System Settings – API Clients

Overview

Registers and manages the clients that are allowed OAuth2 authorization access to Questetra APIs.

OAuth2 Clients

OAuth2 Clients: List
  • Add OAuth2 Client
    • Name *
    • Redirect URL *
  • Search / Name / Client ID / State / Create Time
OAuth2 Clients: Details
  • Name
  • Client ID
  • Consumer Secret
  • Scope
  • Redirect URL
  • Client Authentication Method
  • Require Proof Key (PKCE)
  • Authorization Endpoint URL
  • Token Endpoint URL
  • State
  • Create Time
  • Edit OAuth2 Client
    • Name *
    • Redirect URL *
    • Client Authentication Method
      • client_secret_post
      • none
    • Require Proof Key (PKCE)
    • Scope
      • All API Access
      • Read-only API Access
  • Delete OAuth2 Client
  • Deactivate/Activate OAuth2 Client

Notes

  • Name can be anything you choose to identify the client being given API access
  • In Redirect URL, set the redirect URL (callback URL) of the client you want to authorize
  • When you add a new client, a Client ID and Client Secret will be issued
    • Enter them along with the Authorization Endpoint URL and the Token Endpoint URL when setting up OAuth communication on the client system
  • The supported authorization method is the Authorization Code Flow
  • You can configure the client to require PKCE (Proof Key for Code Exchange)
    • Enabling [Require Proof Key (PKCE)] makes the configuration compliant with OAuth 2.1.
  • For the client authentication method, you can select none in addition to client_secret_post
    • However, the client authentication method cannot be set to none while [Require Proof Key (PKCE)] is disabled
  • You can configure the client to have either full API access or read-only access
    • Select this in the Scope section on the [Edit OAuth2 Client] screen
  • Access tokens are valid for 12 hours, and refresh tokens are valid for 30 days
  • For a single client ID, a user can hold up to 10 authorized API sessions (refresh tokens)
    • If the number exceeds 10, the older refresh tokens are discarded
  • Delete Client will remove that client record from your system
  • Deactivate Client disables API access but keeps the client details so that it can be reactivated in the future if required
