OAuth Clients
The console and API expose an OAuth client registry and authorization-code endpoints with PKCE. They are useful for inspecting the intended delegated authorization shape, but they do not currently form a supported end-to-end public API authentication contract.
:::danger Current support boundary
Tokens returned by /v1/oauth/token are not accepted by the main public API
bearer-authentication path. Do not ship a production integration on this flow
until Keeptrusts publishes a supported OAuth bearer contract. For unattended
service automation, use a scoped API token.
:::
Register a client
Open API Tokens → OAuth Clients, open Actions, and select Register OAuth client. Provide:
- a recognizable application name;
- every exact redirect URI; and
- the scopes you intend the application to request.
The API registers a public PKCE client and returns a client ID. It does not issue a client secret. Copy the client ID and keep the registered metadata in the integration's design record.
The current console success view still contains client-secret copy, but the
API response has no client_secret field. A blank value in that view is not a
credential.
Registered scopes are currently stored and displayed as client metadata, but the authorization handler does not enforce that a requested scope is a subset of the registered values. Do not treat the registry selection as an authorization boundary.
Redirect URI rules
Register an HTTPS callback. The current validator also accepts an HTTP
local-development URI string that begins with http://localhost; keep that
exception on an actual localhost host. The callback must match the registered
URI exactly, including:
- scheme;
- hostname;
- port;
- path; and
- any environment-specific distinction.
Do not add broad or unused callbacks. Register development, staging, and production URIs only when each is an intentional deployment target. Prefer separate clients when the environments need separate ownership or revocation.
Understand the current PKCE mechanics
The current endpoints implement these mechanics:
- The caller creates a high-entropy code verifier and its
S256challenge. - An authenticated Keeptrusts user calls
/v1/oauth/authorizewith the client, redirect URI, scope, challenge, and state. - The API returns JSON containing
redirect_urias the full callback URL with the code and optional state appended, plus the one-time authorizationcodeas a separate field; it does not perform the browser redirect. - The caller validates
state, moves the browser to the returned URI, and exchanges the code and original verifier at/v1/oauth/token. - The caller stops at the current support boundary: the resulting access token is not a supported public API bearer credential.
There is no separate consent screen or approval step in the current authorize
handler. Validate state in the client to bind the callback to the initiating
browser session. Never log authorization codes, code verifiers, or token
artifacts.
Use the discovery and endpoint details published by the active Keeptrusts environment rather than hard-coding an endpoint copied from another region or deployment.
Least-privilege review
For each client, record:
- owner and support contact;
- business purpose;
- environments and redirect URIs;
- intended scopes;
- client replacement review date; and
- revocation plan.
The console registry supports search by name, client ID, scope, and redirect URI. Use it during periodic review to find unexpected callbacks or scopes.
Replace a client registration
There is no client secret to rotate. To change client identity or isolate an environment, use a controlled registration replacement:
- Register a new client with the exact callbacks and intended scopes.
- Update the application to use the new client ID.
- Exercise the PKCE mechanics in a non-production environment while observing the support boundary above.
- Deactivate the old client after every registered environment is accounted for.
- Revoke known old access and refresh token artifacts separately.
- Review Trail.
Do not deactivate the old client before every environment has a reviewed replacement plan.
Deactivate a client
The console delete action deactivates the client rather than removing its
record. Deactivation blocks new authorization requests for that client, but it
does not revoke existing token records. Revoke each known access or refresh
token separately at /v1/oauth/revoke.
Before deactivation:
- identify every environment using the client ID;
- inventory and revoke known token artifacts;
- preserve required audit evidence;
- schedule and communicate the change; and
- verify the replacement registration where continued testing is required.
Troubleshooting
| Failure | Check |
|---|---|
| Redirect mismatch | Exact registered URI, including scheme, port, path, and trailing slash |
| Invalid client | Client ID, active state, and environment |
| PKCE failure | Same verifier used for the challenge and code exchange; S256 challenge method |
| Authorize call does not redirect | Expected current behavior: read the JSON redirect_uri and code; the API does not issue an HTTP redirect |
Issued token receives 401 on the public API | Expected current boundary: OAuth token artifacts are not accepted by the main public bearer path |
| Scope appears accepted unexpectedly | Registered scope values are not currently enforced as the authorize-request ceiling |
| Repeated callback or state error | One-time code use, state validation, session storage, and clock |