Client Registration
Before your website can use "Sign in with SeloraX", you need to register an OAuth client. This gives you a client_id and client_secret that identify your application to the SeloraX platform.
Register a Client
POST /api/oauth/clients
Requires merchant authentication ([auth, admin] middleware).
Request Body
```json
{
  "name": "My Website",
  "description": "E-commerce analytics dashboard",
  "logo_url": "https://example.com/logo.png",
  "homepage_url": "https://example.com",
  "privacy_policy_url": "https://example.com/privacy",
  "terms_url": "https://example.com/terms",
  "redirect_uris": [
    "https://example.com/auth/callback",
    "https://my-app.example.com/auth/callback"
  ],
  "allowed_scopes": ["openid", "profile", "email"],
  "client_type": "confidential"
}
```

| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Display name shown on the consent screen |
| description | string | No | Short description of your application |
| logo_url | string | No | Logo URL shown on the consent screen |
| homepage_url | string | No | Link to your application's homepage |
| privacy_policy_url | string | No | Link to your privacy policy |
| terms_url | string | No | Link to your terms of service |
| redirect_uris | string[] | Yes | Allowed callback URLs (must match exactly during authorization) |
| allowed_scopes | string[] | No | Scopes this client can request. Defaults to ["openid", "profile"] |
| client_type | string | No | "confidential" (default) or "public" (for SPAs — no secret, requires PKCE) |
Response
```json
{
  "message": "OAuth client created. Save the client_secret — it will not be shown again.",
  "data": {
    "client_id_pk": 1,
    "client_id": "sx_oc_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "client_secret": "sx_os_...",
    "client_type": "confidential",
    "name": "My Website"
  },
  "status": 200
}
```

:::danger Save your client_secret immediately
The client_secret is returned only once during registration. Store it securely on your server. If you lose it, you'll need to rotate the secret.
:::
Client Types
| Type | Secret | PKCE | Use Case |
|---|---|---|---|
| confidential | Required | Optional | Server-rendered apps, backend services |
| public | None | Required | Single-page apps (SPAs), mobile apps |
Public clients cannot keep secrets safe, so they must use PKCE instead.
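A pre-flight check for the registration body, covering the exact-match rule for redirect_uris and the client type rules above. This is an added example, not SeloraX code: the function names are hypothetical, and the HTTPS, fragment and wildcard rules plus the string-equality match are assumptions based on common OAuth practice.

```javascript
// Added example: client-side lint for a POST /api/oauth/clients body.
// Field names come from the request table; the HTTPS/fragment/wildcard
// rules are assumptions, not documented SeloraX behaviour.
const CLIENT_TYPES = ["confidential", "public"];

function lintRedirectUri(uri) {
  const problems = [];
  let parsed;
  try {
    parsed = new URL(uri); // throws on relative or malformed input
  } catch {
    return ["is not an absolute URL"];
  }
  const isLoopback = ["localhost", "127.0.0.1"].includes(parsed.hostname);
  if (parsed.protocol !== "https:" && !(parsed.protocol === "http:" && isLoopback)) {
    problems.push("must use https (http only for loopback)");
  }
  if (uri.includes("#")) problems.push("must not contain a fragment");
  if (uri.includes("*")) problems.push("contains a wildcard, which exact matching cannot satisfy");
  return problems;
}

function lintRegistration(body) {
  const errors = [];
  if (typeof body.name !== "string" || body.name.trim() === "") {
    errors.push("name: required string");
  }
  const type = body.client_type ?? "confidential"; // documented default
  if (!CLIENT_TYPES.includes(type)) errors.push(`client_type: unknown value ${type}`);
  const uris = body.redirect_uris;
  if (!Array.isArray(uris) || uris.length === 0) {
    errors.push("redirect_uris: required, non-empty string[]");
  } else {
    for (const uri of uris) {
      for (const p of lintRedirectUri(String(uri))) errors.push(`redirect_uris: ${uri} ${p}`);
    }
    if (new Set(uris).size !== uris.length) errors.push("redirect_uris: duplicate entry");
  }
  // Public clients have no secret, so the authorization flow must use PKCE.
  return { ok: errors.length === 0, errors, requiresPkce: type === "public" };
}

// Exact matching modelled as plain string equality: no prefix, case or
// trailing-slash tolerance (assumed from "must match exactly").
function redirectAllowed(registered, requested) {
  return registered.includes(requested);
}
```

Run `lintRegistration` on the body before sending it, and use `redirectAllowed` in tests to confirm that every callback URL your application sends is registered character for character.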
List Your Clients
GET /api/oauth/clients
Returns all clients created by the authenticated admin.
Response
```json
{
  "message": "OK",
  "data": [
    {
      "client_id_pk": 1,
      "client_id": "sx_oc_...",
      "client_type": "confidential",
      "name": "My Website",
      "description": "E-commerce analytics dashboard",
      "logo_url": "https://example.com/logo.png",
      "homepage_url": "https://example.com",
      "is_active": 1,
      "is_verified": 0,
      "created_at": "2026-03-01T12:00:00.000Z"
    }
  ],
  "status": 200
}
```

Get Client Details
GET /api/oauth/clients/:id
| Parameter | Type | Description |
|---|---|---|
| id | integer | The client_id_pk (numeric primary key) |
Update a Client
PUT /api/oauth/clients/:id
Request Body
Send only the fields you want to update:
```json
{
  "name": "Updated Name",
  "redirect_uris": [
    "https://example.com/auth/callback",
    "https://staging.example.com/auth/callback"
  ]
}
```

Updatable fields: name, description, logo_url, homepage_url, privacy_policy_url, terms_url, redirect_uris, allowed_scopes.
Delete a Client
DELETE /api/oauth/clients/:id
Soft-deletes the client. All associated tokens will stop working.
Rotate Secret
If your client secret is compromised, generate a new one:
POST /api/oauth/clients/:id/rotate-secret
Response
```json
{
  "message": "Secret rotated. Save the new secret — it will not be shown again.",
  "data": {
    "client_secret": "sx_os_..."
  },
  "status": 200
}
```

:::warning
Rotating the secret invalidates the previous secret immediately. Update your server configuration before rotating.
:::
Only available for confidential clients. Public clients do not have secrets.