Update app with CLIENT_SECRET_POST
PUT {{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}The PUT request updates the specified application to use CLIENT_SECRET_POST token endpoint authentication.
With this method, the client credentials are sent as parameters in the POST body rather than the Authorization header. This can be easier for some frameworks and legacy systems.
The response returns information about the application, including its id property, which identifies the ID for this application resource and the updated value for the tokenEndpointAuthMethod.
Body
raw ( application/json )
{
"enabled": true,
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"grantTypes": [
"AUTHORIZATION_CODE"
],
"redirectUris": [
"http://localhost:3000/callback"
],
"responseTypes": [
"CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
}Example Request
-
cURL
-
C#
-
Go
-
HTTP
-
Java
-
jQuery
-
NodeJS
-
Python
-
PHP
-
Ruby
-
Swift
curl --location --globoff --request PUT '{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{accessToken}}' \
--data '{
"enabled": true,
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"grantTypes": [
"AUTHORIZATION_CODE"
],
"redirectUris": [
"http://localhost:3000/callback"
],
"responseTypes": [
"CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
}'var options = new RestClientOptions("{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}")
{
MaxTimeout = -1,
};
var client = new RestClient(options);
var request = new RestRequest("", Method.Put);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Authorization", "Bearer {{accessToken}}");
var body = @"{" + "\n" +
@" ""enabled"": true," + "\n" +
@" ""name"": ""Shared-Web-App""," + "\n" +
@" ""description"": ""Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.""," + "\n" +
@" ""type"": ""WEB_APP""," + "\n" +
@" ""protocol"": ""OPENID_CONNECT""," + "\n" +
@" ""grantTypes"": [" + "\n" +
@" ""AUTHORIZATION_CODE""" + "\n" +
@" ]," + "\n" +
@" ""redirectUris"": [" + "\n" +
@" ""http://localhost:3000/callback""" + "\n" +
@" ]," + "\n" +
@" ""responseTypes"": [" + "\n" +
@" ""CODE""" + "\n" +
@" ]," + "\n" +
@" ""tokenEndpointAuthMethod"": ""CLIENT_SECRET_POST""" + "\n" +
@"}";
request.AddStringBody(body, DataFormat.Json);
RestResponse response = await client.ExecuteAsync(request);
Console.WriteLine(response.Content);package main
import (
"fmt"
"strings"
"net/http"
"io"
)
func main() {
url := "{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}"
method := "PUT"
payload := strings.NewReader(`{
"enabled": true,
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"grantTypes": [
"AUTHORIZATION_CODE"
],
"redirectUris": [
"http://localhost:3000/callback"
],
"responseTypes": [
"CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
}`)
client := &http.Client {
}
req, err := http.NewRequest(method, url, payload)
if err != nil {
fmt.Println(err)
return
}
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Authorization", "Bearer {{accessToken}}")
res, err := client.Do(req)
if err != nil {
fmt.Println(err)
return
}
defer res.Body.Close()
body, err := io.ReadAll(res.Body)
if err != nil {
fmt.Println(err)
return
}
fmt.Println(string(body))
}PUT /environments/{{envID}}/applications/{{sharedWebAppID}} HTTP/1.1
Host: {{apiPath}}
Content-Type: application/json
Authorization: Bearer {{accessToken}}
{
"enabled": true,
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"grantTypes": [
"AUTHORIZATION_CODE"
],
"redirectUris": [
"http://localhost:3000/callback"
],
"responseTypes": [
"CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
}OkHttpClient client = new OkHttpClient().newBuilder()
.build();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\n \"enabled\": true,\n \"name\": \"Shared-Web-App\",\n \"description\": \"Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.\",\n \"type\": \"WEB_APP\",\n \"protocol\": \"OPENID_CONNECT\",\n \"grantTypes\": [\n \"AUTHORIZATION_CODE\"\n ],\n \"redirectUris\": [\n \"http://localhost:3000/callback\"\n ],\n \"responseTypes\": [\n \"CODE\"\n ],\n \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_POST\"\n}");
Request request = new Request.Builder()
.url("{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}")
.method("PUT", body)
.addHeader("Content-Type", "application/json")
.addHeader("Authorization", "Bearer {{accessToken}}")
.build();
Response response = client.newCall(request).execute();var settings = {
"url": "{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}",
"method": "PUT",
"timeout": 0,
"headers": {
"Content-Type": "application/json",
"Authorization": "Bearer {{accessToken}}"
},
"data": JSON.stringify({
"enabled": true,
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"grantTypes": [
"AUTHORIZATION_CODE"
],
"redirectUris": [
"http://localhost:3000/callback"
],
"responseTypes": [
"CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
}),
};
$.ajax(settings).done(function (response) {
console.log(response);
});var request = require('request');
var options = {
'method': 'PUT',
'url': '{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}',
'headers': {
'Content-Type': 'application/json',
'Authorization': 'Bearer {{accessToken}}'
},
body: JSON.stringify({
"enabled": true,
