# Create clients group

Creates a new SSO clients group. Required permissions: sso-service:edit.

Endpoint: POST /v1/sso-service/sso-group
Security: ClientAccessToken

## Request fields (application/json):

  - `name` (string, required)
    Name of the clients group
    Example: "My Clients Group"

  - `description` (string)
    Short description of the clients group

  - `configuration` (object, required)
    Configuration of the clients group

  - `configuration.journey` (string, required)
    The journey ID associated with the SSO clients group

  - `configuration.allowSilentLogin` (boolean)
    Whether silent login is allowed.

  - `configuration.sessionTimeout` (number)
    Session timeout, expressed in seconds, minutes, hours, days or weeks depending on the value of `configuration.sessionTimeoutGranularity`.

  - `configuration.sessionTimeoutGranularity` (string)
    Session timeout granularity
    Enum: "seconds", "minutes", "hours", "days", "weeks"
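Added example (not part of this reference and not the vendor's SDK): a small helper that assembles the request body for this endpoint, validates it locally against the documented field requirements and enum values before anything is sent, and normalises `sessionTimeout` plus its granularity to seconds so groups can be compared against a policy ceiling. The base URL is a placeholder, and sending the ClientAccessToken as a `Bearer` header is this example's assumption; the reference only names the security scheme.

```python
"""Build, validate and submit a body for POST /v1/sso-service/sso-group.

Added example, not part of the API reference. Field names, required flags and
the granularity enum come from the reference; the base URL, the Bearer header
and the error wording are this example's own assumptions.
"""
import json
import urllib.request

GRANULARITIES = ("seconds", "minutes", "hours", "days", "weeks")
SECONDS_PER_UNIT = {"seconds": 1, "minutes": 60, "hours": 3600,
                    "days": 86400, "weeks": 604800}


def build_request(name, journey, description=None, allow_silent_login=None,
                  session_timeout=None, granularity=None):
    """Assemble the JSON body; optional fields are emitted only when given."""
    configuration = {"journey": journey}
    if allow_silent_login is not None:
        configuration["allowSilentLogin"] = allow_silent_login
    if session_timeout is not None:
        configuration["sessionTimeout"] = session_timeout
    if granularity is not None:
        configuration["sessionTimeoutGranularity"] = granularity
    body = {"name": name, "configuration": configuration}
    if description is not None:
        body["description"] = description
    return body


def validate_request(body):
    """Return a list of problems; an empty list means the body is well-formed.

    Mirrors the documented requirements: name and configuration.journey are
    required strings, allowSilentLogin is a boolean, sessionTimeout is a
    number and the granularity is one of the enum values. Rejecting locally
    avoids spending a request (and exposing the token) on a body the service
    would refuse anyway.
    """
    problems = []
    if not isinstance(body.get("name"), str) or not body["name"].strip():
        problems.append("name is required and must be a non-empty string")
    config = body.get("configuration")
    if not isinstance(config, dict):
        return problems + ["configuration is required and must be an object"]
    if not isinstance(config.get("journey"), str) or not config["journey"]:
        problems.append("configuration.journey is required and must be a string")
    if "allowSilentLogin" in config and not isinstance(config["allowSilentLogin"], bool):
        problems.append("configuration.allowSilentLogin must be a boolean")
    timeout = config.get("sessionTimeout")
    if timeout is not None and (isinstance(timeout, bool)
                                or not isinstance(timeout, (int, float))
                                or timeout <= 0):
        problems.append("configuration.sessionTimeout must be a positive number")
    gran = config.get("sessionTimeoutGranularity")
    if gran is not None and gran not in GRANULARITIES:
        problems.append("configuration.sessionTimeoutGranularity must be one of "
                        + ", ".join(GRANULARITIES))
    return problems


def session_timeout_seconds(config):
    """Normalise sessionTimeout + granularity to seconds.

    Returns None when either field is absent: the reference does not state a
    default unit, so this example does not assume one.
    """
    timeout = config.get("sessionTimeout")
    gran = config.get("sessionTimeoutGranularity")
    if timeout is None or gran not in SECONDS_PER_UNIT:
        return None
    return timeout * SECONDS_PER_UNIT[gran]


def create_clients_group(base_url, access_token, body):
    """POST the body and return the parsed 201 response.

    Network call, not exercised by the checks below. Sending the
    ClientAccessToken as a Bearer header is an assumption of this example.
    """
    problems = validate_request(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        base_url.rstrip("/") + "/v1/sso-service/sso-group",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + access_token},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # "journey-id-placeholder" stands in for a real journey ID.
    demo = build_request("My Clients Group", "journey-id-placeholder",
                         description="Constructed demo group",
                         session_timeout=12, granularity="hours")
    print(validate_request(demo), session_timeout_seconds(demo["configuration"]))
```

The normalisation step is the useful part for review: a group configured as `12 hours` and one configured as `720 minutes` are the same session lifetime, and comparing them in seconds makes an overly long timeout obvious regardless of which unit an administrator chose.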

## Response 201 fields (application/json):

  - `result` (object, required)

  - `result.app_id` (string, required)
    Application ID

  - `result.tenant_id` (string, required)
    Tenant ID

  - `result.app_name` (string, required)
    Application name displayed in the Admin Portal

  - `result.app_description` (string, required)
    Short description of your application, displayed in the Admin Portal

  - `result.logo` (string, required)
    URI of your application's logo, such as for email templates

  - `result.login_preferences` (object, required)

  - `result.login_preferences.auth_methods` (object, required)
    Login preferences

  - `result.login_preferences.auth_methods.google` (object)
    Google login configuration

  - `result.login_preferences.auth_methods.google.clientId` (string, required)
    Client ID retrieved from the identity provider

  - `result.login_preferences.auth_methods.google.clientSecret` (string)
    Client Secret retrieved from the identity provider

  - `result.login_preferences.auth_methods.google.redirectUris` (array)
    List of URIs approved for redirects for your client
    Example: ["https://www.example.com/login"]

  - `result.login_preferences.auth_methods.facebook` (object)
    Facebook login configuration

  - `result.login_preferences.auth_methods.facebook.clientId` (string, required)
    Client ID retrieved from the identity provider

  - `result.login_preferences.auth_methods.facebook.clientSecret` (string)
    Client Secret retrieved from the identity provider

  - `result.login_preferences.auth_methods.facebook.redirectUris` (array)
    List of URIs approved for redirects for your client
    Example: ["https://www.example.com/login"]

  - `result.login_preferences.auth_methods.email` (object)
    Email magic link login configuration

  - `result.login_preferences.auth_methods.email.expiresIn` (number, required)
    Number of minutes until the email link/code expires

  - `result.login_preferences.auth_methods.email.linksPerUser` (number, required)
    Number of magic links that may be sent to a single user per minute

  - `result.login_preferences.auth_methods.email.message` (object, required)

  - `result.login_preferences.auth_methods.email.message.primaryColor` (string, required)
    Primary color of the email, specified as a Hex color

  - `result.login_preferences.auth_methods.email.message.from` (string)
    Origin of the email message

  - `result.login_preferences.auth_methods.email.message.subject` (string)
    Subject of the email message

  - `result.login_preferences.auth_methods.email_otp` (object)
    Email one time password login configuration

  - `result.login_preferences.auth_methods.email_otp.expiresIn` (number, required)
    Number of minutes until the OTP expires

  - `result.login_preferences.auth_methods.email_otp.lockoutDuration` (number)
    OTP lockout duration (in minutes) after maximum attempts are reached
    Example: 15

  - `result.login_preferences.auth_methods.email_otp.maxFailures` (number, required)
    Number of wrong OTP attempts allowed before the passcode is invalidated. Must be between 1 and 20.
    Example: 3

  - `result.login_preferences.auth_methods.email_otp.codeLength` (number)
    The length of the generated OTP code. Must be between 4 and 8.
    Example: 6

  - `result.login_preferences.auth_methods.email_otp.crossClientsAllowed` (boolean)
    Determines if OTP authentication is allowed across different clients within the same application

  - `result.login_preferences.auth_methods.email_otp.message` (object, required)

  - `result.login_preferences.auth_methods.apple` (object)
    Apple login configuration

  - `result.login_preferences.auth_methods.apple.clientId` (string, required)
    Services ID retrieved from Apple

  - `result.login_preferences.auth_methods.apple.clientSecret` (string)
    Client Secret Signing Key retrieved from Apple

  - `result.login_preferences.auth_methods.apple.redirectUris` (array)
    List of URIs approved for redirects for your client
    Example: ["https://www.example.com/login"]

  - `result.login_preferences.auth_methods.apple.appleTeamId` (string, required)
    Apple Team ID

  - `result.login_preferences.auth_methods.apple.keyId` (string, required)
    Apple Key ID

  - `result.login_preferences.auth_methods.sms` (object)
    SMS one time password login configuration

  - `result.login_preferences.auth_methods.sms.expiresIn` (number, required)
    Number of minutes until the OTP expires

  - `result.login_preferences.auth_methods.sms.lockoutDuration` (number)
    OTP lockout duration (in minutes) after maximum attempts are reached
    Example: 15

  - `result.login_preferences.auth_methods.sms.maxFailures` (number, required)
    Number of wrong OTP attempts allowed before the passcode is invalidated. Must be between 1 and 20.
    Example: 3

  - `result.login_preferences.auth_methods.sms.codeLength` (number)
    The length of the generated OTP code. Must be between 4 and 8.
    Example: 6

  - `result.login_preferences.auth_methods.sms.crossClientsAllowed` (boolean)
    Determines if OTP authentication is allowed across different clients within the same application

  - `result.login_preferences.auth_methods.webauthn_api` (object)
    WebAuthn API configuration

  - `result.login_preferences.auth_methods.webauthn_api.failuresExpireIn` (number)
    Number of minutes until previous failed attempts are considered expired. Must be between 1 and 525600 minutes (1 year).
    Example: 15

  - `result.login_preferences.auth_methods.webauthn_api.lockoutTiers` (array)
    Progressive lockout tiers based on failed attempts

  - `result.login_preferences.auth_methods.webauthn_api.lockoutTiers.attempts` (number, required)
    Number of failed attempts before this tier is triggered
    Example: 3

  - `result.login_preferences.auth_methods.webauthn_api.lockoutTiers.duration` (number, required)
    Lockout duration in minutes for this tier
    Example: 15

  - `result.login_preferences.auth_methods.webauthn_api.rpId` (string, required)
    Domain to which WebAuthn credentials are registered and used to authenticate (e.g., example.com)

  - `result.login_preferences.auth_methods.webauthn_api.rpWebOrigins` (array)
    A list of web origins that will be used to request registration and authentication. Each origin must match the domain of the RP ID, but may be a subdomain of it (e.g., https://login.example.com). The origin must also include the HTTPS scheme and the port (if relevant).

  - `result.login_preferences.auth_methods.webauthn_api.rpMobileOrigins` (array)
    A list of mobile origins that will be used to request registration and authentication. The origin must match the domain of the RP ID.

  - `result.login_preferences.auth_methods.webauthn_api.replaceExistingPasskey` (boolean)
    Set to true in order to replace the existing passkey. Default is false.

  - `result.login_preferences.auth_methods.webauthn_api.allowSyncedPasskeys` (boolean)
    Allow synced passkeys

  - `result.login_preferences.auth_methods.webauthn_api.enforceAttestation` (boolean)
    Enforce attestation for device-bound passkeys

  - `result.login_preferences.auth_methods.webauthn_api.aaguidAllowList` (array)
    List of allowed AAGUIDs (Authenticator Attestation GUIDs). If specified, only authenticators with these AAGUIDs will be accepted. Mutually exclusive with aaguidBlockList.

  - `result.login_preferences.auth_methods.webauthn_api.aaguidBlockList` (array)
    List of blocked AAGUIDs (Authenticator Attestation GUIDs). Authenticators with these AAGUIDs will be rejected. Mutually exclusive with aaguidAllowList.

  - `result.login_preferences.auth_methods.webauthn_api.maxFailures` (number)
    Number of wrong attempts allowed before the passcode is invalidated. Must be between 1 and 20.
    Example: 3

  - `result.login_preferences.auth_methods.webauthn_api.lockoutDuration` (number)
    Lockout duration (in minutes) after maximum attempts are reached
    Example: 15

  - `result.login_preferences.auth_methods.webauthn_api.rpOrigin` (string)
    Web origin that will be used to request registration and authentication. The origin must match the domain of the RP ID, but may be a subdomain of it (e.g., https://login.example.com). The origin must also include the HTTPS scheme and the port (if relevant).

  - `result.login_preferences.auth_methods.webauthn_api.rpOrigins` (array)
    Use rpWebOrigins or rpMobileOrigins instead

  - `result.login_preferences.auth_methods.line` (object)
    Line login configuration

  - `result.login_preferences.auth_methods.line.clientId` (string, required)
    Client ID retrieved from the identity provider

  - `result.login_preferences.auth_methods.line.clientSecret` (string)
    Client Secret retrieved from the identity provider

  - `result.login_preferences.auth_methods.line.redirectUris` (array)
    List of URIs approved for redirects for your client
    Example: ["https://www.example.com/login"]

  - `result.login_preferences.auth_methods.password` (object)
    Password login configuration

  - `result.login_preferences.auth_methods.password.failuresExpireIn` (number)
    Number of minutes until previous failed attempts are considered expired. Must be between 1 and 525600 minutes (1 year).
    Example: 15

  - `result.login_preferences.auth_methods.password.lockoutTiers` (array)
    Progressive lockout tiers based on failed attempts

  - `result.login_preferences.auth_methods.password.resetValidityMinutes` (number, required)
    Number of minutes until reset password token/OTP expires.
    Example: 5

  - `result.login_preferences.auth_methods.password.passwordComplexity` (number, required)
    Password complexity. Must be between 1 and 5.
    Example: 5

  - `result.login_preferences.auth_methods.password.passwordMinLength` (number, required)
    Minimum required length of the password.
    Example: 14

  - `result.login_preferences.auth_methods.password.blockPreviousPasswords` (number, required)
    Number of most recent passwords to block the user from setting as their new password.

  - `result.login_preferences.auth_methods.password.checkHibp` (boolean)
    Check password updates against HIBP.

  - `result.login_preferences.auth_methods.password.checkDictionary` (boolean)
    Check password updates against a predefined dictionary.

  - `result.login_preferences.auth_methods.password.passwordExpiresIn` (number, required)
    Number of days until the password expires. Must be between 1 and 1096 days (3 years).
    Example: 90

  - `result.login_preferences.auth_methods.password.ignoreExpiration` (boolean)
    Ignore password expiration. If true, the password will never expire.

  - `result.login_preferences.auth_methods.password.maxPasswordFailures` (number)
    Number of wrong password attempts allowed before the user is suspended. Must be between 1 and 20.
    Example: 5

  - `result.login_preferences.auth_methods.password.passwordSuspensionDuration` (number)
    Number of minutes to suspend the user from authenticating using password after the maximum number of allowed failed attempts is exceeded. Must be between 1 and 525600 minutes (1 year).
    Example: 15

  - `result.login_preferences.auth_methods.password.tempPasswordValidityHours` (number)
    Number of hours until temporary passwords are considered expired. Must be between 1 and 8760 hours (1 year).
    Example: 24

  - `result.login_preferences.auth_methods.password.message` (object, required)

  - `result.login_preferences.auth_methods.password.requireMFA` (boolean)
    Require multi-factor authentication for password reset flows.

  - `result.login_preferences.auth_methods.password.codeLength` (number)
    The length of the generated OTP code. Must be between 4 and 8.
    Example: 6

  - `result.login_preferences.auth_methods.password.notifyOnPasswordUpdate` (boolean)
    Send email to end-user upon password update

  - `result.login_preferences.auth_methods.totp` (object)
    TOTP login configuration

  - `result.login_preferences.auth_methods.totp.failuresExpireIn` (number)
    Number of minutes until previous failed attempts are considered expired. Must be between 1 and 525600 minutes (1 year).
    Example: 15

  - `result.login_preferences.auth_methods.totp.lockoutTiers` (array)
    Progressive lockout tiers based on failed attempts

  - `result.login_preferences.auth_methods.totp.algorithm` (string)
    The algorithm used to generate the TOTP code
    Enum: "sha1", "sha256", "sha512"

  - `result.login_preferences.auth_methods.totp.digits` (number)
    Number of digits in the generated TOTP code. Must be 6 or 8.
    Example: 6

  - `result.login_preferences.auth_methods.totp.period` (number)
    Number of seconds in which the TOTP code is valid
    Example: 30

  - `result.login_preferences.auth_methods.totp.window` (number)
    Number of windows to check for valid TOTP codes
    Example: 2

  - `result.login_preferences.auth_methods.totp.issuer` (string)
    TOTP issuer
    Example: "My Company"

  - `result.login_preferences.auth_methods.totp.maxTotpPerUser` (number)
    Maximum number of TOTP authenticators allowed per user. Must be between 1 and 5.
    Example: 1

  - `result.login_preferences.auth_methods.totp.maxFailures` (number)
    Number of wrong TOTP attempts allowed before the passcode is invalidated. Must be between 1 and 20.
    Example: 3

  - `result.login_preferences.auth_methods.totp.lockoutDuration` (number)
    TOTP lockout duration (in minutes) after maximum attempts are reached
    Example: 15

  - `result.login_preferences.auth_methods.push` (object)
    Push configuration

  - `result.login_preferences.auth_methods.push.apn` (array)
    APN configuration. Can be a single object or an array of objects.

  - `result.login_preferences.auth_methods.push.fcm` (object)
    FCM configuration

  - `result.login_preferences.auth_methods.push.fcm.key` (object, required)
    FCM key

  - `result.login_preferences.auth_methods.tiktok` (object)
    TikTok login configuration

  - `result.login_preferences.auth_methods.tiktok.clientId` (string, required)
    Client ID retrieved from the identity provider

  - `result.login_preferences.auth_methods.tiktok.clientSecret` (string)
    Client Secret retrieved from the identity provider

  - `result.login_preferences.auth_methods.tiktok.redirectUris` (array)
    List of URIs approved for redirects for your client
    Example: ["https://www.example.com/login"]

  - `result.login_preferences.auth_methods.pin_authenticator` (object)
    PIN authenticator configuration

  - `result.login_preferences.auth_methods.pin_authenticator.failuresExpireIn` (number)
    Number of minutes until previous failed attempts are considered expired. Must be between 1 and 525600 minutes (1 year).
    Example: 15

  - `result.login_preferences.auth_methods.pin_authenticator.lockoutTiers` (array)
    Progressive lockout tiers based on failed attempts

  - `result.login_preferences.auth_methods.pin_authenticator.maxFailures` (number)
    Number of wrong PIN Authenticator attempts allowed before the passcode is invalidated. Must be between 1 and 20.
    Example: 3

  - `result.login_preferences.auth_methods.pin_authenticator.lockoutDuration` (number)
    PIN Authenticator lockout duration (in minutes) after maximum attempts are reached
    Example: 15

  - `result.login_preferences.auth_methods.face` (object)
    Face authenticator configuration

  - `result.login_preferences.auth_methods.face.failuresExpireIn` (number)
    Number of minutes until previous failed attempts are considered expired. Must be between 1 and 525600 minutes (1 year).
    Example: 15

  - `result.login_preferences.auth_methods.face.lockoutTiers` (array)
    Progressive lockout tiers based on failed attempts

  - `result.login_preferences.auth_methods.face.saveImageEmbedding` (boolean)
    Enables saving the image embedding

  - `result.login_preferences.auth_methods.face.maxFailures` (number)
    Number of wrong Face Authenticator attempts allowed. Must be between 1 and 20.
    Example: 3

  - `result.login_preferences.auth_methods.face.lockoutDuration` (number)
    Face Authenticator lockout duration (in minutes) after maximum attempts are reached
    Example: 15

  - `result.created_at` (string, required)
    Date the application was created

  - `result.created_by` (string, required)
    The user that created the application

  - `result.updated_at` (string, required)
    Date the application was last updated

  - `result.service_providers` (array, required)
    List of service providers this application is allowed to explicitly redirect to

  - `result.authenticator_preferences` (object, required)
    Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login.

  - `result.authenticator_preferences.is_centralized` (boolean, required)
    Indicates whether to set the application as the Authentication Hub for this tenant

  - `result.authenticator_preferences.login_uri` (string, required)
    URI of the application that will initiate an authentication flow when centralized login is requested
    Example: "https://www.example.com/login"

  - `result.allow_public_signup` (boolean, required)
    Determines if the application is allowed to request to create new users via login flows

  - `result.pkce` (string)
    PKCE configuration
    Enum: "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials"

  - `result.password_sharing_group_id` (string)
    If the app has opted in to password sharing, this identifies the group of apps that it shares passwords with.

  - `result.login_uri` (string)
    URI used to redirect the user to the login page of the application (when needed)
    Example: "https://www.example.com/login"

  - `result.invite_member_uri` (string)
    URI used to redirect the member to the login page of the application (when needed)
    Example: "https://www.example.com/login"

  - `result.invite_client_id` (string)
    Client used for the email magic link invitation flow

  - `result.subdomain` (string)
    Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)
    Example: "myapp"

  - `result.invite_member_email_expiration_minutes` (number)
    Member invite email link expiration in minutes

  - `result.custom_domain` (object)
    Custom domain of the application that can be offered for the application to be accessed from

  - `result.custom_domain.domain` (string, required)
    Domain of the application that can be offered for the application to be accessed from
    Example: "myapp.com"

  - `result.custom_domain.updated_at` (string, required)
    Date the custom domain was last updated

  - `result.custom_domain.status` (string)
    The status of the custom domain validation process
    Enum: "pending", "verified", "error"

  - `result.custom_domain.error` (string)
    The error message if the custom domain validation process failed

  - `result.external_communication` (object)
    External communication configuration for the application

  - `result.external_communication.language` (string)
    Language configuration for the external communication. The default language is English.
    Enum: "en", "es", "pt", "fr", "ja", "fr-CA"

  - `result.signing_key_enabled` (boolean)
    Determines if application specific signing key is enabled

  - `result.refresh_token_invalidation_trigger_configuration` (object)
    Refresh token invalidation trigger configuration

  - `result.refresh_token_invalidation_trigger_configuration.invalidateOnMemberSuspension` (boolean)
    Determines if refresh tokens should be invalidated when a member is suspended

  - `result.refresh_token_invalidation_trigger_configuration.invalidateOnMemberPasswordReset` (boolean)
    Determines if refresh tokens should be invalidated when a member resets their password

  - `result.refresh_token_invalidation_trigger_configuration.invalidateOnMemberRoleUpdate` (boolean)
    Determines if refresh tokens should be invalidated when a member role is updated

  - `result.application_type` (string)
    Application type
    Enum: "ido", "basic"

  - `result.client_type` (string)
    Type of the default client
    Enum: "web", "native"

  - `result.client_id` (string)
    Client ID of the default client used for API requests

  - `result.client_display_name` (string)
    Client name of the default client to display when needed

  - `result.client_description` (string)
    Short description of the default client

  - `result.client_secret` (string)
    Client secret of the default client used to obtain tokens for API authorization

  - `result.redirect_uris` (array)
    List of URIs approved for redirects for your default client

  - `result.resources` (array)
    List of resources the default client is allowed to explicitly request access to

  - `result.client_auth_method` (string)
    This field is deprecated; to configure PKCE, use the `pkce` field instead
    Enum: "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt"

  - `result.device_authorization` (object)
    Configuration for an [OAuth Device Authorization Flow](https://www.rfc-editor.org/rfc/rfc8628) of the default client

  - `result.device_authorization.enabled` (boolean, required)
    Determines if the client is allowed to use the OAuth device authorization flow

  - `result.device_authorization.approval_uri` (string, required)
    The URI of the page that allows the user to approve the access request
    Example: "https://www.example.com/device/approval"

  - `result.device_authorization.success_uri` (string, required)
    Callback URI that receives an indication of whether the end-user authentication was completed successfully.
    Example: "https://www.example.com/device/complete"

  - `result.device_authorization.input_uri` (string, required)
    The URI of the page that allows the user to enter the code
    Example: "https://www.example.com/device/start"

  - `result.ciba_authorization` (object)
    CIBA authorization flow configuration of the default client

  - `result.ciba_authorization.enabled` (boolean, required)
    Determines if the client is allowed to use the OAuth CIBA authorization flow

  - `result.ciba_authorization.login_uri` (string)
    The URI of the page that allows the user to log in and verify the access request
    Example: "https://www.example.com/ciba/login"
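Added example (not part of this reference and not vendor code): a review helper for the `result.login_preferences.auth_methods.webauthn_api` block described above. It encodes the constraints the reference states, namely that each entry in `rpWebOrigins` must use the HTTPS scheme, carry a port only when relevant, and have a host equal to `rpId` or a subdomain of it; that `aaguidAllowList` and `aaguidBlockList` are mutually exclusive; that `rpOrigins` should be migrated to `rpWebOrigins` or `rpMobileOrigins`; and that every `lockoutTiers` entry needs `attempts` and `duration`. It generalises the single-origin example in the text to a whole list and deliberately handles the look-alike host case (`evilexample.com` against an RP ID of `example.com`), which a naive suffix comparison would accept. The sample configuration and the AAGUID values in it are constructed placeholders; the format of mobile origins is not described on the page, so they are not checked here.

```python
"""Check a webauthn_api configuration object against the documented rules.

Added example, not vendor code. The sample configuration below is constructed
and its AAGUID values are placeholders.
"""
from urllib.parse import urlsplit


def host_matches_rp_id(host, rp_id):
    """True if host equals rp_id or is a subdomain of it.

    The dot is prepended on purpose: a plain endswith(rp_id) would treat
    'evilexample.com' as matching 'example.com'.
    """
    host = host.lower().rstrip(".")
    rp_id = rp_id.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)


def check_web_origin(origin, rp_id):
    """Return None if origin is acceptable for rp_id, else a reason string."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return f"{origin}: scheme must be https"
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return f"{origin}: an origin is scheme://host[:port] only"
    if not parts.hostname:
        return f"{origin}: missing host"
    if not host_matches_rp_id(parts.hostname, rp_id):
        return f"{origin}: host is not {rp_id} or a subdomain of it"
    return None


def check_webauthn_config(cfg):
    """Collect every problem in a webauthn_api object; empty list means clean."""
    problems = []
    rp_id = cfg.get("rpId")
    if not rp_id:
        return ["rpId is required"]
    if "://" in rp_id or "/" in rp_id:
        problems.append("rpId must be a bare domain, not a URL")
    for origin in cfg.get("rpWebOrigins", []):
        reason = check_web_origin(origin, rp_id)
        if reason:
            problems.append(reason)
    if cfg.get("aaguidAllowList") and cfg.get("aaguidBlockList"):
        problems.append("aaguidAllowList and aaguidBlockList are mutually exclusive")
    if cfg.get("rpOrigins"):
        problems.append("rpOrigins is superseded; use rpWebOrigins or rpMobileOrigins")
    for i, tier in enumerate(cfg.get("lockoutTiers", [])):
        for key in ("attempts", "duration"):
            val = tier.get(key)
            if isinstance(val, bool) or not isinstance(val, (int, float)) or val < 1:
                problems.append(f"lockoutTiers[{i}].{key} must be a positive number")
    return problems


# Constructed sample: three good origins, three bad ones, and both AAGUID lists set.
SAMPLE_WEBAUTHN = {
    "rpId": "example.com",
    "rpWebOrigins": [
        "https://login.example.com",           # subdomain of the RP ID: ok
        "https://example.com:8443",            # RP ID itself with a port: ok
        "https://example.com",                 # RP ID itself: ok
        "http://login.example.com",            # wrong scheme
        "https://evilexample.com",             # look-alike host, not a subdomain
        "https://login.example.com/callback",  # a path makes it a URL, not an origin
    ],
    "lockoutTiers": [{"attempts": 3, "duration": 15}, {"attempts": 6, "duration": 60}],
    "aaguidAllowList": ["aaguid-placeholder-1"],  # placeholder, not a real AAGUID
    "aaguidBlockList": ["aaguid-placeholder-2"],  # placeholder, not a real AAGUID
}

if __name__ == "__main__":
    for problem in check_webauthn_config(SAMPLE_WEBAUTHN):
        print(problem)
```

Run against the constructed sample this reports four problems: the `http://` origin, the look-alike host, the origin carrying a path, and the conflicting AAGUID lists. The same function can be pointed at the `webauthn_api` object of a real 201 response to confirm that a newly created group only trusts the origins it is meant to.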


