For Agents
Get started with PingOne Advanced Identity Cloud API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"list Advanced Identity Cloud certificates"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with PingOne Advanced Identity Cloud API API.
Manage TLS certificates and certificate signing requests for tenant environments
Configure cookie domains, custom domains, and content security policies
Issue and rotate environment secrets and variables
Promote configuration between environments using promotion locks and reports
GET STARTED
Manage Advanced Identity Cloud tenant environments, certificates, custom domains, secrets, variables, and config promotions from agent code.
Use for: I need to upload a new TLS certificate to a PingOne Advanced Identity Cloud environment, I want to list all custom domains configured on this tenant, Find a specific environment secret by ID, Get the current state of a promotion lock
Not supported: Does not handle end-user authentication journeys, OAuth client management, or directory record CRUD — use for PingOne Advanced Identity Cloud tenant environment configuration, certificates, secrets, variables, and promotions only.
Jentic publishes the only available OpenAPI document for PingOne Advanced Identity Cloud API, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for PingOne Advanced Identity Cloud API, keeping it validated and agent-ready. PingOne Advanced Identity Cloud (formerly ForgeRock Identity Cloud) is an enterprise identity platform used to manage tenant configuration, certificates, custom domains, federation, environment promotions, secrets, and variables. The API exposes 67 endpoints across environment management with multiple authentication options including OAuth 2.0, API key plus secret, and basic auth.
Configure federation enforcement and SSO settings on a tenant
Read environment counts and inspect promotion state
Authenticate with API key and secret for read-only operations or access tokens for writes
Patterns agents use PingOne Advanced Identity Cloud API API for, with concrete tasks.
★ Tenant Environment Configuration
Manage day-two configuration of an Advanced Identity Cloud tenant by automating certificate uploads, custom domains, cookie domains, and CSP rules. The API surfaces these as discrete endpoints under /environment so platform engineers can codify their identity environment alongside other infra-as-code. This eliminates manual portal work for repeatable changes.
Upload a new certificate to /environment/certificates and then add a custom domain via /environment/custom-domains for the supplied hostname.
Secrets and Variables Management
Manage environment secrets and variables through the corresponding endpoints to inject runtime configuration into Identity Cloud journeys and scripts. Useful for rotating secrets without redeploying configuration and for keeping environment-specific values out of journey JSON. Each secret and variable is referenced by ID in journey logic.
Rotate the secret named 'auth-signing-key' in /environment/secrets and update its value to the new key supplied by the user.
Config Promotion Workflows
Promote configuration changes from a development tenant to staging and production using the promotion endpoints under /environment/promotion. Lock the promotion to prevent concurrent changes, run the promotion, and inspect state via the promotion report. This formalises the move from manual exports to a controlled, auditable rollout pipeline.
Acquire a promotion lock via /environment/promotion/lock, trigger a promotion via /environment/promotion/promote, and return the new lock state.
Federation and SSO Management
Use /environment/federation/enforcement to enable or disable federation enforcement on a tenant, ensuring SSO requirements match policy. Useful for security teams running periodic compliance checks or enforcing a baseline across multiple tenants. The endpoint returns the current enforcement state and lets you toggle it.
Read /environment/federation/enforcement and switch enforcement to enabled if it is currently disabled.
AI Agent Identity Operations via Jentic
Agents use Jentic's intent search to find Identity Cloud operations, load the schema for the right environment endpoint, and execute calls under a scoped credential. This is the recommended pattern for platform copilots that automate routine identity admin tasks without exposing the underlying API key, secret, or access token to the model.
Use Jentic to search 'list Advanced Identity Cloud certificates', load the GET /environment/certificates schema, and return the IDs and expiry dates of all certificates on the tenant.
67 endpoints — jentic publishes the only available openapi specification for pingone advanced identity cloud api, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/environment/certificates
List installed TLS certificates
/environment/certificates/{id}
Retrieve a certificate by ID
/environment/csrs
List certificate signing requests
/environment/custom-domains
List custom domains
/environment/cookie-domains
List cookie domains
/environment/promotion/lock
Acquire a promotion lock
/environment/promotion/promote
Run a promotion
/environment/federation/enforcement
Read federation enforcement state
/environment/certificates
List installed TLS certificates
/environment/certificates/{id}
Retrieve a certificate by ID
/environment/csrs
List certificate signing requests
/environment/custom-domains
List custom domains
/environment/cookie-domains
List cookie domains
Three things that make agents converge on Jentic-routed access.
Credential isolation
The Identity Cloud API key id, secret, OAuth client credentials, or basic auth pair are stored encrypted in the Jentic vault (MAXsystem). Agents receive a scoped execution token and never see the underlying credentials, which is critical when the API can change tenant security configuration.
Intent-based discovery
Agents search by intent (e.g. 'list Advanced Identity Cloud certificates') and Jentic returns the GET /environment/certificates operation with its query schema, so the agent runs the right call without browsing Ping Identity docs.
Time to first call
Direct Identity Cloud integration: 1-2 weeks for authentication choice, environment configuration, and promotion automation. Through Jentic: under an hour — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
Okta API
Mainstream identity platform with broad SSO and lifecycle features.
Choose Okta when the organisation already runs Okta or wants the largest ecosystem of pre-built SSO integrations.
Auth0 API
Developer-first identity platform with strong CIAM features.
Choose Auth0 when the priority is developer experience for customer-facing login rather than enterprise tenant management.
Slack API
Team messaging for alerting platform engineers when promotions and certificate changes complete.
Use alongside Identity Cloud when an agent should notify a Slack channel after a promotion or certificate rotation finishes.
Specific to using PingOne Advanced Identity Cloud API API through Jentic.
Why is there no official OpenAPI spec for PingOne Advanced Identity Cloud API?
Ping Identity publishes reference docs but the only consolidated OpenAPI 3.0 specification is generated and maintained by Jentic so AI agents and developers can call PingOne Advanced Identity Cloud API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the PingOne Advanced Identity Cloud API use?
The API supports three schemes: an API key id and secret pair (in headers x-api-key-id and x-api-key-secret) for read-only tenant operations, OAuth 2.0 access tokens for write and access management operations, and basic auth as a fallback. Jentic stores the chosen credential encrypted in the MAXsystem vault.
Can I rotate environment secrets with the PingOne Advanced Identity Cloud API?
Yes, the /environment/secrets endpoints let you list, create, update, and delete tenant secrets. Rotating a secret in the API immediately makes the new value available to journeys and scripts that reference it by name.
What are the rate limits for the PingOne Advanced Identity Cloud API?
The OpenAPI spec does not declare explicit rate limits. Ping Identity applies tenant-level throughput controls in production — back off on 429 responses and avoid running large promotion or certificate operations in tight loops.
How do I run a config promotion through Jentic?
Search Jentic for 'promote Advanced Identity Cloud config', acquire a lock via /environment/promotion/lock, then load and execute /environment/promotion/promote. Read /environment/promotion/lock/state to confirm the lock has been released.
Does the PingOne Advanced Identity Cloud API support custom domains?
Yes, /environment/custom-domains and /environment/custom-domains/{realm} let you list and manage custom domains attached to specific realms. Pair this with /environment/certificates to upload the matching TLS certificate.
/environment/promotion/lock
Acquire a promotion lock
/environment/promotion/promote
Run a promotion
/environment/federation/enforcement
Read federation enforcement state