Update OAuth Client

Update OAuth client configuration.

Modifiable fields:
- Name and description
- Redirect URIs
- Allowed scopes
- Trusted status

Note: Grant types cannot be changed after creation.

Authentication

Authorization Bearer

Bearer token authentication using JWT tokens from Ory Kratos/Hydra

Path Parameters

oauth_client_id string Required format: "uuid"
org_id string Required format: "uuid"
The unique identifier of the organization.
project_id string Required format: "uuid"
The unique identifier of the project.

Request

This endpoint expects an object.
redirect_uris list of strings or null Optional
Updated list of authorized redirect URIs. All existing URIs will be replaced with this list.
grant_types list of enums or null Optional
Updated list of enabled grant types. All existing grant types will be replaced with this list.
Allowed values:
token_endpoint_auth_method enum or null Optional
Updated authentication method for the token endpoint.
Allowed values:
pkce_required boolean or null Optional
Whether to require PKCE for authorization code flows. IMPORTANT: Only applicable when ‘authorization_code’ is included in grant_types. Setting to True enhances security, especially for public clients.
pkce_challenge_method enum or null Optional
PKCE code challenge method. Only applies when PKCE is required.
Allowed values:

Response

OAuth client updated
id string format: "uuid"
Unique identifier for the OAuth client.
name string
Human-readable name for the OAuth client.
client_id string format: "uuid"
Unique identifier used to identify the client with the authorization server.
project_id string format: "uuid"
ID of the project this OAuth client belongs to.
created string
Timestamp when the OAuth client was created.
modified string
Timestamp when the OAuth client was last modified.
description string or null
Optional description explaining the client's purpose and usage.
redirect_uris list of strings or null
List of authorized redirect URIs for OAuth flows requiring user interaction. Required for authorization code and implicit flows. Must be exact matches when used. Must use HTTPS in production (except for localhost).
grant_types list of enums or null
OAuth 2.0 grant types enabled for this client.
- client_credentials: For server-to-server API access
- authorization_code: For web and mobile apps
- refresh_token: For maintaining long-term access
- implicit: Legacy flow, not recommended for new applications
Allowed values:
client_secret string or null
Secret key used to authenticate the client. Only shown once upon creation. Must be stored securely. Required for confidential clients (e.g., server applications).
token_endpoint_auth_method enum or null Defaults to client_secret_basic
Authentication method enabled for the client:
- client_secret_basic: Client ID and secret sent in HTTP headers
- client_secret_post: Client ID and secret sent in request body
- none: No client authentication (required for public clients using PKCE)
Allowed values:
pkce_required boolean or null Defaults to false
Whether PKCE (Proof Key for Code Exchange) is required for this client. When enabled, authorization code flows must include code_challenge and code_verifier. Recommended for public clients (mobile apps, SPAs) and enhances security for all clients.
pkce_challenge_method enum or null
PKCE code challenge method when PKCE is enabled.
- S256: SHA256 hash of code verifier (recommended and secure)
- plain: Plain text code verifier (not recommended, only for testing)
Allowed values:
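
A pre-flight check for an update request body, applying the constraints stated in the field descriptions above. This is an added example, not part of this API's documentation or any SDK; the function name `lint_client_update`, the finding strings, the `LOCAL_HOSTS` set and the sample body are assumptions, as is the rule that a null or omitted field leaves the stored value unchanged.

```python
from urllib.parse import urlsplit

# Assumption: hosts treated as "localhost" for the HTTPS exception.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def lint_client_update(body: dict) -> list[str]:
    """Return findings for an update body; an empty list means nothing was flagged.

    Assumption: a field that is None or absent is left unchanged by the server,
    so cross-field rules fire only on values the body sets explicitly.
    """
    findings = []
    grants = body.get("grant_types")
    pkce = body.get("pkce_required")
    method = body.get("pkce_challenge_method")

    # Redirect URIs: HTTPS required, except for localhost.
    for uri in body.get("redirect_uris") or []:
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            findings.append(f"redirect_uris: not HTTPS: {uri}")

    if grants is not None:
        if "implicit" in grants:
            findings.append("grant_types: implicit is a legacy flow")
        # PKCE only applies when authorization_code is enabled.
        if pkce is True and "authorization_code" not in grants:
            findings.append("pkce_required: no effect without authorization_code")

    # The challenge method only applies when PKCE is required.
    if method is not None and pkce is False:
        findings.append("pkce_challenge_method: ignored while pkce_required is false")
    if method == "plain":
        findings.append("pkce_challenge_method: plain is for testing only, use S256")

    # Public clients (auth method "none") should require PKCE. Flag unless the
    # body sets it to true, since the stored value is not visible here.
    if body.get("token_endpoint_auth_method") == "none" and pkce is not True:
        findings.append("token_endpoint_auth_method: none without pkce_required=true")
    return findings


# Constructed sample body (not taken from the API documentation).
SAMPLE = {"redirect_uris": ["http://app.example.com/callback"],
          "grant_types": ["authorization_code"],
          "token_endpoint_auth_method": "none", "pkce_required": False}

if __name__ == "__main__":
    print("\n".join(lint_client_update(SAMPLE)))
```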

Errors