Application API Clients


This article describes how a native application integrated with IBM Security Verify can be granted permissions to access IBM Security Verify REST APIs on behalf of authenticated users.


Delegated authority is better for security

Granting an application access via delegated user authority is good for security because it does not give the application privileged access in its own right. The application can only perform actions that are granted to a user that has authenticated and accessed the application.

Application API Client

When a custom application definition in IBM Security Verify is configured for OpenID Connect, an application API client is created when the definition is first saved. This API client, identified by a client_id and (optional) client_secret, is used to run OAuth and OIDC flows in order to acquire identity and access tokens.

An access token acquired by running an OIDC or OAuth user-based flow (i.e. any flow other than the client credentials flow) grants the application API client authority to act on behalf of the user authenticated during the flow.

Permissions required for REST API access

Access to an IBM Security Verify REST API is only granted if the application API client and the user associated with the presented access token both have the required permissions.

User permissions

A set of basic IBM Security Verify permissions is granted to all users. These include permissions such as the ability to update their own directory record, the ability to change their own password, or the ability to look up and initiate a strong authentication flow for themselves. Users are granted additional permissions via administrative roles.

Application permissions

An application API client is granted permissions to IBM Security Verify APIs in the application definition. An entry for the application API client appears in the API Access tab of the application definition.

You can distinguish the application API client entry from any privileged API client entries because:

  • It is always listed first
  • It has the same name as the application
  • It has no client credentials defined within the API client details page
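
The two-sided check described under "Permissions required for REST API access", as an added Python model that is not IBM Security Verify code. The permission names, role name, client ID and users are constructed for illustration, and the self-only rule for base permissions is this model's reading of "their own" in the User permissions section.

```python
from dataclasses import dataclass

# Constructed permission names for this model; not IBM Security Verify entitlement names.
BASE_USER_PERMISSIONS = {"update_own_record", "change_own_password"}  # every user, self only
ROLE_PERMISSIONS = {"user_admin": {"update_any_record", "reset_any_password"}}  # hypothetical role


@dataclass(frozen=True)
class DelegatedToken:
    client_id: str  # application API client the token was issued to
    user: str       # user authenticated during the OIDC/OAuth user-based flow


def user_permissions(user, user_roles):
    """Base permissions plus whatever the user's administrative roles add."""
    perms = set(BASE_USER_PERMISSIONS)
    for role in user_roles.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(token, permission, target_user, client_grants, user_roles):
    """Return (allowed, reason); the client and the user must both hold the permission."""
    if permission not in client_grants.get(token.client_id, set()):
        return False, "application API client lacks permission"
    if permission not in user_permissions(token.user, user_roles):
        return False, "user lacks permission"
    if permission in BASE_USER_PERMISSIONS and target_user != token.user:
        return False, "base permission applies to the user's own record only"
    return True, "client and user both hold permission"


# Constructed sample data: one application, one ordinary user, one administrator.
CLIENT_GRANTS = {"hr-portal": {"update_own_record", "reset_any_password"}}
USER_ROLES = {"alice": [], "bob": ["user_admin"]}

if __name__ == "__main__":
    cases = [
        (DelegatedToken("hr-portal", "alice"), "update_own_record", "alice"),
        (DelegatedToken("hr-portal", "alice"), "reset_any_password", "bob"),
        (DelegatedToken("hr-portal", "bob"), "reset_any_password", "alice"),
        (DelegatedToken("hr-portal", "bob"), "update_any_record", "alice"),
    ]
    for token, perm, target in cases:
        print(token.user, perm, target, authorize(token, perm, target, CLIENT_GRANTS, USER_ROLES))
```

In the second case the application holds the permission but the ordinary user does not, so the request is denied: the application gains nothing beyond what the signed-in user already has.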


Jon Harry, IBM Security