1Open a client
Click a client in the Clients Center list
From the Clients Center (/idp/clients-center), click Configure on any client row or click the client's name. This opens the client detail and configuration page at /idp/clients-center/:clientId.
The page header shows the client name, client ID (monospace), type badge, and status indicator. Below are tabbed sections for each configuration area.
2Basic settings
Update URIs and application metadata
| Setting | How to update | Effect |
|---|---|---|
| Client Name | Edit the name field, click Save | Updated in admin UIs and consent screens immediately |
| Application URI | Edit the URI field, click Save | Metadata only — no functional impact on auth flows |
| Redirect URIs | Add new URIs in the list; click ✕ to remove; Save | Auth requests to a removed redirect URI will be rejected immediately |
| Post-Logout Redirect URIs | Add or remove in the list; Save | Logout redirects to URIs not in this list will be blocked |
If you remove a redirect URI that is actively used by a deployed application, that application's login flow will start failing immediately after you save. Always add the new URI first, deploy and verify the updated app, then remove the old URI.
3Security settings
Configure authentication security controls
| Setting | Default | Recommendation |
|---|---|---|
| Require PKCE | On for SPA, Off for others | Always ON for SPAs and public clients. PKCE prevents auth-code interception attacks. |
| Allowed CORS Origins | Empty (none allowed) | Add only the exact domain(s) your SPA is served from. Wildcards are not supported. |
| Token Endpoint Auth Method | client_secret_basic | For SPAs: none (public client). For confidential: client_secret_basic or client_secret_post. |
| mTLS Certificate Binding | Off | Enable for high-security M2M clients where you control the client certificate. |
4Advanced settings
Token lifetimes and logout configuration
| Setting | Default | Notes |
|---|---|---|
| Access Token Lifetime | 3600s (1 hour) | How long an access token is valid after issuance. Shorter = more secure; longer = fewer re-auth requests. |
| Refresh Token Lifetime | 86400s (24 hours) | How long a refresh token can be used to obtain new access tokens. Session duration for silent refresh flows. |
| Refresh Token Rotation | Off | When On: issuing a new access token also issues a new refresh token and invalidates the old one. Recommended for SPAs. |
| Back-Channel Logout URI | None | A server endpoint the IdP calls when a user logs out elsewhere. Used for single sign-out in server-rendered apps. |
| Front-Channel Logout URI | None | A page the browser loads in an iframe during logout to clear local sessions. For browser-based apps. |
5Rotate client secret
Click Rotate Secret — plan for a brief overlap window
In the client detail header or Settings panel, click Rotate Secret. A warning modal explains that the current secret will be invalidated. A configurable grace period (default 5 minutes) allows the new secret to be configured in your application before the old one expires.
Rotation workflow:
- Click Rotate Secret and confirm
- Copy the new secret from the one-time display modal
- Update your application's config or secrets manager with the new secret
- Deploy and verify the application is working (within the grace period)
- The old secret expires after the grace period automatically
If your application is using the old secret and you rotate without updating the app config, the app will start receiving 401 Unauthorized errors as soon as the old secret expires. Always update the application within the grace period.
6Manage scopes
Control which scopes this client is allowed to request
The Scopes tab lists the scopes this client can include in its authorization requests. Default scopes openid, profile, and email are pre-configured for most templates.
To add a scope: type the scope name in the input field and press Enter. To remove: click the ✕ next to the scope tag. Scope changes take effect immediately — the client can only request scopes listed here on its next authorization request.
If your application uses custom scopes (e.g. api:read, api:write), they must be registered both at the resource server level and in this client's allowed scopes. Requests for unregistered scopes are rejected at the token endpoint.
7Enable & disable
Disable a client to block all its token requests without deleting it
The client detail header shows a status toggle: ● Enabled / ○ Disabled.
Click the toggle to flip status. Disabling takes effect immediately — any attempt by the client to exchange a code, refresh a token, or use client_credentials will be rejected with an error. Re-enabling restores all functionality immediately.
If you suspect a client_secret has been compromised, disable the client immediately, then rotate the secret, update your application, and re-enable. This stops any unauthorized use during the incident window.
8Delete a client
Delete is irreversible — all issued tokens are revoked immediately
Click Delete Client in the danger zone at the bottom of the settings page. A confirmation modal explains the impact and asks you to type the client name to confirm.
Deleting an OAuth client revokes all access tokens and refresh tokens issued to that client immediately. Every application that uses this client_id will receive 401 errors on their very next API call. There is no grace period for deletion. Ensure all applications using this client have been decommissioned or migrated to a replacement client before deleting.
| Item | Behaviour on deletion |
|---|---|
| Active access tokens | Revoked immediately — existing API calls in flight may fail |
| Refresh tokens | Revoked — silent refresh flows break immediately |
| Client registration | Removed from IdP — client_id is invalid |
| Audit logs | Preserved — past token issuance events remain in the audit trail |