You create a service client to enable a single application to register with Workspace ONE Access services to allow user access to applications. A service client token indicates that the application accesses the APIs on its own behalf, not on behalf of a user.

Note: For Workspace ONE Access 22.09 on premises release, see Create OAuth 2 User Access Clients for Single Catalog Resource (On Premises only).


  1. In the Workspace ONE Access console Settings > OAuth 2.0 Management page, click ADD CLIENT.
  2. In the Add Client page, configure the following.
    Label Description
    Access Type Options are User Access Token or Service Client Token. Select Service Client Token. The type of service client indicates that the application accesses the APIs on its own behalf, not on behalf of a user.
    Client ID To authenticate to Workspace ONE Access, enter a unique client identifier for the application to use.

    The client id must not match any client id in your tenant. The following characters can be used, alphanumeric (A-Z, a-z, 0-9) period (.), underscore (_), and hyphen (-) and at sign (@), and no more than 256 characters long.

    You use the client ID when authenticating.

    Scope For Service Client Token, the scope is Admin. You cannot change it.
    Access token time-to-live (TTL) The access token expires in the number of seconds set in Access Token Time-To-Live. If Issue Refresh Token is enabled, when the access token expires, the application uses a refresh token to request a new access token.
    Idle Token TTL Configure how long a refresh token can be idle before it cannot be used again.
    Token Type For Workspace ONE Access, the token type is Bearer Token.
  3. Click SAVE.
    The client page is refreshed and Client ID and hidden shared secret are displayed.
  4. Copy and save the client ID and generated shared secret. You add this information when you configure the application.

    The client secret must be kept confidential. If a deployed application cannot keep the secret confidential, then the secret is not used. The shared secret is not used with Web browser-based applications.

    Note: The shared secret is not saved. If you loose the secret code, you must generate a new secret, and update the app that uses the same shared secret with the regenerated secret.

    To regenerate a secret, select the client ID that requires a new secret from the OAuth 2.0 Management page and click REGENERATE SECRET.