Identity Cache Invalidation

New
  • Published on Jun 29, 2025
  • 3 minute(s) read
Prev Next
Post
/api/1.0/runtime/caches/identity/{envId}/invalidate

Performs a cache invalidation operation for identity data in the PAAs related to the relevant Environment.

When to use this API

Use this API when identity-related data changes—such as group membership, attribute values, or source assignments—and you want to immediately clear outdated entries from the Identity cache.
Example Use Case: Identity data is cached for each user during the first Authorization request and will be invalidated when the user logs off an Application. So during the next login to the Application, fresh data will be re-fetched for the current Authorization session.

Using this API

Authentication

A valid PlainID Platform JWT is required in the `Authorization` header. Refer to our [Get Access Token API](/apidocs/get-access-token) to retrieve a valid JWT for the Bearer Token.

How to use this API

The Identity Template ID is always required.
To invalidate all identity caches in Environment's PAAs, send a JSON object in the request body with the **Identity Template ID only**. The invalidation can be applied broadly for all Identity Source data and for all users, or scoped down using these **optional** parameters in the request body:
  • Attribute Source ID: Limits invalidation to Identity data from a specific Identity Attribute source, which is defined as part of your Identity Template.
    • If only the Attribute Source ID is provided, all cached identity data for that source will be invalidated across all users.
  • Identity ID: Invalidates dentity data for a specific user, identified by the unique identifier (UID) as defined in the Identity template. This clears any cached data associated with that user.
    • If only the Identity ID is provided, the user's identity data will be invalidated across all cached sources.
  • If both parameters are provided, the identity data for the specified user and source will be invalidated.

Notice

When accessing the Authorization APIs, the URL base/prefix depends on your PlainID PDP location:
  • United States Cloud PDP - `https://tenant-name.us1.plainid.io`
  • Canadian Cloud PDP - `https://tenant-name.ca1.plainid.io`
  • European Cloud PDP - `https://tenant-name.eu1.plainid.io`
  • Local PAA - `https://your-paa.acme.local`

    • For more information on which Asset Types to use with your PAA or Cloud PDP, refer to Managing Asset Types.

    cURL Sample Guidelines

    In order for the relevant parameters to appear in the cURL sample, you can input the values in the interactive API console on the right under the Try It\* or the Code Sample tabs. They will then appear in the cURL sample in the correct format to use in your API tool.

    \*Try It function coming soon.


    Important note about headers

    Refer to the headers below to modify your cURL sample. Check if the following headers are in the sample—if not, ensure you add them before pasting into your API tool.

    Headers

    Header Value cURL Line
    Accept application/json 'accept: application/json'
    Content-Type application/json 'content-type: application/json'
    X-Request-ID (optional) UUID 'X-Request-ID: {uuid}'

    Note: RequestID Header (optional): You may include an X-Request-ID header for traceability. If not provided, the system will generate one automatically.

    Security
    HTTP
    Type bearer

    For more details about Administration API Authentication, check out the Authentication APIs documentation
    Provide your bearer token in the Authorization header when making requests to protected resources.
    Example: Authorization: Bearer 123

    Path parameters
    envId
    stringRequired

    The Environment ID can be found under the Details tab in the Environment Settings.

    Body parameters
    object

    The Identity Template ID is always required.
    To invalidate all identity caches in Environment's PAAs, send a JSON object in the request body with the Identity Template ID only. The invalidation can be applied broadly for all Identity Source data and for all users, or scoped down using these optional parameters in the request body.

    identityTemplate
    string Required

    The Identity Template ID where the identity is defined. Required for locating the correct UID mapping. You can find this in your Identity Workspace Settings. For more information, refer to Identity Workspace Settings in the PlainID documentation.

    ExampleUser
    attributeSourceId
    string

    The identifier of the Attribute Source to limit the invalidation to identities from a specific source. For information on the sourceID parameter and where to locate it, check out Managing Attribute Sources in the PlainID documentation.

    Example3cb6e371-c76b-408d-a9cb-6d4b260145b0
    identityId
    string

    The Identity UID to invalidate, as modeled and mapped in the Identity Template. Note: This is the same user ID that is used when sending an Authorization request with the entityId parameter.

    Responses
    200

    ok

    400

    missing required parameters

    Expand All
    object
    errors
    Array of object (GenericError)
    Min items1
    object
    id
    string
    Min length1
    code
    string
    Min length1
    name
    string
    Min length1
    message
    string
    Min length1
    401

    unauthorized

    Expand All
    object
    errors
    Array of object (GenericError)
    Min items1
    object
    id
    string
    Min length1
    code
    string
    Min length1
    name
    string
    Min length1
    message
    string
    Min length1
    424

    failed dependency

    Expand All
    object
    errors
    Array of object (GenericError)
    Min items1
    object
    id
    string
    Min length1
    code
    string
    Min length1
    name
    string
    Min length1
    message
    string
    Min length1