Managing Applications
Applications in Auris represent the OAuth 2.0 client registrations for your web apps, mobile apps, APIs, and machine-to-machine services. Every client that connects to Auris to authenticate users or obtain tokens must first be registered as an application.
The Applications section of the Console is where you create and manage these registrations, configure the OAuth settings each client needs, and control what data appears in the tokens your applications receive.
Application Types
Auris supports four application types. Choose the type that best matches your client’s architecture:
| Type | Use Case | Grant Types | Secret Required |
|---|---|---|---|
| WEB | Browser-based single-page apps, server-rendered web apps | Authorization Code + PKCE | No (PKCE replaces secret) |
| MOBILE | Native iOS and Android apps | Authorization Code + PKCE | No (PKCE replaces secret) |
| API | Resource servers that validate tokens but do not initiate auth | Token introspection | Optional |
| M2M | Server-to-server services, background workers, CI/CD pipelines | Client Credentials | Yes |
Note: For WEB and MOBILE applications, do not embed the client secret in your frontend code. PKCE (Proof Key for Code Exchange) provides equivalent security without requiring a secret on the client side.
Creating an Application
Open the Applications list
In the Console sidebar, click Applications. The list shows all registered applications with their name, type badge, client ID, and creation date.
Click Create Application
Click the Create Application button in the top-right corner of the Applications list page.
Choose the application type
Select from WEB, MOBILE, API, or M2M. This determines which configuration tabs and grant types are available for this application. The type cannot be changed after creation.
Enter the application name and description
The name appears in the Console UI and may optionally appear on the hosted login page if you configure per-application branding. The description is for internal administrative reference only.
Configure initial settings
Depending on the type, you may be prompted to enter:
- Redirect URIs (WEB, MOBILE): At least one callback URL is required before the application can be used with the Authorization Code flow.
- Allowed Scopes (M2M): The scopes this service account is permitted to request.
Save
Click Create. The application is created immediately. The Credentials tab opens, showing your Client ID and Client Secret (for M2M applications).
Application Detail Page
Once an application is created, clicking its name opens the detail page. The detail page is organized into tabs:
Credentials Tab
The Credentials tab shows the OAuth identifiers for this application.
Client ID
The client ID is a unique identifier assigned by Auris at creation time. It is safe to expose in frontend code. Use this value as the clientId in your SDK configuration.
your-client-id-hereClient Secret (M2M and API applications only)
The client secret is shown in full only once — immediately after creation. After you leave the Credentials tab, the Console displays only the last four characters.
To view or rotate the secret:
- Click Show Secret to reveal the last-four-character preview
- Click Rotate Secret to generate a new secret
Note: When you rotate a client secret, the old secret remains valid for a grace period of 24 hours. This allows you to update your server-side configuration without causing an immediate authentication failure. After the grace period, the old secret is permanently invalidated.
Store client secrets securely. Treat them as passwords — never commit them to source control or expose them in logs.
URIs Tab
The URIs tab configures which URLs Auris will interact with for this application.
Redirect URIs (Allowed Callback URLs)
These are the URLs Auris is permitted to redirect to after a successful authorization code exchange. The redirect_uri provided at runtime must exactly match one of the registered values — partial matches, wildcards, and trailing slash mismatches are all rejected.
For security, Auris does not support wildcard redirect URIs. Each callback URL must be registered
exactly as it will be used at runtime, including the protocol (https://), hostname, port, and
path.
