openapi: 3.0.1 info: title: kp_messages/kp_my_subscriptions/v1beta1/array.proto version: version not set servers: - url: / tags: - name: InstanceDiscoveryService description: Service providing list of clusters and connection information. x-displayName: Instance Discovery Service - name: ArrayService description: This is the IDP Service consumed by Client Apps x-displayName: Array Identity Protection Service - name: ArraySupportService description: This is the IDP Service Support Interface API. Consumer which want to use this service must be authenticated using a Server-2-Server token which is authorized for the "support" scope. x-displayName: Array Identity Protection Service Support API - name: ArrayWebhookService description: This is the IDP Service Webhook Interface API. Consumer which want to use this service must be authenticated using a Server-2-Server token which is authorized for the "webhook" scope. This scope is usually only used by Array.com to send webhook events. x-displayName: Array Identity Protection Service Webhook API - name: PaymentsWebhookService description: This is the IDP Payments Webhook Interface API. Consumer which want to use this service must be authenticated using a Server-2-Server token which is authorized for the "rudderstack" scope. This scope is usually only used by Rudderstack to send webhook events. x-displayName: Payments Identity Protection Service Webhook API - name: Cloudflare Static x-displayName: Cloudflare Static - name: Subscription Receipt Service API x-displayName: Subscription Receipt Service API - name: Connection Token Service API x-displayName: Connection Token Service API - name: Chargebee Entitlements Interface x-displayName: Chargebee Entitlements Interface - name: Enclave API x-displayName: Enclave API - name: Dedicated IP Backup Service API x-displayName: Dedicated IP Backup Service API - name: Dedicated IP Token Service API x-displayName: Dedicated IP Token Service API - name: Blinded Tokens API x-displayName: Blinded Tokens API paths: /conn_status: get: tags: - InstanceDiscoveryService summary: Fetch current user location and VPN connected status parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" responses: '200': description: Successful response containing user location and VPN connection status content: application/json: schema: type: object properties: current_ip: type: string format: ipv4 OR ipv6 iso_country_code: type: string description: ISO country code for the cluster's location. isp: type: string description: ISP name latitude: type: number format: double description: Latitude coordinate of the user longitude: type: number format: double description: Longitude coordinate of the user vpn_connected: type: boolean description: If the detected user IP belongs to any of the known cluster outgoing IP ranges '429': description: Rate limited /locations_test_ips: get: tags: - InstanceDiscoveryService summary: Fetch list of locations parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" - in: header name: If-None-Match schema: type: string description: ETag of the resource to be checked for modifications responses: '200': description: Successful response containing list of locations content: application/json: schema: type: object properties: locations: type: array items: type: object required: - location_id - ips properties: location_id: type: string description: Unique identifier for the location. ips: type: array items: oneOf: - type: object properties: v4: type: string format: ipv4 description: IPv4 address. - type: object properties: v6: type: string format: ipv6 description: IPv6 address. '304': description: Not Modified - Resource has not changed '401': description: >- The Authorization Header is missing or invalid '429': description: Rate limited /ids/locations: get: tags: - InstanceDiscoveryService summary: Fetch list of locations parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" - in: header name: If-None-Match schema: type: string description: ETag of the resource to be checked for modifications responses: '200': description: Successful response containing list of locations content: application/json: schema: type: object properties: locations: type: array items: type: object required: - id - name - latitude - longitude - country_code properties: id: type: string description: Unique identifier for the cluster. name: type: string description: Name of the cluster. latitude: type: number format: double description: Latitude of the cluster location. longitude: type: number format: double description: Longitude of the cluster location. country_code: type: string description: ISO country code for the cluster's location. instance_count_min: type: integer description: Minimal number of instances in the bucket, such as N<=instances- The Authorization Header is missing or invalid '429': description: Rate limited /ids/s2s/locations: get: tags: - InstanceDiscoveryService summary: Fetch list of locations security: - X-Consumer-Id: [ ] - Server-2-Server-Secret: [ ] parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" - in: header name: If-None-Match schema: type: string description: ETag of the resource to be checked for modifications responses: '200': description: Successful response containing list of locations content: application/json: schema: type: object properties: locations: type: array items: type: object required: - id - name - latitude - longitude - country_code properties: id: type: string description: Unique identifier for the cluster. name: type: string description: Name of the cluster. latitude: type: number format: double description: Latitude of the cluster location. longitude: type: number format: double description: Longitude of the cluster location. country_code: type: string description: ISO country code for the cluster's location. instance_count_min: type: integer description: Minimal number of instances in the bucket, such as N<=instances- The Authorization Header is missing or invalid '429': description: Rate limited /ids/locations/{location_id}/instances: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" - name: location_id in: path required: true description: ID of the cluster to fetch endpoints for schema: type: integer format: int32 - in: header name: If-None-Match schema: type: string description: ETag of the resource to be checked for modifications get: tags: - InstanceDiscoveryService summary: Fetch list of endpoints for specified cluster responses: '200': description: Successful response containing list of locations content: application/json: schema: type: object description: Represents instance-level details associated with a cluster. required: - location_id properties: location_id: type: string description: Identifier of the cluster associated with the instances. endpoints: type: array description: Endpoint configuration details array for this location. items: oneOf: - title: lightway type: object description: Lightway protocol configuration details. required: - ip - port - transport - mtu - cert_dn properties: ip: oneOf: - type: object properties: v4: type: string format: ipv4 description: IPv4 address. - type: object properties: v6: type: string format: ipv6 description: IPv6 address. port: type: integer format: int32 description: