1Open a client

Navigation

Click a client in the Clients Center list

From the Clients Center (/idp/clients-center), click Configure on any client row or click the client's name. This opens the client detail and configuration page at /idp/clients-center/:clientId.

The page header shows the client name, client ID (monospace), type badge, and status indicator. Below are tabbed sections for each configuration area.

2Basic settings

BasicSettingsPanel

Update URIs and application metadata

SettingHow to updateEffect
Client NameEdit the name field, click SaveUpdated in admin UIs and consent screens immediately
Application URIEdit the URI field, click SaveMetadata only — no functional impact on auth flows
Redirect URIsAdd new URIs in the list; click ✕ to remove; SaveAuth requests to a removed redirect URI will be rejected immediately
Post-Logout Redirect URIsAdd or remove in the list; SaveLogout redirects to URIs not in this list will be blocked
⚠️
Removing a redirect URI is immediate

If you remove a redirect URI that is actively used by a deployed application, that application's login flow will start failing immediately after you save. Always add the new URI first, deploy and verify the updated app, then remove the old URI.

3Security settings

SecuritySettingsPanel

Configure authentication security controls

SettingDefaultRecommendation
Require PKCEOn for SPA, Off for othersAlways ON for SPAs and public clients. PKCE prevents auth-code interception attacks.
Allowed CORS OriginsEmpty (none allowed)Add only the exact domain(s) your SPA is served from. Wildcards are not supported.
Token Endpoint Auth Methodclient_secret_basicFor SPAs: none (public client). For confidential: client_secret_basic or client_secret_post.
mTLS Certificate BindingOffEnable for high-security M2M clients where you control the client certificate.

4Advanced settings

AdvancedSettingsPanel

Token lifetimes and logout configuration

SettingDefaultNotes
Access Token Lifetime3600s (1 hour)How long an access token is valid after issuance. Shorter = more secure; longer = fewer re-auth requests.
Refresh Token Lifetime86400s (24 hours)How long a refresh token can be used to obtain new access tokens. Session duration for silent refresh flows.
Refresh Token RotationOffWhen On: issuing a new access token also issues a new refresh token and invalidates the old one. Recommended for SPAs.
Back-Channel Logout URINoneA server endpoint the IdP calls when a user logs out elsewhere. Used for single sign-out in server-rendered apps.
Front-Channel Logout URINoneA page the browser loads in an iframe during logout to clear local sessions. For browser-based apps.

5Rotate client secret

Secret rotation

Click Rotate Secret — plan for a brief overlap window

In the client detail header or Settings panel, click Rotate Secret. A warning modal explains that the current secret will be invalidated. A configurable grace period (default 5 minutes) allows the new secret to be configured in your application before the old one expires.

Rotation workflow:

  1. Click Rotate Secret and confirm
  2. Copy the new secret from the one-time display modal
  3. Update your application's config or secrets manager with the new secret
  4. Deploy and verify the application is working (within the grace period)
  5. The old secret expires after the grace period automatically
🚨
Rotation without a grace plan causes downtime

If your application is using the old secret and you rotate without updating the app config, the app will start receiving 401 Unauthorized errors as soon as the old secret expires. Always update the application within the grace period.

6Manage scopes

Scopes tab

Control which scopes this client is allowed to request

The Scopes tab lists the scopes this client can include in its authorization requests. Default scopes openid, profile, and email are pre-configured for most templates.

To add a scope: type the scope name in the input field and press Enter. To remove: click the ✕ next to the scope tag. Scope changes take effect immediately — the client can only request scopes listed here on its next authorization request.

💡
Custom scopes

If your application uses custom scopes (e.g. api:read, api:write), they must be registered both at the resource server level and in this client's allowed scopes. Requests for unregistered scopes are rejected at the token endpoint.

7Enable & disable

Client lifecycle

Disable a client to block all its token requests without deleting it

The client detail header shows a status toggle: ● Enabled / ○ Disabled.

Click the toggle to flip status. Disabling takes effect immediately — any attempt by the client to exchange a code, refresh a token, or use client_credentials will be rejected with an error. Re-enabling restores all functionality immediately.

Use Disable for maintenance and incident response

If you suspect a client_secret has been compromised, disable the client immediately, then rotate the secret, update your application, and re-enable. This stops any unauthorized use during the incident window.

8Delete a client

Permanent deletion

Delete is irreversible — all issued tokens are revoked immediately

Click Delete Client in the danger zone at the bottom of the settings page. A confirmation modal explains the impact and asks you to type the client name to confirm.

🚨
Immediate token revocation

Deleting an OAuth client revokes all access tokens and refresh tokens issued to that client immediately. Every application that uses this client_id will receive 401 errors on their very next API call. There is no grace period for deletion. Ensure all applications using this client have been decommissioned or migrated to a replacement client before deleting.

ItemBehaviour on deletion
Active access tokensRevoked immediately — existing API calls in flight may fail
Refresh tokensRevoked — silent refresh flows break immediately
Client registrationRemoved from IdP — client_id is invalid
Audit logsPreserved — past token issuance events remain in the audit trail

Related guides

📝 Register a Client 🪙 Personal Access Tokens