# OAuth Clients ## List OAuth Clients `client.iam.oauthClients.list(OAuthClientListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/oauth_clients` List all OAuth clients for an account. ### Parameters - `params: OAuthClientListParams` - `account_id: string` Account identifier tag. ### Returns - `OAuthClientListResponse` Fields shared by OAuth client responses and create/update requests. - `client_id: string` The unique identifier for an OAuth client. - `visibility: "public" | "private"` Visibility of the OAuth client. - `"public"` - `"private"` - `allowed_cors_origins?: Array` Array of allowed CORS origins. - `client_name?: string` Human-readable name of the OAuth client. - `client_uri?: string` URL of the home page of the client. - `client_uri_verification?: ClientURIVerification` Client URI domain control verification state. - `status?: "pending" | "in_progress" | "verified" | "failed"` Current verification status for the client URI host. - `"pending"` - `"in_progress"` - `"verified"` - `"failed"` - `text?: string` Exact TXT record value that must be added to DNS to prove ownership of the client URI host. - `created_at?: string` Timestamp when the OAuth client was created. - `grant_types?: Array<"authorization_code" | "refresh_token">` Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `has_rotated_secret?: boolean` Indicates whether the client has a rotated secret that has not yet been deleted. - `logo_uri?: string` URL of the client's logo. - `policy_uri?: string` URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Array of allowed post-logout redirect URIs. - `promoted_at?: string` Timestamp when the OAuth client was promoted to public visibility. - `redirect_uris?: Array` Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` URL that points to a terms of service document. - `updated_at?: string` Timestamp when the OAuth client was last updated. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const oauthClientListResponse of client.iam.oauthClients.list({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(oauthClientListResponse.client_id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "client_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "visibility": "private", "allowed_cors_origins": [ "https://example.com" ], "client_name": "My OAuth App", "client_uri": "https://example.com", "client_uri_verification": { "status": "in_progress", "text": "cloudflare_oauth_client_publisher=example" }, "created_at": "2025-01-01T00:00:00Z", "grant_types": [ "authorization_code", "refresh_token" ], "has_rotated_secret": false, "logo_uri": "https://example.com/logo.png", "policy_uri": "https://example.com/privacy", "post_logout_redirect_uris": [ "https://example.com/logout" ], "promoted_at": "2026-05-13T12:00:00Z", "redirect_uris": [ "https://example.com/callback" ], "response_types": [ "code" ], "scopes": [ "account.read" ], "token_endpoint_auth_method": "client_secret_post", "tos_uri": "https://example.com/tos", "updated_at": "2025-01-01T00:00:00Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## OAuth Client Details `client.iam.oauthClients.get(stringoauthClientId, OAuthClientGetParamsparams, RequestOptionsoptions?): OAuthClientGetResponse` **get** `/accounts/{account_id}/oauth_clients/{oauth_client_id}` Get details of a specific OAuth client. ### Parameters - `oauthClientId: string` The unique identifier for an OAuth client. - `params: OAuthClientGetParams` - `account_id: string` Account identifier tag. ### Returns - `OAuthClientGetResponse` Fields shared by OAuth client responses and create/update requests. - `client_id: string` The unique identifier for an OAuth client. - `visibility: "public" | "private"` Visibility of the OAuth client. - `"public"` - `"private"` - `allowed_cors_origins?: Array` Array of allowed CORS origins. - `client_name?: string` Human-readable name of the OAuth client. - `client_uri?: string` URL of the home page of the client. - `client_uri_verification?: ClientURIVerification` Client URI domain control verification state. - `status?: "pending" | "in_progress" | "verified" | "failed"` Current verification status for the client URI host. - `"pending"` - `"in_progress"` - `"verified"` - `"failed"` - `text?: string` Exact TXT record value that must be added to DNS to prove ownership of the client URI host. - `created_at?: string` Timestamp when the OAuth client was created. - `grant_types?: Array<"authorization_code" | "refresh_token">` Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `has_rotated_secret?: boolean` Indicates whether the client has a rotated secret that has not yet been deleted. - `logo_uri?: string` URL of the client's logo. - `policy_uri?: string` URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Array of allowed post-logout redirect URIs. - `promoted_at?: string` Timestamp when the OAuth client was promoted to public visibility. - `redirect_uris?: Array` Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` URL that points to a terms of service document. - `updated_at?: string` Timestamp when the OAuth client was last updated. