Skip to content
Cloudflare API
Start here
API Reference
IAM

OAuth Clients

List OAuth Clients
GET/accounts/{account_id}/oauth_clients
OAuth Client Details
GET/accounts/{account_id}/oauth_clients/{oauth_client_id}
Create OAuth Client
POST/accounts/{account_id}/oauth_clients
Update OAuth Client
PATCH/accounts/{account_id}/oauth_clients/{oauth_client_id}
Delete OAuth Client
DELETE/accounts/{account_id}/oauth_clients/{oauth_client_id}
Rotate OAuth Client Secret
POST/accounts/{account_id}/oauth_clients/{oauth_client_id}/rotate_secret
Delete Rotated OAuth Client Secret
DELETE/accounts/{account_id}/oauth_clients/{oauth_client_id}/rotate_secret
ModelsExpand Collapse
OAuthClientListResponse object { client_id, visibility, allowed_cors_origins, 16 more }

Fields shared by OAuth client responses and create/update requests.

client_id: string

The unique identifier for an OAuth client.

visibility: "public" or "private"

Visibility of the OAuth client.

One of the following:
"public"
"private"
allowed_cors_origins: optional array of string

Array of allowed CORS origins.

client_name: optional string

Human-readable name of the OAuth client.

client_uri: optional string

URL of the home page of the client.

client_uri_verification: optional object { status, text }

Client URI domain control verification state.

status: optional "pending" or "in_progress" or "verified" or "failed"

Current verification status for the client URI host.

One of the following:
"pending"
"in_progress"
"verified"
"failed"
text: optional string

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at: optional string

Timestamp when the OAuth client was created.

formatdate-time
grant_types: optional array of "authorization_code" or "refresh_token"

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:
"authorization_code"
"refresh_token"
has_rotated_secret: optional boolean

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri: optional string

URL of the client’s logo.

policy_uri: optional string

URL that points to a privacy policy document.

post_logout_redirect_uris: optional array of string

Array of allowed post-logout redirect URIs.

redirect_uris: optional array of string

Array of allowed redirect URIs for the client.

response_types: optional array of "token" or "id_token" or "code"

Array of OAuth response types the client is allowed to use.

One of the following:
"token"
"id_token"
"code"
scopes: optional array of string

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method: optional "none" or "client_secret_basic" or "client_secret_post"

The authentication method the client uses at the token endpoint.

One of the following:
"none"
"client_secret_basic"
"client_secret_post"
tos_uri: optional string

URL that points to a terms of service document.

updated_at: optional string

Timestamp when the OAuth client was last updated.

formatdate-time
OAuthClientGetResponse object { client_id, visibility, allowed_cors_origins, 16 more }

Fields shared by OAuth client responses and create/update requests.

client_id: string

The unique identifier for an OAuth client.

visibility: "public" or "private"

Visibility of the OAuth client.

One of the following:
"public"
"private"
allowed_cors_origins: optional array of string

Array of allowed CORS origins.

client_name: optional string

Human-readable name of the OAuth client.

client_uri: optional string

URL of the home page of the client.

client_uri_verification: optional object { status, text }

Client URI domain control verification state.

status: optional "pending" or "in_progress" or "verified" or "failed"

Current verification status for the client URI host.

One of the following:
"pending"
"in_progress"
"verified"
"failed"
text: optional string

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at: optional string

Timestamp when the OAuth client was created.

formatdate-time
grant_types: optional array of "authorization_code" or "refresh_token"

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:
"authorization_code"
"refresh_token"
has_rotated_secret: optional boolean

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri: optional string

URL of the client’s logo.

policy_uri: optional string

URL that points to a privacy policy document.

post_logout_redirect_uris: optional array of string

Array of allowed post-logout redirect URIs.

redirect_uris: optional array of string

Array of allowed redirect URIs for the client.

response_types: optional array of "token" or "id_token" or "code"

Array of OAuth response types the client is allowed to use.

One of the following:
"token"
"id_token"
"code"
scopes: optional array of string

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method: optional "none" or "client_secret_basic" or "client_secret_post"

The authentication method the client uses at the token endpoint.

