App Registration
Before using OAuth, register your application in the Developers Dashboard.
Creating an app
Provide the following:
| Field | Required | Description |
|---|---|---|
| Name | Yes | Displayed on the consent screen |
| Description | No | Explains what your app does |
| Redirect URIs | Yes | Where to send users after authorization. Must be HTTPS (except http://localhost for development). |
| Client type | Yes | confidential (server-side) or public (SPA/mobile) |
| Scopes | Yes | Maximum scopes your app can request |
Client types
Confidential clients
Server-side applications that can securely store a client secret.
- Receive a
client_idandclient_secret - Must include
client_secretwhen exchanging tokens - PKCE is optional but recommended
Public clients
Browser-based SPAs and mobile apps that cannot securely store secrets.
- Receive only a
client_id(no secret) - Must use PKCE for all authorization requests
- Cannot use the
client_secretparameter
Credentials
After registration you'll receive:
- Client ID — public identifier, format:
vdo_client_* - Client Secret — (confidential clients only) shown once at creation. Store it securely.
The client secret cannot be retrieved after the initial display. If lost, revoke the app and create a new one.
Redirect URIs
- Must be registered before use — the authorization endpoint rejects unregistered URIs
- Exact match required (no wildcards)
http://localhostis allowed for development- All other URIs must use
https://
Managing apps
From the Developer Console you can:
- Edit name, description, redirect URIs, and scopes
- View connected user count
- Revoke an app (immediately invalidates all tokens)