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const oauthClient = await client.iam.oauthClients.get('a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4', { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(oauthClient.client_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "client_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "visibility": "private", "allowed_cors_origins": [ "https://example.com" ], "client_name": "My OAuth App", "client_uri": "https://example.com", "client_uri_verification": { "status": "in_progress", "text": "cloudflare_oauth_client_publisher=example" }, "created_at": "2025-01-01T00:00:00Z", "grant_types": [ "authorization_code", "refresh_token" ], "has_rotated_secret": false, "logo_uri": "https://example.com/logo.png", "policy_uri": "https://example.com/privacy", "post_logout_redirect_uris": [ "https://example.com/logout" ], "promoted_at": "2026-05-13T12:00:00Z", "redirect_uris": [ "https://example.com/callback" ], "response_types": [ "code" ], "scopes": [ "account.read" ], "token_endpoint_auth_method": "client_secret_post", "tos_uri": "https://example.com/tos", "updated_at": "2025-01-01T00:00:00Z" } } ``` ## Create OAuth Client `client.iam.oauthClients.create(OAuthClientCreateParamsparams, RequestOptionsoptions?): OAuthClientCreateResponse` **post** `/accounts/{account_id}/oauth_clients` Create a new OAuth client for an account. ### Parameters - `params: OAuthClientCreateParams` - `account_id: string` Path param: Account identifier tag. - `client_name: string` Body param: Human-readable name of the OAuth client. - `grant_types: Array<"authorization_code" | "refresh_token">` Body param: Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `redirect_uris: Array` Body param: Array of allowed redirect URIs for the client. - `response_types: Array<"token" | "id_token" | "code">` Body param: Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes: Array` Body param: Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method: "none" | "client_secret_basic" | "client_secret_post"` Body param: The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `allowed_cors_origins?: Array` Body param: Array of allowed CORS origins. - `client_uri?: string` Body param: URL of the home page of the client. - `logo_uri?: string` Body param: URL of the client's logo. - `policy_uri?: string` Body param: URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Body param: Array of allowed post-logout redirect URIs. - `tos_uri?: string` Body param: URL that points to a terms of service document. ### Returns - `OAuthClientCreateResponse` Fields shared by OAuth client responses and create/update requests. - `client_id: string` The unique identifier for an OAuth client. - `visibility: "public" | "private"` Visibility of the OAuth client. - `"public"` - `"private"` - `allowed_cors_origins?: Array` Array of allowed CORS origins. - `client_name?: string` Human-readable name of the OAuth client. - `client_secret?: string` The client secret. This is the only time the secret is returned in a response. - `client_uri?: string` URL of the home page of the client. - `client_uri_verification?: ClientURIVerification` Client URI domain control verification state. - `status?: "pending" | "in_progress" | "verified" | "failed"` Current verification status for the client URI host. - `"pending"` - `"in_progress"` - `"verified"` - `"failed"` - `text?: string` Exact TXT record value that must be added to DNS to prove ownership of the client URI host. - `created_at?: string` Timestamp when the OAuth client was created. - `grant_types?: Array<"authorization_code" | "refresh_token">` Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `has_rotated_secret?: boolean` Indicates whether the client has a rotated secret that has not yet been deleted. - `logo_uri?: string` URL of the client's logo. - `policy_uri?: string` URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Array of allowed post-logout redirect URIs. - `promoted_at?: string` Timestamp when the OAuth client was promoted to public visibility. - `redirect_uris?: Array` Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` URL that points to a terms of service document. - `updated_at?: string` Timestamp when the OAuth client was last updated. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const oauthClient = await client.iam.oauthClients.create({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', client_name: 'My OAuth App', grant_types: ['authorization_code', 'refresh_token'], redirect_uris: ['https://example.com/callback'], response_types: ['code'], scopes: ['account.read'], token_endpoint_auth_method: 'client_secret_post', }); console.log(oauthClient.client_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "client_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "visibility": "private", "allowed_cors_origins": [ "https://example.com" ], "client_name": "My OAuth App", "client_secret": "cf-oauth-secret-example", "client_uri": "https://example.com", "client_uri_verification": { "status": "in_progress", "text": "cloudflare_oauth_client_publisher=example" }, "created_at": "2025-01-01T00:00:00Z", "grant_types": [ "authorization_code", "refresh_token" ], "has_rotated_secret": false, "logo_uri": "https://example.com/logo.png", "policy_uri": "https://example.com/privacy", "post_logout_redirect_uris": [ "https://example.com/logout" ], "promoted_at": "2026-05-13T12:00:00Z", "redirect_uris": [ "https://example.com/callback" ], "response_types": [ "code" ], "scopes": [ "account.read" ], "token_endpoint_auth_method": "client_secret_post", "tos_uri": "https://example.com/tos", "updated_at": "2025-01-01T00:00:00Z" } } ``` ## Update OAuth Client `client.iam.oauthClients.update(stringoauthClientId, OAuthClientUpdateParamsparams, RequestOptionsoptions?): OAuthClientUpdateResponse` **patch** `/accounts/{account_id}/oauth_clients/{oauth_client_id}` Update an existing OAuth client. Only include fields you want to update. ### Parameters - `oauthClientId: string` The unique identifier for an OAuth client. - `params: OAuthClientUpdateParams` - `account_id: string` Path param: Account identifier tag. - `allowed_cors_origins?: Array` Body param: Array of allowed CORS origins. - `client_name?: string` Body param: Human-readable name of the OAuth client. - `client_uri?: string` Body param: URL of the home page of the client. - `grant_types?: Array<"authorization_code" | "refresh_token">` Body param: Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `logo_uri?: string` Body param: URL of the client's logo. - `policy_uri?: string` Body param: URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Body param: Array of allowed post-logout redirect URIs. - `redirect_uris?: Array` Body param: Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Body param: Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Body param: Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` Body param: The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` Body param: URL that points to a terms of service document. - `visibility?: "public"` Body param: Promote the OAuth client from private to public visibility. Only `public` is accepted; demotion to `private` is not supported. Promotion requires a non-empty client name, logo URI, verified client URI host, and at least one non-identity scope. - `"public"` ### Returns - `OAuthClientUpdateResponse` Fields shared by OAuth client responses and create/update requests. - `client_id: string` The unique identifier for an OAuth client. - `visibility: "public" | "private"` Visibility of the OAuth client. - `"public"` - `"private"` - `allowed_cors_origins?: Array` Array of allowed CORS origins. - `client_name?: string` Human-readable name of the OAuth client. - `client_uri?: string` URL of the home page of the client. - `client_uri_verification?: ClientURIVerification` Client URI domain control verification state. - `status?: "pending" | "in_progress" | "verified" | "failed"` Current verification status for the client URI host. - `"pending"` - `"in_progress"` - `"verified"` - `"failed"` - `text?: string` Exact TXT record value that must be added to DNS to prove ownership of the client URI host. - `created_at?: string` Timestamp when the OAuth client was created. - `grant_types?: Array<"authorization_code" | "refresh_token">` Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `has_rotated_secret?: boolean` Indicates whether the client has a rotated secret that has not yet been deleted. - `logo_uri?: string` URL of the client's logo. - `policy_uri?: string` URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Array of allowed post-logout redirect URIs. - `promoted_at?: string` Timestamp when the OAuth client was promoted to public visibility. - `redirect_uris?: Array` Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` URL that points to a terms of service document. - `updated_at?: string` Timestamp when the OAuth client was last updated. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const oauthClient = await client.iam.oauthClients.update('a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4', { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(oauthClient.client_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "client_id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4", "visibility": "private", "allowed_cors_origins": [ "https://example.com" ], "client_name": "My OAuth App", "client_uri": "https://example.com", "client_uri_verification": { "status": "in_progress", "text": "cloudflare_oauth_client_publisher=example" }, "created_at": "2025-01-01T00:00:00Z", "grant_types": [ "authorization_code", "refresh_token" ], "has_rotated_secret": false, "logo_uri": "https://example.com/logo.png", "policy_uri": "https://example.com/privacy", "post_logout_redirect_uris": [ "https://example.com/logout" ], "promoted_at": "2026-05-13T12:00:00Z", "redirect_uris": [ "https://example.com/callback" ], "response_types": [ "code" ], "scopes": [ "account.read" ], "token_endpoint_auth_method": "client_secret_post", "tos_uri": "https://example.com/tos", "updated_at": "2025-01-01T00:00:00Z" } } ``` ## Delete OAuth Client `client.iam.oauthClients.delete(stringoauthClientId, OAuthClientDeleteParamsparams, RequestOptionsoptions?): OAuthClientDeleteResponse | null` **delete** `/accounts/{account_id}/oauth_clients/{oauth_client_id}` Delete an OAuth client. ### Parameters - `oauthClientId: string` The unique identifier for an OAuth client. - `params: OAuthClientDeleteParams` - `account_id: string` Account identifier tag. ### Returns - `OAuthClientDeleteResponse` - `id: string` Identifier ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const oauthClient = await client.iam.oauthClients.delete('a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4', { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(oauthClient.