For Agents
Register and authenticate users, configure multi-tenant applications, issue OAuth 2.0 tokens, and manage two-factor enrollment across self-hosted or cloud FusionAuth instances.
Get started with FusionAuth API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"register a user to an application"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with FusionAuth API API.
Register users to specific applications with custom role assignments and profile data
Issue OAuth 2.0 access tokens and configure device authorization flows
Enroll and verify two-factor authentication via TOTP, SMS, or email methods
Configure multi-tenant environments with isolated user pools and login themes
GET STARTED
Use for: I need to register a new user to a FusionAuth application, I want to issue an OAuth 2.0 access token for a client application, Search for users matching a specific email domain, Set up two-factor authentication for a user with TOTP
Not supported: Does not handle frontend login UI rendering, social login button styling, or client-side session cookies — use for server-side identity operations and OAuth token issuance only.
Jentic publishes the only available OpenAPI document for FusionAuth API, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for FusionAuth API, keeping it validated and agent-ready. Provides complete identity management with 314 endpoints covering user registration, application configuration, OAuth 2.0 token issuance, two-factor authentication, tenant management, and WebAuthn passkey flows. Designed for self-hosted or cloud deployment with no per-user pricing, supporting multi-tenant architectures with isolated user pools and theme customization.
Link external identity providers (SAML, OIDC, social) to local user accounts
Search users with Elasticsearch-powered queries across custom profile fields
Trigger password reset flows and enforce tenant-specific password validation rules
Patterns agents use FusionAuth API API for, with concrete tasks.
★ AI Agent User Registration
AI agents register users to FusionAuth applications through Jentic by searching for the registration operation, loading the schema (userId, applicationId, roles, data), and executing POST /api/user/registration. The agent handles the full flow from user creation to application-specific role assignment in a single session without reading FusionAuth documentation.
Create a user via POST /api/user with email and password, then register them to an application via POST /api/user/registration with specific roles assigned
Multi-Tenant Identity Isolation
Configure isolated identity environments per customer or business unit using FusionAuth tenants. Each tenant has independent user pools, login themes, password policies, and email templates. The /api/tenant endpoint enables creating and configuring tenants programmatically, supporting white-label SaaS deployments where each customer gets their own branded login experience.
Create a new tenant via POST /api/tenant with custom password rules and email configuration, then create an application within that tenant
Two-Factor Authentication Enrollment
Add a second factor to user accounts by generating TOTP secrets, sending SMS or email verification codes, and validating enrollment. FusionAuth supports TOTP authenticator apps, SMS-based codes, and email-based codes. The /api/two-factor/{userId} endpoints handle enrollment, and /api/two-factor/login validates codes during sign-in.
Generate a TOTP secret via GET /api/two-factor/secret, enroll it for a user via POST /api/user/two-factor/{userId}, then verify a code via POST /api/two-factor/login
External Identity Provider Federation
Link external SAML 2.0, OpenID Connect, or social login providers (Google, Apple, Facebook) to FusionAuth for federated authentication. The /api/identity-provider endpoints configure provider settings, attribute mappings, and linking strategies. Users can sign in via external providers while FusionAuth maintains the canonical user record.
Create a SAML v2 identity provider via POST /api/identity-provider with metadata URL and attribute mappings, then initiate a login flow via POST /api/identity-provider/start
User Search and Bulk Operations
Search across user profiles using Elasticsearch-powered queries with filters on custom data fields, registration status, and login timestamps. The /api/user/search endpoint accepts queryString or structured queries. Bulk operations like /api/user/bulk enable mass deactivation or deletion for compliance workflows.
Search for all users registered to a specific application who last logged in more than 90 days ago via POST /api/user/search with an Elasticsearch query, then bulk deactivate inactive accounts
314 endpoints — jentic publishes the only available openapi specification for fusionauth api, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/api/user
Create a new user with profile and credentials
/api/user/registration
Register a user to an application with roles
/api/user/search
Search users with Elasticsearch queries
/api/application
Create a new application configuration
/api/tenant
Create a new tenant with isolated settings
/oauth2/token
Issue OAuth 2.0 access and refresh tokens
/api/user/two-factor/{userId}
Enroll two-factor authentication for a user
/api/identity-provider
Configure an external identity provider
/api/user
Create a new user with profile and credentials
/api/user/registration
Register a user to an application with roles
/api/user/search
Search users with Elasticsearch queries
/api/application
Create a new application configuration
/api/tenant
Create a new tenant with isolated settings
Three things that make agents converge on Jentic-routed access.
