sftpgo/openapi/openapi.yaml

openapi: 3.0.3
tags:
  - name: healthcheck
  - name: token
  - name: maintenance
  - name: admins
  - name: API keys
  - name: connections
  - name: IP Lists
  - name: defender
  - name: quota
  - name: folders
  - name: groups
  - name: roles
  - name: users
  - name: data retention
  - name: events
  - name: metadata
  - name: user APIs
  - name: public shares
  - name: event manager
info:
  title: SFTPGo
  description: |
    SFTPGo allows you to securely share your files over SFTP and optionally over HTTP/S, FTP/S and WebDAV as well.
    Several storage backends are supported and they are configurable per-user, so you can serve a local directory for a user and an S3 bucket (or part of it) for another one.
    SFTPGo also supports virtual folders, a virtual folder can use any of the supported storage backends. So you can have, for example, a user with the S3 backend mapping a Google Cloud Storage bucket (or part of it) on a specified path and an encrypted local filesystem on another one.
    Virtual folders can be private or shared among multiple users, for shared virtual folders you can define different quota limits for each user.
    SFTPGo supports groups to simplify the administration of multiple accounts by letting you assign settings once to a group, instead of multiple times to each individual user.
    The SFTPGo WebClient allows end users to change their credentials, browse and manage their files in the browser and setup two-factor authentication which works with Authy, Google Authenticator and other compatible apps.
    From the WebClient each authorized user can also create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date.
  version: 2.5.99-dev
  contact:
    name: API support
    url: 'https://github.com/drakkan/sftpgo'
  license:
    name: AGPL-3.0-only
    url: 'https://www.gnu.org/licenses/agpl-3.0.en.html'
servers:
  - url: /api/v2
security:
  - BearerAuth: []
  - APIKeyAuth: []
paths:
  /healthz:
    get:
      security: []
      servers:
        - url: /
      tags:
        - healthcheck
      summary: health check
      description: This endpoint can be used to check if the application is running and responding to requests
      operationId: healthz
      responses:
        '200':
          description: successful operation
          content:
            text/plain; charset=utf-8:
              schema:
                type: string
                example: ok
  /shares/{id}:
    parameters:
      - name: id
        in: path
        description: the share id
        required: true
        schema:
          type: string
    get:
      security:
        - BasicAuth: []
      tags:
        - public shares
      summary: Download shared files and folders as a single zip file
      description: A zip file, containing the shared files and folders, will be generated on the fly and returned as response body. Only folders and regular files will be included in the zip. The share must be defined with the read scope and the associated user must have list and download permissions
      operationId: get_share
      parameters:
        - in: query
          name: compress
          schema:
            type: boolean
            default: true
          required: false
      responses:
        '200':
          description: successful operation
          content:
            '*/*':
              schema:
                type: string
                format: binary
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      security:
        - BasicAuth: []
      tags:
        - public shares
      summary: Upload one or more files to the shared path
      description: The share must be defined with the write scope and the associated user must have the upload permission
      operationId: upload_to_share
      requestBody:
        content:
          multipart/form-data:
            schema:
              type: object
              properties:
                filenames:
                  type: array
                  items:
                    type: string
                    format: binary
                  minItems: 1
                  uniqueItems: true
        required: true
      responses:
        '201':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '413':
          $ref: '#/components/responses/RequestEntityTooLarge'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /shares/{id}/files:
    parameters:
      - name: id
        in: path
        description: the share id
        required: true
        schema:
          type: string
    get:
      security:
        - BasicAuth: []
      tags:
        - public shares
      summary: Download a single file
      description: Returns the file contents as response body. The share must have exactly one path defined and it must be a directory for this to work
      operationId: download_share_file
      parameters:
        - in: query
          name: path
          required: true
          description: Path to the file to download. It must be URL encoded, for example the path "my dir/àdir/file.txt" must be sent as "my%20dir%2F%C3%A0dir%2Ffile.txt"
          schema:
            type: string
        - in: query
          name: inline
          required: false
          description: 'If set, the response will not have the Content-Disposition header set to `attachment`'
          schema:
            type: string
      responses:
        '200':
          description: successful operation
          content:
            '*/*':
              schema:
                type: string
                format: binary
        '206':
          description: successful operation
          content:
            '*/*':
              schema:
                type: string
                format: binary
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /shares/{id}/dirs:
    parameters:
      - name: id
        in: path
        description: the share id
        required: true
        schema:
          type: string
    get:
      security:
        - BasicAuth: []
      tags:
        - public shares
      summary: Read directory contents
      description: Returns the contents of the specified directory for the specified share. The share must have exactly one path defined and it must be a directory for this to work
      operationId: get_share_dir_contents
      parameters:
        - in: query
          name: path
          description: Path to the folder to read. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir". If empty or missing the user's start directory is assumed. If relative, the user's start directory is used as the base
          schema:
            type: string
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/DirEntry'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /shares/{id}/{fileName}:
    parameters:
      - name: id
        in: path
        description: the share id
        required: true
        schema:
          type: string
      - name: fileName
        in: path
        description: the name of the new file. It must be path encoded. Sub directories are not accepted
        required: true
        schema:
          type: string
      - name: X-SFTPGO-MTIME
        in: header
        schema:
          type: integer
        description: File modification time as unix timestamp in milliseconds
    post:
      security:
        - BasicAuth: []
      tags:
        - public shares
      summary: Upload a single file to the shared path
      description: The share must be defined with the write scope and the associated user must have the upload/overwrite permissions
      operationId: upload_single_to_share
      requestBody:
        content:
          application/*:
            schema:
              type: string
              format: binary
          text/*:
            schema:
              type: string
              format: binary
          image/*:
            schema:
              type: string
              format: binary
          audio/*:
            schema:
              type: string
              format: binary
          video/*:
            schema:
              type: string
              format: binary
        required: true
      responses:
        '201':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '413':
          $ref: '#/components/responses/RequestEntityTooLarge'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /token:
    get:
      security:
        - BasicAuth: []
      tags:
        - token
      summary: Get a new admin access token
      description: Returns an access token and its expiration
      operationId: get_token
      parameters:
        - in: header
          name: X-SFTPGO-OTP
          schema:
            type: string
          required: false
          description: 'If you have 2FA configured for the admin attempting to log in you need to set the authentication code using this header parameter'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Token'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /logout:
    get:
      security:
        - BearerAuth: []
      tags:
        - token
      summary: Invalidate an admin access token
      description: Allows to invalidate an admin token before its expiration
      operationId: logout
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/token:
    get:
      security:
        - BasicAuth: []
      tags:
        - token
      summary: Get a new user access token
      description: Returns an access token and its expiration
      operationId: get_user_token
      parameters:
        - in: header
          name: X-SFTPGO-OTP
          schema:
            type: string
          required: false
          description: 'If you have 2FA configured, for the HTTP protocol, for the user attempting to log in you need to set the authentication code using this header parameter'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Token'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/logout:
    get:
      security:
        - BearerAuth: []
      tags:
        - token
      summary: Invalidate a user access token
      description: Allows to invalidate a client token before its expiration
      operationId: client_logout
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /version:
    get:
      tags:
        - maintenance
      summary: Get version details
      description: 'Returns version details such as the version number, build date, commit hash and enabled features'
      operationId: get_version
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VersionInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /admin/changepwd:
    put:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Change admin password
      description: Changes the password for the logged in admin
      operationId: change_admin_password
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PwdChange'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /admin/profile:
    get:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Get admin profile
      description: 'Returns the profile for the logged in admin'
      operationId: get_admin_profile
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminProfile'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Update admin profile
      description: 'Allows to update the profile for the logged in admin'
      operationId: update_admin_profile
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AdminProfile'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /admin/2fa/recoverycodes:
    get:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Get recovery codes
      description: 'Returns the recovery codes for the logged in admin. Recovery codes can be used if the admin loses access to their second factor auth device. Recovery codes are returned unencrypted'
      operationId: get_admin_recovery_codes
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/RecoveryCode'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Generate recovery codes
      description: 'Generates new recovery codes for the logged in admin. Generating new recovery codes you automatically invalidate old ones'
      operationId: generate_admin_recovery_codes
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /admin/totp/configs:
    get:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Get available TOTP configuration
      description: Returns the available TOTP configurations for the logged in admin
      operationId: get_admin_totp_configs
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/TOTPConfig'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /admin/totp/generate:
    post:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Generate a new TOTP secret
      description: 'Generates a new TOTP secret, including the QR code as png, using the specified configuration for the logged in admin'
      operationId: generate_admin_totp_secret
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                config_name:
                  type: string
                  description: 'name of the configuration to use to generate the secret'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: object
                properties:
                  config_name:
                    type: string
                  issuer:
                    type: string
                  secret:
                    type: string
                  url:
                    type: string
                  qr_code:
                    type: string
                    format: byte
                    description: 'QR code png encoded as BASE64'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /admin/totp/validate:
    post:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Validate a one time authentication code
      description: 'Checks if the given authentication code can be validated using the specified secret and config name'
      operationId: validate_admin_totp_secret
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                config_name:
                  type: string
                  description: 'name of the configuration to use to validate the passcode'
                passcode:
                  type: string
                  description: 'passcode to validate'
                secret:
                  type: string
                  description: 'secret to use to validate the passcode'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Passcode successfully validated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /admin/totp/save:
    post:
      security:
        - BearerAuth: []
      tags:
        - admins
      summary: Save a TOTP config
      description: 'Saves the specified TOTP config for the logged in admin'
      operationId: save_admin_totp_config
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AdminTOTPConfig'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: TOTP configuration saved
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /connections:
    get:
      tags:
        - connections
      summary: Get connections details
      description: Returns the active users and info about their current uploads/downloads
      operationId: get_connections
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ConnectionStatus'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/connections/{connectionID}':
    delete:
      tags:
        - connections
      summary: Close connection
      description: Terminates an active connection
      operationId: close_connection
      parameters:
        - name: connectionID
          in: path
          description: ID of the connection to close
          required: true
          schema:
            type: string
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Connection closed
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /iplists/{type}:
    parameters:
      - name: type
        in: path
        description: IP list type
        required: true
        schema:
          $ref: '#/components/schemas/IPListType'
    get:
      tags:
        - IP Lists
      summary: Get IP list entries
      description: Returns an array with one or more IP list entry
      operationId: get_ip_list_entries
      parameters:
        - in: query
          name: filter
          schema:
            type: string
          description: restrict results to ipornet matching or starting with this filter
        - in: query
          name: from
          schema:
            type: string
          description: ipornet to start from
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering entries by ipornet field. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/IPListEntry'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - IP Lists
      summary: Add a new IP list entry
      description: Add an IP address or a CIDR network to a supported list
      operationId: add_ip_list_entry
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IPListEntry'
      responses:
        '201':
          description: successful operation
          headers:
            Location:
              schema:
                type: string
              description: 'URI of the newly created object'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Entry added
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /iplists/{type}/{ipornet}:
    parameters:
      - name: type
        in: path
        description: IP list type
        required: true
        schema:
          $ref: '#/components/schemas/IPListType'
      - name: ipornet
        in: path
        required: true
        schema:
          type: string
    get:
      tags:
        - IP Lists
      summary: Find entry by ipornet
      description: Returns the entry with the given ipornet if it exists.
      operationId: get_ip_list_by_ipornet
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IPListEntry'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - IP Lists
      summary: Update IP list entry
      description: Updates an existing IP list entry
      operationId: update_ip_list_entry
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IPListEntry'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Entry updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - IP Lists
      summary: Delete IP list entry
      description: Deletes an existing IP list entry
      operationId: delete_ip_list_entry
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Entry deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /defender/hosts:
    get:
      tags:
        - defender
      summary: Get hosts
      description: Returns hosts that are banned or for which some violations have been detected
      operationId: get_defender_hosts
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/DefenderEntry'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /defender/hosts/{id}:
    parameters:
      - name: id
        in: path
        description: host id
        required: true
        schema:
          type: string
    get:
      tags:
        - defender
      summary: Get host by id
      description: Returns the host with the given id, if it exists
      operationId: get_defender_host_by_id
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DefenderEntry'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - defender
      summary: Removes a host from the defender lists
      description: Unbans the specified host or clears its violations
      operationId: delete_defender_host_by_id
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /retention/users/checks:
    get:
      tags:
        - data retention
      summary: Get retention checks
      description: Returns the active retention checks
      operationId: get_users_retention_checks
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/RetentionCheck'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /retention/users/{username}/check:
    parameters:
      - name: username
        in: path
        description: the username
        required: true
        schema:
          type: string
      - name: notifications
        in: query
        description: 'specify how to notify results'
        explode: false
        schema:
          type: array
          items:
            $ref: '#/components/schemas/RetentionCheckNotification'
    post:
      tags:
        - data retention
      summary: Start a retention check
      description: 'Starts a new retention check for the given user. If a retention check for this user is already active a 409 status code is returned'
      operationId: start_user_retention_check
      requestBody:
        required: true
        description: 'Defines virtual paths to check and their retention time in hours'
        content:
          application/json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/FolderRetention'
      responses:
        '202':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Check started
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /quotas/users/scans:
    get:
      tags:
        - quota
      summary: Get active user quota scans
      description: Returns the active user quota scans
      operationId: get_users_quota_scans
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/QuotaScan'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /quotas/users/{username}/scan:
    parameters:
      - name: username
        in: path
        description: the username
        required: true
        schema:
          type: string
    post:
      tags:
        - quota
      summary: Start a user quota scan
      description: Starts a new quota scan for the given user. A quota scan updates the number of files and their total size for the specified user and the virtual folders, if any, included in his quota
      operationId: start_user_quota_scan
      responses:
        '202':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Scan started
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /quotas/users/{username}/usage:
    parameters:
      - name: username
        in: path
        description: the username
        required: true
        schema:
          type: string
      - in: query
        name: mode
        required: false
        description: the update mode specifies if the given quota usage values should be added or replace the current ones
        schema:
          type: string
          enum:
            - add
            - reset
          description: |
            Update type:
                * `add` - add the specified quota limits to the current used ones
                * `reset` - reset the values to the specified ones. This is the default
          example: reset
    put:
      tags:
        - quota
      summary: Update disk quota usage limits
      description: Sets the current used quota limits for the given user
      operationId: user_quota_update_usage
      requestBody:
        required: true
        description: 'If used_quota_size and used_quota_files are missing they will default to 0, this means that if mode is "add" the current value, for the missing field, will remain unchanged, if mode is "reset" the missing field is set to 0'
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/QuotaUsage'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Quota updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /quotas/users/{username}/transfer-usage:
    parameters:
      - name: username
        in: path
        description: the username
        required: true
        schema:
          type: string
      - in: query
        name: mode
        required: false
        description: the update mode specifies if the given quota usage values should be added or replace the current ones
        schema:
          type: string
          enum:
            - add
            - reset
          description: |
            Update type:
                * `add` - add the specified quota limits to the current used ones
                * `reset` - reset the values to the specified ones. This is the default
          example: reset
    put:
      tags:
        - quota
      summary: Update transfer quota usage limits
      description: Sets the current used transfer quota limits for the given user
      operationId: user_transfer_quota_update_usage
      requestBody:
        required: true
        description: 'If used_upload_data_transfer and used_download_data_transfer are missing they will default to 0, this means that if mode is "add" the current value, for the missing field, will remain unchanged, if mode is "reset" the missing field is set to 0'
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TransferQuotaUsage'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Quota updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /quotas/folders/scans:
    get:
      tags:
        - quota
      summary: Get active folder quota scans
      description: Returns the active folder quota scans
      operationId: get_folders_quota_scans
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/FolderQuotaScan'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /quotas/folders/{name}/scan:
    parameters:
      - name: name
        in: path
        description: folder name
        required: true
        schema:
          type: string
    post:
      tags:
        - quota
      summary: Start a folder quota scan
      description: Starts a new quota scan for the given folder. A quota scan update the number of files and their total size for the specified folder
      operationId: start_folder_quota_scan
      responses:
        '202':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Scan started
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /quotas/folders/{name}/usage:
    parameters:
      - name: name
        in: path
        description: folder name
        required: true
        schema:
          type: string
      - in: query
        name: mode
        required: false
        description: the update mode specifies if the given quota usage values should be added or replace the current ones
        schema:
          type: string
          enum:
            - add
            - reset
          description: |
            Update type:
                * `add` - add the specified quota limits to the current used ones
                * `reset` - reset the values to the specified ones. This is the default
          example: reset
    put:
      tags:
        - quota
      summary: Update folder quota usage limits
      description: Sets the current used quota limits for the given folder
      operationId: folder_quota_update_usage
      parameters:
        - in: query
          name: mode
          required: false
          description: the update mode specifies if the given quota usage values should be added or replace the current ones
          schema:
            type: string
            enum:
              - add
              - reset
            description: |
              Update type:
                * `add` - add the specified quota limits to the current used ones
                * `reset` - reset the values to the specified ones. This is the default
            example: reset
      requestBody:
        required: true
        description: 'If used_quota_size and used_quota_files are missing they will default to 0, this means that if mode is "add" the current value, for the missing field, will remain unchanged, if mode is "reset" the missing field is set to 0'
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/QuotaUsage'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Quota updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/Conflict'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /folders:
    get:
      tags:
        - folders
      summary: Get folders
      description: Returns an array with one or more folders
      operationId: get_folders
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering folders by name. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/BaseVirtualFolder'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - folders
      summary: Add folder
      operationId: add_folder
      description: Adds a new folder. A quota scan is required to update the used files/size
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BaseVirtualFolder'
      responses:
        '201':
          description: successful operation
          headers:
            Location:
              schema:
                type: string
              description: 'URI of the newly created object'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BaseVirtualFolder'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/folders/{name}':
    parameters:
      - name: name
        in: path
        description: folder name
        required: true
        schema:
          type: string
    get:
      tags:
        - folders
      summary: Find folders by name
      description: Returns the folder with the given name if it exists.
