> ## Documentation Index
> Fetch the complete documentation index at: https://tyk.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Create a profile

> Creates a new authentication profile. The `ID` field in the request body must
match the `{id}` path parameter, otherwise a 400 is returned.




## OpenAPI

````yaml /swagger/5.13/identity-broker-swagger.yml post /api/profiles/{id}
openapi: 3.0.3
info:
  title: Tyk Identity Broker (TIB) API
  description: >
    The Tyk Identity Broker (TIB) acts as a delegated authentication gateway
    between

    external identity providers (OAuth/Social, SAML, LDAP, Reverse Proxy) and
    the

    Tyk ecosystem.


    ## Authentication


    Profile management endpoints (`/api/*`) require an `Authorization` header
    whose

    value must exactly match the `Secret` field in `tib.conf`.


    Auth flow endpoints (`/auth/*`) are public — they are the entry points for

    end-user authentication and are called by browsers or API clients, not by

    back-end services.
  version: v1.7.2
  contact:
    email: support@tyk.io
    name: Tyk Technologies
    url: https://tyk.io/contact
servers:
  - url: http://localhost:3010
    description: Default local TIB instance
security: []
tags:
  - name: Auth
    description: Entry points for identity-provider authentication flows (public)
  - name: Profiles
    description: CRUD management of TIB profiles (requires Authorization header)
  - name: Health
    description: Health check
paths:
  /api/profiles/{id}:
    post:
      tags:
        - Profiles
      summary: Create a profile
      description: >
        Creates a new authentication profile. The `ID` field in the request body
        must

        match the `{id}` path parameter, otherwise a 400 is returned.
      operationId: createProfile
      parameters:
        - $ref: '#/components/parameters/profileId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Profile'
            examples:
              GitHubSSODashboard:
                summary: GitHub OAuth → Dashboard login
                value:
                  ID: github-sso-dashboard
                  Name: GitHub SSO - Dashboard
                  OrgID: 5e9d9544a1dcd60001d0ed20
                  ActionType: GenerateOrLoginUserProfile
                  Type: redirect
                  ProviderName: SocialProvider
                  ReturnURL: https://dashboard.example.com/tap
                  ProviderConstraints:
                    Domain: ''
                    Group: ''
                  ProviderConfig:
                    CallbackBaseURL: https://tib.example.com
                    FailureRedirect: https://dashboard.example.com/login?error=1
                    UseProviders:
                      - Name: github
                        Key: my-github-client-id
                        Secret: my-github-client-secret
              LDAPDashboard:
                summary: LDAP / Active Directory → Dashboard login
                value:
                  ID: ldap-dashboard
                  Name: LDAP – Dashboard
                  OrgID: 5e9d9544a1dcd60001d0ed20
                  ActionType: GenerateOrLoginUserProfile
                  Type: passthrough
                  ProviderName: ADProvider
                  ReturnURL: https://dashboard.example.com/tap
                  ProviderConfig:
                    LDAPServer: ldap.example.com
                    LDAPPort: '389'
                    LDAPUserDN: uid={username},ou=users,dc=example,dc=com
                    LDAPBaseDN: dc=example,dc=com
                    LDAPFilter: (objectClass=person)
                    LDAPEmailAttribute: mail
                    LDAPUseSSL: false
                    GetAuthFromBAHeader: true
      responses:
        '201':
          description: Profile created successfully.
          content:
            application/json:
              schema:
                allOf:
                  - $ref: '#/components/schemas/APIOKMessage'
                  - type: object
                    properties:
                      Data:
                        $ref: '#/components/schemas/Profile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
      security:
        - ApiSecret: []
components:
  parameters:
    profileId:
      name: id
      in: path
      required: true
      description: The unique identifier of the authentication profile.
      schema:
        type: string
      example: github-sso-dashboard
  schemas:
    Profile:
      type: object
      required:
        - ID
        - ActionType
        - ProviderName
        - Type
      properties:
        ID:
          type: string
          description: >
            Unique identifier for this profile. Must match the `{id}` path
            parameter

            when creating or updating.
          example: github-sso-dashboard
        Name:
          type: string
          description: Human-readable display name for this profile.
          example: GitHub SSO - Dashboard Login
        OrgID:
          type: string
          description: Tyk organisation ID this profile belongs to.
          example: 5e9d9544a1dcd60001d0ed20
        ActionType:
          $ref: '#/components/schemas/Action'
        MatchedPolicyID:
          type: string
          description: >
            Tyk policy ID to attach to tokens or sessions generated by this
            profile.
          example: 5f8f9e3c1b5e4a0001b3c4d5
        Type:
          $ref: '#/components/schemas/ProviderType'
        ProviderName:
          $ref: '#/components/schemas/ProviderName'
        CustomEmailField:
          type: string
          description: >
            Override the claim/attribute used to extract the user's email
            address.

            Leave empty to use the provider default.
          example: email
        CustomUserIDField:
          type: string
          description: >
