Constraints

All APIs of IAM can be called using the global region endpoint. Some APIs can be called using endpoints of both the global region and other regions (see Table 1), and other APIs can be called using only the global region endpoint.

Tokens or temporary AKs/SKs obtained using domain names of all regions except the global region can only be used to access services in the same region.

**Table 1** Global and region-specific APIs
Category	API URI	Link
Token Management	POST /v3/auth/tokens	Obtaining a User Token Obtaining an Agency Token Obtaining a Scoped Token
Token Management	GET /v3/auth/tokens	Verifying a Token
Access Key Management	POST /v3.0/OS-CREDENTIAL/securitytokens	Obtaining a Temporary AK/SK
Services and Endpoints	GET /v3/services{?type}	Querying Services
Services and Endpoints	GET /v3/endpoints{? interface, service_id}	Querying Endpoints
Version Information Management	GET /	Querying Keystone API Version Information
Version Information Management	GET /v3	Querying Information About Keystone API Version 3.0
Project Management	GET /v3/auth/projects	Querying the List of Projects Accessible to Users
Tenant Management	GET /v3/auth/domains	Querying the List of Domains Accessible to Users
Federated Identity Authentication Management	GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth	Obtaining an Unscoped Token (SP Initiated)
	POST /v3.0/OS-FEDERATION/tokens	IdP Initiated
	GET /v3/OS-FEDERATION/projects	Querying the List of Projects Accessible to Federated Users
	GET /v3/OS-FEDERATION/domains	Querying the List of Domains Accessible to Federated Users
	GET /v3-ext/auth/OS-FEDERATION/SSO/metadata	Querying the Metadata File of Keystone