PingOne Advanced Identity Cloud MCP Server
Official
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| AIC_BASE_URL | Yes | The base URL of your PingOne Advanced Identity Cloud tenant (e.g., your-tenant.forgeblocks.com or https://your-tenant.forgeblocks.com) | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": true } |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| createManagedObjectDefinition | Create a new managed object type definition in PingOne AIC by appending to the managed config. IMPORTANT: Call getManagedObjectSchema with includeFullDefinition=true on an existing object first to understand the expected definition structure. |
| createManagedObject | Create a new managed object in PingOne AIC |
| deleteManagedObjectDefinition | Delete a managed object type definition from PingOne AIC. Removes the object type from the managed config. IMPORTANT: This will fail if other object types have relationship properties referencing this object type. |
| deleteManagedObject | Delete a managed object by ID from PingOne AIC |
| getManagedObjectSchema | Retrieve schema definition for a managed object type in PingOne AIC |
| getManagedObject | Retrieve a managed object's complete profile by ID in PingOne AIC |
| listManagedObjects | Retrieve the list of all managed object types available in PingOne AIC |
| patchManagedObjectDefinition | Modify an existing managed object type definition in PingOne AIC using ForgeRock PATCH operations. Operations use field paths relative to the object (e.g., /schema/properties/email). IMPORTANT: Cannot modify relationship properties — use patchManagedObjectRelationship for those. |
| patchManagedObjectRelationship | Add, update, or remove a custom relationship property on a managed object type in PingOne AIC via the schema service. Only works with properties that have a "custom_" prefix. For add/update, provide the full relationship property definition. |
| patchManagedObject | Update specific fields of a managed object in PingOne AIC using JSON Patch operations |
| queryManagedObjects | Query managed objects in PingOne AIC using CREST query filter syntax |
| getLogSources | Retrieve the list of available log sources in PingOne AIC |
| queryLogs | Query PingOne AIC logs to investigate issues or understand system behavior. Useful for debugging journey execution failures, authentication errors, script exceptions, and API issues. Transaction IDs from error responses can be used to trace specific requests. |
| createTheme | Create a new theme for a realm in PingOne AIC. IMPORTANT: Call getThemeSchema first to understand all available fields, their types, enum values, and requirements before creating a theme. |
| deleteTheme | Delete a theme from a realm in PingOne AIC |
| getThemeSchema | Get comprehensive schema documentation for PingOne AIC themes including the expected payload structure, field types, enum values, and constraints. Use this before creating or updating themes to understand requirements. |
| getTheme | Retrieve a specific theme by ID or name from PingOne AIC |
| getThemes | Retrieve all themes for a specific realm in PingOne AIC |
| setDefaultTheme | Set a theme as the default for a realm in PingOne AIC |
| updateTheme | Update an existing theme in PingOne AIC |
| deleteVariable | Delete an environment variable (ESV) from PingOne AIC |
| getVariable | Retrieve a specific environment variable (ESV) by ID with decoded value |
| queryESVs | Query environment secrets or variables (ESVs) in PingOne AIC by ID |
| setVariable | Create or update an environment variable (ESV) in PingOne AIC |
| enableAiAgent | Enable the AI Agents feature in PingOne AIC. IMPORTANT: this action is one-way and cannot be undone. Re-running this tool is safe. Use |
| installIdmFeature | Install an IDM feature in PingOne AIC. IMPORTANT: this action is one-way and cannot be undone. Run |
| listFeatures | List all available features in PingOne AIC and whether they are installed. Returns a unified list of IDM features and AIC platform features (e.g. AI Agents) with install status. This is the single tool to call when checking what features exist and their state. |
| validateIdmFeature | Check whether an IDM feature can be installed without making any changes. Returns a result with |
| createJourney | Create or replace an authentication journey (upsert operation — if a journey with the same name already exists, it is overwritten). Node IDs can be human-readable (e.g., "login-page") and will be automatically transformed to UUIDs. Use "success" or "failure" as connection targets for terminal nodes. Returns the mapping of original IDs to generated UUIDs. |
| createScript | Create a new Scripted Decision Node script for use in authentication journeys. Use getScriptedDecisionNodeBindings to see available variables and allowed imports before writing the script. |