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "023e105f4ecef8ad9ca31a8372d0c353" } } ``` ## Rotate OAuth Client Secret `client.iam.oauthClients.rotateSecret(stringoauthClientId, OAuthClientRotateSecretParamsparams, RequestOptionsoptions?): OAuthClientRotateSecretResponse` **post** `/accounts/{account_id}/oauth_clients/{oauth_client_id}/rotate_secret` Creates a second client secret so you can update your client configuration before deleting the old one. The `has_rotated_secret` field on the client will be set to `true`. ### Parameters - `oauthClientId: string` The unique identifier for an OAuth client. - `params: OAuthClientRotateSecretParams` - `account_id: string` Account identifier tag. ### Returns - `OAuthClientRotateSecretResponse` - `client_secret?: string` The new client secret. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const response = await client.iam.oauthClients.rotateSecret('a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4', { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(response.client_secret); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "client_secret": "cf-oauth-secret-new-example" } } ``` ## Delete Rotated OAuth Client Secret `client.iam.oauthClients.deleteRotatedSecret(stringoauthClientId, OAuthClientDeleteRotatedSecretParamsparams, RequestOptionsoptions?): OAuthClientDeleteRotatedSecretResponse | null` **delete** `/accounts/{account_id}/oauth_clients/{oauth_client_id}/rotate_secret` Removes the old client secret after a rotation, keeping only the new one. Use this after you have updated your client configuration to use the new secret. The `has_rotated_secret` field on the client indicates whether there is an old secret to delete. ### Parameters - `oauthClientId: string` The unique identifier for an OAuth client. - `params: OAuthClientDeleteRotatedSecretParams` - `account_id: string` Account identifier tag. ### Returns - `OAuthClientDeleteRotatedSecretResponse` - `id: string` Identifier ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const response = await client.iam.oauthClients.deleteRotatedSecret( 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4', { account_id: '023e105f4ecef8ad9ca31a8372d0c353' }, ); console.log(response.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "023e105f4ecef8ad9ca31a8372d0c353" } } ``` ## Domain Types ### OAuth Client List Response - `OAuthClientListResponse` Fields shared by OAuth client responses and create/update requests. - `client_id: string` The unique identifier for an OAuth client. - `visibility: "public" | "private"` Visibility of the OAuth client. - `"public"` - `"private"` - `allowed_cors_origins?: Array` Array of allowed CORS origins. - `client_name?: string` Human-readable name of the OAuth client. - `client_uri?: string` URL of the home page of the client. - `client_uri_verification?: ClientURIVerification` Client URI domain control verification state. - `status?: "pending" | "in_progress" | "verified" | "failed"` Current verification status for the client URI host. - `"pending"` - `"in_progress"` - `"verified"` - `"failed"` - `text?: string` Exact TXT record value that must be added to DNS to prove ownership of the client URI host. - `created_at?: string` Timestamp when the OAuth client was created. - `grant_types?: Array<"authorization_code" | "refresh_token">` Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `has_rotated_secret?: boolean` Indicates whether the client has a rotated secret that has not yet been deleted. - `logo_uri?: string` URL of the client's logo. - `policy_uri?: string` URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Array of allowed post-logout redirect URIs. - `promoted_at?: string` Timestamp when the OAuth client was promoted to public visibility. - `redirect_uris?: Array` Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` URL that points to a terms of service document. - `updated_at?: string` Timestamp when the OAuth client was last updated. ### OAuth Client Get Response - `OAuthClientGetResponse` Fields shared by OAuth client responses and create/update requests. - `client_id: string` The unique identifier for an OAuth client. - `visibility: "public" | "private"` Visibility of the OAuth client. - `"public"` - `"private"` - `allowed_cors_origins?: Array` Array of allowed CORS origins. - `client_name?: string` Human-readable name of the OAuth client. - `client_uri?: string` URL of the home page of the client. - `client_uri_verification?: ClientURIVerification` Client URI domain control verification state. - `status?: "pending" | "in_progress" | "verified" | "failed"` Current verification status for the client URI host. - `"pending"` - `"in_progress"` - `"verified"` - `"failed"` - `text?: string` Exact TXT record value that must be added to DNS to prove ownership