Skip to main content
POST
https://{tenantDomain}/api/v2
/
clients
/
{client_id}
/
credentials
Go
package example

import (
    context "context"

    management "github.com/auth0/go-auth0/management/management"
    client "github.com/auth0/go-auth0/management/management/client"
    clients "github.com/auth0/go-auth0/management/management/clients"
    option "github.com/auth0/go-auth0/management/management/option"
)

func do() {
    client := client.NewClient(
        option.WithToken(
            "<token>",
        ),
    )
    request := &clients.PostClientCredentialRequestContent{
        CredentialType: management.ClientCredentialTypeEnumPublicKey,
    }
    client.Clients.Credentials.Create(
        context.TODO(),
        "client_id",
        request,
    )
}
import { ManagementClient } from "auth0";

async function main() {
const client = new ManagementClient({
token: "<token>",
});
await client.clients.credentials.create("client_id", {
credentialType: "public_key",
});
}
main();
import { ManagementClient } from "auth0";

async function main() {
const client = new ManagementClient({
token: "<token>",
});
await client.clients.credentials.create("client_id", {
credentialType: "public_key",
});
}
main();
curl --request POST \
--url https://{tenantDomain}/api/v2/clients/{client_id}/credentials \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '
{
"name": "",
"subject_dn": "<string>",
"pem": "-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBg...\r\n-----END PUBLIC KEY-----\r\n",
"alg": "RS256",
"parse_expiry_from_cert": false,
"expires_at": "2023-02-07T12:40:17.807Z",
"kid": "<string>"
}
'
import requests

url = "https://{tenantDomain}/api/v2/clients/{client_id}/credentials"

payload = {
"name": "",
"subject_dn": "<string>",
"pem": "-----BEGIN PUBLIC KEY-----
MIIBIjANBg...
-----END PUBLIC KEY-----
",
"alg": "RS256",
"parse_expiry_from_cert": False,
"expires_at": "2023-02-07T12:40:17.807Z",
"kid": "<string>"
}
headers = {
"Authorization": "Bearer <token>",
"Content-Type": "application/json"
}

response = requests.post(url, json=payload, headers=headers)

print(response.text)
<?php

$curl = curl_init();

curl_setopt_array($curl, [
CURLOPT_URL => "https://{tenantDomain}/api/v2/clients/{client_id}/credentials",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => json_encode([
'name' => '',
'subject_dn' => '<string>',
'pem' => '-----BEGIN PUBLIC KEY-----
MIIBIjANBg...
-----END PUBLIC KEY-----
',
'alg' => 'RS256',
'parse_expiry_from_cert' => false,
'expires_at' => '2023-02-07T12:40:17.807Z',
'kid' => '<string>'
]),
CURLOPT_HTTPHEADER => [
"Authorization: Bearer <token>",
"Content-Type: application/json"
],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
HttpResponse<String> response = Unirest.post("https://{tenantDomain}/api/v2/clients/{client_id}/credentials")
.header("Authorization", "Bearer <token>")
.header("Content-Type", "application/json")
.body("{\n \"name\": \"\",\n \"subject_dn\": \"<string>\",\n \"pem\": \"-----BEGIN PUBLIC KEY-----\\r\\nMIIBIjANBg...\\r\\n-----END PUBLIC KEY-----\\r\\n\",\n \"alg\": \"RS256\",\n \"parse_expiry_from_cert\": false,\n \"expires_at\": \"2023-02-07T12:40:17.807Z\",\n \"kid\": \"<string>\"\n}")
.asString();
require 'uri'
require 'net/http'

url = URI("https://{tenantDomain}/api/v2/clients/{client_id}/credentials")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
request["Authorization"] = 'Bearer <token>'
request["Content-Type"] = 'application/json'
request.body = "{\n \"name\": \"\",\n \"subject_dn\": \"<string>\",\n \"pem\": \"-----BEGIN PUBLIC KEY-----\\r\\nMIIBIjANBg...\\r\\n-----END PUBLIC KEY-----\\r\\n\",\n \"alg\": \"RS256\",\n \"parse_expiry_from_cert\": false,\n \"expires_at\": \"2023-02-07T12:40:17.807Z\",\n \"kid\": \"<string>\"\n}"

response = http.request(request)
puts response.read_body
{
  "id": "cred_1m7sfABoNTTKYwTQ8qt6tX",
  "name": "",
  "kid": "IZSSTECp...",
  "alg": "RS256",
  "subject_dn": "<string>",
  "thumbprint_sha256": "<string>",
  "created_at": "2023-11-07T05:31:56Z",
  "updated_at": "2023-11-07T05:31:56Z",
  "expires_at": "2023-11-07T05:31:56Z"
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

client_id
string
required

ID of the client.

Body

credential_type
enum<string>
required

The type of credential.

Available options:
public_key,
cert_subject_dn,
x509_cert
name
string
default:""

Friendly name for a credential.

Maximum string length: 128
subject_dn
string

Subject Distinguished Name. Mutually exclusive with pem property. Applies to cert_subject_dn credential type.

Required string length: 1 - 256
pem
string
default:-----BEGIN PUBLIC KEY----- MIIBIjANBg... -----END PUBLIC KEY-----

PEM-formatted public key (SPKI and PKCS1) or X509 certificate. Must be JSON escaped.

alg
enum<string>
default:RS256

Algorithm which will be used with the credential. Can be one of RS256, RS384, PS256. If not specified, RS256 will be used. Applies to public_key credential type.

Available options:
RS256,
RS384,
PS256
parse_expiry_from_cert
boolean
default:false

Parse expiry from x509 certificate. If true, attempts to parse the expiry date from the provided PEM. Applies to public_key credential type.

expires_at
string<date-time>
default:2023-02-07T12:40:17.807Z

The ISO 8601 formatted date representing the expiration of the credential. If not specified (not recommended), the credential never expires. Applies to public_key credential type.

kid
string

Optional kid (Key ID), used to uniquely identify the credential. If not specified, a kid value will be auto-generated. The kid header parameter in JWTs sent by your client should match this value. Valid format is [0-9a-zA-Z-_]{10,64}

Required string length: 10 - 64
Pattern: ^([0-9a-zA-Z-_]{10,64})$

Response

Credential successfully created.

id
string
default:cred_1m7sfABoNTTKYwTQ8qt6tX

ID of the credential. Generated on creation.

name
string
default:""

The name given to the credential by the user.

kid
string
default:IZSSTECp...

The key identifier of the credential, generated on creation.

alg
enum<string>
default:RS256

Algorithm which will be used with the credential. Supported algorithms: RS256,RS384,PS256

Available options:
RS256,
RS384,
PS256
credential_type
enum<string>

The type of credential.

Available options:
public_key,
cert_subject_dn,
x509_cert
subject_dn
string

The X509 certificate's Subject Distinguished Name

thumbprint_sha256
string

The X509 certificate's SHA256 thumbprint

created_at
string<date-time>

The ISO 8601 formatted date the credential was created.

updated_at
string<date-time>

The ISO 8601 formatted date the credential was updated.

expires_at
string<date-time>

The ISO 8601 formatted date representing the expiration of the credential.