This topic describes how to create an OAuth application in Resource Access Management (RAM). OAuth applications can obtain user information and call Alibaba Cloud APIs on behalf of a user.
Prerequisites
You have permissions to manage applications in the RAM console.
Applications are specific to the Alibaba Cloud site where they are created. To support users on both the China site (aliyun.com) and the International site (alibabacloud.com), you must create a separate application on each site.
Procedure
Log on to the RAM console.
In the left-side navigation pane, choose .
On the OAuth Application page, click Create Application.

On the Create Application page, configure the following parameters:
Application Name: Enter a unique name for the application within your Alibaba Cloud account.
Display Name: Enter a user-friendly name that will be shown to users on the consent screen during the authorization process.
OAuth Protocol Version: Select the protocol version for the application.
2.0: The widely adopted standard.
2.1: A newer, more secure iteration that consolidates best practices from OAuth 2.0. Choose this if your client library supports it.
Application Type: Select the type that best describes your application:
Web Application: A server-side application that users interact with through a browser. This type requires a client secret for secure authentication.
Native Application: A desktop or mobile application installed on a user's device. This type uses Proof Key for Code Exchange (PKCE) for enhanced security.
Server Application: A non-interactive application for machine-to-machine workflows. This type is primarily used for provisioning user information via the System for Cross-domain Identity Management (SCIM) protocol. For more information, see Provision users from an on-premises system with SCIM.
Access Token Validity: Specify the duration (in seconds) for which the access token is valid. The value can be between 900 (15 minutes) and 10,800 (3 hours). The default is 3,600 (1 hour).
Refresh Token Validity: (For web and native applications only) Specify the duration (in seconds) for which the refresh token is valid. The value can be between 7,200 (2 hours) and 31,536,000 (1 year). The default is 2,592,000 (30 days).
Callback Address: Enter one or more callback URLs. After a user grants authorization, the Alibaba Cloud OAuth service redirects the user back to one of these registered URLs. Restricting redirects to registered callback URLs is a critical security measure that prevents authorization codes from being intercepted.
OAuth Scope: Select the permissions (scopes) that your application will request from the user. The access token issued to your application will be limited to the scopes granted by the user. Key scopes include:
openid: (Required) Grants permission to get a unique identifier for the user.
profile: Grants permission to access the user's basic profile information, such as their display name.
aliuid: Grants permission to access the user's Alibaba Cloud account ID (UID).
/acs/scim: Grants permission to manage identities using the SCIM protocol.
For more information, see Manage OAuth scopes.
Click Create Application.
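The following Python example is added here for illustration and is not Alibaba Cloud code. It shows the client side of the Native Application and Callback Address settings above: a PKCE pair as defined in RFC 7636, an authorization URL that is built only for a registered callback and a scope list containing openid, and a token request that carries the code verifier in place of a client secret. The endpoint URL, the loopback callback and the function names are assumptions; the parameter names are the standard OAuth ones.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed placeholders (not from this page): use your provider's real
# authorization endpoint and the callback addresses you registered.
AUTHORIZE_ENDPOINT = "https://oauth.example.invalid/authorize"
REGISTERED_CALLBACKS = {"http://127.0.0.1:8912/callback"}  # constructed


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge) for one authorization attempt."""
    verifier = secrets.token_urlsafe(32)  # 43 URL-safe characters
    return verifier, s256_challenge(verifier)


def authorization_url(client_id, redirect_uri, scopes, challenge, state):
    """Build the browser URL; refuse an unregistered callback or missing openid."""
    if redirect_uri not in REGISTERED_CALLBACKS:  # exact string match only
        raise ValueError("redirect_uri is not a registered callback address")
    if "openid" not in scopes:
        raise ValueError("the openid scope is required")
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


def token_request_form(client_id, code, redirect_uri, verifier):
    """Form fields for redeeming the code: the verifier, not a client secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
```

Generate a new pair for every authorization attempt and keep the verifier only in the application's memory until the code is redeemed.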