Download OpenAPI specification:Download
Manage your applications and their clients. An application requires at least one client, the first client is created automatically and set as default. The application can be configured to use additional clients which can be added later. Application APIs are authorized using an access token of a relevant app or using an admin access token of the management application.
Create a new application with a default client. The fields marked as deprecated are now managed on the client level. To update a default client, create additional clients, or fetch all app clients, use /clients
or applications/{appId}/clients
endpoints.
app_name required | string Name of the application |
app_description | string Short description of the application |
client_type | string Deprecated Default: "web" Client type of the default client |
client_display_name required | string Deprecated Client name of the default client to display when needed |
client_description | string Deprecated Short description of the default client |
redirect_uris required | Array of strings Deprecated List of URI approved for redirects for your default client |
logo | string URI of your application's logo, such as for email templates |
resources | Array of strings Deprecated List of resources IDs associated with the default client |
service_providers | Array of strings List of service provider IDs associated with this application |
object Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login | |
allow_public_signup | boolean Default: false Determines if the application is allowed to request to create new users via login flows |
object Deprecated CIBA authorization flow configuration of the default client | |
client_auth_method | string Deprecated Default: "client_secret_basic" Which client authentication method to allow for the token endpoint of the default client. Unauthorized requests are only allowed for native clients that will perform a centralized login flow (via the Authentication Hub) with PKCE. |
login_uri | string URI used to redirect the user to the login page of the application (when needed) |
subdomain | string Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed) |
invite_member_email_expiration_minutes | number Default: 2880 Member invite email link expiration in minutes |
{- "app_name": "My App",
- "app_description": "string",
- "client_type": "web",
- "client_display_name": "string",
- "client_description": "string",
- "logo": "string",
- "resources": [
- "string"
], - "service_providers": [
- "string"
], - "authenticator_preferences": {
- "is_centralized": false,
}, - "allow_public_signup": false,
- "device_authorization": {
- "enabled": false,
}, - "client_auth_method": "client_secret_basic",
- "subdomain": "myapp",
- "invite_member_email_expiration_minutes": 2880
}
{- "result": {
- "app_id": "string",
- "tenant_id": "string",
- "app_name": "string",
- "app_description": "string",
- "client_type": "web",
- "logo": "string",
- "client_id": "string",
- "client_display_name": "string",
- "client_description": "string",
- "client_secret": "string",
- "redirect_uris": [
- "string"
], - "login_preferences": {
- "auth_methods": {
- "google": {
- "clientId": "string",
- "clientSecret": "string"
}, - "facebook": {
- "clientId": "string",
- "clientSecret": "string"
}, - "email": {
- "expiresIn": 0,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "email_otp": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "apple": {
- "clientId": "string",
- "clientSecret": "string",
- "appleTeamId": "string",
- "keyId": "string"
}, - "sms": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6
}, - "webauthn": {
- "clientId": "string",
- "clientSecret": "string"
}, - "webauthn_api": {
- "rpId": "string",
- "rpOrigin": "string"
}, - "line": {
- "clientId": "string",
- "clientSecret": "string"
}, - "password": {
- "resetValidityMinutes": 5,
- "passwordComplexity": 5,
- "passwordMinLength": 14,
- "blockPreviousPasswords": 0,
- "passwordExpiresIn": 90,
- "maxPasswordFailures": 5,
- "passwordSuspensionDuration": 15,
- "failuresExpireIn": 15,
- "tempPasswordValidityHours": 24,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}, - "requireMFA": false,
- "codeLength": 6
}
}
}, - "created_at": "2019-08-24T14:15:22Z",
- "created_by": "string",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "service_providers": [
- "string"
], - "authenticator_preferences": {
- "is_centralized": false,
}, - "allow_public_signup": true,
- "client_auth_method": "client_secret_basic",
- "device_authorization": {
- "enabled": false,
}, - "password_sharing_group_id": "string",
- "subdomain": "myapp",
- "invite_member_email_expiration_minutes": 2880
}
}
Retrieves a list of all applications with their default clients. The fields marked as deprecated are now managed on the client level. To update a default client, create additional clients, or fetch all app clients, use /clients
or applications/{appId}/clients
endpoints.
