
Service & Management Client API Reference

Manage your Pangea API Clients through the Access APIs

Base URL

authorization.access.<csp>.<region>.pangea.cloud

GET /.well-known/oauth-authorization-server
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/.well-known/oauth-authorization-server' \
-H 'Content-Type: application/json'

Response

Get OAuth 2 server metadata

GET
https://authorization.access.aws.us.pangea.cloud/.well-known/oauth-authorization-server

Retrieve OAuth 2 Authorization Server Metadata, including supported grant types, scope values, endpoint URLs, and client authentication methods. This metadata is used by clients for dynamic discovery and integration.

object
string

URL of the authorization server's issuer identifier

string

URL of the authorization server's token endpoint

array<string>

List of the supported response types

string

URL of the authorization server's revocation endpoint

string

URL of the authorization server's introspection endpoint

array<string>

List of the supported authentication methods for the token endpoint

array<string>

List of the supported grant types

POST /v1beta/oauth/token
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Get access token

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token

Request an access token to authorize API calls to Pangea service and management APIs.

Use the OAuth 2 Client Credentials grant by providing the client ID and secret in the Authorization header or request body. The token is issued based on the client's assigned scope and roles.

You can optionally limit the token's scope by specifying a space-delimited list of allowed values.

For details on managing API credentials, see the documentation for Organization and Project Management APIs.

required parameters

string

Grant type used to request the token. Currently only client_credentials is supported.

string

ID of an OAuth 2 client

string

Client secret used to authenticate the OAuth 2 client at token, introspection, and revocation endpoints

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

object
string

Access token issued by the authorization server

string

Type of the token issued. Always set to Bearer.

integer

Time in seconds until the access token expires

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

POST /v1beta/oauth/token/revoke
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/revoke' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Revoke token

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/revoke

Invalidate a token so it can no longer be used to authorize API requests. A client must authenticate and may only revoke tokens that were issued to it.

required parameters

string

Token issued to the OAuth 2 client by the Pangea Authorization Server

object

Optional response body when the token was not found

string

Error type. Present if the token was not found.

string

Human-readable explanation of the error. Present if the token was not found.

POST /v1beta/oauth/token/introspect
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/introspect' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Introspect token

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/introspect

Check whether a token is active and retrieve its metadata.

Clients can optionally use this endpoint to verify tokens issued to them before calling Pangea APIs.

required parameters

string

Token to be introspected. Must be a token issued to the client by the Pangea Authorization Server.

string

Type of submitted token, such as access_token

object
boolean

Indicates whether the token is valid and currently active

string

Space-delimited list of scope values associated with the token

string

ID of the client that was issued the token

string

Username of the resource owner who authorized the token

string

Type of the token, such as access_token

integer

Expiration time of the token as a UNIX timestamp

integer

Time the token was issued as a UNIX timestamp

integer

Time before which the token must not be used as a UNIX timestamp

string

Subject identifier of the token

array<string>

List of audiences that the token is intended for

string

Issuer identifier for the token, typically the base URL of the authorization server

string

Unique identifier for the token. Can be used to track and revoke the token.
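
The scope narrowing described for the token endpoint and the introspection check described above, as an added example (not Pangea's own code). The form and response field names (grant_type, scope, token, token_type_hint, active, client_id, exp, nbf) are the RFC 6749 and RFC 7662 names, assumed here because this page lists the fields by description only; the sample response and the second scope value are constructed.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode

BASE = "https://authorization.access.aws.us.pangea.cloud"  # base URL from this page


def basic_auth(client_id, client_secret):
    """Authorization header value for client_secret_basic."""
    pair = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(pair).decode()


def _form_request(path, client_id, client_secret, fields):
    """Return (url, headers, body) for a form-encoded, Basic-authenticated POST."""
    headers = {
        "Authorization": basic_auth(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return BASE + path, headers, urlencode(fields)


def build_token_request(client_id, client_secret, scopes):
    """Client-credentials request narrowed to `scopes` (assumed RFC 6749 names)."""
    if not scopes:
        # Omitting scope makes the token inherit every scope assigned to the client.
        raise ValueError("pass the scopes this job needs; do not omit scope")
    fields = {
        "grant_type": "client_credentials",
        "scope": " ".join(sorted(set(scopes))),  # space-delimited list
    }
    return _form_request("/v1beta/oauth/token", client_id, client_secret, fields)


def build_introspect_request(client_id, client_secret, token):
    """Introspection request (assumed RFC 7662 names: token, token_type_hint)."""
    fields = {"token": token, "token_type_hint": "access_token"}
    return _form_request("/v1beta/oauth/token/introspect",
                         client_id, client_secret, fields)


def post_form(url, headers, body, timeout=10):
    """Send a request built above and decode the JSON response (needs network)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers,
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_introspection(info, client_id, required_scopes, now=None, min_ttl=30):
    """Return a list of reasons not to use the token; an empty list means usable."""
    now = int(time.time()) if now is None else now
    if info.get("active") is not True:
        return ["token is not active"]
    problems = []
    if info.get("client_id") != client_id:
        problems.append("token was issued to a different client")
    exp, nbf = info.get("exp"), info.get("nbf")
    if not isinstance(exp, int) or exp - now < min_ttl:
        problems.append("token expires within min_ttl seconds")
    if isinstance(nbf, int) and nbf > now:
        problems.append("token is not valid yet (nbf in the future)")
    granted = set(str(info.get("scope", "")).split())
    required = set(required_scopes)
    if required - granted:
        problems.append("missing scope: " + " ".join(sorted(required - granted)))
    if granted - required:
        # A token wider than the job needs is a least-privilege finding.
        problems.append("broader than needed: " + " ".join(sorted(granted - required)))
    return problems


# Constructed sample introspection response, not captured from a real server.
SAMPLE_NOW = 1_700_000_000
SAMPLE_INTROSPECTION = {
    "active": True,
    "scope": "pangea:service:ai-guard:read",
    "client_id": "example_client_id",
    "token_type": "access_token",
    "exp": SAMPLE_NOW + 3600,
    "iat": SAMPLE_NOW,
    "nbf": SAMPLE_NOW,
}
```

Pass the tuple from either build function to post_form, then run check_introspection on the decoded introspection response before using the token.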

POST /v1beta/oauth/clients/register
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/register' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Register client

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/register

Create a new OAuth 2 client registration to access Pangea APIs. Specify metadata such as name, scope, authentication method, and token lifetimes. To authorize access to specific resource types, assign roles to the client.

Both scope and roles are required to grant full access: scopes define which API routes the client can call, while roles define object-level permissions.

For example, the scope pangea:service:ai-guard:read permits access to AI Guard endpoints, but the client must also be assigned a corresponding role such as:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

Scope and roles can be granted during client registration via the /v1beta/oauth/clients/register endpoint, and updated later using /v1beta/oauth/clients/{id}/grant.

Learn more in the documentation for registering organization and project management clients, as well as service API clients.

required parameters

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

string
(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

array<string>

List of allowed redirect URIs for the OAuth 2 client

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

  • maximum: 31,536,000

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

string

Name assigned to the generated client secret

string

Description for the generated client secret

array<object>

List of roles to assign to the OAuth 2 client. Roles grant object-level access, while scope defines which API routes the client can call.

For example, a service API client role might look like:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

This role allows the client to issue access tokens for executing functionality exposed by the AI Guard APIs.

string

Type of the resource the role applies to. Examples include organization, project, or service_{snake_case(service)}_config.

ID of the resource the role applies to, such as the ID of an organization, project, or service configuration.

string

Specific role assigned to the OAuth 2 client. Examples include manager for service clients or admin for organization and project management clients.

object

API Client information with initial secret

string

ID of an OAuth 2 client

string (date-time)

Timestamp in ISO 8601 format

string (date-time)

Timestamp in ISO 8601 format

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

string
(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

array<string>

List of allowed redirect URIs for the OAuth 2 client

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

string

ID of a Pangea user

string

Username of the owner

string

ID of a Pangea resource

string

ID of the Pangea Organization

string

ID of a Pangea Project

string

Class of the OAuth 2 client, such as service or management

string

Client secret used to authenticate the OAuth 2 client at token, introspection, and revocation endpoints

string (date-time)

Timestamp in ISO 8601 format

string

Name assigned to the generated client secret

string

Description for the generated client secret

GET /v1beta/oauth/clients
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

List clients

GET
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients

Retrieve a paginated list of OAuth 2 clients. Project clients can view only clients within the project, while organization clients can view all clients across the organization's projects.

Filter by name, ID, scope, and timestamps to audit or manage client registrations.

query parameters

string (date-time)

Clients created after or at the specified timestamp

string (date-time)

Clients created after the specified timestamp

string (date-time)

Clients created after or at the specified timestamp

string (date-time)

Clients created before the specified timestamp

string (date-time)

Clients created before or at the specified timestamp

string

Clients with the client_id matching the specified value

array<string>

Clients with a client_id containing each specified substring

array<string>

Clients with a client_id matching one of the specified values

string

Clients with a client_name matching the specified value

array<string>

Clients with a client_name containing one of the specified substrings

array<string>

Clients with a client_name matching one of the specified values

array<string>

Clients assigned all of the specified scope values

string (date-time)

Clients updated at the specified timestamp

string (date-time)

Clients updated after the specified timestamp

string (date-time)

Clients updated after or at the specified timestamp

string (date-time)

Clients updated before the specified timestamp

string (date-time)

Clients updated before or at the specified timestamp

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

string

Sort results in ascending (asc) or descending (desc) order.

string

Field to sort results by

integer

Maximum number of results to include in the response

  • minimum: 1

object
array<object>
string

ID of an OAuth 2 client

string (date-time)

Timestamp in ISO 8601 format

string (date-time)

Timestamp in ISO 8601 format

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

string
(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

array<string>

List of allowed redirect URIs for the OAuth 2 client

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

string

ID of a Pangea user

string

Username of the owner

string

ID of a Pangea resource

string

ID of the Pangea Organization

string

ID of a Pangea Project

string

Class of the OAuth 2 client, such as service or management

integer

Number of records returned

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

GET /v1beta/oauth/clients/{id}
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Get client details

GET
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Fetch metadata for a specific OAuth 2 client by its ID. Returns information such as client identity, scope, parent, authentication method, and other metadata.

endpoint parameters

string

ID of an OAuth 2 client

object

API Client information

string

ID of an OAuth 2 client

string (date-time)

Timestamp in ISO 8601 format

string (date-time)

Timestamp in ISO 8601 format

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

string
(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

array<string>

List of allowed redirect URIs for the OAuth 2 client

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

string

ID of a Pangea user

string

Username of the owner

string

ID of a Pangea resource

string

ID of the Pangea Organization

string

ID of a Pangea Project

string

Class of the OAuth 2 client, such as service or management

POST /v1beta/oauth/clients/{id}
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Update client configuration

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Update the configuration of an existing OAuth 2 client registration. Modify fields such as name, scope, authentication method, and other client metadata.

endpoint parameters

string

ID of an OAuth 2 client

required parameters

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

string
(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

array<string>

List of allowed redirect URIs for the OAuth 2 client

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

object

API Client information

string

ID of an OAuth 2 client

string (date-time)

Timestamp in ISO 8601 format

string (date-time)

Timestamp in ISO 8601 format

string

Human-readable name assigned to the OAuth 2 client. Not used for authentication or authorization.

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

string
(default: "client_secret_basic")

Authentication method used by the OAuth 2 client for the token endpoints

array<string>

List of allowed redirect URIs for the OAuth 2 client

array<string>

List of OAuth grant types that the OAuth 2 client can use. Currently limited to client_credentials.

array,null<string,null>

List of OAuth response types that the client can use. Currently limited to token.

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

string

ID of a Pangea user

string

Username of the owner

string

ID of a Pangea resource

string

ID of the Pangea Organization

string

ID of a Pangea Project

string

Class of the OAuth 2 client, such as service or management

DELETE /v1beta/oauth/clients/{id}
curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

No content

Delete client

DELETE
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Delete an OAuth 2 client registration by ID and revoke all tokens issued to the client.

endpoint parameters

string

ID of an OAuth 2 client

POST /v1beta/oauth/clients/{id}/secrets
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Create a new client secret

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets

Generate a new secret for an existing OAuth 2 client. The response includes the secret, which can be used for client authentication, along with its metadata.

endpoint parameters

string

ID of an OAuth 2 client

fields

integer, null

Positive lifetime duration in seconds. If not provided, a default value is applied.

  • maximum: 31,536,000

string

Name assigned to the generated client secret

string

Description for the generated client secret

object
string

ID of an OAuth 2 client

string

ID of the Vault item containing the OAuth 2 client secret

string

Client secret used to authenticate the OAuth 2 client at token, introspection, and revocation endpoints

string (date-time)

Timestamp in ISO 8601 format

string

Name assigned to the generated client secret

string

Description for the generated client secret

GET /v1beta/oauth/clients/{id}/secrets/metadata
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/metadata' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

List client secret metadata

GET
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/metadata

Retrieve metadata for all secrets associated with a specific OAuth 2 client.

Secret values are not returned. To retrieve a secret value, use the Vault APIs with the vault_item_id included in the response.

endpoint parameters

string

ID of an OAuth 2 client

query parameters

string (date-time)

Secrets created at the specified timestamp

string (date-time)

Secrets created after the specified timestamp

string (date-time)

Secrets created after or at the specified timestamp

string (date-time)

Secrets created before the specified timestamp

string (date-time)

Secrets created before or at the specified timestamp

string

Secrets with a name matching the specified value

array<string>

Secrets with a name containing one of the specified substrings

array<string>

Secrets with a name matching one of the specified values

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

string

Sort results in ascending (asc) or descending (desc) order.

string

Field to sort results by

integer

Maximum results to include in the response

  • minimum: 1

object
array<object>
string

ID of an OAuth 2 client

string

ID of the Vault item containing the OAuth 2 client secret

string (date-time)

Timestamp in ISO 8601 format

string

Name assigned to the generated client secret

string

Description for the generated client secret

string (date-time)

Timestamp in ISO 8601 format

string (date-time)

Timestamp in ISO 8601 format

object
string

Origin of the request that created the secret, such as access for Management APIs

string

ID of the entity that created the secret, such as a client ID

string

Type of the entity that created the secret, such as client_account

string

IP address of the client that initiated the request

string

User agent string sent by the client that created the secret

string

ID of the Vault configuration used to store the secret

string

ID of the Vault item where the client secret is stored

string

Type of the Vault item, such as pangea_platform_client_secret

string

Version of the Vault item containing the client secret

string

ID of the Pangea project where the secret is stored in Vault

integer

Number of records returned

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

DELETE /v1beta/oauth/clients/{id}/secrets/{client_secret_id}
curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

No content

Revoke client secret

DELETE
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

Invalidate a specific client secret to prevent it from being used for future authentication and token requests.

endpoint parameters

string

ID of an OAuth 2 client

string

ID of the Vault item containing the OAuth 2 client secret

POST /v1beta/oauth/clients/{id}/secrets/{client_secret_id}
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Update client secret metadata

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

Update metadata for a specific client secret, such as its name, description, or expiration time. This operation does not change the secret value.

endpoint parameters

string

ID of an OAuth 2 client

string

ID of the Vault item containing the OAuth 2 client secret

fields

integer

Positive lifetime duration in seconds

  • maximum: 31,536,000

string

Name assigned to the generated client secret

string

Description for the generated client secret

object
string

ID of an OAuth 2 client

string

ID of the Vault item containing the OAuth 2 client secret

string

Client secret used to authenticate the OAuth 2 client at token, introspection, and revocation endpoints

string (date-time)

Timestamp in ISO 8601 format

string

Name assigned to the generated client secret

string

Description for the generated client secret

GET /v1beta/oauth/clients/{id}/roles
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/roles' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

List client roles

GET
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/roles

Retrieve roles assigned to a specific OAuth 2 client, optionally filtered by resource type and role properties. Roles define object-level access to organization or project resources and service configurations.

endpoint parameters

string

ID of an OAuth 2 client

query parameters

string

Roles where resource_type matches the specified value

string

Roles where resource_id matches the specified value

string

Roles where role matches the specified value

object
array<array>
integer

Number of records returned

string

Base64-encoded pagination cursor from the previous response, used to retrieve the next page of results

POST /v1beta/oauth/clients/{id}/grant
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/grant' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Grant access to client

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/grant

Assign scope and roles to a specific OAuth 2 client to authorize access to specific operations and resources.

Scope controls which API routes the client can call, while roles define object-level permissions to organization or project resources or service configurations.

For example, the scope pangea:service:ai-guard:read permits access to AI Guard endpoints, but the client must also be assigned a corresponding role such as:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

Scope and roles can be granted during client registration via the /v1beta/oauth/clients/register endpoint, and updated later using /v1beta/oauth/clients/{id}/grant.

endpoint parameters

string

ID of an OAuth 2 client

required parameters

array<object>

List of roles to assign to the OAuth 2 client. Roles grant object-level access, while scope defines which API routes the client can call.

For example, a service API client role might look like:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

This role allows the client to issue access tokens for executing functionality exposed by the AI Guard APIs.

string

Type of the resource the role applies to. Examples include organization, project, or service_{snake_case(service)}_config.

ID of the resource the role applies to, such as the ID of an organization, project, or service configuration.

string

Specific role assigned to the OAuth 2 client. Examples include manager for service clients or admin for organization and project management clients.

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

object

Empty object
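
A pre-flight check for the scope and roles pairing that the register and grant endpoints describe, as an added example (not Pangea's own code). It assumes service scopes have the shape pangea:service:<service>:<action>, generalized from the single example on this page, and derives the role type from the service_{snake_case(service)}_config pattern; check_grant and role_type_for_service are hypothetical helper names, and organization or project grants are not checked.

```python
import re

# Assumed shape of a service scope, generalized from pangea:service:ai-guard:read.
SERVICE_SCOPE = re.compile(r"^pangea:service:([a-z0-9-]+):([a-z0-9_-]+)$")
ROLE_KEYS = {"type", "id", "role"}  # keys shown in the role example on this page


def role_type_for_service(service):
    """Map a service name from a scope to the role type pattern
    service_{snake_case(service)}_config given on this page."""
    return "service_" + service.replace("-", "_") + "_config"


def check_grant(scope, roles):
    """Compare a space-delimited scope string with a list of role objects.

    Returns findings (sorted strings). Scope decides which API routes the
    client can call; roles decide which objects it can touch, so a service
    scope without a role (or the reverse) grants nothing usable and is
    usually a mistake in the registration or grant request.
    """
    findings = []

    # Role types implied by each service scope value.
    scoped = {}
    for value in scope.split():
        match = SERVICE_SCOPE.match(value)
        if match:
            scoped.setdefault(role_type_for_service(match.group(1)), []).append(value)

    # Role types actually present, rejecting malformed role objects.
    role_types = set()
    for index, role in enumerate(roles):
        missing = ROLE_KEYS - set(role)
        if missing:
            findings.append(
                f"roles[{index}] is missing keys: {', '.join(sorted(missing))}")
            continue
        role_types.add(role["type"])

    for rtype, values in scoped.items():
        if rtype not in role_types:
            findings.append(
                f"scope {' '.join(values)} has no role of type {rtype}: "
                "routes are callable but no object is accessible")

    for rtype in role_types:
        if rtype.startswith("service_") and rtype not in scoped:
            findings.append(
                f"role type {rtype} has no matching service scope: "
                "object access is granted but no route is callable")

    return sorted(findings)


# The role object shown on this page, paired with the scope it is described with.
EXAMPLE_SCOPE = "pangea:service:ai-guard:read"
EXAMPLE_ROLES = [{
    "type": "service_ai_guard_config",
    "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
    "role": "manager",
}]
```

Run check_grant on the scope and roles of a register or grant request body before sending it; an empty list means every service scope has a matching role and vice versa.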

POST /v1beta/oauth/clients/{id}/revoke
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/revoke' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Revoke access from client

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/revoke

Remove previously granted scopes and roles from a specific OAuth 2 client to reduce or revoke its access. Use this to limit access to APIs or resources without deleting the client.

endpoint parameters

string

ID of an OAuth 2 client

required parameters

array<object>

List of roles to assign to the OAuth 2 client. Roles grant object-level access, while scope defines which API routes the client can call.

For example, a service API client role might look like:

{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}

This role allows the client to issue access tokens for executing functionality exposed by the AI Guard APIs.

string

Type of the resource the role applies to. Examples include organization, project, or service_{snake_case(service)}_config.

ID of the resource the role applies to, such as the ID of an organization, project, or service configuration.

string

Specific role assigned to the OAuth 2 client. Examples include manager for service clients or admin for organization and project management clients.

string

Space-delimited list of scope values that restrict API access granted by the token. If omitted, the token inherits all scopes assigned to the OAuth 2 client.

For example, pangea:service:ai-guard:read grants access to the AI Guard service APIs.

The full list of supported scopes is available in the scopes_supported field of the OAuth 2 authorization server metadata, returned by the /.well-known/oauth-authorization-server endpoint.

Note that permissions to objects accessed via the APIs are enforced by the roles assigned to the client.

object

Empty object

POST /v1beta/oauth/clients/{id}/restrictions
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Create/update client restrictions

POST
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions

Set usage restrictions on an existing client.

endpoint parameters

string

ID of an OAuth 2 client

required parameters

array<object>

string

Alphanumeric-with-underscores restriction identifier

string

Type of restriction (currently only api_usage)

array<object>

List of API routes this restriction applies to

string

The API path suffix to be restricted

string

The Pangea service for the path

integer

Maximum number of calls allowed

  • minimum: 0

object

GET /v1beta/oauth/clients/{id}/restrictions
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Get client restrictions

GET
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions

Fetches detailed information about usage restrictions on the specified client.

endpoint parameters

string

ID of an OAuth 2 client

object
array<object>
integer

Number of calls already made under this restriction

  • minimum: 0

string (date-time)

Timestamp in ISO 8601 format

string

Alphanumeric-with-underscores restriction identifier

string

Type of restriction (currently only api_usage)

array<object>

List of API routes this restriction applies to

string

The API path suffix to be restricted

string

The Pangea service for the path

integer

Maximum number of calls allowed

  • minimum: 0

DELETE /v1beta/oauth/clients/{id}/restrictions
curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

No content

Delete client restrictions

DELETE
https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions

Removes client restrictions.

endpoint parameters

string

ID of an OAuth 2 client

required parameters

array<object>

string

Alphanumeric-with-underscores restriction identifier

  • maxLength: 32

string

Type of restriction (currently only api_usage)

Status Codes