Port number used for the Lightway connection. transport: type: string description: Transport layer protocol used by Lightway. enum: - tcp - udp mtu: type: integer format: int32 description: Maximum Transmission Unit (MTU) enforced for the connection. cert_dn: type: string description: Distinguished Name (DN) of the certificate for connection verification. obfuscation: description: Obfuscation type for this endpoint, empty or null for no obfuscation. oneOf: - title: FM1 type: object required: - fm1_input - fm_server properties: fm1_input: type: string fm_server: type: string - title: FM2 type: object required: - fm2_input - fm_server properties: fm2_input: type: string fm_server: type: string '304': description: Not Modified - Resource has not changed '401': description: >- The Authorization Header is missing or invalid '429': description: Rate limited /array/users: post: tags: - ArrayService summary: Creates a new Array User parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" description: >- Creates a new Array User and activates the features according to the entitlements in the SRT. **Uses internally**: 1. Create the user via https://docs.array.com/reference/post-user 2. Adds array products to user via https://docs.array.com/reference/post_api-monitoring-v2-batch 3. Configures personal information via https://docs.array.com/reference/post_api-monitoring-v2-idp 4. Generates the token via https://docs.array.com/reference/post_api-authenticate-v2-usertoken security: - 2FA-enabled-XV-Access-Token: [ ] - CLP-Token: [ ] Server-2-Server-Secret: [ ] requestBody: content: application/json: schema: type: object properties: srts: type: array description: An array with Subscription Receipt Tokens which contain Array.com related entitlements. If provided, the user will immediately be enrolled to the appropriate products otherwise the /enroll endpoints needs to be called afterwards. items: type: string firstName: type: string description: The customer's first name. lastName: type: string description: The customer's last name. dob: type: string description: The customer's date of birth in YYYY-MM-DD format. address: type: object properties: street: type: string description: "The customer's street address, including apartment number or other designation." city: type: string description: The name of the customer's city. state: type: string description: "The customer's two-character state abbreviation.\nUS territories and armed forces codes are supported." zip: type: string description: The customer's five-digit US postal code. ssn: type: string description: >- The customer's tax ID, given as either the full nine digits (without hypens) or the last four digits. In some cases, the full nine digits is required. If you supply last-four where full-nine is required, the operation won't create the User object and returns a no content status code. emailAddress: type: string description: >- The customer's email address. The address is used as the customer's public username within Array. phoneNumber: type: string description: >- The customer's phone number (including area code), digits only. For example: "2125550123". This is the phone number to which an SMS message may be sent during the identity verification process. required: - firstName - lastName - dob - address - emailAddress responses: '200': description: A successful response. content: application/json: schema: $ref: '#/components/schemas/v1beta1CreateUserResponse' '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '402': description: >- None of the provided subscription receipts contain a valid Array.com entitlement '429': description: Rate limited /array/users/me/enroll: post: tags: - ArrayService summary: Activatesd Array.com Products parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" description: >- Will activate additional Array.com Products according to the provided Subscription Receipt Tokens security: - 2FA-enabled-XV-Access-Token: [ ] - CLP-Token: [ ] - Server-2-Server-Secret: [ ] requestBody: content: application/json: schema: type: object properties: srts: type: array description: An array with Subscription Receipt Tokens which contain Array.com related entitlements. If provided, the user will immediately be enrolled to the appropriate products otherwise the /enroll endpoints needs to be called afterwards. items: type: string responses: '200': description: A successful response. '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited /array/users/me: patch: tags: - ArrayService summary: Updates the user's profile information parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" description: >- This endpoint can be used to update the customer's profile via https://docs.array.com/reference/patch_api-user-v2. This is esspecially required to set an SSN and PhoneNumber in case they have not been collected during account setup as these are required to perform the user authentication for Credit Card Monitoring. security: - 2FA-enabled-XV-Access-Token: [ ] - CLP-Token: [ ] - Server-2-Server-Secret: [ ] requestBody: content: application/json: schema: type: object properties: ssn: type: string description: >- The customer's tax ID, given as either the full nine digits (without hypens) or the last four digits. In some cases, the full nine digits is required. If you supply last-four where full-nine is required, the operation won't create the User object and returns a no content status code. phoneNumber: type: string description: >- The customer's phone number (including area code), digits only. For example: "2125550123". This is the phone number to which an SMS message may be sent during the identity verification process. dob: type: string description: The customer's date of birth in YYYY-MM-DD format. address: type: object properties: street: type: string description: "The customer's street address, including apartment number or other designation." city: type: string description: The name of the customer's city. state: type: string description: "The customer's two-character state abbreviation.\nUS territories and armed forces codes are supported." zip: type: string description: The customer's five-digit US postal code. emailAddress: type: string description: >- The customer's email address. The address is used as the customer's public username within Array. required: - ssn responses: '200': description: A successful response. '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited get: tags: - ArrayService summary: Fetches the current user and account status parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" description: >- To verify, if a customer profile is correctly setup and authenticated, this endpoint can be called security: - Any-XV-Access-Token: [ ] - CLP-Token: [ ] - Server-2-Server-Secret: [ ] responses: '200': description: A successful response. content: application/json: schema: type: object properties: arrayUserId: type: string description: >- This is the Array.com UserId associated with the current account authenticated: type: boolean description: >- This is true if the account has been verified by one of the bureaus and can be used to fetch tokens which can be used to render web-views which are related to Credit Score feature. twoFactorEnabled: type: boolean