OAuth Clients API
Manage OAuth2 client registrations within a realm.
List Clients
GET /api/clients?realm={realm}
Authorization: Bearer <token>
```bash
curl -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/api/clients?realm=master"
```

Create Client
POST /api/clients
Authorization: Bearer <token>
Content-Type: application/json
```bash
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "realmName": "master",
    "publicClient": false,
    "pkceRequired": true,
    "redirectUris": ["https://app.example.com/callback"],
    "webOrigins": ["https://app.example.com"],
    "grantTypes": ["authorization_code", "refresh_token"],
    "scopes": ["openid", "profile", "email"]
  }' \
  http://localhost:8080/api/clients
```

Request fields:
| Field | Type | Required | Description |
|---|---|---|---|
| realmName | string | ✅ | Target realm |
| publicClient | boolean | — | Public client — no secret (default: false) |
| pkceRequired | boolean | — | Enforce PKCE (default: true) |
| redirectUris | string[] | ✅ | Allowed redirect URIs |
| webOrigins | string[] | — | Allowed CORS origins |
| grantTypes | string[] | ✅ | One or more of `authorization_code`, `client_credentials`, `refresh_token` |
| scopes | string[] | — | Requested scopes (default: openid profile email) |
Response: 201 Created

```json
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "clientId": "client-a1b2c3d4",
  "clientSecret": "cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "realmName": "master",
  "publicClient": false,
  "pkceRequired": true,
  "redirectUris": ["https://app.example.com/callback"],
  "grantTypes": ["authorization_code", "refresh_token"],
  "enabled": true,
  "createdAt": "2025-06-01T10:00:00Z"
}
```

Save the client secret now
The clientSecret is returned only once at creation time. Store it securely immediately — it cannot be retrieved again, only rotated.
Get Client
GET /api/clients/{clientId}
Authorization: Bearer <token>
Client secret not returned
GET responses never include the client secret. Only the hash is stored. Use the rotate endpoint to get a new secret.
Rotate Client Secret
POST /api/clients/{clientId}/rotate-secret
Authorization: Bearer <token>
```bash
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  http://localhost:8080/api/clients/client-a1b2c3d4/rotate-secret
```

Returns a new clientSecret. Update your application immediately — the old secret is invalidated.
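One way to drive the Create Client and Rotate Client Secret endpoints from code, as an added example that is not part of this API's own tooling: it validates a create request against the field table above, pulls the one-time secret out of the 201 body (there is none for a public client), and calls rotate-secret. The base URL, bearer token and helper names are assumptions; only the paths and fields come from this page.

```python
import json
import urllib.request

ALLOWED_GRANT_TYPES = {"authorization_code", "client_credentials", "refresh_token"}
DEFAULT_SCOPES = ["openid", "profile", "email"]


def build_create_request(realm_name, redirect_uris, grant_types, public_client=False,
                         pkce_required=True, web_origins=None, scopes=None):
    """Validate against the request-field table and return the POST /api/clients body."""
    if not realm_name:
        raise ValueError("realmName is required")
    if not redirect_uris:
        raise ValueError("redirectUris is required and must not be empty")
    if not grant_types or set(grant_types) - ALLOWED_GRANT_TYPES:
        raise ValueError(f"grantTypes must be a non-empty subset of {sorted(ALLOWED_GRANT_TYPES)}")
    body = {
        "realmName": realm_name,
        "publicClient": public_client,      # table default: false
        "pkceRequired": pkce_required,      # table default: true
        "redirectUris": list(redirect_uris),
        "grantTypes": list(grant_types),
        "scopes": list(scopes) if scopes else list(DEFAULT_SCOPES),
    }
    if web_origins:
        body["webOrigins"] = list(web_origins)
    return body


def secret_from_create_response(response_body):
    """Return the one-time clientSecret from a 201 body, or None for a public client."""
    client = json.loads(response_body) if isinstance(response_body, str) else response_body
    if client.get("publicClient"):
        return None                         # public clients have no secret to store
    secret = client.get("clientSecret")
    if not secret:                          # GET never returns it, so this is the only chance
        raise RuntimeError("confidential client created but no clientSecret in response")
    return secret


def _call(base_url, token, method, path, body=None):
    """Send one bearer-authenticated request; return decoded JSON, or None on 204."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(raw) if (raw := resp.read()) else None


def rotate_secret(base_url, token, client_id):
    """POST .../rotate-secret; the old secret stops working at once, so deploy the new one right away."""
    return _call(base_url, token, "POST", f"/api/clients/{client_id}/rotate-secret")
```

Typical flow: `secret_from_create_response(_call(base, tok, "POST", "/api/clients", build_create_request(...)))` at creation, then `rotate_secret(base, tok, client_id)["clientSecret"]` whenever the secret must be replaced.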
Delete Client
DELETE /api/clients/{clientId}
Authorization: Bearer <token>
Response: 204 No Content