Manage OAuth API Clients
OAuth clients offer fine-grained permissions, require client authentication before issuing access tokens, and allow configurable token validity, offering enhanced security and control over API access. For information about OAuth2-based RSA API permissions, see OAuth 2.0-Based Permissions for the Cloud Administration APIs.
In contrast, API keys offer only basic access: they lack granular permissions and per-request authorization, and they have long lifespans, which can pose security risks. If you have configured your clients using legacy API keys, RSA recommends transitioning to OAuth API clients for secure access and better control.
Add API Client
This section provides instructions for adding an API client to the Cloud Administration Console. Adding an API client allows you to configure and manage access to the Cloud Administration and Authentication APIs, providing detailed control over API permissions and security.
Procedure
In the Cloud Administration Console, click Platform > API Access Management.
In the OAuth Clients section, click Add API Client.
On the Basic Information tab, complete these fields.
In the Name field, enter a name for the OAuth client application that will register with the authorization server (for example, Splunk OAuth Demo Client).
(Optional) In the Description field, enter a description for the OAuth client.
From the Client Type drop-down list, select the appropriate client type:
Admin API - Grants access to Cloud Access Service (CAS) administration API scopes.
RSA Agent API - Enables certificate provisioning for passwordless authentication in MFA Agents.
MFA API (Authentication API) - Provides access to multi-factor authentication APIs.
SCIM API - Provides access to SCIM using OAuth-based authentication.
Click Next Step.
On the Authentication tab, complete these fields.
The Issuer URL is read-only and displays the URL endpoint that identifies the authorization server issuing the tokens.
The Client ID field is auto-populated. Make sure to note it down for later use in the client application.
The Grant Type is a read-only field that is set to the 'Client Credentials' grant.
The Client Authentication is a read-only field that displays the method required for client authentication. It is set to 'Private Key JWT'.
In the Public Key field, enter the public key corresponding to the private key used by the client to sign the JWT.
Alternatively, click Generate Key to create a new key. In the Key Pair Generator dialog box, specify the key type, click Generate Key Pair and then click Autofill. Make sure to download or copy the private key to a secure location, as it will be needed later by the client to sign the JWT.
Note: Be sure to note the Issuer URL, Client ID, and Private Key (if generated via the Cloud Administration Console), as you will need them when accessing the Cloud Administration or Authentication API from your client application.
In the Access Token Lifetime field, enter the duration of the access token’s validity. The default duration is 5 minutes, with a maximum validity of 24 hours.
(Optional) Select the Encrypt Access Token checkbox to encrypt the access token with JSON Web Encryption (JWE). Only RSA can decrypt an encrypted token, so its payload is hidden from anyone else who obtains it.
In the Network Zone drop-down list, select a network zone. Network zones are used to classify IP addresses as Trusted or Restricted, allowing you to manage and identify traffic coming into the application. For information about network zones, see Manage Networks.
On the Permissions tab, select the checkboxes for the permissions you want to grant. Permissions are categorized into groups.
Note: Available permissions will vary depending on the client type you selected.
For Cloud Administration APIs, select from the following groups, depending on which Administration APIs will be used by the client: Agent, Audit, Authenticator, Report, User, and Local Group.
For Cloud Authentication APIs, select the MFA group.
Selecting a permission checkbox includes it in the request, along with any other selected permissions. For more information, see OAuth 2.0-Based Permissions for the Cloud Administration APIs.
Note: Default permissions are automatically included in the access token if the scope parameter is empty or not explicitly requested. Non-default scopes are included only when specifically requested.
Click Save and Finish.
(Optional) To publish this configuration, click Publish Changes.
Use the Sample Code to generate the access token for the Cloud Administration APIs. For more information, see Cloud Administration APIs - Sample Code.
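The Authentication tab fixes the grant type to Client Credentials and client authentication to Private Key JWT, so the client proves its identity by signing a short-lived JWT with the private key that matches the registered public key and posting it to the token endpoint with grant_type=client_credentials. The Go program below is an added illustration of that exchange, not RSA's Sample Code: the Issuer URL, Client ID and the /token path are placeholders, and the exact claims and endpoint RSA expects are in the Sample Code article referenced above. It builds the client assertion, forms the token request (leaving scope empty so only the default permissions are issued, as the note on the Permissions tab describes), and models the checks the authorization server performs with the registered public key, which is why the private key must remain where only the client can use it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Placeholders for the Authentication-tab values (assumed); the "/token" path under the Issuer URL is also assumed.
const (
	clientID            = "CLIENT_ID_FROM_CONSOLE"
	tokenURL            = "https://ISSUER_URL_FROM_CONSOLE/token"
	clientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
	jwtHeader           = `{"alg":"RS256","typ":"JWT"}` // pinned: the server never lets the token choose alg
)

// private_key_jwt claims (RFC 7523): the client is its own issuer and subject, the audience is the token endpoint.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs a short-lived RS256 JWT with the private key; only the public key is registered.
func BuildClientAssertion(key *rsa.PrivateKey, id, audience string, now time.Time, ttl time.Duration) (string, error) {
	jti := make([]byte, 16) // a fresh jti per request lets the server refuse a replayed assertion
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(assertionClaims{
		Iss: id, Sub: id, Aud: audience,
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Jti: fmt.Sprintf("%x", jti),
	})
	signingInput := b64([]byte(jwtHeader)) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyClientAssertion mirrors the server's checks with the registered public key: pinned header, valid signature, iss/sub/aud match, unexpired.
func VerifyClientAssertion(pub *rsa.PublicKey, token, wantID, wantAud string, now time.Time) (*assertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != b64([]byte(jwtHeader)) {
		return nil, errors.New("malformed JWT or unexpected header")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a bad encoding yields a signature that fails below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the registered public key")
	}
	var c assertionClaims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad claims")
	}
	if c.Iss != wantID || c.Sub != wantID || c.Aud != wantAud {
		return nil, errors.New("iss, sub or aud mismatch")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

// BuildTokenRequestBody forms the client_credentials request; no scopes means no scope parameter, so only default permissions are issued.
func BuildTokenRequestBody(assertion string, scopes []string) string {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("client_assertion_type", clientAssertionType)
	form.Set("client_assertion", assertion)
	if len(scopes) > 0 {
		form.Set("scope", strings.Join(scopes, " "))
	}
	return form.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the console's Generate Key Pair
	assertion, _ := BuildClientAssertion(key, clientID, tokenURL, time.Now(), 5*time.Minute)
	fmt.Println("POST", tokenURL)
	fmt.Println(BuildTokenRequestBody(assertion, nil))
	_, err := VerifyClientAssertion(&key.PublicKey, assertion, clientID, tokenURL, time.Now())
	fmt.Println("server-side check:", err)
}
```

Run it with `go run` to print the form body a client would POST to the token endpoint. The assertion lifetime is separate from the Access Token Lifetime set in the console: the assertion only needs to outlive the token request, while the issued access token lives for the configured duration.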