Add one URI per line. Typical values:
https://app.yourdomain.com/auth/callback
http://localhost:3000/auth/callbackAllowed Origins (CORS)
Origins from which the browser is allowed to make direct requests to the Auris API. Used for cross-origin token refresh requests from SPAs. Enter origins without a trailing path:
https://app.yourdomain.com
http://localhost:3000Logout URLs
URLs Auris is permitted to redirect to after a logout request (/logout endpoint). Add the post-logout landing page for your application:
https://app.yourdomain.com
http://localhost:3000Settings Tab
The Settings tab controls token lifetimes and grant type permissions.
| Setting | Description | Default |
|---|---|---|
| Access Token Lifetime | How long access tokens are valid (seconds) | 3600 (1 hour) |
| Refresh Token Lifetime | How long refresh tokens are valid (seconds) | 2592000 (30 days) |
| Refresh Token Rotation | Issue a new refresh token each time one is used | Enabled |
| Allowed Grant Types | Which OAuth 2.0 grant types this application may use | authorization_code, refresh_token |
| Require PKCE | Whether PKCE is enforced for this application (WEB/MOBILE always on) | Yes for WEB/MOBILE |
Refresh Token Rotation
When enabled (default), each use of a refresh token issues a new refresh token and invalidates the one that was just used. This limits the window of exposure if a refresh token is stolen, because the legitimate client will detect that its token was already used and can revoke the session.
Custom Claims Tab
Custom claims allow you to embed additional data into the JWT access tokens issued for this application. Claims are evaluated at token issuance time and vary per user.
Claim Types
| Type | Description | Example Value |
|---|---|---|
| STATIC | A fixed value, the same for every token | "v2", "eu-west" |
| USER_ATTRIBUTE | A value read from the user’s profile attributes | metadata.department |
| ROLE_BASED | A value that varies based on which roles the user has | Map admin role → "premium" |
| EXPRESSION | A JavaScript expression evaluated against the user object | user.emailVerified ? 'verified' : 'unverified' |
Adding a Claim
- Click Add Claim
- Enter the Claim Key — this is the property name that will appear in the JWT payload (for example,
department,plan,org_id) - Select the Value Type from the dropdown
- Configure the value source based on the type
- Toggle Active on to include this claim in issued tokens
- Click Save
Preview
Use the Preview button to test claim resolution. Enter a user ID and click Preview to see what the JWT payload would look like for that user with all configured claims applied.
Custom claim keys must not collide with reserved JWT claims (iss, sub, aud, exp, iat,
jti) or Auris standard claims (roles, type, tenantId). The Console will warn you if a
reserved key is entered.
For implementation details on reading custom claims in your SDK, see Custom Claims.
M2M Scopes Tab
This tab is only visible for applications of type M2M. It controls which scopes a machine-to-machine client is permitted to request when using the client_credentials grant type.
Scope Format
Scopes follow the action:resource format, matching the same permission format used throughout Auris:
read:users
write:invoices
admin:reportsConfiguring Scopes
- Click Add Scope
- Enter the scope string (for example,
read:orders) - Optionally add a description for the scope
- Click Save
When the M2M client requests a token, it may only request scopes that are listed here. Requesting an unlisted scope results in an error.
Verifying Scopes on Your API
Your API server should validate that the incoming token contains the required scope before serving a request:
// Node.js example — verify M2M token scope
import { createLocalJWKSet, jwtVerify } from 'jose'
export async function verifyM2MToken(bearerToken, requiredScope) {
const JWKS = createLocalJWKSet(await fetchJwks())
const { payload } = await jwtVerify(bearerToken, JWKS)
if (payload.type !== 'm2m') {
throw new Error('Not an M2M token')
}
const scopes = payload.scope?.split(' ') ?? []
if (!scopes.includes(requiredScope)) {
throw new Error(`Missing required scope: ${requiredScope}`)
}
return payload
}For full M2M implementation details, see M2M Client Credentials.
Deleting an Application
To delete an application:
- Open the application detail page
- Scroll to the bottom of the Settings tab
- Click Delete Application
- Confirm deletion in the dialog
Note: Deleting an application is permanent. Any tokens issued for this application will become unverifiable after deletion, since the client ID will no longer exist. Ensure all running services using this application’s credentials have been updated before deleting.
Related Guides
- Hosted Login (Authorization Code + PKCE) — Implement OAuth 2.0 PKCE in your frontend
- M2M Client Credentials — Server-to-server authentication with client credentials
- Custom Claims — Embed user and role data in JWT tokens
- Token Verification — Validate Auris JWTs on your API server