Admin endpoints — external applications
Registers OAuth2 applications and controls which clients/brands each one may access. Auth:
Entra ID JWT bearer with the ADMIN role. The formal schema is on the API Reference.
Applications
| Method | Path | Code | Does |
|---|---|---|---|
GET | /v1/admin/external-applications | 200 | List all applications |
PUT | /v1/admin/external-applications/{oAuthAppId} | 200 | Create or update an application |
GET | /v1/admin/external-applications/{oAuthAppId} | 200 | Get one application |
DELETE | /v1/admin/external-applications/{oAuthAppId} | 204 | Remove an application |
Client/brand access (nested under an application)
| Method | Path | Code | Does |
|---|---|---|---|
GET | /v1/admin/external-applications/{oAuthAppId}/clients | 200 | List the clients/brands this application may access |
PUT | /v1/admin/external-applications/{oAuthAppId}/clients/{slug} | 200 | Grant (or update) access for one client/brand |
GET | /v1/admin/external-applications/{oAuthAppId}/clients/{slug} | 200 | Get one access grant |
DELETE | /v1/admin/external-applications/{oAuthAppId}/clients/{slug} | 204 | Revoke access for one client/brand |
Notes for operators
- Order. Register the application first; the client/brand it should access must already
exist before you grant it (
{slug}references an existing client). - Idempotent, and
PUTrestores. BothPUTroutes upsert. Re-PUT-ing a previously removed application or access grant silently re-activates it — the response does not flag that a deleted record was restored. - Delete is a soft-remove. Deleting something already removed (or absent) returns
404 GEN000000.