Applications
Overview
A FusionAuth Application is simply something a user can log into. When you use the Login API, you will provide an applicationId
to indicate what resource you’re attempting to obtain authorization.
When you use one of the OAuth2 / OpenID Connect authorization grants you will provide a client_id
in some fashion. This client identifier will be unique to a single FusionAuth application which allows FusionAuth to to verify the User is registered for the requested Application and subsequently return the correct roles.
The applicationId
and client_id
can be considered synonymous, both concepts leverage the same "Id" value.
Here’s a brief video covering some aspects of applications:
Admin UI
This page describes the Admin UI for creating and configuring an Application.
Add an Application
Before you start your integration with FusionAuth you need to setup at least one Application. Click on
from the left navigation to begin.
Form Fields
- Id Optional
-
An optional UUID. When this value is omitted a unique Id will be generated automatically.
- Name Required
-
The name of the application. This value is for display purposes only and can be changed at any time.
- Tenant Required
-
The tenant in which to create this application.
This field is only displayed once multiple tenants exist in FusionAuth. When only a single tenant exists the application will always be created in the default tenant.
Roles
The Roles tab will only be available on the Add Application form. To manage roles after the Application has been created you will use the Manage Roles action.
Table columns
- Name Required
-
The name of the role. This value should be short and descriptive. Roles can only be created and deleted, only the role description may be modified.
- Default Optional
-
One or more roles may be marked as default. A default role will be automatically added to new user registrations when no roles are explicitly provided on the API request.
- Super Role Optional
-
A role may be optionally marked as a super user role. This indicator is just a marker to indicate to you that this role encompasses all other roles. It has not affect on the usage of the role.
- Description Optional
-
An optional description to better describe the intended use of this role.
To manage Application Roles after you have added an Application, click the Manage Roles button on the index page. To edit an application click the edit icon. The following sections will walk you through each panel for the edit action.

OAuth
The OAuth tab allows you to configure the OAuth2 and OpenID Connect settings specific to this Application.

Form Fields
- Client Id Read-only
-
The read only client Id for this application. The client Id is used by OAuth2 / OpenID Connect to authenticate the grant request.
- Client secret Read-only
-
The read only client secret used for client authentication. When you enable Require authentication, this client secret will be required to obtain an access token from the Token endpoint.
You may optionally regenerate the client secret if you think the secret has been compromised.
- Require authentication Optional
-
When enabled access to the Token endpoint will require the use of the
client_secret
parameter. In most cases you will not want to disable this setting.There may be scenarios where you have a requirement to make a request to the Token endpoint where you cannot safely secure a client secret. In these scenarios you may need to disable client authentication.
- Generate refresh tokens Optional
-
When enabled, FusionAuth will return a refresh token when the
offline_access
scope has been requested. When this setting is disabled refresh tokens will not be generated even if theoffline_access
scope is requested. - Authorized redirect URLs Optional
-
In order to utilize grants that require a browser redirect using the
redirect_uri
parameter, the URLs need to be added to this list. URLs that are not authorized may not be utilized in theredirect_uri
. - Authorized request origin URLs Optional
-
This optional configuration allows you to restrict the origin of an OAuth2 / OpenID Connect grant request. If no origins are registered for this application, all origins are allowed.
By default FusionAuth will add the
X-Frame-Options: DENY
HTTP response header to the login pages to keep these pages from being rendered in an iframe. If the request comes from an authorized origin, FusionAuth will not add this header to the response. If you wish to load FusionAuth login pages in an iframe you will need to add the request origin to this configuration. - Logout URL Optional
-
The optional logout URL for this application. When provided this logout URL should handle the logout of a user in your application.
If you need to end an HTTP session, or delete cookies to logout a user from your application, these operations should be handled by this URL. When the
/oauth2/logout
endpoint is utilized, each Logout URL registered for applications in this tenant will be called within an iframe to complete the SSO logout.If the OAuth2 logout endpoint is used with this Client Id this configured Logout URL will be also utilized as the redirect URL if the
post_logout_redirect_uri
parameter was not provided.If this application has not defined a Logout URL, the value configured at the Tenant level will be utilized. If no Logout URL has been configured a redirect to
/
will occur. A specific redirect URL may also be provided by using thepost_logout_redirect_uri
request parameter.See the Logout endpoint for more information.
- Logout behavior Optional
-
This selector allows you to modify the behavior when using the Logout endpoint with this Client Id.
-
All applications - This is the default behavior. Logout out of the FusionAuth SSO, call each registered Logout URLs for the entire tenant and then redirect to the Logout URL registered for this application.
-
Redirect only - Do not call each registered Logout URL in the tenant, instead logout out of the FusionAuth SSO and then only redirect to the Logout URL registered for this application.
See the Logout endpoint for more information.
-
- Enabled grants Optional
-
The enabled OAuth2 grants. If a grant is not enabled and a client requests this grant during authentication an error will be returned to the caller indicating the grant is not enabled.
-
Authorization Code
-
Device
-
Implicit
-
Password
-
Refresh Token
See The OAuth 2.0 & OpenID Connect Overview for additional information on each of these grants.
-
When you enable the Device
grant you will be shown one additional configuration field.

