Create Connected App - Stytch Docs

// POST /v1/connected_apps/clients
const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  client_type: "first_party",
  client_name: "My Sample Client",
  client_description: "My sample client for testing out Connected Apps",
  redirect_urls: ["https://example.com/callback"],
  full_access_allowed: false,
};

client.ConnectedApp.Clients.Create(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "connected_app": {
    "client_id": "<string>",
    "client_name": "<string>",
    "client_description": "<string>",
    "status": "<string>",
    "full_access_allowed": true,
    "client_type": "<string>",
    "redirect_urls": [
      "<string>"
    ],
    "access_token_expiry_minutes": 123,
    "access_token_template_content": "<string>",
    "post_logout_redirect_urls": [
      "<string>"
    ],
    "bypass_consent_for_offline_access": true,
    "client_secret_last_four": "<string>",
    "next_client_secret_last_four": "<string>",
    "client_secret": "<string>",
    "access_token_custom_audience": "<string>",
    "logo_url": "<string>",
    "client_id_metadata_url": "<string>"
  },
  "status_code": 123
}

POST

connected_apps

clients

// POST /v1/connected_apps/clients
const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  client_type: "first_party",
  client_name: "My Sample Client",
  client_description: "My sample client for testing out Connected Apps",
  redirect_urls: ["https://example.com/callback"],
  full_access_allowed: false,
};

client.ConnectedApp.Clients.Create(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "connected_app": {
    "client_id": "<string>",
    "client_name": "<string>",
    "client_description": "<string>",
    "status": "<string>",
    "full_access_allowed": true,
    "client_type": "<string>",
    "redirect_urls": [
      "<string>"
    ],
    "access_token_expiry_minutes": 123,
    "access_token_template_content": "<string>",
    "post_logout_redirect_urls": [
      "<string>"
    ],
    "bypass_consent_for_offline_access": true,
    "client_secret_last_four": "<string>",
    "next_client_secret_last_four": "<string>",
    "client_secret": "<string>",
    "access_token_custom_audience": "<string>",
    "logo_url": "<string>",
    "client_id_metadata_url": "<string>"
  },
  "status_code": 123
}

If the Connected App client_type is first_party or third_party (i.e. a confidential client), a client_secret is returned.

This is the only time you will be able to view the generated client_secret in the API response. Stytch stores a hash of the client_secret and cannot recover the value if lost. Be sure to persist the client_secret in a secure location. If the client_secret is lost, you will need to trigger a secret rotation flow to receive another one.

Authorizations

Authorization

string

header

required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

client_type

enum<string>

required

The type of Connected App. Supported values are first_party, first_party_public, third_party, and third_party_public.

Available options:

first_party,

first_party_public,

third_party,

third_party_public

client_name

string

A human-readable name for the client.

client_description

string

A human-readable description for the client.

redirect_urls

string[]

Array of redirect URI values for use in OAuth Authorization flows.

full_access_allowed

boolean

Valid for first party clients only. If true, an authorization token granted to this Client can be exchanged for a full Stytch session.

access_token_expiry_minutes

integer<int32>

The number of minutes before the access token expires. The default is 60 minutes.

access_token_custom_audience

string

The custom audience for the access token.

access_token_template_content

string

The content of the access token custom claims template. The template must be a valid JSON object.

post_logout_redirect_urls

string[]

Array of redirect URI values for use in OIDC Logout flows.

logo_url

string

The logo URL of the Connected App, if any.

Valid for first party clients only. If true, the client does not need to request explicit user consent for the offline_access scope.

Response

Successful response

request_id

string

required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

connected_app

object

required

The Connected App created by this API call.

Show child attributes

status_code

integer<int32>

required

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

⌘I