API Reference

IAM

OAuth Clients

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Create OAuth Client

client.IAM.OAuthClients.New(ctx, params) (*OAuthClientNewResponse, error)

POST/accounts/{account_id}/oauth_clients

Create a new OAuth client for an account.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

OAuth Client Write

ParametersExpand Collapse

params OAuthClientNewParams

AccountID param.Field[string]

Path param: Account identifier tag.

maxLength32

minLength32

ClientName param.Field[string]

Body param: Human-readable name of the OAuth client.

GrantTypes param.Field[[]OAuthClientNewParamsGrantType]

Body param: Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

const OAuthClientNewParamsGrantTypeAuthorizationCode OAuthClientNewParamsGrantType = "authorization_code"

const OAuthClientNewParamsGrantTypeRefreshToken OAuthClientNewParamsGrantType = "refresh_token"

RedirectURIs param.Field[[]string]

Body param: Array of allowed redirect URIs for the client.

ResponseTypes param.Field[[]OAuthClientNewParamsResponseType]

Body param: Array of OAuth response types the client is allowed to use.

const OAuthClientNewParamsResponseTypeToken OAuthClientNewParamsResponseType = "token"

const OAuthClientNewParamsResponseTypeIDToken OAuthClientNewParamsResponseType = "id_token"

const OAuthClientNewParamsResponseTypeCode OAuthClientNewParamsResponseType = "code"

Scopes param.Field[[]string]

Body param: Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

TokenEndpointAuthMethod param.Field[OAuthClientNewParamsTokenEndpointAuthMethod]

Body param: The authentication method the client uses at the token endpoint.

const OAuthClientNewParamsTokenEndpointAuthMethodNone OAuthClientNewParamsTokenEndpointAuthMethod = "none"

const OAuthClientNewParamsTokenEndpointAuthMethodClientSecretBasic OAuthClientNewParamsTokenEndpointAuthMethod = "client_secret_basic"

const OAuthClientNewParamsTokenEndpointAuthMethodClientSecretPost OAuthClientNewParamsTokenEndpointAuthMethod = "client_secret_post"

AllowedCORSOrigins param.Field[[]string]Optional

Body param: Array of allowed CORS origins.

ClientURI param.Field[string]Optional

Body param: URL of the home page of the client.

LogoURI param.Field[string]Optional

Body param: URL of the client’s logo.

PolicyURI param.Field[string]Optional

Body param: URL that points to a privacy policy document.

PostLogoutRedirectURIs param.Field[[]string]Optional

Body param: Array of allowed post-logout redirect URIs.

TosURI param.Field[string]Optional

Body param: URL that points to a terms of service document.

ReturnsExpand Collapse

type OAuthClientNewResponse struct{…}

Fields shared by OAuth client responses and create/update requests.

ClientID string

The unique identifier for an OAuth client.

Visibility OAuthClientNewResponseVisibility

Visibility of the OAuth client.

One of the following:

const OAuthClientNewResponseVisibilityPublic OAuthClientNewResponseVisibility = "public"

const OAuthClientNewResponseVisibilityPrivate OAuthClientNewResponseVisibility = "private"

AllowedCORSOrigins []stringOptional

Array of allowed CORS origins.

ClientName stringOptional

Human-readable name of the OAuth client.

ClientSecret stringOptional

The client secret. This is the only time the secret is returned in a response.

ClientURI stringOptional

URL of the home page of the client.

ClientURIVerification OAuthClientNewResponseClientURIVerificationOptional

Client URI domain control verification state.

Status OAuthClientNewResponseClientURIVerificationStatusOptional

Current verification status for the client URI host.

One of the following:

const OAuthClientNewResponseClientURIVerificationStatusPending OAuthClientNewResponseClientURIVerificationStatus = "pending"

const OAuthClientNewResponseClientURIVerificationStatusInProgress OAuthClientNewResponseClientURIVerificationStatus = "in_progress"

const OAuthClientNewResponseClientURIVerificationStatusVerified OAuthClientNewResponseClientURIVerificationStatus = "verified"

const OAuthClientNewResponseClientURIVerificationStatusFailed OAuthClientNewResponseClientURIVerificationStatus = "failed"

Text stringOptional

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

CreatedAt TimeOptional

Timestamp when the OAuth client was created.

formatdate-time

GrantTypes []OAuthClientNewResponseGrantTypeOptional

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:

const OAuthClientNewResponseGrantTypeAuthorizationCode OAuthClientNewResponseGrantType = "authorization_code"

const OAuthClientNewResponseGrantTypeRefreshToken OAuthClientNewResponseGrantType = "refresh_token"

HasRotatedSecret boolOptional

Indicates whether the client has a rotated secret that has not yet been deleted.

LogoURI stringOptional

URL of the client’s logo.

PolicyURI stringOptional

URL that points to a privacy policy document.

