You can create a client to enable a single application to register with Workspace ONE Access services to allow user access to a specific application.

Registering the details of the application identifies the application as a trusted client for the OAuth service.

You register the client ID, client secret, and a redirect URI with Workspace ONE Access service.


  1. In the Workspace ONE Access console Catalog tab, select Settings > Remote App Access.
  2. On the Clients page, click Create Client.
  3. On the Create Client page, enter the following information about the application.
    Label Description
    Access Type Options are User Access Token or Service Client Token. Set to Service Client Token. This indicates that the application accesses the APIs on its own behalf, not on behalf of a user.
    Client ID Enter a unique client identifier for the application to use to authenticate to Workspace ONE Access. The client id must not match any client id in your tenant. The following characters can be used, alphanumeric (A-Z, a-z, 0-9) period (.), underscore (_), and hyphen (-) and at sign (@).
    Application Select Identity Manager.
    Scope Select the information that the token contains. When you select NAAPS, OpenID is also selected.
    Redirect URI Enter the registered redirect URI.
    Advanced Section Click Advanced.
    Shared Secret Click Generate Shared Secret to generate a secret that is shared between this service and the application resource service.

    Copy and save the client secret to configure in the application setup.

    The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, then the secret is not used. The shared secret is not used with Web browser-based applications.

    Issue Refresh Token

    To use refresh tokens, leave this option enabled.

    Token Type Select Bearer. This attribute tells the application what type of access token it was given. For Workspace ONE Access, the tokens are bearer tokens.
    Access Token TTL The access token expires in the number of seconds set in Access Token Time-To-Live. If Issue Refresh Token is enabled, when the access token expires, the application uses the refresh token to request a new access token.
    Refresh Token TTL Set the Refresh Token time to live. New access tokens can be requested until the refresh token expires.
    Idle Token TTL Configure how long a refresh token can be idle before it cannot be used again.
    User Grant Do not check Prompt users for access.
  4. Click Add.


The client configuration is displayed on the OAuth2 Client page.

What to do next

In the resource application, configure the Client ID and the generated shared secret. See the application documentation.