{- "result": [
- {
- "app_id": "string",
- "tenant_id": "string",
- "app_name": "string",
- "app_description": "string",
- "client_type": "web",
- "client_id": "string",
- "client_display_name": "string",
- "client_description": "string",
- "client_secret": "string",
- "redirect_uris": [
- "string"
], - "login_preferences": {
- "auth_methods": {
- "google": {
- "clientId": "string",
- "clientSecret": "string"
}, - "facebook": {
- "clientId": "string",
- "clientSecret": "string"
}, - "email": {
- "expiresIn": 0,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "email_otp": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "apple": {
- "clientId": "string",
- "clientSecret": "string",
- "appleTeamId": "string",
- "keyId": "string"
}, - "sms": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6
}, - "webauthn": {
- "clientId": "string",
- "clientSecret": "string"
}, - "webauthn_api": {
- "rpId": "string",
- "rpOrigin": "string"
}, - "line": {
- "clientId": "string",
- "clientSecret": "string"
}, - "password": {
- "resetValidityMinutes": 5,
- "passwordComplexity": 5,
- "passwordMinLength": 14,
- "blockPreviousPasswords": 0,
- "passwordExpiresIn": 90,
- "maxPasswordFailures": 5,
- "passwordSuspensionDuration": 15,
- "failuresExpireIn": 15,
- "tempPasswordValidityHours": 24,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}, - "requireMFA": false,
- "codeLength": 6
}
}
}, - "created_at": "2019-08-24T14:15:22Z",
- "created_by": "string",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "service_providers": [
- "string"
], - "authenticator_preferences": {
- "is_centralized": false,
}, - "allow_public_signup": true,
- "client_auth_method": "client_secret_basic",
- "device_authorization": {
- "enabled": false,
}, - "password_sharing_group_id": "string",
- "subdomain": "myapp",
- "invite_member_email_expiration_minutes": 2880
}
]
}
Retrieves an application by application ID with the default client. The fields marked as deprecated are now managed on the client level. To update a default client, create additional clients, or fetch all app clients, use /clients
or applications/{appId}/clients
endpoints.
{- "result": {
- "app_id": "string",
- "tenant_id": "string",
- "app_name": "string",
- "app_description": "string",
- "client_type": "web",
- "logo": "string",
- "client_id": "string",
- "client_display_name": "string",
- "client_description": "string",
- "client_secret": "string",
- "redirect_uris": [
- "string"
], - "login_preferences": {
- "auth_methods": {
- "google": {
- "clientId": "string",
- "clientSecret": "string"
}, - "facebook": {
- "clientId": "string",
- "clientSecret": "string"
}, - "email": {
- "expiresIn": 0,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "email_otp": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "apple": {
- "clientId": "string",
- "clientSecret": "string",
- "appleTeamId": "string",
- "keyId": "string"
}, - "sms": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6
}, - "webauthn": {
- "clientId": "string",
- "clientSecret": "string"
}, - "webauthn_api": {
- "rpId": "string",
- "rpOrigin": "string"
}, - "line": {
- "clientId": "string",
- "clientSecret": "string"
}, - "password": {
- "resetValidityMinutes": 5,
- "passwordComplexity": 5,
- "passwordMinLength": 14,
- "blockPreviousPasswords": 0,
- "passwordExpiresIn": 90,
- "maxPasswordFailures": 5,
- "passwordSuspensionDuration": 15,
- "failuresExpireIn": 15,
- "tempPasswordValidityHours": 24,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}, - "requireMFA": false,
- "codeLength": 6
}
}
}, - "created_at": "2019-08-24T14:15:22Z",
- "created_by": "string",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "service_providers": [
- "string"
], - "authenticator_preferences": {
- "is_centralized": false,
}, - "allow_public_signup": true,
- "client_auth_method": "client_secret_basic",
- "device_authorization": {
- "enabled": false,
}, - "password_sharing_group_id": "string",
- "subdomain": "myapp",
- "invite_member_email_expiration_minutes": 2880
}
}
Updates an application. The fields marked as deprecated are now managed on the client level. To update a default client, create additional clients, or fetch all app clients, use /clients
or applications/{appId}/clients
endpoints. Note: Fields that are objects cannot be partially updated, since the new value you set will just replace the current one.
