{ "rootUrl": "https://verifiedaccess.googleapis.com/", "ownerDomain": "google.com", "version_module": true, "servicePath": "", "documentationLink": "https://developers.google.com/chrome/verified-access", "version": "v2", "description": "API for Verified Access chrome extension to provide credential verification for chrome devices connecting to an enterprise network", "title": "Chrome Verified Access API", "discoveryVersion": "v1", "basePath": "", "revision": "20260608", "schemas": { "CrowdStrikeAgent": { "properties": { "agentId": { "readOnly": true, "type": "string", "description": "Output only. The Agent ID of the Crowdstrike agent." }, "customerId": { "description": "Output only. The Customer ID to which the agent belongs to.", "readOnly": true, "type": "string" } }, "description": "Properties of the CrowdStrike agent installed on a device.", "id": "CrowdStrikeAgent", "type": "object" }, "Empty": { "id": "Empty", "type": "object", "properties": {}, "description": "A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }" }, "VerifyChallengeResponseRequest": { "properties": { "challengeResponse": { "type": "string", "format": "byte", "description": "Required. The generated response to the challenge, the bytes representation of SignedData." }, "expectedIdentity": { "description": "Optional. Service can optionally provide identity information about the device or user associated with the key. For an EMK, this value is the enrolled domain. For an EUK, this value is the user's email address. If present, this value will be checked against contents of the response, and verification will fail if there is no match.", "type": "string" } }, "description": "Signed ChallengeResponse.", "id": "VerifyChallengeResponseRequest", "type": "object" }, "Challenge": { "id": "Challenge", "type": "object", "properties": { "challenge": { "type": "string", "format": "byte", "description": "Generated challenge, the bytes representation of SignedData." } }, "description": "Result message for VerifiedAccess.GenerateChallenge." }, "VerifyChallengeResponseResult": { "id": "VerifyChallengeResponseResult", "type": "object", "properties": { "customerId": { "readOnly": true, "type": "string", "description": "Output only. Unique customer id that this device belongs to, as defined by the Google Admin SDK at https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers" }, "devicePermanentId": { "description": "Output only. Device permanent id is returned in this field (for the machine response only).", "readOnly": true, "type": "string" }, "profileKeyTrustLevel": { "readOnly": true, "enumDescriptions": [ "UNSPECIFIED.", "ChromeOS device in verified mode.", "ChromeOS device in developer mode.", "Chrome Browser with the key stored in the device hardware.", "Chrome Browser with the key stored at OS level.", "Chrome Browser without an attestation key.", "ChromeOS device without a signing key (e.g., Flex without TPM). Applies to both device and user contexts on ChromeOS." ], "enum": [ "KEY_TRUST_LEVEL_UNSPECIFIED", "CHROME_OS_VERIFIED_MODE", "CHROME_OS_DEVELOPER_MODE", "CHROME_BROWSER_HW_KEY", "CHROME_BROWSER_OS_KEY", "CHROME_BROWSER_NO_KEY", "CHROME_OS_NO_KEY" ], "description": "Output only. Profile attested key trust level.", "type": "string" }, "deviceSignal": { "type": "string", "readOnly": true, "description": "Output only. Deprecated. Device signal in json string representation. Prefer using `device_signals` instead." }, "virtualDeviceId": { "type": "string", "readOnly": true, "description": "Output only. Virtual device id of the device. The definition of virtual device id is platform-specific." }, "signedPublicKeyAndChallenge": { "type": "string", "readOnly": true, "description": "Output only. Certificate Signing Request (in the SPKAC format, base64 encoded) is returned in this field. This field will be set only if device has included CSR in its challenge response. (the option to include CSR is now available for both user