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"grantTypes": [
"AUTHORIZATION_CODE"
],
"redirectUris": [
"http://localhost:3000/callback"
],
"responseTypes": [
"CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
})
};
request(options, function (error, response) {
if (error) throw new Error(error);
console.log(response.body);
});import requests
import json
url = "{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}"
payload = json.dumps({
"enabled": True,
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"grantTypes": [
"AUTHORIZATION_CODE"
],
"redirectUris": [
"http://localhost:3000/callback"
],
"responseTypes": [
"CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
})
headers = {
'Content-Type': 'application/json',
'Authorization': 'Bearer {{accessToken}}'
}
response = requests.request("PUT", url, headers=headers, data=payload)
print(response.text)<?php
require_once 'HTTP/Request2.php';
$request = new HTTP_Request2();
$request->setUrl('{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}');
$request->setMethod(HTTP_Request2::METHOD_PUT);
$request->setConfig(array(
'follow_redirects' => TRUE
));
$request->setHeader(array(
'Content-Type' => 'application/json',
'Authorization' => 'Bearer {{accessToken}}'
));
$request->setBody('{\n "enabled": true,\n "name": "Shared-Web-App",\n "description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",\n "type": "WEB_APP",\n "protocol": "OPENID_CONNECT",\n "grantTypes": [\n "AUTHORIZATION_CODE"\n ],\n "redirectUris": [\n "http://localhost:3000/callback"\n ],\n "responseTypes": [\n "CODE"\n ],\n "tokenEndpointAuthMethod": "CLIENT_SECRET_POST"\n}');
try {
$response = $request->send();
if ($response->getStatus() == 200) {
echo $response->getBody();
}
else {
echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' .
$response->getReasonPhrase();
}
}
catch(HTTP_Request2_Exception $e) {
echo 'Error: ' . $e->getMessage();
}require "uri"
require "json"
require "net/http"
url = URI("{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}")
http = Net::HTTP.new(url.host, url.port);
request = Net::HTTP::Put.new(url)
request["Content-Type"] = "application/json"
request["Authorization"] = "Bearer {{accessToken}}"
request.body = JSON.dump({
"enabled": true,
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"grantTypes": [
"AUTHORIZATION_CODE"
],
"redirectUris": [
"http://localhost:3000/callback"
],
"responseTypes": [
"CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
})
response = http.request(request)
puts response.read_bodylet parameters = "{\n \"enabled\": true,\n \"name\": \"Shared-Web-App\",\n \"description\": \"Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.\",\n \"type\": \"WEB_APP\",\n \"protocol\": \"OPENID_CONNECT\",\n \"grantTypes\": [\n \"AUTHORIZATION_CODE\"\n ],\n \"redirectUris\": [\n \"http://localhost:3000/callback\"\n ],\n \"responseTypes\": [\n \"CODE\"\n ],\n \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_POST\"\n}"
let postData = parameters.data(using: .utf8)
var request = URLRequest(url: URL(string: "{{apiPath}}/environments/{{envID}}/applications/{{sharedWebAppID}}")!,timeoutInterval: Double.infinity)
request.addValue("application/json", forHTTPHeaderField: "Content-Type")
request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization")
request.httpMethod = "PUT"
request.httpBody = postData
let task = URLSession.shared.dataTask(with: request) { data, response, error in
guard let data = data else {
print(String(describing: error))
return
}
print(String(data: data, encoding: .utf8)!)
}
task.resume()Example Response
200 OK
{
"_links": {
"self": {
"href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/applications/7029adfa-164d-4234-a3ca-3e4900ef94a6"
},
"environment": {
"href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
},
"metadata": {
"href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/applications/7029adfa-164d-4234-a3ca-3e4900ef94a6/metadata"
},
"attributes": {
"href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/applications/7029adfa-164d-4234-a3ca-3e4900ef94a6/attributes"
},
"secret": {
"href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/applications/7029adfa-164d-4234-a3ca-3e4900ef94a6/secret"
},
"grants": {
"href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/applications/7029adfa-164d-4234-a3ca-3e4900ef94a6/grants"
}
},
"environment": {
"id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
},
"id": "7029adfa-164d-4234-a3ca-3e4900ef94a6",
"name": "Shared-Web-App",
"description": "Application using CLIENT_SECRET_POST - credentials are sent in the POST body instead of the Authorization header. Useful for systems where header manipulation is difficult.",
"enabled": true,
"type": "WEB_APP",
"protocol": "OPENID_CONNECT",
"createdAt": "2026-04-08T15:39:17.367Z",
"updatedAt": "2026-04-20T16:24:25.874Z",
"clientId": "7029adfa-164d-4234-a3ca-3e4900ef94a6",
"assignActorRoles": false,
"responseTypes": [
"CODE"
],
"grantTypes": [
"AUTHORIZATION_CODE"
],
"tokenEndpointAuthMethod": "CLIENT_SECRET_POST",
"pkceEnforcement": "OPTIONAL",
"requestScopesForMultipleResourcesEnabled": false,
"parRequirement": "OPTIONAL",
"devicePollingInterval": 5,
"redirectUris": [
"http://localhost:3000/callback"
],
"parTimeout": 60,
"deviceTimeout": 600
}