PostLogoutRedirectURIs []stringOptional

Array of allowed post-logout redirect URIs.

PromotedAt TimeOptional

Timestamp when the OAuth client was promoted to public visibility.

formatdate-time

RedirectURIs []stringOptional

Array of allowed redirect URIs for the client.

ResponseTypes []OAuthClientNewResponseResponseTypeOptional

Array of OAuth response types the client is allowed to use.

One of the following:

const OAuthClientNewResponseResponseTypeToken OAuthClientNewResponseResponseType = "token"

const OAuthClientNewResponseResponseTypeIDToken OAuthClientNewResponseResponseType = "id_token"

const OAuthClientNewResponseResponseTypeCode OAuthClientNewResponseResponseType = "code"

Scopes []stringOptional

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

TokenEndpointAuthMethod OAuthClientNewResponseTokenEndpointAuthMethodOptional

The authentication method the client uses at the token endpoint.

One of the following:

const OAuthClientNewResponseTokenEndpointAuthMethodNone OAuthClientNewResponseTokenEndpointAuthMethod = "none"

const OAuthClientNewResponseTokenEndpointAuthMethodClientSecretBasic OAuthClientNewResponseTokenEndpointAuthMethod = "client_secret_basic"

const OAuthClientNewResponseTokenEndpointAuthMethodClientSecretPost OAuthClientNewResponseTokenEndpointAuthMethod = "client_secret_post"

TosURI stringOptional

URL that points to a terms of service document.

UpdatedAt TimeOptional

Timestamp when the OAuth client was last updated.

formatdate-time

Create OAuth Client

Go

HTTP

TypeScript

Python

Go

Terraform

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/iam"
  "github.com/cloudflare/cloudflare-go/option"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  oauthClient, err := client.IAM.OAuthClients.New(context.TODO(), iam.OAuthClientNewParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    ClientName: cloudflare.F("My OAuth App"),
    GrantTypes: cloudflare.F([]iam.OAuthClientNewParamsGrantType{iam.OAuthClientNewParamsGrantTypeAuthorizationCode, iam.OAuthClientNewParamsGrantTypeRefreshToken}),
    RedirectURIs: cloudflare.F([]string{"https://example.com/callback"}),
    ResponseTypes: cloudflare.F([]iam.OAuthClientNewParamsResponseType{iam.OAuthClientNewParamsResponseTypeCode}),
    Scopes: cloudflare.F([]string{"account.read"}),
    TokenEndpointAuthMethod: cloudflare.F(iam.OAuthClientNewParamsTokenEndpointAuthMethodClientSecretPost),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", oauthClient.ClientID)
}

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "client_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
    "visibility": "private",
    "allowed_cors_origins": [
      "https://example.com"
    ],
    "client_name": "My OAuth App",
    "client_secret": "cf-oauth-secret-example",
    "client_uri": "https://example.com",
    "client_uri_verification": {
      "status": "in_progress",
      "text": "cloudflare_oauth_client_publisher=example"
    },
    "created_at": "2025-01-01T00:00:00Z",
    "grant_types": [
      "authorization_code",
      "refresh_token"
    ],
    "has_rotated_secret": false,
    "logo_uri": "https://example.com/logo.png",
    "policy_uri": "https://example.com/privacy",
    "post_logout_redirect_uris": [
      "https://example.com/logout"
    ],
    "promoted_at": "2026-05-13T12:00:00Z",
    "redirect_uris": [
      "https://example.com/callback"
    ],
    "response_types": [
      "code"
    ],
    "scopes": [
      "account.read"
    ],
    "token_endpoint_auth_method": "client_secret_post",
    "tos_uri": "https://example.com/tos",
    "updated_at": "2025-01-01T00:00:00Z"
  }
}

Returns Examples

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "client_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
    "visibility": "private",
    "allowed_cors_origins": [
      "https://example.com"
    ],
    "client_name": "My OAuth App",
    "client_secret": "cf-oauth-secret-example",
    "client_uri": "https://example.com",
    "client_uri_verification": {
      "status": "in_progress",
      "text": "cloudflare_oauth_client_publisher=example"
    },
    "created_at": "2025-01-01T00:00:00Z",
    "grant_types": [
      "authorization_code",
      "refresh_token"
    ],
    "has_rotated_secret": false,
    "logo_uri": "https://example.com/logo.png",
    "policy_uri": "https://example.com/privacy",
    "post_logout_redirect_uris": [
      "https://example.com/logout"
    ],
    "promoted_at": "2026-05-13T12:00:00Z",
    "redirect_uris": [
      "https://example.com/callback"
    ],
    "response_types": [
      "code"
    ],
    "scopes": [
      "account.read"
    ],
    "token_endpoint_auth_method": "client_secret_post",
    "tos_uri": "https://example.com/tos",
    "updated_at": "2025-01-01T00:00:00Z"
  }
}