description: >- Indicates whether 2fa on the current device has been enabled and is valid firstNameConfigured: type: boolean description: >- Indicates whether the the first name has been set or not lastNameConfigured: type: boolean description: >- Indicates whether the the last name has been set or not dobConfigured: type: boolean description: >- Indicates whether the the date of birth has been set or not addressConfigured: type: boolean description: >- Indicates whether the the address has been set or not (street, city, state & zip need to be set) emailConfigured: type: boolean description: >- Indicates whether the the e-mail has been set or not ssnConfigured: type: boolean description: >- Indicates whether the SSN is correctly configured in the account and the authentication process can be started phoneNumberConfigured: type: boolean description: >- Indicates whether the Phone Number is correctly configured in the account and the authentication process can be started lastAuthAttempt: type: string format: date-time description: >- Timestamp of the last authentication attempt, empty otherwise authAttempts: type: integer description: >- Number of authentication attempts which had been performed so far remainingAuthAttempts: type: integer description: >- Number of authentication attempts which can still be performed '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited /array/users/me/verification: post: tags: - ArrayService summary: Will indicate an attempt to perform another verification parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" description: >- Clients will sent this, to notify the backend about another attempt to verify the customer. The backend will increase the counters. security: - 2FA-enabled-XV-Access-Token: [ ] - CLP-Token: [ ] - Server-2-Server-Secret: [ ] responses: '200': description: Clients can continue with the verification attempt. '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited '423': description: The attempt was made too early or the total number or attempts has been reached. Array.com requires 24 hours to be passed between 2 attempts. The error body contains details about the reason by providing either an AttemptTooEarly or MaximumAttemptsReached error body. content: application/json: schema: $ref: '#/components/schemas/423errorResponse' /array/users/me/token: post: tags: - ArrayService summary: Generates or refreshes the Array User Token parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" description: >- Refreshes the Array User Token, which expires every 60 minutes using https://docs.array.com/reference/post_api-authenticate-v2-usertoken. security: - 2FA-enabled-XV-Access-Token: [ ] - CLP-Token: [ ] - Server-2-Server-Secret: [ ] responses: '200': description: A successful response. content: application/json: schema: $ref: '#/components/schemas/v1beta1GenerateUserTokenResponse' '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited /support/users/{user_id}: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" - name: user_id in: path required: true description: The Kape User KRN of the User schema: type: string get: security: - Server-2-Server-Secret: [ ] - X-Consumer-Id: [ ] tags: - ArraySupportService summary: Fetches information about the user responses: '200': description: A successful response. content: application/json: schema: type: object properties: user_status_response: type: object properties: kape_user_id: type: string example: "krn::iam::xvpn:user:515296f8-75d8-415e-b9f1-093a4a0c238f" CurrentUser: type: object properties: ArraydotcomUserId: type: string example: "45ac7b00-46ab-4b89-bc72-4617b2c55340" AuthAttemps: type: integer example: 0 CreatedAt: type: string format: date-time example: "2024-11-26T15:44:07.287860952Z" UpdatedAt: type: string format: date-time example: "2024-11-26T15:44:07.287860952Z" History: type: array items: type: object properties: ArraydotcomUserId: type: string example: "e4788510-fbe9-4830-bf8d-e2b995320432" AuthAttemps: type: integer example: 0 CreatedAt: type: string format: date-time example: "2024-11-26T14:48:19.755194439Z" UpdatedAt: type: string format: date-time example: "2024-11-26T14:48:19.755194439Z" DeletedAt: type: string format: date-time example: "2024-11-26T14:53:01.319556409Z" CreatedAt: type: string format: date-time example: "2024-11-26T14:47:45.549681229Z" array_user_details: type: object properties: arrayUserId: type: string example: "45ac7b00-46ab-4b89-bc72-4617b2c55340" authenticated: type: boolean example: false twoFactorEnabled: type: boolean example: true ssnConfigured: type: boolean example: false phoneNumberConfigured: type: boolean example: false lastAuthAttempt: type: string format: date-time nullable: true example: null authAttempts: type: integer example: 0 remainingAuthAttempts: type: integer example: 3 enrollments: type: array items: type: object properties: enrollmentCode: type: string example: "exp1bStandardMonitoring" active: type: boolean example: true cancellationDate: type: string format: date-time example: "0001-01-01T00:00:00Z" enrollmentDate: type: string format: date-time example: "2024-11-26T15:44:16.731Z" '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited delete: security: - Server-2-Server-Secret: [ ] - X-Consumer-Id: [ ] tags: - ArraySupportService summary: Deletes and unenrolls an Array User responses: '200': description: A successful response. content: application/json: schema: $ref: '#/components/schemas/v1beta1CreateUserResponse' '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid '429': description: Rate limited patch: tags: - ArraySupportService summary: Updates the user's profile information description: >- This endpoint can be used to update the customer's profile via https://docs.array.com/reference/patch_api-user-v2. This is esspecially required to set an SSN and PhoneNumber in case they have not been collected during account setup as these are required to perform the user authentication for Credit Card Monitoring. security: - Server-2-Server-Secret: [ ] - X-Consumer-Id: [ ] requestBody: content: application/json: schema: type: object properties: ssn: type: string description: >- The customer's tax ID, given as either the full nine digits (without hypens) or the last four digits. In some cases, the full nine digits is required. If you supply last-four where full-nine is required, the operation won't create the User object and returns a no content status code. phoneNumber: type: string description: >- The customer's phone number (including area code), digits only. For example: "2125550123". This is the phone number to which an SMS message may be sent during the identity verification process. dob: type: string description: The customer's date of birth in YYYY-MM-DD format. address: type: object properties: street: type: string description: "The customer's street address, including apartment number or other designation." city: type: string description: The name of the customer's city. state: type: string description: "The customer's two-character state abbreviation.