Applications

Download OpenAPI specification:Download

Manage your applications and their clients. An application requires at least one client, the first client is created automatically and set as default. The application can be configured to use additional clients which can be added later. Application APIs are authorized using an access token of a relevant app or using an admin access token of the management application.

Create app

Create a new application with a default client. The fields marked as deprecated are now managed on the client level. To update a default client, create additional clients, or fetch all app clients, use /clients or applications/{appId}/clients endpoints.

SecurityHTTP: bearer
Request
Request Body schema: application/json
required
app_name
required
string

Name of the application

app_description
string

Short description of the application

client_type
string
Deprecated
Default: "web"

Client type of the default client

Enum: "web" "native"
client_display_name
required
string
Deprecated

Client name of the default client to display when needed

client_description
string
Deprecated

Short description of the default client

redirect_uris
required
Array of strings
Deprecated

List of URI approved for redirects for your default client

logo
string

URI of your application's logo, such as for email templates

resources
Array of strings
Deprecated

List of resources IDs associated with the default client

service_providers
Array of strings

List of service provider IDs associated with this application

object

Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login

allow_public_signup
boolean
Default: false

Determines if the application is allowed to request to create new users via login flows

object
Deprecated

Configuration for an OAuth Device Authorization Flow of the default client

object
Deprecated

CIBA authorization flow configuration of the default client

client_auth_method
string
Deprecated
Default: "client_secret_basic"

Which client authentication method to allow for the token endpoint of the default client. Unauthorized requests are only allowed for native clients that will perform a centralized login flow (via the Authentication Hub) with PKCE.

Enum: "client_secret_basic" "none"
login_uri
string

URI used to redirect the user to the login page of the application (when needed)

subdomain
string

Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)

invite_member_email_expiration_minutes
number
Default: 2880

Member invite email link expiration in minutes

Responses
201
400
409
post/v1/applications
Request samples
application/json
{}
Response samples
application/json
{
  • "result": {
    }
}

Get all apps

Retrieves a list of all applications with their default clients. The fields marked as deprecated are now managed on the client level. To update a default client, create additional clients, or fetch all app clients, use /clients or applications/{appId}/clients endpoints.

SecurityHTTP: bearer
Responses
200
400
get/v1/applications
Request samples 
Response samples 
application/json
{
  • "result": [
    ]
}
Get app by ID
Retrieves an application by application ID with the default client. The fields marked as deprecated are now managed on the client level. To update a default client, create additional clients, or fetch all app clients, use /clients or applications/{appId}/clients endpoints.


SecurityHTTP: bearer 
Request 
path Parameters
appId
required
string
ID of the application to retrieve


 
Responses 
200
400
404
get/v1/applications/{appId}
Request samples 
Response samples 
application/json
{
  • "result": {
    }
}
Update app
Updates an application. The fields marked as deprecated are now managed on the client level. To update a default client, create additional clients, or fetch all app clients, use /clients or applications/{appId}/clients endpoints. Note: Fields that are objects cannot be partially updated, since the new value you set will just replace the current one.


SecurityHTTP: bearer 
Request 
path Parameters
appId
required
string
ID of the application to update


 
Request Body schema: application/json
required
app_name
string
Name of the application


 
app_description
string
Short description of the application


 
client_type
string
 Deprecated 
 Default:  "web"
Client type of the default client


 Enum: "web" "native"  
client_display_name
string
 Deprecated 
Client name of the default client to display when needed


 
client_description
string
 Deprecated 
Short description of the default client


 
redirect_uris
Array of strings
 Deprecated 
List of URI approved for redirects for your default client


 
logo
string
URI of your application's logo, such as for email templates


 
resources
Array of strings
 Deprecated 
List of resources IDs associated with the default client


 
service_providers
Array of strings
List of service provider IDs associated with this application


 
object
Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login


 
allow_public_signup
boolean
 Default:  false
Determines if the application is allowed to request to create new users via login flows


 
object
 Deprecated 
Configuration for an OAuth Device Authorization Flow of the default client


 
object
 Deprecated 
CIBA authorization flow configuration of the default client


 
client_auth_method
string
 Deprecated 
 Default:  "client_secret_basic"
Which client authentication method to allow for the token endpoint of the default client. Unauthorized requests are only allowed for native clients that will perform a centralized login flow (via the Authentication Hub) with PKCE.


