Create other API clients

Important: Effective December 1, 2020, the other API client type is deprecated and no longer available as an option when you create a new API client. Existing API clients that use this type will continue to work. AppDirect recommends that you migrate existing API clients that use this type to another API client type. See Create API clients or Edit API clients for more information.

Marketplace Managers can create API clients that are designed to ensure compatibility with existing APIs. When you select the client type in step 4 of the following procedure, the option is named Other. AppDirect recommends that users create new API clients using only the four other API client types. See Create API clients for web server applications, Create API clients for single page web applications, Create API clients for native applications and Create API clients for non-interactive applications for information on the recommended client types.

Note: The following procedure can no longer be completed after December 1, 2020. See API clients for a description of other options.

To create other API clients

Note: If the AppDirect logo appears in the upper-left corner of the page, when Manage > Marketplace appears in this topic, click the grid icon > Switch to | Store, instead.

  1. Go to Manage > Marketplace Settings > Integration | API Clients. The API Clients page opens.
  2. Click Create API Client. The API Client Settings dialog opens.
  3. Enter a name for the API client.
  4. Under Client Type, select Other from the drop-down list.
  5. (Optional) Enable or Disable OAuth 1.0 and OAuth 2.0 as required for your marketplace. Note that OAuth 1.0 is enabled by default, but it can be disabled.
  6. If you set OAuth 2.0 to Enable, grant type fields appear. Select at least one grant type from the following list:

    • Authorization Code—Used with server-side applications. The API client interacts with the user's web browser and receives API authorization codes.
    • Implicit—Used with mobile applications or web applications (applications that run on the user's device). The user is asked to authorize the application, then the authorization server passes the access token back to the user-agent, which passes it to the application.
    • Password—Used with trusted applications. After a user gives their credentials to the application, the application requests an access token from the authorization server. After user credentials are verified, the authorization server returns an access token to the application.
    • Client Credentials—Provides an application a way to access its own service account, for example, to access other data stored in its service account via the API. The application requests an access token by sending its credentials, its client ID and client secret to the authorization server. After application credentials are verified, the authorization server returns an access token to the application.
    • Refresh Token—A special type of token that can be used to obtain a renewed access token at any time.
  7. If OAuth 2.0 is set to Enable and you selected Authorization Code or Implicit (or both), the Redirect URL field appears. Enter the redirect URL.
  8. (Optional) If OAuth 2.0 is set to Enable and you selected Authorization Code, Implicit or Password (or any combination of these), Allowed Scopes (Permissions) fields appear. The selections you make here define what the API client can do and what resources it can access. Manage any of the following scopes as required:

    • OpenID Connect scopes—Allows an API client to verify the identity of an end user using the OpenID Connect protocol. Select one of the following:

      • ID Token—Allows this client to be used for OpenID Connect SSO.
      • Basic User Information—Allows an API client to access a user’s email address and basic profile information such as first name, last name, and email address contained in the UserInfo API.
    • User-level scopes—Select one or more of the user roles in the checklist to allow the API client to act on behalf of marketplace users with those user roles.
    • System-level scopes—Defines if this client should be granted read only or read and write access.

    See Scopes to learn more.

  9. (Optional) If you selected ID Token under OpenID Connect scopes in the previous step, the Persistent SSO field appears. Selecting this option gives marketplace users the option to remain logged in when authenticating with a trusted mobile application that has enabled persistent Single Sign-On (SSO), such as Mobile MyApps.
  10. If OAuth 2.0 is set to Enable and you selected Authorization Code, Implicit, Password or Client Credentials (or any combination of these), the Requested Scopes Policy section opens, with a Require API Clients to Request Scopes setting. This setting is enabled by default for all new API clients. When this recommended setting is enabled, the marketplace no longer returns access tokens with all allowed scopes when no scopes are requested by the API client.

    Note: To ensure compatibility with previously created API clients, this setting is disabled for all existing API clients. API developers of existing integrations are encouraged to update their integrations with the new setting enabled, thereby requiring the API client to request the specific scopes it needs. To disable this setting, clear the checkbox.

  11. (Optional) Allowed IP Addresses. Configure a comma-separated list of IP addresses from which this API client is allowed to send requests. Leave blank to allow all IP addresses. CIDR notation is supported.

  12. Click Save Settings. The new API client is created, along with a Consumer Secret and Consumer Key. A message appears that includes the Consumer Secret and a warning that you should copy and store the secret in a safe location because it cannot be retrieved after the message is dismissed.
  13. Copy the Consumer Secret, then paste it in a file where you can retrieve it later as needed.

    Note: If you cannot locate the Consumer Secret, you can regenerate it. See Edit API clients to learn more.
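
The Allowed IP Addresses field in step 11 can be reviewed before it is saved. The following Python sketch is an added example, not AppDirect code: it models only the semantics described in that step (comma-separated entries, CIDR supported, blank allows all). The function names, the 256-address review threshold, the tolerance for spaces around commas and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress

# Constructed sample value for the field; documentation address ranges only.
SAMPLE_FIELD = "198.51.100.7, 192.0.2.0/28"

def parse_allowed_ips(field_value):
    """Parse the comma-separated field into networks; ValueError on a bad entry."""
    networks = []
    for raw in field_value.split(","):
        entry = raw.strip()  # assumption: spaces around commas are harmless
        if not entry:
            continue  # blank field or stray comma
        # strict=True rejects entries with host bits set, such as 192.0.2.5/24,
        # which usually means the prefix length is a typo.
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks

def review_allowed_ips(field_value, max_addresses=256):
    """Return the findings a reviewer would raise before saving the field."""
    try:
        networks = parse_allowed_ips(field_value)
    except ValueError as exc:
        return [f"invalid entry: {exc}"]
    if not networks:
        return ["blank list: requests are allowed from all IP addresses"]
    findings = []
    for net in networks:
        if net.prefixlen == 0:
            findings.append(f"{net} matches every address")
        elif net.num_addresses > max_addresses:
            findings.append(f"{net} covers {net.num_addresses} addresses")
    return findings

def is_allowed(source_ip, field_value):
    """Model the described behaviour: blank allows all, otherwise match any entry."""
    networks = parse_allowed_ips(field_value)
    if not networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in networks)

if __name__ == "__main__":
    print(review_allowed_ips(SAMPLE_FIELD))
    for ip in ("198.51.100.7", "192.0.2.14", "192.0.2.16"):
        print(ip, is_allowed(ip, SAMPLE_FIELD))
```

Running the review against the value you intend to paste into the field catches a blank list, a catch-all prefix or a mistyped CIDR before the API client goes live.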