app_name | string Name of the application |
app_description | string Short description of the application |
client_type | string Deprecated Default: "web" Client type of the default client |
client_display_name | string Deprecated Client name of the default client to display when needed |
client_description | string Deprecated Short description of the default client |
redirect_uris | Array of strings Deprecated List of URI approved for redirects for your default client |
logo | string URI of your application's logo, such as for email templates |
resources | Array of strings Deprecated List of resources IDs associated with the default client |
service_providers | Array of strings List of service provider IDs associated with this application |
object Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login | |
allow_public_signup | boolean Default: false Determines if the application is allowed to request to create new users via login flows |
object Deprecated CIBA authorization flow configuration of the default client | |
client_auth_method | string Deprecated Default: "client_secret_basic" Which client authentication method to allow for the token endpoint of the default client. Unauthorized requests are only allowed for native clients that will perform a centralized login flow (via the Authentication Hub) with PKCE. |
login_uri | string URI used to redirect the user to the login page of the application (when needed) |
subdomain | string Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed) |
invite_member_email_expiration_minutes | number Default: 2880 Member invite email link expiration in minutes |
{- "app_name": "My App",
- "app_description": "string",
- "client_type": "web",
- "client_display_name": "string",
- "client_description": "string",
- "logo": "string",
- "resources": [
- "string"
], - "service_providers": [
- "string"
], - "authenticator_preferences": {
- "is_centralized": false,
}, - "allow_public_signup": false,
- "device_authorization": {
- "enabled": false,
}, - "client_auth_method": "client_secret_basic",
- "subdomain": "myapp",
- "invite_member_email_expiration_minutes": 2880
}
{- "result": {
- "app_id": "string",
- "tenant_id": "string",
- "app_name": "string",
- "app_description": "string",
- "client_type": "web",
- "logo": "string",
- "client_id": "string",
- "client_display_name": "string",
- "client_description": "string",
- "client_secret": "string",
- "redirect_uris": [
- "string"
], - "login_preferences": {
- "auth_methods": {
- "google": {
- "clientId": "string",
- "clientSecret": "string"
}, - "facebook": {
- "clientId": "string",
- "clientSecret": "string"
}, - "email": {
- "expiresIn": 0,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "email_otp": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "apple": {
- "clientId": "string",
- "clientSecret": "string",
- "appleTeamId": "string",
- "keyId": "string"
}, - "sms": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6
}, - "webauthn": {
- "clientId": "string",
- "clientSecret": "string"
}, - "webauthn_api": {
- "rpId": "string",
- "rpOrigin": "string"
}, - "line": {
- "clientId": "string",
- "clientSecret": "string"
}, - "password": {
- "resetValidityMinutes": 5,
- "passwordComplexity": 5,
- "passwordMinLength": 14,
- "blockPreviousPasswords": 0,
- "passwordExpiresIn": 90,
- "maxPasswordFailures": 5,
- "passwordSuspensionDuration": 15,
- "failuresExpireIn": 15,
- "tempPasswordValidityHours": 24,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}, - "requireMFA": false,
- "codeLength": 6
}
}
}, - "created_at": "2019-08-24T14:15:22Z",
- "created_by": "string",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "service_providers": [
- "string"
], - "authenticator_preferences": {
- "is_centralized": false,
}, - "allow_public_signup": true,
- "client_auth_method": "client_secret_basic",
- "device_authorization": {
- "enabled": false,
}, - "password_sharing_group_id": "string",
- "subdomain": "myapp",
- "invite_member_email_expiration_minutes": 2880
}
}
Update the list of resources that a default client of the application is allowed to explicitly request access to
{- "resource_ids": [
- "string"
]
}
{- "result": {
- "app_id": "string",
- "tenant_id": "string",
- "app_name": "string",
- "app_description": "string",
- "client_type": "web",
- "logo": "string",
- "client_id": "string",
- "client_display_name": "string",
- "client_description": "string",
- "client_secret": "string",
- "redirect_uris": [
- "string"
], - "login_preferences": {
- "auth_methods": {
- "google": {
- "clientId": "string",
- "clientSecret": "string"
}, - "facebook": {
- "clientId": "string",
- "clientSecret": "string"
}, - "email": {
- "expiresIn": 0,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "email_otp": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}
}, - "apple": {
- "clientId": "string",
- "clientSecret": "string",
- "appleTeamId": "string",
- "keyId": "string"
}, - "sms": {
- "expiresIn": 0,
- "lockoutDuration": 15,
- "maxFailures": 3,
- "codeLength": 6
}, - "webauthn": {
- "clientId": "string",
- "clientSecret": "string"
}, - "webauthn_api": {
- "rpId": "string",
- "rpOrigin": "string"
}, - "line": {
- "clientId": "string",
- "clientSecret": "string"
}, - "password": {
- "resetValidityMinutes": 5,
- "passwordComplexity": 5,
- "passwordMinLength": 14,
- "blockPreviousPasswords": 0,
