Stytch · Schema
Stytch Connected App (OAuth Client)
An OAuth 2.0 / OIDC client registered under a Stytch project. Connected Apps back third-party integrations, desktop apps, AI agents, and MCP servers that need scoped, user-consented access to the host application.
AuthenticationIdentityPasswordlessSecurityB2BConnected AppsMCPAI AgentsDeveloper Tools
Properties
| Name | Type | Description |
|---|---|---|
| client_id | string | Stable identifier for the Connected App client. Format: connected-app-live- |
| client_name | string | Human-readable name displayed on Stytch's consent screen. |
| client_type | string | OAuth client type. Public clients (e.g. desktop / SPA / MCP server distributed to end users) must use PKCE; confidential clients hold a client_secret. |
| client_secret | string | Returned only at creation / rotation for confidential clients. |
| redirect_urls | array | Allowed OAuth redirect URIs. |
| scopes | array | Scopes the Connected App is allowed to request (e.g. openid, profile, email, plus custom resource scopes). |
| logo_url | string | Logo shown on the consent screen. |
| client_description | string | Short description shown on the consent screen, useful for explaining what an AI agent will do with the granted access. |
| trusted_metadata | object | Server-only metadata about the client; never visible to end users. |
| access_token_expiry_minutes | integer | Lifetime of issued access tokens, in minutes. |
| refresh_token_expiry_minutes | integer | Lifetime of issued refresh tokens, in minutes. |
| post_logout_redirect_urls | array | |
| created_at | string |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://raw.githubusercontent.com/api-evangelist/stytch/main/json-schema/stytch-connected-app-schema.json",
"title": "Stytch Connected App (OAuth Client)",
"description": "An OAuth 2.0 / OIDC client registered under a Stytch project. Connected Apps back third-party integrations, desktop apps, AI agents, and MCP servers that need scoped, user-consented access to the host application.",
"type": "object",
"required": ["client_id", "client_name", "client_type"],
"properties": {
"client_id": {
"type": "string",
"description": "Stable identifier for the Connected App client. Format: connected-app-live-<uuid> or connected-app-test-<uuid>.",
"examples": ["connected-app-live-12345678-90ab-cdef-1234-567890abcdef"]
},
"client_name": {
"type": "string",
"description": "Human-readable name displayed on Stytch's consent screen.",
"examples": ["Acme MCP Server"]
},
"client_type": {
"type": "string",
"enum": ["public", "confidential"],
"description": "OAuth client type. Public clients (e.g. desktop / SPA / MCP server distributed to end users) must use PKCE; confidential clients hold a client_secret."
},
"client_secret": {
"type": "string",
"description": "Returned only at creation / rotation for confidential clients.",
"writeOnly": true
},
"redirect_urls": {
"type": "array",
"items": { "type": "string", "format": "uri" },
"description": "Allowed OAuth redirect URIs."
},
"scopes": {
"type": "array",
"items": { "type": "string" },
"description": "Scopes the Connected App is allowed to request (e.g. openid, profile, email, plus custom resource scopes)."
},
"logo_url": {
"type": "string",
"format": "uri",
"description": "Logo shown on the consent screen."
},
"client_description": {
"type": "string",
"description": "Short description shown on the consent screen, useful for explaining what an AI agent will do with the granted access."
},
"trusted_metadata": {
"type": "object",
"description": "Server-only metadata about the client; never visible to end users."
},
"access_token_expiry_minutes": {
"type": "integer",
"description": "Lifetime of issued access tokens, in minutes."
},
"refresh_token_expiry_minutes": {
"type": "integer",
"description": "Lifetime of issued refresh tokens, in minutes."
},
"post_logout_redirect_urls": {
"type": "array",
"items": { "type": "string", "format": "uri" }
},
"created_at": { "type": "string", "format": "date-time" }
}
}