Form Fields
- Device verification URL Required
-
The URL to be returned during the Device Authorization request to be displayed to the end user. This URL will be where the end user navigates in order to complete the device authentication workflow.
Required when the
Device
grant has been enabled.
CleanSpeak
The CleanSpeak configuration panel allows you to optionally configure username filtering through the use of a CleanSpeak integration. See CleanSpeak Integration for additional configuration details.
The use of this feature requires a licensed instance of CleanSpeak. See https://cleanspeak.com for additional information.

The email configuration allows you to optionally select customized email templates for this application. When configured an application specific template will be used instead o the tenant configured email template when possible.

Form Fields
- Email verification Optional Available since 1.19.0
-
When a template is selected this will be used instead of the template configured by the tenant. This template can only be used when a user is created and registered at the same time, if a user is created without a User Registration the tenant configured template will be used because there is no application context available.
- Forgot password Optional Available since 1.19.0
-
When a template is selected this will be used instead of the template configured by the tenant if an application context is available.
- Passwordless login Optional Available since 1.19.0
-
When a template is selected this will be used instead of the template configured by the tenant.
- Setup password Optional Available since 1.19.0
-
When a template is selected this will be used instead of the template configured by the tenant. This template can only be used when a user is created and registered at the same time, if a user is created without a User Registration the tenant configured template will be used because there is no application context available.
JWT
The JWT configuration allow you to provide application specific JWT configuration. When this panel is left in the default state as in shown in this screenshot without the enable toggle turned on, the JWT configuration provided by the Tenant will be utilized.

- Enabled Optional
-
When enabled you may configure Application specific JWT configuration including signing keys, durations, etc.
Lambda settings
The application specific lambda settings are available even if you choose not to enable application specific JWT configuration by leaving the Enable field off.
- Access token populate lambda Optional
-
The lambda to be invoked during the generation of an Access Token (JWT) when a user authenticates against this Application.
- Id token populate lambda Optional
-
The lambda to be invoked during the generation of an Id Token (JWT) when a user authenticates against this Application.
Once you have enabled JWT configuration for this Application you will be provided with additional configuration options.

JWT Settings
- Issuer Read-only
-
The issuer used when building the Access Token and Id Token in the
iss
claim. This value is displayed for read-only purposes, it can be modified in the Tenant configuration. - JWT duration Required
-
The duration in seconds a JWT will be valid after creation. After this time has passed the JWT will expire and can no longer be used.
- Access token signing key Optional
-
The signing key used to sign the Access Token (JWT) when a user authenticates against this Application. When this value is not selected the default selection will cause FusionAuth to generate a new key pair and assign it to this configuration.
- Id token signing key Optional
-
The signing key used to sign the Id Token (JWT) when a user authenticates against this Application. When this value is not selected the default selection will cause FusionAuth to generate a new key pair and assign it to this configuration.

Refresh Token settings
- Refresh token duration Required
-
The duration in minutes the refresh token will be valid after creation. After this time has passed the refresh token will no longer be able to be used to receive a new Access Token (JWT).
- Refresh token expiration Optional
-
The refresh token expiration may use a fixed or sliding window expiration configuration. By default the expiration of a refresh token uses a fixed calculation from the time it was originally issued. A sliding window expiration means that the expiration is calculated from the last time the refresh token was used.
- Refresh token usage Optional
-
The refresh token usage may be configured to be reusable or one time use. By default, a token is reusable and does not change after it was issued. A a one time use token means the value will be changed each time the token is used to refresh a JWT which means the client must store the new value after each usage.
Registration
The registrations configuration allows you to provided Application specific registration configuration. Primarily registration verification and self service registration options.

Form Fields
- Verify registrations Optional
-
When enabled a registration can be verified using an email workflow. This is very similar to the email verification process but instead it allows you to send an email to an end user for them to confirm they registered for the application.
- Verification template Required
-
The email template to be used when sending the Registration Verification email to the end user.
Required when Verify registrations field toggle has been enabled.
- Delete unverified registrations Optional
-
When enabled, users who have not verified their registration for this application after a configurable duration since the registration was created will have the registration deleted.
- Delete after Required
-
The duration that a user’s registration to this application must exist before being deleted for being an unverified.
Required when Delete unverified registrations field toggle has been enabled.