      operationId: get_folder_by_name
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BaseVirtualFolder'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - folders
      summary: Update folder
      description: Updates an existing folder
      operationId: update_folder
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BaseVirtualFolder'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Folder updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - folders
      summary: Delete folder
      description: Deletes an existing folder
      operationId: delete_folder
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: User deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /groups:
    get:
      tags:
        - groups
      summary: Get groups
      description: Returns an array with one or more groups
      operationId: get_groups
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering groups by name. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Group'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - groups
      summary: Add group
      operationId: add_group
      description: Adds a new group
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Group'
      responses:
        '201':
          description: successful operation
          headers:
            Location:
              schema:
                type: string
              description: 'URI of the newly created object'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Group'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/groups/{name}':
    parameters:
      - name: name
        in: path
        description: group name
        required: true
        schema:
          type: string
    get:
      tags:
        - groups
      summary: Find groups by name
      description: Returns the group with the given name if it exists.
      operationId: get_group_by_name
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Group'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - groups
      summary: Update group
      description: Updates an existing group
      operationId: update_group
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Group'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Group updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - groups
      summary: Delete group
      description: Deletes an existing group
      operationId: delete_group
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Group deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /roles:
    get:
      tags:
        - roles
      summary: Get roles
      description: Returns an array with one or more roles
      operationId: get_roles
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering groups by name. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Role'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - roles
      summary: Add role
      operationId: add_role
      description: Adds a new role
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Role'
      responses:
        '201':
          description: successful operation
          headers:
            Location:
              schema:
                type: string
              description: 'URI of the newly created object'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/roles/{name}':
    parameters:
      - name: name
        in: path
        description: role name
        required: true
        schema:
          type: string
    get:
      tags:
        - roles
      summary: Find roles by name
      description: Returns the role with the given name if it exists.
      operationId: get_role_by_name
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - roles
      summary: Update role
      description: Updates an existing role
      operationId: update_role
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Role'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Group updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - roles
      summary: Delete role
      description: Deletes an existing role
      operationId: delete_role
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Group deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /eventactions:
    get:
      tags:
        - event manager
      summary: Get event actions
      description: Returns an array with one or more event actions
      operationId: get_event_actons
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering actions by name. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/BaseEventAction'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - event manager
      summary: Add event action
      operationId: add_event_action
      description: Adds a new event actions
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BaseEventAction'
      responses:
        '201':
          description: successful operation
          headers:
            Location:
              schema:
                type: string
              description: 'URI of the newly created object'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BaseEventAction'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/eventactions/{name}':
    parameters:
      - name: name
        in: path
        description: action name
        required: true
        schema:
          type: string
    get:
      tags:
        - event manager
      summary: Find event actions by name
      description: Returns the event action with the given name if it exists.
      operationId: get_event_action_by_name
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BaseEventAction'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - event manager
      summary: Update event action
      description: Updates an existing event action
      operationId: update_event_action
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BaseEventAction'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Event action updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - event manager
      summary: Delete event action
      description: Deletes an existing event action
      operationId: delete_event_action
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Event action deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /eventrules:
    get:
      tags:
        - event manager
      summary: Get event rules
      description: Returns an array with one or more event rules
      operationId: get_event_rules
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering rules by name. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/EventRule'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - event manager
      summary: Add event rule
      operationId: add_event_rule
      description: Adds a new event rule
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EventRuleMinimal'
      responses:
        '201':
          description: successful operation
          headers:
            Location:
              schema:
                type: string
              description: 'URI of the newly created object'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EventRule'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/eventrules/{name}':
    parameters:
      - name: name
        in: path
        description: rule name
        required: true
        schema:
          type: string
    get:
      tags:
        - event manager
      summary: Find event rules by name
      description: Returns the event rule with the given name if it exists.
      operationId: get_event_rile_by_name
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EventRule'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - event manager
      summary: Update event rule
      description: Updates an existing event rule
      operationId: update_event_rule
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EventRuleMinimal'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Event rules updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - event manager
      summary: Delete event rule
      description: Deletes an existing event rule
      operationId: delete_event_rule
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Event rules deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/eventrules/run/{name}':
    parameters:
      - name: name
        in: path
        description: on-demand rule name
        required: true
        schema:
          type: string
    post:
      tags:
        - event manager
      summary: Run an on-demand event rule
      description: The rule's actions will run in background. SFTPGo will not monitor any concurrency and such. If you want to be notified at the end of the execution please add an appropriate action
      operationId: run_event_rule
      responses:
        '202':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Event rule started
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /events/fs:
    get:
      tags:
        - events
      summary: Get filesystem events
      description: 'Returns an array with one or more filesystem events applying the specified filters. This API is only available if you configure an "eventsearcher" plugin'
      operationId: get_fs_events
      parameters:
        - in: query
          name: start_timestamp
          schema:
            type: integer
            format: int64
            minimum: 0
            default: 0
          required: false
          description: 'the event timestamp, unix timestamp in nanoseconds, must be greater than or equal to the specified one. 0 or missing means omit this filter'
        - in: query
          name: end_timestamp
          schema:
            type: integer
            format: int64
            minimum: 0
            default: 0
          required: false
          description: 'the event timestamp, unix timestamp in nanoseconds, must be less than or equal to the specified one. 0 or missing means omit this filter'
        - in: query
          name: actions
          schema:
            type: array
            items:
              $ref: '#/components/schemas/FsEventAction'
          description: 'the event action must be included among those specified. Empty or missing means omit this filter. Actions must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: username
          schema:
            type: string
          description: 'the event username must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: ip
          schema:
            type: string
          description: 'the event IP must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: ssh_cmd
          schema:
            type: string
          description: 'the event SSH command must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: fs_provider
          schema:
            $ref: '#/components/schemas/FsProviders'
          description: 'the event filesystem provider must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: bucket
          schema:
            type: string
          description: 'the bucket must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: endpoint
          schema:
            type: string
          description: 'the endpoint must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: protocols
          schema:
            type: array
            items:
              $ref: '#/components/schemas/EventProtocols'
          description: 'the event protocol must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: statuses
          schema:
            type: array
            items:
              $ref: '#/components/schemas/FsEventStatus'
          description: 'the event status must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: instance_ids
          schema:
            type: array
            items:
              type: string
          description: 'the event instance id must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: from_id
          schema:
            type: string
          description: 'the event id to start from. This is useful for cursor based pagination. Empty or missing means omit this filter.'
          required: false
        - in: query
          name: role
          schema:
            type: string
          description: 'User role. Empty or missing means omit this filter. Ignored if the admin has a role'
          required: false
        - in: query
          name: csv_export
          schema:
            type: boolean
            default: false
          required: false
          description: 'If enabled, events are exported as a CSV file'
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 1000
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 1000, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering events by timestamp. Default DESC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: DESC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/FsEvent'
            text/csv:
              schema:
                type: string
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /events/provider:
    get:
      tags:
        - events
      summary: Get provider events
      description: 'Returns an array with one or more provider events applying the specified filters. This API is only available if you configure an "eventsearcher" plugin'
      operationId: get_provider_events
      parameters:
        - in: query
          name: start_timestamp
          schema:
            type: integer
            format: int64
            minimum: 0
            default: 0
          required: false
          description: 'the event timestamp, unix timestamp in nanoseconds, must be greater than or equal to the specified one. 0 or missing means omit this filter'
        - in: query
          name: end_timestamp
          schema:
            type: integer
            format: int64
            minimum: 0
            default: 0
          required: false
          description: 'the event timestamp, unix timestamp in nanoseconds, must be less than or equal to the specified one. 0 or missing means omit this filter'
        - in: query
          name: actions
          schema:
            type: array
            items:
              $ref: '#/components/schemas/ProviderEventAction'
          description: 'the event action must be included among those specified. Empty or missing means omit this filter. Actions must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: username
          schema:
            type: string
          description: 'the event username must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: ip
          schema:
            type: string
          description: 'the event IP must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: object_name
          schema:
            type: string
          description: 'the event object name must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: object_types
          schema:
            type: array
            items:
              $ref: '#/components/schemas/ProviderEventObjectType'
          description: 'the event object type must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: instance_ids
          schema:
            type: array
            items:
              type: string
          description: 'the event instance id must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: from_id
          schema:
            type: string
          description: 'the event id to start from. This is useful for cursor based pagination. Empty or missing means omit this filter.'
          required: false
        - in: query
          name: role
          schema:
            type: string
          description: 'Admin role. Empty or missing means omit this filter. Ignored if the admin has a role'
          required: false
        - in: query
          name: csv_export
          schema:
            type: boolean
            default: false
          required: false
          description: 'If enabled, events are exported as a CSV file'
        - in: query
          name: omit_object_data
          schema:
            type: boolean
            default: false
          required: false
          description: 'If enabled, returned events will not contain the `object_data` field'
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 1000
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 1000, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering events by timestamp. Default DESC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: DESC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ProviderEvent'
            text/csv:
              schema:
                type: string
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /events/log:
    get:
      tags:
        - events
      summary: Get log events
      description: 'Returns an array with one or more log events applying the specified filters. This API is only available if you configure an "eventsearcher" plugin'
      operationId: get_log_events
      parameters:
        - in: query
          name: start_timestamp
          schema:
            type: integer
            format: int64
            minimum: 0
            default: 0
          required: false
          description: 'the event timestamp, unix timestamp in nanoseconds, must be greater than or equal to the specified one. 0 or missing means omit this filter'
        - in: query
          name: end_timestamp
          schema:
            type: integer
            format: int64
            minimum: 0
            default: 0
          required: false
          description: 'the event timestamp, unix timestamp in nanoseconds, must be less than or equal to the specified one. 0 or missing means omit this filter'
        - in: query
          name: events
          schema:
            type: array
            items:
              $ref: '#/components/schemas/LogEventType'
          description: 'the log events must be included among those specified. Empty or missing means omit this filter. Events must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: username
          schema:
            type: string
          description: 'the event username must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: ip
          schema:
            type: string
          description: 'the event IP must be the same as the one specified. Empty or missing means omit this filter'
          required: false
        - in: query
          name: protocols
          schema:
            type: array
            items:
              $ref: '#/components/schemas/EventProtocols'
          description: 'the event protocol must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: instance_ids
          schema:
            type: array
            items:
              type: string
          description: 'the event instance id must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
          explode: false
          required: false
        - in: query
          name: from_id
          schema:
            type: string
          description: 'the event id to start from. This is useful for cursor based pagination. Empty or missing means omit this filter.'
          required: false
        - in: query
          name: role
          schema:
            type: string
          description: 'User role. Empty or missing means omit this filter. Ignored if the admin has a role'
          required: false
        - in: query
          name: csv_export
          schema:
            type: boolean
            default: false
          required: false
          description: 'If enabled, events are exported as a CSV file'
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 1000
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 1000, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering events by timestamp. Default DESC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: DESC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/LogEvent'
            text/csv:
              schema:
                type: string
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /apikeys:
    get:
      security:
        - BearerAuth: []
      tags:
        - API keys
      summary: Get API keys
      description: Returns an array with one or more API keys. For security reasons hashed keys are omitted in the response
      operationId: get_api_keys
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering API keys by id. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/APIKey'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      security:
        - BearerAuth: []
      tags:
        - API keys
      summary: Add API key
      description: Adds a new API key
      operationId: add_api_key
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/APIKey'
      responses:
        '201':
          description: successful operation
          headers:
            X-Object-ID:
              schema:
                type: string
              description: ID for the new created API key
            Location:
              schema:
                type: string
              description: URI to retrieve the details for the new created API key
          content:
            application/json:
              schema:
                type: object
                properties:
                  mesage:
                    type: string
                    example: 'API key created. This is the only time the API key is visible, please save it.'
