
Identity as a Service: Basic configurations

Last Updated: Sep 26, 2025

This topic describes how to manage general configurations for applications in IDaaS. It focuses on enabling or disabling API access and the procedure for key rotation.

General configurations

Each application has configurations that are either feature-independent or apply to multiple features. These are managed together in the general configurations section.

In the Applications menu, find your application, click Manage, and then go to the General tab.

In the current version, administrators can enable or disable API access and perform key rotation.

API access

For each application in IDaaS, you can enable a series of APIs to support different feature scenarios. These include the following:

  • APIs for single sign-on (SSO) based on the OpenID Connect (OIDC) protocol

  • APIs for account synchronization

  • APIs for permission management (coming soon)

To call these APIs, the application must use its client_id and client_secret to obtain an access_token.

Note

By default, the client_id is the same as the application_id. It starts with "app_" and is about 26 characters long. The client_secret is a random string that starts with "CS" and is between 44 and 46 characters long.

Key rotation

To ensure secure application access, IDaaS allows administrators to manage the API access status of applications and perform key rotation (for the client_secret). You can configure a custom key rotation policy for each application.

Core mechanism: Dual-key support

  • Each application can have up to two valid client_secrets at any given time.

  • At least one client_secret must be enabled at all times.

  • This design allows both the new and old keys to be valid during the rotation period, which ensures a smooth transition for your services. You can safely delete the old key after you confirm that it is no longer in use.

Set the key validity period

  1. On the application key management page, click the Set Validity Period option.

  2. In the dialog box that appears, select an expiration time:

    • 3 Months: The key expires three calendar months from the current date. For example, if you set the key on September 18, it will expire on December 18.

    • 6 Months: The key expires six calendar months from the current date. For example, if you set the key on September 18, it will expire on March 18 of the next year.

    • 1 Year: The key expires one year from the current date. For example, if you set the key on September 18, it will expire on September 18 of the next year.

    • Custom: You can specify a custom expiration date and time. The validity period must be between 1 day and 3 years. Permanent validity is not supported.

    Note
    • By default, a client secret created through backend configurations is permanently valid.

    • A red indicator is displayed if the key has expired or will expire within 3 days. A yellow indicator is displayed if the key will expire in less than 15 days.

  3. Click OK to save the settings.

Key rotation procedure

Follow these steps to safely rotate keys:

  1. Create a new key: Create a new client_secret on the key management page of the application. The new key is automatically enabled.

  2. Update the application configuration: Replace the old client_secret with the new one in the configuration of your application that uses the key.

  3. Disable the old key (Verification phase): Return to the key management page in IDaaS. Find the old client_secret and click Disable. The system displays the timestamp of the key's last use. Verify that the key is no longer used by any service or system before you proceed.

  4. Monitor and verify: After disabling the old key, closely monitor your application's status and logs. Ensure that all features work correctly and are not affected by the key change.

  5. Clean up: Confirm that the application runs without issues for a few days or a week after the old key is disabled. You can then safely delete the old client_secret.
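The validity-period rules and the rotation steps above, written as a local audit check over one application's secrets. This is an added example, not Alibaba Cloud code: the Secret record, the function names, the month-end clamping, the 36-month reading of "3 years" and the 7-day quiet period are assumptions, and the sample data is constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Secret:  # hypothetical inventory record copied from the console, not an IDaaS API type
    label: str
    enabled: bool
    expires: Optional[datetime]    # None = permanently valid (backend-created default)
    last_used: Optional[datetime]  # last-use timestamp shown on the key management page

def add_months(start: datetime, months: int) -> datetime:
    """Calendar-month offset (Sep 18 + 3 -> Dec 18); clamping to month end is an assumption."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)

def valid_custom_expiry(now: datetime, expires: datetime) -> bool:
    """Custom validity: between 1 day and 3 years (read here as 36 calendar months)."""
    return now + timedelta(days=1) <= expires <= add_months(now, 36)

def indicator(secret: Secret, now: datetime) -> str:
    if secret.expires is None:
        return "permanent"
    remaining = secret.expires - now
    if remaining <= timedelta(days=3):  # expired, or expires within 3 days
        return "red"
    return "yellow" if remaining < timedelta(days=15) else "ok"

def audit(secrets: list, now: datetime, quiet_days: int = 7) -> list:
    """Findings for one application's secrets; quiet_days is an assumed soak period."""
    has_enabled = any(s.enabled for s in secrets)
    findings = [] if has_enabled else ["no enabled secret: at least one must stay enabled"]
    for s in secrets:
        state = indicator(s, now)
        if s.enabled and state != "ok":
            findings.append(f"{s.label}: {state}, rotate or set a validity period")
        idle = s.last_used is None or now - s.last_used >= timedelta(days=quiet_days)
        if not s.enabled and idle and has_enabled:
            findings.append(f"{s.label}: disabled and idle {quiet_days}+ days, safe to delete")
        elif not s.enabled:
            findings.append(f"{s.label}: disabled, keep until usage is confirmed stopped")
    return findings

NOW = datetime(2025, 9, 18, 12, 0)  # constructed sample: rotation in progress
SAMPLE = [Secret("old", False, None, NOW - timedelta(days=2)),
          Secret("new", True, add_months(NOW, 3), NOW)]
```

A disabled key is reported as safe to delete only while another secret is still enabled, which keeps the check in line with the rule that at least one client_secret must stay enabled.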

Basic information

| Field | Description |
| --- | --- |
| Application ID | The resource ID of the application. This ID is for reference only and cannot be changed. |
| Source | The template used to create the application. This cannot be changed. Valid values: Application Template, Standard Protocol, and Custom Application. |
| Application Name | The display name of the application. |
| Application Icon | The display icon for the application. The icon file must be in PNG or JPG format and cannot exceed 1 MB. A 256 × 256 pixel square icon is recommended. |