Skip to main content
Version: 4.18.1

Create App

Apps are entities that can request Keycloak to authenticate a user. It also use Keycloak to encrypt themselves and provide a single sign-on solution which can securely invoke other services over the network.

Resource Informations

Requires authentication?Yes
Rate limited?No


Request headers

AuthorizationBearer token

HTTP request URL for SSMS

POST https://{tenantId}.{hostname}/digitanium/v4/apps

HTTP request URL for SHIFT

POST https://{hostname}/auth/realms/{tenantId}/v3_client/

API requests must be made over https. Calls made over plain http will fail.


No parameter fields are required.

Request body(* d)

Field NameTypeDescription
*appNameStringThe name of the app to be created
idStringThis is a unique auto-generated id
nameStringDisplay name of the client
descriptionStringThe description of the app to be created
rootUrlStringThe root URL is known to be the entire URL, including a slash.(Example:
adminUrlStringURL to the client's admin interface. The admin url template tag retrieves the url with the required protocol from the admin field of the current domain. adminUri of the created client should be same as rootUrl if it is not specified.
baseUrlStringA consistent part or root of the address of your website (Example:
surrogateAuthRequiredbooleanWhether or not it is required to substitute auth
enabledbooleanIs this enabled or not?
appAuthenticatorTypeStringType of Two-factor verification to sign-in to your accounts
secretStringYou may define a secret here when using the norm (otherwise one will be generated if it does not exit)
registrationAccessTokenStringThe registration authorization token offers access to the client registration service for clients
defaultRolesStringA list of this client's default roles. If the client functions referenced are not included, and if they already exist, they can be created.
redirectUrisList(String)Appropriate URIs for this client for redirection. redirectUri's of the created client should be same as rootUrl if it is not specified.
webOriginsList(String)List of allowed origins. webOrigins specified in the request should be set to the created client.
notBeforeIntegerRevoke all tokens for this client given previous to this date (this is a UNIX timestamp).
bearerOnlybooleanThis client's access form is bearer-only.
consentRequiredbooleansers have to agree to client access if allowed.
standardFlowEnabledbooleanEnable or not to enable standard flow for this client.
implicitFlowEnabledbooleanEnable or not to enable implicit flow for this client.
directAccessGrantsEnabledbooleanEnable or not to enable directAccessGrants for this client.
serviceAccountsEnabledbooleanEnable or not to enable serviceAccounts for this client.
authorizationServicesEnabledbooleanEnable or not to enable authorizationServices for this client.
directGrantsOnlybooleanEnable or not to enable directGrantsOnly for this client.
publicAppbooleanIs the access type for this app is public or not?
frontchannelLogoutbooleanFor this client, frontchannel logout is or is not enabled.
protocolStringIt defines the protocol for which this protocol mapper is involved.
attributesMap(String,String)Based on the user requirement the user attributes can be updated. User can add any customized attribute in form of key value pair.
authenticationFlowBindingOverridesMap(String,String)Describe the bug Configuring authenticationFlowBindingOverrides for a client appears not to be feasible.
fullScopeAllowedbooleanWhether or not the "Full Scope Allowed" function is set for this client.
nodeReRegistrationTimeoutIntegerCluster node timeout for this client's re-registration.
registeredNodesMap(String,String)Registered cluster node dictation with (nodename) as the key and the (last time of registration) as the value.
protocolMappersList(ProtocolMapperRepresentation)A list of client that describe protocol mappers.
appTemplateStringThe template is a specialized version of the App Template client.
useTemplateConfigbooleanWhether or not to use the (client_template) configuration
useTemplateScopebooleanWhether or not to use the (client template) scope setup
useTemplateMappersbooleanWhether or not to use the (client-template) mapper setup
defaultClientScopesList(String)A list of default client scopes.
optionalClientScopesList(String)A list of optionalClientScopes.
authorizationSettingsResourceServerRepresentationA data framework that determines this client's authorization settings.
accessMap(String,Boolean)A list of access type.
originStringList of allowed origins.

Attribute Details

Attribute NameTypeDescription
app_logoStringThis app logo will reflect under apps tab in user account page.

For confidential_client.

Request BodyPrevious BehaviourExpected and Current Behaviour
If secret field is not specifiedsecret is not generatedsecret is generated
If either publicApp or bearerOnly set as false and serviceAccountsEnabled set as trueThe service account(user) is not created, when the confidential client is created with service account enabledThe service account(user) is getting created, when the confidential client is created with service account enabled
serviceAccountsEnabled set as false and authorizationServicesEnabled set as trueFailed to create App Caused by Client does not have a service account. But the client was createdFailed to create App Caused by Client does not have a service account. The client creation will be rolled back.

In order for the Expected and Current Behaviour to function, the request body should have protocol set to openid-connect.

Sample Request

"appName": "new_client2",
"id": "new_client2",
"clientId": "new_client3",
"name": "test",
"description": "",
"rootUrl": "",
"adminUrl": "",
"baseUrl": "",
"attributes" : {
"app_logo": ""
"surrogateAuthRequired": true,
"enabled": true,
"appAuthenticatorType": "",
"secret": "",
"registrationAccessToken": "",
"defaultRoles": null,
"redirectUris": null,
"webOrigins": null,
"notBefore": 2,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"authorizationServicesEnabled": false,
"directGrantsOnly": false,
"publicApp": false,
"frontchannelLogout": false,
"protocol": "",
"authenticationFlowBindingOverrides": "",
"fullScopeAllowed": "",
"nodeReRegistrationTimeout": "",
"registeredNodes": "",
"protocolMappers": "",
"appTemplate": false,
"useTemplateConfig": false,
"useTemplateScope": false,
"useTemplateMappers": false,
"defaultClientScopes": "",
"optionalClientScopes": "",
"authorizationSettings": "",
"access": "",
"origin": ""


Field NameTypeDescription
messageStringMessage explains result of the API call. Refer Response status Information for details.
statusStringThe status of the API call. Refer Response status Information for details.
subSystemIntegersubSystem categorizes the type of API that has been called. Refer Subsystem details for details.

Sample Response

"message": "App created successfully.",
"status": "OK",
"subSystem": 2

Response Status Information

Status CodeStatusMessage
200OKApp created successfully.
400BAD_REQUESTApp name should not be null or empty.
401UnauthorizedHTTP 401 Unauthorized.
409CONFLICTApp already exists.