Delete removes the application from the tenant entirely. It differs from Disable: disable is reversible, delete is not.
How to delete
Application detail → menu (top right) → Delete.
A confirmation modal asks you to type delete (literal lowercase) to confirm. This is the platform's "are you sure" gate.
What gets deleted
- The application record (name, type, configuration).
- The client_id and (if applicable) the client_secret. Both retire permanently — the client_id is never reissued, ever.
- Redirect URIs, allowed origins, allowed scopes, audience, tags.
- SAML configuration if applicable (entity ID, certificates, attribute mappings).
What does NOT get deleted
- The audit log entries about this application. Audit records who-did-what to this application historically, including the deletion event itself. Retention is per-tenant policy (default 365 days).
- User records that signed into this application. Those users live in the Users surface; their sign-in history references the deleted application by id, but the users themselves are unaffected.
- Sessions or tokens already in flight — they continue to validate until they expire on their own (typically minutes for access tokens; days for refresh).
The token-expiry detail is the only "soft tail" of delete. If you need outstanding tokens to be invalidated immediately, you can revoke them via the application's Credentials tab before deleting. Audit log records both the bulk revocation and the subsequent delete.
Disable vs delete — pick one
| | Reversible? | Effect | When to use |
|---|---|---|---|
| Disable | Yes | New tokens refused; existing tokens age out; configuration preserved | You might want to bring this back |
| Delete | No | Application erased; client_id retired forever; configuration gone | You're certain the application is going away |
Default to disable when in doubt. A disabled application is easy to delete next quarter; a deleted application can't be undone.
What happens if a client tries to authenticate against a deleted application?
Token requests return invalid_client. The audit log records each failed attempt with the IP + user agent — useful for finding lingering consumers you thought were torn down.
If the deletion was a mistake, you can register a new application with the same name, but the client_id will be different. Every consumer of the old client_id has to be updated to the new one.
Bulk delete
The application list supports multi-select + bulk delete; see Bulk operations. The confirmation prompt scales — bulk deleting 12 applications asks you to type delete 12 applications (literal).
When to disable before deleting
A safe procedure for taking an application out of service:
- Disable the application.
- Wait — at least the longest token TTL it issued (1 hour to 90 days, depending on configuration).
- Monitor audit for oauth.token_request_failed with error: unauthorized_client — these are stragglers still trying.
- When you see no recent stragglers, delete.
This is the "blue-green for application decommissioning" pattern. Cheap insurance against deleting something that turns out to be still in use somewhere.
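An added example, not part of the platform's documentation or tooling: one way to automate the monitoring step of the procedure above over an exported audit log. The JSON Lines export, the field names (ts, event, error, client_id, ip, user_agent) and the sample records are assumptions constructed for illustration; only the event name oauth.token_request_failed and the error unauthorized_client come from this page.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Field names and values are assumptions for
# illustration, not the platform's documented audit schema.
SAMPLE_AUDIT = """\
{"ts":"2024-05-01T09:05:12Z","event":"oauth.token_request_failed","error":"unauthorized_client","client_id":"app_EXAMPLE","ip":"198.51.100.7","user_agent":"billing-cron/1.4"}
{"ts":"2024-05-03T02:00:01Z","event":"oauth.token_request_failed","error":"unauthorized_client","client_id":"app_EXAMPLE","ip":"198.51.100.7","user_agent":"billing-cron/1.4"}
{"ts":"2024-05-03T02:10:00Z","event":"oauth.token_request_failed","error":"invalid_grant","client_id":"app_EXAMPLE","ip":"203.0.113.9","user_agent":"curl/8.5"}
{"ts":"2024-05-03T03:00:00Z","event":"oauth.token_request_failed","error":"unauthorized_client","client_id":"app_OTHER","ip":"203.0.113.9","user_agent":"curl/8.5"}
"""

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stragglers(jsonl, client_id, since):
    """Group unauthorized_client failures for client_id at or after `since` by caller."""
    seen = defaultdict(lambda: {"count": 0, "last_seen": None})
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if (rec.get("event") != "oauth.token_request_failed"
                or rec.get("error") != "unauthorized_client"
                or rec.get("client_id") != client_id):
            continue
        ts = parse_ts(rec["ts"])
        if ts < since:
            continue
        entry = seen[(rec.get("ip"), rec.get("user_agent"))]
        entry["count"] += 1
        entry["last_seen"] = max(ts, entry["last_seen"] or ts)
    return dict(seen)

def safe_to_delete(jsonl, client_id, disabled_at, longest_ttl, quiet, now):
    """True only if the longest TTL has elapsed and no straggler was seen within `quiet`."""
    if now - disabled_at < longest_ttl:
        return False
    return not stragglers(jsonl, client_id, now - quiet)

if __name__ == "__main__":
    disabled = parse_ts("2024-05-01T09:00:00Z")
    now = parse_ts("2024-05-03T12:00:00Z")
    for caller, info in stragglers(SAMPLE_AUDIT, "app_EXAMPLE", disabled).items():
        print(caller, info["count"], info["last_seen"].isoformat())
    print(safe_to_delete(SAMPLE_AUDIT, "app_EXAMPLE", disabled, timedelta(hours=1), timedelta(days=1), now))
```

Grouping by IP and user agent gives one row per lingering consumer, which is the list of owners to contact before the delete.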