Skip to main content

Service & Management Client API Reference

Manage your Pangea API Clients through the Access APIs

Base URL

authorization.access.<csp>.<region>.pangea.cloud

OpenAPI Specification

get/.well-known/oauth-authorization-server

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/.well-known/oauth-authorization-server' \
-H 'Content-Type: application/json'

Response

Raw Output

Get OAuth Authorization Server Metadata

GET

https://authorization.access.aws.us.pangea.cloud/.well-known/oauth-authorization-server

Provides OAuth 2.0 Authorization Server metadata, including supported grant types, token endpoints, and other relevant discovery information.

post/v1beta/oauth/token

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Raw Output

Get Access Token

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token

Exchanges valid client credentials (client_id and client_secret) for an access token using the client_credentials grant type.

grant_type

string

The type of grant. Currently limited to 'client_credentials' support only.

grant_type

Client ID

Client Secret

client_id

string

An ID for a service account

client_secret

An secret for an API Client

scope

string

A list of space separated scopes. Examples include "scope": "pangea:service:ai-guard:read pangea:service:redact:read" for granting AI Guard & Redact API access. The actual service configurations the client has access to for those services is dictated through roles.

Client ID

Client Secret

object

access_token

string

The access token issued by the authorization server.

token_type

string

The type of the token issued. Typically 'Bearer'.

expires_in

integer

The lifetime in seconds of the access token.

post/v1beta/oauth/token/revoke

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/revoke' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Raw Output

Revoke Access Token

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/revoke

Revokes a previously issued token, preventing any further use for protected resource access.

token

string

A token value

Client ID

Client Secret

object

success

boolean

Indicates if the token was successfully revoked..

post/v1beta/oauth/token/introspect

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/introspect' \
-H 'Authorization: Basic base64<clientId:clientSecret>' \
-H 'Content-Type: application/x-www-form-urlencoded'

Response

Raw Output

Introspect Access or Refresh Token

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/token/introspect

Checks an access token or refresh token to determine if it is active, and retrieves additional metadata such as expiry and associated scopes.

token

string

Access token

token

Client ID

Client Secret

token_type_hint

string

A hint about the type of the token submitted for revocation.

token_type_hint

Client ID

Client Secret

object

active

boolean

Indicates whether the token is active

scope

string

A space-separated list of scopes associated with this token

client_id

string

Client identifier for the OAuth 2.0 client that requested this token

username

string

Username of the resource owner who authorized this token

token_type

string

Type of the token, e.g., 'access_token'

exp

integer

Timestamp when the token expires

iat

integer

Timestamp when the token was issued

nbf

integer

Timestamp when the token is not to be used before

sub

string

Subject of the token

aud

array<string>

Audience for the token

iss

string

Issuer of the token

jti

string

JWT ID, a unique identifier for the token

post/v1beta/oauth/clients/register

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/register' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

Create Platform Client

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/register

Registers a new OAuth client with the authorization server by specifying client information such as name, grant types, and scopes. Note that scopes define which API routes the client can access, while roles define object-level permissions. For example, a scope like 'pangea:service:ai-guard:read' may allow calling AI Guard endpoints, but the client also needs a corresponding role (e.g., 'type:service_ai_guard_config,role:manager') to be fully authorized. Both scopes and roles must be granted to ensure the client has complete access to the intended resources.

client_name

string

client_name

scope

string

A list of space separated scopes. Examples include "scope": "pangea:service:ai-guard:read pangea:service:redact:read" for granting AI Guard & Redact API access. The actual service configurations the client has access to for those services is dictated through roles.

token_endpoint_auth_method

string

The authentication method for the token endpoint.

token_endpoint_auth_method

redirect_uris

array<string>

A list of allowed redirect URIs for the client.

redirect_uris

grant_types

array<string>

A list of OAuth grant types that the client can use.

grant_types

response_types

array,null<string,null>

A list of OAuth response types that the client can use.

response_types

client_secret_expires_in

integer, null

A positive time duration in seconds or null

client_secret_expires_in

client_token_expires_in

integer, null

A positive time duration in seconds or null

client_token_expires_in

client_secret_name

string

client_secret_name

client_secret_description

string

client_secret_description

roles

array<object>

A list of roles. Roles are required to grant object access to clients, while client scopes dictate which API routes the clients may access. An example role: { "type": "service_ai_guard_config", "id": "pci_xxx", "role": "manager" }.

roles

role

string

The specific role being assigned to a client. Examples include 'manager' for service configurations or 'admin' for projects.

role

type

string

The role resource type. Examples include 'organization', 'project', or 'service_{snake_case(service)}_config'.

type

id

The role resource id for the specified type. Examples include the id of an organization, project, or service_config.

