OAuth client
The API Access screen lets administrators configure OAuth clients that allow external systems to authenticate against your wallet using the OAuth 2.0 Client Credentials flow.
Each client has its own client ID, a set of permissions, an expiry date, and optional notes — so you can grant different integrating parties exactly the access they need, for as long as they need it.
What you can do
- Add an OAuth client to grant an external system access to your wallet
- Edit an OAuth client to update its permissions, expiry date, or notes
- Delete an OAuth client to revoke access
Navigate to API Access
Go to Settings → API access.
The screen has two tabs:
- OAuth2 API access — OAuth clients (covered on this page)
- API key API access — simple Bearer-token API keys (see API keys)
The OAuth2 API access table lists all configured OAuth clients. Each row shows:
| Column | Description |
|---|---|
| Client ID | The unique identifier used during OAuth authentication |
| Roles | The permissions assigned to this client |
| Expiry date | The date after which this client is rejected |
| Notes | Optional context about the integrating party |
The Wallet external key is shown at the bottom of the screen — this value is part of the client ID and is used to scope the OAuth token to your wallet.
You need the API access (View) permission to view this screen, and API access (Change) to add, edit, or delete OAuth clients.
Add an OAuth client
Click Add API client in the top right of the screen. The Add API client dialog opens.
Fill in the fields:
Client ID (required)
A unique identifier for this client. Choose something meaningful, such as the name of the integrating party or its purpose (e.g. acme-backend or reporting-service). This value cannot be changed after creation.
Expiry date (required)
The date on which this client expires. Defaults to one year from today. After the expiry date, the client can no longer obtain tokens.
Notes (optional)
Free-text field to record context about the client, such as the integrating party's name, contact person, or purpose.
Permissions
Select which permissions to assign to this client using the permissions grid. Each row represents a resource (such as Holder credentials, Identifier, Trusted contacts, Issue credentials, API access, Wallet, …) and has two checkboxes:
- Change — grants full create/read/update/delete access for the resource (and implicitly selects View)
- View — grants read-only access; can be selected independently
A few resources only have a Change column (for example Send Invoices and Audit trail) because read-only access is not meaningful for them.
Click Save to create the client. A dialog appears showing the generated client secret.
The client secret is only shown once. Store it securely — it cannot be retrieved afterwards.
The new OAuth client now appears in the list.
Edit an OAuth client
Click the pencil icon on any row to edit an OAuth client.
You can update the expiry date, notes, and permissions. The client ID cannot be changed.
Click Save to apply the changes.
Delete an OAuth client
Click the trash icon on any row. A confirmation dialog appears.
Click Yes to permanently revoke access for this OAuth client.
Authenticate using an OAuth client
Use the token endpoint shown at the bottom of the OAuth2 API access tab to obtain an access token via the OAuth 2.0 Client Credentials flow.
Example request:
```
POST {token-endpoint}
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=wallet-{wallet-external-key}-{your-client-id}
&client_secret={your-client-secret}
```
The returned access_token can then be passed as a Bearer token in API requests to your wallet.
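A client for the request above, written as an added example that is not part of the original documentation. The environment variable name `WALLET_CLIENT_SECRET`, the function names, the 60-second fallback lifetime, and a JSON response carrying `expires_in` (as defined in RFC 6749) are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request


def build_token_request(token_endpoint, wallet_external_key, client_id, client_secret):
    """Build the Client Credentials POST described above without sending it."""
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https: the secret travels in the body")
    form = {
        "grant_type": "client_credentials",
        # Full client ID format from the page: wallet-{wallet-external-key}-{your-client-id}
        "client_id": f"wallet-{wallet_external_key}-{client_id}",
        "client_secret": client_secret,
    }
    # urlencode percent-escapes characters such as '+', '&' and '=' in the secret.
    body = urllib.parse.urlencode(form).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_endpoint, data=body, method="POST", headers=headers)


def parse_token_response(raw, now=None):
    """Return (access_token, expiry_epoch) from a JSON token response."""
    payload = json.loads(raw)
    if "access_token" not in payload:
        # Report only the error code; never echo the request or the secret.
        raise RuntimeError(f"token request failed: {payload.get('error', 'unknown')}")
    now = time.time() if now is None else now
    # expires_in is optional in RFC 6749; assume a short lifetime when it is absent.
    lifetime = int(payload.get("expires_in", 60))
    return payload["access_token"], now + lifetime


def fetch_token(token_endpoint, wallet_external_key, client_id):
    """Fetch a token; the secret comes from the environment, not from source code."""
    secret = os.environ["WALLET_CLIENT_SECRET"]  # hypothetical variable name
    req = build_token_request(token_endpoint, wallet_external_key, client_id, secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


def bearer_header(access_token):
    """Authorization header for subsequent API requests to the wallet."""
    return {"Authorization": f"Bearer {access_token}"}
```

Cache the returned token until shortly before its expiry time instead of requesting a new one per API call, so the client secret is sent as rarely as possible.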