                  key:
                    type: string
                    description: 'generated API key'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/apikeys/{id}':
    parameters:
      - name: id
        in: path
        description: the key id
        required: true
        schema:
          type: string
    get:
      security:
        - BearerAuth: []
      tags:
        - API keys
      summary: Find API key by id
      description: Returns the API key with the given id, if it exists. For security reasons the hashed key is omitted in the response
      operationId: get_api_key_by_id
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIKey'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      security:
        - BearerAuth: []
      tags:
        - API keys
      summary: Update API key
      description: Updates an existing API key. You cannot update the key itself, the creation date and the last use
      operationId: update_api_key
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/APIKey'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: API key updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      security:
        - BearerAuth: []
      tags:
        - API keys
      summary: Delete API key
      description: Deletes an existing API key
      operationId: delete_api_key
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Admin deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /admins:
    get:
      tags:
        - admins
      summary: Get admins
      description: Returns an array with one or more admins. For security reasons hashed passwords are omitted in the response
      operationId: get_admins
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering admins by username. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Admin'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - admins
      summary: Add admin
      description: 'Adds a new admin. Recovery codes and TOTP configuration cannot be set using this API: each admin must use the specific APIs'
      operationId: add_admin
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Admin'
      responses:
        '201':
          description: successful operation
          headers:
            Location:
              schema:
                type: string
              description: 'URI of the newly created object'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Admin'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/admins/{username}':
    parameters:
      - name: username
        in: path
        description: the admin username
        required: true
        schema:
          type: string
    get:
      tags:
        - admins
      summary: Find admins by username
      description: 'Returns the admin with the given username, if it exists. For security reasons the hashed password is omitted in the response'
      operationId: get_admin_by_username
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Admin'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - admins
      summary: Update admin
      description: 'Updates an existing admin. Recovery codes and TOTP configuration cannot be set/updated using this API: each admin must use the specific APIs. You are not allowed to update the admin impersonated using an API key'
      operationId: update_admin
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Admin'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Admin updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - admins
      summary: Delete admin
      description: Deletes an existing admin
      operationId: delete_admin
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Admin deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/admins/{username}/2fa/disable':
    parameters:
      - name: username
        in: path
        description: the admin username
        required: true
        schema:
          type: string
    put:
      tags:
        - admins
      summary: Disable second factor authentication
      description: 'Disables second factor authentication for the given admin. This API must be used if the admin loses access to their second factor auth device and has no recovery codes'
      operationId: disable_admin_2fa
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: 2FA disabled
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/admins/{username}/forgot-password':
    parameters:
      - name: username
        in: path
        description: the admin username
        required: true
        schema:
          type: string
    post:
      security: []
      tags:
        - admins
      summary: Send a password reset code by email
      description: 'You must set up an SMTP server and the account must have a valid email address, in which case SFTPGo will send a code via email to reset the password. If the specified admin does not exist, the request will be silently ignored (a success response will be returned) to avoid disclosing existing admins'
      operationId: admin_forgot_password
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/admins/{username}/reset-password':
    parameters:
      - name: username
        in: path
        description: the admin username
        required: true
        schema:
          type: string
    post:
      security: []
      tags:
        - admins
      summary: Reset the password
      description: 'Set a new password using the code received via email'
      operationId: admin_reset_password
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                code:
                  type: string
                password:
                  type: string
        required: true
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /users:
    get:
      tags:
        - users
      summary: Get users
      description: Returns an array with one or more users. For security reasons hashed passwords are omitted in the response
      operationId: get_users
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering users by username. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - users
      summary: Add user
      description: 'Adds a new user.Recovery codes and TOTP configuration cannot be set using this API: each user must use the specific APIs'
      operationId: add_user
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the hash of the password and the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/User'
      responses:
        '201':
          description: successful operation
          headers:
            Location:
              schema:
                type: string
              description: 'URI of the newly created object'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/users/{username}':
    parameters:
      - name: username
        in: path
        description: the username
        required: true
        schema:
          type: string
    get:
      tags:
        - users
      summary: Find users by username
      description: Returns the user with the given username if it exists. For security reasons the hashed password is omitted in the response
      operationId: get_user_by_username
      parameters:
        - in: query
          name: confidential_data
          schema:
            type: integer
          description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the hash of the password and the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the manage_system permission is not granted.'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - users
      summary: Update user
      description: 'Updates an existing user and optionally disconnects it, if connected, to apply the new settings. The current password will be preserved if the password field is omitted in the request body. Recovery codes and TOTP configuration cannot be set/updated using this API: each user must use the specific APIs'
      operationId: update_user
      parameters:
        - in: query
          name: disconnect
          schema:
            type: integer
            enum:
              - 0
              - 1
          description: |
            Disconnect:
              * `0` The user will not be disconnected and it will continue to use the old configuration until connected. This is the default
              * `1` The user will be disconnected after a successful update. It must login again and so it will be forced to use the new configuration
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/User'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: User updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - users
      summary: Delete user
      description: Deletes an existing user
      operationId: delete_user
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: User deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/users/{username}/2fa/disable':
    parameters:
      - name: username
        in: path
        description: the username
        required: true
        schema:
          type: string
    put:
      tags:
        - users
      summary: Disable second factor authentication
      description: 'Disables second factor authentication for the given user. This API must be used if the user loses access to their second factor auth device and has no recovery codes'
      operationId: disable_user_2fa
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: 2FA disabled
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/users/{username}/forgot-password':
    parameters:
      - name: username
        in: path
        description: the username
        required: true
        schema:
          type: string
    post:
      security: []
      tags:
        - users
      summary: Send a password reset code by email
      description: 'You must configure an SMTP server, the account must have a valid email address and must not have the "reset-password-disabled" restriction, in which case SFTPGo will send a code via email to reset the password. If the specified user does not exist, the request will be silently ignored (a success response will be returned) to avoid disclosing existing users'
      operationId: user_forgot_password
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/users/{username}/reset-password':
    parameters:
      - name: username
        in: path
        description: the username
        required: true
        schema:
          type: string
    post:
      security: []
      tags:
        - users
      summary: Reset the password
      description: 'Set a new password using the code received via email'
      operationId: user_reset_password
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                code:
                  type: string
                password:
                  type: string
        required: true
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /status:
    get:
      tags:
        - maintenance
      summary: Get status
      description: Retrieves the status of the active services
      operationId: get_status
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServicesStatus'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /dumpdata:
    get:
      tags:
        - maintenance
      summary: Dump data
      description: 'Backups data as data provider independent JSON. The backup can be saved in a local file on the server, to avoid exposing sensitive data over the network, or returned as response body. The output of dumpdata can be used as input for loaddata'
      operationId: dumpdata
      parameters:
        - in: query
          name: output-file
          schema:
            type: string
          description: Path for the file to write the JSON serialized data to. This path is relative to the configured "backups_path". If this file already exists it will be overwritten. To return the backup as response body set `output_data` to true instead.
        - in: query
          name: output-data
          schema:
            type: integer
            enum:
              - 0
              - 1
          description: |
            output data:
              * `0` or any other value != 1, the backup will be saved to a file on the server, `output_file` is required
              * `1` the backup will be returned as response body
        - in: query
          name: indent
          schema:
            type: integer
            enum:
              - 0
              - 1
          description: |
            indent:
              * `0` no indentation. This is the default
              * `1` format the output JSON
        - in: query
          name: scopes
          schema:
            type: array
            items:
              $ref: '#/components/schemas/DumpDataScopes'
          description: 'You can limit the dump contents to the specified scopes. Empty or missing means any supported scope. Scopes must be specified comma separated'
          explode: false
          required: false
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/ApiResponse'
                  - $ref: '#/components/schemas/BackupData'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /loaddata:
    parameters:
      - in: query
        name: scan-quota
        schema:
          type: integer
          enum:
            - 0
            - 1
            - 2
        description: |
          Quota scan:
            * `0` no quota scan is done, the imported users/folders will have used_quota_size and used_quota_files = 0 or the existing values if they already exists. This is the default
            * `1` scan quota
            * `2` scan quota if the user has quota restrictions
          required: false
      - in: query
        name: mode
        schema:
          type: integer
          enum:
            - 0
            - 1
            - 2
        description: |
          Mode:
            * `0` New objects are added, existing ones are updated. This is the default
            * `1` New objects are added, existing ones are not modified
            * `2` New objects are added, existing ones are updated and connected users are disconnected and so forced to use the new configuration
    get:
      tags:
        - maintenance
      summary: Load data from path
      description: 'Restores SFTPGo data from a JSON backup file on the server. Objects will be restored one by one and the restore is stopped if a object cannot be added or updated, so it could happen a partial restore'
      operationId: loaddata_from_file
      parameters:
        - in: query
          name: input-file
          schema:
            type: string
          required: true
          description: Path for the file to read the JSON serialized data from. This can be an absolute path or a path relative to the configured "backups_path". The max allowed file size is 10MB
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Data restored
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - maintenance
      summary: Load data
      description: 'Restores SFTPGo data from a JSON backup. Objects will be restored one by one and the restore is stopped if a object cannot be added or updated, so it could happen a partial restore'
      operationId: loaddata_from_request_body
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BackupData'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Data restored
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/changepwd:
    put:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Change user password
      description: Changes the password for the logged in user
      operationId: change_user_password
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PwdChange'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/profile:
    get:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Get user profile
      description: 'Returns the profile for the logged in user'
      operationId: get_user_profile
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserProfile'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Update user profile
      description: 'Allows to update the profile for the logged in user'
      operationId: update_user_profile
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserProfile'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/2fa/recoverycodes:
    get:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Get recovery codes
      description: 'Returns the recovery codes for the logged in user. Recovery codes can be used if the user loses access to their second factor auth device. Recovery codes are returned unencrypted'
      operationId: get_user_recovery_codes
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/RecoveryCode'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Generate recovery codes
      description: 'Generates new recovery codes for the logged in user. Generating new recovery codes you automatically invalidate old ones'
      operationId: generate_user_recovery_codes
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/totp/configs:
    get:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Get available TOTP configuration
      description: Returns the available TOTP configurations for the logged in user
      operationId: get_user_totp_configs
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/TOTPConfig'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/totp/generate:
    post:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Generate a new TOTP secret
      description: 'Generates a new TOTP secret, including the QR code as png, using the specified configuration for the logged in user'
      operationId: generate_user_totp_secret
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                config_name:
                  type: string
                  description: 'name of the configuration to use to generate the secret'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: object
                properties:
                  config_name:
                    type: string
                  issuer:
                    type: string
                  secret:
                    type: string
                  qr_code:
                    type: string
                    format: byte
                    description: 'QR code png encoded as BASE64'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/totp/validate:
    post:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Validate a one time authentication code
      description: 'Checks if the given authentication code can be validated using the specified secret and config name'
      operationId: validate_user_totp_secret
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                config_name:
                  type: string
                  description: 'name of the configuration to use to validate the passcode'
                passcode:
                  type: string
                  description: 'passcode to validate'
                secret:
                  type: string
                  description: 'secret to use to validate the passcode'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Passcode successfully validated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/totp/save:
    post:
      security:
        - BearerAuth: []
      tags:
        - user APIs
      summary: Save a TOTP config
      description: 'Saves the specified TOTP config for the logged in user'
      operationId: save_user_totp_config
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserTOTPConfig'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: TOTP configuration saved
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/shares:
    get:
      tags:
        - user APIs
      summary: List user shares
      description: Returns the share for the logged in user
      operationId: get_user_shares
      parameters:
        - in: query
          name: offset
          schema:
            type: integer
            minimum: 0
            default: 0
          required: false
        - in: query
          name: limit
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 100
          required: false
          description: 'The maximum number of items to return. Max value is 500, default is 100'
        - in: query
          name: order
          required: false
          description: Ordering shares by ID. Default ASC
          schema:
            type: string
            enum:
              - ASC
              - DESC
            example: ASC
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Share'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - user APIs
      summary: Add a share
      operationId: add_share
      description: 'Adds a new share. The share id will be auto-generated'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Share'
      responses:
        '201':
          description: successful operation
          headers:
            X-Object-ID:
              schema:
                type: string
              description: ID for the new created share
            Location:
              schema:
                type: string
              description: URI to retrieve the details for the new created share
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  '/user/shares/{id}':
    parameters:
      - name: id
        in: path
        description: the share id
        required: true
        schema:
          type: string
    get:
      tags:
        - user APIs
      summary: Get share by id
      description: Returns a share by id for the logged in user
      operationId: get_user_share_by_id
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Share'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    put:
      tags:
        - user APIs
      summary: Update share
      description: 'Updates an existing share belonging to the logged in user'
      operationId: update_user_share
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Share'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Share updated
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - user APIs
      summary: Delete share
      description: 'Deletes an existing share belonging to the logged in user'
      operationId: delete_user_share
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
              example:
                message: Share deleted
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/file-actions/copy:
    parameters:
      - in: query
        name: path
        description: Path to the file/folder to copy. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
        schema:
          type: string
        required: true
      - in: query
        name: target
        description: New name. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
        schema:
          type: string
        required: true
    post:
      tags:
        - user APIs
      summary: 'Copy a file or a directory'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/file-actions/move:
    parameters:
      - in: query
        name: path
        description: Path to the file/folder to rename. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
        schema:
          type: string
        required: true
      - in: query
        name: target
        description: New name. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
        schema:
          type: string
        required: true
    post:
      tags:
        - user APIs
      summary: 'Move (rename) a file or a directory'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/dirs:
    get:
      tags:
        - user APIs
      summary: Read directory contents
      description: Returns the contents of the specified directory for the logged in user
      operationId: get_user_dir_contents
      parameters:
        - in: query
          name: path
          description: Path to the folder to read. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir". If empty or missing the user's start directory is assumed. If relative, the user's start directory is used as the base
          schema:
            type: string
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/DirEntry'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - user APIs
      summary: Create a directory
      description: Create a directory for the logged in user
      operationId: create_user_dir
      parameters:
        - in: query
          name: path
          description: Path to the folder to create. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
          schema:
            type: string
          required: true
        - in: query
          name: mkdir_parents
          description: Create parent directories if they do not exist?
