OAuth Apps

You can create and manage your own OAuth applications directly in the app.

Open your user settings, switch to Development, and use the Owned OAuth Applications section.

What you can do there

  • create a new OAuth application
  • edit its name
  • update allowed redirect URIs
  • choose whether the app requires a client secret
  • rotate the client secret for confidential apps
  • copy the client id
  • reveal and copy the client secret when one is enabled; it stays hidden by default in the list
  • delete the app

Public vs confidential apps

  • Leave Require a client secret off for public clients that cannot safely store secrets.
  • Turn it on for server-side integrations that can keep the client secret private.
  • Turning Require a client secret off removes the previously stored client secret for that app and signs out existing OAuth sessions for it.
  • Public apps must use PKCE with the S256 method when they create and exchange authorization codes.
  • Authorize links must request explicit read, write, or delete scopes. Links without valid scopes are blocked instead of defaulting to broad access.
  • Older tokens with pre-release custom scopes are treated as read-only until the app is authorized again with explicit scopes.
  • Authorizing or revoking an OAuth app requires your signed-in Bnder session; an OAuth API token cannot authorize or revoke apps.
  • Do not put a client secret in an authorize link. Confidential apps send the secret only to the token endpoint when exchanging a code or refresh token.
  • If a confidential app secret leaks, rotate it from the owned-app list instead of creating a new client id from scratch.
  • Rotating a client secret signs out existing OAuth sessions for that app, so connected integrations need to authorize again with the new secret.
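The three client-side rules above (S256 PKCE for public apps, explicit read/write/delete scopes in the authorize link, and the client secret sent only to the token endpoint) as an added Python example; this is not Bnder's own code. The authorize and token URLs are placeholders, since the page only names the management path /consumer/v1/oauth/clients, and the parameter names are the standard OAuth 2.0 ones, assumed rather than taken from the page.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder endpoints: the page only documents the management
# API path (/consumer/v1/oauth/clients); authorize and token URLs are assumed.
AUTHORIZE_URL = "https://bnder.example/oauth/authorize"
TOKEN_URL = "https://bnder.example/oauth/token"
VALID_SCOPES = {"read", "write", "delete"}


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)[:128]  # 43..128 unreserved chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, code_challenge, state):
    """Build the authorize link. Scopes must be explicit; an empty or unknown set
    is rejected locally, mirroring the server-side block described above."""
    scopes = set(scopes)
    if not scopes or not scopes <= VALID_SCOPES:
        raise ValueError(f"authorize link needs explicit scopes from {sorted(VALID_SCOPES)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # Deliberately no client_secret here, even for confidential apps.
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id, code, redirect_uri, code_verifier, client_secret=None):
    """Form body for the code exchange POSTed to TOKEN_URL. Only a confidential
    app adds client_secret, and only in this request."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body
```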

Revoking access

The Authorized OAuth Applications list is separate from the apps you own.

Use that list when you want to revoke an app's access to your account. Use the owned-app list when you want to edit or delete the application itself.

API access

If you prefer automation, the same owner-management actions are also available in the REST API under /consumer/v1/oauth/clients.

Important behavior

Deleting an OAuth application immediately breaks further OAuth API access for that app, even if it still had unexpired tokens.