Related resources:




Providing you are a LUSID user with sufficient privileges, you can specify a client ID and then get LUSID to generate a client secret for you.

Once generated, you can use these details to obtain a short-lived API access token and use it to authorise calls to the LUSID API.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

Using the LUSID graphical web app

To get LUSID to generate a client secret and then reveal it:

  1. Sign in to the LUSID web app using the credentials of a LUSID administrator.
  2. From the left-hand menu, select Identity and access > Applications:
  3. On the Applications dashboard, click the Create application button:
  4. Specify a Client Id (no spaces) and a Display name, and click the Save button. LUSID automatically generates a client secret.
  5. On the Applications dashboard, click the  View icon to reveal the client secret and Okta's dedicated token URL for your LUSID domain:

    Note: Exporting credentials is useful when you want to call the LUSID API using the SDKs.

Using the Identity API

You can use the Identity API to generate and then reveal a client secret the second and subsequent times you want to do so.

Because you need an API access token to call the Identity API (for which you need a client secret), you'll either need to use the LUSID web app the first time, or else pass in a personal access token instead (which doesn't require a client secret).

  1. Obtain an API access token, if possible.
  2. Call the Identity CreateApplication API endpoint for your LUSID domain, passing in your access token, a client ID and friendly name that are unique within your domain, and a type of Native. For example:
    curl -X POST "https://<your-domain>"
       -H "Authorization: Bearer <your-access-token>"
       -H "Content-Type: application/json"
       -d "{'clientId':'example-sdk-app','displayName':'Example SDK application','type':'Native'}"
    The response contains an automatically-generated client secret, and an issuer that is Okta's dedicated token URL for your LUSID domain:
        "id": "0oabw8p5aaGCl5zAA2p8",
        "type": "Native",
        "displayName": "Example SDK application",
        "secret": "k94QiqJMrPOJaoUB0MJecOu0blANeWHX4MdcqdYH",
        "clientId": "example-sdk-app",
        "issuer": "https://lusid-<your-domain>"