Public clients such as native and mobile apps cannot keep a client secret confidential. When you use OAuth 2.0 for native and mobile apps, an app ID is generated for the client, and Proof Key for Code Exchange (PKCE) provides the additional verification that a client secret would otherwise give.

PKCE is a technique to secure public clients that don't use a client secret. See this blog for more information about using PKCE with mobile apps.
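The PKCE exchange the paragraph above refers to, as an added example that is not part of this page or its product: the client creates a random code verifier, sends only its SHA-256 challenge in the authorization request, and presents the verifier at the token endpoint, where the server recomputes the challenge and compares. The endpoint URL, app ID and redirect URI are assumed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed placeholder; substitute the authorization server's real endpoint.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the RFC 7636 minimum (max is 128).
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(app_id: str, redirect_uri: str, scopes: list[str],
                        code_challenge: str, state: str) -> str:
    # Only the challenge leaves the device; the verifier stays in app memory.
    params = {
        "response_type": "code",
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def token_request_body(app_id: str, redirect_uri: str, code: str,
                       code_verifier: str) -> dict[str, str]:
    # Form fields the client POSTs to the token endpoint; no client secret is needed.
    return {"grant_type": "authorization_code", "client_id": app_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": code_verifier}


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    # Authorization-server side: the verifier must hash to the challenge it
    # stored with the authorization code. A stolen code alone cannot pass this.
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))
```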

Prerequisites

Procedure

  1. Click your user name and select View Organization > OAuth Apps, and then click Create New OAuth App.
  2. Select Native/Mobile app and click Continue.
  3. Register your app by entering the app details.
    Enter at least one redirect URI. After a user authorizes your client, the authorization server redirects the user back to your client at the URI you specified, along with an access token. It is best practice to add more than one URI. Use the format http://acme.com. Then specify a time span for your access token. If you want your access token to authorize requests continuously, issue a refresh token.
  4. Define scopes.
    Scopes let you control which areas of your organization your client can access: specifically, which of your services and at what level of permission.
  5. Select the OpenID check box to get information about the users that authorize your app.
  6. Click Create to generate the client credentials.
  7. Copy the app ID or download a JSON file that contains the app ID. You are responsible for storing these credentials in a safe place.
  8. Click Continue.

What to do next

Paste the credentials into your script.