Specifies the maximum lifetime of a refresh token (in seconds), regardless of how often it is used.
Specifies how long an access token remains valid (in seconds).
Specifies whether access tokens are issued as self-contained JWTs or as opaque references stored server-side.
Controls whether access tokens may be transmitted via the browser for this client.
Allows the client to use any redirect URI when using Pushed Authorization Requests (PAR), instead of being limited to the configured redirect URI list.
Allows the client to obtain refresh tokens using the offline_access scope.
Allows Proof Key for Code Exchange (PKCE) verification using the plain (unhashed) method.
Configures the set of trusted origins permitted to perform cross-origin requests for this client.
Defines which OAuth / OIDC grant types this client is permitted to use.
Defines the approved identity scopes that this client is authorized to request.
Always embeds user claims in the ID token instead of requiring calls to the UserInfo endpoint.
Always prompts users for consent when requesting offline (refresh token) access.
Controls whether client claims are always emitted in access tokens, or only when using the client credentials flow.
Preferred application type for the client.
Defines the authenticators users may use to sign in with this client. Leave empty to inherit the global authenticator policy.
Specifies how long an authorization code remains valid (in seconds).
Lifetime of the authorization request (in seconds). Controls how long the request data is considered valid during the authorization flow.
Indicates whether the user’s session identifier should be included when invoking the back-channel logout URI.
Optionalback_Server-side (back-channel) endpoint that MonoCloud calls to notify the application of a user logout.
Binds issued tokens to the user's session. When enabled, all tokens and grants are automatically revoked when the user signs out or the session expires.
Defines custom claims issued to this client and embedded into access tokens for downstream APIs and resources.
Optionalclient_Configures a prefix for client claims, helping avoid naming collisions across tokens and downstream APIs.
Human-readable name for the client application, displayed to users on the login and consent screens.
Optionalclient_Public URL that provides additional information about the client application.
Specifies the validity period for stored user consent (in seconds). Set to 0 to allow consent to remain valid indefinitely.
Specifies the creation time of the client (in Epoch).
OptionaldescriptionDescription that explains the purpose of the client application.
Specifies the length of the user verification code generated for the device flow.
Specifies the lifetime of the device authorization code (in seconds).
Includes the offline_access scope in issued access tokens when requested by the client.
Indicates whether the consents are enabled for the client.
Indicates whether the client is enabled.
Indicates whether the user’s session identifier should be included when invoking the front-channel logout URI.
Optionalfront_Browser-based (front-channel) endpoint on the client that receives user logout notifications from MonoCloud.
The unique identifier of the client.
Specifies how long an ID token remains valid (in seconds).
Determines whether issued access tokens include a unique token identifier (jti).
Specifies the last update time of the client (in Epoch).
Optionallogo_URL of the client application logo, displayed on the consent screen to help users identify the application.
List of approved URIs users can be redirected to after a successful logout.
List of approved redirect URIs where authorization codes or tokens may be sent.
Controls whether refresh tokens expire at a fixed time or are extended with continued use.
Controls whether refresh tokens are single-use (rotated) or reusable.
Controls how consent decisions are remembered for future sign-ins.
Requires confidential clients to present a client secret when requesting tokens.
Controls whether users are prompted to review and approve requested permissions.
Requires Proof Key for Code Exchange (PKCE) for authorization code flows.
Requires clients to use Pushed Authorization Requests (PAR) instead of sending parameters directly to the authorization endpoint.
Requires authorization requests to be sent as signed JWT request objects (JAR).
Allows end users to choose which requested scopes to grant on the consent screen.
Defines the sliding expiration window for refresh tokens (in seconds). Token expiry is extended on each valid refresh, subject to the absolute refresh token lifetime.
Preferred technology stack for the client.
Controls whether access token claims are recalculated and reissued when refreshing a token.
Maximum allowed SSO duration (in seconds). After this window, users must sign in again to confirm identity. Set to 0 to disable the limit.
Application: Represents an OAuth 2.0 / OIDC client application configuration.
Export
Application