The term Applications is used here to refer to OAuth clients and OpenID Connect Relying Parties. Most modern web applications can act as either of these. SAML 2.0 is also supported, but SAML service providers are managed separately.


Create a new application by navigating to Applications > Add Application and providing a name for your application.

Depending on the kind of application, choose Web Client or Native Client (for mobile and desktop apps). The type can still be changed after the application has been created.

The same registration can be done programmatically by sending a JSON request to the client registration endpoint with a bearer token:

POST /oauth/connect/register HTTP/1.1
Authorization: Bearer ...
Content-Type: application/json;charset=utf-8

{"client_name":"My Client","application_type":"web"}


Navigate to Applications and select the application you would like to update. Go through the list of settings and change them as needed. Don't forget to press the Save button.


Navigate to Applications and select the application you would like to delete. Go to the Danger Zone section at the bottom of the page. If you are sure, press the Delete button. Clients that still use this application's Client Id will stop working immediately.


Applications have many settings you can configure. The defaults are a safe choice for most cases. For extra hardening, however, it is good to understand what each option does.

Application Type

You can choose Web Client or Native Client. Web clients require https redirect URIs. Native clients may additionally use custom URI schemes (for example a reverse-domain scheme such as com.example.app:/callback), because a native app cannot be reached over https by the browser that performed the login.


A public client is a client that cannot keep a client secret confidential, for example a single-page application running in the browser, or a native app that is distributed to end users' devices.

In more detail, a public client can exchange an OAuth authorization code for an access token without authenticating itself to the token endpoint with a client secret. Anything embedded in a public client's code should be assumed to be known to an attacker.

While it used to be very common to use the Implicit Grant for public clients, current best practice (the OAuth 2.0 Security Best Current Practice) is to use the Authorization Code grant together with PKCE, without requiring the client to present a client secret when exchanging the authorization code. The Implicit Grant delivers the access token in the URL fragment, where it leaks through browser history and referrers and cannot be bound to the client.

Client Id

The Client Id is a read-only field. You will need it to configure your client application. It is not a secret and may appear in URLs and client-side code.

Client Name

The Client Name is shown to your end users on the login screen, and on the consent screen when their consent is required before claims, such as personally identifiable information, are released to your client application. Choose a name users will recognize, since it is what they rely on to decide whether to grant access.


If you mark a client as "Trusted", an end user is not prompted for their consent.

Applications on your organization's own intranet are usually marked as trusted. Only do this for applications you control: the consent screen is the user's only chance to see which claims a client receives, so a trusted third-party client would get them silently.

PKCE supported

PKCE (Proof Key for Code Exchange, RFC 7636) was designed for native clients, whose custom-scheme redirect URIs can be claimed by a malicious app on the same device, so that an intercepted authorization code cannot be redeemed without the code verifier that only the legitimate client holds. You should enable this for native clients and single-page applications, and it is good practice for confidential web clients as well, since it also protects against authorization code injection.
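The flow described in the Public Client and PKCE settings above, with both halves side by side, as an added example written for this page and not code from the product: the public client, which holds no secret, generates a code_verifier, sends only its S256 code_challenge in the authorization request, and proves possession of the verifier at the token endpoint. The authorization-server half (the in-memory code store and the names issue_authorization_code and exchange_code) is hypothetical; a real server persists codes with a short expiry.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as required by RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- Client side (a public client: SPA or native app) ----

def make_code_verifier(nbytes: int = 32) -> str:
    """Fresh high-entropy verifier per authorization request (43..128 chars)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- Authorization server side (hypothetical) ----

# In-memory store of issued codes: code -> (client_id, code_challenge).
_issued_codes: dict = {}


def issue_authorization_code(client_id: str, code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: bind the code to the client and to its challenge."""
    if method != "S256":
        # 'plain' sends the verifier itself in the authorization request; refuse it.
        raise ValueError("only S256 is accepted")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (client_id, code_challenge)
    return code


def exchange_code(client_id: str, code: str, code_verifier: str):
    """Token endpoint for a public client: no client secret, the verifier is the proof."""
    entry = _issued_codes.pop(code, None)  # single use: a replayed code is rejected
    if entry is None:
        return None
    bound_client_id, bound_challenge = entry
    if bound_client_id != client_id:
        return None
    if not 43 <= len(code_verifier) <= 128:
        return None
    if not hmac.compare_digest(make_code_challenge(code_verifier), bound_challenge):
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> dict:
    """Honest exchange, a replay of the same code, and an intercepted code without the verifier."""
    verifier = make_code_verifier()
    code = issue_authorization_code("my-spa", make_code_challenge(verifier))
    honest = exchange_code("my-spa", code, verifier) is not None
    replay = exchange_code("my-spa", code, verifier) is None
    # Attacker captured a second code (e.g. via a hijacked custom scheme) but not the verifier.
    stolen = issue_authorization_code("my-spa", make_code_challenge(verifier))
    intercepted = exchange_code("my-spa", stolen, make_code_verifier()) is None
    return {"honest": honest, "replay_rejected": replay, "interception_rejected": intercepted}


if __name__ == "__main__":
    print(demo())
```

The verifier never leaves the client until the token request, and the server compares challenges in constant time; a code that was phished or intercepted on its way to the redirect URI is useless without it, which is exactly the gap a public client cannot close with a secret.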

Redirect URIs

Provide the list of redirect URIs of your client. Register the exact, complete URIs your client uses rather than broad patterns: the redirect URI is where the authorization code is delivered, so a loosely matched entry lets an attacker receive codes meant for your application.
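An added example, not the product's own validation logic, of the two checks the Application Type and Redirect URIs settings imply: a scheme rule applied when a URI is registered (https only for web clients; custom scheme, loopback http or https for native clients) and an exact-match rule applied to the redirect_uri parameter of an authorization request. The loopback port exception and the reverse-domain requirement for custom schemes follow RFC 8252 and are this example's own policy; the function names and sample URIs are assumptions.

```python
from urllib.parse import urlsplit

# RFC 8252 prefers the IP literals; "localhost" is included because many apps use it.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def _is_loopback(hostname) -> bool:
    return hostname in LOOPBACK_HOSTS


def check_registration(application_type: str, uri: str):
    """Rule applied when a redirect URI is added to an application. Returns (ok, reason)."""
    parts = urlsplit(uri)
    if not parts.scheme:
        return False, "redirect URI must be absolute"
    if parts.fragment:
        return False, "redirect URI must not contain a fragment"
    if application_type == "web":
        if parts.scheme != "https":
            return False, "web clients require https redirect URIs"
        return True, "ok"
    if application_type == "native":
        if parts.scheme == "https":
            return True, "ok"  # claimed https URI (app link / universal link)
        if parts.scheme == "http":
            if _is_loopback(parts.hostname):
                return True, "ok"  # loopback interface redirect, any port at runtime
            return False, "plain http is only allowed on the loopback interface"
        if "." in parts.scheme:
            return True, "ok"  # reverse-domain custom scheme, e.g. com.example.app:/cb
        return False, "custom schemes must be reverse-domain names to avoid collisions"
    return False, "unknown application type"


def match_redirect_uri(application_type: str, registered, candidate: str) -> bool:
    """Rule applied to redirect_uri in an authorization request: exact string match against
    the registered list. The only tolerated variation is the port of a native loopback URI."""
    if candidate in registered:
        return True
    if application_type != "native":
        return False
    c = urlsplit(candidate)
    if c.scheme != "http" or not _is_loopback(c.hostname) or c.fragment:
        return False
    for reg in registered:
        r = urlsplit(reg)
        if (r.scheme == "http" and r.hostname == c.hostname
                and r.path == c.path and r.query == c.query):
            return True
    return False
```

Exact string comparison is deliberate: path-traversal segments, an extra subdomain on the right ("app.example.com.attacker.example") or a changed query string all fail, whereas prefix or wildcard matching would accept some of them.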

Logout redirect URIs

Provide the list of logout redirect URIs of your client. After an RP-initiated logout the browser is only sent to a post_logout_redirect_uri from this list, so an attacker cannot end a user's session and land them on a page of their choosing.

Grant Types

Select the grant types supported by this application.

For most applications, single-page applications included, you want to select Authorization Code and leave Implicit unchecked. Some applications additionally need Refresh Token (to obtain new access tokens without sending the user back through login) or Client Credentials (for machine-to-machine calls made by the application itself, with no user involved). Enable only the grant types the application actually uses; every enabled grant is an additional way to obtain tokens under this Client Id.