Before creating a client, you need to be authorized in the Vantage API. See Authentication for details.

Creating a Client

To create a client, you will need to send a POST request with the Authorization = Bearer <access token> header to {baseUrl}/api/adminapi2/v1/tenants/{tenantId}/clients/ with the following request body parameters:

| Parameter | Description |
| --- | --- |
| clientId | The client's identifier. |
| clientName | The client name (e.g. the name of your app). |
| allowOfflineAccess | Specifies whether a refresh token will be generated along with the access token, which the application can use to automatically update the access token without user intervention. Set to False by default. |
| allowRememberConsent | Specifies whether the user can choose to store consent decisions. Set to True by default. |
| backChannelLogoutSessionRequired | Specifies whether the Backchannel Logout mechanism is required. Set to True by default. |
| requireClientSecret | Specifies whether a client secret is required. Set to True by default. |
| requireConsent | Specifies whether a consent screen is required. Set to False by default. |
| allowNoPkce | Specifies whether the Authorization Code Flow with Proof Key for Code Exchange (PKCE) authentication scheme is allowed. Set to False by default, allowing only the Authorization Code Flow with Proof Key for Code Exchange (PKCE) authentication scheme. |
| allowedGrantTypes | Specifies the grant types that can be used. |
| allowedCorsOrigins | Specifies whether the default cross-origin resource sharing (CORS) mechanism is used. |
| allowedScopes | Defines a set of resources and user data which should be transferred in the token. The value scope should be exactly "openid permissions publicapi.all". |
| postLogoutRedirectUris | A list of allowed URIs to redirect to after logout. |
| redirectUris | A list of websites or app URLs whitelisted for authorization token redirects. Prefixes are allowed for the URL. If the prefix matches, any URL will be allowed, for example: [ "https://myDomain.", "https://myApp.myDomain.com/oauth-signin.html" ]. |

Important! When authenticating using Resource Owner Password Credentials, you must set the allowRopc parameter to TRUE. Note that this authentication scheme assumes that the user sends their credentials to the application; therefore, it is recommended to use ROPC only if a trusted confidential client is authenticated.

Sample request:

For Windows

REM cmd.exe: each line ends with a caret to continue the command; the JSON body is one line with escaped quotes
curl --location --request POST "{baseUrl}/api/adminapi2/v1/tenants/{tenantId}/clients/" ^
-H "accept: application/json" ^
-H "Authorization: Bearer {token}" ^
-H "Content-Type: application/json-patch+json" ^
-d "{\"clientId\": \"{clientId}\", \"clientName\": \"{clientName}\", \"allowOfflineAccess\": true, \"allowRememberConsent\": true, \"backChannelLogoutSessionRequired\": true, \"requireClientSecret\": true, \"requireConsent\": false, \"allowNoPkce\": true, \"allowedGrantTypes\": [\"{allowedGrantTypes}\"], \"allowedCorsOrigins\": [\"{allowedCorsOrigins}\"], \"allowedScopes\": [\"openid\", \"permissions\", \"publicapi.all\"], \"postLogoutRedirectUris\": [\"{postLogoutRedirectUris}\"], \"redirectUris\": [\"{redirectUris}\"]}"

For Linux

# The JSON body uses double quotes and is wrapped in single quotes for the shell
curl --location --request POST '{baseUrl}/api/adminapi2/v1/tenants/{tenantId}/clients/' \
-H 'accept: application/json' \
-H 'Authorization: Bearer {token}' \
-H 'Content-Type: application/json-patch+json' \
-d '{
  "clientId": "{clientId}",
  "clientName": "{clientName}",
  "allowOfflineAccess": true,
  "allowRememberConsent": true,
  "backChannelLogoutSessionRequired": true,
  "requireClientSecret": true,
  "requireConsent": false,
  "allowNoPkce": true,
  "allowedGrantTypes": [
    "{allowedGrantTypes}"
  ],
  "allowedCorsOrigins": [
    "{allowedCorsOrigins}"
  ],
  "allowedScopes": [
    "openid",
    "permissions",
    "publicapi.all"
  ],
  "postLogoutRedirectUris": [
    "{postLogoutRedirectUris}"
  ],
  "redirectUris": [
    "{redirectUris}"
  ]
}'

The response from the server will contain a description of the created client.
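
A pre-flight check for the request body described above, as an added example that is not part of the Vantage documentation or tooling. It compares a body against the defaults and recommendations stated in the parameter list; the function name, the sample values and the treatment of a missing allowRopc as off are assumptions.

```python
from urllib.parse import urlsplit

# Scope set the page says must be used exactly.
REQUIRED_SCOPES = {"openid", "permissions", "publicapi.all"}

def audit_client(body):
    """Return (field, finding) pairs for settings that weaken the client."""
    findings = []
    # Page defaults: allowNoPkce=False, requireClientSecret=True.
    if body.get("allowNoPkce", False):
        findings.append(("allowNoPkce", "authorization code flow accepted without PKCE"))
    if not body.get("requireClientSecret", True):
        findings.append(("requireClientSecret", "client is not required to present a secret"))
    # Assumption: allowRopc is treated as off when the field is absent.
    if body.get("allowRopc", False):
        findings.append(("allowRopc", "ROPC: the application receives user credentials"))
    if set(body.get("allowedScopes", [])) != REQUIRED_SCOPES:
        findings.append(("allowedScopes", "not exactly 'openid permissions publicapi.all'"))
    for uri in body.get("redirectUris", []):
        # redirectUris are matched as prefixes. An entry with no path leaves the
        # host name open-ended, so it also matches longer host names.
        if urlsplit(uri).path == "":
            findings.append(("redirectUris", f"{uri}: prefix does not end the host name"))
    return findings

# Constructed body: the page's sample values with the placeholders filled in.
SAMPLE = {
    "clientId": "my-app",
    "clientName": "My App",
    "requireClientSecret": True,
    "allowNoPkce": True,
    "allowedScopes": ["openid", "permissions", "publicapi.all"],
    "redirectUris": ["https://myDomain.",
                     "https://myApp.myDomain.com/oauth-signin.html"],
}
# Same body with PKCE required and only the full redirect URL registered.
HARDENED = dict(SAMPLE, allowNoPkce=False,
                redirectUris=["https://myApp.myDomain.com/oauth-signin.html"])

if __name__ == "__main__":
    for field, finding in audit_client(SAMPLE):
        print(f"{field}: {finding}")
```
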

Creating a Secret

Each client can have multiple secrets. This allows the client to begin using a new secret upon the expiration of the current one without deleting it. By default, a client secret expires after six months. To create a secret, you will need to send a POST request with the Authorization = Bearer <access token> header to {baseUrl}/api/adminapi2/v1/tenants/{tenantId}/clients/{clientId}/secrets/ with the following request body parameters:

| Parameter | Description |
| --- | --- |
| description | A description of the client secret. This can be a short comment to help you tell the secrets apart. This is an optional parameter. |
| startTime | Specifies the secret start date. |
| expiration | Specifies the secret expiry date (between 1 day and 3 years). For example, "2021-09-07T13:03:38.380Z". By default, this date is set to exactly six months from the secret creation date. |

Sample request:

For Windows

REM cmd.exe: each line ends with a caret to continue the command; the JSON body is one line with escaped quotes
curl --location --request POST "{baseUrl}/api/adminapi2/v1/tenants/{tenantId}/clients/{clientId}/secrets/" ^
-H "accept: application/json" ^
-H "Authorization: Bearer {token}" ^
-H "Content-Type: application/json-patch+json" ^
-d "{\"description\": \"{description}\", \"startTime\": \"{startTime}\", \"expiration\": \"{expiration}\"}"

For Linux

# The JSON body uses double quotes and is wrapped in single quotes for the shell
curl --location --request POST '{baseUrl}/api/adminapi2/v1/tenants/{tenantId}/clients/{clientId}/secrets/' \
-H 'accept: application/json' \
-H 'Authorization: Bearer {token}' \
-H 'Content-Type: application/json-patch+json' \
-d '{
  "description": "{description}",
  "startTime": "{startTime}",
  "expiration": "{expiration}"
}'

The response to your request from the server will contain a client secret (value) and its validity period (startTime, expiration).

Important! The client secret value will only be available when it is being created. Store it in a secure location to avoid losing access to a client via its secret. Later on, you will only be able to view the first three characters of the client secret value (valueDisplay).
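
A rotation planner for the overlapping secrets described in this section, as an added example that is not part of the Vantage documentation. It builds the request body for a replacement secret once the newest existing one is close to expiry; the function names, the overlap window, the sample records and the reading of "3 years" as 1095 days measured from startTime are assumptions.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # timestamp layout used in the page's example
MIN_LIFE = timedelta(days=1)
MAX_LIFE = timedelta(days=3 * 365)  # assumption: "3 years" taken as 1095 days

def parse(ts):
    """Parse a timestamp such as 2021-09-07T13:03:38.380Z as UTC."""
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)

def fmt(dt):
    """Format a datetime with millisecond precision and a Z suffix."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def plan_rotation(secrets, now, lifetime, overlap):
    """Return the body for a replacement secret, or None if none is due yet."""
    if not MIN_LIFE <= lifetime <= MAX_LIFE:
        raise ValueError("expiration must be between 1 day and 3 years")
    # Latest expiry among secrets that have not expired at `now`.
    live = [parse(s["expiration"]) for s in secrets
            if parse(s["expiration"]) > now]
    last_expiry = max(live, default=None)
    if last_expiry is not None and last_expiry - now > overlap:
        return None  # the newest secret still outlasts the overlap window
    return {
        "description": f"rotation {now:%Y-%m-%d}",
        "startTime": fmt(now),
        "expiration": fmt(now + lifetime),
    }

# Constructed record using the field names the page gives for a secret.
SAMPLE_SECRETS = [
    {"valueDisplay": "abc",
     "startTime": "2021-03-07T13:03:38.380Z",
     "expiration": "2021-09-07T13:03:38.380Z"},
]

if __name__ == "__main__":
    now = parse("2021-08-25T00:00:00.000Z")
    print(plan_rotation(SAMPLE_SECRETS, now,
                        timedelta(days=180), timedelta(days=14)))
```
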