| deleteJourneyNodes | Batch delete orphaned node instances. Use this to clean up nodes that were removed from a journey during an update (via updateJourney) but still exist in AM. Note: Deleting an entire journey automatically cleans up its nodes, so this tool is only needed after journey updates that remove nodes. |
| deleteJourney | Delete an authentication journey from a realm. AM automatically cleans up all node instances within the journey, including PageNode child nodes. |
| deleteScript | Delete an AM script by its ID. Warning: This is a permanent deletion and cannot be undone. Ensure the script is not referenced by any journey nodes before deleting. |
| getAMScript | Retrieve an AM script by its ID. Returns the complete script including name, description, language, and source code. |
| getDynamicNodeOutcomes | Calculate the dynamic outcomes for a node based on its configuration. Use this for nodes whose outcomes depend on their config, such as: PageNode (outcomes depend on child nodes - pass { nodes: [...] }), ChoiceCollectorNode (outcomes depend on choices array - pass { choices: [...] }), and similar configurable nodes. This helps determine what connections to wire when building journeys. |
| getJourneyPreviewUrl | Generate the preview URL for testing an authentication journey. Returns a URL that can be opened in a browser to test the journey flow. |
| getJourney | Retrieve a specific authentication journey (tree) by name from a realm in PingOne AIC. Automatically fetches and includes complete node schemas and configurations for all nodes in the journey. Returns comprehensive journey data with embedded node details. |
| getNodeTypeDetails | Get complete details (schema, default template, and outcomes) for one or more node types. Use this before building journeys to understand what configuration each node type requires and what outcomes it produces. |
| getScriptedDecisionNodeBindings | Retrieve the available bindings (variables, functions) and allowed import libraries for Scripted Decision Node scripts. This is essential reference information when writing journey scripts - it shows what APIs and classes are available in the scripting environment. |
| listJourneys | Retrieve all authentication journeys (trees) for a specific realm in PingOne AIC. Returns journey metadata including ID, description, and the default journey for the realm. |
| listNodeTypes | Discover all available authentication node types in a realm. Returns node type metadata including ID, name, and tags. Use this to understand what node types can be used when building journeys. |
| listScripts | List Scripted Decision Node scripts (evaluatorVersion 2.0) in a realm. Returns script metadata including ID, name, description, language, and context. Use getAMScript to retrieve the full script content. |
| setDefaultJourney | Set the default authentication journey for a realm. This journey will be used when no specific journey is requested during authentication. |
| updateJourneyNode | Update a single node's configuration without modifying the journey structure. This is a FULL REPLACEMENT of the node configuration - to preserve existing fields, first fetch the current configuration using getJourney, merge your changes, then call this tool with the complete configuration. |
| updateJourney | Update an existing authentication journey. Fetches the current journey, merges any caller-provided metadata fields (description, identityResource, mustRun, innerTreeOnly, uiConfig, enabled, maximumSessionTime, maximumIdleTime), and PUTs the result back. If nodes and/or entryNodeId are provided, the graph is replaced atomically using the same UUID transformation pipeline as createJourney; otherwise the existing graph is preserved unchanged. Fields not supplied by the caller are preserved from the fetched journey. |
| updateScript | Update an existing Scripted Decision Node script. You can update any combination of name, description, or script content. |
| createOidcApp | Creates an OIDC application. Only supply the oauth2Client fields you want to set; defaults are applied for the rest. |
| deleteOidcApp | Deletes an OIDC application. |
| getOidcAppSchema | Returns the schema for an OIDC application. By default returns a compact summary of property names, types, and allowed values. Set summary=false for full details. Call this before createOidcApp or updateOidcApp to understand available fields. |
| getOidcApp | Retrieves a complete OIDC application configuration. |
| listOidcApps | Lists OIDC applications in a realm with summary fields only. Use getOidcApp for full details of a specific app. |
| updateOidcApp | Updates an OIDC application. You can update the client configuration, the application metadata, or both. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/pingidentity/aic-mcp-server'