The Access tab controls the boundary between "what your tenant allows" and "what this specific application is permitted to use." What you see here depends on the application type — interactive applications get Login Methods; machine-to-machine applications get a capabilities picker.
Login Methods (Web, SPA, and Native applications)
The Login Methods section shows every authentication method that has been enabled at the tenant level, with a checkbox next to each one. The hint text reads: "Control which authentication methods users can use with this application. Currently allowing all configured methods."
Password is always present — it reflects the password-based credential flow and cannot be unchecked as long as password authentication is enabled for the tenant.
Social providers — Google, Microsoft, GitHub, and others you have configured — appear as additional checkboxes. Magic link appears if you have enabled it. Each checkbox maps directly to what users see on the sign-in screen for this application.
A few points worth knowing before you start unchecking:
- Disabling a method here affects only this application's sign-in screen. The method remains active tenant-wide and is still available to other applications.
- If you uncheck everything except Password and a user has only a social account — no password set — they cannot sign in to this application. Think through the user population before removing methods.
- The Allow all connections link at the top of the section re-enables every method in one click, useful if you narrowed the list and want to reset.
What this client can do (M2M applications)
Machine-to-machine applications authenticate as themselves rather than on behalf of a user. Because they call management APIs directly, you control exactly which capabilities they are allowed to request. The What this client can do section shows the picker.
The hint text reads: "Pick only what this integration actually needs. You can change this later."
How the picker works
The left rail lists resource categories — Users, Applications, Tokens, and others. Clicking a category opens its actions in the right pane: checkboxes for Read, Write, Delete, and similar operations depending on the resource. A chip strip at the top of the section shows your current selection as Resource · Action pairs — for example, "Users · Read" or "Applications · Delete" — so you can see the full picture without scrolling the picker.
Saving the changes here defines the ceiling of what this client is allowed to request at the token endpoint. The client can request a subset of what you have enabled here, but it cannot exceed it.
Choosing capabilities with care
Grant only what the integration actually needs right now. A common pattern:
- A read-only reporting integration needs read access to Users and maybe Tokens — nothing else.
- A user-provisioning integration needs write access to Users — not Delete, unless it also deactivates accounts.
- A full-lifecycle management integration may need Read, Write, and Delete across Users and Applications — but this is a wide grant; document why.
Granting Delete access to any resource category means a misconfigured or compromised client can remove production data. If the integration doesn't need Delete today, don't enable it. You can return to this tab and add it later; removing it if you granted it by mistake is equally easy.
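As an added example (not IntelliAuth code and not part of the original page), the following Python reviews capability selections against what each integration is documented to need, and lists every Delete grant so it can be justified. It assumes selections are written as the Resource · Action pairs the chip strip shows; the client names, the `GRANTED` and `NEEDED` data, and the functions `parse_pair` and `review` are hypothetical, and no IntelliAuth API is called.

```python
"""Least-privilege review of M2M capability selections (added example)."""

# Constructed sample data: each client's selection written as the
# "Resource · Action" pairs the chip strip displays, plus the pairs the
# integration owner has documented as needed. Client names are made up.
GRANTED = {
    "reporting-job": ["Users · Read", "Tokens · Read", "Users · Delete"],
    "provisioner": ["Users · Read", "Users · Write"],
    "lifecycle-manager": ["Users · Read", "Users · Write", "Users · Delete",
                          "Applications · Delete"],
}
NEEDED = {
    "reporting-job": ["Users · Read", "Tokens · Read"],
    "provisioner": ["Users · Write"],
    "lifecycle-manager": ["Users · Read", "Users · Write", "Users · Delete",
                          "Applications · Delete"],
}


def parse_pair(chip):
    """Split 'Users · Read' into a normalised ('users', 'read') tuple."""
    resource, sep, action = chip.partition("·")
    if not sep or not resource.strip() or not action.strip():
        raise ValueError(f"not a Resource · Action pair: {chip!r}")
    return resource.strip().lower(), action.strip().lower()


def review(granted, needed):
    """Return findings per client: excess grants, Delete grants, unmet needs."""
    findings = {}
    for client, chips in granted.items():
        have = {parse_pair(c) for c in chips}
        want = {parse_pair(c) for c in needed.get(client, [])}
        findings[client] = {
            # Enabled in the picker but not documented as needed.
            "excess": sorted(have - want),
            # Every Delete grant is listed, even a needed one, so it gets a reason.
            "delete": sorted(p for p in have if p[1] == "delete"),
            # Needed but above the ceiling, so the client cannot request it.
            "missing": sorted(want - have),
        }
    return findings


if __name__ == "__main__":
    for client, f in review(GRANTED, NEEDED).items():
        print(client, f)
```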
Application type summary
| Type | Login Methods | Capabilities picker |
|---|---|---|
| Web | Yes | No |
| SPA | Yes | No |
| Native | Yes | No |
| M2M | No | Yes |
| SAML | No | No |
SAML applications have neither section. The SAML protocol delegates authentication entirely to IntelliAuth as the identity provider — the application does not select login methods, and it does not use the management API directly.