            Override the claim/attribute used to extract the user's unique
            identifier.
          example: sub
        ProviderConfig:
          type: object
          description: >
            Provider-specific configuration object. The shape depends on
            `ProviderName`:

            - `SocialProvider` → see `GothConfig` schema

            - `ADProvider` → see `ADConfig` schema

            - `SAMLProvider` → see `SAMLConfig` schema

            - `ProxyProvider` → see `ProxyConfig` schema
          additionalProperties: true
        IdentityHandlerConfig:
          type: object
          description: |
            Additional key/value settings passed to the identity handler
            (e.g. OAuth client credentials, token TTL).
          additionalProperties: true
          example:
            oauth-client-id: tyk-portal-client
            oauth-client-secret: s3cr3t
            oauth-client-base-url: http://gateway:8080
        ProviderConstraints:
          $ref: '#/components/schemas/ProfileConstraint'
        ReturnURL:
          type: string
          description: URL the user is redirected to after successful authentication.
          example: https://dashboard.example.com/tap
        DefaultUserGroupID:
          type: string
          description: |
            Tyk user-group ID assigned to users that do not match any entry in
            `UserGroupMapping`.
          example: 5f8f9e3c1b5e4a0001b3c4d6
        CustomUserGroupField:
          type: string
          description: Claim/attribute name that carries the user's group membership.
          example: groups
        UserGroupMapping:
          type: object
          description: |
            Maps IdP group names to Tyk user-group IDs.
          additionalProperties:
            type: string
          example:
            admins: 5f8f9e3c1b5e4a0001b3c4d7
            developers: 5f8f9e3c1b5e4a0001b3c4d8
        UserGroupSeparator:
          type: string
          description: |
            Separator used when a single claim contains multiple group values
            (e.g. `","` or `" "`).
          example: ','
        SSOOnlyForRegisteredUsers:
          type: boolean
          description: |
            When `true`, only pre-existing Tyk users may log in via SSO.
            New users will be rejected rather than auto-created.
          example: false
    APIOKMessage:
      type: object
      properties:
        Status:
          type: string
          enum:
            - ok
          example: ok
        ID:
          type: string
          description: The profile ID the operation was performed on.
          example: github-sso-dashboard
        Data:
          description: >-
            Payload — a single Profile object, a list of Profiles, or an empty
            object.
          oneOf:
            - $ref: '#/components/schemas/Profile'
            - type: array
              items:
                $ref: '#/components/schemas/Profile'
            - type: object
    Action:
      type: string
      description: >
        Determines what TIB does with the confirmed identity.

        - `GenerateOrLoginDeveloperProfile` – create/log in a Tyk Developer
        Portal API Consumer

        - `GenerateOrLoginUserProfile` – create/log in a Tyk Dashboard user or
        Tyk Developer Portal API Owner

        - `GenerateOAuthTokenForClient` – generate an OAuth token for an API
        client (also used for the OAuth password flow)

        - `GenerateTemporaryAuthToken` – generate a short-lived Tyk access token
      enum:
        - GenerateOrLoginDeveloperProfile
        - GenerateOrLoginUserProfile
        - GenerateOAuthTokenForClient
        - GenerateTemporaryAuthToken
    ProviderType:
      type: string
      description: >
        - `redirect` – the user is redirected to an external IdP (OAuth, SAML)

        - `passthrough` – credentials are validated inline without a redirect
        (LDAP, Proxy)
      enum:
        - redirect
        - passthrough
    ProviderName:
      type: string
      description: Identifier for the concrete provider implementation.
      enum:
        - SocialProvider
        - ADProvider
        - SAMLProvider
        - ProxyProvider
    ProfileConstraint:
      type: object
      description: >
        Optional constraints that restrict which users may authenticate via this
        profile.
      properties:
        Domain:
          type: string
          description: |
            Restrict logins to email addresses on this domain (e.g. `tyk.io`).
            Empty string means no domain restriction.
          example: tyk.io
        Group:
          type: string
          description: >
            Restrict logins to members of this group (provider-specific
            semantics).
          example: engineering
    APIErrorMessage:
      type: object
      properties:
        Status:
          type: string
          enum:
            - error
          example: error
        Error:
          type: string
          description: Human-readable error message.
          example: Profile not found
  responses:
    BadRequest:
      description: The request body is malformed or the ID fields do not match.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/APIErrorMessage'
          example:
            Status: error
            Error: Object ID and URI resource ID do not match
    Unauthorized:
      description: Missing or incorrect `Authorization` header.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/APIErrorMessage'
          example:
            Status: error
            Error: Authorization failed
  securitySchemes:
    ApiSecret:
      type: apiKey
      in: header
      name: Authorization
      description: |
        Must equal the `Secret` value in `tib.conf`.
        Example: `Authorization: your-tib-secret`

````