Managing Applications
Applications in Signia represent OAuth2/OIDC clients that can authenticate users. Each application has its own client ID, redirect URIs, and configuration.
Creating an Application
1. Navigate to Applications
From the dashboard, click OAuth2/OIDC Applications in the sidebar.
2. Click "Add Application"
Click the Add Application button in the top-right.
3. Fill in Application Details
Required Fields:
- Application Name
  - User-friendly name for your app
  - Example: "My Web App", "Mobile App", "Admin Portal"
- Login Redirect URL
  - Where users are sent after successful login
  - Must match exactly in your application code
  - Example: http://localhost:5173/oidc-callback
The redirect URI must match exactly, including protocol, domain, port, and path. Any mismatch will cause authentication to fail.
Examples:
# Development
http://localhost:5173/oidc-callback
http://localhost:3000/auth/callback
# Production
https://myapp.com/oidc-callback
https://app.example.com/auth/callback
# Mobile (deep linking)
myapp://oidc-callback
4. Save and Get Credentials
After clicking Create, you'll receive:
- Client ID - Your application's unique identifier, for example 5190b937-5392-4eab-984e-ac0cb0fc0c9a
- Client Secret - For backend applications (shown once), for example sk_live_abc123...
The client secret is only shown once. Copy it immediately and store it securely. If lost, you'll need to regenerate it.
Application Configuration
Basic Settings
Application Name
- Display name shown to users during login
- Can be updated anytime
Description
- Optional description for internal reference
- Not shown to users
Status
- Active - Application can authenticate users
- Disabled - Authentication blocked, existing sessions remain valid
- Archived - Application hidden from list (can be restored)
Redirect URIs
You can configure multiple redirect URIs for different environments:
# Development
http://localhost:5173/oidc-callback
# Staging
https://staging.myapp.com/oidc-callback
# Production
https://myapp.com/oidc-callback
Add separate redirect URIs for development, staging, and production. Your application code can dynamically choose the correct one based on the environment.
Allowed Scopes
Control what information your application can access:
- openid - Required for OIDC (always granted)
- profile - Access to user profile (name, etc.)
- email - Access to user email address
- offline_access - Ability to get refresh tokens
Example Configuration:
✅ openid
✅ profile
✅ email
❌ offline_access
Token Lifetime
Configure how long tokens remain valid:
- Access Token - Default: 1 hour
  - Used for API authentication
  - Short-lived for security
- ID Token - Default: 1 hour
  - Contains user identity claims
  - Validated on client side
- Refresh Token - Default: 30 days
  - Used to get new access tokens
  - Only available with the offline_access scope
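As an added example (not Signia SDK code), the client-side check of an ID token's claims against the lifetime and identity settings above; the issuer URL and client ID are the sample values from this page, and signature verification against the issuer's keys is assumed to have already been done by the SDK before these checks run:

```javascript
// Added example, not from the Signia SDK: validate the claims of an ID token the way a
// client should before trusting it. Signature verification against the issuer's JWKS is
// assumed to have happened already (hypothetical earlier step, not shown here).
const ISSUER = 'https://tenant.signiaauth.com';           // issuer from the app config
const CLIENT_ID = '5190b937-5392-4eab-984e-ac0cb0fc0c9a'; // client ID from the dashboard
const CLOCK_SKEW_SECONDS = 60;                            // assumed tolerance for clock drift

// Decode the JWT payload (second dot-separated segment, base64url-encoded JSON).
function decodePayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns { ok, errors } so every failed check is visible to the caller.
function validateIdTokenClaims(claims, { expectedNonce, now = Math.floor(Date.now() / 1000) } = {}) {
  const errors = [];
  if (claims.iss !== ISSUER) errors.push('iss mismatch');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(CLIENT_ID)) errors.push('aud does not contain client_id');
  if (aud.length > 1 && claims.azp !== CLIENT_ID) errors.push('azp required with multiple audiences');
  // exp is the 1-hour default lifetime applied at issuance; reject once it has passed (plus skew).
  if (typeof claims.exp !== 'number' || now > claims.exp + CLOCK_SKEW_SECONDS) errors.push('token expired');
  if (typeof claims.iat !== 'number' || claims.iat > now + CLOCK_SKEW_SECONDS) errors.push('iat in the future');
  // The nonce ties the token to the login request that started this session.
  if (expectedNonce !== undefined && claims.nonce !== expectedNonce) errors.push('nonce mismatch');
  return { ok: errors.length === 0, errors };
}

// Constructed sample token with the page's default 1-hour ID token lifetime (unsigned placeholder).
function buildSampleToken(issuedAt, overrides = {}) {
  const payload = { iss: ISSUER, aud: CLIENT_ID, sub: 'user-123', iat: issuedAt,
                    exp: issuedAt + 3600, nonce: 'n-1', ...overrides };
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.signature-placeholder`;
}
```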
Application Types
Single Page Application (SPA)
Examples: React, Vue, Angular
Configuration:
- ✅ Public client (no client secret)
- ✅ PKCE required
- ✅ Multiple redirect URIs
- ❌ Client credentials flow
// Example configuration
import { SigniaAuthProvider } from '@getsignia/signia-auth-ui-react';

<SigniaAuthProvider config={{
  clientId: 'YOUR_CLIENT_ID',
  redirectUri: 'http://localhost:5173/oidc-callback',
  issuer: 'https://tenant.signiaauth.com',
  scopes: ['openid', 'profile', 'email']
}}>
  <App />
</SigniaAuthProvider>
Web Application (Server-Side)
Examples: Next.js, Express, Django
Configuration:
- ✅ Confidential client (has client secret)
- ✅ PKCE recommended
- ✅ Token refresh
- ✅ Server-side token exchange
// Example configuration
const oidcClient = new OIDCClient({
  clientId: 'YOUR_CLIENT_ID',
  clientSecret: 'YOUR_CLIENT_SECRET', // Server-side only
  redirectUri: 'http://localhost:3001/auth/callback',
  issuer: 'https://tenant.signiaauth.com',
  scopes: ['openid', 'profile', 'email']
});
Mobile Application
Examples: React Native, Flutter
Configuration:
- ✅ Public client (no client secret)
- ✅ PKCE required
- ✅ Custom URL scheme for deep linking
- ✅ Biometric authentication support
// Example configuration (Flutter)
final oidcClient = OIDCClient(
  clientId: 'YOUR_CLIENT_ID',
  redirectUri: 'myapp://oidc-callback', // Deep link
  issuer: 'https://tenant.signiaauth.com',
  scopes: ['openid', 'profile', 'email'],
);
Native Desktop Application
Examples: Electron, Tauri
Configuration:
- ✅ Public client
- ✅ PKCE required
- ✅ Localhost redirect URI
- ✅ System browser for login
Managing Existing Applications
Editing an Application
- Click on the application name in the list
- Update the desired fields
- Click Save Changes
What you can update:
- Application name
- Description
- Redirect URIs
- Allowed scopes
- Token lifetimes
- Status (active/disabled)
What you cannot update:
- Client ID (permanent)
- Creation date
- Tenant assignment
Regenerating Client Secret
If your client secret is compromised:
- Open the application details
- Click Regenerate Secret in the credentials section
- Confirm the action
- Copy the new secret immediately
- Update your application code with the new secret
Regenerating the secret will immediately invalidate the old one. Update your application code before regenerating to avoid downtime.
Viewing Application Usage
See authentication metrics for your application:
- Total logins - Number of successful authentications
- Active users - Users who logged in recently
- Failed attempts - Authentication failures
- Last login - Most recent successful login
Disabling an Application
Temporarily disable authentication:
- Open the application details
- Change status to Disabled
- Click Save Changes
Effects:
- ✅ New login attempts are blocked
- ✅ Existing sessions remain valid
- ✅ Can be re-enabled anytime
- ✅ Configuration preserved
Deleting an Application
Permanently remove an application:
- Open the application details
- Scroll to Danger Zone
- Click Delete Application
- Confirm by typing the application name
- Click Delete Permanently
Deleting an application cannot be undone. All configuration, credentials, and usage history will be lost. Active sessions will be invalidated.
Security Best Practices
1. Use HTTPS in Production
# ❌ Insecure
http://myapp.com/oidc-callback
# ✅ Secure
https://myapp.com/oidc-callback
2. Validate Redirect URIs
Only add redirect URIs you control:
# ✅ Your domain
https://myapp.com/oidc-callback
# ❌ Third-party domain
https://evil-site.com/steal-tokens
3. Protect Client Secrets
- ❌ Never commit secrets to version control
- ❌ Never expose secrets in frontend code
- ✅ Use environment variables
- ✅ Store in secure secret management systems
4. Use Minimal Scopes
Only request scopes your application needs:
// ✅ Minimal - only what's needed
scopes: ['openid', 'email']
// ❌ Excessive - requesting unnecessary data
scopes: ['openid', 'profile', 'email', 'offline_access']
5. Rotate Secrets Regularly
- Regenerate client secrets every 90 days
- Update immediately if compromise suspected
- Maintain audit logs of secret changes
Troubleshooting
"Invalid redirect URI" error
Cause: Redirect URI mismatch
Solution:
- Check the redirect URI in your code
- Compare with configured URI in dashboard
- Ensure exact match (protocol, domain, port, path)
// Code
redirectUri: 'http://localhost:5173/oidc-callback'
// Dashboard
http://localhost:5173/oidc-callback // ✅ Match
http://localhost:5173/callback // ❌ Different path
https://localhost:5173/oidc-callback // ❌ Different protocol
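As an added example that is not Signia's own validation code, this is the kind of exact-match check an authorization server applies to a requested redirect_uri against the URIs registered for the application; it covers both the redirect URI rules in "Creating an Application" and the mismatch cases listed just above. The registered list is constructed from this page's sample URIs:

```javascript
// Added example, not from Signia: decide whether a redirect_uri from an authorization
// request is allowed. Each URI component must match a registered URI exactly; prefix or
// wildcard matching is never used. Only default ports (80/443) are treated as equivalent
// to their absence, which is how the WHATWG URL parser normalises them.
const registeredRedirectUris = [ // constructed sample of URIs registered in the dashboard
  'http://localhost:5173/oidc-callback',
  'https://myapp.com/oidc-callback',
  'myapp://oidc-callback',
];

// Parse into comparable components; unparseable URIs and URIs with a fragment are rejected
// outright (RFC 6749 3.1.2: redirect URIs must not contain a fragment).
function normalise(uri) {
  let u;
  try { u = new URL(uri); } catch { return null; }
  if (u.hash) return null;
  return { protocol: u.protocol, host: u.host, pathname: u.pathname, search: u.search };
}

function isRegisteredRedirectUri(requested, registered = registeredRedirectUris) {
  const r = normalise(requested);
  if (!r) return false;
  return registered.some((allowed) => {
    const a = normalise(allowed);
    return a !== null && a.protocol === r.protocol && a.host === r.host &&
           a.pathname === r.pathname && a.search === r.search;
  });
}
```

Because the parser resolves dot segments, a path such as /oidc-callback/../other compares as /other and is refused like any other path mismatch.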
"Invalid client" error
Cause: Incorrect client ID or secret
Solution:
- Verify client ID matches exactly
- Check client secret (backend apps)
- Ensure application is active
Users can't log in
Cause: Application disabled or deleted
Solution:
- Check application status in dashboard
- Ensure status is Active
- Check that application hasn't been deleted
Next Steps
- Managing Users - User administration
- Quick Start Guide - Integrate your application
- React SDK - Frontend integration