Service & Management Client API Reference

Manage your Pangea API Clients through the Access APIs

Base URL

authorization.access.<csp>.<region>.pangea.cloud

• OpenAPI Specification

get/.well-known/oauth-authorization-server

cURL

Code Snippet Language

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/.well-known/oauth-authorization-server' \
-H 'Content-Type: application/json'

Response

Raw Output

200

Code Snippet Language

Get OAuth 2 server metadata

GET

https://authorization.access.aws.us.pangea.cloud/.well-known/oauth-authorization-server

Retrieve OAuth 2 Authorization Server Metadata, including supported grant types, scope values, endpoint URLs, and client authentication methods. This metadata is used by clients for dynamic discovery and integration.

Response Fields

object

issuer

string

URL of the authorization server's issuer identifier

token_endpoint

string

URL of the authorization server's token endpoint

response_types_supported

array<string>

List of the supported response types

revocation_endpoint

string

URL of the authorization server's revocation endpoint

introspection_endpoint

string

URL of the authorization server's introspection endpoint

token_endpoint_auth_methods_supported

array<string>

List of the supported authentication methods for the token endpoint

grant_types_supported

array<string>

List of the supported grant types

post/v1beta/oauth/token

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Raw Output

200

Code Snippet Language

Get access token

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token

Request an access token to authorize API calls to Pangea service and management APIs.

Use the OAuth 2 Client Credentials grant by providing the client ID and secret in the Authorization header or request body. The token is issued based on the client's assigned scope and roles.

You can optionally limit the token's scope by specifying a space-delimited list of allowed values.

For details on managing API credentials, see the documentation for Organization and Project Management APIs.

required parameters

grant_type

string

Grant type used to request the token. Currently only client_credentials is supported.

grant_type

​

grant_type

Client ID (Basic Auth)

Client ID (Basic Auth)

Client Secret (Basic Auth)

Client Secret (Basic Auth)

optional parameters

client_id

string

ID of an OAuth 2 client

​

client_secret

string

Client secret used to authenticate the OAuth 2 client at token, introspection, and revocation endpoints

​

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

​

Response Fields

object

access_token

string

Access token issued by the authorization server

token_type

string

Type of the token issued. Always set to Bearer.

expires_in

integer

Time in seconds until the access token expires

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

post/v1beta/oauth/token/revoke

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/revoke' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Raw Output

200

Code Snippet Language

Revoke token

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/revoke

Invalidate a token so it can no longer be used to authorize API requests. A client must authenticate and may only revoke tokens that were issued to it.

required parameters

token

string

Token issued to the OAuth 2 client by the Pangea Authorization Server

​

Client ID (Basic Auth)

Client ID (Basic Auth)

Client Secret (Basic Auth)

Client Secret (Basic Auth)

Response Fields

object

Optional response body when the token was not found

error

string

Error type. Present if the token was not found.

error_description

string

Human-readable explanation of the error. Present if the token was not found.

post/v1beta/oauth/token/introspect

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/introspect' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Raw Output

200

Code Snippet Language

Introspect token

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/introspect

Check whether a token is active and retrieve its metadata.

Clients can optionally use this endpoint to verify tokens issued to them before calling Pangea APIs.

required parameters

token

string

Token to be introspected. Must be a token issued to the client by the Pangea Authorization Server.

token

token

Client ID (Basic Auth)

Client ID (Basic Auth)

Client Secret (Basic Auth)

Client Secret (Basic Auth)

optional parameters

token_type_hint

string

Type of submitted token, such as access_token

token_type_hint

​

token_type_hint

Response Fields

object

active

boolean

Indicates whether the token is valid and currently active

scope

string

Space-delimited list of scope values associated with the token

client_id

string

ID of the client that was issued the token

username

string

Username of the resource owner who authorized the token

token_type

string

Type of the token, such as access_token

exp

integer

Expiration time of the token as a UNIX timestamp

iat

integer

Time the token was issued as a UNIX timestamp

nbf

integer

Time before which the token must not be used as a UNIX timestamp

sub

string

Subject identifier of the token

aud

array<string>

List of audiences that the token is intended for

iss

string

Issuer identifier for the token, typically the base URL of the authorization server

jti

string

Unique identifier for the token. Can be used to track and revoke the token.

post/v1beta/oauth/clients/register

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/register' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

200

Code Snippet Language

Register client

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/register

Create a new OAuth 2 client registration to access Pangea APIs. Specify metadata such as name, scope, authentication method, and token lifetimes. To authorize access to specific resource types, assign roles to the client.

