Skip to Content
Admin ConsoleApplications

Managing Applications

Applications in Auris represent the OAuth 2.0 client registrations for your web apps, mobile apps, APIs, and machine-to-machine services. Every client that connects to Auris to authenticate users or obtain tokens must first be registered as an application.

The Applications section of the Console is where you create and manage these registrations, configure the OAuth settings each client needs, and control what data appears in the tokens your applications receive.


Application Types

Auris supports four application types. Choose the type that best matches your client’s architecture:

TypeUse CaseGrant TypesSecret Required
WEBBrowser-based single-page apps, server-rendered web appsAuthorization Code + PKCENo (PKCE replaces secret)
MOBILENative iOS and Android appsAuthorization Code + PKCENo (PKCE replaces secret)
APIResource servers that validate tokens but do not initiate authToken introspectionOptional
M2MServer-to-server services, background workers, CI/CD pipelinesClient CredentialsYes

Note: For WEB and MOBILE applications, do not embed the client secret in your frontend code. PKCE (Proof Key for Code Exchange) provides equivalent security without requiring a secret on the client side.


Creating an Application

Open the Applications list

In the Console sidebar, click Applications. The list shows all registered applications with their name, type badge, client ID, and creation date.

Click Create Application

Click the Create Application button in the top-right corner of the Applications list page.

Choose the application type

Select from WEB, MOBILE, API, or M2M. This determines which configuration tabs and grant types are available for this application. The type cannot be changed after creation.

Enter the application name and description

The name appears in the Console UI and may optionally appear on the hosted login page if you configure per-application branding. The description is for internal administrative reference only.

Configure initial settings

Depending on the type, you may be prompted to enter:

  • Redirect URIs (WEB, MOBILE): At least one callback URL is required before the application can be used with the Authorization Code flow.
  • Allowed Scopes (M2M): The scopes this service account is permitted to request.

Save

Click Create. The application is created immediately. The Credentials tab opens, showing your Client ID and Client Secret (for M2M applications).


Application Detail Page

Once an application is created, clicking its name opens the detail page. The detail page is organized into tabs:

Credentials Tab

The Credentials tab shows the OAuth identifiers for this application.

Client ID

The client ID is a unique identifier assigned by Auris at creation time. It is safe to expose in frontend code. Use this value as the clientId in your SDK configuration.

your-client-id-here

Client Secret (M2M and API applications only)

The client secret is shown in full only once — immediately after creation. After you leave the Credentials tab, the Console displays only the last four characters.

To view or rotate the secret:

  1. Click Show Secret to reveal the last-four-character preview
  2. Click Rotate Secret to generate a new secret

Note: When you rotate a client secret, the old secret remains valid for a grace period of 24 hours. This allows you to update your server-side configuration without causing an immediate authentication failure. After the grace period, the old secret is permanently invalidated.

Store client secrets securely. Treat them as passwords — never commit them to source control or expose them in logs.


URIs Tab

The URIs tab configures which URLs Auris will interact with for this application.

Redirect URIs (Allowed Callback URLs)

These are the URLs Auris is permitted to redirect to after a successful authorization code exchange. The redirect_uri provided at runtime must exactly match one of the registered values — partial matches, wildcards, and trailing slash mismatches are all rejected.

For security, Auris does not support wildcard redirect URIs. Each callback URL must be registered exactly as it will be used at runtime, including the protocol (https://), hostname, port, and path.

Add one URI per line. Typical values:

https://app.yourdomain.com/auth/callback http://localhost:3000/auth/callback

Allowed Origins (CORS)

Origins from which the browser is allowed to make direct requests to the Auris API. Used for cross-origin token refresh requests from SPAs. Enter origins without a trailing path:

https://app.yourdomain.com http://localhost:3000

Logout URLs

URLs Auris is permitted to redirect to after a logout request (/logout endpoint). Add the post-logout landing page for your application:

https://app.yourdomain.com http://localhost:3000

Settings Tab

The Settings tab controls token lifetimes and grant type permissions.

SettingDescriptionDefault
Access Token LifetimeHow long access tokens are valid (seconds)3600 (1 hour)
Refresh Token LifetimeHow long refresh tokens are valid (seconds)2592000 (30 days)
Refresh Token RotationIssue a new refresh token each time one is usedEnabled
Allowed Grant TypesWhich OAuth 2.0 grant types this application may useauthorization_code, refresh_token
Require PKCEWhether PKCE is enforced for this application (WEB/MOBILE always on)Yes for WEB/MOBILE

Refresh Token Rotation

When enabled (default), each use of a refresh token issues a new refresh token and invalidates the one that was just used. This limits the window of exposure if a refresh token is stolen, because the legitimate client will detect that its token was already used and can revoke the session.


Custom Claims Tab

Custom claims allow you to embed additional data into the JWT access tokens issued for this application. Claims are evaluated at token issuance time and vary per user.

Claim Types

TypeDescriptionExample Value
STATICA fixed value, the same for every token"v2", "eu-west"
USER_ATTRIBUTEA value read from the user’s profile attributesmetadata.department
ROLE_BASEDA value that varies based on which roles the user hasMap admin role → "premium"
EXPRESSIONA JavaScript expression evaluated against the user objectuser.emailVerified ? 'verified' : 'unverified'

Adding a Claim

  1. Click Add Claim
  2. Enter the Claim Key — this is the property name that will appear in the JWT payload (for example, department, plan, org_id)
  3. Select the Value Type from the dropdown
  4. Configure the value source based on the type
  5. Toggle Active on to include this claim in issued tokens
  6. Click Save

Preview

Use the Preview button to test claim resolution. Enter a user ID and click Preview to see what the JWT payload would look like for that user with all configured claims applied.

Custom claim keys must not collide with reserved JWT claims (iss, sub, aud, exp, iat, jti) or Auris standard claims (roles, type, tenantId). The Console will warn you if a reserved key is entered.

For implementation details on reading custom claims in your SDK, see Custom Claims.


M2M Scopes Tab

This tab is only visible for applications of type M2M. It controls which scopes a machine-to-machine client is permitted to request when using the client_credentials grant type.

Scope Format

Scopes follow the action:resource format, matching the same permission format used throughout Auris:

read:users write:invoices admin:reports

Configuring Scopes

  1. Click Add Scope
  2. Enter the scope string (for example, read:orders)
  3. Optionally add a description for the scope
  4. Click Save

When the M2M client requests a token, it may only request scopes that are listed here. Requesting an unlisted scope results in an error.

Verifying Scopes on Your API

Your API server should validate that the incoming token contains the required scope before serving a request:

// Node.js example — verify M2M token scope import { createLocalJWKSet, jwtVerify } from 'jose' export async function verifyM2MToken(bearerToken, requiredScope) { const JWKS = createLocalJWKSet(await fetchJwks()) const { payload } = await jwtVerify(bearerToken, JWKS) if (payload.type !== 'm2m') { throw new Error('Not an M2M token') } const scopes = payload.scope?.split(' ') ?? [] if (!scopes.includes(requiredScope)) { throw new Error(`Missing required scope: ${requiredScope}`) } return payload }

For full M2M implementation details, see M2M Client Credentials.


Deleting an Application

To delete an application:

  1. Open the application detail page
  2. Scroll to the bottom of the Settings tab
  3. Click Delete Application
  4. Confirm deletion in the dialog

Note: Deleting an application is permanent. Any tokens issued for this application will become unverifiable after deletion, since the client ID will no longer exist. Ensure all running services using this application’s credentials have been updated before deleting.