and machine responses)" }, "attestedDeviceId": { "description": "Output only. Attested device ID (ADID).", "readOnly": true, "type": "string" }, "deviceEnrollmentId": { "description": "Output only. Device enrollment id for ChromeOS devices.", "readOnly": true, "type": "string" }, "profileCustomerId": { "type": "string", "readOnly": true, "description": "Output only. Unique customer id that this profile belongs to, as defined by the Google Admin SDK at https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers" }, "profilePermanentId": { "type": "string", "readOnly": true, "description": "Output only. The unique server-side ID of a profile on the device." }, "virtualProfileId": { "description": "Output only. The client-provided ID of a profile on the device.", "readOnly": true, "type": "string" }, "keyTrustLevel": { "type": "string", "description": "Output only. Device attested key trust level.", "readOnly": true, "enumDescriptions": [ "UNSPECIFIED.", "ChromeOS device in verified mode.", "ChromeOS device in developer mode.", "Chrome Browser with the key stored in the device hardware.", "Chrome Browser with the key stored at OS level.", "Chrome Browser without an attestation key.", "ChromeOS device without a signing key (e.g., Flex without TPM). Applies to both device and user contexts on ChromeOS." ], "enum": [ "KEY_TRUST_LEVEL_UNSPECIFIED", "CHROME_OS_VERIFIED_MODE", "CHROME_OS_DEVELOPER_MODE", "CHROME_BROWSER_HW_KEY", "CHROME_BROWSER_OS_KEY", "CHROME_BROWSER_NO_KEY", "CHROME_OS_NO_KEY" ] }, "deviceSignals": { "description": "Output only. Device signals.", "$ref": "DeviceSignals", "readOnly": true } }, "description": "Result message for VerifiedAccess.VerifyChallengeResponse. The response returned when successful for Managed profiles on Unmanaged browsers will NOT have devicePermanentId, keyTrustLevel, virtualDeviceId and customerId fields. Managed profiles will INSTEAD have the profileCustomerId, virtualProfileId, profilePermanentId and profileKeyTrustLevel fields." }, "DeviceSignals": { "properties": { "secureBootMode": { "description": "Output only. Whether the device's startup software has its Secure Boot feature enabled. Available on Windows only.", "readOnly": true, "enumDescriptions": [ "Unspecified.", "Chrome was unable to determine the Secure Boot mode.", "Secure Boot was disabled on the startup software.", "Secure Boot was enabled on the startup software." ], "enum": [ "SECURE_BOOT_MODE_UNSPECIFIED", "SECURE_BOOT_MODE_UNKNOWN", "SECURE_BOOT_MODE_DISABLED", "SECURE_BOOT_MODE_ENABLED" ], "type": "string" }, "trigger": { "enumDescriptions": [ "Unspecified.", "When navigating to an URL inside a browser.", "When signing into an account on the ChromeOS login screen." ], "enum": [ "TRIGGER_UNSPECIFIED", "TRIGGER_BROWSER_NAVIGATION", "TRIGGER_LOGIN_SCREEN" ], "readOnly": true, "description": "Output only. The trigger which generated this set of signals.", "type": "string" }, "screenLockSecured": { "type": "string", "description": "Output only. The state of the Screen Lock password protection. On ChromeOS, this value will always be ENABLED as there is not way to disable requiring a password or pin when unlocking the device.", "readOnly": true, "enumDescriptions": [ "Unspecified.", "Chrome could not evaluate the state of the Screen Lock mechanism.", "The Screen Lock is not password-protected.", "The Screen Lock is password-protected." ], "enum": [ "SCREEN_LOCK_SECURED_UNSPECIFIED", "SCREEN_LOCK_SECURED_UNKNOWN", "SCREEN_LOCK_SECURED_DISABLED", "SCREEN_LOCK_SECURED_ENABLED" ] }, "macAddresses": { "description": "Output only. MAC addresses of the device.", "items": { "type": "string" }, "type": "array", "readOnly": true }, "displayName": { "description": "Output only. The display name of the device, as defined by the user.", "type": "string", "readOnly": true }, "allowScreenLock": { "readOnly": true, "type": "boolean", "description": "Output only. Value of the AllowScreenLock policy