Clients
Register OIDC/OAuth clients — public or confidential — with dynamic registration, redirect URIs, grant types, and secret rotation.
An OIDC client represents an application that authenticates users through Qeet ID. Clients are tenant-scoped and come in two types:
- public — SPAs / native apps that can't keep a secret. Use Authorization Code + PKCE; no client secret.
- confidential — server-side apps that can hold a secret.
Client IDs look like qci_….
Register a client
/v1/oidc/clients    Register a client (dynamic registration)

curl -X POST https://api.qeetid.com/v1/oidc/clients \
  -H "Authorization: ApiKey $QEETID_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "'"$TENANT"'",
    "name": "Acme Web",
    "type": "confidential",
    "redirect_uris": ["https://app.acme.com/api/auth/callback"],
    "post_logout_uris": ["https://app.acme.com"],
    "grant_types": ["authorization_code", "refresh_token"]
  }'

Response:

{
  "client": { "id": "qci_…", "name": "Acme Web", "type": "confidential", "redirect_uris": ["…"] },
  "client_secret": "…",
  "warning": "Store the secret now — it is not retrievable later."
}

The secret is shown once
Confidential-client secrets are returned only at creation (and on rotation). Store them immediately in your secret manager.
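
A pre-flight lint for the registration body shown above, added here as an example and not taken from Qeet ID's code or documentation. The function names and the URI policy (https only, http on loopback, private-use schemes for public clients, no wildcards or fragments) are assumptions drawn from general OAuth security guidance, and `client_credentials` is the RFC 6749 grant name rather than a value this page lists.

```python
from urllib.parse import urlsplit

# Policy below is this example's assumption (OAuth security guidance),
# not Qeet ID's documented server-side validation.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def check_uri(uri, client_type):
    """Return the problems found in one redirect or post-logout URI."""
    parts = urlsplit(uri)
    problems = []
    if "*" in uri:
        problems.append("wildcard prevents exact-match comparison")
    if "#" in uri:
        problems.append("fragment is not allowed (RFC 6749, section 3.1.2)")
    if parts.scheme == "https":
        if not parts.hostname:
            problems.append("missing host")
    elif parts.scheme == "http":
        if parts.hostname not in LOOPBACK_HOSTS:
            problems.append("plain http on a non-loopback host")
    elif not (parts.scheme and client_type == "public"):
        problems.append("only a public (native) client may use a private-use scheme")
    return [f"{uri}: {p}" for p in problems]


def lint_registration(payload):
    """Lint a client registration body before it is POSTed."""
    ctype = payload.get("type")
    grants = set(payload.get("grant_types", []))
    problems = []
    if ctype not in ("public", "confidential"):
        problems.append(f"type: expected public or confidential, got {ctype!r}")
    if "authorization_code" in grants and not payload.get("redirect_uris"):
        problems.append("redirect_uris: authorization_code needs at least one")
    for field in ("redirect_uris", "post_logout_uris"):
        for uri in payload.get(field, []):
            problems += [f"{field}: {p}" for p in check_uri(uri, ctype)]
    # "client_credentials" is the RFC 6749 grant name; assumed, not from the page.
    if ctype == "public" and "client_credentials" in grants:
        problems.append("grant_types: client_credentials requires a client secret")
    return problems


# Constructed sample: a public client with deliberate mistakes in URIs and grants.
BAD = {"type": "public", "name": "Acme SPA",
       "redirect_uris": ["http://app.acme.com/cb", "https://*.acme.com/cb#x"],
       "grant_types": ["authorization_code", "client_credentials"]}

if __name__ == "__main__":
    for line in lint_registration(BAD):
        print(line)
```

Run it in CI against the JSON you intend to send, and fail the job when the returned list is not empty.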
Manage clients
/v1/tenants/{tenantID}/oidc/clients    List clients
/v1/tenants/{tenantID}/oidc/clients/{id}    Update a client
/v1/tenants/{tenantID}/oidc/clients/{id}/rotate-secret    Rotate the secret
/v1/oidc/clients/{id}    Delete a client

The admin dashboard exposes all of this — list, edit, rotate-secret, and delete OIDC clients per tenant.
Consent grants
When a user consents to a client's scopes, Qeet ID records a grant. Admins (and users) can view and revoke them.
/v1/tenants/{tenantID}/oauth/grants    List consent grants
/v1/tenants/{tenantID}/oauth/grants/{id}    Revoke a grant

Next
OIDC / OAuth provider
Qeet ID is a full OpenID Connect provider — discovery, JWKS, dynamic client registration, Authorization Code + PKCE, hosted login & consent, ES256 ID tokens, device grant, and M2M.
Authorization Code + PKCE
The browser login flow — authorize, hosted login & consent, callback, and code exchange — with PKCE (S256) required.