GET /api/{serviceId}/client/get/{clientId}

TypeScript (SDK)
import { Authlete } from "@authlete/typescript-sdk";

// A Service Access Token or Organization Token (see Authorizations below),
// read from the environment rather than hard-coded in source.
const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  // serviceId and clientId are the path parameters of this endpoint.
  const result = await authlete.client.get({
    serviceId: "<id>",
    clientId: "<id>",
  });

  // The returned record includes clientSecret, so do not log it outside a local test.
  console.log(result);
}

run();
Example response
{
  "applicationType": "WEB",
  "attributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "authTimeRequired": false,
  "bcUserCodeRequired": false,
  "clientId": 26478243745571,
  "clientIdAlias": "my-client",
  "clientIdAliasEnabled": true,
  "clientName": "My client",
  "clientSecret": "gXz97ISgLs4HuXwOZWch8GEmgL4YMvUJwu3er_kDVVGcA0UOhA9avLPbEmoeZdagi9yC_-tEiT2BdRyH9dbrQQ",
  "clientType": "CONFIDENTIAL",
  "createdAt": 1639468356000,
  "defaultMaxAge": 0,
  "derivedSectorIdentifier": "my-client.example.com",
  "developer": "john",
  "dynamicallyRegistered": false,
  "frontChannelRequestObjectEncryptionRequired": false,
  "grantTypes": [
    "AUTHORIZATION_CODE",
    "REFRESH_TOKEN"
  ],
  "idTokenSignAlg": "RS256",
  "modifiedAt": 1639468356000,
  "number": 6164,
  "parRequired": false,
  "redirectUris": [
    "https://my-client.example.com/cb1",
    "https://my-client.example.com/cb2"
  ],
  "requestObjectEncryptionAlgMatchRequired": false,
  "requestObjectEncryptionEncMatchRequired": false,
  "requestObjectRequired": false,
  "responseTypes": [
    "CODE",
    "TOKEN"
  ],
  "serviceNumber": 5041,
  "subjectType": "PUBLIC",
  "tlsClientCertificateBoundAccessTokens": false,
  "tokenAuthMethod": "CLIENT_SECRET_BASIC"
}
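Because this endpoint returns the complete client record, it is a natural input for a configuration audit. The following TypeScript is an added example and not Authlete SDK code: it lints a record of the shape documented below (ClientRecord is an assumed subset of the response) against the OAuth and OpenID Connect rules that the field descriptions on this page cite, and EXAMPLE_CLIENT is constructed from the sample response above with a placeholder secret. Run against that sample it reports, among other things, that responseTypes contains TOKEN while grantTypes lacks IMPLICIT, and that pkceRequired is not set.

```typescript
// Added example, not Authlete's own code. ClientRecord is an assumed subset of
// the documented response; the field names are the ones on this page.
interface ClientRecord {
  clientId?: number;
  clientType?: "PUBLIC" | "CONFIDENTIAL";
  applicationType?: "WEB" | "NATIVE";
  tokenAuthMethod?: string;
  grantTypes?: string[];
  responseTypes?: string[];
  redirectUris?: string[];
  pkceRequired?: boolean;
  pkceS256Required?: boolean;
  requestSignAlg?: string | null;
  requestEncryptionAlg?: string | null;
  idTokenEncryptionAlg?: string | null;
  userInfoEncryptionAlg?: string | null;
  authorizationEncryptionAlg?: string | null;
  clientSecret?: string;
}

// Grant types each response type needs (OpenID Connect Dynamic Client
// Registration 1.0, 2. Client Metadata), in Authlete's enum spelling.
const GRANTS_FOR_RESPONSE_TYPE: Record<string, string[]> = {
  NONE: [],
  CODE: ["AUTHORIZATION_CODE"],
  TOKEN: ["IMPLICIT"],
  ID_TOKEN: ["IMPLICIT"],
  ID_TOKEN_TOKEN: ["IMPLICIT"],
  CODE_TOKEN: ["AUTHORIZATION_CODE", "IMPLICIT"],
  CODE_ID_TOKEN: ["AUTHORIZATION_CODE", "IMPLICIT"],
  CODE_ID_TOKEN_TOKEN: ["AUTHORIZATION_CODE", "IMPLICIT"],
};

// Response types that hand an access token to the browser (implicit grant).
const ACCESS_TOKEN_IN_FRONT_CHANNEL = new Set(["TOKEN", "ID_TOKEN_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN_TOKEN"]);
const ENCRYPTION_ALG_FIELDS = ["requestEncryptionAlg", "idTokenEncryptionAlg", "userInfoEncryptionAlg", "authorizationEncryptionAlg"] as const;

function parseUrl(s: string): URL | null {
  try { return new URL(s); } catch { return null; }
}

export function auditClient(c: ClientRecord): string[] {
  const findings: string[] = [];
  const grants = new Set(c.grantTypes ?? []);

  // A public client has no credential, so any method but NONE is meaningless; the reverse is worse.
  if (c.clientType === "PUBLIC" && c.tokenAuthMethod && c.tokenAuthMethod !== "NONE") {
    findings.push(`PUBLIC client declares tokenAuthMethod=${c.tokenAuthMethod}, but a public client has no credential to present`);
  }
  if (c.clientType === "CONFIDENTIAL" && c.tokenAuthMethod === "NONE") {
    findings.push("CONFIDENTIAL client declares tokenAuthMethod=NONE, so the token endpoint cannot authenticate it");
  }

  for (const rt of c.responseTypes ?? []) {
    if (ACCESS_TOKEN_IN_FRONT_CHANNEL.has(rt)) {
      findings.push(`responseType ${rt} returns an access token in the front channel; RFC 9700 recommends against the implicit grant`);
    }
    for (const g of GRANTS_FOR_RESPONSE_TYPE[rt] ?? []) {
      if (!grants.has(g)) findings.push(`responseType ${rt} requires grantType ${g}, which is not registered`);
    }
  }

  for (const uri of c.redirectUris ?? []) {
    const u = parseUrl(uri);
    if (u === null) { findings.push(`redirectUri ${uri} is not an absolute URI`); continue; }
    if (u.hash !== "") findings.push(`redirectUri ${uri} contains a fragment, which RFC 6749, 3.1.2 forbids`);
    const loopback = ["127.0.0.1", "[::1]", "localhost"].indexOf(u.hostname) !== -1;
    if (c.applicationType === "NATIVE") {
      // RFC 8252: https (claimed) URIs, http on the loopback interface, or a private-use scheme.
      if (u.protocol === "http:" && !loopback) findings.push(`redirectUri ${uri}: http is only acceptable on the loopback interface for native apps`);
    } else if (u.protocol !== "https:") {
      findings.push(`redirectUri ${uri} is not https`);
    }
  }

  if (grants.has("AUTHORIZATION_CODE")) {
    if (!c.pkceRequired) findings.push("pkceRequired is not true; RFC 9700 recommends PKCE for every authorization-code client");
    else if (!c.pkceS256Required) findings.push("pkceS256Required is not true, so code_challenge_method=plain is still accepted");
  }

  if (c.requestSignAlg === "NONE") findings.push("requestSignAlg=NONE: request objects from this client are accepted unsigned");
  for (const f of ENCRYPTION_ALG_FIELDS) {
    if (c[f] === "RSA1_5") findings.push(`${f}=RSA1_5 uses RSAES-PKCS1-v1_5, which is open to padding-oracle attacks`);
  }
  if (c.clientSecret) findings.push("record contains clientSecret; redact it before logging or storing the response");
  return findings;
}

// Strip the secret so the record can be logged or written to an audit trail.
export function redactClient(c: ClientRecord): ClientRecord {
  return c.clientSecret ? { ...c, clientSecret: "<redacted>" } : c;
}

// Constructed from the example response on this page (subset, placeholder secret).
export const EXAMPLE_CLIENT: ClientRecord = {
  clientId: 26478243745571,
  clientType: "CONFIDENTIAL",
  applicationType: "WEB",
  tokenAuthMethod: "CLIENT_SECRET_BASIC",
  grantTypes: ["AUTHORIZATION_CODE", "REFRESH_TOKEN"],
  responseTypes: ["CODE", "TOKEN"],
  redirectUris: ["https://my-client.example.com/cb1", "https://my-client.example.com/cb2"],
  clientSecret: "example-secret",
};
```

Pass the result of authlete.client.get() through auditClient() and, before logging it, through redactClient(). The PKCE check is deliberately conservative (it flags confidential clients too); tune it to the service's profile rather than silencing it.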

Authorizations

Authorization
string
header
required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId
string
required

A service ID.

clientId
string
required

A client ID.

Response

number
integer<int32>

The sequential number of the client. The value of this property is assigned by Authlete.

serviceNumber
integer<int32>

The sequential number of the service of the client application. The value of this property is assigned by Authlete.

clientName
string

The name of the client application. This property corresponds to client_name in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

clientNames
object[]

Client names with language tags. If the client application has different names for different languages, this property can be used to register the names.

description
string

The description about the client application.

descriptions
object[]

Descriptions about the client application with language tags. If the client application has different descriptions for different languages, this property can be used to register the descriptions.

clientId
integer<int64>

The client identifier used in Authlete API calls. The value of this property is assigned by Authlete.

clientSecret
string

The client secret. A random 512-bit value encoded by base64url (86 letters). The value of this property is assigned by Authlete. Note that this endpoint returns the secret in clear text, so treat the whole response as sensitive and do not log or persist it unredacted.

clientIdAlias
string

The value of the client's client_id property used in OAuth and OpenID Connect calls. By default, this is a string version of the clientId property.

clientIdAliasEnabled
boolean

Deprecated. Always set to true.

clientType
enum<string>

The client type, either CONFIDENTIAL or PUBLIC. See RFC 6749, 2.1. Client Types for details.

Available options:
PUBLIC,
CONFIDENTIAL
applicationType
enum<string>

The application type. The value of this property affects the validation steps for a redirect URI. See the description about redirectUris property for more details.

Available options:
WEB,
NATIVE
logoUri
string

The URL pointing to the logo image of the client application.

This property corresponds to logo_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

logoUris
object[]

Logo image URLs with language tags. If the client application has different logo images for different languages, this property can be used to register URLs of the images.

contacts
string[]

An array of email addresses of people responsible for the client application.

This property corresponds to contacts in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

tlsClientCertificateBoundAccessTokens
boolean

The flag to indicate whether this client uses TLS client certificate-bound access tokens (RFC 8705).

dynamicallyRegistered
boolean

The flag to indicate whether this client has been registered dynamically. For more details, see RFC 7591.

softwareId
string

The unique identifier string assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.

This property corresponds to the software_id metadata defined in 2. Client Metadata of RFC 7591.

developer
string

The unique identifier of the developer who created this client application.

softwareVersion
string

The version identifier string for the client software identified by the software ID.

This property corresponds to the software_version metadata defined in 2. Client Metadata of RFC 7591.

registrationAccessTokenHash
string

The hash of the registration access token for this client.

createdAt
integer<int64>

The time at which this client was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

modifiedAt
integer<int64>

The time at which this client was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

grantTypes
enum<string>[]

A string array of grant types which the client application declares that it will restrict itself to using. This property corresponds to grant_types in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata. The registered grant types must be consistent with responseTypes: for example, CODE requires AUTHORIZATION_CODE, and TOKEN or ID_TOKEN requires IMPLICIT.

Available options:
AUTHORIZATION_CODE,
IMPLICIT,
PASSWORD,
CLIENT_CREDENTIALS,
REFRESH_TOKEN,
CIBA,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER,
PRE_AUTHORIZED_CODE
responseTypes
enum<string>[]

A string array of response types which the client application declares that it will restrict itself to using. This property corresponds to response_types in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

Available options:
NONE,
CODE,
TOKEN,
ID_TOKEN,
CODE_TOKEN,
CODE_ID_TOKEN,
ID_TOKEN_TOKEN,
CODE_ID_TOKEN_TOKEN
redirectUris
string[]

Redirect URIs that the client application uses to receive a response from the authorization endpoint. Requirements for a redirect URI are as follows.

authorizationSignAlg
enum<string> | null

The JWS algorithm ('alg' JWT header) with which the server signs JARM (JWT Secured Authorization Response Mode) responses for this client. This property corresponds to the authorization_signed_response_alg client metadata defined in JARM.

NONE produces an unsigned response that the client cannot verify, and the HSxxx options are keyed with the client_secret; prefer an asymmetric algorithm (FAPI 1.0 Advanced allows only PS256 and ES256).
Available options:
NONE,
HS256,
HS384,
HS512,
RS256,
RS384,
RS512,
ES256,
ES384,
ES512,
PS256,
PS384,
PS512,
ES256K,
EdDSA
authorizationEncryptionAlg
enum<string> | null

The JWE key management algorithm ('alg' JWE header) with which the server encrypts JARM responses for this client; for the asymmetric options the content encryption key is established with the client's public key from jwks or jwksUri. This property corresponds to the authorization_encrypted_response_alg client metadata defined in JARM. When omitted, JARM responses are signed but not encrypted.

Note that the options are not equally safe or portable: RSA1_5 is RSAES-PKCS1-v1_5 key transport, which is vulnerable to Bleichenbacher-style padding-oracle attacks and which RFC 8725 advises against; RSA_OAEP_256 or the ECDH_ES family are the usual choices, and support for the less common options varies across JOSE libraries.

Available options:
RSA1_5,
RSA_OAEP,
RSA_OAEP_256,
A128KW,
A192KW,
A256KW,
DIR,
ECDH_ES,
ECDH_ES_A128KW,
ECDH_ES_A192KW,
ECDH_ES_A256KW,
A128GCMKW,
A192GCMKW,
A256GCMKW,
PBES2_HS256_A128KW,
PBES2_HS384_A192KW,
PBES2_HS512_A256KW
authorizationEncryptionEnc
enum<string> | null

The JWE content encryption algorithm ('enc' JWE header) with which the server encrypts JARM responses for this client. This property corresponds to the authorization_encrypted_response_enc client metadata defined in JARM; it applies only when authorizationEncryptionAlg is set, and the metadata defaults to A128CBC-HS256 in that case. All of the options are authenticated encryption modes.
Available options:
A128CBC_HS256,
A192CBC_HS384,
A256CBC_HS512,
A128GCM,
A192GCM,
A256GCM
tokenAuthMethod
enum<string>

The client authentication method that the client application declares that it uses at the token endpoint. This property corresponds to token_endpoint_auth_method in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

Available options:
NONE,
CLIENT_SECRET_BASIC,
CLIENT_SECRET_POST,
CLIENT_SECRET_JWT,
PRIVATE_KEY_JWT,
TLS_CLIENT_AUTH,
SELF_SIGNED_TLS_CLIENT_AUTH,
ATTEST_JWT_CLIENT_AUTH
tokenAuthSignAlg
enum<string> | null

The JWS algorithm ('alg' JWT header) that this client uses to sign the client assertion presented for CLIENT_SECRET_JWT or PRIVATE_KEY_JWT client authentication at the token endpoint. This property corresponds to token_endpoint_auth_signing_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, which forbids the value none.

For PRIVATE_KEY_JWT the server verifies the assertion with a key from jwks or jwksUri; for CLIENT_SECRET_JWT the client_secret is the HMAC key, so only the HSxxx options apply to it.
Available options:
NONE,
HS256,
HS384,
HS512,
RS256,
RS384,
RS512,
ES256,
ES384,
ES512,
PS256,
PS384,
PS512,
ES256K,
EdDSA
selfSignedCertificateKeyId
string

The key ID of a JWK containing a self-signed certificate of this client.

tlsClientAuthSubjectDn
string

The string representation of the expected subject distinguished name of the certificate this client will use in mutual TLS authentication.

See tls_client_auth_subject_dn in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client Registration" for details.

tlsClientAuthSanDns
string

The string representation of the expected DNS subject alternative name of the certificate this client will use in mutual TLS authentication.

See tls_client_auth_san_dns in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client Registration" for details.

tlsClientAuthSanUri
string

The string representation of the expected URI subject alternative name of the certificate this client will use in mutual TLS authentication.

See tls_client_auth_san_uri in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client Registration" for details.

tlsClientAuthSanIp
string

The string representation of the expected IP address subject alternative name of the certificate this client will use in mutual TLS authentication.

See tls_client_auth_san_ip in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client Registration" for details.

tlsClientAuthSanEmail
string

The string representation of the expected email address subject alternative name of the certificate this client will use in mutual TLS authentication.

See tls_client_auth_san_email in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client Registration" for details.

parRequired
boolean

The flag to indicate whether this client is required to use the pushed authorization request endpoint. This property corresponds to the require_pushed_authorization_requests client metadata defined in "OAuth 2.0 Pushed Authorization Requests".

requestObjectRequired
boolean

The flag to indicate whether authorization requests from this client are always required to carry a request object, passed by either the request or the request_uri request parameter.

If this flag is set to true and the service's traditionalRequestObjectProcessingApplied is set to false, authorization requests from this client are processed as if require_signed_request_object client metadata of this client is true. The metadata is defined in "JAR (JWT Secured Authorization Request)".

requestSignAlg
enum<string> | null

The JWS algorithm ('alg' JWT header) that the server expects on request objects (JAR, RFC 9101) from this client; for the asymmetric options the verification key is taken from jwks or jwksUri. This property corresponds to request_object_signing_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

Note that NONE means the client sends unsigned request objects, which give the server no integrity or origin guarantee for the request parameters.
Available options:
NONE,
HS256,
HS384,
HS512,
RS256,
RS384,
RS512,
ES256,
ES384,
ES512,
PS256,
PS384,
PS512,
ES256K,
EdDSA
requestEncryptionAlg
enum<string> | null

The JWE key management algorithm ('alg' JWE header) that the server expects this client to use when it encrypts request objects; the content encryption key is established with the server's public key from the service's JWK Set for the asymmetric options, or with a key derived from the client_secret for the symmetric ones (OpenID Connect Core 1.0, 10.2). This property corresponds to request_object_encryption_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata. Whether a request object encrypted with a different algorithm is rejected is governed by requestObjectEncryptionAlgMatchRequired.

Note that the options are not equally safe or portable: RSA1_5 is RSAES-PKCS1-v1_5 key transport, which is vulnerable to Bleichenbacher-style padding-oracle attacks and which RFC 8725 advises against; RSA_OAEP_256 or the ECDH_ES family are the usual choices.

Available options:
RSA1_5,
RSA_OAEP,
RSA_OAEP_256,
A128KW,
A192KW,
A256KW,
DIR,
ECDH_ES,
ECDH_ES_A128KW,
ECDH_ES_A192KW,
ECDH_ES_A256KW,
A128GCMKW,
A192GCMKW,
A256GCMKW,
PBES2_HS256_A128KW,
PBES2_HS384_A192KW,
PBES2_HS512_A256KW
requestEncryptionEnc
enum<string> | null

The JWE content encryption algorithm ('enc' JWE header) that the server expects this client to use when it encrypts request objects. This property corresponds to request_object_encryption_enc in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata; the metadata defaults to A128CBC-HS256 when request_object_encryption_alg is specified without it. Whether a request object encrypted with a different algorithm is rejected is governed by requestObjectEncryptionEncMatchRequired.
Available options:
A128CBC_HS256,
A192CBC_HS384,
A256CBC_HS512,
A128GCM,
A192GCM,
A256GCM
requestUris
string[]

An array of URLs each of which points to a request object.

Authlete requires that URLs used as values for request_uri request parameter be pre-registered. This property is used for the pre-registration. See OpenID Connect Core 1.0, 6.2. Passing a Request Object by Reference for details.

defaultMaxAge
integer<int32>

The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have max_age request parameter.

This property corresponds to default_max_age in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

defaultAcrs
string[]

The default ACRs (Authentication Context Class References). This value is used when an authorization request from the client application has neither acr_values request parameter nor acr claim in claims request parameter.

idTokenSignAlg
enum<string> | null

The JWS algorithm ('alg' JWT header) with which the server signs ID tokens issued to this client. This property corresponds to id_token_signed_response_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, whose default is RS256.

The value none must not be used unless the client uses only response types that return no ID token from the authorization endpoint (such as the authorization code flow alone); the HSxxx options use the client_secret as the HMAC key.
Available options:
NONE,
HS256,
HS384,
HS512,
RS256,
RS384,
RS512,
ES256,
ES384,
ES512,
PS256,
PS384,
PS512,
ES256K,
EdDSA
idTokenEncryptionAlg
enum<string> | null

The JWE key management algorithm ('alg' JWE header) with which the server encrypts ID tokens issued to this client; for the asymmetric options the content encryption key is established with the client's public key from jwks or jwksUri, and the symmetric options use a key derived from the client_secret (OpenID Connect Core 1.0, 10.2). This property corresponds to id_token_encrypted_response_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata. When omitted, ID tokens are signed but not encrypted.

Note that the options are not equally safe or portable: RSA1_5 is RSAES-PKCS1-v1_5 key transport, which is vulnerable to Bleichenbacher-style padding-oracle attacks and which RFC 8725 advises against; RSA_OAEP_256 or the ECDH_ES family are the usual choices.

Available options:
RSA1_5,
RSA_OAEP,
RSA_OAEP_256,
A128KW,
A192KW,
A256KW,
DIR,
ECDH_ES,
ECDH_ES_A128KW,
ECDH_ES_A192KW,
ECDH_ES_A256KW,
A128GCMKW,
A192GCMKW,
A256GCMKW,
PBES2_HS256_A128KW,
PBES2_HS384_A192KW,
PBES2_HS512_A256KW
idTokenEncryptionEnc
enum<string> | null

The JWE content encryption algorithm ('enc' JWE header) with which the server encrypts ID tokens issued to this client. This property corresponds to id_token_encrypted_response_enc in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata; it applies only when idTokenEncryptionAlg is set, and the metadata defaults to A128CBC-HS256 in that case.
Available options:
A128CBC_HS256,
A192CBC_HS384,
A256CBC_HS512,
A128GCM,
A192GCM,
A256GCM
authTimeRequired
boolean

The flag to indicate whether this client requires the auth_time claim to be embedded in the ID token.

This property corresponds to require_auth_time in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

subjectType
enum<string>

The subject type that the client application requests. Details about the subject type are described in OpenID Connect Core 1.0, 8. Subject Identifier Types.

This property corresponds to subject_type in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

Available options:
PUBLIC,
PAIRWISE
sectorIdentifierUri
string

The value of the sector identifier URI. This represents the sector_identifier_uri client metadata which is defined in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

derivedSectorIdentifier
string

The sector identifier host component, derived from either the sector_identifier_uri or the registered redirect URIs. If no sector_identifier_uri is registered and the registered redirect URIs span more than one host, the value of this property is null; the example response above has two redirect URIs on one host, so the value is that host.
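The derivation rule for derivedSectorIdentifier, and the pairwise subject calculation that a sector identifier feeds when subjectType is PAIRWISE, as an added TypeScript example (not Authlete's code; SectorFields is an assumed subset of the record, and the salt in the usage below is a constructed placeholder). It also shows the failure mode the description mentions: a PAIRWISE client whose redirect URIs span several hosts and that has no sector_identifier_uri has no sector identifier to derive.

```typescript
import { createHash } from "node:crypto";

// Added example, not Authlete's own code. SectorFields is an assumed subset of
// the client record; the field names are the ones documented on this page.
interface SectorFields {
  subjectType?: "PUBLIC" | "PAIRWISE";
  sectorIdentifierUri?: string;
  redirectUris?: string[];
}

// Sector identifier host as described for derivedSectorIdentifier: the host of
// sector_identifier_uri when registered, otherwise the single host shared by all
// redirect URIs, and null when they span several hosts (OpenID Connect Core 1.0,
// 8.1 then requires the client to register a sector_identifier_uri).
export function deriveSectorIdentifier(c: SectorFields): string | null {
  if (c.sectorIdentifierUri) {
    const u = new URL(c.sectorIdentifierUri);
    // Dynamic Client Registration 1.0 requires an https sector_identifier_uri.
    if (u.protocol !== "https:") throw new Error("sector_identifier_uri must use https");
    return u.hostname;
  }
  const hosts = (c.redirectUris ?? []).map((uri) => new URL(uri).hostname);
  if (hosts.length === 0) return null;
  return hosts.every((h) => h === hosts[0]) ? hosts[0] : null;
}

// A PAIRWISE client with no derivable sector identifier cannot receive stable pairwise subs.
export function pairwiseMisconfigured(c: SectorFields): boolean {
  return c.subjectType === "PAIRWISE" && deriveSectorIdentifier(c) === null;
}

// Pairwise subject per the example algorithm in OpenID Connect Core 1.0, 8.1:
// SHA-256 over the sector identifier, the local account id and a server-side salt.
export function pairwiseSubject(sector: string, localAccountId: string, salt: string): string {
  return createHash("sha256").update(`${sector}${localAccountId}${salt}`).digest("hex");
}

// Usage with the redirect URIs of the example response; the salt is a placeholder.
const sector = deriveSectorIdentifier({
  subjectType: "PAIRWISE",
  redirectUris: ["https://my-client.example.com/cb1", "https://my-client.example.com/cb2"],
});
if (sector !== null) pairwiseSubject(sector, "local-user-42", "constructed-salt");
```

The salt must be a secret that never changes for the lifetime of the service, otherwise every pairwise sub changes with it; the sector identifier, not the individual redirect URI, is what keeps the sub stable when a client adds callback paths on the same host.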

jwksUri
string

The URL pointing to the JWK Set of the client application. The content pointed to by the URL is JSON which complies with the format described in JSON Web Key (JWK), 5. JWK Set Format. The JWK Set must not include private keys of the client application.

jwks
string

The content of the JWK Set of the client application. The format is described in JSON Web Key (JWK), 5. JWK Set Format. The JWK Set must not include private keys of the client application.

userInfoSignAlg
enum<string> | null

The JWS algorithm ('alg' JWT header) with which the server signs userinfo responses for this client. This property corresponds to userinfo_signed_response_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata. When omitted, the userinfo endpoint returns a plain, unsigned JSON object (application/json); as with ID tokens, the HSxxx options use the client_secret as the HMAC key.
Available options:
NONE,
HS256,
HS384,
HS512,
RS256,
RS384,
RS512,
ES256,
ES384,
ES512,
PS256,
PS384,
PS512,
ES256K,
EdDSA
userInfoEncryptionAlg
enum<string> | null

The JWE key management algorithm ('alg' JWE header) with which the server encrypts userinfo responses for this client; for the asymmetric options the content encryption key is established with the client's public key from jwks or jwksUri, and the symmetric options use a key derived from the client_secret (OpenID Connect Core 1.0, 10.2). This property corresponds to userinfo_encrypted_response_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

Note that the options are not equally safe or portable: RSA1_5 is RSAES-PKCS1-v1_5 key transport, which is vulnerable to Bleichenbacher-style padding-oracle attacks and which RFC 8725 advises against; RSA_OAEP_256 or the ECDH_ES family are the usual choices.

Available options:
RSA1_5,
RSA_OAEP,
RSA_OAEP_256,
A128KW,
A192KW,
A256KW,
DIR,
ECDH_ES,
ECDH_ES_A128KW,
ECDH_ES_A192KW,
ECDH_ES_A256KW,
A128GCMKW,
A192GCMKW,
A256GCMKW,
PBES2_HS256_A128KW,
PBES2_HS384_A192KW,
PBES2_HS512_A256KW
userInfoEncryptionEnc
enum<string> | null

The JWE content encryption algorithm ('enc' JWE header) with which the server encrypts userinfo responses for this client. This property corresponds to userinfo_encrypted_response_enc in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata; it applies only when userInfoEncryptionAlg is set, and the metadata defaults to A128CBC-HS256 in that case.
Available options:
A128CBC_HS256,
A192CBC_HS384,
A256CBC_HS512,
A128GCM,
A192GCM,
A256GCM
loginUri
string

The URL which a third party can use to initiate a login by the client application.

This property corresponds to initiate_login_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

tosUri
string

The URL pointing to the "Terms Of Service" page.

This property corresponds to tos_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

tosUris
object[]

URLs of "Terms Of Service" pages with language tags.

If the client application has different "Terms Of Service" pages for different languages, this property can be used to register the URLs.

policyUri
string

The URL pointing to the page which describes the policy as to how end-user's profile data is used.

This property corresponds to policy_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

policyUris
object[]

URLs of policy pages with language tags. If the client application has different policy pages for different languages, this property can be used to register the URLs.

clientUri
string

The URL pointing to the home page of the client application.

This property corresponds to client_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

clientUris
object[]

Home page URLs with language tags. If the client application has different home pages for different languages, this property can be used to register the URLs.

bcDeliveryMode
string

The backchannel token delivery mode.

This property corresponds to the backchannel_token_delivery_mode metadata. The backchannel token delivery mode is defined in the specification of "CIBA (Client Initiated Backchannel Authentication)".

bcNotificationEndpoint
string

The backchannel client notification endpoint.

This property corresponds to the backchannel_client_notification_endpoint metadata. The backchannel token delivery mode is defined in the specification of "CIBA (Client Initiated Backchannel Authentication)".

bcRequestSignAlg
enum<string> | null

The JWS algorithm ('alg' JWT header) that this client uses to sign backchannel authentication requests. This property corresponds to the backchannel_authentication_request_signing_alg client metadata defined in the specification of "CIBA (Client Initiated Backchannel Authentication)". When omitted, the client does not send signed backchannel authentication requests.
Available options:
NONE,
HS256,
HS384,
HS512,
RS256,
RS384,
RS512,
ES256,
ES384,
ES512,
PS256,
PS384,
PS512,
ES256K,
EdDSA
bcUserCodeRequired
boolean

The boolean flag to indicate whether a user code is required when this client makes a backchannel authentication request.

This property corresponds to the backchannel_user_code_parameter metadata.

attributes
object[]

The attributes of this client, as an array of key/value pairs (see the attributes array in the example response).

extension
object
authorizationDetailsTypes
string[]

The authorization details types that this client may use as values of the type field in authorization_details.

This property corresponds to the authorization_details_types metadata. See OAuth 2.0 Rich Authorization Requests (RAR) for details.

Note that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes to align with the change made by the 5th draft of the RAR specification.

customMetadata
string

The custom client metadata in JSON format.

frontChannelRequestObjectEncryptionRequired
boolean

The flag indicating whether encryption of the request object is required when it is passed through the front channel, that is, through the end-user's browser as the request parameter of an authorization request.

requestObjectEncryptionAlgMatchRequired
boolean

The flag indicating whether the JWE alg of an encrypted request object must match the request_object_encryption_alg client metadata (requestEncryptionAlg).

requestObjectEncryptionEncMatchRequired
boolean

The flag indicating whether the JWE enc of an encrypted request object must match the request_object_encryption_enc client metadata (requestEncryptionEnc).

digestAlgorithm
string

The digest algorithm that this client requests the server to use when it computes digest values of external attachments, which may be referenced from within ID tokens or userinfo responses (or any place that can have the verified_claims claim). Possible values are listed in the Hash Algorithm Registry of IANA (Internet Assigned Numbers Authority), but the server does not necessarily support all the values there. When this property is omitted, sha-256 is used as the default algorithm. This property corresponds to the digest_algorithm client metadata which was defined by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

singleAccessTokenPerSubject
boolean

If true, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.

Note that, however, attempts by the Client Credentials Flow do not invalidate existing access tokens, because access tokens issued by the Client Credentials Flow are not associated with any end-user's subject.

Even if this flag is false, single access token per subject is effective if singleAccessTokenPerSubject of the Service this client belongs to is true.

pkceRequired
boolean

The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.

If true, code_challenge request parameter is always required for authorization requests using Authorization Code Flow.

See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients) for details about code_challenge request parameter.

pkceS256Required
boolean

The flag to indicate whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.

If this flag is set to true, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.
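How pkceRequired and pkceS256Required act on an authorization request, and how the matching code_verifier is then checked at the token endpoint, as an added TypeScript example (not Authlete's own code; PkceFlags and AuthzRequest are assumed subsets of the client record and of the request parameters). The verifier/challenge pair at the end is the test vector from RFC 7636, Appendix B.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example, not Authlete's own code. Assumed subsets of the client record
// (field names from this page) and of the authorization request parameters.
interface PkceFlags { pkceRequired?: boolean; pkceS256Required?: boolean; }
interface AuthzRequest { code_challenge?: string; code_challenge_method?: string; }

type PkceMethod = "plain" | "S256";
export type PkceDecision =
  | { ok: true; method: PkceMethod | null }
  | { ok: false; error: string };

// RFC 7636, 4.1 and 4.2: unreserved characters only, 43 to 128 of them.
const PKCE_TOKEN = /^[A-Za-z0-9\-._~]{43,128}$/;

// Authorization endpoint: apply the two client flags exactly as described above.
export function checkPkceRequest(client: PkceFlags, req: AuthzRequest): PkceDecision {
  if (req.code_challenge === undefined) {
    return client.pkceRequired
      ? { ok: false, error: "code_challenge is required for this client" }
      : { ok: true, method: null };
  }
  if (!PKCE_TOKEN.test(req.code_challenge)) return { ok: false, error: "malformed code_challenge" };
  // RFC 7636, 4.3: an absent code_challenge_method means plain, which is why
  // pkceS256Required must reject omission as well as an explicit plain.
  const method = req.code_challenge_method ?? "plain";
  if (method !== "plain" && method !== "S256") {
    return { ok: false, error: `unsupported code_challenge_method ${method}` };
  }
  if (client.pkceS256Required && method !== "S256") {
    return { ok: false, error: "code_challenge_method=S256 is required for this client" };
  }
  return { ok: true, method };
}

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Token endpoint (RFC 7636, 4.6): recompute the challenge from code_verifier and
// compare it in constant time with the value stored alongside the authorization code.
export function verifyCodeVerifier(method: PkceMethod, storedChallenge: string, codeVerifier: string): boolean {
  if (!PKCE_TOKEN.test(codeVerifier)) return false;
  const derived = method === "S256"
    ? base64url(createHash("sha256").update(codeVerifier, "ascii").digest())
    : codeVerifier;
  const a = Buffer.from(derived);
  const b = Buffer.from(storedChallenge);
  return a.length === b.length && timingSafeEqual(a, b);
}

// RFC 7636, Appendix B test vector.
export const RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
export const RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
```

With both flags true, a request that carries code_challenge but omits code_challenge_method is rejected, since the omitted method defaults to plain; the plain method offers no protection against an attacker who observes the authorization request, which is what pkceS256Required exists to rule out.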

dpopRequired
boolean

The flag to indicate whether DPoP (Demonstrating Proof of Possession, RFC 9449) is required for this client.

automaticallyRegistered
boolean

The flag indicating whether this client was registered by the "automatic" client registration of OIDC Federation.

explicitlyRegistered
boolean

The flag indicating whether this client was registered by the "explicit" client registration of OIDC Federation.

rsRequestSigned
boolean

The flag indicating whether requests from this client to the resource server are signed (see rsSignedRequestKeyId for the key used).

rsSignedRequestKeyId
string

The key ID of a JWK containing the public key used by this client to sign requests to the resource server.

clientRegistrationTypes
enum<string>[]

The client registration types that the client has declared it may use.

Values for the client_registration_types RP metadata and the client_registration_types_supported OP metadata that are defined in OpenID Connect Federation 1.0.

Available options:
AUTOMATIC,
EXPLICIT
organizationName
string

The human-readable name representing the organization that manages this client. This property corresponds to the organization_name client metadata that is defined in OpenID Connect Federation 1.0.

signedJwksUri
string

The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property corresponds to the signed_jwks_uri client metadata defined in OpenID Connect Federation 1.0.

entityId
string

The entity ID of this client, as used in OpenID Connect Federation 1.0.

trustAnchorId
string

The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Connect Federation 1.0

trustChain
string[]

The trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Connect Federation 1.0

trustChainExpiresAt
integer<int64>

The expiration time of the trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Connect Federation 1.0. The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).

trustChainUpdatedAt
integer<int64>

The time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0. The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).

locked
boolean

The flag which indicates whether this client is locked.

credentialOfferEndpoint
string

The URL of the credential offer endpoint at which this client (wallet) receives a credential offer from the credential issuer.

fapiModes
enum<string>[]

The FAPI modes for this client.

Available options:
FAPI1_ADVANCED,
FAPI1_BASELINE,
FAPI2_MESSAGE_SIGNING_AUTH_REQ,
FAPI2_MESSAGE_SIGNING_AUTH_RES,
FAPI2_MESSAGE_SIGNING_INTROSPECTION_RES,
FAPI2_SECURITY
responseModes
enum<string>[]

The response modes that this client may use.

Available options:
QUERY,
FRAGMENT,
FORM_POST,
JWT,
QUERY_JWT,
FRAGMENT_JWT,
FORM_POST_JWT
credentialResponseEncryptionRequired
boolean

True if credential responses to this client must always be encrypted.

mtlsEndpointAliasesUsed
boolean

The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.

This property corresponds to the use_mtls_endpoint_aliases client metadata that is defined in FAPI 2.0 Security Profile, 8.1.1. use_mtls_endpoint_aliases.

inScopeForTokenMigration
boolean

The flag indicating whether this client is in scope for token migration operations.

metadataDocumentLocation
string<uri>

Location of the Client ID Metadata Document that was used for this client.

metadataDocumentExpiresAt
integer<int64>

Expiration time of the metadata document (UNIX time in milliseconds).

metadataDocumentUpdatedAt
integer<int64>

Last-updated time of the metadata document (UNIX time in milliseconds).

discoveredByMetadataDocument
boolean

Indicates whether this client was discovered via a Client ID Metadata Document.

clientSource
enum<string>

Source of this client record.

Available options:
DYNAMIC_REGISTRATION,
AUTOMATIC_REGISTRATION,
EXPLICIT_REGISTRATION,
METADATA_DOCUMENT,
STATIC_REGISTRATION