object

API Client information with initial secret

client_id

string

An ID for a service account

created_at

string (date-time)

A time in ISO-8601 format

updated_at

string (date-time)

A time in ISO-8601 format

client_name

string

scope

string

A list of space separated scopes. Examples include "scope": "pangea:service:ai-guard:read pangea:service:redact:read" for granting AI Guard & Redact API access. The actual service configurations the client has access to for those services is dictated through roles.

token_endpoint_auth_method

string

The authentication method for the token endpoint.

redirect_uris

array<string>

A list of allowed redirect URIs for the client.

grant_types

array<string>

A list of OAuth grant types that the client can use.

response_types

array,null<string,null>

A list of OAuth response types that the client can use.

client_token_expires_in

integer, null

A positive time duration in seconds or null

owner_id

owner_username

string

creator_id

client_class

string

client_secret

An secret for an API Client

client_secret_expires_at

string (date-time)

A time in ISO-8601 format

client_secret_name

string

client_secret_description

string

get/v1beta/oauth/clients

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

List platform clients

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients

Retrieves a paginated list of registered OAuth clients, with optional filters for name, client_id, and creation or update time.

created_at

string (date-time)

created_at

created_at__gt

string (date-time)

created_at__gt

created_at__gte

string (date-time)

created_at__gte

created_at__lt

string (date-time)

created_at__lt

created_at__lte

string (date-time)

created_at__lte

client_id

string

client_id

client_id__contains

array<string>

client_id__contains

client_id__in

array<string>

client_id__in

client_name

string

client_name

client_name__contains

array<string>

client_name__contains

client_name__in

array<string>

client_name__in

scopes

array<string>

scopes

updated_at

string (date-time)

updated_at

updated_at__gt

string (date-time)

updated_at__gt

updated_at__gte

string (date-time)

updated_at__gte

updated_at__lt

string (date-time)

updated_at__lt

updated_at__lte

string (date-time)

updated_at__lte

last

string

last

order

string

order

order_by

string

order_by

size

integer

minimum: 1

size

get/v1beta/oauth/clients/{id}

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

Get Platform Client

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Fetches detailed information about a specific OAuth client by its unique identifier.

id

string

id

object

API Client information

client_id

string

An ID for a service account

created_at

string (date-time)

A time in ISO-8601 format

updated_at

string (date-time)

A time in ISO-8601 format

client_name

string

scope

string

A list of space separated scopes. Examples include "scope": "pangea:service:ai-guard:read pangea:service:redact:read" for granting AI Guard & Redact API access. The actual service configurations the client has access to for those services is dictated through roles.

token_endpoint_auth_method

string

The authentication method for the token endpoint.

redirect_uris

array<string>

A list of allowed redirect URIs for the client.

grant_types

array<string>

A list of OAuth grant types that the client can use.

response_types

array,null<string,null>

A list of OAuth response types that the client can use.

client_token_expires_in

integer, null

A positive time duration in seconds or null

owner_id

owner_username

string

creator_id

client_class

string

post/v1beta/oauth/clients/{id}

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

Update Platform Client

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Updates an existing OAuth client's configuration, such as grant types, redirect URIs, or scope.

id

string

id

client_id

string

An ID for a service account

scope

string

A list of space separated scopes. Examples include "scope": "pangea:service:ai-guard:read pangea:service:redact:read" for granting AI Guard & Redact API access. The actual service configurations the client has access to for those services is dictated through roles.

client_name

string

client_name

token_endpoint_auth_method

string

The authentication method for the token endpoint.

token_endpoint_auth_method

redirect_uris

array<string>

A list of allowed redirect URIs for the client.

redirect_uris

response_types

array,null<string,null>

A list of OAuth response types that the client can use.

response_types

grant_types

array<string>

A list of OAuth grant types that the client can use.

grant_types

object

API Client information

client_id

string

An ID for a service account

created_at

string (date-time)

A time in ISO-8601 format

updated_at

string (date-time)

A time in ISO-8601 format

client_name

string

scope

string

A list of space separated scopes. Examples include "scope": "pangea:service:ai-guard:read pangea:service:redact:read" for granting AI Guard & Redact API access. The actual service configurations the client has access to for those services is dictated through roles.

token_endpoint_auth_method

string

The authentication method for the token endpoint.

redirect_uris

array<string>

A list of allowed redirect URIs for the client.

grant_types

array<string>

A list of OAuth grant types that the client can use.

response_types

array,null<string,null>

A list of OAuth response types that the client can use.

client_token_expires_in

integer, null

A positive time duration in seconds or null

owner_id

owner_username

string

creator_id

client_class

string

delete/v1beta/oauth/clients/{id}

curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

No content

Delete Platform Client

DELETE

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}

Removes an OAuth client and invalidates any tokens issued to it.