Both scope and roles are required to grant full access: scopes define which API routes the client can call, while roles define object-level permissions.

For example, the scope pangea:service:ai-guard:read permits access to AI Guard endpoints, but the client must also be assigned a corresponding role such as:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

Scope and roles can be granted during client registration via the /v1beta/oauth/clients/register endpoint, and updated later using /v1beta/oauth/clients/id/grant.

Learn more in the documentation for registering organization and project management clients, as well as service API clients.

required parameters

client_name

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

​

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

​

optional parameters

token_endpoint_auth_method

string

(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

token_endpoint_auth_method

​

token_endpoint_auth_method

redirect_uris

array<string>

List of allowed redirect URIs for the OAuth 2 client

Click 'Save' to use the value

grant_types

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

Click 'Save' to use the value

response_types

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

​

client_secret_expires_in

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

• maximum: 31,536,000

client_secret_expires_in

client_secret_expires_in

client_token_expires_in

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

client_token_expires_in

client_token_expires_in

client_secret_name

string

Name assigned to the generated client secret

client_secret_name

client_secret_name

client_secret_description

string

Description for the generated client secret

client_secret_description

client_secret_description

roles

array<object>

List of roles to assign to the OAuth 2 client. Roles grant object-level access, while scope defines which API routes the client can call.

For example, a service API client role might look like:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

This role allows the client to issue access tokens for executing functionality exposed by the AI Guard APIs.

Click 'Save' to use the value

type

string

Type of the resource the role applies to. Examples include organization, project, or service_{snake_case(service)}_config.

type

type

id

ID of the resource the role applies to, such as the ID of an organization, project, or service configuration.

​

role

string

Specific role assigned to the OAuth 2 client. Examples include manager for service clients or admin for organization and projects management clients.

role

role

Response Fields

object

API Client information with initial secret

client_id

string

ID of an OAuth 2 client

created_at

string (date-time)

Timestamp in ISO 8601 format

updated_at

string (date-time)

Timestamp in ISO 8601 format

client_name

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

token_endpoint_auth_method

string

(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

redirect_uris

array<string>

List of allowed redirect URIs for the OAuth 2 client

grant_types

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

response_types

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

client_token_expires_in

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

owner_id

string

ID of a Pangea user

owner_username

string

Username of the owner

creator_id

string

ID of a Pangea resource

org_id

string

ID of the Pangea Organization

project_id

string

ID of a Pangea Project

client_class

string

Class of the OAuth 2 client, such as service or management

client_secret

string

Client secret used to authenticate the OAuth 2 client at token, introspection, and revocation endpoints

client_secret_expires_at

string (date-time)

Timestamp in ISO 8601 format

client_secret_name

string

Name assigned to the generated client secret

client_secret_description

string

Description for the generated client secret

get/v1beta/oauth/clients

cURL

Code Snippet Language

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

200

Code Snippet Language

List clients

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients

Retrieve a paginated list of OAuth 2 clients. Project clients can view only clients within the project, while organization clients can view all clients across the organization's projects.

Filter by name, ID, scope, and timestamps to audit or manage client registrations.

query parameters

created_at

string (date-time)

Clients created after or at the specified timestamp

​

created_at__gt

string (date-time)

Clients created after the specified timestamp

​

created_at__gte

string (date-time)

Clients created after or at the specified timestamp

​

created_at__lt

string (date-time)

Clients created before the specified timestamp

​

created_at__lte

string (date-time)

Clients created before or at the specified timestamp

​

client_id

string

Clients with the client_id matching the specified value

​

client_id__contains

array<string>

Clients with a client_id containing each specified substring

Click 'Save' to use the value

client_id__in

array<string>

Clients with a client_id matching one of the specified values

Click 'Save' to use the value

client_name

string

Clients with a client_name matching the specified value

client_name

client_name

client_name__contains

array<string>

Clients with a client_name containing one of the specified substrings

Click 'Save' to use the value

client_name__in

array<string>

Clients with a client_name matching one of the specified values

Click 'Save' to use the value

scopes

array<string>

Clients assigned all of the specified scope values

Click 'Save' to use the value

updated_at

string (date-time)

Clients updated at the specified timestamp

​

updated_at__gt

string (date-time)

Clients updated after the specified timestamp

​

updated_at__gte

string (date-time)

Clients updated after or at the specified timestamp

​

updated_at__lt

string (date-time)

Clients updated before the specified timestamp

​

updated_at__lte

string (date-time)

Clients updated before or at the specified timestamp

​

last

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

​

order

string

Sort results in ascending (asc) or descending (desc) order.

