Optionalabsolute_Specifies the maximum lifetime of a refresh token (in seconds), regardless of how often it is used.
Optionalaccess_Specifies how long an access token remains valid (in seconds).
Optionalaccess_Specifies whether access tokens are issued as self-contained JWTs or as opaque references stored server-side.
Optionalallow_Controls whether access tokens may be transmitted via the browser for this client.
Optionalallow_Allows the client to use any redirect URI when using Pushed Authorization Requests (PAR), instead of being limited to the configured redirect URI list.
Optionalallow_Allows the client to obtain refresh tokens using the offline_access scope.
Optionalallow_Allows Proof Key for Code Exchange (PKCE) verification using the plain (unhashed) method.
Optionalallowed_Configures the set of trusted origins permitted to perform cross-origin requests for this client.
Defines which OAuth / OIDC grant types this client is permitted to use.
Optionalallowed_Defines the approved identity scopes that this client is authorized to request.
Optionalalways_Always embeds user claims in the ID token instead of requiring calls to the UserInfo endpoint.
Optionalalways_Always prompts users for consent when requesting offline (refresh token) access.
Optionalalways_Controls whether client claims are always emitted in access tokens, or only when using the client credentials flow.
Optionalapp_Preferred application type for the client.
Optionalauthenticator_Defines the authenticators users may use to sign in with this client. Leave empty to inherit the global authenticator policy.
Optionalauthorization_Specifies how long an authorization code remains valid (in seconds).
Optionalauthorization_Lifetime of the authorization request (in seconds). Controls how long the request data is considered valid during the authorization flow.
Optionalauto_Automatically generates a secure application secret when the application is created.
Optionalback_Indicates whether the user’s session identifier should be included when invoking the back-channel logout URI.
Optionalback_Server-side (back-channel) endpoint that MonoCloud calls to notify the application of a user logout.
Optionalbind_Binds issued tokens to the user's session. When enabled, all tokens and grants are automatically revoked when the user signs out or the session expires.
OptionalclaimsDefines custom claims issued to this client and embedded into access tokens for downstream APIs and resources.
Optionalclient_Configures a prefix for client claims, helping avoid naming collisions across tokens and downstream APIs.
Human-readable name for the client application, displayed to users on the login and consent screens.
Optionalclient_Public URL that provides additional information about the client application.
Optionalconsent_Specifies the validity period for stored user consent (in seconds). Set to 0 to allow consent to remain valid indefinitely.
OptionaldescriptionDescription that explains the purpose of the client application.
Optionaldevice_Specifies the length of the user verification code generated for the device flow.
Optionaldevice_Specifies the lifetime of the device authorization code (in seconds).
Optionalemit_Includes the offline_access scope in issued access tokens when requested by the client.
Optionalenable_Indicates whether the consents are enabled for the client.
OptionalenabledIndicates whether the client is enabled.
Optionalfront_Indicates whether the user’s session identifier should be included when invoking the front-channel logout URI.
Optionalfront_Browser-based (front-channel) endpoint on the client that receives user logout notifications from MonoCloud.
Optionalidentity_Specifies how long an ID token remains valid (in seconds).
Optionalinclude_Determines whether issued access tokens include a unique token identifier (jti).
Optionallogo_URL of the client application logo, displayed on the consent screen to help users identify the application.
Optionalpost_List of approved URIs users can be redirected to after a successful logout.
Optionalredirect_List of approved redirect URIs where authorization codes or tokens may be sent.
Optionalrefresh_Controls whether refresh tokens expire at a fixed time or are extended with continued use.
Optionalrefresh_Controls whether refresh tokens are single-use (rotated) or reusable.
Optionalremember_Controls how consent decisions are remembered for future sign-ins.
Optionalrequire_Requires confidential clients to present a client secret when requesting tokens.
Optionalrequire_Controls whether users are prompted to review and approve requested permissions.
Optionalrequire_Requires Proof Key for Code Exchange (PKCE) for authorization code flows.
Optionalrequire_Requires clients to use Pushed Authorization Requests (PAR) instead of sending parameters directly to the authorization endpoint.
Optionalrequire_Requires authorization requests to be sent as signed JWT request objects (JAR).
Optionalshow_Allows end users to choose which requested scopes to grant on the consent screen.
Optionalsliding_Defines the sliding expiration window for refresh tokens (in seconds). Token expiry is extended on each valid refresh, subject to the absolute refresh token lifetime.
Optionaltech_Preferred technology stack for the client.
Optionalupdate_Controls whether access token claims are recalculated and reissued when refreshing a token.
Optionaluser_Maximum allowed SSO duration (in seconds). After this window, users must sign in again to confirm identity. Set to 0 to disable the limit.
Create Application Request: Creates an OpenID Connect or OAuth 2.0 client configuration.
Export
CreateApplicationRequest