Applications

An Application in Optare represents an OAuth client - your web app, mobile app, or backend service.

Application Types

Type	Use Case	Example
Single Page App (SPA)	Browser-only JavaScript	React, Vue, Angular
Regular Web App	Server-rendered pages	Next.js, Express, Rails
Native/Mobile	iOS, Android, Desktop	Flutter, Swift, Kotlin
Machine-to-Machine (M2M)	Backend services	Cron jobs, APIs

Create an Application

Go to Optare Console (opens in a new tab)
Navigate to Applications → OAuth Clients
Click Create Client

Basic Settings

Field	Description
Name	Display name for the application
Application Type	SPA, Web App, Native, or M2M
Logo	Optional app icon

OAuth Settings

Redirect URIs

URLs where Optare can redirect after authentication.

Development:

https://yourapp.com/callback
https://yourapp.com/api/auth/callback

Production:

https://myapp.com/callback
https://myapp.com/api/auth/callback

Note: Redirect URIs must match exactly. Use separate entries for different paths.

Logout URIs

URLs for post-logout redirects:

https://yourapp.com
https://myapp.com

Allowed Origins (CORS)

Origins allowed to make requests to Optare:

https://yourapp.com
https://myapp.com

Credentials

Client ID

A public identifier for your application. Safe to expose in frontend code.

pub_abc123xyz789

Client Secret

A private key for server-side applications. Never expose in frontend code.

sk_secret_key_here

Warning: Client secrets should only be used in backend applications. SPAs and mobile apps should not use client secrets.

Application Type Details

Single Page App (SPA)

For browser-only JavaScript applications.

Settings:

✅ Use Authorization Code Flow with PKCE
❌ No client secret (public client)
✅ Enable token rotation

Example:

const client = new OptareClient({
  domain: 'https://id.optare.one',
  clientId: 'pub_abc123',
  // No clientSecret for SPAs
});

Regular Web App

For server-rendered applications with a backend.

Settings:

✅ Use Authorization Code Flow
✅ Client secret (confidential client)
✅ Secure token storage (httpOnly cookies)

Example:

const client = new OptareClient({
  domain: 'https://id.optare.one',
  clientId: 'pub_abc123',
  clientSecret: process.env.OPTARE_CLIENT_SECRET, // Server-side only!
});

Native/Mobile App

For iOS, Android, or desktop applications.

Settings:

✅ Use Authorization Code Flow with PKCE
❌ No client secret
✅ Custom URL scheme for redirect

Redirect URI:

myapp://callback
com.mycompany.myapp:/callback

Machine-to-Machine (M2M)

For backend services that don't involve users.

Settings:

✅ Use Client Credentials Flow
✅ Client ID + Client Secret
✅ Scoped to specific APIs

Example:

const token = await client.auth.getM2MToken({
  clientId: 'srv_abc123',
  clientSecret: process.env.SERVICE_SECRET,
  audience: 'https://api.myapp.com',
});

Scopes

Define what data and actions the application can access.

Standard Scopes

Scope	Access
`openid`	User identifier
`profile`	Name, picture
`email`	Email address
`offline_access`	Refresh tokens

Organization Scopes

Scope	Access
`organization`	Current organization
`organization:read`	Read org details
`organization:write`	Modify org settings

Custom Scopes

Define custom scopes for your APIs:

read:products
write:products
admin:users

Rotate Credentials

To rotate a client secret:

Go to your application settings
Click Rotate Secret
Copy the new secret
Update your application
The old secret remains valid for 24 hours

Delete an Application

Go to application settings
Scroll to Danger Zone
Click Delete Application
Confirm deletion

Warning: Deleting an application immediately invalidates all tokens. Users will be logged out.

Next Steps

APIs - Define API resources
Connections - Set up SSO
React Quickstart - Integrate your SPA

Tenant Settings APIs