Important: As of December 1, 2020, when you create a new API client or edit an existing API client, the Requested scopes policy option is no longer available. All new API clients will be required to explicitly request the scopes they need. Existing API clients will continue to work after the update takes effect.
To create an API client for a web server application
Note: If the AppDirect logo appears in the upper-left corner of the page, when Manage > Marketplace appears in this topic, click the grid icon > Switch to | Store, instead.
Under Client Type, select Single page web application from the drop-down list.
Note that for single page web application API clients, the only available grant type is implicit. It is selected by default and cannot be changed. The implicit grant type is used with applications that run on the user's device. The user is asked to authorize the application, then the authorization server passes the access token back to the user-agent, which passes it to the application. The implicit grant type is similar to authorization code with notable differences:
Under Allowed Scopes (Permissions), define the API client's permissions—that is, what it can do on behalf of a user and what resources it can access. Manage any of the following scopes as required:
OpenID Connect scopes—Allows an API client to verify the identity of an end user using the OpenID Connect protocol. Select one of the following:
See Scopes to learn more.
(Optional) Allowed IP Addresses. Configure a comma-separated list of IP addresses from which this API client is allowed to send requests. Leave blank to allow all IP addresses. CIDR notation is supported.
If you selected the Authorization Code or Password grant type, or both, the Requested Scopes Policy section opens, with a Require API Clients to Request Scopes setting. This setting is enabled by default for all new API clients. When this recommended setting is enabled, the marketplace no longer returns access tokens with all allowed scopes, when no scopes are requested by the API client.
Note: To ensure compatibility with previously created API clients, this setting is disabled for all existing API clients. API developers of existing integrations are encouraged to update their integrations with the new setting enabled, thereby requiring the API client to request specific scopes they need. To disable this setting, clear the checkbox.
Copy the Consumer Secret, then paste it in a file where you can retrieve it later as needed.
Note: If you cannot locate the Consumer Secret, you can regenerate it. See Edit API clients to learn more.