Skip to main content

API clients

Manage API clients to authenticate API request

API credentials securely authenticates your application with IDnow. You can manage multiple clients and their credentials in the IDnow dashboard.

Each API client has a Client ID and a Client secret. Never share client secrets or store them in version control.**

Manage clients

  1. Log in to the IDnow dashboard at Loading....
  2. Go to Settings > Developer > API clients.

Create client

  1. Select New API client.
  2. Enter a descriptive name.
  3. Select an environment (Live or Staging). The environment cannot be changed after creation.
  4. Select permissions:
    • Read API resources (api.read)
    • Edit and create API resources (api.write)
    • Execute flows (flows.execute)
  5. Select Create API client.

Add allowed redirect URLs (optional)

To automatically redirect users at the end of a session when using this API client, you can configure one or more Allowed redirect URLs.

When a session is created via the Create a Session API call, the optional redirectUrl value provided in that call must be present in this allowlist. If it isn’t, the redirectUrl is rejected and won’t be stored/used for the session completion redirect.

  • Each URL must match exactly — wildcards are not supported.
  • Each redirect URL must be a fully qualified URI and include a valid scheme (for example https:// or an app deep link like myapp://).

Validation rules

  • Invalid URLs / deep links are rejected.
  • Duplicate URLs are rejected.

Save API client details

  1. Copy Client ID and Client secret securely.
  2. Confirm you have saved them.

Copy the client secret now. You won't see it again.
Lost secrets must be regenerated and updated in all apps.

Edit client

  1. Find your API client, select View details.
  2. Edit name, permissions, or regenerate client secret.

'Client ID' cannot be changed.

Regenerate secret

  1. Select Regenerate.
  2. Confirm and copy new secret.

Important: Old secret is revoked. Update all apps.

Delete client

  1. Find your API client and select the delete icon.
  2. Confirm deletion in the dialog.

This action cannot be undone. The client's access is immediately revoked. Update or disable all apps using this client before deletion.

Security best practices

  • Never share secrets.
  • Don't store secret in version control.
  • Use environment variables or secure storage.
  • Grant minimum permissions.
  • Remove unused clients.
  • Regenerate secrets periodically.
  • Use separate clients for each environment.
  • Test rotation before applying to Live.