To enable a single application to register with Workspace ONE Access services so that users can access the application, create a user access token client.

Note: For the Workspace ONE Access 22.09 on-premises release, see Create OAuth 2 User Access Clients for Single Catalog Resource (On Premises only).

Registering the details of the application identifies the application as a trusted client for the OAuth service.

You register the client ID, client secret, and redirect URI with the Workspace ONE Access service.


  1. In the Workspace ONE Access console Settings > OAuth 2.0 Management page, click ADD CLIENT.
  2. In the Add Client page, configure the following.
    | Label | Description |
    |---|---|
    | Access Type | Options are to create either a User Access Token or a Service Client Token. Set to User Access Token. |
    | Client ID | Enter a unique client identifier for the application. The client ID is used to authenticate to Workspace ONE Access. The client ID must not match any client ID in your tenant. The following characters can be used: alphanumeric (A-Z, a-z, 0-9), period (.), underscore (_), hyphen (-), and at sign (@). The client ID can be no more than 256 characters long. |
    | Redirect URI | Enter the registered redirect URI. Enter as<br>You can use a comma separated list to add more than one redirect URL. |
    | Scope | The scope defines which part of the user's account the token can access. Select one or more identity scopes that you want as part of the OAuth 2.0 authorization request. |
    | Issue refresh token | To allow for the return of a refresh token, leave this option enabled. |
    | Refresh Token TTL | Set the Refresh Token time to live value. New access tokens can be requested until the refresh token expires. See Managing OAuth 2.0 Clients in Workspace ONE Access (Cloud only). |
    | Access token time-to-live (TTL) | The access token expires in the number of seconds set in Access Token Time-To-Live. If Issue Refresh Token is enabled, when the access token expires, the application uses the refresh token to request a new access token. |
    | Idle Token TTL | Configure how long a refresh token can be idle before it cannot be used again. |
    | Token Type | For Workspace ONE Access, the token type is Bearer Token. |
    | User Grant | Prompt users for scope acceptance is enabled. Users are shown a message that lists the scopes that are being sent. |
  3. Click SAVE.
    The client page is refreshed and the Client ID and the hidden Shared Secret are displayed.
  4. Copy and save the client ID and generated shared secret. You add this information when you configure the application.

    The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, then the secret is not used. The shared secret is not used with Web browser-based applications.

    Note: The shared secret is not saved. If you lose the secret code, you must generate a new secret and update the app that uses the same shared secret with the regenerated secret.

    To regenerate a secret, click the client ID that requires a new secret from the OAuth 2.0 Management page and click REGENERATE SECRET.

What to do next

In the resource application, configure the client ID and the generated shared secret. See the application documentation.
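
The Client ID rule and the three token lifetimes in the Add Client table can be checked before you register the client. The following is an added example, not VMware code: the function names, the sample values, the use of seconds for all three TTLs, and the exact expiry boundaries are assumptions. It validates a planned client ID against the stated character rules and models what the application must do as each lifetime runs out.

```python
import re
from dataclasses import dataclass

# Client ID rule from the table: A-Z, a-z, 0-9, ".", "_", "-", "@"; at most 256 characters.
CLIENT_ID_RE = re.compile(r"[A-Za-z0-9._@-]{1,256}")

def valid_client_id(client_id: str) -> bool:
    """True if the planned client ID uses only the allowed characters and length."""
    return CLIENT_ID_RE.fullmatch(client_id) is not None

@dataclass
class ClientSettings:
    access_ttl: int              # Access Token TTL, in seconds (per the table)
    refresh_ttl: int             # Refresh Token TTL; seconds is an assumption here
    idle_ttl: int                # Idle Token TTL; seconds is an assumption here
    issue_refresh: bool = True   # "Issue refresh token" option

def next_step(cfg, now, access_issued, refresh_issued, refresh_last_used):
    """What the application must do at time `now` (all times in epoch seconds).

    Assumption: a lifetime is over once `now` reaches issue time + TTL, and
    idleness is counted from the last time the refresh token was used.
    """
    if now < access_issued + cfg.access_ttl:
        return "use_access_token"
    if not cfg.issue_refresh:
        return "reauthenticate: no refresh token issued"
    if now >= refresh_issued + cfg.refresh_ttl:
        return "reauthenticate: refresh token expired"
    if now - refresh_last_used >= cfg.idle_ttl:
        return "reauthenticate: refresh token idle too long"
    return "refresh_access_token"

if __name__ == "__main__":
    DAY = 86400
    # Constructed sample settings: 1 hour access, 30 day refresh, 5 day idle.
    cfg = ClientSettings(access_ttl=3600, refresh_ttl=30 * DAY, idle_ttl=5 * DAY)
    print(valid_client_id("hr-portal@example.com"), valid_client_id("hr portal"))
    for now in (1800, 2 * 3600, 6 * DAY):
        print(now, next_step(cfg, now, 0, 0, 0))
```

A short Idle Token TTL limits how long an unused refresh token stays usable, independent of the overall Refresh Token TTL.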