Airlock as a Service Knowledge Base

Integrate an OAuth 2.0 client

OAuth 2.0 clients are typically used for system-to-system communication (without user interaction). In Airlock SaaS, an OAuth 2.0 client grants access to the Airlock SaaS public API to perform specific actions on your tenants. Currently, supported actions include uploading and activating Airlock IAM configurations for the selected tenant.

This article explains how to create, edit, and delete OAuth 2.0 clients in the Airlock Console. It also shows how to authenticate with the API and use the client to perform supported actions on your tenants.


Managing OAuth 2.0 clients


Prerequisites

To create, edit, and delete OAuth 2.0 clients, you need the SaaS Administrator role. For details, see SaaS roles and permissions.


Creating an OAuth 2.0 client

  1. In the Airlock Console, go to:
    Administration >> OAuth 2.0 clients

  2. Click New OAuth 2.0 client to open the creation dialog.

  3. Enter the following information:

    • Name: Enter a descriptive name for the OAuth client.

    • Permissions: Select the actions the OAuth client is allowed to perform. Select at least one permission.
      Note that after the OAuth client is created, you cannot change its permissions.
      Currently (May 2026), the following permissions are available:

      • Config activate (non-production tenants only): Activate a configuration.

      • Config upload: Upload a configuration.

      • Vault edit: Create, edit, and delete secrets.

      • Vault view: View secrets.
        Additional permissions may be added in future releases.

    • Tenant access: Select at least one tenant this OAuth client can access.
      Note that you can change the tenant selection after the client is created.

  4. Click Save.
    ▶ The new OAuth client's credentials — i.e., Client ID and Client secret — are shown.

  5. Copy the credentials and store them securely.
    ▶ You need these credentials to access the Airlock as a Service public API.

    Notice
    Copy and store the client secret now. For security reasons, you cannot view it again later.

  6. Click Close.

The OAuth 2.0 client is created, and its settings are displayed.


Viewing and editing an existing OAuth 2.0 client

  1. In the Airlock Console, go to:
    Administration >> OAuth 2.0 clients

  2. Select the client in the OAuth 2.0 clients list.

The details dialog opens and shows the current settings, including the client name, client ID, granted permissions, and tenant access. If required, you can rename the client or change the tenant access.

Notice

The client secret and granted permissions cannot be changed.


Deleting an OAuth 2.0 client

  1. In the Airlock Console, go to:
    Administration >> OAuth 2.0 clients

  2. Select the client you want to delete in the OAuth 2.0 clients list.

  3. Click Delete.


Accessing the SaaS public API with an OAuth 2.0 client

You can use OAuth 2.0 clients to access the SaaS public API and perform granted actions on your tenants. To do so, the OAuth client must authenticate to the public API with an access token, which it obtains via the OAuth Client Credentials Grant flow, a standard mechanism for machine-to-machine authentication without user involvement.

This section first explains how to obtain the access token. It then shows how to authenticate to the SaaS public API and perform a granted action.

Notice

For more information about OAuth in general and about OAuth grant types, see the Airlock IAM documentation:


Step 1: Obtaining an access token

Prerequisite

The OAuth 2.0 client's ID and secret are available. The Airlock Console displayed these credentials when you created the OAuth 2.0 client.

Instructions
  1. Call the OAuth 2.0 token endpoint of the Loginapp REST API to obtain an access token for an OAuth 2.0 client.

  2. Include the OAuth 2.0 client's ID and secret in the request.

  3. Configure your POST request as follows:

    POST https://manage.airlock.cloud/login/rest/oauth2/authorization-servers/airlock-console/token
    Authorization: Basic {{oauth-client-id oauth-client-secret}}
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8

    grant_type = client_credentials &
    scope = CONFIG_ACTIVATE CONFIG_UPLOAD

Path to the OAuth 2.0 token endpoint
  • https://manage.airlock.cloud/login/rest/oauth2/authorization-servers/management-center/token

Request headers
  • Authorization: Specifies the authentication scheme. Use Basic authentication. Provide the OAuth 2.0 client ID and client secret as username and password (<oauth-client-id>:<oauth-client-secret>).

  • Accept: Specifies the accepted media types for the response. Use */* to accept any media type.

  • Content-Type: Specifies the request body format. Set to application/x-www-form-urlencoded; charset=utf-8.


Request body
  • grant_type: Must be client_credentials (OAuth Client Credentials Grant).

  • scope: Space-separated list of permissions granted to the OAuth 2.0 client. Supported scopes:

    • CONFIG_ACTIVATE : Activate a configuration.

    • CONFIG_UPLOAD : Upload a configuration.

    • VAULT_EDIT: Create, edit, and delete secrets.

    • VAULT_VIEW: View secrets.

The above POST request returns the following response:

{
  "access_token": "...",
  "scope": "CONFIG_ACTIVATE CONFIG_UPLOAD",
  "token_type": "Bearer",
  "expires_in": 180
}

access_token: This token is required to authenticate the OAuth 2.0 client with the SaaS public API. Store the token value for step 2.

Notice

The returned access_token is valid for 180 seconds (expires_in: 180).


Step 2: Accessing the SaaS public API to perform a granted action

After obtaining an access token, the OAuth 2.0 client can authenticate to the Airlock SaaS public API and perform the actions permitted by its granted scopes.

Instructions

Configure your POST request as follows:

POST https://manage.airlock.cloud/api/public/v1/tenants/{tenantId}/{granted-action} 
Authorization: Bearer {{access_token}}
Accept: application/json
Content-Type: application/json
X-Same-Domain: 1

Path to the endpoint in the SaaS public API
  • https://manage.airlock.cloud/api/public/v1/tenants/{tenantId}/{granted-action}

    • tenantId: Unique 6-character tenant identifier. To find it, open the Airlock Console and go to Administration >> Tenants, then open the tenant.
      ▶ The tenant ID is part of the URL — e.g., https://manage.airlock.cloud/ui/administration/tenants/1t6y75 (tenant ID: 1t6y75).

    • granted-action: Action to perform, e.g.:

      • configs to upload a new configuration for the tenant

      • config-activations to activate a configuration for the tenant
        For the current list of endpoints and actions, see the SaaS API reference.

Request headers
  • Authorization: OAuth 2.0 Bearer token used to authenticate to the SaaS public API. Set to Bearer <access_token>, where <access_token> is the token you obtained previously.

  • Accept and Content-Type: Define the response and request body formats. Set both to application/json, unless the SaaS API reference specifies otherwise.

  • x-xsrf-token: XSRF token used to mitigate cross-site request forgery (CSRF). Use the same token value for all write requests. You can use a fixed value (as in the example) or obtain it from any GET response and reuse it for subsequent POST requests.

  • Cookie: Must include an XSRF-TOKEN cookie whose value matches the x-xsrf-token header.

Notice

The full REST API is documented in the SaaS API reference.
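
Steps 1 and 2 combined into one client, as an added Python example (not Airlock's own code): it builds both requests with the URLs and headers from this article's request examples, checks the granted scopes, and reuses the token until shortly before expires_in elapses. The TokenCache class, its 15-second skew, and the payload argument are assumptions of this example; the request body for each action is defined in the SaaS API reference.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# URLs as written in this article's request examples.
TOKEN_URL = ("https://manage.airlock.cloud/login/rest/oauth2/"
             "authorization-servers/airlock-console/token")
API_BASE = "https://manage.airlock.cloud/api/public/v1/tenants"


def build_token_request(client_id, client_secret, scopes):
    """Step 1: Client Credentials Grant request (built, not sent)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    return urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Authorization": f"Basic {basic}", "Accept": "*/*",
                 "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"})


class TokenCache:
    """Assumed helper (not part of Airlock): reuses a token until shortly before expiry."""

    def __init__(self, fetch, scopes, skew=15, clock=time.monotonic):
        self._fetch, self._scopes = fetch, set(scopes)  # scopes the caller needs
        self._skew, self._clock = skew, clock
        self._token, self._deadline = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._deadline:
            resp = self._fetch()  # parsed JSON body of the token response
            granted = resp.get("scope")  # may be omitted when equal to the request
            missing = self._scopes - set(granted.split()) if granted else set()
            if resp.get("token_type", "").lower() != "bearer" or missing:
                raise PermissionError(f"unusable token; missing: {sorted(missing)}")
            self._token = resp["access_token"]
            self._deadline = self._clock() + resp["expires_in"] - self._skew
        return self._token


def build_api_request(token, tenant_id, action, payload):
    """Step 2: POST to /tenants/{tenantId}/{granted-action}, headers as in the article."""
    url = f"{API_BASE}/{urllib.parse.quote(tenant_id, safe='')}/{action}"
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json",
                 "Content-Type": "application/json", "X-Same-Domain": "1"})
```

For real calls, pass a fetch callable that sends build_token_request(...) with urllib.request.urlopen and returns the parsed JSON body. Load the client secret from a secret store or environment variable rather than from source code.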