API v1hldgroup.org

Identity

The Identity API surfaces users, roles, access records, and risk scores from connected identity providers — including Azure AD, Okta, and Google Workspace.

The identity object

json
{
  "id": "idn_01hxyz",
  "tenant_id": "ten_01hxyz",
  "email": "[email protected]",
  "display_name": "John Smith",
  "status": "active",
  "risk_score": 34,
  "risk_level": "medium",
  "mfa_enrolled": true,
  "mfa_methods": ["totp", "hardware_key"],
  "privileged": false,
  "last_login_at": "2025-06-01T03:14:00Z",
  "last_login_ip": "41.58.22.11",
  "last_login_country": "NG",
  "provider": "azure_ad",
  "provider_id": "aad_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "roles": ["it-staff", "finance-reader"],
  "created_at": "2024-09-01T09:00:00Z"
}

Risk scoring

Risk scores run from 0 (no risk) to 100 (critical). Scores are computed continuously from login behaviour, access patterns, alert history, and threat intelligence feeds.

NameTypeRequiredDescription
0–20lowNoNormal behaviour. No action required.
21–50mediumNoAnomalous patterns detected. Monitor closely.
51–75highNoSignificant risk signals. Review and consider access restriction.
76–100criticalNoActive threat indicators. Immediate action warranted.

List identities

bash
GET /v1/identity
NameTypeRequiredDescription
filter[tenant_id]stringNoScope to a specific tenant.
filter[risk_level]stringNolow | medium | high | critical
filter[privileged]booleanNoFilter to privileged accounts only.
filter[mfa_enrolled]booleanNoFilter by MFA enrolment status.
filter[provider]stringNoazure_ad | okta | google_workspace | local

Force password reset

bash
POST /v1/identity/:id/force-password-reset

Revoke all sessions

bash
POST /v1/identity/:id/revoke-sessions
Warning:Session revocation is immediate and affects all active sessions across all devices and applications. Notify the user before triggering this in non-incident scenarios.

Disable account

bash
POST /v1/identity/:id/disable

{
  "reason": "Employee offboarding — IT ticket INC-4421"
}
ComplianceWebhooks