\nUS territories and armed forces codes are supported." zip: type: string description: The customer's five-digit US postal code. emailAddress: type: string description: >- The customer's email address. The address is used as the customer's public username within Array. required: - ssn responses: '200': description: A successful response. '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited /support/users/{user_id}/enroll: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" - name: user_id in: path required: true description: The Kape User KRN of the User schema: type: string post: security: - Server-2-Server-Secret: [ ] - X-Consumer-Id: [ ] tags: - ArraySupportService summary: Activates Array.com Products description: >- Will activate additional Array.com Products according to the provided Subscription Receipt Tokens requestBody: content: application/json: schema: type: object properties: srts: type: array description: An array with Subscription Receipt Tokens which contain Array.com related entitlements. If provided, the user will immediately be enrolled to the appropriate products otherwise the /enroll endpoints needs to be called afterwards. items: type: string responses: '200': description: A successful response. '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited /array/webhook: post: security: - Bearer: [ ] tags: - ArrayWebhookService summary: Receives Webhooks description: >- Receives Webhooks by Array.com and forwards them to Rudderstack responses: '200': description: A successful response. '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited /payments/webhook: post: security: - Bearer: [ ] tags: - PaymentsWebhookService summary: Receives Webhooks description: >- Receives Payment Webhooks by Rudderstack to un-enroll users responses: '200': description: A successful response. '400': description: There was a problem executing the request. The payload will contain additional information about the failure reason content: application/json: schema: $ref: '#/components/schemas/errorResponse' '401': description: >- The Authorization Header is missing or invalid (e.g. lacking 2FA) '429': description: Rate limited /.well-known/pcrs.json: servers: - url: https://api.pcrs.kape.com get: tags: - Cloudflare Static summary: Fetches the expected PCR registers (hashes) for the enclave. responses: '200': description: The response contains a list of PCR sets content: application/json: schema: type: object properties: pcrs: type: array items: type: object properties: pcr_0: type: string pcr_1: type: string pcr_2: type: string /.well-known/jwks.json: servers: - url: https://api.jwks.kape.com get: tags: - Cloudflare Static summary: Fetches the JWKs. description: >- Fetches the JWK storage file containing all public keys. Can be generated with e.g. https://russelldavies.github.io/jwk-creator/ responses: '200': description: The response contains the JSON JWK content: application/json: schema: type: object properties: keys: type: array items: type: object properties: kty: type: string use: type: string 'n': type: string e: type: string alg: type: string kid: type: string x5u: type: string example: keys: - kty: RSA - use: sig - 'n': >- 0ECMFyUY8pjlgjP6vc-hW4Nh4bsg0uVFb66Q96ApDvOMOd2KJpCFZdmZxM-qLTKsH63fEJz0zZesiAFwi4KuWy17_ky0viKAAJvpfTxFOOCD81MyBUAZHH6r_R0H9cazPjrPK0Wn3j8dY_fak7HzS0BKhkNP932dpAncX_nzMbDl5xKBRKhuYaBCuB8IlGnr8aExSwXuwmreGionZpP6bcuttthPntx2sqNDFvCludErDVxB173D0Fvo_2CLsx0hKYcGrg2_UUqTjy0LT5xwDthbohDK_YYWbNrzthyKzjPrWYI8YI6X-A6Bu9qddDx0ZK26q8APGwZ__rO3AQg2Dw - e: AQAB - alg: RS256 - kid: 8cdde4571ea799fdc6d0982c84b84673e72f487c - x5u: https://api.jwks.kape.com/.well-known/nyv1cic.pem /subscription_receipts/clp: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://xv-cp.apis-staging.xvtest.net/srs/ - url: https://cp.expressapisv2.net/srs/ post: tags: - Subscription Receipt Service API summary: Creates a new subscription receipt for the CLP description: Creates a new set of receipts for the specified subscriptions. This is a Server2Server Endpoint being called only by the CLP pages requestBody: content: application/json: schema: type: object properties: subscription_ids: description: Array of subscription ids, a receipt should be created for. type: array items: type: string example: subscription_ids: - '1' responses: '200': description: The response contains an array of the Subscription Receipts content: application/jwt: schema: type: object properties: srts: type: array items: type: object properties: subscription_id: type: string description: Subscription ID for that receipt srt: type: string description: Base64 Encoded JWT Subscription Receipt Token (SRT) example: srts: - subscription_id: '1' srt: >- eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjhjZGRlNDU3MWVhNzk5ZmRjNmQwOTgyYzg0Yjg0NjczZTcyZjQ4N2MifQ.eyJzdWIiOiIxIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MTYyMzkwMjIsImVudGl0bGVtZW50cyI6WyJ4di52cG4iXX0.aRAZA2ioFUoL_GDpQ3_OSZaU50NVjIGkMRtF2bRzSiX7jsNycZ5fqjrS8mnPyu5k39j8JVUBAf1DIKtuJdNAoX9fc35_JcwVc2IzkvC0MNUSZ5ERpIG0ePwaU4rV5-2mMaevpQIjcJmHFVbyiRsc-ei6frP7Yr6VGaSoXI9AThmTm4CxsCIV9wdTverE0McwgCzYjL7O7eukeLYhPNKhWiTn2rRaLU8oHg_7rIqdP16OjZce8WAK64vpV3JfpQlRpfOXaCjIG4Gid4ESAxDSHX52jVGl8Xhj_hAfVjMq8Aj8leTTT7kgzo2lr17fL1LD3x7UWmZzZxhwk3Ux-M_exg '400': description: Authorization header is missing '401': description: >- The provided authorization token is invalid, no customer id could be obtained for that access token '429': description: Rate limited security: - X-CLP-Token: [ ] - S2S_Token: [ ] /subscription_receipts: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://xv-cp.apis-staging.xvtest.net/srs/ - url: https://cp.expressapisv2.net/srs/ post: tags: - Subscription Receipt Service API summary: Creates a new subscription receipt for the subscription id provided in the Access Token's sub_krn claim description: Creates a new set of receipts for the specified subscription and related Addons responses: '200': description: The response contains an array of the Subscription Receipts content: application/jwt: schema: type: object properties: srts: type: array items: type: object properties: subscription_id: type: string description: Subscription ID for that receipt srt: type: string description: Base64 Encoded JWT Subscription Receipt Token (SRT) example: srts: - subscription_id: '1' srt: >- eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjhjZGRlNDU3MWVhNzk5ZmRjNmQwOTgyYzg0Yjg0NjczZTcyZjQ4N2MifQ.eyJzdWIiOiIxIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MTYyMzkwMjIsImVudGl0bGVtZW50cyI6WyJ4di52cG4iXX0.aRAZA2ioFUoL_GDpQ3_OSZaU50NVjIGkMRtF2bRzSiX7jsNycZ5fqjrS8mnPyu5k39j8JVUBAf1DIKtuJdNAoX9fc35_JcwVc2IzkvC0MNUSZ5ERpIG0ePwaU4rV5-2mMaevpQIjcJmHFVbyiRsc-ei6frP7Yr6VGaSoXI9AThmTm4CxsCIV9wdTverE0McwgCzYjL7O7eukeLYhPNKhWiTn2rRaLU8oHg_7rIqdP16OjZce8WAK64vpV3JfpQlRpfOXaCjIG4Gid4ESAxDSHX52jVGl8Xhj_hAfVjMq8Aj8leTTT7kgzo2lr17fL1LD3x7UWmZzZxhwk3Ux-M_exg '400': description: Authorization header is missing '401': description: >- The provided authorization token is invalid, no customer id could be obtained for that access token '429': description: Rate limited security: - Any-XV-Access-Token: [ ] /increment-dip-version: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://xv-cp.apis-staging.xvtest.net/srs/ - url: https://cp.expressapisv2.net/srs/ post: tags: - Subscription Receipt Service API summary: Increments the DIP Version ID for the subscription description: | This will increment the DIP version for the provided subscription. This