Client applications

What are client applications? 

Client applications provide a secure, machine-to-machine access mechanism for SheerID services. They leverage the "OAuth Client Credentials Flow" to retrieve a JSON Web Token (JWT), which is then used for authentication and authorization across our various APIs. You can refer to the Auth0 documentation for a deeper dive into the OAuth Client Credentials Flow.

How to create a client application

Developer users (API Access permission) can create and manage client applications directly within MySheerID. However, they cannot assign or unassign roles for a client application unless they also have the User Admin permission.

  1. Log in to your MySheerID account, then navigate to the account menu located in the bottom left corner.
  2. Select Access Management from the menu.
  3. A new Applications area will appear where you can create and edit your client applications. Please note that the Secret Token associated with the account information section is only visible to the account owner. Each client application will have its own Client Secret token.
  4. Click on the +Add button to create a new record.
  5. To create a new application, the following fields are required:
    1. Name
    2. Role(s) – learn more about the permissions of these roles
  6. Once you have created your application(s), you will see them listed in the Applications section. You can toggle the dropdown menu to view more details about each application.
  7. With the section expanded, you can edit or delete the application.
  8. You can also rotate, reveal, and copy the Client Secret, the token associated with the created application.

Generating a JWT

Now that you have client applications, you are ready to start generating JWTs. For information on how to generate the JWT, click here.

Rotating a Client Secret

The client secret is the credential that proves your application is trusted, similar to a password for a user login. Just like a password, there are times when changing the client secret is recommended, such as:

  1. Rotating periodically to maintain security
  2. Replacing a Client Secret that was found to be exposed publicly

For these cases, each application provides a button to rotate the client secret. This will generate a new value that should be used when generating an access token with the client application. By default, any existing authentication tokens created with the application will continue to function until they expire. This allows any integrations using the application to update to the new secret without any downtime.

When rotating a client secret, you will be prompted to confirm the action since it cannot be undone.

If a client secret has been compromised, an option is provided to immediately invalidate all access tokens associated with that client application to prevent any further action. Using this option will break any existing integrations relying on the application, so use it with caution.
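An added example (not SheerID's code) of how an integration can follow the rotation behavior described above: it caches the JWT until just before its expiry, reads the Client Secret from a secret store on every refresh so a rotated secret is picked up without a restart, and drops the cached token when the API rejects it. The token endpoint is replaced by a constructed stand-in, and the form fields are the generic OAuth client credentials parameters; the names TokenProvider, load_secret, request_token and fake_endpoint are assumptions, and SheerID's real token request is not shown on this page.

```python
import base64, json, time

def jwt_expiry(token):
    # Read `exp` from the JWT payload; no signature check (only used for caching).
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["exp"]

class TokenProvider:
    def __init__(self, client_id, load_secret, request_token, clock=time.time, skew=60):
        self.client_id, self.clock, self.skew = client_id, clock, skew
        self.load_secret = load_secret      # reads the current Client Secret from a secret store
        self.request_token = request_token  # hypothetical transport: form dict -> JWT string
        self._token, self._exp = None, 0

    def get(self):
        # Reuse the cached JWT until shortly before expiry, then fetch with the current secret.
        if self._token is None or self.clock() >= self._exp - self.skew:
            self._token = self.request_token({"grant_type": "client_credentials",
                                              "client_id": self.client_id,
                                              "client_secret": self.load_secret()})
            self._exp = jwt_expiry(self._token)
        return self._token

    def invalidate(self):
        # Call on a 401 from the API: the token was revoked before its expiry.
        self._token = None

def fake_endpoint(server, clock):
    # Constructed stand-in for the token endpoint; issues unsigned one-hour tokens.
    def request_token(form):
        if form["client_secret"] != server["secret"]:
            raise PermissionError("invalid client secret")
        claims = json.dumps({"exp": clock() + 3600, "n": server["issued"]}).encode()
        server["issued"] += 1
        return "e30." + base64.urlsafe_b64encode(claims).decode().rstrip("=") + ".sig"
    return request_token

def demo():
    now, server, store = [1_000_000], {"secret": "old", "issued": 0}, {"secret": "old"}
    clock = lambda: now[0]
    tp = TokenProvider("example-client", lambda: store["secret"], fake_endpoint(server, clock), clock)
    t1 = tp.get()
    server["secret"] = store["secret"] = "new"  # rotate, then update the secret store
    t2 = tp.get()                               # cached token is still used
    now[0] += 3600
    t3 = tp.get()                               # expired: re-fetched with the new secret
    tp.invalidate()                             # "invalidate all access tokens" was used
    t4 = tp.get()
    return t1 == t2, t3 != t1, t4 != t3, server["issued"]
```

If the secret store still holds the old value when the cached token expires, the refresh fails, so update the store as part of the same change as the rotation.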

For more information about the technology behind SheerID's client applications, check out the official Okta Auth0 documentation here.

You can also find further details in our Developer Center.
