API clients
Manage API clients to authenticate API request
API credentials securely authenticates your application with IDnow. You can manage multiple clients and their credentials in the IDnow dashboard.
Each API client has a Client ID and a Client secret. Never share client secrets or store them in version control.
Manage clients
- Log in to the IDnow dashboard at Loading....
- Go to Settings > Developer > API clients.
Create client
- Select New API client.
- Enter a descriptive name.
- Select an environment (Live or Staging). The environment cannot be changed after creation.
- Select Create API client.
Add allowed redirect URLs (optional)
To automatically redirect users at the end of a session when using this API client, you can configure one or more Allowed redirect URLs.
When a session is created via the Create a Session API call, the optional redirectUrl value provided in that call must be present in this allowlist. If it isn’t, the redirectUrl is rejected and won’t be stored/used for the session completion redirect.
- Each URL must match exactly — wildcards are not supported.
- Each redirect URL must be a fully qualified URI and include a valid scheme. HTTPS (
https://) and app deep links (e.g.myapp://) are accepted. Plain HTTP (http://) is not allowed.
Validation rules
- Invalid URLs / deep links are rejected.
- Duplicate URLs are rejected.
Save API client details
- Copy Client ID and Client secret securely.
- Confirm you have saved them.
Copy the client secret now. You won't see it again. If you lose the secret, create a new API client and delete the old one.
Edit client
- Find your API client, select View details.
- Edit the name or allowed redirect URLs as needed.
- Select Save changes.
'Client ID' and environment cannot be changed.
Delete client
- Find your API client and select the delete icon.
- Confirm deletion in the dialog.
This action cannot be undone. The client's access is immediately revoked. Update or disable all apps using this client before deleting.
Security best practices
- Never share secrets.
- Don't store secrets in version control.
- Use environment variables or secure storage.
- Grant minimum permissions.
- Remove unused clients.
- Use separate clients for each environment.
- Rotate credentials by creating a new client, updating your apps, then deleting the old client.