Authorization Code Clients
- Last Updated: Feb 26, 2025
Authorization code clients are used in JavaScript/browser-based (SPA) applications or native mobile applications where a user is present. These clients are issued a unique identifier. You can read more about these clients here. Authorization code clients are not issued secrets or refresh tokens. For guidelines on the use of secrets, refer to the Credential management topic. For recommendations on least privilege for users and clients, refer to the Least privilege topic.
List All Authorization Code Clients from Tenant
Returns all authorization code clients from a tenant. Optionally, returns a list of requested clients. The total number of clients in the tenant is set in the Total-Count header.
Request
GET /api/v1/Tenants/{tenantId}/AuthorizationCodeClients
?id={id}&tag={tag}&query={query}&skip={skip}&count={count}
Parameters
string tenantId
Tenant identifier.
[optional] array id
Unordered list of identifiers for all clients to get. Empty or whitespace identifiers will be ignored.
[optional] array tag
Only return clients that have these tags.
[optional] string query
(Not supported) Search string identifier.
[optional] integer skip
Parameter representing the zero-based offset of the first object to retrieve. If unspecified, a default value of 0 is used.
[optional] integer count
Parameter representing the maximum number of objects to retrieve. If unspecified, a default value of 100 is used.
Response
| Status Code | Body Type | Description |
|---|---|---|
| 200 | AuthorizationCodeClient[] | Authorization code clients found |
| 401 | ErrorResponse | Unauthorized. |
| 403 | ErrorResponse | Forbidden. |
| 404 | ErrorResponse | Client or tenant not found |
| 500 | ErrorResponse | Internal server error. |
Example response body
200 Response (AuthorizationCodeClient[])
[
  {
    "RedirectUris": [
      "string"
    ],
    "PostLogoutRedirectUris": [
      "string"
    ],
    "ClientUri": "string",
    "LogoUri": "string",
    "Id": "string",
    "Name": "string",
    "Enabled": true,
    "AccessTokenLifetime": 0,
    "Tags": [
      "string"
    ],
    "AllowedCorsOrigins": [
      "string"
    ],
    "AllowOfflineAccess": true
  }
]
Authorization
Allowed for these roles:
- Tenant Member
Get Total Count Authorization Code Clients from Tenant
Returns the total number of authorization code clients in a tenant. Optionally, checks based on a list of requested clients. The value will be set in the Total-Count header. This method is identical to the GET method but it does not return any objects in the body.
Request
HEAD /api/v1/Tenants/{tenantId}/AuthorizationCodeClients
?id={id}&tag={tag}
Parameters
string tenantId
Tenant identifier.
[optional] array id
Unordered list of identifiers for all clients to get. Empty or whitespace identifiers will be ignored.
[optional] array tag
Only return clients that have these tags.
Response
| Status Code | Body Type | Description |
|---|---|---|
| 200 | None | Authorization code client headers |
| 401 | None | Unauthorized. |
| 403 | None | Forbidden. |
| 404 | None | Client or tenant not found |
| 500 | None | Internal server error. |
Authorization
Allowed for these roles:
- Tenant Member
Create an Authorization Code Client
Creates an authorization code client. No secret will be generated for this client.
Request
POST /api/v1/Tenants/{tenantId}/AuthorizationCodeClients
Parameters
string tenantId
Tenant identifier.
Request Body
New AuthorizationCodeClient object
{
  "RedirectUris": [
    "string"
  ],
  "PostLogoutRedirectUris": [
    "string"
  ],
  "ClientUri": "string",
  "LogoUri": "string",
  "Id": "string",
  "Name": "string",
  "Enabled": true,
  "AccessTokenLifetime": 0,
  "Tags": [
    "string"
  ],
  "AllowedCorsOrigins": [
    "string"
  ],
  "AllowOfflineAccess": true
}
Response
| Status Code | Body Type | Description |
|---|---|---|
| 201 | AuthorizationCodeClient | Authorization code client created |
| 400 | ErrorResponse | Missing or invalid inputs, or client limit exceeded |
| 401 | ErrorResponse | Unauthorized. |
| 403 | ErrorResponse | Forbidden. |
| 404 | ErrorResponse | Client or tenant not found |
| 408 | ErrorResponse | Operation timed out. |
| 409 | ErrorResponse | Client identifier already exists |
| 500 | ErrorResponse | Internal server error. |
Example response body
201 Response (AuthorizationCodeClient)
{
  "RedirectUris": [
    "string"
  ],
  "PostLogoutRedirectUris": [
    "string"
  ],
  "ClientUri": "string",
  "LogoUri": "string",
  "Id": "string",
  "Name": "string",
  "Enabled": true,
  "AccessTokenLifetime": 0,
  "Tags": [
    "string"
  ],
  "AllowedCorsOrigins": [
    "string"
  ],
  "AllowOfflineAccess": true
}
Authorization
Allowed for these roles:
- Tenant Administrator
Get an Authorization Code Client from Tenant
Returns an authorization code client from a tenant.
Request
GET /api/v1/Tenants/{tenantId}/AuthorizationCodeClients/{clientId}
Parameters
string tenantId
Tenant identifier.
string clientId
Client identifier.
Response
| Status Code | Body Type | Description |
|---|---|---|
| 200 | AuthorizationCodeClient | Authorization code client specified |
| 401 | ErrorResponse | Unauthorized. |
| 403 | ErrorResponse | Forbidden. |
| 404 | ErrorResponse | Client or tenant not found |
| 500 | ErrorResponse | Internal server error. |
Example response body
200 Response (AuthorizationCodeClient)
{
  "RedirectUris": [
    "string"
  ],
  "PostLogoutRedirectUris": [
    "string"
  ],
  "ClientUri": "string",
  "LogoUri": "string",
  "Id": "string",
  "Name": "string",
  "Enabled": true,
  "AccessTokenLifetime": 0,
  "Tags": [
    "string"
  ],
  "AllowedCorsOrigins": [
    "string"
  ],
  "AllowOfflineAccess": true
}
Authorization
Allowed for these roles:
- Self
- Tenant Member
Get Header for Authorization Code Client
Validates that an authorization code client exists in tenant.
Request
HEAD /api/v1/Tenants/{tenantId}/AuthorizationCodeClients/{clientId}
Parameters
string tenantId
Tenant identifier.
string clientId
Client identifier.
Response
| Status Code | Body Type | Description |
|---|---|---|
| 200 | string | Header for specified authorization code client |
| 401 | ErrorResponse | Unauthorized. |
| 403 | ErrorResponse | Forbidden. |
| 404 | ErrorResponse | Client or tenant not found |
| 500 | ErrorResponse | Internal server error. |
Authorization
Allowed for these roles:
- Self
- Tenant Member
Update an Authorization Code Client
Updates an authorization code client. It can take up to one hour for the update to manifest in the authentication process.
Request
PUT /api/v1/Tenants/{tenantId}/AuthorizationCodeClients/{clientId}
Parameters
string tenantId
Tenant identifier.
string clientId
Client identifier.
Request Body
Updated authorization code client values. Properties that are not set or are null will not be changed.
{
  "RedirectUris": [
    "string"
  ],
  "PostLogoutRedirectUris": [
    "string"
  ],
  "ClientUri": "string",
  "LogoUri": "string",
  "Id": "string",
  "Name": "string",
  "Enabled": true,
  "AccessTokenLifetime": 0,
  "Tags": [
    "string"
  ],
  "AllowedCorsOrigins": [
    "string"
  ],
  "AllowOfflineAccess": true
}
Response
| Status Code | Body Type | Description |
|---|---|---|
| 200 | AuthorizationCodeClient | Authorization code client updated |
| 400 | ErrorResponse | Missing or invalid inputs. |
| 401 | ErrorResponse | Unauthorized. |
| 403 | ErrorResponse | Forbidden. |
| 404 | ErrorResponse | Client or tenant not found |
| 408 | ErrorResponse | Operation timed out. |
| 500 | ErrorResponse | Internal server error. |
Example response body
200 Response (AuthorizationCodeClient)
{
  "RedirectUris": [
    "string"
  ],
  "PostLogoutRedirectUris": [
    "string"
  ],
  "ClientUri": "string",
  "LogoUri": "string",
  "Id": "string",
  "Name": "string",
  "Enabled": true,
  "AccessTokenLifetime": 0,
  "Tags": [
    "string"
  ],
  "AllowedCorsOrigins": [
    "string"
  ],
  "AllowOfflineAccess": true
}
Authorization
Allowed for these roles:
- Tenant Administrator
Delete an Authorization Code Client
Deletes an authorization code client. It can take up to one hour for the deletion to manifest in the authentication process. Access tokens issued to this client will be valid until their expiration.
Request
DELETE /api/v1/Tenants/{tenantId}/AuthorizationCodeClients/{clientId}
Parameters
string tenantId
Tenant identifier.
string clientId
Client identifier.
Response
| Status Code | Body Type | Description |
|---|---|---|
| 204 | None | No content |
| 401 | ErrorResponse | Unauthorized. |
| 403 | ErrorResponse | Forbidden. |
| 404 | ErrorResponse | Client or tenant not found |
| 408 | ErrorResponse | Operation timed out. |
| 409 | ErrorResponse | Found. |
| 500 | ErrorResponse | Internal server error. |
Authorization
Allowed for these roles:
- Tenant Administrator
Definitions
AuthorizationCodeClient
Object used during AuthorizationCodeClient creation
Properties
| Property Name | Data Type | Required | Nullable | Description |
|---|---|---|---|---|
| RedirectUris | string[] | false | true | Note: Required when creating a client, but optional when updating a client. Allowed URIs to which tokens or authorization codes can be returned. Wildcards are ignored. URIs must match exactly what you are redirecting to after login. If URIs do not match, the authentication process will fail with a bad_client error. Maximum 10 per client. |
| PostLogoutRedirectUris | string[] | false | true | Allowed URIs to redirect to after logout. Wildcards are ignored. URIs must match exactly what you are redirecting to after logout. Maximum 10 per client. |
| ClientUri | string | false | true | URI to a page with information about client (used on consent screen) |
| LogoUri | string | false | true | URI to client logo (used on consent screen) |
| Id | string | false | true | Client identifier for this client. This identifier should be a GUID. |
| Name | string | false | true | Name of client |
| Enabled | boolean | false | true | Whether client is enabled. Client can be used for authentication if set to true. Client cannot be used for authentication if set to false. |
| AccessTokenLifetime | int32 | false | true | Lifetime of access token issued for this client after authentication. Minimum 60 seconds. Maximum 3600 seconds. Defaults to 3600 seconds. |
| Tags | string[] | false | true | Tags for AVEVA internal use only |
| AllowedCorsOrigins | string[] | false | true | Values used by the default CORS policy service implementations to build a CORS policy for JavaScript clients |
| AllowOfflineAccess | boolean | false | true | Whether this client can request refresh tokens, by providing the offline_access scope. |
{
  "RedirectUris": [
    "string"
  ],
  "PostLogoutRedirectUris": [
    "string"
  ],
  "ClientUri": "string",
  "LogoUri": "string",
  "Id": "string",
  "Name": "string",
  "Enabled": true,
  "AccessTokenLifetime": 0,
  "Tags": [
    "string"
  ],
  "AllowedCorsOrigins": [
    "string"
  ],
  "AllowOfflineAccess": true
}
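The constraints in the property table above can be checked before a POST or PUT, or run over the objects returned by the list endpoint. The following is an added example, not AVEVA's code: `check_client`, the severity labels, and the HTTPS and CORS-origin checks are assumptions of this example, and the sample values are constructed.

```python
import uuid
from urllib.parse import urlsplit

MAX_URIS = 10                            # "Maximum 10 per client"
MIN_LIFETIME, MAX_LIFETIME = 60, 3600    # AccessTokenLifetime bounds, in seconds

def check_client(client, creating=True):
    """Return (severity, field, message) findings for one AuthorizationCodeClient dict."""
    out = []
    if creating and not client.get("RedirectUris"):
        out.append(("error", "RedirectUris", "required when creating a client"))
    for field in ("RedirectUris", "PostLogoutRedirectUris"):
        uris = client.get(field) or []
        if len(uris) > MAX_URIS:
            out.append(("error", field, f"{len(uris)} entries, maximum is {MAX_URIS}"))
        for uri in uris:
            if "*" in uri:  # wildcards are ignored, so this entry will not match as intended
                out.append(("error", field, f"wildcard in {uri!r}; list each exact URI"))
            parts = urlsplit(uri)
            # Local policy (assumption, not an API rule): HTTPS except on loopback.
            if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
                out.append(("warn", field, f"{uri!r} is plain HTTP"))
    if client.get("Id") is not None:
        try:
            uuid.UUID(client["Id"])
        except (ValueError, AttributeError, TypeError):
            out.append(("warn", "Id", "should be a GUID"))
    lifetime = client.get("AccessTokenLifetime")
    if lifetime is not None and not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
        out.append(("error", "AccessTokenLifetime", f"{lifetime}s is outside {MIN_LIFETIME}-{MAX_LIFETIME}s"))
    if client.get("AllowOfflineAccess"):
        out.append(("warn", "AllowOfflineAccess", "client can request refresh tokens (offline_access)"))
    for origin in client.get("AllowedCorsOrigins") or []:
        parts = urlsplit(origin)
        # Local policy (assumption): an origin is scheme://host[:port], no wildcard or path.
        if "*" in origin or not parts.scheme or not parts.netloc or parts.path not in ("", "/"):
            out.append(("warn", "AllowedCorsOrigins", f"{origin!r} is not a single exact origin"))
    return out

# Constructed sample, shaped like the AuthorizationCodeClient object above.
SAMPLE = {
    "Id": "my-spa",
    "Name": "Constructed SPA client",
    "RedirectUris": ["https://app.example.test/callback", "https://*.example.test/cb"],
    "PostLogoutRedirectUris": ["http://app.example.test/bye"],
    "AccessTokenLifetime": 0,
    "AllowedCorsOrigins": ["https://app.example.test", "*"],
    "AllowOfflineAccess": True,
}
```

`check_client(SAMPLE)` returns six findings: two errors (the wildcard redirect URI and the out-of-range AccessTokenLifetime) and four warnings. Pass `creating=False` when checking a PUT body, where RedirectUris is optional.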
ErrorResponse
Object returned whenever there is an error
Properties
| Property Name | Data Type | Required | Nullable | Description |
|---|---|---|---|---|
| OperationId | string | true | false | Operation identifier of action that caused the error |
| Error | string | true | false | Error description |
| Reason | string | true | false | Reason for the error |
| Resolution | string | true | false | Resolution to resolve the error |
| DynamicProperties | object | false | true | Additional properties |
{
  "OperationId": "string",
  "Error": "string",
  "Reason": "string",
  "Resolution": "string",
  "DynamicProperties": {
    "property1": null,
    "property2": null
  },
  "property1": null,
  "property2": null
}