ReferenceStructures
OAuth Application Structures
OAuthApplicationView and OAuthAppPublicView returned by OAuth app endpoints.
OAuthApplicationView
Returned by the OAuth application management endpoints (GET, PATCH, POST /secret). The client_secret field is never present in this view — it is only returned once, at creation time, inside CreateAppResponse.
Fields
| Field | Type | Description |
|---|---|---|
id | string (UUID) | Internal application identifier. |
name | string | Human-readable application name. |
description | string | null | Optional description provided at registration. |
client_id | string (UUID) | Public OAuth client identifier. Include this in authorization URLs. |
client_secret_prefix | string | First 12 characters of the raw client secret (display only — used to identify which secret is active). |
redirect_uris | array of strings | Registered callback URIs. |
created_at | string (ISO 8601) | UTC timestamp when the application was registered. |
revoked_at | string (ISO 8601) | null | Set when the application is deleted; null if still active. |
Example
{
"id": "b3c4d5e6-0000-0000-0000-000000000001",
"name": "My Integration",
"description": "Connects MyApp to hzel containers",
"client_id": "a1b2c3d4-0000-0000-0000-000000000001",
"client_secret_prefix": "hzcs_AbCdEfGh",
"redirect_uris": ["https://myapp.example.com/callback"],
"created_at": "2025-06-15T10:00:00Z",
"revoked_at": null
}CreateAppResponse
Returned only by POST /api/v1/oauth/apps. Contains all OAuthApplicationView fields plus the one-time client_secret.
| Field | Type | Description |
|---|---|---|
client_secret | string | The raw client secret — returned only at creation. Prefix hzcs_. Store it immediately and securely. |
(all OAuthApplicationView fields) | See above. |
{
"client_secret": "hzcs_AbCdEfGhIjKlMnOpQrSt...",
"id": "b3c4d5e6-0000-0000-0000-000000000001",
"name": "My Integration",
"description": "Connects MyApp to hzel containers",
"client_id": "a1b2c3d4-0000-0000-0000-000000000001",
"client_secret_prefix": "hzcs_AbCdEfGh",
"redirect_uris": ["https://myapp.example.com/callback"],
"created_at": "2025-06-15T10:00:00Z",
"revoked_at": null
}OAuthAppPublicView
Returned by the unauthenticated GET /api/v1/oauth/apps/public/{client_id} endpoint. Used by the consent screen to show the application's identity before a user approves access.
Fields
| Field | Type | Description |
|---|---|---|
client_id | string (UUID) | Public OAuth client identifier. |
name | string | Application name as registered by the owner. |
description | string | null | Optional description. |
owner_name | string | Display name or email of the user who registered the application. |
Example
{
"client_id": "a1b2c3d4-0000-0000-0000-000000000001",
"name": "My Integration",
"description": "Connects MyApp to hzel containers",
"owner_name": "Alice Example"
}