Application

Applications are the entrypoint into Nexus211.

An app can interact with the Nexus211 API directly, or set up OAuth to allow users to sign in to your app.

Scopes

Your application's scopes determine which endpoints it can use on the Nexus211 API. It's wise to enable only the scopes that your app is actually going to use. This way, if your Client Secret is ever stolen, the damage can be limited.

You can update your application scopes at any time, so feel free to start with none and add them to your app as needed.

Access Isolation

An app created by one Nexus211 organization cannot access the data of another organization, unless it's explicitly allowed access to do so.

Currently, there are two ways to grant such access:

  • OAuth Flow (for personal interactions)
  • Third-party Authorization (for programmatic interactions)

If you wish to develop a general-purpose app for all Nexus211 organizations to use, it's paramount that you understand how multi-tenancy works in Nexus211, and how to authenticate correctly with the Nexus211 API.

Multi-Tenant Applications

Single-tenant means that one application is used solely by one organization. Multi-tenant means that one application developed by an organization can be used by many others.

OAuth is Multi-Tenant by Default

Nexus211 applications are single-tenant when first created. However, once you add OAuth sign-in capabilities to your app, users from any organization can sign in to it. You can change this default behavior by configuring your OAuth setup accordingly.

Third-party Authorization

If your app requires programmatic access to the Nexus211 API on behalf of another organization, third-party authorization is what you need. This is a scheme in which one of the admins of an organization grants your application access to their organization. To the organization granting this access you are a third party, hence the name "Third-party Authorization".

The app is issued a unique Client Secret (the Client ID stays the same) for each organization that has authorized it. The app can retrieve these keys at any point by making a request to GET /keys. When the app wants to act on behalf of another organization, it authenticates with its own Client ID and the Client Secret issued for the organization in question.
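The following is an added example, not Nexus211's own code: one way an app could keep the per-organization secrets described above isolated, failing closed when an organization has not authorized it and noticing revocations when the key list is refreshed. The response shape (`org_id`, `client_secret`) and the names `TenantKeyring` and `NotAuthorized` are assumptions; the page does not document what GET /keys returns.

```python
from dataclasses import dataclass, field

# Constructed sample. The field names are assumptions: the page does not
# document what GET /keys returns.
SAMPLE_KEYS_RESPONSE = [
    {"org_id": "org_alpha", "client_secret": "constructed-secret-alpha"},
    {"org_id": "org_beta", "client_secret": "constructed-secret-beta"},
]


class NotAuthorized(Exception):
    """No Client Secret is on file for the requested organization."""


@dataclass
class TenantKeyring:
    client_id: str
    # repr=False keeps secrets out of logs and tracebacks that print the object.
    _secrets: dict = field(default_factory=dict, repr=False)

    def refresh(self, keys_response):
        """Replace the keyring wholesale; return org ids that disappeared."""
        fresh = {}
        for entry in keys_response:
            org_id, secret = entry.get("org_id"), entry.get("client_secret")
            if not org_id or not secret:
                raise ValueError("malformed key entry")  # refuse partial data
            fresh[org_id] = secret
        revoked = set(self._secrets) - set(fresh)
        self._secrets = fresh
        return revoked

    def credentials_for(self, org_id):
        """Return (client_id, secret) for exactly this org, or fail closed."""
        secret = self._secrets.get(org_id)
        if secret is None:
            # Never fall back to the app's own secret or another org's.
            raise NotAuthorized(f"no authorization on file for {org_id!r}")
        return self.client_id, secret
```

Replacing the keyring on every refresh, rather than merging into it, means a secret for an organization that has revoked access does not linger in memory.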

As an organization granting access to third-party apps, you can view and revoke access on the Nexus211 ID Applications page, under the "Authorized Applications" tab.

💡 You cannot grant your own application third-party authorization.