One of the following:
"none"
"client_secret_basic"
"client_secret_post"
tos_uri: optional string

URL that points to a terms of service document.

updated_at: optional string

Timestamp when the OAuth client was last updated.

formatdate-time
OAuthClientCreateResponse object { client_id, visibility, allowed_cors_origins, 17 more }

Fields shared by OAuth client responses and create/update requests.

client_id: string

The unique identifier for an OAuth client.

visibility: "public" or "private"

Visibility of the OAuth client.

One of the following:
"public"
"private"
allowed_cors_origins: optional array of string

Array of allowed CORS origins.

client_name: optional string

Human-readable name of the OAuth client.

client_secret: optional string

The client secret. This is the only time the secret is returned in a response.

client_uri: optional string

URL of the home page of the client.

client_uri_verification: optional object { status, text }

Client URI domain control verification state.

status: optional "pending" or "in_progress" or "verified" or "failed"

Current verification status for the client URI host.

One of the following:
"pending"
"in_progress"
"verified"
"failed"
text: optional string

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at: optional string

Timestamp when the OAuth client was created.

formatdate-time
grant_types: optional array of "authorization_code" or "refresh_token"

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:
"authorization_code"
"refresh_token"
has_rotated_secret: optional boolean

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri: optional string

URL of the client’s logo.

policy_uri: optional string

URL that points to a privacy policy document.

post_logout_redirect_uris: optional array of string

Array of allowed post-logout redirect URIs.

redirect_uris: optional array of string

Array of allowed redirect URIs for the client.

response_types: optional array of "token" or "id_token" or "code"

Array of OAuth response types the client is allowed to use.

One of the following:
"token"
"id_token"
"code"
scopes: optional array of string

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method: optional "none" or "client_secret_basic" or "client_secret_post"

The authentication method the client uses at the token endpoint.

One of the following:
"none"
"client_secret_basic"
"client_secret_post"
tos_uri: optional string

URL that points to a terms of service document.

updated_at: optional string

Timestamp when the OAuth client was last updated.

formatdate-time
OAuthClientUpdateResponse object { client_id, visibility, allowed_cors_origins, 16 more }

Fields shared by OAuth client responses and create/update requests.

client_id: string

The unique identifier for an OAuth client.

visibility: "public" or "private"

Visibility of the OAuth client.

One of the following:
"public"
"private"
allowed_cors_origins: optional array of string

Array of allowed CORS origins.

client_name: optional string

Human-readable name of the OAuth client.

client_uri: optional string

URL of the home page of the client.

client_uri_verification: optional object { status, text }

Client URI domain control verification state.

status: optional "pending" or "in_progress" or "verified" or "failed"

Current verification status for the client URI host.

One of the following:
"pending"
"in_progress"
"verified"
"failed"
text: optional string

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at: optional string

Timestamp when the OAuth client was created.

formatdate-time
grant_types: optional array of "authorization_code" or "refresh_token"

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

One of the following:
"authorization_code"
"refresh_token"
has_rotated_secret: optional boolean

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri: optional string

URL of the client’s logo.

policy_uri: optional string

URL that points to a privacy policy document.

post_logout_redirect_uris: optional array of string

Array of allowed post-logout redirect URIs.

redirect_uris: optional array of string

Array of allowed redirect URIs for the client.

response_types: optional array of "token" or "id_token" or "code"

Array of OAuth response types the client is allowed to use.

One of the following:
"token"
"id_token"
"code"
scopes: optional array of string

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method: optional "none" or "client_secret_basic" or "client_secret_post"

The authentication method the client uses at the token endpoint.

One of the following:
"none"
"client_secret_basic"
"client_secret_post"
tos_uri: optional string

URL that points to a terms of service document.

updated_at: optional string

Timestamp when the OAuth client was last updated.

formatdate-time
OAuthClientDeleteResponse object { id }
id: string

Identifier

maxLength32
minLength32
OAuthClientRotateSecretResponse object { client_secret }
client_secret: optional string

The new client secret.

OAuthClientDeleteRotatedSecretResponse object { id }
id: string

Identifier

maxLength32
minLength32