Create a dynamic client.

post https://{tenanturl}/oauth2/register

Use this API to create a dynamic client. If dynamic client registration is configured to require bearer token authentication, the token needs to have the manageAppAccessAdmin (Manage application lifecycle) entitlement.

Body Params

Dynamic client payload

access_policy

string

Access Policy ID.

all_users_entitled

boolean

Set to true if all users are entitled to use this client.

api_entitlements

array of strings

List of API entitlements.

api_entitlements

authorization_encrypted_response_alg

string

JWE 'alg' algorithm required for encrypting authorization responses.

authorization_encrypted_response_enc

string

JWE 'enc' algorithm required for encrypting authorization responses.

authorization_signed_response_alg

string

JWS 'alg' required for signing authorization responses.

authorize_request_mapping

array of objects

Configuration to add request parameters for authorize endpoint

authorize_request_mapping

authorize_response_mapping

array of objects

Configuration to add response parameters for authorize endpoint

authorize_response_mapping

client_name

string

Client name.

consent_action

string

Request for user consent.

enforce_pkce

boolean

Enforce the usage of PKCE.

grant_types

array of strings

Array of grant types that the client may use. The allowed grant types are 'authorization_code', 'implicit', 'password', and 'refresh_token'.

grant_types

id_token_encrypted_response_alg

string

JWE alg algorithm required for encrypting the ID Token assigned to this client.

id_token_encrypted_response_enc

string

JWE enc algorithm required for encrypting the ID Token assigned to this client.

id_token_signed_response_alg

string

Token signing algorithm required for signing the ID token issued for this client.

identity_providers

array of strings

List of identity providers.

identity_providers

initiate_login_uri

string

URI that uses the https scheme that a third party can use to initiate a login by the RP.

jwks_uri

string

URL referencing the client's JSON Web Key Set document representing the client's public keys.

redirect_uris

array of strings

required

Array of redirection URIs for use in redirect-based flows.

redirect_uris*

request_object_check_expiry

boolean

Flag to indicate whether expiry claims should be set in the request object.

request_object_encryption_alg

string

JWE 'alg' algorithm the RP is declaring that it can use for encrypting Request Objects sent to the OP.

request_object_encryption_enc

string

JWE 'enc' algorithm the RP is declaring that it can use for encrypting Request Objects sent to the OP.

request_object_lifetime

integer

The lifetime of the request object.

request_object_parameters_only

boolean

Flag to suggest whether all the request parameters should only be in the request object.

request_object_signing_alg

string

JWS 'alg' algorithm that MUST be used for signing Request Objects sent to the OP.

require_pushed_authorization_requests

boolean

Flag to indicate whether pushed authorization request (PAR) is required.

request_uris

array of strings

Array of request_uri values that are pre-registered by the RP for use at the OP.

request_uris

response_types

array of strings

Array of the OAuth 2.0 response types that the client may use.

response_types

restrict_api_entitlements

boolean

Flag to indicate whether API entitlements should be restricted.

scope

string

A space-delimited string of allowed scopes.

software_id

string

A unique identifier string that identifies the client software to be digitally registered.

software_statement

string

A signed JWT that asserts metadata values about the client software as a bundle.

theme_id

string

The theme ID, if any.

tls_client_auth_san_dns

string

The expected DNS name SAN entry in the certificate that the client will use in mutual TLS authentication.

tls_client_auth_subject_dn

string

The expected subject distinguished name of the certificate that the client will use in mutual TLS authentication.

tls_client_auth_san_email

string

The expected email address SAN entry in the certificate that the client will use in mutual TLS authentication.

tls_client_auth_san_ip

string

The expected IP address SAN entry in the certificate that the client will use in mutual TLS authentication.

tls_client_auth_san_uri

string

The expected URI SAN entry in the certificate that the client will use in mutual TLS authentication.

tls_client_certificate_bound_access_tokens

boolean

Indicates if certificate binding for access token is required.

token_endpoint_auth_method

string

The client authentication method for the token endpoint.

token_endpoint_auth_signing_alg

string

JWS 'alg' algorithm that must be used for signing the JWT used to authenticate the client at the Token Endpoint for the 'private_key_jwt' authentication methods.

token_endpoint_auth_single_use_jti

boolean

Flag to indicate whether the JTI for token endpoint is single-use only.

token_request_mapping

array of objects

Configuration to add request parameters for token endpoint

token_request_mapping

token_response_mapping

array of objects

Configuration to add response parameters for token endpoint

token_response_mapping

userinfo_encrypted_response_alg

string

Userinfo response JWT encryption algorithm.

userinfo_encrypted_response_enc

string

Userinfo response JWT encryption content algorithm.

userinfo_signed_response_alg

string

Userinfo response JWT signing algorithm.

client_id

string

Client ID. Will be automatically generated if not provided.

client_secret

string

Client secret. Will be automatically generated if not provided.

id_token_claims

array of strings

List of claims for id_token and user information.

id_token_claims

token_claims

array of strings

List of claims for introspect and JWT access token.

token_claims

Headers

Authorization

string

Bearer access token

Responses

Response body

object

access_policy

string

Access Policy ID.

all_users_entitled

boolean

Set to true if all users are entitled to use this client.

api_entitlements

array of strings

List of API entitlements.

api_entitlements

authorization_encrypted_response_alg

string

JWE 'alg' algorithm required for encrypting authorization responses.

authorization_encrypted_response_enc

string

JWE 'enc' algorithm required for encrypting authorization responses.

authorization_signed_response_alg

string

JWS 'alg' required for signing authorization responses.

authorize_request_mapping

array of objects

Configuration to add request parameters for authorize endpoint

authorize_request_mapping

object

name

string

The name of the target parameter. 'context' sets the rule for authorization context. 'scope' sets the rule for the Consent request. 'intentId' sets the rule for the Open Banking intent ID.

