---
title: "Register an OAuth app"
description: "Register an OAuth app in BankSync, generate public or confidential client credentials, manage redirect URIs, and rotate secrets."
section: "API"
canonical: "https://banksync.io/docs/api/registering-an-app"
---

An OAuth app lets a product connect to BankSync on behalf of a user through the standard OAuth 2.1 authorization-code flow, rather than a copy-pasted API key. You register the **app** once (its name, branding, and the scopes it may request), then create one or more **client credentials** under it — a `client_id`, and for confidential clients a `client_secret`. This is the same model as GitHub Apps or Slack apps.

[![Registering an OAuth app: the Apps list in the Developer section, the registration dialog with name, slug, tagline and scopes, uploading a logo, submitting for review, the verified badge, rotating client credentials to reveal the one-time bscs\_ secret, and the connected apps your users see.](https://cdn.banksync.io/videos/oauth-app-registration.poster.02caa98794761883.png)](https://cdn.banksync.io/videos/oauth-app-registration.eabbd11c31d55d9f.mp4)

[Watch: Registering an OAuth app: the Apps list in the Developer section, the registration dialog with name, slug, tagline and scopes, uploading a logo, submitting for review, the verified badge, rotating client credentials to reveal the one-time bscs\_ secret, and the connected apps your users see.](https://cdn.banksync.io/videos/oauth-app-registration.eabbd11c31d55d9f.mp4)

> **Before you start:** You need the Admin or Owner role in the workspace to register or manage apps. Apps you
> register are internal to your workspace until you request verification — they work for your own
> workspace with no review.

## App vs client

- An **app** is the product a user sees on the consent screen: name, logo, description, and verification status.
- A **client** is a set of credentials your software authenticates with. One app can have several clients — for example separate `dev`, `staging`, and `prod` credentials.

## Register an app

**Register an app**

1. **Open Developer settings** — Click your workspace menu, then select Developers, and open the Apps tab.
2. **Start a new app** — Click Create app. The dialog asks for the name, slug, a tagline and description, a category,
   optional tags, and the scopes your app needs.
3. **Name the app** — Enter a Name (shown on the consent screen) and a Slug — lowercase letters, numbers, and
   hyphens, unique across BankSync. The slug is suggested from the name; edit it if you like.
4. **Describe it** — Add a Tagline (a one-line summary shown on cards and the consent header), a longer
   Description, and optional Tags. You can edit all of these later on the Details tab.
5. **Choose scopes** — Under Scopes, toggle the read and write permissions your app needs per resource. Request the
   least you need — the user reviews these when they authorize your app, and can downgrade them.
6. **Create it** — Click Create app. You land on the app's detail page, where you add client credentials and
   branding.

## Create client credentials

**Create a client**

1. **Open the Credentials tab** — On the app detail page, open Credentials and click New client.
2. **Choose a client type** — Pick Confidential for a backend service that can keep a secret, or Public (PKCE) for a
   native app or SPA that cannot. Public clients use PKCE and have no secret.
3. **Add redirect URIs** — Enter one or more exact redirect URIs the authorization server will redirect back to. They
   must match exactly at authorization time.
4. **Create the client** — Click Create client. For a confidential client, the client secret is shown once — copy
   it now and store it securely. BankSync only keeps a hash and the last four characters; the
   secret cannot be retrieved again.

> **The secret is shown once:** A confidential client's secret appears exactly once, at creation and after each rotation. If you
> lose it, rotate the secret to get a new one.

## Rotate a secret

Rotating replaces a client's secret with a new one and shows it once. The **previous secret keeps working for 7 days** so you can roll it out to your servers without downtime. After the grace period the old secret returns `invalid_client`.

To rotate, open the client on the **Credentials** tab and click the rotate control, then copy the new secret.

## Manage redirect URIs

Open a client's **Edit** control under Credentials to add or remove redirect URIs. Each must be a valid `https://` URL (loopback `http://localhost` is allowed for development). Changes take effect immediately.

## Delete an app or client

Deleting a client revokes its active authorizations and refresh tokens. Deleting the whole app removes all of its clients and revokes every grant. Already-issued short-lived access tokens keep working until they expire (up to one hour).

## Next steps

- [API keys](/docs/api/api-keys) — the simpler credential for scripts and CI that your workspace owns.
- [Authentication](/docs/api/authentication) — how the OAuth 2.1 authorization-code + PKCE flow works end to end.
- [MCP overview](/docs/mcp/overview) — connect AI tools to BankSync.