on the device. See https://chromeenterprise.google/policies/?policy=AllowScreenLock for more details. Available on ChromeOS only." }, "crowdStrikeAgent": { "readOnly": true, "description": "Output only. Crowdstrike agent properties installed on the device, if any. Available on Windows and MacOS only.", "$ref": "CrowdStrikeAgent" }, "passwordProtectionWarningTrigger": { "readOnly": true, "enumDescriptions": [ "Unspecified.", "The policy is not set.", "No password protection warning will be shown.", "Password protection warning is shown if a protected password is re-used.", "Password protection warning is shown if a protected password is re-used on a known phishing website." ], "enum": [ "PASSWORD_PROTECTION_WARNING_TRIGGER_UNSPECIFIED", "POLICY_UNSET", "PASSWORD_PROTECTION_OFF", "PASSWORD_REUSE", "PHISHING_REUSE" ], "description": "Output only. Whether the Password Protection Warning feature is enabled or not. Password protection alerts users when they reuse their protected password on potentially suspicious sites. This setting is controlled by an enterprise policy: https://chromeenterprise.google/policies/#PasswordProtectionWarningTrigger. Note that the policy unset does not have the same effects as having the policy explicitly set to `PASSWORD_PROTECTION_OFF`.", "type": "string" }, "browserVersion": { "readOnly": true, "type": "string", "description": "Output only. Current version of the Chrome browser which generated this set of signals. Example value: \"107.0.5286.0\"." }, "thirdPartyBlockingEnabled": { "description": "Output only. Deprecated. The corresponding policy is now deprecated. Whether Chrome is blocking third-party software injection or not. This setting may be controlled by an enterprise policy: https://chromeenterprise.google/policies/?policy=ThirdPartyBlockingEnabled. Available on Windows only.", "readOnly": true, "deprecated": true, "type": "boolean" }, "diskEncryption": { "description": "Output only. The encryption state of the disk. On ChromeOS, the main disk is always ENCRYPTED.", "enumDescriptions": [ "Unspecified.", "Chrome could not evaluate the encryption state.", "The main disk is not encrypted.", "The main disk is encrypted." ], "enum": [ "DISK_ENCRYPTION_UNSPECIFIED", "DISK_ENCRYPTION_UNKNOWN", "DISK_ENCRYPTION_DISABLED", "DISK_ENCRYPTION_ENCRYPTED" ], "readOnly": true, "type": "string" }, "siteIsolationEnabled": { "readOnly": true, "type": "boolean", "description": "Output only. Whether the Site Isolation (a.k.a Site Per Process) setting is enabled. That setting may be controlled by an enterprise policy: https://chromeenterprise.google/policies/#SitePerProcess" }, "windowsMachineDomain": { "description": "Output only. Windows domain that the current machine has joined. Available on Windows only.", "readOnly": true, "type": "string" }, "hostname": { "description": "Hostname of the device.", "type": "string" }, "deviceManufacturer": { "type": "string", "readOnly": true, "description": "Output only. The name of the device's manufacturer." }, "antivirus": { "description": "Output only. Information about Antivirus software on the device. Available on Windows only.", "$ref": "Antivirus", "readOnly": true }, "osVersion": { "description": "Output only. The current version of the Operating System. On Windows and linux, the value will also include the security patch information.", "type": "string", "readOnly": true }, "meid": { "description": "Output only. Mobile Equipment Identifier (MEID) of the device. Available on ChromeOS only.", "items": { "type": "string" }, "readOnly": true, "type": "array" }, "deviceModel": { "type": "string", "readOnly": true, "description": "Output only. The name of the device's model." }, "profileAffiliationIds": { "description": "Output only. Affiliation IDs of the organizations that are affiliated with the organization that is currently managing the Chrome Profile’s user or ChromeOS user.", "items": { "type": "string" }, "type": "array", "readOnly": true }, "safeBrowsingProtectionLevel": { "type": "string", "description": "Output only. Safe Browsing Protection Level. That setting may be controlled by an enterprise policy: https://chromeenterprise.google/policies/#SafeBrowsingProtectionLevel.", "readOnly": true, "enumDescriptions": [ "Unspecified.", "Safe Browsing is disabled.", "Safe Browsing is active in the standard mode.", "Safe Browsing is active in the enhanced mode." ], "enum": [ "SAFE_BROWSING_PROTECTION_LEVEL_UNSPECIFIED", "INACTIVE", "STANDARD", "ENHANCED" ] }, "serialNumber": { "readOnly": true, "type": "string", "description": "Output only. The serial number of the device. On Windows, this represents the BIOS's serial number. Not available on most Linux distributions." }, "profileEnrollmentDomain": { "readOnly": true, "type": "string", "description": "Output only. Enrollment domain of the customer which is currently managing the profile." }, "deviceEnrollmentDomain": { "readOnly": true, "type": "string", "description": "Output only. Enrollment domain of the customer which is currently managing the device." }, "operatingSystem": { "type": "string", "enumDescriptions": [ "UNSPECIFIED.", "ChromeOS.", "ChromiumOS.", "Windows.", "Mac Os X.", "Linux" ], "enum": [ "OPERATING_SYSTEM_UNSPECIFIED", "CHROME_OS", "CHROMIUM_OS", "WINDOWS", "MAC_OS_X", "LINUX" ], "readOnly": true, "description": "Output only. The type of the Operating System currently running on the device." }, "osFirewall": { "description": "Output only. The state of the OS level firewall. On ChromeOS, the value will always be ENABLED on regular devices and UNKNOWN on devices in developer mode. Support for MacOS 15 (Sequoia) and later has been introduced in Chrome M131.", "enumDescriptions": [ "Unspecified.", "Chrome could not evaluate the OS firewall state.", "The OS firewall is disabled.", "The OS firewall is enabled." ], "enum": [ "OS_FIREWALL_UNSPECIFIED", "OS_FIREWALL_UNKNOWN", "OS_FIREWALL_DISABLED", "OS_FIREWALL_ENABLED" ], "readOnly": true, "type": "string" }, "realtimeUrlCheckMode": { "type": "string", "enumDescriptions": [ "Unspecified.", "Disabled. Consumer Safe Browsing checks are applied.", "Realtime check for main frame URLs is enabled." ], "enum": [ "REALTIME_URL_CHECK_MODE_UNSPECIFIED", "REALTIME_URL_CHECK_MODE_DISABLED", "REALTIME_URL_CHECK_MODE_ENABLED_MAIN_FRAME" ], "readOnly": true, "description": "Output only. Whether Enterprise-grade (i.e. custom) unsafe URL scanning is enabled or not. This setting may be controlled by an enterprise policy: https://chromeenterprise.google/policies/#EnterpriseRealTimeUrlCheckMode" }, "deviceAffiliationIds": { "readOnly": true, "type": "array", "description": "Output only. Affiliation IDs of the organizations that are affiliated with the organization that is currently managing the device. When the sets of device and profile affiliation IDs overlap, it means that the organizations managing the device and user are affiliated. To learn more about user affiliation, visit https://support.google.com/chrome/a/answer/12801245?ref_topic=9027936.", "items": { "type": "string" } }, "systemDnsServers": { "type": "array", "description": "List of the addesses of all OS level DNS servers configured in the device's network settings.", "items": { "type": "string" } }, "imei": { "type": "array", "readOnly": true, "description": "Output only. International Mobile Equipment Identity (IMEI) of the device. Available on ChromeOS only.", "items": { "type": "string" } }, "builtInDnsClientEnabled": { "description": "Output only. Whether Chrome's built-in DNS client is used. The OS DNS client is otherwise used. This value may be controlled by an enterprise policy: https://chromeenterprise.google/policies/#BuiltInDnsClientEnabled.", "readOnly": true, "type": "boolean" }, "windowsUserDomain": { "type": "string", "readOnly": true, "description": "Output only. Windows domain for the current OS user. Available on Windows