How do I generate and reveal a client secret?

Providing you are a LUSID user with sufficient privileges, you can specify a client ID and then get LUSID to generate a client secret for you.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article

Once generated, you can use these details to obtain a short-lived API access token and use it to authorise calls to the LUSID API, either directly or via the SDK.

Using the LUSID web app

To get LUSID to generate a client secret and then reveal it:

1. Sign in to the LUSID web app using the credentials of a LUSID administrator.

2. From the left-hand menu, select Identity and access > Applications:
   

3. On the Applications dashboard, click the Create application button:
   

4. Specify a Client Id (no spaces) and a Display name, and click the Save button. LUSID automatically generates a client secret.

5. On the Applications dashboard, click the   View icon to reveal the client secret and Okta's dedicated token URL for your LUSID domain:
   

   Note: Exporting credentials is useful when you want to call the LUSID API using the SDK.

Using the Identity API

You can use the Identity API to generate and then reveal a client secret the second and subsequent times you want to do so.

Note: Because you need an API access token to call the Identity API (for which you need a client secret), you'll either need to use the LUSID web app the first time, or else pass in a personal access token instead (which doesn't require a client secret).

1. Obtain an API access token, if possible.

2. Call the CreateApplication API, passing in your access token, a client ID and friendly name that are unique within your domain, and a type of Native. For example:

   curl -X POST "https://<your-domain>.lusid.com/identity/api/applications"
      -H "Authorization: Bearer <your-access-token>"
      -H "Content-Type: application/json"
      -d "{'clientId':'example-sdk-app','displayName':'Example SDK application','type':'Native'}"

   The response contains an automatically-generated client secret, and an issuer that is Okta's dedicated token URL for your LUSID domain:

   {
       "id": "0oabw8p5aaGCl5zAA2p8",
       "type": "Native",
       "displayName": "Example SDK application",
       "secret": "k94QiqJMrPOJaoUB0MJecOu0blANeWHX4MdcqdYH",
       "clientId": "example-sdk-app",
       "issuer": "https://lusid-<your-domain>.okta.com/oauth2/aus91lnun55CZDvav6p7"
   }