          schema:
            type: boolean
          required: false
      responses:
        '201':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    patch:
      tags:
        - user APIs
      deprecated: true
      summary: 'Rename a directory. Deprecated, use "file-actions/move"'
      description: Rename a directory for the logged in user. The rename is allowed for empty directory or for non empty local directories, with no virtual folders inside
      operationId: rename_user_dir
      parameters:
        - in: query
          name: path
          description: Path to the folder to rename. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
          schema:
            type: string
          required: true
        - in: query
          name: target
          description: New name. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
          schema:
            type: string
          required: true
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - user APIs
      summary: Delete a directory
      description: Delete a directory and any children it contains for the logged in user
      operationId: delete_user_dir
      parameters:
        - in: query
          name: path
          description: Path to the folder to delete. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
          schema:
            type: string
          required: true
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/files:
    get:
      tags:
        - user APIs
      summary: Download a single file
      description: Returns the file contents as response body
      operationId: download_user_file
      parameters:
        - in: query
          name: path
          required: true
          description: Path to the file to download. It must be URL encoded, for example the path "my dir/àdir/file.txt" must be sent as "my%20dir%2F%C3%A0dir%2Ffile.txt"
          schema:
            type: string
        - in: query
          name: inline
          required: false
          description: 'If set, the response will not have the Content-Disposition header set to `attachment`'
          schema:
            type: string
      responses:
        '200':
          description: successful operation
          content:
            '*/*':
              schema:
                type: string
                format: binary
        '206':
          description: successful operation
          content:
            '*/*':
              schema:
                type: string
                format: binary
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    post:
      tags:
        - user APIs
      summary: Upload files
      description: Upload one or more files for the logged in user
      operationId: create_user_files
      parameters:
        - in: query
          name: path
          description: Parent directory for the uploaded files. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir". If empty or missing the root path is assumed. If a file with the same name already exists, it will be overwritten
          schema:
            type: string
        - in: query
          name: mkdir_parents
          description: Create parent directories if they do not exist?
          schema:
            type: boolean
          required: false
      requestBody:
        content:
          multipart/form-data:
            schema:
              type: object
              properties:
                filenames:
                  type: array
                  items:
                    type: string
                    format: binary
                  minItems: 1
                  uniqueItems: true
        required: true
      responses:
        '201':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '413':
          $ref: '#/components/responses/RequestEntityTooLarge'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    patch:
      tags:
        - user APIs
      deprecated: true
      summary: Rename a file
      description: 'Rename a file for the logged in user. Deprecated, use "file-actions/move"'
      operationId: rename_user_file
      parameters:
        - in: query
          name: path
          description: Path to the file to rename. It must be URL encoded
          schema:
            type: string
          required: true
        - in: query
          name: target
          description: New name. It must be URL encoded
          schema:
            type: string
          required: true
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
    delete:
      tags:
        - user APIs
      summary: Delete a file
      description: Delete a file for the logged in user.
      operationId: delete_user_file
      parameters:
        - in: query
          name: path
          description: Path to the file to delete. It must be URL encoded
          schema:
            type: string
          required: true
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/files/upload:
    post:
      tags:
        - user APIs
      summary: Upload a single file
      description: 'Upload a single file for the logged in user to an existing directory. This API does not use multipart/form-data and so no temporary files are created server side but only a single file can be uploaded as POST body'
      operationId: create_user_file
      parameters:
        - in: query
          name: path
          description: Full file path. It must be path encoded, for example the path "my dir/àdir/file.txt" must be sent as "my%20dir%2F%C3%A0dir%2Ffile.txt". The parent directory must exist. If a file with the same name already exists, it will be overwritten
          schema:
            type: string
          required: true
        - in: query
          name: mkdir_parents
          description: Create parent directories if they do not exist?
          schema:
            type: boolean
          required: false
        - in: header
          name: X-SFTPGO-MTIME
          schema:
            type: integer
          description: File modification time as unix timestamp in milliseconds
      requestBody:
        content:
          application/*:
            schema:
              type: string
              format: binary
          text/*:
            schema:
              type: string
              format: binary
          image/*:
            schema:
              type: string
              format: binary
          audio/*:
            schema:
              type: string
              format: binary
          video/*:
            schema:
              type: string
              format: binary
        required: true
      responses:
        '201':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '413':
          $ref: '#/components/responses/RequestEntityTooLarge'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/files/metadata:
    patch:
      tags:
        - user APIs
      summary: Set metadata for a file/directory
      description: 'Set supported metadata attributes for the specified file or directory'
      operationId: setprops_user_file
      parameters:
        - in: query
          name: path
          description: Full file/directory path. It must be URL encoded, for example the path "my dir/àdir/file.txt" must be sent as "my%20dir%2F%C3%A0dir%2Ffile.txt"
          schema:
            type: string
          required: true
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                modification_time:
                  type: integer
                  description: File modification time as unix timestamp in milliseconds
        required: true
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '413':
          $ref: '#/components/responses/RequestEntityTooLarge'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
  /user/streamzip:
    post:
      tags:
        - user APIs
      summary: Download multiple files and folders as a single zip file
      description: A zip file, containing the specified files and folders, will be generated on the fly and returned as response body. Only folders and regular files will be included in the zip
      operationId: streamzip
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: array
              items:
                type: string
                description: Absolute file or folder path
      responses:
        '200':
          description: successful operation
          content:
            'application/zip':
              schema:
                type: string
                format: binary
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
        default:
          $ref: '#/components/responses/DefaultResponse'
components:
  responses:
    BadRequest:
      description: Bad Request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiResponse'
    Unauthorized:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiResponse'
    Forbidden:
      description: Forbidden
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiResponse'
    NotFound:
      description: Not Found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiResponse'
    Conflict:
      description: Conflict
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiResponse'
    RequestEntityTooLarge:
      description: Request Entity Too Large, max allowed size exceeded
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiResponse'
    InternalServerError:
      description: Internal Server Error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiResponse'
    DefaultResponse:
      description: Unexpected Error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiResponse'
  schemas:
    Permission:
      type: string
      enum:
        - '*'
        - list
        - download
        - upload
        - overwrite
        - delete
        - delete_files
        - delete_dirs
        - rename
        - rename_files
        - rename_dirs
        - create_dirs
        - create_symlinks
        - chmod
        - chown
        - chtimes
        - copy
      description: |
        Permissions:
          * `*` - all permissions are granted
          * `list` - list items is allowed
          * `download` - download files is allowed
          * `upload` - upload files is allowed
          * `overwrite` - overwrite an existing file, while uploading, is allowed. upload permission is required to allow file overwrite
          * `delete` - delete files or directories is allowed
          * `delete_files` - delete files is allowed
          * `delete_dirs` - delete directories is allowed
          * `rename` - rename files or directories is allowed
          * `rename_files` - rename files is allowed
          * `rename_dirs` - rename directories is allowed
          * `create_dirs` - create directories is allowed
          * `create_symlinks` - create links is allowed
          * `chmod` changing file or directory permissions is allowed
          * `chown` changing file or directory owner and group is allowed
          * `chtimes` changing file or directory access and modification time is allowed
          * `copy`, copying files or directories is allowed
    AdminPermissions:
      type: string
      enum:
        - '*'
        - add_users
        - edit_users
        - del_users
        - view_users
        - view_conns
        - close_conns
        - view_status
        - manage_admins
        - manage_folders
        - manage_groups
        - manage_apikeys
        - quota_scans
        - manage_system
        - manage_defender
        - view_defender
        - retention_checks
        - view_events
        - manage_event_rules
        - manage_roles
        - manage_ip_lists
        - disable_mfa
      description: |
        Admin permissions:
          * `*` - all permissions are granted
          * `add_users` - add new users is allowed
          * `edit_users` - change existing users is allowed
          * `del_users` - remove users is allowed
          * `view_users` - list users is allowed
          * `view_conns` - list active connections is allowed
          * `close_conns` - close active connections is allowed
          * `view_status` - view the server status is allowed
          * `manage_admins` - manage other admins is allowed
          * `manage_folders` - manage folders is allowed
          * `manage_groups` - manage groups is allowed
          * `manage_apikeys` - manage API keys is allowed
          * `quota_scans` - view and start quota scans is allowed
          * `manage_system` - backups and restores are allowed
          * `manage_defender` - remove ip from the dynamic blocklist is allowed
          * `view_defender` - list the dynamic blocklist is allowed
          * `retention_checks` - view and start retention checks is allowed
          * `view_events` - view and search filesystem and provider events is allowed
          * `manage_event_rules` - manage event actions and rules is allowed
          * `manage_roles` - manage roles is allowed
          * `manage_ip_lists` - manage global and ratelimter allow lists and defender block and safe lists is allowed
          * `disable_mfa` - allow to disable two-factor authentication for users and admins
    FsProviders:
      type: integer
      enum:
        - 0
        - 1
        - 2
        - 3
        - 4
        - 5
        - 6
      description: |
        Filesystem providers:
          * `0` - Local filesystem
          * `1` - S3 Compatible Object Storage
          * `2` - Google Cloud Storage
          * `3` - Azure Blob Storage
          * `4` - Local filesystem encrypted
          * `5` - SFTP
          * `6` - HTTP filesystem
    EventActionTypes:
      type: integer
      enum:
        - 1
        - 2
        - 3
        - 4
        - 5
        - 6
        - 7
        - 8
        - 9
        - 11
        - 12
        - 13
        - 14
      description: |
        Supported event action types:
          * `1` - HTTP
          * `2` - Command
          * `3` - Email
          * `4` - Backup
          * `5` - User quota reset
          * `6` - Folder quota reset
          * `7` - Transfer quota reset
          * `8` - Data retention check
          * `9` - Filesystem
          * `11` - Password expiration check
          * `12` - User expiration check
          * `13` - Identity Provider account check
          * `14` - User inactivity check
    FilesystemActionTypes:
      type: integer
      enum:
        - 1
        - 2
        - 3
        - 4
        - 5
        - 6
      description: |
        Supported filesystem action types:
          * `1` - Rename
          * `2` - Delete
          * `3` - Mkdis
          * `4` - Exist
          * `5` - Compress
          * `6` - Copy
    EventTriggerTypes:
      type: integer
      enum:
        - 1
        - 2
        - 3
        - 4
        - 5
        - 6
        - 7
      description: |
        Supported event trigger types:
          * `1` - Filesystem event
          * `2` - Provider event
          * `3` - Schedule
          * `4` - IP blocked
          * `5` - Certificate renewal
          * `6` - On demand, like schedule but executed on demand
          * `7` - Identity provider login
    LoginMethods:
      type: string
      enum:
        - publickey
        - password
        - password-over-SSH
        - keyboard-interactive
        - publickey+password
        - publickey+keyboard-interactive
        - TLSCertificate
        - TLSCertificate+password
      description: |
        Available login methods. To enable multi-step authentication you have to allow only multi-step login methods
          * `publickey`
          * `password`, password for all the supported protocols
          * `password-over-SSH`, password over SSH protocol (SSH/SFTP/SCP)
          * `keyboard-interactive`
          * `publickey+password` - multi-step auth: public key and password
          * `publickey+keyboard-interactive` - multi-step auth: public key and keyboard interactive
          * `TLSCertificate`
          * `TLSCertificate+password` - multi-step auth: TLS client certificate and password
    SupportedProtocols:
      type: string
      enum:
        - SSH
        - FTP
        - DAV
        - HTTP
      description: |
        Protocols:
          * `SSH` - includes both SFTP and SSH commands
          * `FTP` - plain FTP and FTPES/FTPS
          * `DAV` - WebDAV over HTTP/HTTPS
          * `HTTP` - WebClient/REST API
    MFAProtocols:
      type: string
      enum:
        - SSH
        - FTP
        - HTTP
      description: |
        Protocols:
          * `SSH` - includes both SFTP and SSH commands
          * `FTP` - plain FTP and FTPES/FTPS
          * `HTTP` - WebClient/REST API
    EventProtocols:
      type: string
      enum:
        - SSH
        - SFTP
        - SCP
        - FTP
        - DAV
        - HTTP
        - HTTPShare
        - DataRetention
        - EventAction
        - OIDC
      description: |
        Protocols:
          * `SSH` - SSH commands
          * `SFTP` - SFTP protocol
          * `SCP` - SCP protocol
          * `FTP` - plain FTP and FTPES/FTPS
          * `DAV` - WebDAV
          * `HTTP` - WebClient/REST API
          * `HTTPShare` - the event is generated in a public share
          * `DataRetention` - the event is generated by a data retention check
          * `EventAction` - the event is generated by an EventManager action
          * `OIDC` - OpenID Connect
    WebClientOptions:
      type: string
      enum:
        - publickey-change-disabled
        - write-disabled
        - mfa-disabled
        - password-change-disabled
        - api-key-auth-change-disabled
        - info-change-disabled
        - shares-disabled
        - password-reset-disabled
        - shares-without-password-disabled
      description: |
        Options:
          * `publickey-change-disabled` - changing SSH public keys is not allowed
          * `write-disabled` - upload, rename, delete are not allowed even if the user has permissions for these actions
          * `mfa-disabled` - enabling multi-factor authentication is not allowed. This option cannot be set if the user has MFA already enabled
          * `password-change-disabled` - changing password is not allowed
          * `api-key-auth-change-disabled` - enabling/disabling API key authentication is not allowed
          * `info-change-disabled` - changing info such as email and description is not allowed
          * `shares-disabled` - sharing files and directories with external users is not allowed
          * `password-reset-disabled` - resetting the password is not allowed
          * `shares-without-password-disabled` - creating shares without password protection is not allowed
    RetentionCheckNotification:
      type: string
      enum:
        - Hook
        - Email
      description: |
        Options:
          * `Hook` - notify result using the defined hook. A "data_retention_hook" must be defined in your configuration file for this to work
          * `Email` - notify results by email. The admin starting the retention check must have an associated email address and the SMTP server must be configured for this to work
    APIKeyScope:
      type: integer
      enum:
        - 1
        - 2
      description: |
        Options:
          * `1` - admin scope. The API key will be used to impersonate an SFTPGo admin
          * `2` - user scope. The API key will be used to impersonate an SFTPGo user
    ShareScope:
      type: integer
      enum:
        - 1
        - 2
      description: |
        Options:
          * `1` - read scope
          * `2` - write scope
    TOTPHMacAlgo:
      type: string
      enum:
        - sha1
        - sha256
        - sha512
      description: 'Supported HMAC algorithms for Time-based one time passwords'
    UserType:
      type: string
      enum:
        - ''
        - LDAPUser
        - OSUser
      description: This is an hint for authentication plugins. It is ignored when using SFTPGo internal authentication
    DumpDataScopes:
      type: string
      enum:
        - users
        - folders
        - groups
        - admins
        - api_keys
        - shares
        - actions
        - rules
        - roles
        - ip_lists
        - configs
    LogEventType:
      type: integer
      enum:
        - 1
        - 2
        - 3
        - 4
      description: >
        Event status:
          * `1` - Login failed
          * `2` - Login failed non-existent user
          * `3` - No login tried
          * `4` - Algorithm negotiation failed
    FsEventStatus:
      type: integer
      enum:
        - 1
        - 2
        - 3
      description: >
        Event status:
          * `1` - no error
          * `2` - generic error
          * `3` - quota exceeded error
    FsEventAction:
      type: string
      enum:
        - download
        - upload
        - first-upload
        - first-download
        - delete
        - rename
        - mkdir
        - rmdir
        - ssh_cmd
    ProviderEventAction:
      type: string
      enum:
        - add
        - update
        - delete
    ProviderEventObjectType:
      type: string
      enum:
        - user
        - folder
        - group
        - admin
        - api_key
        - share
        - event_action
        - event_rule
        - role
    SSHAuthentications:
      type: string
      enum:
        - publickey
        - password
        - keyboard-interactive
        - publickey+password
        - publickey+keyboard-interactive
    TLSVersions:
      type: integer
      enum:
        - 12
        - 13
      description: >
        TLS version:
          * `12` - TLS 1.2
          * `13` - TLS 1.3
    IPListType:
      type: integer
      enum:
        - 1
        - 2
        - 3
      description: >
        IP List types:
          * `1` - allow list
          * `2` - defender
          * `3` - rate limiter safe list
    IPListMode:
      type: integer
      enum:
        - 1
        - 2
      description: >
        IP list modes
          * `1` - allow
          * `2` - deny, supported for defender list type only
    TOTPConfig:
      type: object
      properties:
        name:
          type: string
        issuer:
          type: string
        algo:
          $ref: '#/components/schemas/TOTPHMacAlgo'
    RecoveryCode:
      type: object
      properties:
        secret:
          $ref: '#/components/schemas/Secret'
        used:
          type: boolean
      description: 'Recovery codes to use if the user loses access to their second factor auth device. Each code can only be used once, you should use these codes to login and disable or reset 2FA for your account'
    BaseTOTPConfig:
      type: object
      properties:
        enabled:
          type: boolean
        config_name:
          type: string
          description: 'This name must be defined within the "totp" section of the SFTPGo configuration file. You will be unable to save a user/admin referencing a missing config_name'
        secret:
          $ref: '#/components/schemas/Secret'
    AdminTOTPConfig:
      allOf:
        - $ref: '#/components/schemas/BaseTOTPConfig'
    UserTOTPConfig:
      allOf:
        - $ref: '#/components/schemas/BaseTOTPConfig'
        - type: object
          properties:
            protocols:
              type: array
              items:
                $ref: '#/components/schemas/MFAProtocols'
              description: 'TOTP will be required for the specified protocols. SSH protocol (SFTP/SCP/SSH commands) will ask for the TOTP passcode if the client uses keyboard interactive authentication. FTP has no standard way to support two factor authentication, if you enable the FTP support, you have to add the TOTP passcode after the password. For example if your password is "password" and your one time passcode is "123456" you have to use "password123456" as password. WebDAV is not supported since each single request must be authenticated and a passcode cannot be reused.'
