Service & Management Client API Reference
Manage your Pangea API Clients through the Access APIs
Base URL
authorization.access.<csp>.<region>.pangea.cloud
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/.well-known/oauth-authorization-server' \
-H 'Content-Type: application/json'
Response
Get OAuth 2 server metadata
Retrieve OAuth 2 Authorization Server Metadata, including supported grant types, scope values, endpoint URLs, and client authentication methods. This metadata is used by clients for dynamic discovery and integration.
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'
Response
Get access token
Request an access token to authorize API calls to Pangea service and management APIs.
Use the OAuth 2 Client Credentials grant by providing the client ID and secret in the Authorization header or request body. The token is issued based on the client's assigned scope and roles.
You can optionally limit the token's scope by specifying a space-delimited list of allowed values.
For details on managing API credentials, see the documentation for Organization and Project Management APIs.
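The token request described above, as an added example (not Pangea's own code): it builds, without sending, the Client Credentials request with the client ID and secret in the Authorization header and an optional narrowed scope. The `grant_type` and `scope` form parameter names follow RFC 6749 and are assumptions here, as are the function names and the `assigned_scope` argument.

```python
import base64
import re
from urllib.parse import urlencode
from urllib.request import Request

_LABEL = re.compile(r"[a-z0-9-]+")  # one DNS label: no '.', '/' or '@'


def token_url(csp, region):
    # Base URL pattern from this page: authorization.access.<csp>.<region>.pangea.cloud
    for label in (csp, region):
        if not _LABEL.fullmatch(label):
            # A crafted value such as "us.example/x" would change the host
            # that receives the client secret, so reject it outright.
            raise ValueError(f"invalid host label: {label!r}")
    return f"https://authorization.access.{csp}.{region}.pangea.cloud/v1beta/oauth/token"


def build_token_request(csp, region, client_id, client_secret,
                        assigned_scope, requested_scope=None):
    """Return an unsent urllib Request for the Client Credentials grant."""
    if not client_id or not client_secret:
        raise ValueError("client ID and secret are both required")
    if ":" in client_id:
        # Basic auth is split at the first ':', so a colon in the ID would
        # move part of the ID into the secret when the server parses it.
        raise ValueError("client ID must not contain ':'")

    # Parameter names per RFC 6749 (assumed, not shown on the page).
    form = {"grant_type": "client_credentials"}
    if requested_scope is not None:
        wanted = requested_scope.split()
        extra = sorted(set(wanted) - set(assigned_scope.split()))
        if not wanted or extra:
            # Narrowing can only remove values the client already holds.
            raise ValueError(f"cannot narrow token to {extra or 'an empty scope'}")
        form["scope"] = " ".join(wanted)  # space-delimited, as the page states

    credential = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8"))
    return Request(
        token_url(csp, region),
        data=urlencode(form).encode("ascii"),
        headers={
            "Authorization": "Basic " + credential.decode("ascii"),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
```

Pass the returned object to `urllib.request.urlopen` to send it; requesting only the scope a job needs keeps a leaked token from carrying the client's full access.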
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/revoke' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'
Response
Revoke token
Invalidate a token so it can no longer be used to authorize API requests. A client must authenticate and may only revoke tokens that were issued to it.
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/introspect' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'
Response
Introspect token
Check whether a token is active and retrieve its metadata.
Clients can optionally use this endpoint to verify tokens issued to them before calling Pangea APIs.
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/register' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'
Response
Register client
Create a new OAuth 2 client registration to access Pangea APIs. Specify metadata such as name, scope, authentication method, and token lifetimes. To authorize access to specific resource types, assign roles to the client.
Both scope and roles are required to grant full access: scopes define which API routes the client can call, while roles define object-level permissions.
For example, the scope pangea:service:ai-guard:read permits access to AI Guard endpoints, but the client must also be assigned a corresponding role such as:
{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}
Scope and roles can be granted during client registration via the /v1beta/oauth/clients/register endpoint, and updated later using /v1beta/oauth/clients/{id}/grant.
Learn more in the documentation for registering organization and project management clients, as well as service API clients.
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'
Response
List clients
Retrieve a paginated list of OAuth 2 clients. Project clients can view only clients within the project, while organization clients can view all clients across the organization's projects.
Filter by name, ID, scope, and timestamps to audit or manage client registrations.
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'
Response
Get client details
Fetch metadata for a specific OAuth 2 client by its ID. Returns information such as client identity, scope, parent, authentication method, and other metadata.
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'
Response
Update client configuration
Update the configuration of an existing OAuth 2 client registration. Modify fields such as name, scope, authentication method, and other client metadata.
curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'
Response
No content
Delete client
Delete an OAuth 2 client registration by ID and revoke all tokens issued to the client.
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'
Response
Create a new client secret
Generate a new secret for an existing OAuth 2 client. The response includes the secret, which can be used for client authentication, along with its metadata.
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/metadata' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'
Response
List client secret metadata
Retrieve metadata for all secrets associated with a specific OAuth 2 client.
Secret values are not returned. To retrieve a secret value, use the Vault APIs with the vault_item_id included in the response.
curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'
Response
No content
Revoke client secret
Invalidate a specific client secret to prevent it from being used for future authentication and token requests.
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'
Response
Update client secret metadata
Update metadata for a specific client secret, such as its name, description, or expiration time. This operation does not change the secret value.
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/roles' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'
Response
List client roles
Retrieve roles assigned to a specific OAuth 2 client, optionally filtered by resource type and role properties. Roles define object-level access to organization or project resources and service configurations.
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/grant' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'
Response
Grant access to client
Assign scope and roles to a specific OAuth 2 client to authorize access to specific operations and resources.
Scope controls which API routes the client can call, while roles define object-level permissions to organization or project resources or service configurations.
For example, the scope pangea:service:ai-guard:read permits access to AI Guard endpoints, but the client must also be assigned a corresponding role such as:
{
  "type": "service_ai_guard_config",
  "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai",
  "role": "manager"
}
Scope and roles can be granted during client registration via the /v1beta/oauth/clients/register endpoint, and updated later using /v1beta/oauth/clients/{id}/grant.
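An added audit sketch (not Pangea's code) for the scope-plus-roles rule stated under both Register client and Grant access to client: it flags clients whose scope has no backing role, or whose roles have no matching scope. The client record field names `scope` and `roles` and all function names are assumptions; the scope-to-role-type map is supplied by the caller and contains only the one pairing the page shows.

```python
def audit_client_access(client, scope_to_role_type):
    """Return (finding, subject) pairs where scope and roles do not line up.

    client: dict with "scope" (space-delimited string) and "roles" (list of
            {"type", "id", "role"} objects); both field names are assumed.
    scope_to_role_type: caller-supplied map from a scope value to the role
            type that carries its object-level permission.
    """
    scopes = client.get("scope", "").split()
    roles = client.get("roles", [])
    held_types = {r["type"] for r in roles}
    findings = []

    for scope in scopes:
        needed = scope_to_role_type.get(scope)
        if needed is None:
            # Not in the map: cannot be judged automatically, review by hand.
            findings.append(("unmapped_scope", scope))
        elif needed not in held_types:
            # The route is callable, but no object-level permission backs it.
            findings.append(("scope_without_role", scope))

    backed = {scope_to_role_type[s] for s in scopes if s in scope_to_role_type}
    for role in roles:
        if role["type"] not in backed:
            # Standing object permission with no route that can exercise it.
            findings.append(("role_without_scope", f'{role["type"]}/{role["id"]}'))
    return findings


# The only scope/role pairing shown on the page; extend it from your own grants.
SCOPE_TO_ROLE_TYPE = {"pangea:service:ai-guard:read": "service_ai_guard_config"}

# Constructed client records; the role object is the page's example.
PAGE_ROLE = {"type": "service_ai_guard_config",
             "id": "pci_jhoyo5zqveqx632vaou4j6sdhswvvaai", "role": "manager"}
CLIENTS = {
    "complete": {"scope": "pangea:service:ai-guard:read", "roles": [PAGE_ROLE]},
    "scope-only": {"scope": "pangea:service:ai-guard:read", "roles": []},
    "role-only": {"scope": "", "roles": [PAGE_ROLE]},
}


def audit_all(clients=CLIENTS, mapping=SCOPE_TO_ROLE_TYPE):
    return {name: audit_client_access(c, mapping) for name, c in clients.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```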
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/revoke' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'
Response
Revoke access from client
Remove previously granted scopes and roles from a specific OAuth 2 client to reduce or revoke its access. Use this to limit access to APIs or resources without deleting the client.
curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'
Response
Create/update client restrictions
Set usage restrictions on an existing client.
curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'
Response
Get client restrictions
Fetches detailed information about usage restrictions on the specified client.
curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/restrictions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'
Response
No content
Delete client restrictions
Removes client restrictions.
Status Codes