only." }, "chromeRemoteDesktopAppBlocked": { "type": "boolean", "readOnly": true, "description": "Output only. Whether access to the Chrome Remote Desktop application is blocked via a policy." } }, "description": "The device signals as reported by Chrome. Unless otherwise specified, signals are available on all platforms.", "id": "DeviceSignals", "type": "object" }, "Antivirus": { "id": "Antivirus", "type": "object", "properties": { "state": { "type": "string", "readOnly": true, "enumDescriptions": [ "Unspecified.", "No antivirus was detected on the device.", "At least one antivirus was installed on the device but none was enabled.", "At least one antivirus was enabled on the device." ], "enum": [ "STATE_UNSPECIFIED", "MISSING", "DISABLED", "ENABLED" ], "description": "Output only. The state of the antivirus on the device. Introduced in Chrome M136." } }, "description": "Antivirus information on a device." } }, "id": "verifiedaccess:v2", "icons": { "x32": "http://www.google.com/images/icons/product/search-32.gif", "x16": "http://www.google.com/images/icons/product/search-16.gif" }, "name": "verifiedaccess", "ownerName": "Google", "fullyEncodeReservedExpansion": true, "canonicalName": "verifiedaccess", "auth": { "oauth2": { "scopes": { "https://www.googleapis.com/auth/verifiedaccess": { "description": "Verify your enterprise credentials" } } } }, "mtlsRootUrl": "https://verifiedaccess.mtls.googleapis.com/", "resources": { "challenge": { "methods": { "generate": { "scopes": [ "https://www.googleapis.com/auth/verifiedaccess" ], "parameters": {}, "description": "Generates a new challenge.", "flatPath": "v2/challenge:generate", "id": "verifiedaccess.challenge.generate", "response": { "$ref": "Challenge" }, "httpMethod": "POST", "parameterOrder": [], "path": "v2/challenge:generate", "request": { "$ref": "Empty" } }, "verify": { "httpMethod": "POST", "id": "verifiedaccess.challenge.verify", "response": { "$ref": "VerifyChallengeResponseResult" }, "path": "v2/challenge:verify", "request": { "$ref": "VerifyChallengeResponseRequest" }, "parameterOrder": [], "parameters": {}, "description": "Verifies the challenge response.", "scopes": [ "https://www.googleapis.com/auth/verifiedaccess" ], "flatPath": "v2/challenge:verify" } } } }, "kind": "discovery#restDescription", "batchPath": "batch", "parameters": { "quotaUser": { "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.", "type": "string", "location": "query" }, "fields": { "description": "Selector specifying which fields to include in a partial response.", "type": "string", "location": "query" }, "key": { "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.", "type": "string", "location": "query" }, "uploadType": { "type": "string", "location": "query", "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\")." }, "$.xgafv": { "type": "string", "location": "query", "description": "V1 error format.", "enum": [ "1", "2" ], "enumDescriptions": [ "v1 error format", "v2 error format" ] }, "alt": { "default": "json", "type": "string", "location": "query", "description": "Data format for response.", "enum": [ "json", "media", "proto" ], "enumDescriptions": [ "Responses with Content-Type of application/json", "Media download with context-dependent Content-Type", "Responses with Content-Type of application/x-protobuf" ] }, "access_token": { "type": "string", "location": "query", "description": "OAuth access token." }, "oauth_token": { "description": "OAuth 2.0 token for the current user.", "type": "string", "location": "query" }, "upload_protocol": { "type": "string", "location": "query", "description": "Upload protocol for media (e.g. \"raw\", \"multipart\")." }, "prettyPrint": { "default": "true", "type": "boolean", "location": "query", "description": "Returns response with indentations and line breaks." }, "callback": { "type": "string", "location": "query", "description": "JSONP" } }, "baseUrl": "https://verifiedaccess.googleapis.com/", "protocol": "rest" }