Skip to main content

Admin endpoints — external applications

Registers OAuth2 applications and controls which clients/brands each one may access. Auth: Entra ID JWT bearer with the ADMIN role. The formal schema is on the API Reference.

Applications

MethodPathCodeDoes
GET/v1/admin/external-applications200List all applications
PUT/v1/admin/external-applications/{oAuthAppId}200Create or update an application
GET/v1/admin/external-applications/{oAuthAppId}200Get one application
DELETE/v1/admin/external-applications/{oAuthAppId}204Remove an application

Client/brand access (nested under an application)

MethodPathCodeDoes
GET/v1/admin/external-applications/{oAuthAppId}/clients200List the clients/brands this application may access
PUT/v1/admin/external-applications/{oAuthAppId}/clients/{slug}200Grant (or update) access for one client/brand
GET/v1/admin/external-applications/{oAuthAppId}/clients/{slug}200Get one access grant
DELETE/v1/admin/external-applications/{oAuthAppId}/clients/{slug}204Revoke access for one client/brand

Notes for operators

  • Order. Register the application first; the client/brand it should access must already exist before you grant it ({slug} references an existing client).
  • Idempotent, and PUT restores. Both PUT routes upsert. Re-PUT-ing a previously removed application or access grant silently re-activates it — the response does not flag that a deleted record was restored.
  • Delete is a soft-remove. Deleting something already removed (or absent) returns 404 GEN000000.