description Required

Organization OAuth App Description

array of string
grantTypes Required

OAuth Grant types. Available grant types: authorization_code, refresh_token, client_credentials, client_delegate

displayName Required

Organization OAuth App display name.
The name must be alphanumeric and can contain the following symbols -_.`‘:@&, and space. International characters are allowed.

allowedScopes Required

Allowed Scopes

integer as int32
accessTokenTTL Optional

OAuth Access token TTL

array of string
allowedOrgs Optional

Allowed Organizations.
Can be used to restrict the client to a subset of orgs.
The value is a list of org IDs in which users may log in using this client. If the value is not present in the request (null value), the client will not be restricted.
1. This option is available only for service orgs. Consumer orgs cannot pass this value, since the client is restricted only to its managed org, which cannot be changed.
2. It is not possible to update an org-restricted client to be a regular client.
3. The ‘allowedOrgs’ value is ignored during the client_credentials flow.
4. If an org is deleted, its references in allowedOrgs are deleted eventually. ‘allowedOrgs’ may become empty if an org gets deleted, which means users cannot log in to any org using this client. The ‘allowedOrgs’ value will be ignored during the client_credentials flow.

forcePkce Optional

When set to true, the flag mandates the use of PKCE when doing an authorization_code flow (i.e., the request will fail if PKCE is not used).

allowOpenRedirectUris Optional

Allow client to use open redirections in non-production environments. If true, the redirectUris field must be null. If a client has been created with open redirect uris disabled, it cannot be updated to open redirect uris enabled.

string as ^[A-Za-z0-9-_]+$
id Optional

Organization OAuth App ID. Constraints:
1. Must contain at least 5 and at most 256 characters.
2. Allowed characters: A-Z a-z 0-9 _ -
3. Whitespaces are not allowed.

integer as int32
maxCharactersInAccessToken Optional

Limit the number of text characters that will be put in the access token. If the access token has more characters than the maximum provided, an overflow link will be provided in the access token. A value of zero is considered unlimited. A value of less than zero is treated the same as not setting any value. If overflow happens, the access token will have a claim ‘ovc’ that lists the claims which have overflowed. For example, ‘ovc’ : [‘perms’, ‘authorization_details’]. It will also have an ‘ovl’ claim, which is the link that can be used to get the full access token as JSON. For example, ‘ovl’: ‘’. When ‘maxCharactersInAccessToken’ is not set (the default), the maxCharactersInAccessToken parameter will be in effect if it is set. If it is not set, there will be no limit on the number of permissions.

integer as int32
maxGroupsInIdToken Optional

Max groups in ID token

ownerOnlySecretRotation Optional

When set to ‘true’, the client is not allowed to rotate its own secret. Secret rotation will be available to the org owner/service owner only, using the client rotation management APIs. By default, the client is allowed to rotate its own secret.

array of string
postLogoutRedirectUris Optional

Post Logout Redirect URIs. Can be used by a service as a custom redirect destination after logout, for example the service login/home page. Relevant only for the authorization_code grant type.

publicClient Optional

Mark the client as a public client. Can only be specified at creation time (publicClient cannot be updated).
Public clients:
Cannot have a secret specified (the secret will implicitly be set as an empty string)
Cannot use the ‘client_credentials’ flow
Cannot update or rotate their secret
MUST use PKCE when doing an authorization_code flow

array of string
redirectUris Optional

Organization OAuth App redirect URIs. Relevant only for authorization_code grant type. If allowOpenRedirectUris = true is set, this field must not be specified.

integer as int32
refreshTokenTTL Optional

OAuth Refresh token TTL

string as (?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*()_+=\[\]-{|}',./:;<>?`~]).*
secret Optional

Organization OAuth App Secret

integer as int32
secretRotationExpirationInSeconds Optional

Optionally override the default number of seconds before a new client secret will automatically be rotated when using the client secret rotation APIs. If not specified, the default expiration time is 48 hours.

serviceDefinitionId Optional

Service definition ID of the service using this authorization code webapp. Required in production for tracking purposes.
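
A pre-flight check of a request body against the constraints listed above, as an added example that is not part of the original reference or the vendor's code. The function name `lint_oauth_app` and the message wording are assumptions; the patterns, limits and grant types are copied from the field descriptions, and the pattern behaviour noted in the comments is that of Python's `re` module.

```python
import re

# Patterns, limits and grant types copied from the field descriptions on this page.
ID_RE = re.compile(r"^[A-Za-z0-9-_]+$")
SECRET_RE = re.compile(
    r"(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*()_+=\[\]-{|}',./:;<>?`~]).*")
GRANTS = {"authorization_code", "refresh_token", "client_credentials", "client_delegate"}
REQUIRED = ("description", "grantTypes", "displayName", "allowedScopes")


def lint_oauth_app(req):
    """Return (errors, warnings) for a create-app request body given as a dict."""
    errors, warnings = [], []
    errors += [f"{field} is required" for field in REQUIRED if field not in req]
    grants = set(req.get("grantTypes") or [])
    if grants - GRANTS:
        errors.append("unknown grant type: " + ", ".join(sorted(grants - GRANTS)))
    app_id = req.get("id")
    if app_id is not None and not (5 <= len(app_id) <= 256 and ID_RE.fullmatch(app_id)):
        errors.append("id must be 5-256 characters from A-Z a-z 0-9 _ -")
    secret = req.get("secret")
    if secret is not None and not req.get("publicClient"):
        if not SECRET_RE.fullmatch(secret):
            errors.append("secret does not match the documented pattern")
        # In the pattern as printed, `\]-{` parses as a range from ']' to '{', which
        # includes a-z, so the pattern alone does not require a symbol. Check it here.
        elif not re.search(r"[^A-Za-z0-9]", secret):
            warnings.append("secret contains no non-alphanumeric character")
    if req.get("publicClient"):
        if secret is not None:
            errors.append("public clients cannot have a secret")
        if "client_credentials" in grants:
            errors.append("public clients cannot use client_credentials")
    if req.get("allowOpenRedirectUris"):
        if req.get("redirectUris") is not None:
            errors.append("redirectUris must be null when allowOpenRedirectUris is true")
        warnings.append("allowOpenRedirectUris is for non-production environments only")
    if "authorization_code" in grants and not (req.get("forcePkce") or req.get("publicClient")):
        warnings.append("authorization_code without forcePkce: PKCE is not mandated")
    return errors, warnings
```

Errors are requests the documented rules reject; warnings are settings the schema accepts but that are worth reviewing before the client is created.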

JSON Example

{
	"allowedScopes": {},
	"description": "string",
	"displayName": "string",
	"grantTypes": [
		"string"
	]
}

Parameter To

Create Org OAuth App

