OIDC clients

An OIDC client is an app registered to authenticate users via Huudis. Every Forjio product is an OIDC client; yours is no different.
This page covers how to register, configure, rotate, and revoke a client from the Huudis dashboard at Dashboard → OIDC clients.
Viewing clients
The OIDC clients page lists every client in the current workspace. Each row shows:
- Name — what you typed at creation. Human-readable, can be changed any time.
- Client ID — the public identifier (oc_…). Safe to embed in front-end code.
- Created — when the client was first registered.
- Last used — the most recent successful token exchange. Useful for finding stale clients.
- Status — Active, Disabled, or Revoked.
Creating a client
Click New client. You'll fill in:
Name
Anything human-readable. We recommend <App name> <Environment> — e.g., "My App Production", "My App Local Dev". You'll thank yourself when you have ten of them.
Redirect URIs
Where Huudis is allowed to send users back after sign-in. You can add multiple — common patterns:
- https://myapp.com/callback (production)
- https://staging.myapp.com/callback (staging)
- http://localhost:3000/callback (local development)
Huudis only redirects to URIs on this list — any other value in the redirect_uri parameter is rejected with invalid_redirect_uri. The match is exact; trailing slashes matter.
Wildcards aren't supported. No https://*.myapp.com/*. This is intentional: a wildcard pattern is almost always looser than its author thinks, and a redirect_uri that satisfies it while pointing at an attacker's host or path sends the authorization code there instead of to your app. List every concrete URI explicitly.
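An added example (not Huudis code) of the exact-match rule above, next to the wildcard rule the page refuses to offer, so you can see what the refusal buys you. REGISTERED is a constructed registration for a hypothetical client; the error strings are the one the page names (invalid_redirect_uri) plus messages of my own.

```python
# Added example, not Huudis code: exact redirect_uri matching versus the
# confusion a wildcard rule invites. REGISTERED is a constructed registration.
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

REGISTERED = [
    "https://myapp.com/callback",
    "https://staging.myapp.com/callback",
    "http://localhost:3000/callback",
]


def registration_problem(uri: str) -> str:
    """What a registration form should refuse before a URI reaches the
    allow-list. Returns "" when the URI is acceptable, else the reason."""
    if "*" in uri:
        return "wildcards are not supported; list each concrete URI"
    parts = urlsplit(uri)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return "redirect URI must be an absolute http(s) URL"
    if parts.fragment:
        return "redirect URI must not carry a fragment"
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        return "plain http is only acceptable for local development"
    return ""


def redirect_decision(requested: str, registered: list[str]) -> str:
    """Exact, case-sensitive string comparison, as the page describes.
    Returns "ok" or the error code "invalid_redirect_uri". A trailing
    slash, a different port or an extra query parameter all fail."""
    if requested in registered:
        return "ok"
    return "invalid_redirect_uri"


def wildcard_decision(requested: str, pattern: str) -> bool:
    """The rule Huudis does not offer. fnmatch's '*' matches any run of
    characters, including '/', '?' and '#', so https://*.myapp.com/* is
    satisfied by an attacker host whose URL merely contains '.myapp.com/'
    somewhere after the authority."""
    return fnmatchcase(requested, pattern)


if __name__ == "__main__":
    for uri in REGISTERED:
        assert registration_problem(uri) == ""
    print(redirect_decision("https://myapp.com/callback", REGISTERED))   # ok
    print(redirect_decision("https://myapp.com/callback/", REGISTERED))  # invalid_redirect_uri
    # Attacker-controlled host, accepted by the wildcard rule:
    print(wildcard_decision("https://evil.example/?x=.myapp.com/", "https://*.myapp.com/*"))  # True
```

The wildcard bypass is the point: the requested URL's host is evil.example, yet the pattern matches because the text ".myapp.com/" appears in the query string. Exact string comparison has no such failure mode, which is why it is worth the nuisance of listing every environment separately.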
Allowed grant types
Pick the OAuth grant types this client is allowed to use:
- authorization_code — the default. Web and mobile apps where the user does a redirect dance.
- refresh_token — for renewing access tokens silently. Enable this unless you specifically want to force users to sign in again every time their access token expires.
- device_code — only for CLIs and other devices without a browser. Don't enable for web apps.
Client type
- Confidential — the client can keep a secret (server-side apps, CLIs storing a secret on disk). Huudis issues a client_secret.
- Public — the client cannot keep a secret (SPAs, mobile apps). Huudis does not issue a secret; PKCE is the only protection.
Huudis defaults to Confidential. Switch to Public for SPAs or mobile apps.
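Since PKCE is all a public client has, here is the exchange it performs, as an added example that is not Huudis code: the client side (verifier, S256 challenge) and a simulated authorization-server side (store the challenge with the code, check the verifier once at the token endpoint). The in-process AUTH_CODES dict and the function names are mine; the hashing and encoding follow RFC 7636, and the test uses that RFC's published verifier/challenge pair.

```python
# Added example, not Huudis code: the PKCE (RFC 7636, S256) exchange a public
# client relies on, with the server side simulated in-process.
import base64
import hashlib
import hmac
import secrets

AUTH_CODES: dict[str, dict[str, str]] = {}   # stands in for server-side storage


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC's minimum length.
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# --- authorization server side (simulated) ---
def authorize(client_id: str, code_challenge: str, method: str) -> str:
    """Bind a fresh code to the challenge. A public client that omits PKCE
    gets no code: without it anyone holding a leaked code could redeem it."""
    if method != "S256" or not code_challenge:
        raise ValueError("invalid_request: PKCE with S256 is required")
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client_id, "challenge": code_challenge}
    return code


def token(client_id: str, code: str, code_verifier: str) -> str:
    """Redeem the code once; the verifier must hash to the stored challenge.
    Returns "ok" or the OAuth error code "invalid_grant"."""
    entry = AUTH_CODES.pop(code, None)   # single use, consumed even on failure
    if entry is None or entry["client_id"] != client_id:
        return "invalid_grant"
    if not 43 <= len(code_verifier) <= 128:
        return "invalid_grant"
    if not hmac.compare_digest(make_challenge(code_verifier), entry["challenge"]):
        return "invalid_grant"
    return "ok"


# --- client side ---
def run_flow(client_id: str, tamper: bool = False) -> str:
    """One full round trip. With tamper=True the token request carries a
    verifier that did not produce the challenge, which is the position of
    an attacker who intercepted the redirect and holds only the code."""
    verifier = make_verifier()
    code = authorize(client_id, make_challenge(verifier), "S256")
    presented = make_verifier() if tamper else verifier
    return token(client_id, code, presented)


def replay_demo(client_id: str) -> tuple[str, str]:
    """Redeem the same code twice: the second attempt must fail."""
    verifier = make_verifier()
    code = authorize(client_id, make_challenge(verifier), "S256")
    return token(client_id, code, verifier), token(client_id, code, verifier)


if __name__ == "__main__":
    print(run_flow("oc_example"))               # ok
    print(run_flow("oc_example", tamper=True))  # invalid_grant
    print(replay_demo("oc_example"))            # ('ok', 'invalid_grant')
```

Two details matter for a public client: the verifier never leaves the client until the token request, which goes directly to the token endpoint rather than through the browser redirect, and the code is consumed on the first token request whether or not it succeeds, so a stolen code is worthless once the legitimate client has used it.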
The client secret
Confidential clients get a secret on creation. Huudis shows it exactly once, on the next page of the creation wizard. Copy it straight into your app's secret store or environment, never into source control:
export HUUDIS_CLIENT_SECRET=ocs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If you lose the secret, you can't recover it; you have to rotate.
Rotating the secret
Dashboard → OIDC clients → [client] → Rotate secret.
Rotation generates a new secret and shows it once. Unless you set a grace period (below), the old secret is invalidated immediately, and any service still using it fails with invalid_client. Plan the rotation:
- Rotate, and capture the new secret from the one-time display.
- Roll the new secret out to every deployment of the app that holds it.
- Confirm nothing still uses the old secret (watch your app's logs for invalid_client) before the grace period ends.
For zero-downtime rotation, Huudis supports overlapping secrets: the old one stays valid for a configurable window after rotation. See Settings → Rotate secret → Grace period.
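To make the grace-period semantics concrete, here is an added example (not Huudis code) of how an authorization server can honour overlapping secrets: rotation installs a new secret and, when a grace window is set, keeps the old one valid until the window closes. The ocs_ prefix plus 32 characters mirrors the shape of the secret shown above; that the characters are hex, and every function name here, are my assumptions.

```python
# Added example, not Huudis code: overlapping client secrets with a grace
# period, as a token endpoint would check them. Secret format is assumed.
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientSecretState:
    current: str
    previous: Optional[str] = None
    previous_expires_at: Optional[float] = None   # unix time


def new_secret() -> str:
    return "ocs_" + secrets.token_hex(16)   # 32 hex chars; format assumed


def rotate(state: ClientSecretState, grace_seconds: int, now: float) -> str:
    """Install a new secret. With grace_seconds > 0 the old one keeps
    working until now + grace_seconds; with 0 it dies immediately."""
    fresh = new_secret()
    if grace_seconds > 0:
        state.previous = state.current
        state.previous_expires_at = now + grace_seconds
    else:
        state.previous = None
        state.previous_expires_at = None
    state.current = fresh
    return fresh   # shown once; a real server would store a hash, not this


def authenticate(state: ClientSecretState, presented: str, now: float) -> str:
    """Returns "ok", "ok_previous" (old secret, still inside the window;
    log it so you can find the deployment that has not picked up the new
    one) or "invalid_client". Comparisons are constant-time."""
    if hmac.compare_digest(presented, state.current):
        return "ok"
    if state.previous is not None and state.previous_expires_at is not None:
        if now < state.previous_expires_at:
            if hmac.compare_digest(presented, state.previous):
                return "ok_previous"
        else:
            # Window closed: forget the old secret so it cannot linger.
            state.previous = None
            state.previous_expires_at = None
    return "invalid_client"


def demo(grace_seconds: int) -> list[str]:
    """Constructed timeline: rotate at t=1000, then try the new secret, the
    old secret inside the window, the old secret once the window closes,
    and a wrong secret."""
    state = ClientSecretState(current="ocs_" + "a" * 32)   # constructed
    old = state.current
    new = rotate(state, grace_seconds, now=1000.0)
    return [
        authenticate(state, new, 1000.0),
        authenticate(state, old, 1000.0),
        authenticate(state, old, 1000.0 + grace_seconds),
        authenticate(state, "ocs_" + "b" * 32, 1000.0),
    ]


if __name__ == "__main__":
    print(demo(3600))   # ['ok', 'ok_previous', 'invalid_client', 'invalid_client']
    print(demo(0))      # ['ok', 'invalid_client', 'invalid_client', 'invalid_client']
```

The "ok_previous" result is the operational signal to watch during the window: once it stops appearing, every deployment has the new secret and the window can close early without anyone noticing.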
Disabling vs revoking
- Disable — the client can no longer start new authorizations, but existing refresh tokens keep working until they expire on their own. Useful for graceful sunsets.
- Revoke — the client and every token issued to it are killed immediately. Use only when you suspect compromise.
Both can be undone from the dashboard. Undoing a revocation restores the client's ability to authenticate; the tokens it killed stay dead, so users of that client sign in again.
API endpoints
| Method | Path |
|---|---|
| GET | /api/v1/oidc-clients |
| POST | /api/v1/oidc-clients |
| PATCH | /api/v1/oidc-clients/:id |
| POST | /api/v1/oidc-clients/:id/rotate-secret |
| DELETE | /api/v1/oidc-clients/:id |
See API reference for the wire format.
Next
- OIDC overview — what your client actually does once registered.
- Quickstart — end-to-end with a real client.