Managing Applications
All your applications live under Developers → Applications, a single list mixing OIDC and SAML rows (each with a protocol badge). This page covers everything after creation.
The default application
The first row is your project's built-in default OIDC application — the credentials that ship with every MojoAuth project (its own API Key / Client ID). It's marked Default and is view-only here; open it to see its API credentials and Authentication Endpoints. Use it for quick first-party integrations, or register dedicated applications for anything more.
Editing
Click a connection or application's name (or ⋯ → Edit) to open its detail page.
Edits are a full replace. When you save, MojoAuth stores the entire configuration you see on the page. The detail form always loads the current values first, so just change what you need and save — but don't clear a field you still want (e.g. removing all redirect URIs takes an OIDC app offline).
OIDC applications
Editable: name, callback / post-logout URLs, scopes, grant types, token TTLs, skip-consent, custom claims, and enabled/disabled status. The Client ID is read-only; the Client Secret is never shown again (rotate to get a new one).
SAML connections
Editable: name, SP Entity ID, ACS URL, NameID format, signing/encryption toggles, attribute mappings, and enabled/disabled status. The IdP details card provides copy buttons for the metadata / SSO / SLO URLs and the signing certificate. Use Import metadata to auto-fill (under Configure) to re-import the SP's metadata at any time.
Rotate a client secret
On an OIDC application's detail page, click Rotate secret. MojoAuth generates a new
client_secret and shows it once — copy it, update your app, and deploy.
Rotating replaces the secret immediately. Update and deploy your app promptly to avoid downtime.
Enable / disable
Toggle Enabled on the detail page (SAML) or set status (OIDC). A disabled application is rejected
at /authorize and /oauth/token (OIDC) or at the SSO endpoint (SAML) — users can't log in through
it until you re-enable it.
Draft connections
A SAML connection created from just a name (with no entity_id / ACS yet) is a Draft — it shows a
"Draft — needs metadata" badge. It exists and has its IdP URLs, but can't complete SSO until you
add the SP's details. Open it and use Import metadata to auto-fill or the manual fields to finish.
Delete
⋯ → Delete on the list, or the Delete danger zone on the detail page. Deletion is permanent —
users can no longer sign in through that application, and for OIDC the client_id stops working.
Environments & permissions
- Test vs Live — the list and every action are scoped to the current environment (badged TEST / LIVE). Applications don't cross environments.
- Permissions — creating, editing, rotating and deleting require the Applications: Manage permission. Members without it can view but not change.