order

​

order

order_by

string

Field to sort results by

order_by

​

order_by

size

integer

Maximum number of results to include in the response

• minimum: 1

size

size

Response Fields

object

clients

array<object>

client_id

string

ID of an OAuth 2 client

created_at

string (date-time)

Timestamp in ISO 8601 format

updated_at

string (date-time)

Timestamp in ISO 8601 format

client_name

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

token_endpoint_auth_method

string

(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

redirect_uris

array<string>

List of allowed redirect URIs for the OAuth 2 client

grant_types

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

response_types

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

client_token_expires_in

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

owner_id

string

ID of a Pangea user

owner_username

string

Username of the owner

creator_id

string

ID of a Pangea resource

org_id

string

ID of the Pangea Organization

project_id

string

ID of a Pangea Project

client_class

string

Class of the OAuth 2 client, such as service or management

count

integer

Number of records returned

last

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

get/v1beta/oauth/clients/{id}

cURL

Code Snippet Language

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

200

Code Snippet Language

Get client details

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Fetch metadata for a specific OAuth 2 client by its ID. Returns information such as client identity, scope, parent, authentication method, and other metadata.

endpoint parameters

id

string

ID of an OAuth 2 client

​

Response Fields

object

API Client information

client_id

string

ID of an OAuth 2 client

created_at

string (date-time)

Timestamp in ISO 8601 format

updated_at

string (date-time)

Timestamp in ISO 8601 format

client_name

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

token_endpoint_auth_method

string

(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

redirect_uris

array<string>

List of allowed redirect URIs for the OAuth 2 client

grant_types

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

response_types

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

client_token_expires_in

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

owner_id

string

ID of a Pangea user

owner_username

string

Username of the owner

creator_id

string

ID of a Pangea resource

org_id

string

ID of the Pangea Organization

project_id

string

ID of a Pangea Project

client_class

string

Class of the OAuth 2 client, such as service or management

post/v1beta/oauth/clients/{id}

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

200

Code Snippet Language

Update client configuration

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Update the configuration of an existing OAuth 2 client registration. Modify fields such as name, scope, authentication method, and other client metadata.

endpoint parameters

id

string

ID of an OAuth 2 client

​

required parameters

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

​

optional parameters

client_name

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

​

token_endpoint_auth_method

string

(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

token_endpoint_auth_method

​

token_endpoint_auth_method

redirect_uris

array<string>

List of allowed redirect URIs for the OAuth 2 client

Click 'Save' to use the value

response_types

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

​

grant_types

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

Click 'Save' to use the value

Response Fields

object

API Client information

client_id

string

ID of an OAuth 2 client

created_at

string (date-time)

Timestamp in ISO 8601 format

updated_at

string (date-time)

Timestamp in ISO 8601 format

client_name

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

token_endpoint_auth_method

string

(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

redirect_uris

array<string>

List of allowed redirect URIs for the OAuth 2 client

grant_types

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

response_types

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

client_token_expires_in

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

owner_id

string

ID of a Pangea user

owner_username

string

Username of the owner

creator_id

string

ID of a Pangea resource

org_id

string

ID of the Pangea Organization

project_id

string

ID of a Pangea Project

client_class

string

Class of the OAuth 2 client, such as service or management

delete/v1beta/oauth/clients/{id}

cURL

Code Snippet Language

curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

204

Code Snippet Language

No content

Delete client

DELETE

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Delete an OAuth 2 client registration by ID and revoke all tokens issued to the client.

endpoint parameters

id

string

ID of an OAuth 2 client

​

post/v1beta/oauth/clients/{id}/secrets

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

200

Code Snippet Language

Create a new client secret

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets

Generate a new secret for an existing OAuth 2 client. The response includes the secret, which can be used for client authentication, along with its metadata.

endpoint parameters

id

string

ID of an OAuth 2 client

​

fields

client_secret_expires_in

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

• maximum: 31,536,000

client_secret_expires_in

client_secret_expires_in

client_secret_name

string

Name assigned to the generated client secret

client_secret_name

client_secret_name

client_secret_description

string

Description for the generated client secret

client_secret_description

client_secret_description

Response Fields

object

client_id

string

ID of an OAuth 2 client

client_secret_id

string

ID of the Vault item containing the OAuth 2 client secret

client_secret

string

Client secret used to authenticate the OAuth 2 client at token, introspection, and revocation endpoints

client_secret_expires_at

string (date-time)

Timestamp in ISO 8601 format

client_secret_name

string

Name assigned to the generated client secret

client_secret_description

string

Description for the generated client secret

get/v1beta/oauth/clients/{id}/secrets/metadata

cURL

Code Snippet Language

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/metadata' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

200

Code Snippet Language

List client secret metadata

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/metadata

Retrieve metadata for all secrets associated with a specific OAuth 2 client.

