# Applications

> Create, configure, and manage applications and their integration attachments.

## Endpoints

| Method   | Path                                            | Purpose                                                 |
| -------- | ----------------------------------------------- | ------------------------------------------------------- |
| `POST`   | `/applications`                                 | Create application                                      |
| `GET`    | `/applications`                                 | List applications                                       |
| `GET`    | `/applications/access-graph`                    | Access graph for policy visualization (dashboard/admin) |
| `GET`    | `/applications/:id`                             | Get application                                         |
| `PATCH`  | `/applications/:id`                             | Update application                                      |
| `DELETE` | `/applications/:id`                             | Archive application                                     |
| `POST`   | `/applications/:id/rotate-secret`               | Rotate client secret                                    |
| `GET`    | `/applications/:id/oauth`                       | Get OAuth config                                        |
| `PATCH`  | `/applications/:id/oauth`                       | Update OAuth config                                     |
| `GET`    | `/applications/:id/integrations`                | List attached integrations                              |
| `PUT`    | `/applications/:id/integrations`                | Replace all integrations                                |
| `POST`   | `/applications/:id/integrations/:integrationId` | Attach integration                                      |
| `DELETE` | `/applications/:id/integrations/:integrationId` | Detach integration                                      |

`id` and `integrationId` path params are UUIDs.

## Create application

<CodeGroup>
  ```bash curl theme={"system"}
  curl -X POST https://api.kontext.security/api/v1/applications \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "My App",
      "oauth": {
        "type": "public",
        "redirectUris": ["http://localhost:3000/callback"],
        "pkceRequired": true,
        "scopes": [],
        "allowedResources": []
      }
    }'
  ```

  ```typescript SDK theme={"system"}
  const { application, oauth } = await client.applications.create({
    name: "My App",
    oauth: {
      type: "public",
      redirectUris: ["http://localhost:3000/callback"],
      pkceRequired: true,
      scopes: [],
    },
  });

  // oauth.clientSecret is only returned by create and rotate-secret
  console.log(application.id, oauth.clientSecret);
  ```
</CodeGroup>

### Request body

| Field   | Type     | Required | Description                      |
| ------- | -------- | -------- | -------------------------------- |
| `name`  | `string` | Yes      | Display name for the application |
| `oauth` | `object` | Yes      | OAuth configuration (see below)  |

### OAuth object

| Field              | Type       | Required | Description                                      |
| ------------------ | ---------- | -------- | ------------------------------------------------ |
| `type`             | `string`   | Yes      | `"public"` or `"confidential"`                   |
| `redirectUris`     | `string[]` | Yes      | Allowed OAuth redirect URIs                      |
| `pkceRequired`     | `boolean`  | No       | Require PKCE for auth code flow (default `true`) |
| `scopes`           | `string[]` | No       | Allowed OAuth scopes                             |
| `allowedResources` | `string[]` | No       | Allowed resource indicators                      |
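
The fields above can be checked before they are sent. This is an added example, not part of the Kontext SDK or API: `lintOAuthConfig`, `OAuthInput` and the specific checks are assumptions, based on general OAuth guidance (PKCE for public clients, no fragments or wildcards in redirect URIs, plain `http` only on loopback hosts).

```typescript
// Added example: pre-flight checks on the `oauth` object. Names are hypothetical.
interface OAuthInput {
  type: "public" | "confidential";
  redirectUris: string[];
  pkceRequired?: boolean;
  scopes?: string[];
  allowedResources?: string[];
}

// WHATWG URL keeps the brackets on IPv6 hostnames.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns human-readable findings; an empty array means nothing was flagged.
function lintOAuthConfig(cfg: OAuthInput): string[] {
  const findings: string[] = [];
  // pkceRequired is documented as defaulting to true, so only an explicit
  // false disables it.
  if (cfg.type === "public" && cfg.pkceRequired === false) {
    findings.push("public client with pkceRequired=false");
  }
  for (const raw of cfg.redirectUris) {
    if (raw.includes("*")) {
      findings.push(`${raw}: wildcard in redirect URI`);
      continue;
    }
    let url: URL;
    try {
      url = new URL(raw);
    } catch {
      findings.push(`${raw}: not an absolute URI`);
      continue;
    }
    // url.hash is "" for a bare trailing "#", so check the raw string too.
    if (url.hash !== "" || raw.endsWith("#")) {
      findings.push(`${raw}: fragment in redirect URI`);
    }
    if (url.username !== "" || url.password !== "") {
      findings.push(`${raw}: embedded credentials`);
    }
    if (url.protocol === "http:" && !LOOPBACK_HOSTS.has(url.hostname)) {
      findings.push(`${raw}: plain http on a non-loopback host`);
    }
  }
  return findings;
}
```

Run it on the object passed to `client.applications.create` or `client.applications.updateOAuth` and refuse to send when the returned array is non-empty.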

### Response

The create response includes the full application object. The `oauth.clientSecret` field is only present in create and rotate-secret responses -- store it immediately.

## List applications

<CodeGroup>
  ```bash curl theme={"system"}
  curl "https://api.kontext.security/api/v1/applications?limit=20" \
    -H "Authorization: Bearer $TOKEN"
  ```

  ```typescript SDK theme={"system"}
  const { items, nextCursor } = await client.applications.list({ limit: 20 });
  ```
</CodeGroup>

Returns a paginated list. Supports `limit` and `cursor` query parameters.
Privileged users (admin/owner) can add `all=true` to list applications across the organization.

## Get access graph

Admin-only endpoint used by the dashboard to visualize app ↔ integration access edges.

```bash theme={"system"}
curl "https://api.kontext.security/api/v1/applications/access-graph?includePolicy=true" \
  -H "Authorization: Bearer $TOKEN"
```

Query parameter:

| Parameter       | Type      | Description                                            |
| --------------- | --------- | ------------------------------------------------------ |
| `includePolicy` | `boolean` | Include computed policy overlays in the graph response |

## Get application

<CodeGroup>
  ```bash curl theme={"system"}
  curl https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
    -H "Authorization: Bearer $TOKEN"
  ```

  ```typescript SDK theme={"system"}
  const { application } = await client.applications.get(
    "550e8400-e29b-41d4-a716-446655440000",
  );
  ```
</CodeGroup>

### Response fields

Response shape: `{ "application": { ... } }`

| Field                | Type             | Description                                        |
| -------------------- | ---------------- | -------------------------------------------------- |
| `id`                 | `string`         | Application ID                                     |
| `name`               | `string`         | Display name                                       |
| `ownerUserId`        | `string`         | ID of the user who created the application         |
| `createdAt`          | `string`         | ISO 8601 timestamp                                 |
| `updatedAt`          | `string`         | ISO 8601 timestamp                                 |
| `archivedAt`         | `string \| null` | Set when the application is archived               |
| `canModify`          | `boolean`        | Whether the current user can edit this application |
| `activeSessionCount` | `number`         | Sessions currently active                          |
| `idleSessionCount`   | `number`         | Sessions idle but not expired                      |
| `liveSessionCount`   | `number`         | Sessions connected right now                       |
| `totalSessionCount`  | `number`         | All sessions (any state)                           |
| `mcpUrlTemplate`     | `string \| null` | MCP URL template generated for the application     |
| `integrations`       | `object[]`       | Attached integrations                              |
| `oauth`              | `object \| null` | OAuth configuration                                |

## Update application

<CodeGroup>
  ```bash curl theme={"system"}
  curl -X PATCH https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{ "name": "Renamed App" }'
  ```

  ```typescript SDK theme={"system"}
  const { application } = await client.applications.update(
    "550e8400-e29b-41d4-a716-446655440000",
    {
      name: "Renamed App",
    },
  );
  ```
</CodeGroup>

Send only the fields you want to change. Omitted fields are left unchanged.

## Archive application

<CodeGroup>
  ```bash curl theme={"system"}
  curl -X DELETE https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
    -H "Authorization: Bearer $TOKEN"
  ```

  ```typescript SDK theme={"system"}
  await client.applications.archive("550e8400-e29b-41d4-a716-446655440000");
  ```
</CodeGroup>

Archiving sets `archivedAt` and revokes all active sessions. This does not permanently delete the application. Returns HTTP 204 with no response body.

## Rotate client secret

<CodeGroup>
  ```bash curl theme={"system"}
  curl -X POST https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/rotate-secret \
    -H "Authorization: Bearer $TOKEN"
  ```

  ```typescript SDK theme={"system"}
  const result = await client.applications.rotateSecret(
    "550e8400-e29b-41d4-a716-446655440000",
  );
  console.log(result.oauth.clientSecret);
  ```
</CodeGroup>

Returns the application with a new `oauth.clientSecret`. The previous secret is invalidated immediately. Store the new secret -- it will not be shown again.

## Get OAuth config

<CodeGroup>
  ```bash curl theme={"system"}
  curl https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/oauth \
    -H "Authorization: Bearer $TOKEN"
  ```

  ```typescript SDK theme={"system"}
  const { oauth } = await client.applications.getOAuth(
    "550e8400-e29b-41d4-a716-446655440000",
  );
  ```
</CodeGroup>

## Update OAuth config

<CodeGroup>
  ```bash curl theme={"system"}
  curl -X PATCH https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/oauth \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{ "redirectUris": ["https://myapp.com/callback"] }'
  ```

  ```typescript SDK theme={"system"}
  const { oauth } = await client.applications.updateOAuth(
    "550e8400-e29b-41d4-a716-446655440000",
    {
      redirectUris: ["https://myapp.com/callback"],
    },
  );
  ```
</CodeGroup>

Partial update -- send only the fields you want to change.

## List attached integrations

<CodeGroup>
  ```bash curl theme={"system"}
  curl https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations \
    -H "Authorization: Bearer $TOKEN"
  ```

  ```typescript SDK theme={"system"}
  const { integrationIds } = await client.applications.listIntegrations(
    "550e8400-e29b-41d4-a716-446655440000",
  );
  ```
</CodeGroup>

Returns the integrations currently attached to this application.

## Replace all integrations

<CodeGroup>
  ```bash curl theme={"system"}
  curl -X PUT https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{ "integrationIds": ["11111111-1111-4111-8111-111111111111", "22222222-2222-4222-8222-222222222222"] }'
  ```

  ```typescript SDK theme={"system"}
  await client.applications.setIntegrations(
    "550e8400-e29b-41d4-a716-446655440000",
    {
      integrationIds: [
        "11111111-1111-4111-8111-111111111111",
        "22222222-2222-4222-8222-222222222222",
      ],
    },
  );
  ```
</CodeGroup>

Replaces the entire integration set. Any previously attached integration not in the list is detached.
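
Because the `PUT` detaches anything missing from the list, it helps to diff the desired set against the current one first. This is an added example, not part of the Kontext SDK: `planIntegrationReplace`, `ReplacePlan` and the `maxDetach` guard are hypothetical names, and the only API facts it relies on are that IDs are UUIDs and that the request body is `{ integrationIds }`.

```typescript
// Added example: preview what a PUT .../integrations call would change.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

interface ReplacePlan {
  attach: string[];    // in desired, not currently attached
  detach: string[];    // currently attached, missing from desired
  unchanged: string[]; // present in both
  body: { integrationIds: string[] }; // request body to send
}

// current: IDs from "List attached integrations"; desired: the set to send.
// maxDetach is a hypothetical client-side limit, not an API parameter.
function planIntegrationReplace(
  current: string[],
  desired: string[],
  maxDetach = 0,
): ReplacePlan {
  // Validate, lowercase and de-duplicate so the diff is not thrown off by
  // case differences or repeated IDs.
  const normalize = (ids: string[]): string[] => {
    const seen = new Set<string>();
    for (const id of ids) {
      if (!UUID_RE.test(id)) throw new Error(`not a UUID: ${id}`);
      seen.add(id.toLowerCase());
    }
    return Array.from(seen);
  };
  const cur = normalize(current);
  const want = normalize(desired);
  const curSet = new Set(cur);
  const wantSet = new Set(want);
  const plan: ReplacePlan = {
    attach: want.filter((id) => !curSet.has(id)),
    detach: cur.filter((id) => !wantSet.has(id)),
    unchanged: cur.filter((id) => wantSet.has(id)),
    body: { integrationIds: want },
  };
  // Refuse to proceed when the replace would silently drop more than expected.
  if (plan.detach.length > maxDetach) {
    throw new Error(
      `replace would detach ${plan.detach.length} integration(s): ${plan.detach.join(", ")}`,
    );
  }
  return plan;
}
```

Feed it the `integrationIds` returned by `client.applications.listIntegrations`, then pass `plan.body` to `client.applications.setIntegrations` once the plan has been reviewed.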

## Attach integration

<CodeGroup>
  ```bash curl theme={"system"}
  curl -X POST https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations/11111111-1111-4111-8111-111111111111 \
    -H "Authorization: Bearer $TOKEN"
  ```

  ```typescript SDK theme={"system"}
  await client.applications.attachIntegration(
    "550e8400-e29b-41d4-a716-446655440000",
    "11111111-1111-4111-8111-111111111111",
  );
  ```
</CodeGroup>

Adds a single integration to the application. No-ops if already attached.

## Detach integration

<CodeGroup>
  ```bash curl theme={"system"}
  curl -X DELETE https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations/11111111-1111-4111-8111-111111111111 \
    -H "Authorization: Bearer $TOKEN"
  ```

  ```typescript SDK theme={"system"}
  await client.applications.detachIntegration(
    "550e8400-e29b-41d4-a716-446655440000",
    "11111111-1111-4111-8111-111111111111",
  );
  ```
</CodeGroup>

Removes the integration from this application. Existing user connections to that integration remain intact but will no longer be usable through this application.
