Allows an application to manage its clients, including updating existing clients and creating additional clients. To authorize API calls, use an access token for the relevant application. To manage apps and their clients as a tenant admin, see Application APIs.
Creates an additional client for the app. To authorize a request, use an access token for the relevant application.
| Field | Type | Description |
|---|---|---|
| name (required) | string | Name of the client |
| description | string | Short description of the client |
| resources | Array of strings | List of resource IDs associated with this client |
| authentication_protocol | string | Default: "oidc". Authentication protocol used by the client |
| client_group_id | string | ID of the client group to associate with |
| default_custom_claims | Array of strings | List of client default custom claims |
| short_cookies_samesite_type | string | Default: "lax". SameSite type for short cookies. Possible values: "none", "lax", "strict" |
| redirect_uris (required) | Array of strings | List of URIs approved for redirects for your client |
| client_type | string | Default: "web". Client type |
| response_types | Array of strings | Default: ["code","id_token"]. Items enum: "code", "id_token" |
| token_endpoint_auth_method | string | Deprecated. Default: "client_secret_basic". This field is deprecated; to configure PKCE, use the "pkce" field instead |
|  | object | Configuration for an OAuth Device Authorization Flow |
|  | object | CIBA authorization flow configuration |
| pkce | string | PKCE configuration |
| supported_prompts | Array of strings | Supported prompts for the OIDC authentication flow |
|  | object | Token expiration settings |
| session_expiration | number | Session expiration time (seconds) |
| enforce_par | boolean | Enforce PAR (Pushed Authorization Request) for this client |
| role_ids | Array of strings | Role IDs |
| fapi_version_compliancy | boolean | FAPI 2.0 compliance configuration |
{
  "name": "My Client",
  "description": "string",
  "resources": ["string"],
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": ["tid"],
  "short_cookies_samesite_type": "lax",
  "client_type": "web",
  "response_types": ["code"],
  "token_endpoint_auth_method": "client_secret_basic",
  "device_authorization": {
    "enabled": false
  },
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "supported_prompts": ["login", "consent", "none"],
  "token_expiration": {
    "access_token_ttl": 0,
    "refresh_token_ttl": 0,
    "max_refresh_rotate": 0
  },
  "session_expiration": 0,
  "enforce_par": true,
  "role_ids": ["string"],
  "fapi_version_compliancy": true
}
{
  "app_id": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "name": "string",
  "description": "string",
  "resources": ["string"],
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": ["tid"],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": ["string"],
  "client_type": "web",
  "response_types": ["code"],
  "token_endpoint_auth_method": "client_secret_basic",
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "device_authorization": {
    "enabled": false
  },
  "supported_prompts": ["login"],
  "authentication_configuration": {
    "method": "client_secret_basic",
    "jwks": {},
    "tls_client_auth": {
      "certificate_chain": "string",
      "distinguished_name": 6,
      "ocsp_on": true,
      "ocsp_responder_uri": "string",
      "ocsp_responder_certificate": "string",
      "ocsp_fail_open": true
    },
    "isMtlsCertTokenBound": true
  },
  "token_expiration": {
    "access_token_ttl": 0,
    "refresh_token_ttl": 0,
    "max_refresh_rotate": 0
  },
  "session_expiration": 0,
  "enforce_par": true,
  "fapi_version_compliancy": true
}
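A pre-flight check for the create-client request body, as an added example that is not part of the original reference or the vendor's code. The required fields, enum values and deprecation come from the request table above; the redirect URI hygiene rules, the function name and the sample body are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constraints copied from the create-client request table on this page.
REQUIRED = ("name", "redirect_uris")
SAMESITE_VALUES = ("none", "lax", "strict")
RESPONSE_TYPE_VALUES = {"code", "id_token"}


def check_create_client(body):
    """Return (errors, warnings) for a create-client request body."""
    errors, warnings = [], []
    for field in REQUIRED:
        if not body.get(field):
            errors.append(f"{field} is required")
    samesite = body.get("short_cookies_samesite_type", "lax")
    if samesite not in SAMESITE_VALUES:
        errors.append(f"short_cookies_samesite_type: invalid value {samesite!r}")
    elif samesite == "none":
        warnings.append("short_cookies_samesite_type 'none': cookie is sent cross-site")
    bad_types = sorted(set(body.get("response_types", [])) - RESPONSE_TYPE_VALUES)
    if bad_types:
        errors.append(f"response_types: unsupported {bad_types}")
    if "token_endpoint_auth_method" in body:
        warnings.append("token_endpoint_auth_method is deprecated; use pkce")
    # Redirect URI hygiene below is an assumed local policy, not a rule from this page.
    for uri in body.get("redirect_uris") or []:
        parts = urlsplit(uri)
        if not parts.scheme:
            errors.append(f"redirect_uris: {uri!r} is not an absolute URI")
        elif parts.fragment:
            errors.append(f"redirect_uris: {uri!r} contains a fragment")
        elif parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
            warnings.append(f"redirect_uris: {uri!r} uses plain http")
    return errors, warnings


# Constructed sample body with deliberate problems (hostnames are placeholders).
SAMPLE_BODY = {
    "name": "My Client",
    "short_cookies_samesite_type": "none",
    "response_types": ["code", "token"],
    "token_endpoint_auth_method": "client_secret_basic",
    "redirect_uris": [
        "https://app.example.com/callback",
        "http://app.example.com/cb",
        "https://app.example.com/cb#frag",
    ],
}
```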
Retrieves a list of clients for the app. To authorize a request, use an access token for the relevant application.
[
  {
    "app_id": "string",
    "tenant_id": "string",
    "client_id": "string",
    "client_secret": "string",
    "name": "string",
    "description": "string",
    "resources": ["string"],
    "created_at": "2019-08-24T14:15:22Z",
    "updated_at": "2019-08-24T14:15:22Z",
    "authentication_protocol": "oidc",
    "client_group_id": "string",
    "default_custom_claims": ["tid"],
    "short_cookies_samesite_type": "lax",
    "redirect_uris": ["string"],
    "client_type": "web",
    "response_types": ["code"],
    "token_endpoint_auth_method": "client_secret_basic",
    "pkce": "enforcePkceInsteadOfClientCredentials",
    "device_authorization": {
      "enabled": false
    },
    "supported_prompts": ["login"],
    "authentication_configuration": {
      "method": "client_secret_basic",
      "jwks": {},
      "tls_client_auth": {
        "certificate_chain": "string",
        "distinguished_name": 6,
        "ocsp_on": true,
        "ocsp_responder_uri": "string",
        "ocsp_responder_certificate": "string",
        "ocsp_fail_open": true
      },
      "isMtlsCertTokenBound": true
    },
    "token_expiration": {
      "access_token_ttl": 0,
      "refresh_token_ttl": 0,
      "max_refresh_rotate": 0
    },
    "session_expiration": 0,
    "enforce_par": true,
    "fapi_version_compliancy": true
  }
]
Deletes all clients associated with the app. To authorize a request, use an access token for the relevant application. Note that the application cannot be used without clients.
{
  "message": "Bad request",
  "error_code": 400
}
Retrieves a client by client ID. To authorize a request, use an access token for the relevant application.
{
  "app_id": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "name": "string",
  "description": "string",
  "resources": ["string"],
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": ["tid"],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": ["string"],
  "client_type": "web",
  "response_types": ["code"],
  "token_endpoint_auth_method": "client_secret_basic",
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "device_authorization": {
    "enabled": false
  },
  "supported_prompts": ["login"],
  "authentication_configuration": {
    "method": "client_secret_basic",
    "jwks": {},
    "tls_client_auth": {
      "certificate_chain": "string",
      "distinguished_name": 6,
      "ocsp_on": true,
      "ocsp_responder_uri": "string",
      "ocsp_responder_certificate": "string",
      "ocsp_fail_open": true
    },
    "isMtlsCertTokenBound": true
  },
  "token_expiration": {
    "access_token_ttl": 0,
    "refresh_token_ttl": 0,
    "max_refresh_rotate": 0
  },
  "session_expiration": 0,
  "enforce_par": true,
  "fapi_version_compliancy": true
}
Updates a client by its ID. To authorize a request, use an access token for the relevant application. Note: Fields that are objects cannot be partially updated; the new value you set replaces the current one.
| Field | Type | Description |
|---|---|---|
| name | string | Name of the client |
| description | string | Short description of the client |
| resources | Array of strings | List of resource IDs associated with this client |
| client_group_id | string | ID of the client group to associate with |
| default_custom_claims | Array of strings | List of client default custom claims |
| short_cookies_samesite_type | string | Default: "lax". SameSite type for short cookies. Possible values: "none", "lax", "strict" |
| redirect_uris | Array of strings | List of URIs approved for redirects for your client |
| client_type | string | Default: "web". Client type |
| response_types | Array of strings | Default: ["code","id_token"]. Items enum: "code", "id_token" |
| token_endpoint_auth_method | string | Deprecated. Default: "client_secret_basic". This field is deprecated; to configure PKCE, use the "pkce" field instead |
|  | object | Configuration for an OAuth Device Authorization Flow |
|  | object | CIBA authorization flow configuration |
| pkce | string | PKCE configuration |
| supported_prompts | Array of strings | Supported prompts for the OIDC authentication flow |
|  | object | Token expiration settings |
| session_expiration | number | Session expiration time (seconds) |
| enforce_par | boolean | Enforce PAR (Pushed Authorization Request) for this client |
| role_ids | Array of strings | Role IDs |
| fapi_version_compliancy | boolean | FAPI 2.0 compliance configuration |
{
  "name": "My Client",
  "description": "string",
  "resources": ["string"],
  "client_group_id": "string",
  "default_custom_claims": ["tid"],
  "short_cookies_samesite_type": "lax",
  "client_type": "web",
  "response_types": ["code"],
  "token_endpoint_auth_method": "client_secret_basic",
  "device_authorization": {
    "enabled": false
  },
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "supported_prompts": ["login", "consent", "none"],
  "token_expiration": {
    "access_token_ttl": 0,
    "refresh_token_ttl": 0,
    "max_refresh_rotate": 0
  },
  "session_expiration": 0,
  "enforce_par": true,
  "role_ids": ["string"],
  "fapi_version_compliancy": true
}
{
  "app_id": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "name": "string",
  "description": "string",
  "resources": ["string"],
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": ["tid"],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": ["string"],
  "client_type": "web",
  "response_types": ["code"],
  "token_endpoint_auth_method": "client_secret_basic",
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "device_authorization": {
    "enabled": false
  },
  "supported_prompts": ["login"],
  "authentication_configuration": {
    "method": "client_secret_basic",
    "jwks": {},
    "tls_client_auth": {
      "certificate_chain": "string",
      "distinguished_name": 6,
      "ocsp_on": true,
      "ocsp_responder_uri": "string",
      "ocsp_responder_certificate": "string",
      "ocsp_fail_open": true
    },
    "isMtlsCertTokenBound": true
  },
  "token_expiration": {
    "access_token_ttl": 0,
    "refresh_token_ttl": 0,
    "max_refresh_rotate": 0
  },
  "session_expiration": 0,
  "enforce_par": true,
  "fapi_version_compliancy": true
}
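Because object fields in an update are replaced rather than merged, a change to one sub-field has to be sent together with the current values of its siblings. The following added example (not part of the original reference or the vendor's code) builds such a body from a previously read client; the function names and sample values are assumptions, and the object fields whose names are missing from the table above are not covered.

```python
import copy

# Named top-level fields from the update request table and sample on this page.
UPDATABLE = {
    "name", "description", "resources", "client_group_id", "default_custom_claims",
    "short_cookies_samesite_type", "redirect_uris", "client_type", "response_types",
    "token_endpoint_auth_method", "device_authorization", "pkce", "supported_prompts",
    "token_expiration", "session_expiration", "enforce_par", "role_ids",
    "fapi_version_compliancy",
}


def lost_subfields(current, changes):
    """Sub-fields that sending `changes` as-is would wipe from object fields."""
    lost = {}
    for key, new in changes.items():
        old = current.get(key)
        if isinstance(old, dict) and isinstance(new, dict):
            missing = sorted(set(old) - set(new))
            if missing:
                lost[key] = missing
    return lost


def build_update_body(current, changes):
    """Build an update body that carries every changed object field in full."""
    unknown = sorted(set(changes) - UPDATABLE)
    if unknown:
        raise ValueError(f"not in the update schema: {unknown}")
    body = {}
    for key, new in changes.items():
        old = current.get(key)
        if isinstance(old, dict) and isinstance(new, dict):
            merged = copy.deepcopy(old)
            merged.update(new)  # one level deep, matching the flat objects shown here
            body[key] = merged
        else:
            body[key] = copy.deepcopy(new)
    return body


# Constructed sample: the relevant part of a client as returned by a read.
CURRENT = {
    "client_id": "example-client-id",
    "token_expiration": {"access_token_ttl": 3600, "refresh_token_ttl": 86400, "max_refresh_rotate": 10},
    "enforce_par": True,
}
CHANGES = {"token_expiration": {"access_token_ttl": 900}, "enforce_par": True}
```

Running `lost_subfields(CURRENT, CHANGES)` before sending shows which settings a naive partial body would drop; `build_update_body(CURRENT, CHANGES)` returns the body with those settings carried over.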
Deletes a client. To authorize a request, use an access token for the relevant application.
{
  "message": "Bad request",
  "error_code": 400
}
Updates the list of resources that a client is allowed to explicitly request access to. To authorize a request, use an access token for the relevant application.
{
  "resource_ids": ["string"]
}
{
  "app_id": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "name": "string",
  "description": "string",
  "resources": ["string"],
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": ["tid"],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": ["string"],
  "client_type": "web",
  "response_types": ["code"],
  "token_endpoint_auth_method": "client_secret_basic",
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "device_authorization": {
    "enabled": false
  },
  "supported_prompts": ["login"],
  "authentication_configuration": {
    "method": "client_secret_basic",
    "jwks": {},
    "tls_client_auth": {
      "certificate_chain": "string",
      "distinguished_name": 6,
      "ocsp_on": true,
      "ocsp_responder_uri": "string",
      "ocsp_responder_certificate": "string",
      "ocsp_fail_open": true
    },
    "isMtlsCertTokenBound": true
  },
  "token_expiration": {
    "access_token_ttl": 0,
    "refresh_token_ttl": 0,
    "max_refresh_rotate": 0
  },
  "session_expiration": 0,
  "enforce_par": true,
  "fapi_version_compliancy": true
}