OAuth 2.0 clients are typically used for system-to-system communication (without user interaction). In Airlock SaaS, an OAuth 2.0 client grants access to the Airlock SaaS public API to perform specific actions on your tenants. Currently, supported actions include uploading and activating Airlock IAM configurations for the selected tenant.
This article explains how to create, edit, and delete OAuth 2.0 clients in the Airlock Console. It also shows how to authenticate with the API and use the client to perform supported actions on your tenants.
Managing OAuth 2.0 clients
Prerequisites
To create, edit, and delete OAuth 2.0 clients, you need the SaaS Administrator role. For details, see SaaS roles and permissions.
Creating an OAuth 2.0 client
In the Airlock Console, go to:
Administration >> OAuth 2.0 clients
Click New OAuth 2.0 client to open the creation dialog.
Enter the following information:
Name: Enter a descriptive name for the OAuth client.
Permissions: Select the actions the OAuth client is allowed to perform. Select at least one permission.
Note that after the OAuth client is created, you cannot change its permissions.
Currently (May 2026), the following permissions are available:
Config activate (non-production tenants only): Activate a configuration.
Config upload: Upload a configuration.
Vault edit: Create, edit, and delete secrets.
Vault view: View secrets.
Additional permissions may be added in future releases.
Tenant access: Select at least one tenant this OAuth client can access.
Note that you can change the tenant selection after the client is created.
Click Save.
▶ The new OAuth client's credentials — i.e., Client ID and Client secret — are shown.
Copy the credentials and store them securely.
▶ You need these credentials to access the Airlock as a Service public API.
Notice
Copy and store the client secret now. For security reasons, you cannot view it again later.
Click Close.
The OAuth 2.0 client is created, and its settings are displayed.
Viewing and editing an existing OAuth 2.0 client
In the Airlock Console, go to:
Administration >> OAuth 2.0 clients
Select the client in the OAuth 2.0 clients list.
The details dialog opens and shows the current settings, including the client name, client ID, granted permissions, and tenant access. If required, you can rename the client or change the tenant access.
Notice
The client secret and granted permissions cannot be changed.
Deleting an OAuth 2.0 client
In the Airlock Console, go to:
Administration >> OAuth 2.0 clients
Select the client you want to delete in the OAuth 2.0 clients list.
Click Delete.
Accessing the SaaS public API with an OAuth 2.0 client
You can use the OAuth 2.0 clients to access the SaaS public API and perform granted actions on your tenants. To be able to do so, the OAuth client must authenticate to the public API using an access token, which is obtained via the OAuth Client Credentials Grant flow - a standard mechanism for machine-to-machine authentication without user involvement.
This section first explains how to obtain the access token. It then shows how to authenticate to the SaaS public API and perform a granted action.
Notice
For more information about OAuth in general and about OAuth grant types, see the Airlock IAM documentation:
Step 1: Obtaining an access token
Prerequisite
The OAuth 2.0 client's ID and secret are available. These credentials were provided by the Airlock Console when you created the OAuth 2.0 client.
Instructions
Call the OAuth 2.0 token endpoint of the Loginapp REST API to obtain an access token for an OAuth 2.0 client.
Include the OAuth 2.0 client's ID and secret in the request.
Configure your POST request as follows:
POST https://manage.airlock.cloud/login/rest/oauth2/authorization-servers/airlock-console/token
Authorization: Basic {{oauth-client-id oauth-client-secret}}
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=utf-8
grant_type = client_credentials &
scope = CONFIG_ACTIVATE CONFIG_UPLOAD
Path to the OAuth 2.0 token endpoint
https://manage.airlock.cloud/login/rest/oauth2/authorization-servers/management-center/token
Request headers
Authorization: Specifies the authentication scheme. Use Basic authentication. Provide the OAuth 2.0 client ID and client secret as username and password (<oauth-client-id>:<oauth-client-secret>).
Accept: Specifies the accepted media types for the response. Use */* to accept any media type.
Content-Type: Specifies the request body format. Set to application/x-www-form-urlencoded; charset=utf-8.
Request body
grant_type: Must be client_credentials (OAuth Client Credentials Grant).
scope: Space-separated list of permissions granted to the OAuth 2.0 client. Supported scopes:
CONFIG_ACTIVATE: Activate a configuration.
CONFIG_UPLOAD: Upload a configuration.
VAULT_EDIT: Create, edit, and delete secrets.
VAULT_VIEW: View secrets.
The above POST request returns the following response:
{
"access_token": "...",
"scope": "CONFIG_ACTIVATE CONFIG_UPLOAD",
"token_type": "Bearer",
"expires_in": 180
}
access_token: This token is required to authenticate the OAuth 2.0 client with the SaaS public API. Store the token value for step 2.
Notice
The returned access_token is valid for 180 seconds (expires_in: 180).
Step 2: Accessing the SaaS public API to perform a granted action
After obtaining an access token, the OAuth 2.0 client can authenticate to the Airlock SaaS public API and perform the actions permitted by its granted scopes.
Instructions
Configure your POST request as follows:
POST https://manage.airlock.cloud/api/public/v1/tenants/{tenantId}/{granted-action}
Authorization: Bearer {{access_token}}
Accept: application/json
Content-Type: application/json
X-Same-Domain: 1
Path to the endpoint in the SaaS public API
https://manage.airlock.cloud/api/public/v1/tenants/{tenantId}/{granted-action}
tenantId: Unique 6-character tenant identifier. To find it, open the Airlock Console and go to Administration >> Tenants, then open the tenant.
▶ The tenant ID is part of the URL — e.g., https://manage.airlock.cloud/ui/administration/tenants/1t6y75 (tenant ID: 1t6y75).
granted-action: Action to perform, e.g.:
configs to upload a new configuration for the tenant
config-activations to activate a configuration for the tenant
For the current list of endpoints and actions, see the SaaS API reference.
Request headers
Authorization: OAuth 2.0 Bearer token used to authenticate to the SaaS public API. Set to Bearer <access_token>, where <access_token> is the token you obtained previously.
Accept and Content-Type: Define the response and request body formats. Set both to application/json, unless the SaaS API reference specifies otherwise.
x-xsrf-token: XSRF token used to mitigate cross-site request forgery (CSRF). Use the same token value for all write requests. You can use a fixed value (as in the example) or obtain it from any GET response and reuse it for subsequent POST requests.
Cookie: Must include an XSRF-TOKEN cookie whose value matches the x-xsrf-token header.
Notice
The full REST API is documented in the SaaS API reference.
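Steps 1 and 2 combined in a Python sketch, added here as an example and not taken from the Airlock documentation or API reference. It builds the Basic-authenticated token request, checks that the returned scope covers what the job needs, and refuses to send an API call with a token that is at or near its 180-second expiry. The function names, the 30-second renewal margin and the JSON payload are assumptions; URLs and headers are those of the request examples above.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# URLs taken from the request examples on this page.
TOKEN_URL = "https://manage.airlock.cloud/login/rest/oauth2/authorization-servers/airlock-console/token"
API_BASE = "https://manage.airlock.cloud/api/public/v1/tenants"
# Constructed sample token response (same shape as the one shown in step 1).
SAMPLE_RESPONSE = '{"access_token": "constructed-token", "scope": "CONFIG_ACTIVATE CONFIG_UPLOAD", "token_type": "Bearer", "expires_in": 180}'

def build_token_request(client_id, client_secret, scopes, token_url=TOKEN_URL):
    """Step 1: client credentials request, client authenticated via HTTP Basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return urllib.request.Request(token_url, data=body.encode(), method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"})

def parse_token_response(raw, required_scopes, now=None, margin=30):
    """Check the response and work out when the token must be replaced."""
    data = json.loads(raw)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    missing = set(required_scopes) - set(data.get("scope", "").split())
    if missing:  # the client was not granted everything this job needs
        raise PermissionError(f"token lacks scopes: {sorted(missing)}")
    now = time.time() if now is None else now
    # Renew `margin` seconds before expiry so no request leaves with a stale token.
    return {"access_token": data["access_token"], "refresh_at": now + int(data["expires_in"]) - margin}

def build_api_request(token, tenant_id, action, payload, now=None):
    """Step 2: POST with the Bearer token; refuses a token past its renewal time."""
    now = time.time() if now is None else now
    if now >= token["refresh_at"]:
        raise TimeoutError("access token expired or about to expire; request a new one")
    url = f"{API_BASE}/{urllib.parse.quote(tenant_id, safe='')}/{urllib.parse.quote(action, safe='')}"
    # The body format is an assumption: pass whatever the SaaS API reference specifies.
    return urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST", headers={
        "Authorization": f"Bearer {token['access_token']}",
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-Same-Domain": "1"})

if __name__ == "__main__":
    token = parse_token_response(SAMPLE_RESPONSE, ["CONFIG_UPLOAD"])
    print(build_api_request(token, "1t6y75", "configs", {}).full_url)
```

To send either request, pass the returned object to urllib.request.urlopen and feed the token response body to parse_token_response. Read the client secret from a secret store or environment variable rather than hard-coding it.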