/
Contact usSee pricingStart building
Node
​

    About Stytch

    Introduction
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Migrations
      Migration overview
      Migrating users statically
      Migrating users dynamically
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for users
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    Magic Links

    • Email Magic Links

        • Getting started with the API
        Getting started with the SDK
        Replacing your password reset flow
        Building an invite user flow
        Add magic links to an existing auth flow
        Adding PKCE to a Magic Link flow
        Magic Link redirect routing

    • Embeddable Magic Links

        • Getting started with the API
    MFA
      Overview
      Backend integration
      Frontend integration
    Mobile Biometrics
      Overview
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0
    OAuth

    • Identity providers

        • Overview
        Provider setup
      Getting started with the API (Google)
      Add Google One Tap via the SDK
      Email address behavior
      Adding PKCE to an OAuth flow
    Connected AppsBeta
      Setting up Connected Apps
      Client types

    • Integration Guides

        • Integrate with AI agents
        Integrate with MCP servers
        Integrate with CLI Apps

    • Resources

        • About Remote MCP Servers
        Consent Management
    Passcodes
      Getting started with the API
      Getting started with the SDK

    • Toll fraud

        • What is SMS toll fraud?
        How you can prevent toll fraud
      Unsupported countries
    Passkeys & WebAuthn

    • Passkeys

        • Passkeys overview
        Set up Passkeys with the frontend SDK

    • WebAuthn

        • Getting started with the API
        Getting started with the SDK
    Passwords
      Getting started with the API
      Getting started with the SDK
      Password strength policy

    • Email verification

        • Overview
        Email verification before password creation
        Email verification after password creation
    Sessions
      How to use sessions
      Backend integrations
      Frontend integrations
      Custom claims
      Custom claim templates
      Session tokens vs JWTs
      How to use Stytch JWTs
    TOTP
      Getting started with the API
      Getting started with the SDK
    Web3
      Getting started with the API
      Getting started with the SDK

    Authorization

    Implement RBAC with metadata

    3rd Party Integrations

    Planetscale
    Supabase
    Feathery
    Unit

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

Consumer Authentication

/

Guides

/

Authentication

/

Connected Apps

/

Client types

Understanding Client Types in Stytch Connected Apps

Stytch's Connected Apps feature enables Stytch-powered Applications to act as the Identity Provider (IdP) for OAuth 2.0 clients—these might be internal tools, third-party integrations, or community-built apps. All clients fall into one of four categories, defined by two key properties:

  1. Ownership: Is the app first-party (owned by you) or third-party (built by an external developer)?
  2. Confidentiality: Is the app confidential (able to securely store a client secret) or public (unable to store secrets securely)?

Combining these yields four distinct client types: First-Party, First-Party Public, Third-Party, and Third-Party Public.

Note: Connected Apps always act on behalf of an end user and are constrained to a subset of that user's permissions.
For non-interactive machine identities that act independently of user sessions, refer to the M2M Product .

Use Case Overview

Use CaseRecommended Client Type
Secondary sites you own and want to share user data withFirst-Party
Native mobile apps or CLI tools developed by youFirst-Party Public
Third-party integrations that want to access user data (e.g. plugins)Third-Party
Third-party CLI tools, desktop apps, or dynamically registered clientsThird-Party Public

Ownership

First-Party Applications

These are trusted applications developed and managed by you, the owner of the Stytch project. First party applications are:

  • Often exempt from explicit consent screens, depending on your configuration and scopes.
  • Eligible for session exchange, enabling session sharing across websites and devices.

Third-Party Applications

These apps are built and maintained by external developers or companies.

  • End-user consent is required for all interactions.
  • Session exchange is not supported—access is scoped strictly to the OAuth tokens issued.

Confidentiality

Confidential Clients

Confidential clients are capable of storing secrets securely, typically traditional server-based applications. Confidential clients are:

  • Issued a client secret which can be used via client_secret_post or client_secret_basic authentication mechanisms. PKCE is recommended but not required.
  • Must adhere to strict HTTPS redirect URIs in production. Localhost or loopback redirects are not allowed.
  • Refresh tokens do not rotate; they remain valid until revoked or expired.

Public Clients

Public clients run in environments where secure storage is not possible, such as native or CLI apps. Public clients:

  • Are not issued a client secret and use the client_secret=none authentication strategy. Public clients must use PKCE for secure authorization code exchange.
  • May use more permissive redirect URIs, including loopback and custom schemes.
  • Refresh tokens rotate on use, and the platform detects replay attempts to guard against theft.

Use Case Overview

Ownership

First-Party Applications

Third-Party Applications

Confidentiality

Confidential Clients

Public Clients