Create an application
New application
Click New application. Choose a display name your users will see on the consent screen.
Redirect URIs
Add every URL that receives the authorization code. URIs must match exactly — scheme, host, port, and path included.
Client credentials
| Field | Format | Usage |
|---|---|---|
| client_id | oak_ + hex | Public identifier — safe in frontend authorize URLs |
| client_secret | Random string | Confidential clients only — send on /oauth/token, never expose in browser |
- Request body: client_id + client_secret form fields, or
- HTTP Basic auth: Authorization: Basic base64(client_id:client_secret)
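The two ways of sending client credentials listed above, as an added example that is not code from this documentation: it builds the /oauth/token request server-side with either HTTP Basic auth or form fields, never both, and masks the secret and code for logging. The host names, the sample oak_ value, the function names, and the standard OAuth parameter names (grant_type, code, redirect_uri) are assumptions.

```python
import base64
import os
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

# Placeholder host (assumption); only the /oauth/token path comes from the page.
TOKEN_URL = "https://auth.example.com/oauth/token"


def build_token_request(client_id, client_secret, code, redirect_uri,
                        method="basic", token_url=TOKEN_URL):
    """Build, without sending, a server-side authorization code exchange.

    The secret is sent by exactly one method: HTTP Basic or form fields.
    """
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be HTTPS: the secret travels in the request")
    # Standard OAuth 2.0 parameter names (RFC 6749); assumed to apply here.
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "basic":
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    elif method == "body":
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError("method must be 'basic' or 'body'")
    return Request(token_url, data=urlencode(form).encode("ascii"),
                   headers=headers, method="POST")


def log_safe(req):
    """Summarise a request for logs with the secret and the code masked."""
    fields = {k: v[0] for k, v in parse_qs(req.data.decode("ascii")).items()}
    for sensitive in ("client_secret", "code"):
        if sensitive in fields:
            fields[sensitive] = "***"
    auth = "Basic ***" if req.has_header("Authorization") else None
    return {"url": req.full_url, "authorization": auth, "form": fields}


if __name__ == "__main__":
    # Constructed sample values; a real secret is read from server-side config.
    secret = os.environ.get("OAUTH_CLIENT_SECRET", "constructed-secret")
    req = build_token_request("oak_0123abcd", secret, "constructed-code",
                              "https://app.example.com/callback")
    print(log_safe(req))
```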
Manage applications
From the app detail page you can:
- Edit redirect URIs — add or remove callback URLs
- Regenerate secret — invalidates the old secret and all active refresh tokens for that client
- Revoke user sessions — force re-consent for all users of this app
- View audit log — token issuances and consent events
Regenerating a client secret immediately breaks any integration still using the old secret. Update your server configuration before regenerating in production.
Allowed scopes
Default allowed scopes for new apps:
| Scope | Consent text |
|---|---|
| openid | Verify your identity (OIDC) |
| profile | Read display name and avatar |
| email | Read email address |
openid is required for ID token issuance. Request only scopes your app needs.
Personal access tokens
The Developer Portal also supports personal access tokens (PATs) for direct API access on behalf of your account — useful for scripts and CI. PATs are not OAuth tokens; they authenticate as you directly.
Next steps
Quickstart
Complete your first authorization code exchange.
Authorization code flow
Full flow diagram and parameter reference.