OAuth Client Update
Update an OAuth client created by the authenticated account. Allowed scopes must remain within the authenticated account's current permissions. If the account has `ADMINISTRATOR`, it may configure any Storyden permission scope because `ADMINISTRATOR` implicitly grants all permissions. Changing allowed scopes affects future grants and refreshes but does not immediately invalidate already-issued JWT access tokens.
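Because narrowing `allowed_scopes` does not touch tokens already issued, an audit after the update has to compare each outstanding token against the new list. The Go code below is an added example, not Storyden's own code; it assumes the JWT access token carries a space-delimited `scope` claim and a numeric `exp` claim, and the scope names and the `SampleToken` helper are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// StaleScopes decodes an issued JWT's payload WITHOUT verifying it (audit use
// only) and returns scopes it carries that allowed lacks, plus its remaining life.
func StaleScopes(jwt string, allowed []string, now time.Time) (stale []string, left time.Duration, err error) {
	var c struct {
		Scope string `json:"scope"` // assumption: space-delimited scope claim
		Exp   int64  `json:"exp"`   // assumption: expiry in Unix seconds
	}
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, 0, fmt.Errorf("not a compact JWT: %d parts", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	left = time.Unix(c.Exp, 0).Sub(now)
	if err != nil || left <= 0 {
		return nil, 0, err // undecodable, or expired so nothing is outstanding
	}
	ok := map[string]bool{}
	for _, s := range allowed {
		ok[s] = true
	}
	for _, s := range strings.Fields(c.Scope) {
		if !ok[s] {
			stale = append(stale, s)
		}
	}
	return stale, left, nil
}

// SampleToken builds a constructed, unsigned token for this demonstration.
func SampleToken(scope string, exp int64) string {
	body, _ := json.Marshal(map[string]interface{}{"scope": scope, "exp": exp})
	return "e30." + base64.RawURLEncoding.EncodeToString(body) + ".unsigned"
}

func main() {
	fmt.Println(StaleScopes(SampleToken("READ_THINGS WRITE_THINGS", 2000000000), []string{"READ_THINGS"}, time.Unix(1999999100, 0)))
}
```

A non-empty result marks a token that keeps a removed scope until the returned duration elapses.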
PATCH /auth/oauth/clients/{oauth_client_id}
Authorization
browser In: cookie
Path Parameters
OAuth client ID.
xid
Request Body
application/json
Response Body
application/json
application/json
curl -X PATCH "https://loading/api/auth/oauth/clients/cc5lnd2s1s4652adtu50" \
  -H "Content-Type: application/json" \
  -d '{}'

{
  "id": "cc5lnd2s1s4652adtu50",
  "createdAt": "2019-08-24T14:15:22Z",
  "updatedAt": "2019-08-24T14:15:22Z",
  "account_id": "cc5lnd2s1s4652adtu50",
  "client_id": "string",
  "name": "string",
  "type": "public",
  "scope_policy": "explicit",
  "redirect_uris": [
    "http://example.com"
  ],
  "allowed_scopes": [
    "string"
  ],
  "allowed_grants": [
    "string"
  ]
}

{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}

OAuth Client List GET
List OAuth clients created by the authenticated account. This is the member-facing "apps I created" view. OAuth clients are application definitions: client ID, client type, redirect URIs, allowed scopes, and allowed grants. This does not list built-in first-party clients or third-party apps the member has merely authorised. Use `/auth/oauth/tokens` for the "apps I have authorised" view.
OAuth Device Authorisation POST
Start the OAuth 2.0 Device Authorization Grant for clients that cannot receive a browser redirect directly, such as CLIs, terminals, and desktop tools. The `scope` parameter follows OAuth 2.0 and is optional. Storyden applies additional client policy after parsing the request:
- Built-in first-party device clients, such as the default Storyden CLI client, must request exactly `openid profile offline_access`. On approval Storyden expands the issued scope to the approving account's current permissions.
- Third-party explicit-scope clients may omit `scope`; omitted scope means no requested scopes.

`verification_uri` and `verification_uri_complete` point at the configured frontend consent page, not at an API-rendered HTML page. Custom frontends can change this URL with `OAUTH_DEVICE_AUTHORISATION_CONSENT_URL`.