The Credentials tab is the first stop for any developer integrating against an application. Everything needed to wire up an OIDC library or call the token endpoint is here — read-only values to copy, a secret to protect, and runnable code snippets to get moving.
/screenshots/admin.applications.credentials/tab.png Integration Endpoints
Section titled “Integration Endpoints”The Integration Endpoints section groups the three values a developer needs before writing a single line of code.
OIDC Discovery URL
Section titled “OIDC Discovery URL”The OIDC Discovery URL is a single address that hands back every protocol endpoint your OIDC library needs — the authorization endpoint, the token endpoint, the JWKS public keys, supported grant types, and more. Pointing a compliant OIDC client library at this URL is typically all the configuration it requires; the library fetches the rest automatically.
The URL follows the pattern {issuerUrl}/.well-known/openid-configuration. It appears as a highlighted card at the top of the section with a copy button alongside it. Use that button — a stray space or line break will cause hard-to-diagnose failures.
Client ID
Section titled “Client ID”The Client ID is the stable identifier for this application inside the OAuth/OIDC protocol. It tells the authorization server which application is making the request. Unlike a secret, the Client ID is safe to include in browser-side code, mobile bundles, and public repositories — it is an identifier, not a credential.
The Client ID is immutable. Once an application is created its Client ID never changes, so you can safely hard-code it in your configuration files or CI pipelines.
Issuer URL
Section titled “Issuer URL”The Issuer URL is the iss claim value that IntelliAuth stamps into every token it issues for this tenant. It also forms the base of the Discovery URL: appending /.well-known/openid-configuration to the Issuer URL gives you the discovery address. Most JWT verification libraries require the Issuer URL to validate the iss claim, so copy it from here rather than constructing it by hand.
Client Secret
Section titled “Client Secret”SPA and Native applications use PKCE instead of a client secret and do not have this section. PKCE is the correct pattern for apps that cannot keep a secret — it does not require a secret at all.
The Client Secret is the credential that lets a server-side application prove its identity at the token endpoint. It is shown masked — •••••••••••••••••••••••••••••••• — because a plaintext display after the initial setup moment is a leak waiting to happen.
Rotating the secret
Section titled “Rotating the secret”Rotate the secret whenever it may have been exposed: leaked via a log, accidentally committed, or shared across environments. Click Rotate to start. IntelliAuth opens a two-step modal:
- Confirm — a short explanation of what rotation does and a prompt to continue.
- Copy — the new plaintext secret appears once. Check I have copied this secret to acknowledge you have it somewhere safe, then close the modal.
The old secret is invalidated immediately on confirmation. There is no grace window where both secrets work in parallel.
/screenshots/admin.applications.credentials/rotate-modal.png After the modal closes, the display returns to the masked state and the new secret is never shown again. Any in-flight token exchange that uses the old secret will fail with an authentication error at the token endpoint.
Do not rotate during the same change window as a deploy. The safe sequence is: rotate the secret, paste the new value into your secrets manager (AWS Secrets Manager, HashiCorp Vault, a k8s Secret, or equivalent), confirm it propagated, then deploy. Combining rotation and deploy in one step means a failed deploy leaves your application with no working secret.
Quick Start
Section titled “Quick Start”The Quick Start section shows runnable code for the frameworks your team is most likely using. Tabs across the top let you switch between React, Node.js, cURL, and others. Each snippet is pre-seeded with this application's actual Client ID, Issuer URL, and the first callback URL you configured — copy and run without editing the values.
For the full annotated walkthrough of each language tab, see Quick Start snippets.