Register an OAuth app
Register an OAuth app in BankSync, generate public or confidential client credentials, manage redirect URIs, and rotate secrets.
3 min read
On this page
An OAuth app lets a product connect to BankSync on behalf of a user through the standard OAuth 2.1 authorization-code flow, rather than a copy-pasted API key. You register the app once (its name, branding, and the scopes it may request), then create one or more client credentials under it — a client_id, and for confidential clients a client_secret. This is the same model as GitHub Apps or Slack apps.
Before you start
You need the Admin or Owner role in the workspace to register or manage apps. Apps you register are internal to your workspace until you request verification — they work for your own workspace with no review.
App vs client#
- An app is the product a user sees on the consent screen: name, logo, description, and verification status.
- A client is a set of credentials your software authenticates with. One app can have several clients — for example separate
dev,staging, andprodcredentials.
Register an app#
Register an app
Open Developer settings
Click your workspace menu, then select Developers, and open the Apps tab.
Start a new app
Click Create app. The dialog asks for the name, slug, a tagline and description, a category, optional tags, and the scopes your app needs.
Name the app
Enter a Name (shown on the consent screen) and a Slug — lowercase letters, numbers, and hyphens, unique across BankSync. The slug is suggested from the name; edit it if you like.
Describe it
Add a Tagline (a one-line summary shown on cards and the consent header), a longer Description, and optional Tags. You can edit all of these later on the Details tab.
Choose scopes
Under Scopes, toggle the read and write permissions your app needs per resource. Request the least you need — the user reviews these when they authorize your app, and can downgrade them.
Create it
Click Create app. You land on the app's detail page, where you add client credentials and branding.
Create client credentials#
Create a client
Open the Credentials tab
On the app detail page, open Credentials and click New client.
Choose a client type
Pick Confidential for a backend service that can keep a secret, or Public (PKCE) for a native app or SPA that cannot. Public clients use PKCE and have no secret.
Add redirect URIs
Enter one or more exact redirect URIs the authorization server will redirect back to. They must match exactly at authorization time.
Create the client
Click Create client. For a confidential client, the client secret is shown once — copy it now and store it securely. BankSync only keeps a hash and the last four characters; the secret cannot be retrieved again.
The secret is shown once
A confidential client's secret appears exactly once, at creation and after each rotation. If you lose it, rotate the secret to get a new one.
Rotate a secret#
Rotating replaces a client's secret with a new one and shows it once. The previous secret keeps working for 7 days so you can roll it out to your servers without downtime. After the grace period the old secret returns invalid_client.
To rotate, open the client on the Credentials tab and click the rotate control, then copy the new secret.
Manage redirect URIs#
Open a client's Edit control under Credentials to add or remove redirect URIs. Each must be a valid https:// URL (loopback http://localhost is allowed for development). Changes take effect immediately.
Delete an app or client#
Deleting a client revokes its active authorizations and refresh tokens. Deleting the whole app removes all of its clients and revokes every grant. Already-issued short-lived access tokens keep working until they expire (up to one hour).
Next steps#
- API keys — the simpler credential for scripts and CI that your workspace owns.
- Authentication — how the OAuth 2.1 authorization-code + PKCE flow works end to end.
- MCP overview — connect AI tools to BankSync.
Use this page with your AI assistant
Every BankSync doc is available as plain Markdown for agents and LLMs.