of the client URI host. - `created_at?: string` Timestamp when the OAuth client was created. - `grant_types?: Array<"authorization_code" | "refresh_token">` Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `has_rotated_secret?: boolean` Indicates whether the client has a rotated secret that has not yet been deleted. - `logo_uri?: string` URL of the client's logo. - `policy_uri?: string` URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Array of allowed post-logout redirect URIs. - `promoted_at?: string` Timestamp when the OAuth client was promoted to public visibility. - `redirect_uris?: Array` Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` URL that points to a terms of service document. - `updated_at?: string` Timestamp when the OAuth client was last updated. ### OAuth Client Create Response - `OAuthClientCreateResponse` Fields shared by OAuth client responses and create/update requests. - `client_id: string` The unique identifier for an OAuth client. - `visibility: "public" | "private"` Visibility of the OAuth client. - `"public"` - `"private"` - `allowed_cors_origins?: Array` Array of allowed CORS origins. - `client_name?: string` Human-readable name of the OAuth client. - `client_secret?: string` The client secret. This is the only time the secret is returned in a response. - `client_uri?: string` URL of the home page of the client. - `client_uri_verification?: ClientURIVerification` Client URI domain control verification state. - `status?: "pending" | "in_progress" | "verified" | "failed"` Current verification status for the client URI host. - `"pending"` - `"in_progress"` - `"verified"` - `"failed"` - `text?: string` Exact TXT record value that must be added to DNS to prove ownership of the client URI host. - `created_at?: string` Timestamp when the OAuth client was created. - `grant_types?: Array<"authorization_code" | "refresh_token">` Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `has_rotated_secret?: boolean` Indicates whether the client has a rotated secret that has not yet been deleted. - `logo_uri?: string` URL of the client's logo. - `policy_uri?: string` URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Array of allowed post-logout redirect URIs. - `promoted_at?: string` Timestamp when the OAuth client was promoted to public visibility. - `redirect_uris?: Array` Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` URL that points to a terms of service document. - `updated_at?: string` Timestamp when the OAuth client was last updated. ### OAuth Client Update Response - `OAuthClientUpdateResponse` Fields shared by OAuth client responses and create/update requests. - `client_id: string` The unique identifier for an OAuth client. - `visibility: "public" | "private"` Visibility of the OAuth client. - `"public"` - `"private"` - `allowed_cors_origins?: Array` Array of allowed CORS origins. - `client_name?: string` Human-readable name of the OAuth client. - `client_uri?: string` URL of the home page of the client. - `client_uri_verification?: ClientURIVerification` Client URI domain control verification state. - `status?: "pending" | "in_progress" | "verified" | "failed"` Current verification status for the client URI host. - `"pending"` - `"in_progress"` - `"verified"` - `"failed"` - `text?: string` Exact TXT record value that must be added to DNS to prove ownership of the client URI host. - `created_at?: string` Timestamp when the OAuth client was created. - `grant_types?: Array<"authorization_code" | "refresh_token">` Array of OAuth grant types the client is allowed to use. `authorization_code` is required; `refresh_token` may be included optionally. - `"authorization_code"` - `"refresh_token"` - `has_rotated_secret?: boolean` Indicates whether the client has a rotated secret that has not yet been deleted. - `logo_uri?: string` URL of the client's logo. - `policy_uri?: string` URL that points to a privacy policy document. - `post_logout_redirect_uris?: Array` Array of allowed post-logout redirect URIs. - `promoted_at?: string` Timestamp when the OAuth client was promoted to public visibility. - `redirect_uris?: Array` Array of allowed redirect URIs for the client. - `response_types?: Array<"token" | "id_token" | "code">` Array of OAuth response types the client is allowed to use. - `"token"` - `"id_token"` - `"code"` - `scopes?: Array` Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes `offline_access` and `openid` are added or removed automatically based on `grant_types` and `response_types`. - `token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post"` The authentication method the client uses at the token endpoint. - `"none"` - `"client_secret_basic"` - `"client_secret_post"` - `tos_uri?: string` URL that points to a terms of service document. - `updated_at?: string` Timestamp when the OAuth client was last updated. ### OAuth Client Delete Response - `OAuthClientDeleteResponse` - `id: string` Identifier ### OAuth Client Rotate Secret Response - `OAuthClientRotateSecretResponse` - `client_secret?: string` The new client secret. ### OAuth Client Delete Rotated Secret Response - `OAuthClientDeleteRotatedSecretResponse` - `id: string` Identifier