- "passwordExpiresIn": 90,
- "maxPasswordFailures": 5,
- "passwordSuspensionDuration": 15,
- "failuresExpireIn": 15,
- "tempPasswordValidityHours": 24,
- "message": {
- "primaryColor": "string",
- "from": "string",
- "subject": "string"
}, - "requireMFA": false,
- "codeLength": 6
}
}
}, - "created_at": "2019-08-24T14:15:22Z",
- "created_by": "string",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "service_providers": [
- "string"
], - "authenticator_preferences": {
- "is_centralized": false,
}, - "allow_public_signup": true,
- "client_auth_method": "client_secret_basic",
- "device_authorization": {
- "enabled": false,
}, - "password_sharing_group_id": "string",
- "subdomain": "myapp",
- "invite_member_email_expiration_minutes": 2880
}
}
Create a new client
name required | string Name of the client |
description | string Short description of the client |
redirect_uris required | Array of strings List of URIs approved for redirects for your client |
client_type | string Default: "web" Client type |
response_types | Array of strings Default: ["code","id_token"] Items Enum: "code" "id_token" |
token_endpoint_auth_method | string Default: "client_secret_basic" Which token endpoint authentication method to allow for the token endpoint. Unauthorized requests are only allowed for native clients that will perform a centralized login flow (via the Authentication Hub) with PKCE. |
resources | Array of strings List of resources IDs associated with this client |
object Configuration for an OAuth Device Authorization Flow | |
object CIBA authorization flow configuration |
{- "name": "My Client",
- "description": "string",
- "client_type": "web",
- "response_types": [
- "code"
], - "token_endpoint_auth_method": "client_secret_basic",
- "resources": [
- "string"
], - "device_authorization": {
- "enabled": false,
},
}
{- "result": {
- "app_id": "string",
- "tenant_id": "string",
- "client_id": "string",
- "client_secret": "string",
- "name": "string",
- "description": "string",
- "redirect_uris": [
- "string"
], - "client_type": "web",
- "response_types": [
- "code"
], - "token_endpoint_auth_method": "client_secret_basic",
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "device_authorization": {
- "enabled": false,
},
}
}
Retrieves a list of clients for an application.
{- "result": [
- {
- "app_id": "string",
- "tenant_id": "string",
- "client_id": "string",
- "client_secret": "string",
- "name": "string",
- "description": "string",
- "redirect_uris": [
- "string"
], - "client_type": "web",
- "response_types": [
- "code"
], - "token_endpoint_auth_method": "client_secret_basic",
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "device_authorization": {
- "enabled": false,
},
}
]
}
{- "result": {
- "app_id": "string",
- "tenant_id": "string",
- "client_id": "string",
- "client_secret": "string",
- "name": "string",
- "description": "string",
- "redirect_uris": [
- "string"
], - "client_type": "web",
- "response_types": [
- "code"
], - "token_endpoint_auth_method": "client_secret_basic",
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "device_authorization": {
- "enabled": false,
},
}
}
Update a client. Note: Fields that are objects cannot be partially updated, since the new value you set will just replace the current one.
name | string Name of the client |
description | string Short description of the client |
redirect_uris | Array of strings List of URIs approved for redirects for your client |
client_type | string Default: "web" Client type |
response_types | Array of strings Default: ["code","id_token"] Items Enum: "code" "id_token" |
token_endpoint_auth_method | string Default: "client_secret_basic" Which token endpoint authentication method to allow for the token endpoint. Unauthorized requests are only allowed for native clients that will perform a centralized login flow (via the Authentication Hub) with PKCE. |
resources | Array of strings List of resources IDs associated with this client |
object Configuration for an OAuth Device Authorization Flow | |
object CIBA authorization flow configuration |
{- "name": "My Client",
- "description": "string",
- "client_type": "web",
- "response_types": [
- "code"
], - "token_endpoint_auth_method": "client_secret_basic",
- "resources": [
- "string"
], - "device_authorization": {
- "enabled": false,
},
}
{- "result": {
- "app_id": "string",
- "tenant_id": "string",
- "client_id": "string",
- "client_secret": "string",
- "name": "string",
- "description": "string",
- "redirect_uris": [
- "string"
], - "client_type": "web",
- "response_types": [
- "code"
], - "token_endpoint_auth_method": "client_secret_basic",
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "device_authorization": {
- "enabled": false,
},
}
}
Update the list of resources that a client is allowed to explicitly request access to
{- "resource_ids": [
- "string"
]
}
{- "result": {
- "app_id": "string",
- "tenant_id": "string",
- "client_id": "string",
- "client_secret": "string",
- "name": "string",
- "description": "string",
- "redirect_uris": [
- "string"
], - "client_type": "web",
- "response_types": [
- "code"
], - "token_endpoint_auth_method": "client_secret_basic",
- "created_at": "2019-08-24T14:15:22Z",
- "updated_at": "2019-08-24T14:15:22Z",
- "resources": [
- "string"
], - "device_authorization": {
- "enabled": false,
},
}
}