Create OAuth Client

GA
POST

Create a new OAuth client for API access.

Configure the client with:

  • Name and description
  • Authorized redirect URIs for OAuth flows
  • Supported grant types
  • Client type (user or project)

Grant Types:

  1. Client Credentials

    • For server-to-server API access
    • No user interaction required
    • No redirect URIs needed
    • Returns access token directly
    • Best for automated processes and service accounts
  2. Authorization Code

    • For user-based access to the API
    • Requires redirect URIs for OAuth flow
    • Most secure for web applications
    • Flow:
      1. User is redirected to the authorization server
      2. After consent, the authorization server redirects back to your app with an authorization code
      3. Your app exchanges the code for tokens
    • Required for web applications accessing user data
  3. Refresh Token

    • Enables long-term API access
    • Used with authorization code flow
    • Allows getting new access tokens without user interaction
    • No redirect URIs needed for refresh flow itself
    • Best for maintaining persistent access
  4. Implicit (Legacy)

    • For browser-based applications
    • Requires redirect URIs
    • Returns token in URL fragment
    • Less secure than authorization code
    • Not recommended for new applications

Redirect URIs:

  • Required for authorization code and implicit flows
  • Must be an exact match when used
  • Common formats:
  • Security requirements:
    • Must use HTTPS in production
    • Cannot contain fragments (#)
    • Should be specific paths, not generic domains
    • Maximum length: 2048 characters

Client types:

  • User: Standard OAuth client tied to the creating user’s permissions
  • Project: Service account OAuth client with project-level permissions

The response includes:

  • Client ID and secret (shown only once)
  • Configured redirect URIs
  • Supported grant types
  • Creation timestamp

Security note: Store the client secret securely as it cannot be retrieved later.

Path parameters

org_id: string, Required

The unique identifier of the organization.

project_id: string, Required

The unique identifier of the project.

Request

This endpoint expects an object.

name: string, Required

Name for the new OAuth client.

description: string, Optional

Optional description of the client’s purpose.

redirect_uris: list of strings, Optional

List of authorized redirect URIs. Required if using authorization_code or implicit grant types.

grant_types: list of enums, Optional
Allowed values: client_credentials, refresh_token, implicit, authorization_code

List of OAuth grant types to enable.

type: enum, Optional, Defaults to user
Allowed values: user, project

Type of OAuth client to create:

  • user: Standard client tied to creating user’s permissions
  • project: Service account client with project-level permissions
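
A pre-flight check of the request body against the redirect URI and grant type rules stated on this page, as an added example (not part of the API's own documentation or SDK). The function names, the set of hosts treated as localhost, and the sample body are assumptions; a bare domain is reported as a problem even though the page words that rule as "should".

```python
from urllib.parse import urlsplit

MAX_URI_LENGTH = 2048                              # "Maximum length: 2048 characters"
REDIRECT_GRANTS = {"authorization_code", "implicit"}
ALLOWED_GRANTS = REDIRECT_GRANTS | {"client_credentials", "refresh_token"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}    # assumption: what counts as localhost


def check_redirect_uri(uri, production=True):
    """Return a list of rule violations for one redirect URI (empty list = OK)."""
    problems = []
    if len(uri) > MAX_URI_LENGTH:
        problems.append("longer than 2048 characters")
    if "#" in uri:                                 # also catches an empty trailing fragment
        problems.append("contains a fragment (#)")
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if not host:
        problems.append("no host")
    if production and parts.scheme != "https" and host not in LOCAL_HOSTS:
        problems.append("not HTTPS")
    if parts.path in ("", "/"):                    # bare domain, no callback path
        problems.append("generic domain, no specific path")
    return problems


def check_client_request(body, production=True):
    """Validate a create-client request body; returns {field: [problems]}."""
    errors = {}
    if not body.get("name"):
        errors["name"] = ["required"]
    grants = set(body.get("grant_types") or [])
    unknown = sorted(grants - ALLOWED_GRANTS)
    if unknown:
        errors["grant_types"] = ["unknown grant type: " + g for g in unknown]
    uris = body.get("redirect_uris") or []
    if grants & REDIRECT_GRANTS and not uris:
        errors["redirect_uris"] = ["required for authorization_code or implicit"]
    for uri in uris:
        problems = check_redirect_uri(uri, production)
        if problems:
            errors.setdefault("redirect_uris", []).append(f"{uri}: {', '.join(problems)}")
    return errors

# Constructed sample request body (not taken from the API's documentation).
SAMPLE = {"name": "web-app", "grant_types": ["authorization_code", "refresh_token"],
          "redirect_uris": ["https://app.example.com/oauth/callback", "http://app.example.com/#x"]}
if __name__ == "__main__":
    print(check_client_request(SAMPLE))
```
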

Response

Successful Response

id: string, format: "uuid"

Unique identifier for the OAuth client.

name: string

Human-readable name for the OAuth client.

client_id: string, format: "uuid"

Unique identifier used to identify the client with the authorization server.

project_id: string, format: "uuid"

ID of the project this OAuth client belongs to.

created: datetime

Timestamp when the OAuth client was created.

modified: datetime

Timestamp when the OAuth client was last modified.

description: string, Optional

Optional description explaining the client’s purpose and usage.

redirect_uris: list of strings, Optional

List of authorized redirect URIs for OAuth flows requiring user interaction. Required for authorization code and implicit flows. Must be exact matches when used. Must use HTTPS in production (except for localhost).

grant_types: list of enums, Optional
Allowed values: client_credentials, refresh_token, implicit, authorization_code

OAuth 2.0 grant types enabled for this client.

  • client_credentials: For server-to-server API access
  • authorization_code: For web and mobile apps
  • refresh_token: For maintaining long-term access
  • implicit: Legacy flow, not recommended for new applications

client_secret: string, Optional

Secret key used to authenticate the client. Only shown once upon creation. Must be stored securely. Required for confidential clients (e.g., server applications).

Errors