    PatternsFilter:
      type: object
      properties:
        path:
          type: string
          description: 'virtual path as seen by users, if no other specific filter is defined, the filter applies for sub directories too. For example if filters are defined for the paths "/" and "/sub" then the filters for "/" are applied for any file outside the "/sub" directory'
        allowed_patterns:
          type: array
          items:
            type: string
          description: 'list of, case insensitive, allowed shell like patterns. Allowed patterns are evaluated before the denied ones'
          example:
            - '*.jpg'
            - a*b?.png
        denied_patterns:
          type: array
          items:
            type: string
          description: 'list of, case insensitive, denied shell like patterns'
          example:
            - '*.zip'
        deny_policy:
          type: integer
          enum:
            - 0
            - 1
          description: |
            Policies for denied patterns
              * `0` - default policy. Denied files/directories matching the filters are visible in directory listing but cannot be uploaded/downloaded/overwritten/renamed
              * `1` - deny policy hide. This policy applies the same restrictions as the default one and denied files/directories matching the filters will also be hidden in directory listing. This mode may cause performance issues for large directories
    HooksFilter:
      type: object
      properties:
        external_auth_disabled:
          type: boolean
          example: false
          description: If true, the external auth hook, if defined, will not be executed
        pre_login_disabled:
          type: boolean
          example: false
          description: If true, the pre-login hook, if defined, will not be executed
        check_password_disabled:
          type: boolean
          example: false
          description: If true, the check password hook, if defined, will not be executed
      description: User specific hook overrides
    BandwidthLimit:
      type: object
      properties:
        sources:
          type: array
          items:
            type: string
          description: 'Source networks in CIDR notation as defined in RFC 4632 and RFC 4291 for example `192.0.2.0/24` or `2001:db8::/32`. The limit applies if the defined networks contain the client IP'
        upload_bandwidth:
          type: integer
          format: int32
          description: 'Maximum upload bandwidth as KB/s, 0 means unlimited'
        download_bandwidth:
          type: integer
          format: int32
          description: 'Maximum download bandwidth as KB/s, 0 means unlimited'
    TimePeriod:
      type: object
      properties:
        day_of_week:
          type: integer
          enum:
            - 0
            - 1
            - 2
            - 3
            - 4
            - 5
            - 6
          description: Day of week, 0 Sunday, 6 Saturday
        from:
          type: string
          description: Start time in HH:MM format
        to:
          type: string
          description: End time in HH:MM format
    BaseUserFilters:
      type: object
      properties:
        allowed_ip:
          type: array
          items:
            type: string
          description: 'only clients connecting from these IP/Mask are allowed. IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291, for example "192.0.2.0/24" or "2001:db8::/32"'
          example:
            - 192.0.2.0/24
            - '2001:db8::/32'
        denied_ip:
          type: array
          items:
            type: string
          description: clients connecting from these IP/Mask are not allowed. Denied rules are evaluated before allowed ones
          example:
            - 172.16.0.0/16
        denied_login_methods:
          type: array
          items:
            $ref: '#/components/schemas/LoginMethods'
          description: if null or empty any available login method is allowed
        denied_protocols:
          type: array
          items:
            $ref: '#/components/schemas/SupportedProtocols'
          description: if null or empty any available protocol is allowed
        file_patterns:
          type: array
          items:
            $ref: '#/components/schemas/PatternsFilter'
          description: 'filters based on shell like file patterns. These restrictions do not apply to files listing for performance reasons, so a denied file cannot be downloaded/overwritten/renamed but it will still be in the list of files. Please note that these restrictions can be easily bypassed'
        max_upload_file_size:
          type: integer
          format: int64
          description: 'maximum allowed size, as bytes, for a single file upload. The upload will be aborted if/when the size of the file being sent exceeds this limit. 0 means unlimited. This restriction does not apply for SSH system commands such as `git` and `rsync`'
        tls_username:
          type: string
          description: 'defines the TLS certificate field to use as username. For FTP clients it must match the name provided using the "USER" command. For WebDAV, if no username is provided, the CN will be used as username. For WebDAV clients it must match the implicit or provided username. Ignored if mutual TLS is disabled. Currently the only supported value is `CommonName`'
        tls_certs:
          type: array
          items:
            type: string
        hooks:
          $ref: '#/components/schemas/HooksFilter'
        disable_fs_checks:
          type: boolean
          example: false
          description: Disable checks for existence and automatic creation of home directory and virtual folders. SFTPGo requires that the user's home directory, virtual folder root, and intermediate paths to virtual folders exist to work properly. If you already know that the required directories exist, disabling these checks will speed up login. You could, for example, disable these checks after the first login
        web_client:
          type: array
          items:
            $ref: '#/components/schemas/WebClientOptions'
          description: WebClient/user REST API related configuration options
        allow_api_key_auth:
          type: boolean
          description: 'API key authentication allows to impersonate this user with an API key'
        user_type:
          $ref: '#/components/schemas/UserType'
        bandwidth_limits:
          type: array
          items:
            $ref: '#/components/schemas/BandwidthLimit'
        external_auth_cache_time:
          type: integer
          description: 'Defines the cache time, in seconds, for users authenticated using an external auth hook. 0 means no cache'
        start_directory:
          type: string
          description: 'Specifies an alternate starting directory. If not set, the default is "/". This option is supported for SFTP/SCP, FTP and HTTP (WebClient/REST API) protocols. Relative paths will use this directory as base.'
        two_factor_protocols:
          type: array
          items:
            $ref: '#/components/schemas/MFAProtocols'
          description: 'Defines protocols that require two factor authentication'
        ftp_security:
          type: integer
          enum:
            - 0
            - 1
          description: 'Set to `1` to require TLS for both data and control connection. his setting is useful if you want to allow both encrypted and plain text FTP sessions globally and then you want to require encrypted sessions on a per-user basis. It has no effect if TLS is already required for all users in the configuration file.'
        is_anonymous:
          type: boolean
          description: 'If enabled the user can login with any password or no password at all. Anonymous users are supported for FTP and WebDAV protocols and permissions will be automatically set to "list" and "download" (read only)'
        default_shares_expiration:
          type: integer
          description: 'Defines the default expiration for newly created shares as number of days. 0 means no expiration'
        max_shares_expiration:
          type: integer
          description: 'Defines the maximum allowed expiration, as a number of days, when a user creates or updates a share. 0 means no expiration'
        password_expiration:
          type: integer
          description: 'The password expires after the defined number of days. 0 means no expiration'
        access_time:
          type: array
          items:
            $ref: '#/components/schemas/TimePeriod'
      description: Additional user options
    UserFilters:
      allOf:
        - $ref: '#/components/schemas/BaseUserFilters'
        - type: object
          properties:
            require_password_change:
              type: boolean
              description: 'User must change password from WebClient/REST API at next login'
            totp_config:
              $ref: '#/components/schemas/UserTOTPConfig'
            recovery_codes:
              type: array
              items:
                $ref: '#/components/schemas/RecoveryCode'
    Secret:
      type: object
      properties:
        status:
          type: string
          enum:
            - Plain
            - AES-256-GCM
            - Secretbox
            - GCP
            - AWS
            - VaultTransit
            - AzureKeyVault
            - Redacted
          description: 'Set to "Plain" to add or update an existing secret, set to "Redacted" to preserve the existing value'
        payload:
          type: string
        key:
          type: string
        additional_data:
          type: string
        mode:
          type: integer
          description: 1 means encrypted using a master key
      description: The secret is encrypted before saving, so to set a new secret you must provide a payload and set the status to "Plain". The encryption key and additional data will be generated automatically. If you set the status to "Redacted" the existing secret will be preserved
    S3Config:
      type: object
      properties:
        bucket:
          type: string
          minLength: 1
        region:
          type: string
          minLength: 1
        access_key:
          type: string
        access_secret:
          $ref: '#/components/schemas/Secret'
        role_arn:
          type: string
          description: 'Optional IAM Role ARN to assume'
        endpoint:
          type: string
          description: optional endpoint
        storage_class:
          type: string
        acl:
          type: string
          description: 'The canned ACL to apply to uploaded objects. Leave empty to use the default ACL. For more information and available ACLs, see here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl'
        upload_part_size:
          type: integer
          description: 'the buffer size (in MB) to use for multipart uploads. The minimum allowed part size is 5MB, and if this value is set to zero, the default value (5MB) for the AWS SDK will be used. The minimum allowed value is 5.'
        upload_concurrency:
          type: integer
          description: 'the number of parts to upload in parallel. If this value is set to zero, the default value (5) will be used'
        upload_part_max_time:
          type: integer
          description: 'the maximum time allowed, in seconds, to upload a single chunk (the chunk size is defined via "upload_part_size"). 0 means no timeout'
        download_part_size:
          type: integer
          description: 'the buffer size (in MB) to use for multipart downloads. The minimum allowed part size is 5MB, and if this value is set to zero, the default value (5MB) for the AWS SDK will be used. The minimum allowed value is 5. Ignored for partial downloads'
        download_concurrency:
          type: integer
          description: 'the number of parts to download in parallel. If this value is set to zero, the default value (5) will be used. Ignored for partial downloads'
        download_part_max_time:
          type: integer
          description: 'the maximum time allowed, in seconds, to download a single chunk (the chunk size is defined via "download_part_size"). 0 means no timeout. Ignored for partial downloads.'
        force_path_style:
          type: boolean
          description: 'Set this to "true" to force the request to use path-style addressing, i.e., "http://s3.amazonaws.com/BUCKET/KEY". By default, the S3 client will use virtual hosted bucket addressing when possible ("http://BUCKET.s3.amazonaws.com/KEY")'
        key_prefix:
          type: string
          description: 'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with "/" and must end with "/". If empty the whole bucket contents will be available'
          example: folder/subfolder/
      description: S3 Compatible Object Storage configuration details
    GCSConfig:
      type: object
      properties:
        bucket:
          type: string
          minLength: 1
        credentials:
          $ref: '#/components/schemas/Secret'
        automatic_credentials:
          type: integer
          enum:
            - 0
            - 1
          description: |
            Automatic credentials:
              * `0` - disabled, explicit credentials, using a JSON credentials file, must be provided. This is the default value if the field is null
              * `1` - enabled, we try to use the Application Default Credentials (ADC) strategy to find your application's credentials
        storage_class:
          type: string
        acl:
          type: string
          description: 'The ACL to apply to uploaded objects. Leave empty to use the default ACL. For more information and available ACLs, refer to the JSON API here: https://cloud.google.com/storage/docs/access-control/lists#predefined-acl'
        key_prefix:
          type: string
          description: 'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with "/" and must end with "/". If empty the whole bucket contents will be available'
          example: folder/subfolder/
        upload_part_size:
          type: integer
          description: 'The buffer size (in MB) to use for multipart uploads. The default value is 16MB. 0 means use the default'
        upload_part_max_time:
          type: integer
          description: 'The maximum time allowed, in seconds, to upload a single chunk. The default value is 32. 0 means use the default'
      description: 'Google Cloud Storage configuration details. The "credentials" field must be populated only when adding/updating a user. It will be always omitted, since there are sensitive data, when you search/get users'
    AzureBlobFsConfig:
      type: object
      properties:
        container:
          type: string
        account_name:
          type: string
          description: 'Storage Account Name, leave blank to use SAS URL'
        account_key:
          $ref: '#/components/schemas/Secret'
        sas_url:
          $ref: '#/components/schemas/Secret'
        endpoint:
          type: string
          description: 'optional endpoint. Default is "blob.core.windows.net". If you use the emulator the endpoint must include the protocol, for example "http://127.0.0.1:10000"'
        upload_part_size:
          type: integer
          description: 'the buffer size (in MB) to use for multipart uploads. If this value is set to zero, the default value (5MB) will be used.'
        upload_concurrency:
          type: integer
          description: 'the number of parts to upload in parallel. If this value is set to zero, the default value (5) will be used'
        download_part_size:
          type: integer
          description: 'the buffer size (in MB) to use for multipart downloads. If this value is set to zero, the default value (5MB) will be used.'
        download_concurrency:
          type: integer
          description: 'the number of parts to download in parallel. If this value is set to zero, the default value (5) will be used'
        access_tier:
          type: string
          enum:
            - ''
            - Archive
            - Hot
            - Cool
        key_prefix:
          type: string
          description: 'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with "/" and must end with "/". If empty the whole container contents will be available'
          example: folder/subfolder/
        use_emulator:
          type: boolean
      description: Azure Blob Storage configuration details
    OSFsConfig:
      type: object
      properties:
        read_buffer_size:
          type: integer
          minimum: 0
          maximum: 10
          description: "The read buffer size, as MB, to use for downloads. 0 means no buffering, that's fine in most use cases."
        write_buffer_size:
          type: integer
          minimum: 0
          maximum: 10
          description: "The write buffer size, as MB, to use for uploads. 0 means no buffering, that's fine in most use cases."