Secret values are not returned. To retrieve a secret value, use the Vault APIs with the vault_item_id included in the response.

endpoint parameters

id

string

ID of an OAuth 2 client

​

query parameters

created_at

string (date-time)

Secrets created at the specified timestamp

​

created_at__gt

string (date-time)

Secrets created after the specified timestamp

​

created_at__gte

string (date-time)

Secrets created after or at the specified timestamp

​

created_at__lt

string (date-time)

Secrets created before the specified timestamp

​

created_at__lte

string (date-time)

Secrets created before or at the specified timestamp

​

client_secret_name

string

Secrets with a name matching the specified value

client_secret_name

client_secret_name

client_secret_name__contains

array<string>

Secrets with a name containing one of the specified substrings

Click 'Save' to use the value

client_secret_name__in

array<string>

Secrets with a name matching one of the specified values

Click 'Save' to use the value

last

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

​

order

string

Sort results in ascending (asc) or descending (desc) order.

order

​

order

order_by

string

Field to sort results by

order_by

​

order_by

size

integer

Maximum results to include in the response

• minimum: 1

size

size

Response Fields

object

client-secrets

array<object>

client_id

string

ID of an OAuth 2 client

client_secret_id

string

ID of the Vault item containing the OAuth 2 client secret

client_secret_expires_at

string (date-time)

Timestamp in ISO 8601 format

client_secret_name

string

Name assigned to the generated client secret

client_secret_description

string

Description for the generated client secret

created_at

string (date-time)

Timestamp in ISO 8601 format

updated_at

string (date-time)

Timestamp in ISO 8601 format

client_secret_metadata

object

creator

string

Origin of the request that created the secret, such as access for Management APIs

creator_id

string

ID of the entity that created the secret, such as a client ID

creator_type

string

Type of the entity that created the secret, such as client_account

source_ip

string

IP address of the client that initiated the request

user_agent

string

User agent string sent by the client that created the secret

vault_config_id

string

ID of the Vault configuration used to store the secret

vault_item_id

string

ID of the Vault item where the client secret is stored

vault_item_type

string

Type of the Vault item, such as pangea_platform_client_secret

vault_item_version

string

Version of the Vault item containing the client secret

vault_project_id

string

ID of the Pangea project where the secret is stored in Vault

count

integer

Number of records returned

last

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

delete/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

cURL

Code Snippet Language

curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

204

Code Snippet Language

No content

Revoke client secret

DELETE

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

Invalidate a specific client secret to prevent it from being used for future authentication and token requests.

endpoint parameters

id

string

ID of an OAuth 2 client

​

client_secret_id

string

ID of the Vault item containing the OAuth 2 client secret

​

post/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

200

Code Snippet Language

Update client secret metadata

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

Update metadata for a specific client secret, such as its name, description, or expiration time. This operation does not change the secret value.

endpoint parameters

id

string

ID of an OAuth 2 client

​

client_secret_id

string

ID of the Vault item containing the OAuth 2 client secret

​

fields

client_secret_expires_in

integer

Positive lifetime duration in seconds

• maximum: 31,536,000

client_secret_expires_in

client_secret_expires_in

client_secret_name

string

Name assigned to the generated client secret

client_secret_name

client_secret_name

client_secret_description

string

Description for the generated client secret

client_secret_description

client_secret_description

Response Fields

object

client_id

string

ID of an OAuth 2 client

client_secret_id

string

ID of the Vault item containing the OAuth 2 client secret

client_secret

string

Client secret used to authenticate the OAuth 2 client at token, introspection, and revocation endpoints

client_secret_expires_at

string (date-time)

Timestamp in ISO 8601 format

client_secret_name

string

Name assigned to the generated client secret

client_secret_description

string

Description for the generated client secret

get/v1beta/oauth/clients/{id}/roles

cURL

Code Snippet Language

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/roles' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

200

Code Snippet Language

List client roles

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/roles

Retrieve roles assigned to a specific OAuth 2 client, optionally filtered by resource type and role properties. Roles define object-level access to organization or project resources and service configurations.

endpoint parameters

id

string

ID of an OAuth 2 client

​

query parameters

resource_type

string

Roles where resource_type matches the specified value

​

resource_id

string

Roles where resource_id matches the specified value

​

role

string

Roles where role matches the specified value

​

Response Fields

object

roles

array<array>

count

integer

Number of records returned

last

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

post/v1beta/oauth/clients/{id}/grant

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/grant' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

200

Code Snippet Language

Grant access to client

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/grant

Assign scope and roles to a specific OAuth 2 client to authorize access to specific operations and resources.