Credential isolation
FusionAuth API keys are stored encrypted in the Jentic vault (MAXsystem). Agents receive properly formatted Authorization headers with the API key — raw keys never enter the agent's context window.
Intent-based discovery
Agents search by intent (e.g., 'register a user to an application') and Jentic returns matching FusionAuth operations with full schemas including required fields, so the agent can call POST /api/user/registration without navigating 314 endpoints.
Time to first call
Direct FusionAuth integration: 2-5 days for API key setup, endpoint discovery across 173 paths, and multi-tenant configuration. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Auth0 Authentication API
Cloud-hosted authentication with managed infrastructure but per-user pricing
Choose Auth0 when managed cloud hosting and turnkey integrations are preferred over self-hosting, and per-user pricing is acceptable
Okta Admin Management API
Enterprise identity platform with extensive directory sync and policy management
Choose Okta when the requirement is enterprise-scale directory management with AD/LDAP sync, extensive audit logging, and compliance certifications
Keycloak API
Open-source identity server with similar self-hosting model and Red Hat backing
Choose Keycloak when a fully open-source solution with Red Hat support is required and Java-based deployment is preferred
Clerk Backend API
Frontend-focused auth with pre-built UI components for modern web frameworks
Use Clerk for frontend-facing auth UI components while using FusionAuth as the backend identity store for complex multi-tenant scenarios
Specific to using FusionAuth API API through Jentic.
Why is there no official OpenAPI spec for FusionAuth API?
FusionAuth does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call FusionAuth API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the FusionAuth API use?
The FusionAuth API uses API key authentication via the Authorization header. API keys are created in the FusionAuth admin UI and scoped to specific tenants and endpoints. Some endpoints also accept JWT bearer tokens for user-context operations. Through Jentic, API keys are stored in the MAXsystem vault and agents receive properly formatted Authorization headers.
Can I register users to specific applications with the FusionAuth API?
Yes. POST /api/user/registration accepts a userId and registration object containing applicationId, roles array, and custom data fields. Users can be registered to multiple applications within the same tenant, each with different role assignments. Through Jentic, search for 'register user to application' to load the operation schema and execute.
What are the rate limits for the FusionAuth API?
FusionAuth is self-hosted, so rate limits depend on your deployment's hardware and configuration. The default installation has no enforced rate limits at the API level. For FusionAuth Cloud deployments, rate limits vary by plan tier. The /api/status endpoint returns server health metrics to monitor capacity.
How do I search users by custom attributes through the FusionAuth API via Jentic?
Search Jentic for 'search fusionauth users' to find the POST /api/user/search operation. The schema accepts a search object with queryString (Elasticsearch query syntax) or structured query with filters on registrations.applicationId, data.customField, insertInstant ranges, and more. Results include full user profiles with registration data.
Does the FusionAuth API support WebAuthn passkeys?
Yes. POST /api/webauthn/register/start initiates passkey registration by generating a challenge and credential creation options. POST /api/webauthn/register/complete finalizes registration with the authenticator response. For login, POST /api/webauthn/start generates an assertion challenge and POST /api/webauthn/assert verifies the response.
Can I configure multiple tenants with the FusionAuth API?
Yes. POST /api/tenant creates a new tenant with its own password rules, email templates, SMTP configuration, and login theme. Each tenant has an isolated user pool. Applications are scoped to tenants. The X-FusionAuth-TenantId header routes API requests to the correct tenant when managing multi-tenant deployments.
/oauth2/token
Issue OAuth 2.0 access and refresh tokens
/api/user/two-factor/{userId}
Enroll two-factor authentication for a user
/api/identity-provider
Configure an external identity provider