Application Client Auth Credentials

The Application Client Authentication Credentials API provides a set of operations to manage credentials used for OAuth 2.0 client authentication as described in Client authentication methods.

List all the OAuth 2.0 client JSON Web Keys
OAuth 2.0: okta.apps.read

Lists all JSON Web Keys for an OAuth 2.0 client app

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/apps/{appId}/credentials/jwks
Request samples
Response samples
application/json
{}

Add a JSON Web Key
OAuth 2.0: okta.apps.manage

Adds a new JSON Web Key to the client`s JSON Web Keys.

Note: This API doesn't allow you to add a key if the existing key doesn't have a kid. This is also consistent with how the Dynamic Client Registration or Applications APIs behave, as they don't allow the creation of multiple keys without kids. Use the Replace an Application or the Replace a Client Application operation to update the JWKS or Delete an OAuth 2.0 Client JSON Web Key and re-add the key with a kid.

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Request Body schema: application/json
required
alg
string

Algorithm used in the key

e
string

RSA key value (exponent) for key binding

kid
string or null

Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS

kty
string

Cryptographic algorithm family for the certificate's key pair

n
string

RSA key value (modulus) for key binding

status
string

Status of the OAuth 2.0 Client JSON Web Key

Enum: "ACTIVE" "INACTIVE"
use
string

Acceptable use of the JSON Web Key

Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

429

Too Many Requests

post/api/v1/apps/{appId}/credentials/jwks
Request samples
application/json
{
  • "id": "pks2f50kZB0cITmYU0g4",
  • "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
  • "kty": "RSA",
  • "alg": "RS256",
  • "use": "sig",
  • "e": "AQAB",
  • "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
  • "status": "ACTIVE"
}
Response samples
application/json
{}

Retrieve an OAuth 2.0 client JSON Web Key
OAuth 2.0: okta.apps.read

Retrieves an OAuth 2.0 Client JSON Web Key by keyId.

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
keyId
required
string

Unique id of the OAuth 2.0 Client JSON Web Key

Example: pks2f4zrZbs8nUa7p0g4
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/apps/{appId}/credentials/jwks/{keyId}
Request samples
Response samples
application/json
{}

Delete an OAuth 2.0 client JSON Web Key
OAuth 2.0: okta.apps.manage

Deletes an OAuth 2.0 Client JSON Web Key by keyId. You can only delete an inactive key.

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
keyId
required
string

Unique id of the OAuth 2.0 Client JSON Web Key

Example: pks2f4zrZbs8nUa7p0g4
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/apps/{appId}/credentials/jwks/{keyId}
Request samples
Response samples
application/json
{
  • "errorCode": "E0000001",
  • "errorSummary": "Api validation failed: JsonWebKey",
  • "errorLink": "E0000001",
  • "errorId": "sampleQPivGUj_ND5v78vbYWW",
  • "errorCauses": [
    • {
      }
    ]
}

Activate an OAuth 2.0 client JSON Web Key
OAuth 2.0: okta.apps.manage

Activates an OAuth 2.0 Client JSON Web Key by keyId

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
keyId
required
string

Unique id of the OAuth 2.0 Client JSON Web Key

Example: pks2f4zrZbs8nUa7p0g4
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate
Request samples
Response samples
application/json
{}

Deactivate an OAuth 2.0 client JSON Web Key
OAuth 2.0: okta.apps.manage

Deactivates an OAuth 2.0 Client JSON Web Key by keyId.

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
keyId
required
string

Unique id of the OAuth 2.0 Client JSON Web Key

Example: pks2f4zrZbs8nUa7p0g4
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate
Request samples
Response samples
application/json
{}

List all OAuth 2.0 client secrets
OAuth 2.0: okta.apps.read

Lists all client secrets for an OAuth 2.0 client app

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/apps/{appId}/credentials/secrets
Request samples
Response samples
application/json
[]

Create an OAuth 2.0 client secret
OAuth 2.0: okta.apps.manage

Creates an OAuth 2.0 Client Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects.

Note: This API lets you bring your own secret. If token_endpoint_auth_method of the app is client_secret_jwt, then the minimum length of client_secret is 32 characters. If no secret is specified in the request, Okta adds a new system-generated secret.

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Request Body schema: application/json
client_secret
string

The OAuth 2.0 client secret string

status
string

Status of the OAuth 2.0 Client Secret

Enum: "ACTIVE" "INACTIVE"
Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

429

Too Many Requests

post/api/v1/apps/{appId}/credentials/secrets
Request samples
application/json
{ }
Response samples
application/json
{}

Retrieve an OAuth 2.0 client secret
OAuth 2.0: okta.apps.read

Retrieves an OAuth 2.0 Client Secret by secretId

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
secretId
required
string

Unique id of the OAuth 2.0 Client Secret

Example: ocs2f4zrZbs8nUa7p0g4
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/apps/{appId}/credentials/secrets/{secretId}
Request samples
Response samples
application/json
{}

Delete an OAuth 2.0 client secret
OAuth 2.0: okta.apps.manage

Deletes an OAuth 2.0 Client Secret by secretId. You can only delete an inactive Secret.

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
secretId
required
string

Unique id of the OAuth 2.0 Client Secret

Example: ocs2f4zrZbs8nUa7p0g4
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/apps/{appId}/credentials/secrets/{secretId}
Request samples
Response samples
application/json
{
  • "errorCode": "E0000001",
  • "errorSummary": "Api validation failed: OAuth2ClientSecretMediated",
  • "errorLink": "E0000001",
  • "errorId": "sampleQPivGUj_ND5v78vbYWW",
  • "errorCauses": [
    • {
      }
    ]
}

Activate an OAuth 2.0 client secret
OAuth 2.0: okta.apps.manage

Activates an OAuth 2.0 Client Secret by secretId

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
secretId
required
string

Unique id of the OAuth 2.0 Client Secret

Example: ocs2f4zrZbs8nUa7p0g4
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate
Request samples
Response samples
application/json
{}

Deactivate an OAuth 2.0 client secret
OAuth 2.0: okta.apps.manage

Deactivates an OAuth 2.0 Client Secret by secretId. You can't deactivate a secret if it's the only secret of the client.

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
secretId
required
string

Unique id of the OAuth 2.0 Client Secret

Example: ocs2f4zrZbs8nUa7p0g4
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate
Request samples
Response samples
application/json
{}