1What an OAuth client is

Concept

A client registration tells the IdP who can request tokens

An OAuth 2.0 client is a registration that identifies a specific application to EmpowerNow's identity provider. The registration defines what the application is allowed to do: which grant types it can use, which redirect URIs are permitted, how long its tokens last, and whether it requires a secret or uses PKCE.

Every application that needs to authenticate users through EmpowerNow, or call EmpowerNow APIs on behalf of users or services, must have a registered client.

Client typeTypical useHas client_secret?
SPA (Single-Page App)React, Vue, Angular apps running in the browser. Uses PKCE β€” no secret needed.No β€” uses PKCE instead
Web App (Confidential)Server-rendered apps (Next.js SSR, Rails, etc.) that can keep a secret server-side.Yes
Service / M2MBackend services, CI/CD pipelines, crons. Use client_credentials grant type (no user).Yes
Device CodeTVs, CLIs, or other devices with limited input. Uses device_code grant flow.No

2Open Clients Center

Navigation

Administration β†’ OAuth β†’ Clients Center (/idp/clients-center)

experience.your-tenant.empowernow.ai/idp/clients-center
OAuth Client Applications
+ Register Client
Client NameClient IDTypeRedirectsStatusActions
My SPA Appspa_abc123SPA2● Active
Configure
Backend Servicesvc_xyz789M2M—● Active
Configure

The list shows all registered clients. Click + Register Client to start the template-driven registration wizard. Click Configure on an existing client to open its detail page.

3Choose a template

Template Selector

The first step is picking the right client type

The registration wizard opens with the Template Selector screen. Four templates are available. Each template pre-fills the correct grant types, security settings, and defaults for its client type.

experience.your-tenant.empowernow.ai/idp/clients-center/new
What type of client are you registering?
πŸ–₯️
Single-Page App (SPA)
Browser app Β· PKCE Β· No secret needed
🌐
Web Application
Server-side app Β· Confidential Β· Has secret
βš™οΈ
Service / M2M
Backend service Β· Client credentials Β· No user
πŸ“Ί
Device Code
Limited-input device Β· device_code grant
βœ…
When in doubt, use SPA

For modern JavaScript frontends that authenticate users, SPA + PKCE is the most secure choice. It requires no secret in the browser and is the current best practice per OAuth 2.0 Security BCP.

4Basic settings

BasicSettingsPanel

After selecting a template, fill in the basic settings form

FieldRequiredNotes
Client NameYesHuman-readable label. Appears in consent screens and admin logs. e.g. "My SPA App" or "Inventory Backend".
Application URINoThe app's homepage URL. Shown in admin UIs; not functionally enforced in the auth flow.
Redirect URIsYes (for auth-code flows)Newline-separated list of allowed callback URLs after login. Must exactly match what the app sends in the auth request. Required for SPA and Web App templates.
Post-Logout Redirect URIsNoWhere to send users after logout. Must be whitelisted here to avoid open redirect vulnerabilities.
Grant TypesAuto-filledPre-filled by template (e.g. authorization_code + PKCE for SPA). Editable but changing grant types changes the security model.
⚠️
Redirect URIs must be exact

The IdP does strict string matching on redirect URIs β€” no wildcards, no partial matches. If your app sends https://myapp.com/callback but you registered https://myapp.com/callback/ (trailing slash), the login will fail with an error.

5Live Preview Card

LivePreviewCard

The right panel shows the JSON payload in real time

As you fill in the form, the Live Preview Card on the right side of the registration page updates in real time to show the exact JSON configuration that will be sent to the IdP when you click Register. This lets you verify every field before creating the client.

βœ…
Review before saving

The Live Preview is especially useful for validating that redirect URIs are formatted correctly and that grant types match your expected flow. Compare against your IdP documentation before clicking Register.

6Copy credentials

One-time display

Copy the client secret immediately β€” it will never be shown again

After clicking Register, the credentials modal appears showing:

🚨
The client secret is shown once

After you close this modal, the secret cannot be retrieved β€” only rotated. Copy it now and store it in EmpowerNow Secrets Hub or another secure secrets manager. Never paste it into source code, config files committed to version control, or messaging apps.

7Post-creation checklist

Next steps

Verify the client works before marking it production-ready

StepHow to verify
1. Update your application configSet client_id in your app. For confidential clients, also set the client_secret from the credentials modal.
2. Test the redirect URIInitiate a login from your app. The browser should redirect to your app's callback URL after login. A redirect URI mismatch will show an error page.
3. Configure allowed scopesIn the Client Configuration page (Scopes tab), add any custom scopes your app needs beyond the defaults (openid profile email).
4. Enable PKCE enforcement (for SPAs)In Security Settings, toggle Require PKCE to ON. This prevents auth-code interception attacks.
5. Review token lifetimesDefault access token lifetime is 1 hour. For long-running services, consider increasing the refresh token lifetime in Advanced Settings.
βœ…
Test in staging first

Register a separate client for each environment (staging, production). Staging and production clients should have different redirect URIs and separate secrets. Never share a client_id or secret across environments.

Next steps

βš™οΈ Client Configuration πŸͺ™ Personal Access Tokens