is a S2S call available to the DTS. requestBody: content: application/json: schema: type: object properties: subscription_ids: description: The subscription ID to increase the version of type: string example: subscription_id: '1' responses: '204': description: The version has been incremented '400': description: The request json is invalid or could not be decoded '401': description: The provided S2S security token was missing or invalid '404': description: The subscription was not found '429': description: Rate limited security: - S2S_DTS_SRS: [ ] /connection_token: servers: - url: https://xv-cp.apis-staging.xvtest.net/srs/ - url: https://cp.expressapisv2.net/srs/ parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" description: Connection Authorization Token Service post: tags: - Connection Token Service API security: - Subscription_Receipt_Token: [ ] summary: Creates a new Connection Authorization Token description: >- Creates a new Connection Authorization Token using the Subscription Receipt to authorize. responses: '200': description: The response contains the raw, base4 encoded JWT content: application/json: schema: type: object properties: jwt: type: string description: The Connection Authorization Token example: cat: >- eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjhjZGRlNDU3MWVhNzk5ZmRjNmQwOTgyYzg0Yjg0NjczZTcyZjQ4N2MifQ.eyJhdWQiOlsieHYudnBuIl0sImlzcyI6Inh2LmNhdHMiLCJpYXQiOjE3MDEyMzkwMjIsImV4cCI6MTcxNzIzOTAyMiwiZW50aXRsZW1lbnRzIjpbInh2LnZwbiIsInh2LnZwbi5kaXAiXX0.bCYBMFaRz6gaDCAPYJfHRLW2dP7cMS8Zjsmip0--FB1WUPvnnLPZtDHC2dyjmLJNwPzzLrnLkhGKZDaDM8NbyGOfmSmZOgIwHRIYshiCT_IdVZkZuN_KrhzA-157-Si6LZ7Y6rXDXUA4l74xnoil-pv4EVvehziEnwzoNB7fAv1LcnLsDsjUIIG9yVfZkx9i1imm07p9UK1QyyXo0Iy45fnrkFwR_K38bnzaz_xGKiPSYDgJSTch0JioU4bTs3XaXJ1mWcBPThIA1k_kWSONZTMBOhHffVx6pKsAo7u7Av5ElWorh51JOXUkgoBjqnsyKf3d8N2WTADeiYE5r5ujMA '400': description: Authorization header is missing '401': description: The provided subscription receipt is invalid or expired '403': description: >- The provided subscription receipt is valid but lacks the VPN entitlement '429': description: Rate limited /subscription_entitlements: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.privateinternetaccess.com - url: https://api.cyberghostvpn.com - url: https://api.expressvpn.com post: security: - S2S_Token: [ ] tags: - Chargebee Entitlements Interface summary: Fetches subscription entitlements description: >- Fetches subscription entitlements for the specified customer id, grouped by subscription id from kp_my_subscriptions (via Chargebee) requestBody: content: application/json: schema: type: object properties: customer_id: type: string description: An XV User KRN (kp_user claim) subscription_ids: description: An array of subscription krn's (sub_krn claim) type: array items: type: string responses: '200': description: Ok content: application/json: schema: type: object properties: entitlements: type: array items: type: object properties: subscription_id: type: string entitlements: type: object properties: entitlement1: type: object properties: value1: type: string value2: type: string entitlement2: type: object properties: value1: type: string value2: type: string example: entitlements: - subscription_id: '123' entitlements: xv.vpn: { } - subscription_id: '456' entitlements: xv.vpn.dip: ip: 1.2.3.4 '400': description: Authorization header is missing '404': description: Customer could not be resolved '429': description: Rate limited /attestation: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.enc.kape.com post: tags: - Enclave API summary: Asks the Enclave to generate a new attestation document requestBody: content: application/json: schema: type: object properties: nonce: type: string description: Random nonce, generated by the client example: nonce: random_nonce responses: '200': description: Request was ok and result contains the attestation document content: application/json: schema: type: object properties: attestation: type: string description: >- Contains the attestation raw document. See https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html /status: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.enc.kape.com get: tags: - Enclave API summary: Indicates the enclave status (e.g. for load balancer to use) responses: '200': description: Enclave is healthy '503': description: Enclave has not yet been initialized /initialize_enclave: servers: - url: https://api.enc.kape.com post: tags: - Enclave API summary: >- After the enclave has been booted up, the EC2 parent proxy will call this to initialize the enclave with the Private Key used to sign JWT Tokens requestBody: content: application/json: schema: type: object properties: jwt_private_key: type: string description: The PEM encoded Private Key used to sign JWT Tokens jwks: type: string description: The JWKS used to validate JWT Tokens kid: type: string description: The KID to be used when issuing tokens s2s_secret: type: string description: Service-2-service bearer authentication token example: jwt_private_key: base64(---BEGIN RSA PRIVATE KEY--- ...) jwks: base64({"keys"...}) kid: kid e2e_secret: dont tell anyone responses: '200': description: Initialization successful '400': description: Initialization failed /issue_dip: servers: - url: https://api.enc.kape.com post: tags: - Enclave API summary: >- Sends the encrypted SRT, Public Key,a pre-allocated free IP and the associated location id to the enclave requestBody: content: application/json: schema: type: object properties: ip: type: string description: The pre-allocated IP location_id: type: string description: >- The location id belonging to that IP, will be included in the DIP entitlement esrt: type: string description: Encrypted Subscription Receipt Token client_pub_key: type: string description: >- PEM encoded client public key required for the session key generation example: ip: 134.3.3.1 location_id: '1' esrt: EncRypTedSubScriptionRece!pt client_pub_key: Mggaakkfkf... responses: '200': description: >- The SRT was valid and a DRT has been issued. DIP Service should continue to mark the IP expired content: application/json: schema: type: object properties: edrt: type: string description: Encrypted DRT dat: type: string description: the generated DAT ip: type: string description: IP which got assigned to the DAT exp: type: integer description: Expiration date of the IP assignment as Unix-Timestamp example: edrt: 3ncrypTedNotExpiredDrt dat: EncRypTedDATToken ip: 134.3.3.1 exp: 12345678 '400': description: The ESRT could not be decoded '401': description: The caller did not provide a valid service-to-service bearer token '402': description: The SRT expired or does not have an DIP entitlement (anymore) '403': description: The decoded SRT has an invalid signature /refresh_dip: servers: - url: https://api.enc.kape.com post: tags: - Enclave API summary: Refreshes a DRT requestBody: content: application/json: schema: type: object properties: edrt: type: string description: Encrypted DRT esrt: type: string description: Encrypted Subscription Receipt Token client_pub_key: type: string description: >- PEM encoded client public key required for the session key generation example: edrt: EncryptedButNotExpiredDRT esrt: EncryptedButNotExpiredSRT client_pub_key: Mggaakkfkf... responses: '200': description: >- The DRT was valid and a new DAT and DRT has been issued. DIP Service should continue to extend the IP expiration date content: application/json: schema: type: object properties: edrt: type: string description: Encrypted DRT dat: type: string description: DAT ip: type: string description: IP which got assigned to the DAT exp: type: integer description: Expiration date of the IP assignment as Unix-Timestamp '400': description: The DRT or SRT could not be decoded '401': description: The caller did not provide a valid service-to-service bearer token '402': description: The SRT expired or does not have an DIP entitlement (anymore) '403': description: The DRT or SRT have an invalid signature '410': description: >- Either the subscription got reset by support or the DRT expired. Customer needs to make a new DIP reservation /store: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.dbs.kape.com post: tags: - Dedicated IP Backup Service API summary: Backups a set of DRT description: >- Stores the provided DRTs. It will overwrite any existing stored entry, so it's important that the customer would first need to recover any existing storage entry. That also guarantess, that for one subscription all DRTs are encrypted with the same password. requestBody: content: application/json: schema: type: object properties: version: type: integer description: >- The version of the backup, must match the most recent restore edrts: type: array items: type: string description: The encrypted DRTs content in base64 example: version: 1 edrts: - >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIEpXVCB0b2tlbiB3aGljaCBnb3QgZW5jcnlwdGVkLg== - another encrypted DRT responses: '200': description: >- Updated. The response contains the version of the newly stored backup content: application/json: schema: type: object properties: version: type: integer description: >- The version of the new backup, must be passed back to /store on next update example: version: '1' '201': description: >- Created. The response contains the version of the newly stored backup content: application/json: schema: type: object properties: version: type: integer description: >- The version of the new backup, must be passed back to /store on next update example: version: '1' '400': description: Authorization header is missing '401': description: The provided Subscription token is invalid or did expire '402': description: >- The provided Subscription token has no DIP entitlement, or an attempt was made to store more EDRTs than the subscription entitlement allows '409': description: The provided version was not the most recent version '413': description: At least one EDRT is larger than the server limit '429': description: Rate limited security: - Subscription_Receipt_Token: [ ] /restore: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.dbs.kape.com get: tags: - Dedicated IP Backup Service API summary: Fetches the stored DRTs description: Will return the stored DRTs associated with that subscription responses: '200': description: >- The response contains an array of all DRTs assigned to that encryption content: application/json: schema: type: object properties: version: type: integer description: >- The version of the backup, must be passed back to /store on update edrts: type: array description: Encrypted DRT in base64 items: type: string example: version: '1' edrts: - >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIEpXVCB0b2tlbiB3aGljaCBnb3QgZW5jcnlwdGVkLg== - another encrypted DRT '400': description: The request json is invalid or could not be decoded '401': description: The provided Subscription token is invalid or did expire '402': description: The provided Subscription token has no DIP entitlement '429': description: Rate limited security: - Subscription_Receipt_Token: [ ] /delete-backup: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.dbs.kape.com post: tags: - Dedicated IP Backup Service API summary: Deletes the backup for a subscription description: | This will delete the backup for the provided subscription. This is a S2S call available to the DTS. requestBody: content: application/json: schema: type: object properties: subscription_ids: description: The subscription ID to delete the backup for type: string example: subscription_id: '1' responses: '204': description: The backup has been deleted '400': description: The request json is invalid or could not be decoded '401': description: The provided S2S security token was missing or invalid '404': description: The subscription was not found '429': description: Rate limited security: - S2S_DTS_DBS: [ ] /locations: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.dts.kape.com get: tags: - Dedicated IP Token Service API summary: Fetch DIP locations description: >- Fetches a list of all locations. The lib will ensure exposure of locations, based on the use case responses: '200': description: The response contains an array of all DIP locations content: application/json: schema: type: object properties: locations: type: array items: type: object properties: id: type: string name: type: string country: type: string continent: type: string region: type: string available_ips: type: integer total_ips: type: integer example: locations: - id: '1' country: US continent: NA region: US-East name: New York - 1 available_ips: 0 total_ips: 10 - id: '2' country: US continent: NA region: US-East name: New York - 2 available_ips: 4 total_ips: 22 '400': description: Authorization header is missing '401': description: The provided Subscription token is invalid or did expire '429': description: Rate limited security: - Subscription_Receipt_Token: [ ] /health_status: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.dts.kape.com get: tags: - Dedicated IP Token Service API summary: Fetches the health status of an IP description: >- Will check, if the provided IP is healthy or not available (anymore) in our system responses: '200': description: The IP is known and supposed to be available '400': description: Authorization header is missing '401': description: The provided DAT token is invalid or did expire '404': description: >- The provided DAT token is valid but the IP seems not to exist anymore '423': description: >- The IP is known and supposed to be available but currently offline due to maintenance '429': description: Rate limited security: - DAT_Token: [ ] /protocol_configurations: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.dts.kape.com get: tags: - Dedicated IP Token Service API summary: Fetches the VPN Protocol configuration for a specific DIP description: >- Fetches detailed protocol configurations for a specific DIP. The DIP needs to be extracted from the DAT token in the Authorization header responses: '200': description: The response contains the protocol configurations content: application/json: schema: type: object properties: lightway: type: array items: type: object properties: host: type: string port: type: integer transport: type: string ip_version: type: string example: lightway: - host: 123.123.123.123 port: 1337 transport: udp ip_version: v4 - host: 123.123.123.123 port: 1339 transport: tcp ip_version: v4 '400': description: Authorization header is missing '401': description: The provided DAT token is invalid or did expire '404': description: >- The provided DAT token is valid but the IP seems not to exist anymore '429': description: Rate limited security: - DAT_Token: [ ] /.well-known/attestation: servers: - url: https://api.dts.kape.com post: tags: - Dedicated IP Token Service API summary: Forwards to the Enclave to generate a new attestation document requestBody: content: application/json: schema: type: object properties: nonce: type: string description: Random nonce, generated by the client example: nonce: random_nonce responses: '200': description: Request was ok and result contains the attestation document content: application/json: schema: type: object properties: attestation: type: string description: >- Contains the attestation raw document. See https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html session_cookie: type: string description: >- The cookie to be used in a subsequent /reservation or /refresh request which is used to create stickiness /reservation: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.dts.kape.com post: tags: - Dedicated IP Token Service API summary: Create a new DIP reservation description: >- The user can ask for a new Dedicated IP if there is none yet assigned to their subscription ID. The user can specify a preferred location this DIP should be assigned. If no location is specified an automatic assignment will be made. requestBody: content: application/json: schema: type: object properties: unblinded_token: type: string description: A random token (base64) unblinded_token_signature: type: string description: The signature of unblinded_token (base64) unblinded_token_signature_kid: type: string description: >- The key id of the key corresponding to unblinded_token_signature client_pub_key: type: string description: >- The Public key generated by the client, required for the ECDH key exchange esrt: type: string description: >- Encrypted Subscription Token in base64, encrypted with the generated session key (ECDH) location: type: string description: ID of the location to make a reservation for session_cookie: type: string description: >- The cookie received from the attestation request which is used to create stickiness example: unblinded_token: eqKKkBMNValllasd... unblinded_token_signature: bbpq2CF4QBS... unblinded_token_signature_kid: vTnNZJYymfOWchoiX2hJN8OIIwo= client_pub_key: MMfadLldk18alasdfl... esrt: >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIEpXVCB0b2tlbiB3aGljaCBnb3QgZW5jcnlwdGVkLg== location: US-EAST-1 session_cookie: AWSALB_COOKIE responses: '200': description: >- The response contains the encrypted Dedicated IP Access toke (DAT) and the encrypted Dedicated IP Refresh Token (DRT). content: application/json: schema: type: object properties: dat: type: string description: DAT in base64 edrt: type: string description: Encrypted DRT in base64 example: dat: >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIERBVCBKV1QgdG9rZW4gd2hpY2ggZ290IGVuY3J5cHRlZC4= edrt: >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIERSVCBKV1QgdG9rZW4gd2hpY2ggZ290IGVuY3J5cHRlZC4= '400': description: The request json is invalid or could not be decoded '401': description: The provided Subscription token is invalid or did expire '402': description: The provided Unblinded token has already been redeemed '404': description: No DIP was available '429': description: Rate limited /refresh: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.dts.kape.com post: tags: - Dedicated IP Token Service API summary: Refreshes a DAT description: >- A DAT has a short lifetime of a few days and needs to frequently be refreshed using an up-2-date SRT and the DRT. requestBody: content: application/json: schema: type: object properties: client_pub_key: type: string description: >- The Public key generated by the client, required for the ECDH key exchange esrt: type: string description: >- Encrypted Subscription Token in base64, encrypted with the generated session key (ECDH) edrt: type: string description: >- Encrypted DRT Token in base64, encrypted with the session key session_cookie: type: string description: >- The cookie received from the attestation request which is used to create stickiness example: client_pub_key: MMfadLldk18alasdfl... esrt: >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIEpXVCB0b2tlbiB3aGljaCBnb3QgZW5jcnlwdGVkLg== edrt: >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIERSVCBKV1QgdG9rZW4gd2hpY2ggZ290IGVuY3J5cHRlZC4= session_cookie: AWSALB_COOKIE responses: '200': description: >- The response contains the refreshed, encrypted Dedicated IP Access toke (DAT) and the encrypted Dedicated IP Refresh Token (DRT) which might got extended as well. content: application/json: schema: type: object properties: dat: type: string description: DAT in base64 edrt: type: string description: Encrypted DRT in base64 example: edat: >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIERBVCBKV1QgdG9rZW4gd2hpY2ggZ290IGVuY3J5cHRlZC4= edrt: >- VGhpcyB3b3VsZCBiZSBhY3R1YWxseSBhIERSVCBKV1QgdG9rZW4gd2hpY2ggZ290IGVuY3J5cHRlZC4= '400': description: The request json is invalid or could not be decoded '401': description: The provided Subscription token is invalid or did expire '429': description: Rate limited /reset-subscription: servers: - url: https://api.dts.kape.com post: tags: - Dedicated IP Token Service API summary: Resets a DIP subscription description: This will reset the provided subscription. requestBody: content: application/json: schema: type: object properties: subscription_ids: description: The subscription ID to reset type: string example: subscription_id: '1' responses: '204': description: The subscription has been reset '400': description: The request json is invalid or could not be decoded '401': description: The provided shared secret was invalid '404': description: The subscription was not found '429': description: Rate limited security: - S2S_RESET_SUBSCRIPTION: [ ] /reset-dip-reservations: servers: - url: https://api.dts.kape.com post: tags: - Dedicated IP Token Service API summary: Reset / Release DIP reservations description: | This endpoint will only be available on staging. requestBody: content: application/json: schema: type: object properties: ips: description: Array of IP reservations to be reset. type: array items: type: string example: ips: - 1.2.3.4 - 1.2.3.5 responses: '200': description: | Describes the result of the attempt to reset. Note: endpoint will return 200 even if all IPs failed to reset. content: application/json: schema: type: object properties: msg: type: string failed_to_reset: type: array items: type: object properties: ip: type: string error: type: string '400': description: The request json is invalid or could not be decoded '401': description: The provided shared secret was invalid '429': description: Rate limited security: - S2S_RESET_IP_RESERVATIONS: [ ] /sign_blinded_token: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.blts.kape.com post: tags: - Blinded Tokens API security: - Subscription_Receipt_Token: [ ] summary: Signs a blinded message description: >- Signs a blinded token sent by the client. Signing requests will only be performed if the provided SRT has DIP entitlements. requestBody: content: application/json: schema: type: object properties: message: type: string description: base64 encoded token to be signed example: message: AQIDBAUGBwgK responses: '200': description: The response contains the signed blinded token content: application/json: schema: type: object properties: signature: type: string description: Base64 encoded signature signature_kid: type: string description: The key id of the signing key used for signature example: signature: CQoLDA0ODw== signature_kid: vTnNZJYymfOWchoiX2hJN8OIIwo= '400': description: Authorization header is missing '401': description: The provided subscription receipt is invalid or expired '402': description: >- All tokens have already been issued for this subscription receipt's entitlement '403': description: >- The provided subscription receipt is valid does not contain a DIP entitlement '429': description: Rate limited /dip_redemption_status: parameters: - $ref: "#/components/parameters/XClientAppVersionHeader" - $ref: "#/components/parameters/XClientDeviceModelHeader" - $ref: "#/components/parameters/XClientOSHeader" - $ref: "#/components/parameters/XClientOSVersionHeader" - $ref: "#/components/parameters/XClientSdkVersionHeader" servers: - url: https://api.blts.kape.com get: tags: - Blinded Tokens API summary: >- Fetches the number of redemptions (blinded tokens issued) for that subscription description: >- In order to activate a DIP, a Blinded Token gets signed. The number of Blinded Tokens which can be issued, depend on the subscription's DIP license count. security: - Subscription_Receipt_Token: [ ] responses: '200': description: The response contains information about the redemption status content: application/json: schema: type: object properties: total_licenses: type: integer description: Number of total licenses available licenses_redeemed: type: integer description: Number of licenses already redeemed example: total_licenses: 5 licenses_redeemed: 3 '400': description: Authorization header is missing '401': description: The provided subscription token is invalid '429': description: Rate limited /reset-signed-token-count: servers: - url: https://api.blts.kape.com post: tags: - Blinded Tokens API security: - S2S_DTS_BLTS: [ ] summary: Reset the count of signed blind tokens for a subscription description: | This will reset the count for the provided subscription. This is a S2S call available to the DTS. requestBody: content: application/json: schema: type: object properties: subscription_ids: description: The subscription ID to reset the count for type: string example: subscription_id: '1' responses: '204': description: The count has been reset '400': description: The request json is invalid or could not be decoded '401': description: The provided S2S security token was missing or invalid '404': description: The subscription was not found '429': description: Rate limited components: parameters: XClientOSHeader: name: x-client-os in: header required: true schema: type: string example: - "windows" - "macos" - "linux" - "android" - "ios" - "web" description: >- The operating system of the client making the request. XClientOSVersionHeader: name: x-client-os-version in: header required: true schema: type: string description: >- The operating system version of the client making the request. example: "10.0.1234" XClientAppVersionHeader: name: x-client-app-version in: header required: true schema: type: string description: >- The app version of the client making the request. example: "8.10.123" XClientDeviceModelHeader: name: x-client-device-model in: header required: true schema: type: string example: - "desktop" - "mobile" - "tablet" - "firetv" - "appletv" description: >- The type of the device making the request XClientSdkVersionHeader: name: x-sdk-version in: header required: true schema: type: string description: >- The SDK version making the request example: "5.0.123" schemas: v1beta1CreateUserResponse: type: object properties: userToken: type: string description: >- String token that represents a verified customer. Use the token as the value of the x-array-user-token header. failedMonitoring: type: array description: >- DEPRECATED. Use unmonitored_fields instead. An array of objects that failed to create a monitor. The construction of the object is taken directly from the request body. items: type: string unmonitoredFields: title: >- The list of the field names of the personal information provided by the user that failed to create a monitor on Array.com due to: - missing or invalid required info (e.g. zip is missing or wrong in the Address) - user not having the necessary product (e.g. asked to monitor SSN but the user didn't purchase the idpSSNMonitoring product) type: array description: >- Example values are: address, email, phoneNumber see https://docs.array.com/reference/post_api-monitoring-v2-idp for more information items: type: string v1beta1GenerateUserTokenResponse: type: object properties: userToken: type: string description: >- String token that represents a verified customer. Use the token as the value of the x-array-user-token header. errorResponse: type: object properties: UserNotFound: type: object UserAlreadyExists: type: object EntitlementsRequired: type: object TwoFactorAuthRequired: type: object InputValidationFailure: type: object properties: invalid_fields: type: array description: Names of the invalid fields items: type: string 423errorResponse: type: object properties: AttemptsTooEarly: type: object properties: retry_after: type: integer description: Number of seconds until the next attempt can be made MaximumAttemptsReached: type: object properties: max_allowed: type: integer description: Number of total attempts allowed. If exceeded customer needs to approach support to get the counter reset securitySchemes: X-Consumer-Id: type: apiKey in: header name: X-Consumer-Id description: Unique ID of the Backend Consumer Any-XV-Access-Token: type: http scheme: bearer bearerFormat: JWT description: An XV_Access Token 2FA-enabled-XV-Access-Token: type: http scheme: bearer bearerFormat: JWT description: An XV_Access Token which is enabled for 2FA by having the ```mec``` value in the ```amr``` claim listed CLP-Token: type: http scheme: bearer bearerFormat: JWT description: CLP Token a which is usually present in the xvnv389t Cookie, in that case also an S2S Token needs to be provided X-CLP-Token: type: apiKey in: header name: X-CLP-Token description: A CLP Token which is usually present in the xvnv389t Cookie and is considered to have 2FA enabled as well Server-2-Server-Secret: type: apiKey in: header name: X-S2S description: An S2S Token for communication between internal services provided as a header param S2S_Token: type: http scheme: bearer description: An S2S Token for communication between internal services provides as an Authorization Bearer token Subscription_Receipt_Token: type: http scheme: bearer bearerFormat: JWT description: Uses the JWT Subscription Receipt Token DAT_Token: type: http scheme: bearer bearerFormat: jwt description: Uses the DAT Token S2S_DTS_SRS: type: http scheme: bearer S2S_DTS_DBS: type: http scheme: bearer S2S_DTS_BLTS: type: http scheme: bearer S2S_RESET_SUBSCRIPTION: type: http scheme: bearer S2S_RESET_IP_RESERVATIONS: type: http scheme: bearer