Client Management

Overview

The Client Management API provides endpoints for registering, configuring, and managing secrets for OAuth client applications.

Endpoint List

Method	Endpoint	Description
GET	`/api/admin/clients`	List clients
GET	`/api/admin/clients/:id`	Get client details
POST	`/api/admin/clients`	Create client
PUT	`/api/admin/clients/:id`	Update client
DELETE	`/api/admin/clients/:id`	Delete client
POST	`/api/admin/clients/:id/rotate-secret`	Rotate secret
POST	`/api/admin/clients/:id/enable`	Enable client
POST	`/api/admin/clients/:id/disable`	Disable client

List Clients

Retrieve a list of registered OAuth clients.

Endpoint

GET /api/admin/clients

Query Parameters

Parameter	Type	Required	Description
`limit`	integer	-	Number of items (default: 20, max: 100)
`cursor`	string	-	Pagination cursor
`type`	string	-	Client type (`web`, `native`, `spa`, `m2m`)
`status`	string	-	Status (`active`, `disabled`)

Request Example

curl -X GET "https://{tenant-domain}/api/admin/clients?type=web" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "items": [
    {
      "id": "client_abc123",
      "name": "My Web App",
      "type": "web",
      "status": "active",
      "redirect_uris": ["https://myapp.example.com/callback"],
      "created_at": 1705881600,
      "updated_at": 1705968000
    }
  ],
  "total": 5,
  "cursor": null
}

Get Client Details

Retrieve detailed information for a specified client.

Endpoint

GET /api/admin/clients/:id

Path Parameters

Parameter	Type	Required	Description
`id`	string	✓	Client ID

Request Example

curl -X GET "https://{tenant-domain}/api/admin/clients/client_abc123" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "id": "client_abc123",
  "name": "My Web App",
  "description": "Main web application",
  "type": "web",
  "status": "active",
  "redirect_uris": [
    "https://myapp.example.com/callback",
    "https://myapp.example.com/silent-callback"
  ],
  "post_logout_redirect_uris": [
    "https://myapp.example.com/"
  ],
  "allowed_origins": [
    "https://myapp.example.com"
  ],
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "token_endpoint_auth_method": "client_secret_post",
  "scopes": ["openid", "profile", "email"],
  "id_token_lifetime": 3600,
  "access_token_lifetime": 3600,
  "refresh_token_lifetime": 2592000,
  "created_at": 1705881600,
  "updated_at": 1705968000
}

Create Client

Endpoint

POST /api/admin/clients

Request Body

Field	Type	Required	Description
`name`	string	✓	Client name
`type`	string	✓	Client type (`web`, `native`, `spa`, `m2m`)
`description`	string	-	Description
`redirect_uris`	string[]	✓	Redirect URI list
`post_logout_redirect_uris`	string[]	-	Post-logout redirect URIs
`allowed_origins`	string[]	-	Allowed origins (CORS)
`grant_types`	string[]	-	Allowed grant types
`response_types`	string[]	-	Allowed response types
`token_endpoint_auth_method`	string	-	Token endpoint auth method
`scopes`	string[]	-	Allowed scopes
`id_token_lifetime`	integer	-	ID token lifetime (seconds)
`access_token_lifetime`	integer	-	Access token lifetime (seconds)
`refresh_token_lifetime`	integer	-	Refresh token lifetime (seconds)

Client Types

Type	Description	Recommended Auth Method
`web`	Server-side web app	client_secret_post/basic
`native`	Native app (iOS, Android)	none (PKCE)
`spa`	Single-page app	none (PKCE)
`m2m`	Machine-to-machine	client_secret_post/basic

Request Example

curl -X POST "https://{tenant-domain}/api/admin/clients" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "New Web App",
    "type": "web",
    "description": "New web application",
    "redirect_uris": ["https://newapp.example.com/callback"],
    "grant_types": ["authorization_code", "refresh_token"],
    "scopes": ["openid", "profile", "email"]
  }'

Response Example

{
  "id": "client_xyz789",
  "name": "New Web App",
  "type": "web",
  "status": "active",
  "client_secret": "cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "redirect_uris": ["https://newapp.example.com/callback"],
  "created_at": 1706140800
}

Update Client

Update existing client settings.

Endpoint

PUT /api/admin/clients/:id

Request Example

curl -X PUT "https://{tenant-domain}/api/admin/clients/client_abc123" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Updated Web App",
    "redirect_uris": [
      "https://myapp.example.com/callback",
      "https://myapp.example.com/callback2"
    ]
  }'

Delete Client

Delete a client.

Endpoint

DELETE /api/admin/clients/:id

Request Example

curl -X DELETE "https://{tenant-domain}/api/admin/clients/client_abc123" \
  -H "Authorization: Bearer {token}"

Response

Status code 204 No Content (no body)

Rotate Secret

Regenerate the client secret.

Endpoint

POST /api/admin/clients/:id/rotate-secret

Request Example

curl -X POST "https://{tenant-domain}/api/admin/clients/client_abc123/rotate-secret" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "id": "client_abc123",
  "client_secret": "cs_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",
  "rotated_at": 1706227200
}

Enable Client

Enable a disabled client.

Endpoint

POST /api/admin/clients/:id/enable

Request Example

curl -X POST "https://{tenant-domain}/api/admin/clients/client_abc123/enable" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "id": "client_abc123",
  "status": "active",
  "enabled_at": 1706313600
}

Disable Client

Temporarily disable a client. Disabled clients cannot issue tokens.

Endpoint

POST /api/admin/clients/:id/disable

Request Example

curl -X POST "https://{tenant-domain}/api/admin/clients/client_abc123/disable" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "id": "client_abc123",
  "status": "disabled",
  "disabled_at": 1706400000
}