Scope controls which API routes the client can call, while roles define object-level permissions to organization or project resources or service configurations.

For example, the scope pangea:service:ai-guard:read permits access to AI Guard endpoints, but the client must also be assigned a corresponding role such as:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

Scope and roles can be granted during client registration via the /v1beta/oauth/clients/register endpoint, and updated later using /v1beta/oauth/clients/id/grant.

endpoint parameters

id

string

ID of an OAuth 2 client

​

required parameters

roles

array<object>

List of roles to assign to the OAuth 2 client. Roles grant object-level access, while scope defines which API routes the client can call.

For example, a service API client role might look like:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

This role allows the client to issue access tokens for executing functionality exposed by the AI Guard APIs.

Click 'Save' to use the value

type

string

Type of the resource the role applies to. Examples include organization, project, or service_{snake_case(service)}_config.

type

type

id

ID of the resource the role applies to, such as the ID of an organization, project, or service configuration.

​

role

string

Specific role assigned to the OAuth 2 client. Examples include manager for service clients or admin for organization and projects management clients.

role

role

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

​

Response Fields

object

Empty object

post/v1beta/oauth/clients/{id}/revoke

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/revoke' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

200

Code Snippet Language

Revoke access from client

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/revoke

Remove previously granted scopes and roles from a specific OAuth 2 client to reduce or revoke its access. Use this to limit access to APIs or resources without deleting the client.

endpoint parameters

id

string

ID of an OAuth 2 client

​

required parameters

roles

array<object>

List of roles to assign to the OAuth 2 client. Roles grant object-level access, while scope defines which API routes the client can call.

For example, a service API client role might look like:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

This role allows the client to issue access tokens for executing functionality exposed by the AI Guard APIs.

Click 'Save' to use the value

type

string

Type of the resource the role applies to. Examples include organization, project, or service_{snake_case(service)}_config.

type

type

id

ID of the resource the role applies to, such as the ID of an organization, project, or service configuration.

​

role

string

Specific role assigned to the OAuth 2 client. Examples include manager for service clients or admin for organization and projects management clients.

role

role

scope

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server-get/ endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

​

Response Fields

object

Empty object

post/v1beta/oauth/clients/{id}/restrictions

cURL

Code Snippet Language

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

200

Code Snippet Language

Create/update client restrictions

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions

Set usage restrictions on an existing client.

endpoint parameters

id

string

ID of an OAuth 2 client

​

required parameters

restrictions

array<object>

Click 'Save' to use the value

id

string

Alphanumeric-with-underscores restriction identifier

id

id

type

string

Type of restriction (currently only api_usage)

type

​

type

routes

array<object>

List of API routes this restriction applies to

Click 'Save' to use the value

path

string

The API path suffix to be restricted

path

path

service

string

The Pangea service for the path

service

service

limit

integer

Maximum number of calls allowed

• minimum: 0

limit

limit

Response Fields

object

get/v1beta/oauth/clients/{id}/restrictions

cURL

Code Snippet Language

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

200

Code Snippet Language

Get client restrictions

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions

Fetches detailed information about usage restrictions on the specified client.

endpoint parameters

id

string

ID of an OAuth 2 client

​

Response Fields

object

restrictions

array<object>

used

integer

Number of calls already made under this restriction

• minimum: 0

updated_at

string (date-time)

Timestamp in ISO 8601 format

id

string

Alphanumeric-with-underscores restriction identifier

type

string

Type of restriction (currently only api_usage)

routes

array<object>

List of API routes this restriction applies to

path

string

The API path suffix to be restricted

service

string

The Pangea service for the path

limit

integer

Maximum number of calls allowed

• minimum: 0

delete/v1beta/oauth/clients/{id}/restrictions

cURL

Code Snippet Language

curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

204

Code Snippet Language

No content

Delete client restrictions

DELETE

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions

Removes client restrictions.

endpoint parameters

id

string

ID of an OAuth 2 client

​

required parameters

restrictions

array<object>

Click 'Save' to use the value

id

string

Alphanumeric-with-underscores restriction identifier

• maxLength: 32

id

id

type

string

Type of restriction (currently only api_usage)

type

​

type

Status Codes

Was this article helpful?

Contact us