 Enum: "client_secret_basic" "none"  
login_uri
string
URI used to redirect the user to the login page of the application (when needed)


 
subdomain
string
Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)


 
invite_member_email_expiration_minutes
number
 Default:  2880
Member invite email link expiration in minutes


 
Responses 
200
400
404
put/v1/applications/{appId}
Request samples 
application/json
{}
Response samples 
application/json
{
  • "result": {
    }
}
Delete app
Delete an application


SecurityHTTP: bearer 
Request 
path Parameters
appId
required
string
ID of the application to delete


 
Responses 
204
400
404
delete/v1/applications/{appId}
Request samples 
Response samples 
application/json
{
  • "message": "Bad request",
  • "error_code": 400
}
Update app resourcesDeprecated
Update the list of resources that a default client of the application is allowed to explicitly request access to


SecurityHTTP: bearer 
Request 
path Parameters
appId
required
string
 
Request Body schema: application/json
required
resource_ids
required
Array of strings
List of resources this application is allowed to explicitly request access to


 
Responses 
200
put/v1/applications/{appId}/resources
Request samples 
application/json
{
  • "resource_ids": [
    ]
}
Response samples 
application/json
{
  • "result": {
    }
}
Create client
Create a new client


SecurityHTTP: bearer 
Request 
path Parameters
appId
required
string
 
Request Body schema: application/json
required
name
required
string
Name of the client


 
description
string
Short description of the client


 
redirect_uris
required
Array of strings
List of URIs approved for redirects for your client


 
client_type
string
 Default:  "web"
Client type


 Enum: "web" "native"  
response_types
Array of strings
 Default:  ["code","id_token"]
Items Enum: "code" "id_token"  
token_endpoint_auth_method
string
 Default:  "client_secret_basic"
Which token endpoint authentication method to allow for the token endpoint. Unauthorized requests are only allowed for native clients that will perform a centralized login flow (via the Authentication Hub) with PKCE.


 Enum: "client_secret_basic" "none"  
resources
Array of strings
List of resources IDs associated with this client


 
object
Configuration for an OAuth Device Authorization Flow


 
object
CIBA authorization flow configuration


 
Responses 
201
400
409
post/v1/applications/{appId}/clients
Request samples 
application/json
{}
Response samples 
application/json
{}
Get all clients
Retrieves a list of clients for an application.


SecurityHTTP: bearer 
Request 
path Parameters
appId
required
string
 
Responses 
200
400
get/v1/applications/{appId}/clients
Request samples 
Response samples 
application/json
{}
Delete all clients
Deletes all clients for an application.


SecurityHTTP: bearer 
Request 
path Parameters
appId
required
string
 
Responses 
204
400
404
delete/v1/applications/{appId}/clients
Request samples 
Response samples 
application/json
{
  • "message": "Bad request",
  • "error_code": 400
}
Get client by ID
Retrieves a client by client ID


SecurityHTTP: bearer 
Request 
path Parameters
clientId
required
string
ID of the client to retrieve


 
appId
required
string
 
Responses 
200
400
404
get/v1/applications/{appId}/clients/{clientId}
Request samples 
Response samples 
application/json
{}
Update client
Update a client. Note: Fields that are objects cannot be partially updated, since the new value you set will just replace the current one.


SecurityHTTP: bearer 
Request 
path Parameters
clientId
required
string
ID of the client to update


 
appId
required
string
 
Request Body schema: application/json
required
name
string
Name of the client


 
description
string
Short description of the client


 
redirect_uris
Array of strings
List of URIs approved for redirects for your client


 
client_type
string
 Default:  "web"
Client type


 Enum: "web" "native"  
response_types
Array of strings
 Default:  ["code","id_token"]
Items Enum: "code" "id_token"  
token_endpoint_auth_method
string
 Default:  "client_secret_basic"
Which token endpoint authentication method to allow for the token endpoint. Unauthorized requests are only allowed for native clients that will perform a centralized login flow (via the Authentication Hub) with PKCE.


 Enum: "client_secret_basic" "none"  
resources
Array of strings
List of resources IDs associated with this client


 
object
Configuration for an OAuth Device Authorization Flow


 
object
CIBA authorization flow configuration


 
Responses 
200
400
404
put/v1/applications/{appId}/clients/{clientId}
Request samples 
application/json
{}
Response samples 
application/json
{}
Delete client
Delete a client


SecurityHTTP: bearer 
Request 
path Parameters
clientId
required
string
ID of the client to delete


 
appId
required
string
 
Responses 
204
400
404
delete/v1/applications/{appId}/clients/{clientId}
Request samples 
Response samples 
application/json
{
  • "message": "Bad request",
  • "error_code": 400
}
Update client resources
Update the list of resources that a client is allowed to explicitly request access to


SecurityHTTP: bearer 
Request 
path Parameters
clientId
required
string
 
appId
required
string
 
Request Body schema: application/json
required
resource_ids
required
Array of strings
List of resources this application is allowed to explicitly request access to


 
Responses 
200
put/v1/applications/{appId}/clients/{clientId}/resources
Request samples 
application/json
{
  • "resource_ids": [
    ]
}
Response samples 
application/json
{}