject_url' => :'Array<String>',
         :'item_custom_fields' => :'Hash<String, String>',
         :'json' => :'Boolean',
+        :'lock_during_sra_session' => :'String',
         :'max_versions' => :'String',
         :'metadata' => :'String',
         :'multiline_value' => :'Boolean',
@@ -260,6 +265,10 @@ module Akeyless
         self.json = false
       end
 
+      if attributes.key?(:'lock_during_sra_session')
+        self.lock_during_sra_session = attributes[:'lock_during_sra_session']
+      end
+
       if attributes.key?(:'max_versions')
         self.max_versions = attributes[:'max_versions']
       end
@@ -406,6 +415,7 @@ module Akeyless
           inject_url == o.inject_url &&
           item_custom_fields == o.item_custom_fields &&
           json == o.json &&
+          lock_during_sra_session == o.lock_during_sra_session &&
           max_versions == o.max_versions &&
           metadata == o.metadata &&
           multiline_value == o.multiline_value &&
@@ -440,7 +450,7 @@ module Akeyless
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [accessibility, change_event, custom_field, delete_protection, description, format, inject_url, item_custom_fields, json, max_versions, metadata, multiline_value, name, password, protection_key, secure_access_bastion_issuer, secure_access_certificate_issuer, secure_access_enable, secure_access_gateway, secure_access_host, secure_access_rdp_user, secure_access_ssh_creds, secure_access_ssh_user, secure_access_url, secure_access_web_browsing, secure_access_web_proxy, tags, token, type, uid_token, username, value].hash
+      [accessibility, change_event, custom_field, delete_protection, description, format, inject_url, item_custom_fields, json, lock_during_sra_session, max_versions, metadata, multiline_value, name, password, protection_key, secure_access_bastion_issuer, secure_access_certificate_issuer, secure_access_enable, secure_access_gateway, secure_access_host, secure_access_rdp_user, secure_access_ssh_creds, secure_access_ssh_user, secure_access_url, secure_access_web_browsing, secure_access_web_proxy, tags, token, type, uid_token, username, value].hash
     end
 
     # Builds the object from hash

data/lib/akeyless/models/create_usc.rb

@@ -49,7 +49,7 @@ module Akeyless
     # Universal Secrets Connector name
     attr_accessor :name
 
-    # The organization name to create the secret in (only relevant for: github-scope=organization)
+    # The organization name to create the secret in
     attr_accessor :organization_name
 
     attr_accessor :repository_access
@@ -72,9 +72,15 @@ module Akeyless
     # Prefix for all secrets created in AWS Secrets Manager
     attr_accessor :usc_prefix
 
+    # Comma-separated list of tags to apply to all secrets created on the remote USC
+    attr_accessor :usc_tags
+
     # Whether to filter the USC secret list using the specified usc-prefix [true/false]
     attr_accessor :use_prefix_as_filter
 
+    # Filter the USC secret list by the value(s) of --usc-tags. [true|false]
+    attr_accessor :use_tags_as_filter
+
     # Attribute mapping from ruby-style variable name to JSON key.
     def self.attribute_map
       {
@@ -97,7 +103,9 @@ module Akeyless
         :'token' => :'token',
         :'uid_token' => :'uid-token',
         :'usc_prefix' => :'usc-prefix',
-        :'use_prefix_as_filter' => :'use-prefix-as-filter'
+        :'usc_tags' => :'usc-tags',
+        :'use_prefix_as_filter' => :'use-prefix-as-filter',
+        :'use_tags_as_filter' => :'use-tags-as-filter'
       }
     end
 
@@ -128,7 +136,9 @@ module Akeyless
         :'token' => :'String',
         :'uid_token' => :'String',
         :'usc_prefix' => :'String',
-        :'use_prefix_as_filter' => :'String'
+        :'usc_tags' => :'String',
+        :'use_prefix_as_filter' => :'String',
+        :'use_tags_as_filter' => :'Boolean'
       }
     end
 
@@ -243,11 +253,19 @@ module Akeyless
         self.usc_prefix = attributes[:'usc_prefix']
       end
 
+      if attributes.key?(:'usc_tags')
+        self.usc_tags = attributes[:'usc_tags']
+      end
+
       if attributes.key?(:'use_prefix_as_filter')
         self.use_prefix_as_filter = attributes[:'use_prefix_as_filter']
       else
         self.use_prefix_as_filter = 'false'
       end
+
+      if attributes.key?(:'use_tags_as_filter')
+        self.use_tags_as_filter = attributes[:'use_tags_as_filter']
+      end
     end
 
     # Show invalid properties with the reasons. Usually used together with valid?
@@ -299,7 +317,9 @@ module Akeyless
           token == o.token &&
           uid_token == o.uid_token &&
           usc_prefix == o.usc_prefix &&
-          use_prefix_as_filter == o.use_prefix_as_filter
+          usc_tags == o.usc_tags &&
+          use_prefix_as_filter == o.use_prefix_as_filter &&
+          use_tags_as_filter == o.use_tags_as_filter
     end
 
     # @see the `==` method
@@ -311,7 +331,7 @@ module Akeyless
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [azure_kv_name, delete_protection, description, environment_names, gcp_project_id, gcp_sm_regions, github_scope, item_custom_fields, json, k8s_namespace, name, organization_name, repository_access, repository_names, tags, target_to_associate, token, uid_token, usc_prefix, use_prefix_as_filter].hash
+      [azure_kv_name, delete_protection, description, environment_names, gcp_project_id, gcp_sm_regions, github_scope, item_custom_fields, json, k8s_namespace, name, organization_name, repository_access, repository_names, tags, target_to_associate, token, uid_token, usc_prefix, usc_tags, use_prefix_as_filter, use_tags_as_filter].hash
     end
 
     # Builds the object from hash

data/lib/akeyless/models/delete_role_rule.rb

@@ -24,7 +24,7 @@ module Akeyless
     # The role name to be updated
     attr_accessor :role_name
 
-    # item-rule, role-rule, auth-method-rule, search-rule, reports-rule, gw-reports-rule or sra-reports-rule
+    # item-rule, role-rule, auth-method-rule, search-rule, reports-rule, gw-reports-rule, sra-reports-rule, ara-reports-rule, sra-rule, ara-rule, usage-reports-rule, event-rule, event-forwarder-rule, reverse-rbac-rule
     attr_accessor :rule_type
 
     # Authentication token (see `/auth` and `/configure`)

data/lib/akeyless/models/describe_permissions.rb

@@ -25,7 +25,7 @@ module Akeyless
     # Authentication token (see `/auth` and `/configure`)
     attr_accessor :token
 
-    # Type of object (item, am, role, target)
+    # Type of object (item, am, role, target, sra, ara)
     attr_accessor :type
 
     # The universal identity token, Required only for universal_identity authentication