Skip to main content
POST
https://{tenantDomain}/api/v2
/
clients
/
{client_id}
/
credentials
C#
using Auth0.ManagementApi;
using System.Threading.Tasks;
using Auth0.ManagementApi.Clients;

public partial class Examples
{
    public async Task Example() {
        var client = new ManagementClient(
            token: "<token>"
        );

        await client.Clients.Credentials.CreateAsync(
            clientId: "client_id",
            request: new PostClientCredentialRequestContent {
                CredentialType = ClientCredentialTypeEnum.PublicKey
            }
        );
    }

}
package example

import (
    context "context"

    management "github.com/auth0/go-auth0/management/management"
    client "github.com/auth0/go-auth0/management/management/client"
    clients "github.com/auth0/go-auth0/management/management/clients"
    option "github.com/auth0/go-auth0/management/management/option"
)

func do() {
    client := client.NewClient(
        option.WithToken(
            "<token>",
        ),
    )
    request := &clients.PostClientCredentialRequestContent{
        CredentialType: management.ClientCredentialTypeEnumPublicKey,
    }
    client.Clients.Credentials.Create(
        context.TODO(),
        "client_id",
        request,
    )
}
package com.example.usage;

import com.auth0.client.mgmt.ManagementApi;
import com.auth0.client.mgmt.resources.clients.credentials.requests.PostClientCredentialRequestContent;
import com.auth0.client.mgmt.types.ClientCredentialTypeEnum;

public class Example {
    public static void main(String[] args) {
        ManagementApi client = ManagementApi
            .builder()
            .token("<token>")
            .build();

        client.clients().credentials().create(
            "client_id",
            PostClientCredentialRequestContent
                .builder()
                .credentialType(ClientCredentialTypeEnum.PUBLIC_KEY)
                .build()
        );
    }
}
<?php

namespace Example;

use Auth0\SDK\API\Management\Management;
use Auth0\SDK\API\Management\Clients\Credentials\Requests\PostClientCredentialRequestContent;
use Auth0\SDK\API\Management\Types\ClientCredentialTypeEnum;

$client = new Management(
    token: '<token>',
);
$client->clients->credentials->create(
    'client_id',
    new PostClientCredentialRequestContent([
        'credentialType' => ClientCredentialTypeEnum::PublicKey->value,
    ]),
);
from auth0.management import ManagementClient

client = ManagementClient(
    token="<token>",
)

client.clients.credentials.create(
    client_id="client_id",
    credential_type="public_key",
)
require "auth0"

client = Auth0::Management.new(token: "<token>")

client.clients.credentials.create(
  client_id: "client_id",
  credential_type: "public_key"
)
import { ManagementClient } from "auth0";

async function main() {
    const client = new ManagementClient({
        token: "<token>",
    });
    await client.clients.credentials.create("client_id", {
        credentialType: "public_key",
    });
}
main();
import { ManagementClient } from "auth0";

async function main() {
    const client = new ManagementClient({
        token: "<token>",
    });
    await client.clients.credentials.create("client_id", {
        credentialType: "public_key",
    });
}
main();
curl --request POST \
  --url https://{tenantDomain}/api/v2/clients/{client_id}/credentials \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "",
  "subject_dn": "<string>",
  "pem": "-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBg...\r\n-----END PUBLIC KEY-----\r\n",
  "alg": "RS256",
  "parse_expiry_from_cert": false,
  "expires_at": "2023-02-07T12:40:17.807Z",
  "kid": "<string>"
}
'
{
  "id": "cred_1m7sfABoNTTKYwTQ8qt6tX",
  "name": "",
  "kid": "IZSSTECp...",
  "alg": "RS256",
  "subject_dn": "<string>",
  "thumbprint_sha256": "<string>",
  "created_at": "2023-11-07T05:31:56Z",
  "updated_at": "2023-11-07T05:31:56Z",
  "expires_at": "2023-11-07T05:31:56Z"
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

client_id
string
required

ID of the client.

Body

credential_type
enum<string>
required

The type of credential.

Available options:
public_key,
cert_subject_dn,
x509_cert
name
string
default:""

Friendly name for a credential.

Maximum string length: 128
subject_dn
string

Subject Distinguished Name. Mutually exclusive with pem property. Applies to cert_subject_dn credential type.

Required string length: 1 - 256
pem
string
default:-----BEGIN PUBLIC KEY----- MIIBIjANBg... -----END PUBLIC KEY-----

PEM-formatted public key (SPKI and PKCS1) or X509 certificate. Must be JSON escaped.

alg
enum<string>
default:RS256

Algorithm which will be used with the credential. Can be one of RS256, RS384, PS256. If not specified, RS256 will be used. Applies to public_key credential type.

Available options:
RS256,
RS384,
PS256
parse_expiry_from_cert
boolean
default:false

Parse expiry from x509 certificate. If true, attempts to parse the expiry date from the provided PEM. Applies to public_key credential type.

expires_at
string<date-time>
default:2023-02-07T12:40:17.807Z

The ISO 8601 formatted date representing the expiration of the credential. If not specified (not recommended), the credential never expires. Applies to public_key credential type.

kid
string

Optional kid (Key ID), used to uniquely identify the credential. If not specified, a kid value will be auto-generated. The kid header parameter in JWTs sent by your client should match this value. Valid format is [0-9a-zA-Z-_]{10,64}

Required string length: 10 - 64
Pattern: ^([0-9a-zA-Z-_]{10,64})$

Response

Credential successfully created.

id
string
default:cred_1m7sfABoNTTKYwTQ8qt6tX

ID of the credential. Generated on creation.

name
string
default:""

The name given to the credential by the user.

kid
string
default:IZSSTECp...

The key identifier of the credential, generated on creation.

alg
enum<string>
default:RS256

Algorithm which will be used with the credential. Supported algorithms: RS256,RS384,PS256

Available options:
RS256,
RS384,
PS256
credential_type
enum<string>

The type of credential.

Available options:
public_key,
cert_subject_dn,
x509_cert
subject_dn
string

The X509 certificate's Subject Distinguished Name

thumbprint_sha256
string

The X509 certificate's SHA256 thumbprint

created_at
string<date-time>

The ISO 8601 formatted date the credential was created.

updated_at
string<date-time>

The ISO 8601 formatted date the credential was updated.

expires_at
string<date-time>

The ISO 8601 formatted date representing the expiration of the credential.