    CryptFsConfig:
      type: object
      properties:
        passphrase:
          $ref: '#/components/schemas/Secret'
        read_buffer_size:
          type: integer
          minimum: 0
          maximum: 10
          description: "The read buffer size, as MB, to use for downloads. 0 means no buffering, that's fine in most use cases."
        write_buffer_size:
          type: integer
          minimum: 0
          maximum: 10
          description: "The write buffer size, as MB, to use for uploads. 0 means no buffering, that's fine in most use cases."
      description: Crypt filesystem configuration details
    SFTPFsConfig:
      type: object
      properties:
        endpoint:
          type: string
          description: 'remote SFTP endpoint as host:port'
        username:
          type: string
          description: you can specify a password or private key or both. In the latter case the private key will be tried first.
        password:
          $ref: '#/components/schemas/Secret'
        private_key:
          $ref: '#/components/schemas/Secret'
        key_passphrase:
          $ref: '#/components/schemas/Secret'
        fingerprints:
          type: array
          items:
            type: string
          description: 'SHA256 fingerprints to use for host key verification. If you don''t provide any fingerprint the remote host key will not be verified, this is a security risk'
        prefix:
          type: string
          description: Specifying a prefix you can restrict all operations to a given path within the remote SFTP server.
        disable_concurrent_reads:
          type: boolean
          description: Concurrent reads are safe to use and disabling them will degrade performance. Some servers automatically delete files once they are downloaded. Using concurrent reads is problematic with such servers.
        buffer_size:
          type: integer
          minimum: 0
          maximum: 16
          example: 2
          description: The size of the buffer (in MB) to use for transfers. By enabling buffering, the reads and writes, from/to the remote SFTP server, are split in multiple concurrent requests and this allows data to be transferred at a faster rate, over high latency networks, by overlapping round-trip times. With buffering enabled, resuming uploads is not supported and a file cannot be opened for both reading and writing at the same time. 0 means disabled.
        equality_check_mode:
          type: integer
          enum:
            - 0
            - 1
          description: |
             Defines how to check if this config points to the same server as another config. If different configs point to the same server the renaming between the fs configs is allowed:
              * `0` username and endpoint must match. This is the default
              * `1` only the endpoint must match
    HTTPFsConfig:
      type: object
      properties:
        endpoint:
          type: string
          description: 'HTTP/S endpoint URL. SFTPGo will use this URL as base, for example for the `stat` API, SFTPGo will add `/stat/{name}`'
        username:
          type: string
        password:
          $ref: '#/components/schemas/Secret'
        api_key:
          $ref: '#/components/schemas/Secret'
        skip_tls_verify:
          type: boolean
        equality_check_mode:
          type: integer
          enum:
            - 0
            - 1
          description: |
             Defines how to check if this config points to the same server as another config. If different configs point to the same server the renaming between the fs configs is allowed:
              * `0` username and endpoint must match. This is the default
              * `1` only the endpoint must match
    FilesystemConfig:
      type: object
      properties:
        provider:
          $ref: '#/components/schemas/FsProviders'
        osconfig:
          $ref: '#/components/schemas/OSFsConfig'
        s3config:
          $ref: '#/components/schemas/S3Config'
        gcsconfig:
          $ref: '#/components/schemas/GCSConfig'
        azblobconfig:
          $ref: '#/components/schemas/AzureBlobFsConfig'
        cryptconfig:
          $ref: '#/components/schemas/CryptFsConfig'
        sftpconfig:
          $ref: '#/components/schemas/SFTPFsConfig'
        httpconfig:
          $ref: '#/components/schemas/HTTPFsConfig'
      description: Storage filesystem details
    BaseVirtualFolder:
      type: object
      properties:
        id:
          type: integer
          format: int32
          minimum: 1
        name:
          type: string
          description: unique name for this virtual folder
        mapped_path:
          type: string
          description: absolute filesystem path to use as virtual folder
        description:
          type: string
          description: optional description
        used_quota_size:
          type: integer
          format: int64
        used_quota_files:
          type: integer
          format: int32
        last_quota_update:
          type: integer
          format: int64
          description: Last quota update as unix timestamp in milliseconds
        users:
          type: array
          items:
            type: string
          description: list of usernames associated with this virtual folder
        filesystem:
          $ref: '#/components/schemas/FilesystemConfig'
      description: 'Defines the filesystem for the virtual folder and the used quota limits. The same folder can be shared among multiple users and each user can have different quota limits or a different virtual path.'
    VirtualFolder:
      allOf:
        - $ref: '#/components/schemas/BaseVirtualFolder'
        - type: object
          properties:
            virtual_path:
              type: string
            quota_size:
              type: integer
              format: int64
              description: 'Quota as size in bytes. 0 means unlimited, -1 means included in user quota. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed'
            quota_files:
              type: integer
              format: int32
              description: 'Quota as number of files. 0 means unlimited, , -1 means included in user quota. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed'
          required:
            - virtual_path
      description: 'A virtual folder is a mapping between a SFTPGo virtual path and a filesystem path outside the user home directory. The specified paths must be absolute and the virtual path cannot be "/", it must be a sub directory. The parent directory for the specified virtual path must exist. SFTPGo will try to automatically create any missing parent directory for the configured virtual folders at user login.'
    User:
      type: object
      properties:
        id:
          type: integer
          format: int32
          minimum: 1
        status:
          type: integer
          enum:
            - 0
            - 1
          description: |
            status:
              * `0` user is disabled, login is not allowed
              * `1` user is enabled
        username:
          type: string
          description: username is unique
        email:
          type: string
          format: email
        description:
          type: string
          description: 'optional description, for example the user full name'
        expiration_date:
          type: integer
          format: int64
          description: expiration date as unix timestamp in milliseconds. An expired account cannot login. 0 means no expiration
        password:
          type: string
          format: password
          description: If the password has no known hashing algo prefix it will be stored, by default, using bcrypt, argon2id is supported too. You can send a password hashed as bcrypt ($2a$ prefix), argon2id, pbkdf2 or unix crypt and it will be stored as is. For security reasons this field is omitted when you search/get users
        public_keys:
          type: array
          items:
            type: string
            example: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEUWwDwEWhTbF0MqAsp/oXK1HR2cElhM8oo1uVmL3ZeDKDiTm4ljMr92wfTgIGDqIoxmVqgYIkAOAhuykAVWBzc= user@host
          description: Public keys in OpenSSH format.
        has_password:
          type: boolean
          description: Indicates whether the password is set
        home_dir:
          type: string
          description: path to the user home directory. The user cannot upload or download files outside this directory. SFTPGo tries to automatically create this folder if missing. Must be an absolute path
        virtual_folders:
          type: array
          items:
            $ref: '#/components/schemas/VirtualFolder'
          description: mapping between virtual SFTPGo paths and virtual folders
        uid:
          type: integer
          format: int32
          minimum: 0
          maximum: 2147483647
          description: 'if you run SFTPGo as root user, the created files and directories will be assigned to this uid. 0 means no change, the owner will be the user that runs SFTPGo. Ignored on windows'
        gid:
          type: integer
          format: int32
          minimum: 0
          maximum: 2147483647
          description: 'if you run SFTPGo as root user, the created files and directories will be assigned to this gid. 0 means no change, the group will be the one of the user that runs SFTPGo. Ignored on windows'
        max_sessions:
          type: integer
          format: int32
          description: Limit the sessions that a user can open. 0 means unlimited
        quota_size:
          type: integer
          format: int64
          description: Quota as size in bytes. 0 means unlimited. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed
        quota_files:
          type: integer
          format: int32
          description: Quota as number of files. 0 means unlimited. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed
        permissions:
          type: object
          additionalProperties:
            type: array
            items:
              $ref: '#/components/schemas/Permission'
            minItems: 1
          minProperties: 1
          description: 'hash map with directory as key and an array of permissions as value. Directories must be absolute paths, permissions for root directory ("/") are required'
          example:
            /:
              - '*'
            /somedir:
              - list
              - download
        used_quota_size:
          type: integer
          format: int64
        used_quota_files:
          type: integer
          format: int32
        last_quota_update:
          type: integer
          format: int64
          description: Last quota update as unix timestamp in milliseconds
        upload_bandwidth:
          type: integer
          description: 'Maximum upload bandwidth as KB/s, 0 means unlimited'
        download_bandwidth:
          type: integer
          description: 'Maximum download bandwidth as KB/s, 0 means unlimited'
        upload_data_transfer:
          type: integer
          description: 'Maximum data transfer allowed for uploads as MB. 0 means no limit'
        download_data_transfer:
          type: integer
          description: 'Maximum data transfer allowed for downloads as MB. 0 means no limit'
        total_data_transfer:
          type: integer
          description: 'Maximum total data transfer as MB. 0 means unlimited. You can set a total data transfer instead of the individual values for uploads and downloads'
        used_upload_data_transfer:
          type: integer
          description: 'Uploaded size, as bytes, since the last reset'
        used_download_data_transfer:
          type: integer
          description: 'Downloaded size, as bytes, since the last reset'
        created_at:
          type: integer
          format: int64
          description: 'creation time as unix timestamp in milliseconds. It will be 0 for users created before v2.2.0'
        updated_at:
          type: integer
          format: int64
          description: last update time as unix timestamp in milliseconds
        last_login:
          type: integer
          format: int64
          description: Last user login as unix timestamp in milliseconds. It is saved at most once every 10 minutes
        first_download:
          type: integer
          format: int64
          description: first download time as unix timestamp in milliseconds
        first_upload:
          type: integer
          format: int64
          description: first upload time as unix timestamp in milliseconds
        last_password_change:
          type: integer
          format: int64
          description: last password change time as unix timestamp in milliseconds
        filters:
          $ref: '#/components/schemas/UserFilters'
        filesystem:
          $ref: '#/components/schemas/FilesystemConfig'
        additional_info:
          type: string
          description: Free form text field for external systems
        groups:
          type: array
          items:
            $ref: '#/components/schemas/GroupMapping'
        oidc_custom_fields:
          type: object
          additionalProperties: true
          description: 'This field is passed to the pre-login hook if custom OIDC token fields have been configured. Field values can be of any type (this is a free form object) and depend on the type of the configured OIDC token fields'
        role:
          type: string
    AdminPreferences:
      type: object
      properties:
        hide_user_page_sections:
          type: integer
          description: 'Allow to hide some sections from the user page. These are not security settings and are not enforced server side in any way. They are only intended to simplify the user page in the WebAdmin UI. 1 means hide groups section, 2 means hide filesystem section, "users_base_dir" must be set in the config file otherwise this setting is ignored, 4 means hide virtual folders section, 8 means hide profile section, 16 means hide ACLs section, 32 means hide disk and bandwidth quota limits section, 64 means hide advanced settings section. The settings can be combined'
        default_users_expiration:
          type: integer
          description: 'Defines the default expiration for newly created users as number of days. 0 means no expiration'
    AdminFilters:
      type: object
      properties:
        allow_list:
          type: array
          items:
            type: string
          description: 'only clients connecting from these IP/Mask are allowed. IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291, for example "192.0.2.0/24" or "2001:db8::/32"'
          example:
            - 192.0.2.0/24
            - '2001:db8::/32'
        allow_api_key_auth:
          type: boolean
          description: 'API key auth allows to impersonate this administrator with an API key'
        require_two_factor:
          type: boolean
        require_password_change:
          type: boolean
        totp_config:
          $ref: '#/components/schemas/AdminTOTPConfig'
        recovery_codes:
          type: array
          items:
            $ref: '#/components/schemas/RecoveryCode'
        preferences:
          $ref: '#/components/schemas/AdminPreferences'
    Admin:
      type: object
      properties:
        id:
          type: integer
          format: int32
          minimum: 1
        status:
          type: integer
          enum:
            - 0
            - 1
          description: |
            status:
              * `0` user is disabled, login is not allowed
              * `1` user is enabled
        username:
          type: string
          description: username is unique
        description:
          type: string
          description: 'optional description, for example the admin full name'
        password:
          type: string
          format: password
          description: Admin password. For security reasons this field is omitted when you search/get admins
        email:
          type: string
          format: email
        permissions:
          type: array
          items:
            $ref: '#/components/schemas/AdminPermissions'
        filters:
          $ref: '#/components/schemas/AdminFilters'
        additional_info:
          type: string
          description: Free form text field
        groups:
          type: array
          items:
            $ref: '#/components/schemas/AdminGroupMapping'
          description: 'Groups automatically selected for new users created by this admin. The admin will still be able to choose different groups. These settings are only used for this admin UI and they will be ignored in REST API/hooks.'