context scope intentId

custom

string

The custom rule that defines the value of the target parameter to be set.

authorize_response_mapping

array of objects

Configuration to add response parameters for authorize endpoint

authorize_response_mapping

object

name

string

The name of the target parameter.

custom

string

The custom rule that defines the value of the target parameter to be set.

type

string

The type of the target parameter. Allowed values are 'header' or 'parameter'.

header parameter

client_name

string

Client name.

consent_action

string

Request for user consent.

never_prompt always_prompt

enforce_pkce

boolean

Enforce the usage of PKCE.

grant_types

array of strings

Array of grant types that the client may use. The allowed grant types are 'authorization_code', 'implicit', 'password', and 'refresh_token'.

grant_types

id_token_encrypted_response_alg

string

JWE alg algorithm required for encrypting the ID Token assigned to this client.

id_token_encrypted_response_enc

string

JWE enc algorithm required for encrypting the ID Token assigned to this client.

id_token_signed_response_alg

string

Token signing algorithm required for signing the ID token issued for this client.

identity_providers

array of strings

List of identity providers.

identity_providers

initiate_login_uri

string

URI that uses the https scheme that a third party can use to initiate a login by the RP.

jwks_uri

string

URL referencing the client's JSON Web Key Set document representing the client's public keys.

redirect_uris

array of strings

required

Array of redirection URIs for use in redirect-based flows.

redirect_uris*

request_object_check_expiry

boolean

Flag to indicate whether expiry claims should be set in the request object.

request_object_encryption_alg

string

JWE 'alg' algorithm the RP is declaring that it can use for encrypting Request Objects sent to the OP.

request_object_encryption_enc

string

JWE 'enc' algorithm the RP is declaring that it can use for encrypting Request Objects sent to the OP.

request_object_lifetime

integer

The lifetime of the request object.

request_object_parameters_only

boolean

Flag to suggest whether all the request parameters should only be in the request object.

request_object_signing_alg

string

JWS 'alg' algorithm that MUST be used for signing Request Objects sent to the OP.

require_pushed_authorization_requests

boolean

Flag to indicate whether pushed authorization request (PAR) is required.

request_uris

array of strings

Array of request_uri values that are pre-registered by the RP for use at the OP.

request_uris

response_types

array of strings

Array of the OAuth 2.0 response types that the client may use.

response_types

restrict_api_entitlements

boolean

Flag to indicate whether API entitlements should be restricted.

scope

string

A space-delimited string of allowed scopes.

software_id

string

A unique identifier string that identifies the client software to be digitally registered.

software_statement

string

A signed JWT that asserts metadata values about the client software as a bundle.

theme_id

string

The theme ID, if any.

tls_client_auth_san_dns

string

The expected DNS name SAN entry in the certificate that the client will use in mutual TLS authentication.

tls_client_auth_subject_dn

string

The expected subject distinguished name of the certificate that the client will use in mutual TLS authentication.

tls_client_auth_san_email

string

The expected email address SAN entry in the certificate that the client will use in mutual TLS authentication.

tls_client_auth_san_ip

string

The expected IP address SAN entry in the certificate that the client will use in mutual TLS authentication.

tls_client_auth_san_uri

string

The expected URI SAN entry in the certificate that the client will use in mutual TLS authentication.

tls_client_certificate_bound_access_tokens

boolean

Indicates if certificate binding for access token is required.

token_endpoint_auth_method

string

The client authentication method for the token endpoint.

default client_secret_basic client_secret_post private_key_jwt tls_client_auth

token_endpoint_auth_signing_alg

string

JWS 'alg' algorithm that must be used for signing the JWT used to authenticate the client at the Token Endpoint for the 'private_key_jwt' authentication methods.

token_endpoint_auth_single_use_jti

boolean

Flag to indicate whether the JTI for token endpoint is single-use only.

token_request_mapping

array of objects

Configuration to add request parameters for token endpoint

token_request_mapping

object

name

string

The name of the target parameter.

custom

string

The custom rule that defines the value of the target parameter to be set.

token_response_mapping

array of objects

Configuration to add response parameters for token endpoint

token_response_mapping

object

name

string

The name of the target parameter.

custom

string

The custom rule that defines the value of the target parameter to be set.

type

string

The type of the target parameter. Allowed values are 'header' or 'parameter'.

header parameter

userinfo_encrypted_response_alg

string

Userinfo response JWT encryption algorithm.

userinfo_encrypted_response_enc

string

Userinfo response JWT encryption content algorithm.

userinfo_signed_response_alg

string

Userinfo response JWT signing algorithm.

client_id

string

Client identifier.

client_id_issued_at

string

Time at which the client identifier was assigned.

client_secret

string

Client secret.

client_secret_expires_at

string

Time at which the client secret expires.

id_token_map

array of objects

The attributes that should be present in the generated ID token.

id_token_map

object

name

string

The name of the attribute to be shown in the ID Token.

attribute_id

string

The ID of the attribute to retrieve the value for the ID Token from.

registration_access_token

string

Access token that is used to run subsequent operations at the client configuration endpoint.

registration_client_uri

string

URL of the client configuration endpoint for this client.

token_map

array of objects

List of claims for introspect and JWT access token.

token_map

object

name

string

The name of the attribute to be shown in the token.

attribute_id

string

The ID of the attribute to retrieve the value for the token from.

Language

URL


xxxxxxxxxx
1
curl --request POST \
2
     --url https://tenant_url/oauth2/register \
3
     --header 'accept: application/json' \
4
     --header 'content-type: application/json'

Choose an example:

application/json

*/*

200Successful Creation

400Bad Request Exception

403Forbidden

500An internal server error occurred.