id

string

id

post/v1beta/oauth/clients/{id}/secrets

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

Create Client Secret

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets

Generates and returns a new client secret for an existing OAuth client, typically used for client authentication.

id

string

id

client_secret_expires_in

integer

A positive time duration in seconds

exclusiveMinimum: 0

client_secret_expires_in

client_secret_name

string

client_secret_name

client_secret_description

string

client_secret_description

object

client_id

string

An ID for a service account

client_secret_id

string

An ID for an API Client secret

client_secret

An secret for an API Client

client_secret_expires_at

string (date-time)

A time in ISO-8601 format

client_secret_name

string

client_secret_description

string

get/v1beta/oauth/clients/{id}/secrets/metadata

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/metadata' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

List Client Secret Metadata

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/metadata

Retrieves metadata for all secrets associated with the specified OAuth client, including creation time, name, and expiration.

id

string

id

created_at

string (date-time)

created_at

created_at__gt

string (date-time)

created_at__gt

created_at__gte

string (date-time)

created_at__gte

created_at__lt

string (date-time)

created_at__lt

created_at__lte

string (date-time)

created_at__lte

client_secret_name

string

client_secret_name

client_secret_name__contains

array<string>

client_secret_name__contains

client_secret_name__in

array<string>

client_secret_name__in

last

string

last

order

string

order

order_by

string

order_by

size

integer

minimum: 1

size

delete/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

curl -sSLX DELETE 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

No content

Revoke Client Secret

DELETE

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

Invalidates a specific client secret, preventing its further use for token requests.

id

string

id

client_secret_id

string

client_secret_id

post/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

Update Client Secret

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/secrets/{client_secret_id}

Modifies metadata for an existing client secret, such as its expiration or descriptive fields.

id

string

id

client_secret_id

string

client_secret_id

client_secret_expires_in

integer

A positive time duration in seconds

exclusiveMinimum: 0

client_secret_expires_in

client_secret_name

string

client_secret_name

client_secret_description

string

client_secret_description

object

client_id

string

An ID for a service account

client_secret_id

string

An ID for an API Client secret

client_secret

An secret for an API Client

client_secret_expires_at

string (date-time)

A time in ISO-8601 format

client_secret_name

string

client_secret_description

string

get/v1beta/oauth/clients/{id}/roles

curl -sSLX GET 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/roles' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json'

Response

Raw Output

List Client Roles

GET

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/roles

Retrieves roles currently assigned to a particular OAuth client, optionally filtered by resource type or role name.

id

string

id

resource_type

string

resource_type

resource_id

string

resource_id

role

string

role

post/v1beta/oauth/clients/{id}/grant

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/grant' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

Grant Client Access

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/grant

Assigns or updates roles and scopes to extend the client’s permissions for accessing specific resources or operations.

id

string

id

roles

array<object>

A list of roles. Roles are required to grant object access to clients, while client scopes dictate which API routes the clients may access. An example role: { "type": "service_ai_guard_config", "id": "pci_xxx", "role": "manager" }.

roles

role

string

The specific role being assigned to a client. Examples include 'manager' for service configurations or 'admin' for projects.

role

type

string

The role resource type. Examples include 'organization', 'project', or 'service_{snake_case(service)}_config'.

type

id

The role resource id for the specified type. Examples include the id of an organization, project, or service_config.

scope

string

A list of space separated scopes. Examples include "scope": "pangea:service:ai-guard:read pangea:service:redact:read" for granting AI Guard & Redact API access. The actual service configurations the client has access to for those services is dictated through roles.

object

post/v1beta/oauth/clients/{id}/revoke

curl -sSLX POST 'https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/revoke' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Response

Raw Output

Revoke Client Access

POST

https://authorization.access.aws.us.pangea.cloud/v1beta/oauth/clients/{id}/revoke

Removes previously assigned roles or scopes from the specified OAuth client, reducing or revoking its permissions.

id

string

id

roles

array<object>

A list of roles. Roles are required to grant object access to clients, while client scopes dictate which API routes the clients may access. An example role: { "type": "service_ai_guard_config", "id": "pci_xxx", "role": "manager" }.

roles

role

string

The specific role being assigned to a client. Examples include 'manager' for service configurations or 'admin' for projects.

role

type

string

The role resource type. Examples include 'organization', 'project', or 'service_{snake_case(service)}_config'.

type

id

The role resource id for the specified type. Examples include the id of an organization, project, or service_config.

scope

string

A list of space separated scopes. Examples include "scope": "pangea:service:ai-guard:read pangea:service:redact:read" for granting AI Guard & Redact API access. The actual service configurations the client has access to for those services is dictated through roles.

object

Status Codes

Was this article helpful?