Manage applications
Applications and clients can be managed either using Management APIs, or from the Admin Portal (as described below).
View or search apps
The Applications page presents a list of all your applications, including basic details like the application ID and name, when it was created, which admin created it, and the last time a user logged in. You can search for a specific application by name using the search box on the top-right, and click to view the Application Settings.
Manage apps
You can manage your applications from the Applications page:
- Create an app by clicking + Add application and configuring Application Settings.
- Edit an app by clicking and then Edit.
- Delete an app by clicking and then Delete.
Application settings
You can access your application settings from the Applications page by clicking the relevant application in the table.
Basic information
Basic application information includes:
- Application ID: Application identifier, automatically generated when the app is created. It cannot be edited.
- Application name: Name of your application, displayed in the Admin Portal.
- Application description: Short description of your application, displayed in the Admin Portal.
- Application logo: Your application's logo, used when needed (e.g., in email templates), in jpeg, png, or webp format.
Advanced settings
Advanced app settings include:
- Public sign-up: Allows login flows to automatically create new users (or associate existing users with the application) the first time they log in. For example, you can control whether or not to allow registration of guest users (users who are new to the app). If enabled, auto-creation of new users can be requested via the create_new_user parameter of Authentication APIs, or the createNewUser parameter of the OIDC authorization API.
- Authentication Hub: Allows setting this application as the Authentication Hub for your tenant. It can then be used by other apps of the tenant to authenticate users (in a centralized login flow), and perform SSO across the apps. Only one application can be set as an Authentication Hub per tenant.
Client information
The first client is automatically created when you set up your application. This represents the client that will be requesting Mosaic services, such as your retail website or your Android banking application. You can add additional clients and leverage a multi-client application setup.
You can manage clients using Application APIs (with an access token of the relevant app or with an admin access token) or Client APIs (with an access token of the relevant app), or from the Admin Portal (as described below).
Client information includes:
- Client ID: Client identifier for API requests, automatically generated when the app is created. It cannot be edited.
- Client display name: Client name to display when needed.
- Client description: Short description of your client.
- Client secret: Client secret used to authorize API requests on behalf of the client (either directly or by using it to generate client access tokens). It is automatically generated when the app is created, but can be rotated when needed. Keep this secret somewhere safe, and make sure it's never exposed to your mobile or web applications.
- Redirect URIs: List of URIs approved for redirects for your application (e.g., URI to redirect to when an authentication is completed). The required format of the redirect URI depends on the client type: web clients must use HTTPS unless using a local environment, while native apps must use HTTPS unless using a local environment or a custom scheme. Custom schemes are only allowed in the format of reverse domain schemes ([domain]://[scheme]).
- Client type: Whether the client is a web app (default) or a native app (e.g., mobile). This is used to adapt validations and configuration according to client type when relevant (such as validations for redirect URI).
- Resources: List of URIs the client can explicitly request access to. This allows the client to manage dedicated access for a resource, including the token expiration. For example, a website can have a shorter lifetime for the page used to manage the user's payment methods. Before a resource can be added to a client, it must first be created from the Resources tab of the Applications page (see Resources).
Note
Your client can request access to a single resource in each request. If you'd like to customize the default expiration of tokens, create a resource that corresponds to your application URL.
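As an added example (not Mosaic's own code or validation logic), the redirect URI rules described above can be checked locally before registering URIs for a client. The loopback host list and the reverse-domain pattern are assumptions, and check_redirect_uri and audit are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit

# Assumption: "local environment" means a loopback host; the page does not define it.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Assumption: a reverse-domain scheme is two or more dot-separated labels (com.example.app).
REVERSE_DOMAIN = re.compile(r"^[a-z][a-z0-9-]*(\.[a-z0-9][a-z0-9-]*)+$")


def check_redirect_uri(uri, client_type="web"):
    """Return (ok, reason) for one redirect URI under the rules stated above."""
    if client_type not in ("web", "native"):
        raise ValueError("client_type must be 'web' or 'native'")
    try:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False, "unparseable URI"
    scheme = parts.scheme  # urlsplit already lower-cases the scheme
    if scheme == "https":
        return (True, "https") if host else (False, "missing host")
    if scheme == "http":
        # Exact match on the host, so localhost.example.net is not treated as local.
        if host in LOCAL_HOSTS:
            return True, "local environment"
        return False, "http is only accepted for a local environment"
    if client_type == "web":
        return False, "web clients must use https"
    if REVERSE_DOMAIN.match(scheme):
        return True, "custom scheme"
    return False, "custom scheme is not in reverse-domain format"


def audit(uris, client_type):
    """Return {uri: reason} for every URI that fails the check."""
    results = ((u, check_redirect_uri(u, client_type)) for u in uris)
    return {u: reason for u, (ok, reason) in results if not ok}


# Constructed sample values, not taken from any real tenant.
SAMPLE_WEB = ["https://shop.example.com/callback", "http://localhost:3000/callback",
              "http://shop.example.com/callback", "http://localhost.example.net/cb"]
SAMPLE_NATIVE = ["com.example.bank://callback", "myapp://callback",
                 "http://[::1]:8080/cb"]

if __name__ == "__main__":
    for kind, uris in (("web", SAMPLE_WEB), ("native", SAMPLE_NATIVE)):
        for uri, reason in audit(uris, kind).items():
            print(f"{kind}: reject {uri} ({reason})")
```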
Third-party clients
Third-party clients are external services that can request access to your protected resources on behalf of the user. Toggle Third-party client and complete additional settings:
- Consent redirect URL: List of URIs for obtaining user consent (e.g., URI to redirect to when a third-party client requests access to user data). These pages should be managed by the first-party client.
- Access validity period: Currently set to 30 days.
- Scopes / permissions: List of resources the third-party client is allowed to access on behalf of the user in the app. Third-party clients typically have limited control over the user's data.
Manage login preferences
Login preferences define which authentication methods the application can offer its end-users. For example, it allows you to configure provider credentials for social login, or to customize the branding of email templates for magic link authentication. Login preferences for your application are configured from the Authentication page of the Admin Portal.