Clients

Allows an application to manage its clients, including updating existing clients and creating additional clients. To authorize API calls, use an access token for the relevant application. To manage apps and their clients as a tenant admin, see Application APIs.

Create client

Creates an additional client for the app. To authorize a request, use an access token for the relevant application.

Security: OAuth2: ClientAccessToken
Request
Request Body schema: application/json
required
Any of:
name
required
string

Name of the client

description
string

Short description of the client

resources
Array of strings

List of resource IDs associated with this client

authentication_protocol
string
Default: "oidc"

Authentication protocol used by the client

Enum: "oidc" "saml"
client_group_id
string

ID of the client group to associate with

default_custom_claims
Array of strings

List of client default custom claims

Items Enum: "tid" "fname" "lname" "mname" "email" "email_verified" "phone_number" "phone_number_verified" "groups" "new_user" "birthday" "language" "city" "address" "country" "street_address" "address_type" "webauthn" "roles" "ts_roles" "role_values" "ts_permissions" "permissions" "approval_data" "custom_group_data" "username" "secondary_phone_numbers" "secondary_emails" "picture" "created_at" "last_auth" "auth_time" "external_account_id" "external_user_id" "app_name" "custom_data" "custom_app_data"
short_cookies_samesite_type
string
Default: "lax"

Short cookies samesite type. Possible values: "none", "lax", "strict". Default: "lax"

Enum: "lax" "none"
redirect_uris
required
Array of strings

List of URIs approved for redirects for your client

client_type
string
Default: "web"

Client type

Enum: "web" "native"
response_types
Array of strings
Default: ["code","id_token"]
Items Enum: "code" "id_token"
token_endpoint_auth_method
string
Deprecated
Default: "client_secret_basic"

This field is deprecated. To configure PKCE, use the "pkce" field instead.

Enum: "client_secret_basic" "self_signed_tls_client_auth" "tls_client_auth" "none" "private_key_jwt"
device_authorization
object

Configuration for an OAuth Device Authorization Flow

ciba_authorization
object

CIBA authorization flow configuration

pkce
string

PKCE configuration

Enum: "enforcePkceInsteadOfClientCredentials" "enforcePkceAlongsideClientCredentials" "allowPkceAlongsideClientCredentials"
supported_prompts
Array of strings

Supported prompts for the OIDC authentication flow

Items Enum: "login" "consent" "none"
token_expiration
object

Token expiration settings

session_expiration
number

Session expiration time (seconds)

enforce_par
boolean

Enforce PAR (Pushed Authorization Request) for this client

role_ids
Array of strings

Role IDs

fapi_version_compliancy
boolean

FAPI 2.0 compliancy configuration

Responses
201
400
409
POST /v1/clients
Request samples
application/json
{
  "name": "My Client",
  "description": "string",
  "resources": [ ],
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": [ ],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": [],
  "client_type": "web",
  "response_types": [ ],
  "token_endpoint_auth_method": "client_secret_basic",
  "device_authorization": {},
  "ciba_authorization": {},
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "supported_prompts": [ ],
  "token_expiration": { },
  "session_expiration": 0,
  "enforce_par": true,
  "role_ids": [ ],
  "fapi_version_compliancy": true
}
Response samples
application/json
{
  "app_id": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "name": "string",
  "description": "string",
  "resources": [ ],
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": [ ],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": [ ],
  "client_type": "web",
  "response_types": [ ],
  "token_endpoint_auth_method": "client_secret_basic",
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "device_authorization": {},
  "ciba_authorization": {},
  "supported_prompts": [ ],
  "authentication_configuration": { },
  "token_expiration": { },
  "session_expiration": 0,
  "enforce_par": true,
  "fapi_version_compliancy": true
}

Get all clients

Retrieves a list of clients for the app. To authorize a request, use an access token for the relevant application.

Security: OAuth2: ClientAccessToken
Responses
200
400
GET /v1/clients
Response samples
application/json
[
  { }
]
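A configuration audit over the client list this endpoint returns, using the fields documented under Create client. This is an added example, not code from the API vendor; the finding rules, the treatment of a missing "pkce" value as not enforced, and the sample clients are assumptions made for illustration.

```python
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_redirect_uri(uri, client_type):
    """Findings for one redirect_uris entry."""
    parts = urlsplit(uri)
    findings = []
    if "*" in uri:
        findings.append("wildcard in redirect URI")
    if parts.scheme == "http" and parts.hostname not in LOOPBACK:
        findings.append("cleartext http to a non-loopback host")
    if parts.scheme not in ("http", "https") and client_type != "native":
        findings.append("custom scheme on a web client")
    return findings

def audit_client(client):
    """Findings for one client object as returned by the Clients API."""
    client_type = client.get("client_type", "web")  # documented default
    findings = [
        f"{uri}: {msg}"
        for uri in client.get("redirect_uris", [])
        for msg in audit_redirect_uri(uri, client_type)
    ]
    # Assumption: a missing "pkce" value is treated as "not enforced".
    if not str(client.get("pkce", "")).startswith("enforce"):
        findings.append("PKCE is not enforced")
    if client.get("short_cookies_samesite_type", "lax") == "none":
        findings.append("short cookies use SameSite=none")
    if not client.get("enforce_par", False):
        findings.append("PAR is not enforced")
    return findings

def audit_clients(clients):
    """Map client_id -> findings, listing only clients that have findings."""
    report = {c.get("client_id", "?"): audit_client(c) for c in clients}
    return {cid: found for cid, found in report.items() if found}

# Constructed sample data, not output from a real tenant.
SAMPLE = [
    {"client_id": "constructed-weak", "client_type": "web",
     "redirect_uris": ["http://app.example.com/cb", "https://*.example.com/cb"],
     "pkce": "allowPkceAlongsideClientCredentials",
     "short_cookies_samesite_type": "none", "enforce_par": False},
    {"client_id": "constructed-native", "client_type": "native",
     "redirect_uris": ["com.example.app:/cb", "http://127.0.0.1:8080/cb"],
     "pkce": "enforcePkceInsteadOfClientCredentials", "enforce_par": True},
]
```

Pass the parsed JSON array from the response to `audit_clients`; an empty result means no client tripped any rule.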

Delete all clients

Deletes all clients associated with the app. To authorize a request, use an access token for the relevant application. Note that the application cannot be used without clients.

Security: OAuth2: ClientAccessToken
Responses
204
400
404
DELETE /v1/clients
Response samples
application/json
{
  "message": "Bad request",
  "error_code": 400
}

Get client by ID

Retrieves a client by client ID. To authorize a request, use an access token for the relevant application.

Security: OAuth2: ClientAccessToken
Request
path Parameters
clientId
required
string

ID of the client to retrieve

Responses
200
400
404
GET /v1/clients/{clientId}
Response samples
application/json
{
  "app_id": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "name": "string",
  "description": "string",
  "resources": [ ],
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": [ ],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": [ ],
  "client_type": "web",
  "response_types": [ ],
  "token_endpoint_auth_method": "client_secret_basic",
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "device_authorization": {},
  "ciba_authorization": {},
  "supported_prompts": [ ],
  "authentication_configuration": { },
  "token_expiration": { },
  "session_expiration": 0,
  "enforce_par": true,
  "fapi_version_compliancy": true
}

Update client

Updates a client by its ID. To authorize a request, use an access token for the relevant application. Note: Fields that are objects cannot be partially updated, because the new value you set replaces the current one.

Security: OAuth2: ClientAccessToken
Request
path Parameters
clientId
required
string

ID of the client to update

Request Body schema: application/json
required
Any of:
name
string

Name of the client

description
string

Short description of the client

resources
Array of strings

List of resource IDs associated with this client

client_group_id
string

ID of the client group to associate with

default_custom_claims
Array of strings

List of client default custom claims

Items Enum: "tid" "fname" "lname" "mname" "email" "email_verified" "phone_number" "phone_number_verified" "groups" "new_user" "birthday" "language" "city" "address" "country" "street_address" "address_type" "webauthn" "roles" "ts_roles" "role_values" "ts_permissions" "permissions" "approval_data" "custom_group_data" "username" "secondary_phone_numbers" "secondary_emails" "picture" "created_at" "last_auth" "auth_time" "external_account_id" "external_user_id" "app_name" "custom_data" "custom_app_data"
short_cookies_samesite_type
string
Default: "lax"

Short cookies samesite type. Possible values: "none", "lax", "strict". Default: "lax"

Enum: "lax" "none"
redirect_uris
Array of strings

List of URIs approved for redirects for your client

client_type
string
Default: "web"

Client type

Enum: "web" "native"
response_types
Array of strings
Default: ["code","id_token"]
Items Enum: "code" "id_token"
token_endpoint_auth_method
string
Deprecated
Default: "client_secret_basic"

This field is deprecated. To configure PKCE, use the "pkce" field instead.

Enum: "client_secret_basic" "self_signed_tls_client_auth" "tls_client_auth" "none" "private_key_jwt"
device_authorization
object

Configuration for an OAuth Device Authorization Flow

ciba_authorization
object

CIBA authorization flow configuration

pkce
string

PKCE configuration

Enum: "enforcePkceInsteadOfClientCredentials" "enforcePkceAlongsideClientCredentials" "allowPkceAlongsideClientCredentials"
supported_prompts
Array of strings

Supported prompts for the OIDC authentication flow

Items Enum: "login" "consent" "none"
token_expiration
object

Token expiration settings

session_expiration
number

Session expiration time (seconds)

enforce_par
boolean

Enforce PAR (Pushed Authorization Request) for this client

role_ids
Array of strings

Role IDs

fapi_version_compliancy
boolean

FAPI 2.0 compliancy configuration

Responses
200
400
404
PUT /v1/clients/{clientId}
Request samples
application/json
{
  "name": "My Client",
  "description": "string",
  "resources": [ ],
  "client_group_id": "string",
  "default_custom_claims": [ ],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": [],
  "client_type": "web",
  "response_types": [ ],
  "token_endpoint_auth_method": "client_secret_basic",
  "device_authorization": {},
  "ciba_authorization": {},
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "supported_prompts": [ ],
  "token_expiration": { },
  "session_expiration": 0,
  "enforce_par": true,
  "role_ids": [ ],
  "fapi_version_compliancy": true
}
Response samples
application/json
{
  "app_id": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "name": "string",
  "description": "string",
  "resources": [ ],
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": [ ],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": [ ],
  "client_type": "web",
  "response_types": [ ],
  "token_endpoint_auth_method": "client_secret_basic",
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "device_authorization": {},
  "ciba_authorization": {},
  "supported_prompts": [ ],
  "authentication_configuration": { },
  "token_expiration": { },
  "session_expiration": 0,
  "enforce_par": true,
  "fapi_version_compliancy": true
}
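Because an object field in the update body replaces the stored value, a change to one sub-setting has to be sent together with the sub-settings that should stay. The helper below is an added example, not code from the API vendor: it builds a PUT body from the client returned by Get client by ID plus the intended changes. The sub-keys `placeholder_ttl_a` and `placeholder_ttl_b` are hypothetical, and it assumes that top-level fields left out of the body are not changed.

```python
import copy

# Top-level fields of the Update client request body, as listed on this page.
UPDATABLE = {
    "name", "description", "resources", "client_group_id",
    "default_custom_claims", "short_cookies_samesite_type", "redirect_uris",
    "client_type", "response_types", "token_endpoint_auth_method",
    "device_authorization", "ciba_authorization", "pkce", "supported_prompts",
    "token_expiration", "session_expiration", "enforce_par", "role_ids",
    "fapi_version_compliancy",
}

def _merge(old, new):
    """Recursively overlay `new` on `old` without mutating either."""
    merged = copy.deepcopy(old)
    for key, value in new.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = _merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def build_update_body(current, changes):
    """Return a PUT body in which every changed object field is sent whole."""
    rejected = sorted(set(changes) - UPDATABLE)
    if rejected:
        # Read-only response fields such as client_secret never go back out.
        raise ValueError(f"not part of the update schema: {rejected}")
    body = {}
    for key, value in changes.items():
        old = current.get(key)
        if isinstance(value, dict) and isinstance(old, dict):
            body[key] = _merge(old, value)  # keep sub-keys the caller left out
        else:
            body[key] = copy.deepcopy(value)  # scalars and arrays: sent as given
    return body

# Constructed stand-in for a GET /v1/clients/{clientId} response.
# The token_expiration sub-keys are hypothetical placeholders.
CURRENT = {
    "client_id": "constructed-id",
    "enforce_par": False,
    "token_expiration": {"placeholder_ttl_a": 300, "placeholder_ttl_b": 86400},
}
```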

Delete client

Deletes a client. To authorize a request, use an access token for the relevant application.

Security: OAuth2: ClientAccessToken
Request
path Parameters
clientId
required
string

ID of the client to delete

Responses
204
400
404
DELETE /v1/clients/{clientId}
Response samples
application/json
{
  "message": "Bad request",
  "error_code": 400
}

Update client resources

Updates the list of resources that a client is allowed to explicitly request access to. To authorize a request, use an access token for the relevant application.

Security: OAuth2: ClientAccessToken
Request
path Parameters
clientId
required
string
Request Body schema: application/json
required
resource_ids
required
Array of strings

List of resources this application is allowed to explicitly request access to

Responses
200
PUT /v1/clients/{clientId}/resources
Request samples
application/json
{
  "resource_ids": [ ]
}
Response samples
application/json
{
  "app_id": "string",
  "tenant_id": "string",
  "client_id": "string",
  "client_secret": "string",
  "name": "string",
  "description": "string",
  "resources": [ ],
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "authentication_protocol": "oidc",
  "client_group_id": "string",
  "default_custom_claims": [ ],
  "short_cookies_samesite_type": "lax",
  "redirect_uris": [ ],
  "client_type": "web",
  "response_types": [ ],
  "token_endpoint_auth_method": "client_secret_basic",
  "pkce": "enforcePkceInsteadOfClientCredentials",
  "device_authorization": {},
  "ciba_authorization": {},
  "supported_prompts": [ ],
  "authentication_configuration": { },
  "token_expiration": { },
  "session_expiration": 0,
  "enforce_par": true,
  "fapi_version_compliancy": true
}