How do I generate and reveal a client secret?

Providing you are a LUSID user with sufficient privileges, you can specify a client ID and then get LUSID to generate a client secret for you.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

Once generated, you can use these details to obtain a short-lived API access token and use it to authorise calls to the LUSID API, either directly or via the SDK.

Using the LUSID web app

To get LUSID to generate a client secret and then reveal it:

  1. Sign in to the LUSID web app using the credentials of a LUSID administrator.

  2. From the left-hand menu, select Identity and access > Applications.

  3. On the Applications dashboard, click the Create application button.

  4. Specify a Client Id (no spaces) and a Display name, and click the Save button. LUSID automatically generates a client secret.

  5. On the Applications dashboard, click the View icon to reveal the client secret and Okta's dedicated token URL for your LUSID domain.

    Note: Exporting credentials is useful when you want to call the LUSID API using the SDK.

Using the Identity API

You can use the Identity API to generate and reveal a client secret on the second and subsequent occasions.

Note: Because you need an API access token to call the Identity API (for which you need a client secret), you'll either need to use the LUSID web app the first time, or else pass in a personal access token instead (which doesn't require a client secret).

  1. Obtain an API access token, if possible.

  2. Call the CreateApplication API, passing in your access token, a client ID and friendly name that are unique within your domain, and a type of Native. For example:

    # The JSON body must use double quotes, so the payload is single-quoted for the shell.
    curl -X POST "https://<your-domain>.lusid.com/identity/api/applications" \
       -H "Authorization: Bearer <your-access-token>" \
       -H "Content-Type: application/json" \
       -d '{"clientId":"example-sdk-app","displayName":"Example SDK application","type":"Native"}'

    The response contains an automatically-generated client secret, and an issuer that is Okta's dedicated token URL for your LUSID domain:

    {
        "id": "0oabw8p5aaGCl5zAA2p8",
        "type": "Native",
        "displayName": "Example SDK application",
        "secret": "k94QiqJMrPOJaoUB0MJecOu0blANeWHX4MdcqdYH",
        "clientId": "example-sdk-app",
        "issuer": "https://lusid-<your-domain>.okta.com/oauth2/aus91lnun55CZDvav6p7"
    }
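
The response above carries the client secret in plaintext, so it should go straight into an owner-only file rather than into logs or terminal scrollback. The following is an added example, not code from LUSID or its SDK: it validates a CreateApplication-style response, writes the credentials with mode 0600, and returns a redacted summary for logging. The function names, the output file layout and the sample values are assumptions made for illustration.

```python
import json
import os
import tempfile
from urllib.parse import urlparse

REQUIRED = ("id", "clientId", "secret", "issuer")

# Constructed sample shaped like the response above; all values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "id": "constructed-app-id", "type": "Native",
    "displayName": "Example SDK application",
    "secret": "constructed-secret-value", "clientId": "example-sdk-app",
    "issuer": "https://lusid-example.okta.com/oauth2/constructed-server-id",
})


def store_credentials(response_body, path):
    """Write the credentials to an owner-only file; return a loggable summary."""
    app = json.loads(response_body)
    missing = [k for k in REQUIRED if not app.get(k)]
    if missing:
        raise ValueError(f"response is missing fields: {missing}")
    if urlparse(app["issuer"]).scheme != "https":
        raise ValueError("issuer (token URL) must use https")
    # O_EXCL refuses to overwrite or reuse an existing file, and passing 0o600
    # at creation means the secret is never readable by other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        # Hypothetical file layout, not the SDK's own format.
        json.dump({"clientId": app["clientId"],
                   "clientSecret": app["secret"],
                   "issuer": app["issuer"]}, fh)
    return {"id": app["id"], "clientId": app["clientId"],
            "issuer": app["issuer"], "secret": "<redacted>"}


def demo():
    """Store the constructed sample in a temp dir and report what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "lusid-app.json")
        summary = store_credentials(SAMPLE_RESPONSE, path)
        mode = os.stat(path).st_mode & 0o777
        with open(path) as fh:
            saved = json.load(fh)
    return {"summary": summary, "mode": mode, "saved": saved}


if __name__ == "__main__":
    print(demo()["summary"])
```

Log only the returned summary; the file on disk is the single place the secret is kept.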