        created_at:
          type: integer
          format: int64
          description: 'creation time as unix timestamp in milliseconds. It will be 0 for admins created before v2.2.0'
        updated_at:
          type: integer
          format: int64
          description: last update time as unix timestamp in milliseconds
        last_login:
          type: integer
          format: int64
          description: Last user login as unix timestamp in milliseconds. It is saved at most once every 10 minutes
        role:
          type: string
          description: 'If set the admin can only administer users with the same role. Role admins cannot have the following permissions: "manage_admins", "manage_apikeys", "manage_system", "manage_event_rules", "manage_roles", "manage_ip_lists"'
    AdminProfile:
      type: object
      properties:
        email:
          type: string
          format: email
        description:
          type: string
        allow_api_key_auth:
          type: boolean
          description: 'If enabled, you can impersonate this admin, in REST API, using an API key. If disabled admin credentials are required for impersonation'
    UserProfile:
      type: object
      properties:
        email:
          type: string
          format: email
        description:
          type: string
        allow_api_key_auth:
          type: boolean
          description: 'If enabled, you can impersonate this user, in REST API, using an API key. If disabled user credentials are required for impersonation'
        public_keys:
          type: array
          items:
            type: string
            example: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEUWwDwEWhTbF0MqAsp/oXK1HR2cElhM8oo1uVmL3ZeDKDiTm4ljMr92wfTgIGDqIoxmVqgYIkAOAhuykAVWBzc= user@host
            description: Public keys in OpenSSH format
    APIKey:
      type: object
      properties:
        id:
          type: string
          description: unique key identifier
        name:
          type: string
          description: User friendly key name
        key:
          type: string
          format: password
          description: We store the hash of the key. This is just like a password. For security reasons this field is omitted when you search/get API keys
        scope:
          $ref: '#/components/schemas/APIKeyScope'
        created_at:
          type: integer
          format: int64
          description: creation time as unix timestamp in milliseconds
        updated_at:
          type: integer
          format: int64
          description: last update time as unix timestamp in milliseconds
        last_use_at:
          type: integer
          format: int64
          description: last use time as unix timestamp in milliseconds. It is saved at most once every 10 minutes
        expires_at:
          type: integer
          format: int64
          description: expiration time as unix timestamp in milliseconds
        description:
          type: string
          description: optional description
        user:
          type: string
          description: username associated with this API key. If empty and the scope is "user scope" the key can impersonate any user
        admin:
          type: string
          description: admin associated with this API key. If empty and the scope is "admin scope" the key can impersonate any admin
    QuotaUsage:
      type: object
      properties:
        used_quota_size:
          type: integer
          format: int64
        used_quota_files:
          type: integer
          format: int32
    TransferQuotaUsage:
      type: object
      properties:
        used_upload_data_transfer:
          type: integer
          format: int64
          description: 'The value must be specified as bytes'
        used_download_data_transfer:
          type: integer
          format: int64
          description: 'The value must be specified as bytes'
    Transfer:
      type: object
      properties:
        operation_type:
          type: string
          enum:
            - upload
            - download
          description: |
            Operations:
              * `upload`
              * `download`
        path:
          type: string
          description: file path for the upload/download
        start_time:
          type: integer
          format: int64
          description: start time as unix timestamp in milliseconds
        size:
          type: integer
          format: int64
          description: bytes transferred
    ConnectionStatus:
      type: object
      properties:
        username:
          type: string
          description: connected username
        connection_id:
          type: string
          description: unique connection identifier
        client_version:
          type: string
          description: client version
        remote_address:
          type: string
          description: Remote address for the connected client
        connection_time:
          type: integer
          format: int64
          description: connection time as unix timestamp in milliseconds
        command:
          type: string
          description: Last SSH/FTP command or WebDAV method
        last_activity:
          type: integer
          format: int64
          description: last client activity as unix timestamp in milliseconds
        protocol:
          type: string
          enum:
            - SFTP
            - SCP
            - SSH
            - FTP
            - DAV
        active_transfers:
          type: array
          items:
            $ref: '#/components/schemas/Transfer'
        node:
          type: string
          description: 'Node identifier, omitted for single node installations'
    FolderRetention:
      type: object
      properties:
        path:
          type: string
          description: 'virtual directory path as seen by users, if no other specific retention is defined, the retention applies for sub directories too. For example if retention is defined for the paths "/" and "/sub" then the retention for "/" is applied for any file outside the "/sub" directory'
          example: '/'
        retention:
          type: integer
          description: retention time in hours. All the files with a modification time older than the defined value will be deleted. 0 means exclude this path
          example: 24
        delete_empty_dirs:
          type: boolean
          description: if enabled, empty directories will be deleted
        ignore_user_permissions:
          type: boolean
          description: 'if enabled, files will be deleted even if the user does not have the delete permission. The default is "false" which means that files will be skipped if the user does not have permission to delete them. File patterns filters will always be silently ignored'
    RetentionCheck:
      type: object
      properties:
        username:
          type: string
          description: username to which the retention check refers
        folders:
          type: array
          items:
            $ref: '#/components/schemas/FolderRetention'
        start_time:
          type: integer
          format: int64
          description: check start time as unix timestamp in milliseconds
        notifications:
          type: array
          items:
            $ref: '#/components/schemas/RetentionCheckNotification'
        email:
          type: string
          format: email
          description: 'if the notification method is set to "Email", this is the e-mail address that receives the retention check report. This field is automatically set to the email address associated with the administrator starting the check'
    QuotaScan:
      type: object
      properties:
        username:
          type: string
          description: username to which the quota scan refers
        start_time:
          type: integer
          format: int64
          description: scan start time as unix timestamp in milliseconds
    FolderQuotaScan:
      type: object
      properties:
        name:
          type: string
          description: folder name to which the quota scan refers
        start_time:
          type: integer
          format: int64
          description: scan start time as unix timestamp in milliseconds
    DefenderEntry:
      type: object
      properties:
        id:
          type: string
        ip:
          type: string
        score:
          type: integer
          description: the score increases whenever a violation is detected, such as an attempt to log in using an incorrect password or invalid username. If the score exceeds the configured threshold, the IP is banned. Omitted for banned IPs
        ban_time:
          type: string
          format: date-time
          description: date time until the IP is banned. For already banned hosts, the ban time is increased each time a new violation is detected. Omitted if the IP is not banned
    SSHHostKey:
      type: object
      properties:
        path:
          type: string
        fingerprint:
          type: string
        algorithms:
          type: array
          items:
            type: string
    SSHBinding:
      type: object
      properties:
        address:
          type: string
          description: TCP address the server listen on
        port:
          type: integer
          description: the port used for serving requests
        apply_proxy_config:
          type: boolean
          description: 'apply the proxy configuration, if any'
    WebDAVBinding:
      type: object
      properties:
        address:
          type: string
          description: TCP address the server listen on
        port:
          type: integer
          description: the port used for serving requests
        enable_https:
          type: boolean
        min_tls_version:
          $ref: '#/components/schemas/TLSVersions'
        client_auth_type:
          type: integer
          description: 1 means that client certificate authentication is required in addition to HTTP basic authentication
        tls_cipher_suites:
          type: array
          items:
            type: string
          description: 'List of supported cipher suites for TLS version 1.2. If empty  a default list of secure cipher suites is used, with a preference order based on hardware performance'
        prefix:
          type: string
          description: 'Prefix for WebDAV resources, if empty WebDAV resources will be available at the `/` URI'
        proxy_allowed:
          type: array
          items:
            type: string
          description: 'List of IP addresses and IP ranges allowed to set proxy headers'
    PassiveIPOverride:
      type: object
      properties:
        networks:
          type: array
          items:
            type: string
        ip:
          type: string
    FTPDBinding:
      type: object
      properties:
        address:
          type: string
          description: TCP address the server listen on
        port:
          type: integer
          description: the port used for serving requests
        apply_proxy_config:
          type: boolean
          description: 'apply the proxy configuration, if any'
        tls_mode:
          type: integer
          enum:
            - 0
            - 1
            - 2
          description: |
            TLS mode:
              * `0` - clear or explicit TLS
              * `1` - explicit TLS required
              * `2` - implicit TLS
        min_tls_version:
          $ref: '#/components/schemas/TLSVersions'
        force_passive_ip:
          type: string
          description: External IP address for passive connections
        passive_ip_overrides:
          type: array
          items:
            $ref: '#/components/schemas/PassiveIPOverride'
        client_auth_type:
          type: integer
          description: 1 means that client certificate authentication is required in addition to FTP authentication
        tls_cipher_suites:
          type: array
          items:
            type: string
          description: 'List of supported cipher suites for TLS version 1.2. If empty  a default list of secure cipher suites is used, with a preference order based on hardware performance'
        passive_connections_security:
          type: integer
          enum:
            - 0
            - 1
          description: |
            Active connections security:
              * `0` - require matching peer IP addresses of control and data connection
              * `1` - disable any checks
        active_connections_security:
          type: integer
          enum:
            - 0
            - 1
          description: |
            Active connections security:
              * `0` - require matching peer IP addresses of control and data connection
              * `1` - disable any checks
        debug:
          type: boolean
          description: 'If enabled any FTP command will be logged'
    SSHServiceStatus:
      type: object
      properties:
        is_active:
          type: boolean
        bindings:
          type: array
          items:
            $ref: '#/components/schemas/SSHBinding'
          nullable: true
        host_keys:
          type: array
          items:
            $ref: '#/components/schemas/SSHHostKey'
          nullable: true
        ssh_commands:
          type: array
          items:
            type: string
        authentications:
          type: array
          items:
            $ref: '#/components/schemas/SSHAuthentications'
        public_key_algorithms:
          type: array
          items:
            type: string
        macs:
          type: array
          items:
            type: string
        kex_algorithms:
          type: array
          items:
            type: string
        ciphers:
          type: array
          items:
            type: string
    FTPPassivePortRange:
      type: object
      properties:
        start:
          type: integer
        end:
          type: integer
    FTPServiceStatus:
      type: object
      properties:
        is_active:
          type: boolean
        bindings:
          type: array
          items:
            $ref: '#/components/schemas/FTPDBinding'
          nullable: true
        passive_port_range:
          $ref: '#/components/schemas/FTPPassivePortRange'
    WebDAVServiceStatus:
      type: object
      properties:
        is_active:
          type: boolean
        bindings:
          type: array
          items:
            $ref: '#/components/schemas/WebDAVBinding'
          nullable: true
    DataProviderStatus:
      type: object
      properties:
        is_active:
          type: boolean
        driver:
          type: string
        error:
          type: string
    MFAStatus:
      type: object
      properties:
        is_active:
          type: boolean
        totp_configs:
          type: array
          items:
            $ref: '#/components/schemas/TOTPConfig'
    ServicesStatus:
      type: object
      properties:
        ssh:
          $ref: '#/components/schemas/SSHServiceStatus'
        ftp:
          $ref: '#/components/schemas/FTPServiceStatus'
        webdav:
          $ref: '#/components/schemas/WebDAVServiceStatus'
        data_provider:
          $ref: '#/components/schemas/DataProviderStatus'
        defender:
          type: object
          properties:
            is_active:
              type: boolean
        mfa:
          $ref: '#/components/schemas/MFAStatus'
        allow_list:
          type: object
          properties:
            is_active:
              type: boolean
        rate_limiters:
          type: object
          properties:
            is_active:
              type: boolean
            protocols:
              type: array
              items:
                type: string
                example: SSH
    Share:
      type: object
      properties:
        id:
          type: string
          description: auto-generated unique share identifier
        name:
          type: string
        description:
          type: string
          description: optional description
        scope:
          $ref: '#/components/schemas/ShareScope'
        paths:
          type: array
          items:
            type: string
          description: 'paths to files or directories, for share scope write this array must contain exactly one directory. Paths will not be validated on save so you can also create them after creating the share'
          example:
            - '/dir1'
            - '/dir2/file.txt'
            - '/dir3/subdir'
        username:
          type: string
        created_at:
          type: integer
          format: int64
          description: 'creation time as unix timestamp in milliseconds'
        updated_at:
          type: integer
          format: int64
          description: 'last update time as unix timestamp in milliseconds'
        last_use_at:
          type: integer
          format: int64
          description: last use time as unix timestamp in milliseconds
        expires_at:
          type: integer
          format: int64
          description: 'optional share expiration, as unix timestamp in milliseconds. 0 means no expiration'
        password:
          type: string
          description: 'optional password to protect the share. The special value "[**redacted**]" means that a password has been set, you can use this value if you want to preserve the current password when you update a share'
        max_tokens:
          type: integer
          description: 'maximum allowed access tokens. 0 means no limit'
        used_tokens:
          type: integer
        allow_from:
          type: array
          items:
            type: string
          description: 'Limit the share availability to these IP/Mask. IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291, for example "192.0.2.0/24" or "2001:db8::/32". An empty list means no restrictions'
          example:
            - 192.0.2.0/24
            - '2001:db8::/32'
    GroupUserSettings:
      type: object
      properties:
        home_dir:
          type: string
        max_sessions:
          type: integer
          format: int32
        quota_size:
          type: integer
          format: int64
        quota_files:
          type: integer
          format: int32
        permissions:
          type: object
          additionalProperties:
            type: array
            items:
              $ref: '#/components/schemas/Permission'
            minItems: 1
          minProperties: 1
          description: 'hash map with directory as key and an array of permissions as value. Directories must be absolute paths, permissions for root directory ("/") are required'
          example:
            /:
              - '*'
            /somedir:
              - list
              - download
        upload_bandwidth:
          type: integer
          description: 'Maximum upload bandwidth as KB/s'
        download_bandwidth:
          type: integer
          description: 'Maximum download bandwidth as KB/s'
        upload_data_transfer:
          type: integer
          description: 'Maximum data transfer allowed for uploads as MB'
        download_data_transfer:
          type: integer
          description: 'Maximum data transfer allowed for downloads as MB'
        total_data_transfer:
          type: integer
          description: 'Maximum total data transfer as MB'
        expires_in:
          type: integer
          description: 'Account expiration in number of days from creation. 0 means no expiration'
        filters:
          $ref: '#/components/schemas/BaseUserFilters'
        filesystem:
          $ref: '#/components/schemas/FilesystemConfig'
    Role:
      type: object
      properties:
        id:
          type: integer
          format: int32
          minimum: 1
        name:
          type: string
          description: name is unique
        description:
          type: string
          description: 'optional description'
        created_at:
          type: integer
          format: int64
          description: creation time as unix timestamp in milliseconds
        updated_at:
          type: integer
          format: int64
          description: last update time as unix timestamp in milliseconds
        users:
          type: array
          items:
            type: string
          description: list of usernames associated with this group
        admins:
          type: array
          items:
            type: string
          description: list of admins usernames associated with this group
    Group:
      type: object
      properties:
        id:
          type: integer
          format: int32
          minimum: 1
        name:
          type: string
          description: name is unique
        description:
          type: string
          description: 'optional description'
        created_at:
          type: integer
          format: int64
          description: creation time as unix timestamp in milliseconds
        updated_at:
          type: integer
          format: int64
          description: last update time as unix timestamp in milliseconds
        user_settings:
          $ref: '#/components/schemas/GroupUserSettings'
        virtual_folders:
          type: array
          items:
            $ref: '#/components/schemas/VirtualFolder'
          description: mapping between virtual SFTPGo paths and folders
        users:
          type: array
          items:
            type: string
          description: list of usernames associated with this group
        admins:
          type: array
          items:
            type: string
          description: list of admins usernames associated with this group
    GroupMapping:
      type: object
      properties:
        name:
          type: string
          description: group name
        type:
          enum:
            - 1
            - 2
            - 3
          description: |
            Group type:
              * `1` - Primary group
              * `2` - Secondary group
              * `3` - Membership only, no settings are inherited from this group type
    AdminGroupMappingOptions:
      type: object
      properties:
        add_to_users_as:
          enum:
            - 0
            - 1
            - 2
          description: |
            Add to new users as:
              * `0` - the admin's group will be added as membership group for new users
              * `1` - the admin's group will be added as primary group for new users
              * `2` - the admin's group will be added as secondary group for new users
    AdminGroupMapping:
      type: object
      properties:
        name:
          type: string
          description: group name
        options:
          $ref: '#/components/schemas/AdminGroupMappingOptions'
    BackupData:
      type: object
      properties:
        users:
          type: array
          items:
            $ref: '#/components/schemas/User'
        folders:
          type: array
          items:
            $ref: '#/components/schemas/BaseVirtualFolder'
        groups:
          type: array
          items:
            $ref: '#/components/schemas/Group'
        admins:
          type: array
          items:
            $ref: '#/components/schemas/Admin'
        api_keys:
          type: array
          items:
            $ref: '#/components/schemas/APIKey'
        shares:
          type: array
          items:
            $ref: '#/components/schemas/Share'
        event_actions:
          type: array
          items:
            $ref: '#/components/schemas/EventAction'
        event_rules:
          type: array
          items:
            $ref: '#/components/schemas/EventRule'
        roles:
          type: array
          items:
            $ref: '#/components/schemas/Role'
        version:
          type: integer
    PwdChange:
      type: object
      properties:
        current_password:
          type: string
        new_password:
          type: string
    DirEntry:
      type: object
      properties:
        name:
          type: string
          description: name of the file (or subdirectory) described by the entry. This name is the final element of the path (the base name), not the entire path
        size:
          type: integer
          format: int64
          description: file size, omitted for folders and non regular files
        mode:
          type: integer
          description: |
            File mode and permission bits. More details here: https://golang.org/pkg/io/fs/#FileMode.
