API Clients and Permissions

API clients control access to the Registration API. The features that are applied to an API client control the base level of read and write access it will have to user records and application management functionality. Additional access control can be put in place with client access schemas.

Client Feature Sets

The following features may be set for an API client. If client features are not set on creation, they can be added or updated through the Janrain Console or using the Client and Settings APIs.

Feature and description:

  • access_issuer: This type of client has permission to issue access tokens scoped for use with all clients.
  • direct_access: This type of client has read and write access to all user records using the client ID and secret.
  • direct_read_access: This type of client has read access to all user records using the client ID and secret.
  • login_client: This type of client is scoped with read and write access to only the currently authenticated user. It can only be used with sign-in and registration based API endpoints. All client-side API calls should be made using a client with this feature.
  • metadata: This type of client will not update the lastUpdated attribute when posting updates to a user record. This client feature set is commonly used with third-party integrations. This type of client can only be provisioned by the Janrain team.

    Note: Do not update a client with the metadata feature through the Console; this will remove the feature and may cause unexpected results.

  • owner: This type of client has complete admin access to the application. The application owner credentials should only be used for administrative configuration purposes, such as provisioning additional API Clients, updating client settings, and managing your schema.

Client Access Schemas

API clients can also be restricted to read or write access on a subset of specific attributes within an entity type. Custom access schemas are commonly used for integrations with third-party applications, giving each application controlled access to the user database limited to the attributes it actually needs. This is configured on a per-client basis using the /entityType.setAccessSchema endpoint.

This diagram provides some more context about how authorization can be managed for API clients. Integrations with other systems, such as an Email Service Provider, Ad Server, or CRM, use API clients that can query the database and receive result sets used for data synchronization or data analysis efforts. Each of these clients can be granted access to only the attributes needed to support its specific business need, as opposed to being given access to the whole record.

Within the diagram:

  • The API Client assigned to the Email Service Provider only has access to the user’s email address, first name, and opt-ins.
  • The API Client assigned to the Ad Server only has access to the user’s DOB and gender.
  • The API Client assigned to the Recommendation Engine only has access to the user’s Interests.
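The following is an added example, not Janrain's own code, modelling the three diagram clients above as per-client access schemas: it builds the form parameters for /entityType.setAccessSchema (the parameter names type_name, for_client_id, access_type and attributes are assumed from the endpoint, not taken from this page), projects a user record down to what a client may read, and reports which attributes in an update the client may not write. Client IDs and attribute names other than email, givenName, optIn, birthday, gender and interests are constructed placeholders.

```python
import json

# Constructed access schemas for the three diagram clients (client IDs are
# placeholders; attribute names not on the page are assumed). Granting a
# parent attribute such as optIn covers every nested leaf beneath it.
ACCESS_SCHEMAS = {
    "esp-client-id": {"read": ["email", "givenName", "optIn"], "write": ["optIn"]},
    "adserver-client-id": {"read": ["birthday", "gender"], "write": []},
    "recommendation-client-id": {"read": ["interests"], "write": []},
}


def set_access_schema_params(type_name, for_client_id, access_type, attributes):
    """Form parameters for /entityType.setAccessSchema (parameter names assumed)."""
    if access_type not in ("read", "write"):
        raise ValueError("access_type must be 'read' or 'write'")
    return {"type_name": type_name, "for_client_id": for_client_id,
            "access_type": access_type, "attributes": json.dumps(attributes)}


def flatten(obj, prefix=""):
    """Yield (dotted_path, value) pairs for every leaf of a nested record."""
    if isinstance(obj, dict) and obj:
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}{key}.")
    else:
        yield prefix.rstrip("."), obj


def covered(path, granted):
    """True when `path` equals a granted attribute or lies beneath one."""
    return any(path == g or path.startswith(g + ".") for g in granted)


def project_record(client_id, record):
    """Return only the leaves the client's read schema grants, as a nested dict."""
    granted = ACCESS_SCHEMAS[client_id]["read"]
    out = {}
    for path, value in flatten(record):
        if covered(path, granted):
            node, parts = out, path.split(".")
            for part in parts[:-1]:
                node = node.setdefault(part, {})
            node[parts[-1]] = value
    return out


def denied_writes(client_id, update):
    """Dotted paths in `update` the client's write schema does not grant."""
    granted = ACCESS_SCHEMAS[client_id]["write"]
    return sorted(p for p, _ in flatten(update) if not covered(p, granted))
```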