What are Applications?

Applications represent the clients that authenticate users through Transactional Auth. Each application has its own Client ID, settings, and can have different authentication configurations.

Application Types

Choose the type that matches your application architecture:

SPA (Single-Page Application)

For client-side JavaScript applications (React, Vue, Angular).

Setting	Value
Token Storage	In-memory or secure storage
Client Secret	Not used (public client)
PKCE	Required
Refresh Tokens	Optional (with rotation)

Best for: React apps, Vue.js apps, Angular apps

Native

For mobile and desktop applications.

Setting	Value
Token Storage	Secure device storage
Client Secret	Not used (public client)
PKCE	Required
Refresh Tokens	Yes (with rotation)

Best for: iOS apps, Android apps, Electron apps

Server

For server-side web applications with a secure backend.

Setting	Value
Token Storage	Server-side session
Client Secret	Required (confidential client)
PKCE	Recommended
Refresh Tokens	Yes

Best for: Next.js, Express, Django, Rails apps

Machine

For service-to-service (M2M) communication.

Setting	Value
Token Storage	Server environment
Client Secret	Required
Grant Type	Client Credentials
User Context	None

Best for: APIs, microservices, cron jobs, background workers

Creating an Application

Via Dashboard

Go to Auth > Applications
Click Create Application
Fill in the details:

Field	Description
Name	Display name for the application
Type	SPA, Native, Server, or Machine
Description	Optional description
Logo URL	Logo for consent screens

Via API

TypeScript:

const app = await client.auth.applications.create({
  name: 'My Web App',
  type: 'SERVER',
  description: 'Main web application',
  redirectUris: ['https://myapp.com/callback'],
  allowedOrigins: ['https://myapp.com'],
  logoutUris: ['https://myapp.com/logout'],
});
 
console.log('Client ID:', app.clientId);
console.log('Client Secret:', app.clientSecret);

Python:

app = client.auth.applications.create(
    name="My Web App",
    type="SERVER",
    description="Main web application",
    redirect_uris=["https://myapp.com/callback"],
    allowed_origins=["https://myapp.com"],
    logout_uris=["https://myapp.com/logout"],
)
 
print(f"Client ID: {app.client_id}")
print(f"Client Secret: {app.client_secret}")

Application Settings

Redirect URIs

URLs where users are sent after authentication.

// Development
redirectUris: [
  'http://localhost:3000/callback',
  'http://localhost:3000/auth/callback',
]
 
// Production
redirectUris: [
  'https://myapp.com/callback',
  'https://app.myapp.com/callback',
]

Security: Use exact matches. Wildcards are not supported.

Allowed Origins

Origins allowed for CORS requests (SPAs only).

allowedOrigins: [
  'http://localhost:3000',
  'https://myapp.com',
]

Logout URIs

URLs where users are sent after logout.

logoutUris: [
  'https://myapp.com',
  'https://myapp.com/logged-out',
]

Grant Types

Allowed OAuth grant types:

grantTypes: [
  'AUTHORIZATION_CODE',  // Interactive login
  'REFRESH_TOKEN',       // Token renewal
  'CLIENT_CREDENTIALS',  // M2M (Machine type only)
]

Response Types

Allowed OAuth response types:

responseTypes: [
  'code',         // Authorization Code flow
  'token',        // Implicit flow (not recommended)
  'id_token',     // OIDC ID token
]

Token Settings

Configure token lifetimes:

tokenSettings: {
  accessTokenTtl: 3600,      // 1 hour (seconds)
  refreshTokenTtl: 2592000,  // 30 days (seconds)
  idTokenTtl: 3600,          // 1 hour (seconds)
}

Control the consent screen:

consentSettings: {
  skipConsent: false,         // Always show consent
  skipConsentForFirstParty: true, // Skip for your own apps
}

Managing Applications

List Applications

const apps = await client.auth.applications.list();
for (const app of apps) {
  console.log(`${app.name}: ${app.clientId}`);
}

Get Application

const app = await client.auth.applications.get('app_xxx');

Update Application

await client.auth.applications.update('app_xxx', {
  name: 'Updated Name',
  redirectUris: ['https://newdomain.com/callback'],
});

Delete Application

await client.auth.applications.delete('app_xxx');

Rotate Client Secret

const { clientSecret } = await client.auth.applications.rotateSecret('app_xxx');
console.log('New secret:', clientSecret);

Warning: Rotating the secret invalidates the old one immediately.

Application Status

Applications can be active or inactive:

// Deactivate an application
await client.auth.applications.update('app_xxx', {
  isActive: false,
});

Inactive applications cannot:

Issue new tokens
Authenticate users
Make API calls

Existing tokens remain valid until they expire.

Best Practices

1. Use Appropriate Application Types

Match the type to your architecture:

Web frontend only → SPA
Web with backend → Server
Mobile app → Native
Backend service → Machine

2. Secure Your Client Secret

For Server and Machine applications:

Store in environment variables
Never commit to version control
Rotate regularly
Use different secrets per environment

3. Restrict Redirect URIs

Use exact URLs, not patterns
Include only necessary URIs
Use HTTPS in production
Validate state parameter

4. Configure Token Lifetimes

Balance security and user experience:

Token	Recommended
Access Token	15 min - 1 hour
Refresh Token	7 - 30 days
ID Token	15 min - 1 hour

5. Enable PKCE

Always use PKCE for SPA and Native applications:

// Generate code verifier
const codeVerifier = generateRandomString(64);
const codeChallenge = base64UrlEncode(sha256(codeVerifier));
 
// Include in authorization request
const authUrl = `${authEndpoint}?` + new URLSearchParams({
  code_challenge: codeChallenge,
  code_challenge_method: 'S256',
  // ... other params
});

Next Steps

OAuth - Understand OAuth flows
Users - Manage user accounts
Sessions - Handle user sessions