{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-apis/platform/iam/sidebars.yaml","oas-apis/platform/iam/openapi/iam-openapi.json":"oas-apis/platform/iam/openapi/iam-openapi.json"},"props":{"metadata":{"markdoc":{"tagList":["openapi-code-sample","admonition"]},"type":"markdown"},"seo":{"title":"Create a Service Client","keywords":"documentation, api, portal, banking, payment, account information, aritma, psd2, open banking, reconciliation","description":"Developer documentation for Aritma's banking and financial APIs - payments, account information, webhooks, authentication and integrations.","meta":[{"name":"google-site-verification","content":"hplqlK_5O42BZjNnjtVQMEpxv9JkxcD1eH4J1T-NQmI"}],"llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":["openapi"],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"create-a-service-client","__idx":0},"children":["Create a Service Client"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A backend service — such as a scheduled job or ERP integration — needs to call Aritma APIs without a human user. 
You need to give it scoped, revocable credentials."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approach:"]}," Create an OIDC client, add a secret, then grant it access via a policy."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":1},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["An access token with IAM admin permissions"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A configured tenant"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The scope URI for the resource you want the client to access"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-1-create-the-client","__idx":2},"children":["Step 1: Create the client"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"CreateClient","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["allowedGrantTypes: [\"client_credentials\"]"]}," and an empty ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["redirectUris"]}," array for service accounts."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-2-add-a-secret","__idx":3},"children":["Step 2: Add a secret"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"CreateClientSecret","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Save the 
secret"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Store the returned ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["value"]}," immediately — it is only shown once and cannot be retrieved again. Keep it in a secrets manager or an equivalent protected store, and never commit it to source control or write it to logs."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-3-get-the-clients-subject-id","__idx":4},"children":["Step 3: Get the client's subject ID"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"GetClientSubjects","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Note the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subjectId"]}," from the response — you will use it as the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subject"]}," in the policy."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-4-grant-the-client-permissions","__idx":5},"children":["Step 4: Grant the client permissions"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"CreatePolicy","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use the client's ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subjectId"]}," as the policy ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subject"]},". 
The client can now exchange its credentials for an access token and call the API within the granted scope."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"rotate-credentials-without-downtime","__idx":6},"children":["Rotate credentials without downtime"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When you need to rotate the secret, add a new secret first, update your service to use it, verify it works, then delete the old one. This ensures the service is never without valid credentials during the rotation."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["See ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/clients/overview#secret-rotation"},"children":["OIDC Clients"]}," for the full rotation procedure."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"next-steps","__idx":7},"children":["Next steps"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["To update the client configuration, see ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/clients/overview"},"children":["OIDC Clients"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["To view what the client can access, use ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/clients/overview#get-client-permissions"},"children":["Get client permissions"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["To revoke all access, delete the policy or the client"]}]}]},"headings":[{"value":"Create a Service Client","id":"create-a-service-client","depth":1},{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"Step 1: Create the client","id":"step-1-create-the-client","depth":2},{"value":"Step 2: Add a secret","id":"step-2-add-a-secret","depth":2},{"value":"Step 3: Get the 
client's subject ID","id":"step-3-get-the-clients-subject-id","depth":2},{"value":"Step 4: Grant the client permissions","id":"step-4-grant-the-client-permissions","depth":2},{"value":"Rotate credentials without downtime","id":"rotate-credentials-without-downtime","depth":2},{"value":"Next steps","id":"next-steps","depth":2}],"frontmatter":{"title":"Create a Service Client","seo":{"title":"Create a Service Client"}},"lastModified":"2026-05-08T13:38:07.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/apis/platform/iam/use-cases/service-client","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}