# OAuth Configuration

OAuth authorization is an alternative authentication mechanism for the License API, available exclusively for **enterprise clients**.

## OAuth Client ID and Secret Structure

OAuth credentials (Client ID and Secret) can be associated with different levels of specificity within the system:

* **License**
* **Customer**
* **Customer Account**
* **Company**

### OAuth Token Validation Hierarchy

When validating OAuth tokens, the system follows a hierarchy of specificity:

{% stepper %}
{% step %}

### Most specific: License level

Check for an OAuth secret at the **License** level.
{% endstep %}

{% step %}

### Customer level

If not found at the License level, check at the **Customer** level.
{% endstep %}

{% step %}

### Customer Account level

If not found at the Customer level, check at the **Customer Account** level.
{% endstep %}

{% step %}

### Least specific: Company level

If not found at the Customer Account level, check at the **Company** level.
{% endstep %}
{% endstepper %}

### User Interface Access

* **License, Customer, and Customer Account Views**: OAuth settings are accessible via the **OAuth tab**.
* **Company Level**: OAuth settings can be found under **Settings → Keys**.

![OAuth Initialization Location on Platform](/files/eb30fdce56cfacf366ee7abb6d06653221000a56)

## Default Rotation Settings

When creating new OAuth credentials, the system applies **default rotation settings**, unless they are overridden for specific credentials:

* **Secret Expiration Period**: Defines how long a newly generated secret remains valid before it expires.
* **Secret Rotation Grace Period**: Defines the window before the current secret expires that is reserved for rotating to a new secret, allowing a smooth transition.

![Setting the Default Rotation Settings](/files/c48a93d5f274296c6d5d267caa1baffb02d2941d)

## Enforcing OAuth Authentication

A company account may have an optional flag, `is_oauth_required`. When it is enabled:

* OAuth authentication is **mandatory** for all users under that company account.
* API key and shared key authentication methods are **disabled**.

This setting is available under **Settings → Preferences**.

### API Error Response

If a request is sent using an API/shared key while OAuth is required, the License API will return the following error:

```json
{
  "status": 400,
  "code": "oauth_required",
  "message": "This account requires OAuth authentication"
}
```
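The following is an added illustrative model (not LicenseSpring's own implementation) of the server-side decision described above: the `is_oauth_required` check with the page's 400 response, the License → Customer → Customer Account → Company lookup order, and the expiration and grace-period states from the default rotation settings. The `invalid_client` and `secret_expired` codes, the `OAuthSecret` shape and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac
LEVELS = ("license", "customer", "customer_account", "company")  # most to least specific

@dataclass(frozen=True)
class OAuthSecret:
    client_id: str
    secret: str            # constructed sample value; a real store would keep a hash
    expires_at: datetime   # derived from the Secret Expiration Period
    grace: timedelta       # Secret Rotation Grace Period counted back from expires_at

def resolve_secret(secrets_by_level, client_id):
    """Return (level, secret) for the first hierarchy level that knows client_id."""
    for level in LEVELS:
        for s in secrets_by_level.get(level, ()):
            if s.client_id == client_id:
                return level, s
    return None, None

def secret_state(s, now):
    """'expired', 'rotating' (inside the grace window before expiry) or 'active'."""
    if now >= s.expires_at:
        return "expired"
    return "rotating" if now >= s.expires_at - s.grace else "active"

def authenticate(company, secrets_by_level, now, client_id=None, secret=None, api_key=None):
    """Model of the server-side decision. The 400 body is the page's; 401 codes are assumed."""
    if api_key is not None:
        if company.get("is_oauth_required"):
            return {"status": 400, "code": "oauth_required",
                    "message": "This account requires OAuth authentication"}
        return {"status": 200, "auth": "api_key"}
    level, s = resolve_secret(secrets_by_level, client_id)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if s is None or not hmac.compare_digest(s.secret, secret or ""):
        return {"status": 401, "code": "invalid_client"}
    state = secret_state(s, now)
    if state == "expired":
        return {"status": 401, "code": "secret_expired", "level": level}
    return {"status": 200, "auth": "oauth", "level": level, "secret_state": state}

# Constructed sample: "cust-1" exists at Customer and Company level; Customer wins, Company copy is expired.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = {
    "license": [OAuthSecret("lic-1", "s-lic", NOW + timedelta(days=30), timedelta(days=7))],
    "customer": [OAuthSecret("cust-1", "s-cust", NOW + timedelta(days=3), timedelta(days=7))],
    "company": [OAuthSecret("cust-1", "s-comp", NOW - timedelta(days=1), timedelta(days=7))],
}
COMPANY = {"is_oauth_required": True}
```

Presenting the Company-level secret for `cust-1` fails because the more specific Customer-level entry is the one consulted, and the Customer-level secret authenticates in the `rotating` state because it expires within its grace window.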

## Authorization Process

To authorize with OAuth:

{% stepper %}
{% step %}

### Obtain short-lived access token

Users obtain a **short-lived access token** using their **Client ID** and **Secret**.
{% endstep %}

{% step %}

### Include token in requests

The access token must be included in the **License API request headers**, replacing the traditional API key or shared key.
{% endstep %}
{% endstepper %}

For more details, refer to [**OAuth Authorization**](/license-api/license-api-authorization/oauth-authorization.md).

## SDK Integration

OAuth authentication will be implemented in the SDKs to simplify integration. See your SDK-specific documentation for more information.

## OAuth Key Management

### License Manager Permissions

License managers can:

* View a list of client IDs and secrets for the licenses and customers they manage.
* Revoke OAuth secrets.
* Manage expiration dates of OAuth secrets.

### Explicit Permission Requirement

License managers can **only** revoke or modify expiration dates of OAuth keys if they have been granted explicit permission to do so.

![](/files/d66796368b5550071278adb70149833974c19e47)

## OAuth Expiration Notifications

Platform users can define **notification policies** for OAuth key expiration. These policies trigger email notifications when:

* A secret is about to expire.
* A secret has already expired.

![](/files/60ccaffd6bdcd97987076a199684408bd83d7539)