            Let's see some examples:
            - for a directory mode&2147483648 != 0
            - for a symlink mode&134217728 != 0
            - for a regular file mode&2401763328 == 0
        last_modified:
          type: string
          format: date-time
    FsEvent:
      type: object
      properties:
        id:
          type: string
        timestamp:
          type: integer
          format: int64
          description: 'unix timestamp in nanoseconds'
        action:
          $ref: '#/components/schemas/FsEventAction'
        username:
          type: string
        fs_path:
          type: string
        fs_target_path:
          type: string
        virtual_path:
          type: string
        virtual_target_path:
          type: string
        ssh_cmd:
          type: string
        file_size:
          type: integer
          format: int64
        elapsed:
          type: integer
          format: int64
          description: elapsed time as milliseconds
        status:
          $ref: '#/components/schemas/FsEventStatus'
        protocol:
          $ref: '#/components/schemas/EventProtocols'
        ip:
          type: string
        session_id:
          type: string
        fs_provider:
          $ref: '#/components/schemas/FsProviders'
        bucket:
          type: string
        endpoint:
          type: string
        open_flags:
          type: string
        role:
          type: string
        instance_id:
          type: string
    ProviderEvent:
      type: object
      properties:
        id:
          type: string
        timestamp:
          type: integer
          format: int64
          description: 'unix timestamp in nanoseconds'
        action:
          $ref: '#/components/schemas/ProviderEventAction'
        username:
          type: string
        ip:
          type: string
        object_type:
          $ref: '#/components/schemas/ProviderEventObjectType'
        object_name:
          type: string
        object_data:
          type: string
          format: byte
          description: 'base64 of the JSON serialized object with sensitive fields removed'
        role:
          type: string
        instance_id:
          type: string
    LogEvent:
      type: object
      properties:
        id:
          type: string
        timestamp:
          type: integer
          format: int64
          description: 'unix timestamp in nanoseconds'
        event:
          $ref: '#/components/schemas/LogEventType'
        protocol:
          $ref: '#/components/schemas/EventProtocols'
        username:
          type: string
        ip:
          type: string
        message:
          type: string
        role:
          type: string
        instance_id:
          type: string
    KeyValue:
      type: object
      properties:
        key:
          type: string
        value:
          type: string
    HTTPPart:
      type: object
      properties:
        name:
          type: string
        headers:
          type: array
          items:
            $ref: '#/components/schemas/KeyValue'
          description: 'Additional headers. Content-Disposition header is automatically set. Content-Type header is automatically detect for files to attach'
        filepath:
          type: string
          description: 'path to the file to be sent as an attachment'
        body:
          type: string
    EventActionHTTPConfig:
      type: object
      properties:
        endpoint:
          type: string
          description: HTTP endpoint
          example: https://example.com
        username:
          type: string
        password:
          $ref: '#/components/schemas/Secret'
        headers:
          type: array
          items:
            $ref: '#/components/schemas/KeyValue'
          description: headers to add
        timeout:
          type: integer
          minimum: 1
          maximum: 180
          description: 'Ignored for multipart requests with files as attachments'
        skip_tls_verify:
          type: boolean
          description: 'if enabled the HTTP client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.'
        method:
          type: string
          enum:
            - GET
            - POST
            - PUT
            - DELETE
        query_parameters:
          type: array
          items:
            $ref: '#/components/schemas/KeyValue'
        body:
          type: string
          description: HTTP POST/PUT body
        parts:
          type: array
          items:
            $ref: '#/components/schemas/HTTPPart'
          description: 'Multipart requests allow to combine one or more sets of data into a single body. For each part, you can set a file path or a body as text. Placeholders are supported in file path, body, header values.'
    EventActionCommandConfig:
      type: object
      properties:
        cmd:
          type: string
          description: absolute path to the command to execute
        args:
          type: array
          items:
            type: string
          description: 'command line arguments'
        timeout:
          type: integer
          minimum: 1
          maximum: 120
        env_vars:
          type: array
          items:
            $ref: '#/components/schemas/KeyValue'
    EventActionEmailConfig:
      type: object
      properties:
        recipients:
          type: array
          items:
            type: string
        bcc:
          type: array
          items:
            type: string
        subject:
          type: string
        body:
          type: string
        content_type:
          type: integer
          enum:
            - 0
            - 1
          description: |
            Content type:
              * `0` text/plain
              * `1` text/html
        attachments:
          type: array
          items:
            type: string
          description: 'list of file paths to attach. The total size is limited to 10 MB'
    EventActionDataRetentionConfig:
      type: object
      properties:
        folders:
          type: array
          items:
            $ref: '#/components/schemas/FolderRetention'
    EventActionFsCompress:
      type: object
      properties:
        name:
          type: string
          description: 'Full path to the (zip) archive to create. The parent dir must exist'
        paths:
          type: array
          items:
            type: string
          description: 'paths to add the archive'
    EventActionFilesystemConfig:
      type: object
      properties:
        type:
          $ref: '#/components/schemas/FilesystemActionTypes'
        renames:
          type: array
          items:
            $ref: '#/components/schemas/KeyValue'
        mkdirs:
          type: array
          items:
            type: string
        deletes:
          type: array
          items:
            type: string
        exist:
          type: array
          items:
            type: string
        copy:
          type: array
          items:
            $ref: '#/components/schemas/KeyValue'
        compress:
          $ref: '#/components/schemas/EventActionFsCompress'
    EventActionPasswordExpiration:
      type: object
      properties:
        threshold:
          type: integer
          description: 'An email notification will be generated for users whose password expires in a number of days less than or equal to this threshold'
    EventActionUserInactivity:
      type: object
      properties:
        disable_threshold:
          type: integer
          description: 'Inactivity threshold, in days, before disabling the account'
        delete_threshold:
          type: integer
          description: 'Inactivity threshold, in days, before deleting the account'
    EventActionIDPAccountCheck:
      type: object
      properties:
        mode:
          type: integer
          enum:
            - 0
            - 1
          description: |
            Account check mode:
              * `0` Create or update the account
              * `1` Create the account if it doesn't exist
        template_user:
          type: string
          description: 'SFTPGo user template in JSON format'
        template_admin:
          type: string
          description: 'SFTPGo admin template in JSON format'
    BaseEventActionOptions:
      type: object
      properties:
        http_config:
          $ref: '#/components/schemas/EventActionHTTPConfig'
        cmd_config:
          $ref: '#/components/schemas/EventActionCommandConfig'
        email_config:
          $ref: '#/components/schemas/EventActionEmailConfig'
        retention_config:
          $ref: '#/components/schemas/EventActionDataRetentionConfig'
        fs_config:
          $ref: '#/components/schemas/EventActionFilesystemConfig'
        pwd_expiration_config:
          $ref: '#/components/schemas/EventActionPasswordExpiration'
        user_inactivity_config:
          $ref: '#/components/schemas/EventActionUserInactivity'
        idp_config:
          $ref: '#/components/schemas/EventActionIDPAccountCheck'
    BaseEventAction:
      type: object
      properties:
        id:
          type: integer
          format: int32
          minimum: 1
        name:
          type: string
          description: unique name
        description:
          type: string
          description: optional description
        type:
          $ref: '#/components/schemas/EventActionTypes'
        options:
          $ref: '#/components/schemas/BaseEventActionOptions'
        rules:
          type: array
          items:
            type: string
          description: list of event rules names associated with this action
    EventActionOptions:
      type: object
      properties:
        is_failure_action:
          type: boolean
        stop_on_failure:
          type: boolean
        execute_sync:
          type: boolean
    EventAction:
      allOf:
        - $ref: '#/components/schemas/BaseEventAction'
        - type: object
          properties:
            order:
              type: integer
              description: execution order
            relation_options:
              $ref: '#/components/schemas/EventActionOptions'
    EventActionMinimal:
      type: object
      properties:
        name:
          type: string
        order:
          type: integer
          description: execution order
        relation_options:
          $ref: '#/components/schemas/EventActionOptions'
    ConditionPattern:
      type: object
      properties:
        pattern:
          type: string
        inverse_match:
          type: boolean
    ConditionOptions:
      type: object
      properties:
        names:
          type: array
          items:
            $ref: '#/components/schemas/ConditionPattern'
        group_names:
          type: array
          items:
            $ref: '#/components/schemas/ConditionPattern'
        role_names:
          type: array
          items:
            $ref: '#/components/schemas/ConditionPattern'
        fs_paths:
          type: array
          items:
            $ref: '#/components/schemas/ConditionPattern'
        protocols:
          type: array
          items:
            type: string
            enum:
              - SFTP
              - SCP
              - SSH
              - FTP
              - DAV
              - HTTP
              - HTTPShare
              - OIDC
        provider_objects:
          type: array
          items:
            type: string
            enum:
              - user
              - group
              - admin
              - api_key
              - share
              - event_action
              - event_rule
        min_size:
          type: integer
          format: int64
        max_size:
          type: integer
          format: int64
        concurrent_execution:
          type: boolean
          description: allow concurrent execution from multiple nodes
    Schedule:
      type: object
      properties:
        hour:
          type: string
        day_of_week:
          type: string
        day_of_month:
          type: string
        month:
          type: string
    EventConditions:
      type: object
      properties:
        fs_events:
          type: array
          items:
            type: string
            enum:
              - upload
              - download
              - delete
              - rename
              - mkdir
              - rmdir
              - copy
              - ssh_cmd
              - pre-upload
              - pre-download
              - pre-delete
              - first-upload
              - first-download
        provider_events:
          type: array
          items:
            type: string
            enum:
              - add
              - update
              - delete
        schedules:
          type: array
          items:
            $ref: '#/components/schemas/Schedule'
        idp_login_event:
          type: integer
          enum:
            - 0
            - 1
            - 2
          description: |
            IDP login events:
              - `0` any login event
              - `1` user login event
              - `2` admin login event
        options:
          $ref: '#/components/schemas/ConditionOptions'
    BaseEventRule:
      type: object
      properties:
        id:
          type: integer
          format: int32
          minimum: 1
        name:
          type: string
          description: unique name
        status:
          type: integer
          enum:
            - 0
            - 1
          description: |
            status:
              * `0` disabled
              * `1` enabled
        description:
          type: string
          description: optional description
        created_at:
          type: integer
          format: int64
          description: creation time as unix timestamp in milliseconds
        updated_at:
          type: integer
          format: int64
          description: last update time as unix timestamp in millisecond
        trigger:
          $ref: '#/components/schemas/EventTriggerTypes'
        conditions:
          $ref: '#/components/schemas/EventConditions'
    EventRule:
      allOf:
        - $ref: '#/components/schemas/BaseEventRule'
        - type: object
          properties:
            actions:
              type: array
              items:
                $ref: '#/components/schemas/EventAction'
    EventRuleMinimal:
      allOf:
        - $ref: '#/components/schemas/BaseEventRule'
        - type: object
          properties:
            actions:
              type: array
              items:
                $ref: '#/components/schemas/EventActionMinimal'
    IPListEntry:
      type: object
      properties:
        ipornet:
          type: string
          description: IP address or network in CIDR format, for example `192.168.1.2/32`, `192.168.0.0/24`, `2001:db8::/32`
        description:
          type: string
          description: optional description
        type:
          $ref: '#/components/schemas/IPListType'
        mode:
          $ref: '#/components/schemas/IPListMode'
        protocols:
          type: integer
          description: Defines the protocol the entry applies to. `0` means all the supported protocols, 1 SSH, 2 FTP, 4 WebDAV, 8 HTTP. Protocols can be combined, for example 3 means SSH and FTP
        created_at:
          type: integer
          format: int64
          description: creation time as unix timestamp in milliseconds
        updated_at:
          type: integer
          format: int64
          description: last update time as unix timestamp in millisecond
    ApiResponse:
      type: object
      properties:
        message:
          type: string
          description: 'message, can be empty'
        error:
          type: string
          description: error description if any
    VersionInfo:
      type: object
      properties:
        version:
          type: string
        build_date:
          type: string
        commit_hash:
          type: string
        features:
          type: array
          items:
            type: string
          description: 'Features for the current build. Available features are `portable`, `bolt`, `mysql`, `sqlite`, `pgsql`, `s3`, `gcs`, `azblob`, `metrics`, `unixcrypt`. If a feature is available it has a `+` prefix, otherwise a `-` prefix'
    Token:
      type: object
      properties:
        access_token:
          type: string
        expires_at:
          type: string
          format: date-time
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
    APIKeyAuth:
      type: apiKey
      in: header
      name: X-SFTPGO-API-KEY
      description: 'API key to use for authentication. API key authentication is intrinsically less secure than using a short lived JWT token. You should prefer API key authentication only for machine-to-machine communications in trusted environments. If no admin/user is associated to the provided key you need to add ".username" at the end of the key. For example if your API key is "6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof" and you want to impersonate the admin with username "myadmin" you have to use "6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof.myadmin" as API key. When using API key authentication you cannot manage API keys, update the impersonated admin, change password or public keys for the impersonated user.'