Skip to content

Applications

Applications are OAuth2 clients registered in a workspace. They represent pieces of software — SPAs, mobile apps, backend services — that authenticate users or request tokens from Kotauth.

Required scopes: applications:read for GET requests, applications:write for PUT / DELETE.


{
"id": 5,
"clientId": "my-spa",
"name": "My SPA",
"description": "Frontend web application",
"accessType": "public",
"enabled": true,
"redirectUris": [
"https://app.yourdomain.com/callback",
"http://localhost:3000/callback"
],
"audience": "https://api.yourdomain.com"
}
FieldTypeDescription
idintegerInternal numeric ID
clientIdstringThe OAuth2 client_id — what you pass to OAuth2 libraries
namestringHuman-readable application name
descriptionstring | nullOptional description
accessTypepublic | confidentialPublic = no secret, must use PKCE; Confidential = has client secret
enabledbooleanfalse = disabled, blocks new logins
redirectUrisstring[]Allowed OAuth2 redirect URIs
audiencestring | nullCustom JWT aud claim. Falls back to clientId if null. Max 200 characters.

GET /t/{slug}/api/v1/applications

Example request:

Terminal window
curl https://auth.yourdomain.com/t/my-app/api/v1/applications \
-H "Authorization: Bearer kauth_my-app_KEY"

Response 200 OK:

{
"data": [
{
"id": 5,
"clientId": "my-spa",
"name": "My SPA",
"description": null,
"accessType": "public",
"enabled": true,
"redirectUris": ["https://app.yourdomain.com/callback"]
}
],
"meta": { "total": 1, "offset": 0, "limit": 20 }
}

GET /t/{slug}/api/v1/applications/{appId}

Path parameters:

ParameterTypeDescription
appIdintegerThe application’s numeric ID

Response 200 OK: Returns the application object.


PUT /t/{slug}/api/v1/applications/{appId}

Updates the application’s name, description, access type, and allowed redirect URIs. Changing accessType between public and confidential affects which OAuth2 flows the app can use.

Request body:

{
"name": "My SPA v2",
"description": "Updated frontend application",
"accessType": "public",
"redirectUris": [
"https://app.yourdomain.com/callback",
"https://staging.yourdomain.com/callback"
]
}
FieldRequiredDescription
nameYesDisplay name
descriptionNoOptional description (pass null to clear)
accessTypeYespublic or confidential
redirectUrisYesArray of allowed redirect URIs. Must be exact matches.

Response 200 OK: Returns the updated application object.


GET /t/{slug}/api/v1/applications/{appId}/default-roles

Returns the roles that are automatically assigned to users who self-register through this application (via password signup, social login, or Email OTP).

Required scope: applications:read

Response 200 OK:

{
"data": [
{ "id": 3, "name": "viewer", "description": "Read-only access", "composite": false }
],
"meta": { "total": 1 }
}

PUT /t/{slug}/api/v1/applications/{appId}/default-roles
Content-Type: application/json
{
"roleIds": [3, 7]
}

Replaces the full set of default roles for the application. Pass an empty array to clear all default roles.

Required scope: applications:write

FieldRequiredDescription
roleIdsYesArray of role IDs to auto-assign at registration. Full-set replace.

Response 200 OK: Returns the updated default roles in the same format as the GET endpoint.


DELETE /t/{slug}/api/v1/applications/{appId}

Soft-disables the application. New authorization requests are rejected, but existing valid tokens continue to work until they expire.

To re-enable a disabled application, use the admin console.

Response 204 No Content