Basic self service registration
This configuration demonstrates the Self Service registration configuration when the Basic
type has been selected.
- Enabled Optional
-
When enabled, a button on the login page will be rendered to allow users to create a new account.
- Type Optional
-
Select
Basic
orAdvanced
self service registration forms.A paid edition of FusionAuth is required to use the Advanced self service registration forms.
- Confirm password Optional
-
Toggle this field if you want FusionAuth to require a password confirmation when setting a new password during registration.
- Login type Optional
-
This field indicates if the email address or username should be collected as the user’s unique identifier.
- Registration fields Optional
-
The optional fields to be displayed on the registration form.
- Field Read-only
-
The user attribute that can be shown on the registration form.
- Enabled Optional
-
When enabled this field will be shown on the registration form.
- Required Optional
-
When enabled this field will be set as required and the user will be unable to complete registration unless the field is provided.

Advanced self service registration
This configuration demonstrates the Self Service registration configuration when the Advanced
type has been selected.
A paid edition of FusionAuth is required to use the Advanced self service registration forms.
- Enabled Optional
-
When enabled, a button on the login page will be rendered to allow users to create a new account.
- Form Required
-
The selected form will be used to provide self service registration for this application.

Form settings
- Form Optional Available since 1.20.0
-
The form that will be used in the FusionAuth UI for adding and editing user registrations.
Updating this field requires a paid edition of FusionAuth.
SAML
The SAML configuration allows you to reveal FusionAuth as a SAML v2 Identity Provider (IdP).

Form Fields
- Enabled Optional
-
When enabled you may configure FusionAuth to reveal this application as a SAML v2 Identity Provider (IdP).
Once you have enabled SAML for this Application you will be provided with additional configurations options.

- Issuer Required
-
The issuer used by service providers (i.e. Google, Zendesk, etc.) to identify themselves to FusionAuth’s SAML identity provider. Often you cannot set this in the service provider and need to read their documentation or test the integration and use the error messages to determine the correct value.
- Audience Optional
-
Some service providers require a different audience (such as Zendesk). You can leave this blank if the audience is the same as the issuer.
- Authorized redirect URLs Required
-
One or more allowed URLs that FusionAuth may redirect to after the user has logged in via SAML v2, also known as the Assertion Consumer Service URL (ACS).
- Logout URL Optional
-
The URL that the user is redirected to after they are logged out. Usually this is the starting location of the application.
- Debug enabled Optional
-
Enable debug to create an event log to assist you in debugging integration errors.
- Require signature Optional
-
When enabled, all unsigned requests will be rejected.
- Default verification key Optional Available since 1.20.0
-
The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.
When HTTP POST Bindings are used, this is the default verification key used if a
<KeyInfo>
element is not found in the SAML AuthNRequest. If a<KeyInfo>
element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.This field is required when Require signature is enabled.
- Signing key Optional
-
The signing key used to sign the SAML request. When this value is not selected the default selection will cause FusionAuth to generate a new key pair and assign it to this configuration.
- XML signature canonicalization method Optional defaults to
Exclusive with comments
-
The XML signature canonicalization method. If you are unsure which method to select, leave the default and begin testing, or contact your service provider for configuration assistance.
- XML signature location Optional defaults to
Assertion
Available since 1.21.0 -
The location of the XML signature in the SAML response.
- Response populate lambda Optional
-
The lambda used to add additional values from the user and registration to the SAML response.
Security
The security tab contains some additional security configuration for this application.

Login API Settings
- Require an API key Optional
-
When enabled the Login API will require an API key, this is functionally equivalent to requiring client authentication during OAuth2.
- Generate refresh tokens Optional
-
When enabled the Login API will return refresh tokens, this is functionally equivalent to requesting the offline_scope during an OAuth2 grant.
- Allow token refresh Optional
-
When enabled a JWT may be refreshed using the JWT Refresh API, this is functionally equivalent to enabling the Refresh Grant in OAuth2
Passwordless Login
- Enabled Optional
-
When enabled, allow users to request login using a link sent via email. Enabling this feature will cause a button to be displayed on the FusionAuth login form and allow you to utilize the Passwordless Login API.
Authentication Tokens
- Enabled Optional
-
When enabled, allow users to optionally authenticate using an Application specific token in place of their password. This should only be used when the security requirements are low and the user’s normal password is not a good option for authentication. For example, if a password needs to be stored in an external configuration and the exposure risk is low, a token can be used in place of the user’s password. This token may only be used for authorization for this application.
Webhooks
The Webhooks tab allows you to select one or more webhooks to be used for this Application. In this example screenshot either not webhooks have been configured, or no application specific webhooks are configured.
In most cases you will not need to configure this panel. Only a few specific events are considered application specific, and when a webhook is configured to be application specific, only those events will be sent to the webhook.
In a future release this configuration tab will be removed.

This example screenshot shows one Application specific webhook selected. This option will be visible if at least one webhook is configured as application specific.
