YouTrack Server 2026.2 Help

OAuth Clients

OAuth clients are external applications that use YouTrack as an OAuth authorization server. Instead of sharing their credentials with the application or creating a permanent token for it, users authorize access on a page in YouTrack where they approve the application's request. This setup can be used by REST API integrations, MCP clients, and other third-party applications that support OAuth.

Access granted through an OAuth client never exceeds the permissions of the user who authorizes the application.

Each OAuth client has a generated Client ID and, when required, a Client secret. External applications use these credentials to identify themselves when they request OAuth authorization or access tokens from YouTrack.

The OAuth Clients page in Access Management.

Use the OAuth Clients page to add application-specific clients, configure OAuth flows, manage redirect URIs, and review clients that were registered automatically. To open this page, select Administration > Access Management > OAuth Clients.

Automatic OAuth Client Registration

The Automatic OAuth Client Registration section.

The first section on the page controls whether compatible applications can register OAuth clients automatically.

Setting

Description

Allow automatic OAuth client registration via CIMD

Allows compatible applications to use Client ID Metadata Documents (CIMD) to register OAuth clients automatically during authorization. This setting is only required for automatic registration.

This option is inactive by default. Leave it inactive when you want administrators to create and review OAuth clients manually before users connect external applications.

OAuth Clients List

The OAuth Clients list with the filter field, toolbar actions, and client rows.

The OAuth Clients section shows the registered OAuth clients. Use the Filter by name field to find clients in the list. Click New OAuth client to add a client manually.

The list contains the following columns:

Column

Description

Name

The client name, icon, and status badges.

Home URL

The website or base location for the external application.

Application

The application name, when this information is available.

OAuth clients can show the following status badges:

Badge

Description

inactive

No supported authentication flow is active for the client.

auto-registered

The client was registered automatically by a CIMD-compatible application.

Create an OAuth Client

The New OAuth client dialog.

Create a separate OAuth client for each external application that needs to request access to YouTrack on behalf of users.

To create an OAuth client:

  1. Open Administration > Access Management > OAuth Clients.

  2. Click New OAuth client.

  3. Enter a name for the client.

  4. Configure the client in the details sidebar. Depending on the external application, you might need to set the Home URL, Base URLs, Redirect URIs, supported authentication flows, user consent requirement, and URI patterns. For more information, see OAuth Client Details.

  5. On the Authentication tab, select at least one supported authentication flow.

  6. Click Save.

  7. Copy the generated Client ID. If the application is a confidential client, also copy the generated Client secret.

Delete an OAuth Client

Select one or more OAuth clients in the list and click Delete to remove them. The same action is also available from the Show more menu for each client.

Deleting an OAuth client removes its OAuth access configuration from YouTrack.

OAuth Client Details

The details sidebar for a selected OAuth client.

Select a client in the list to open its details sidebar. The sidebar stays on the same page and contains the Authentication and Settings tabs for the selected client.

Authentication Settings

Authentication settings for an OAuth client.

The Authentication tab contains the client ID, the client secret action, supported OAuth flows, consent requirement, Base URLs, and Redirect URIs. Authentication is off until at least one supported flow is selected.

Setting

Description

Client ID

The identifier that the external application uses when it starts an OAuth authorization request.

Client secret

A secret value for confidential clients. Store this value securely and use it only from trusted server-side code. Click Change to replace the current secret.

Authentication is off

A warning shown when no supported authentication flow is active for the client.

Client Credentials flow

Lets a client application authenticate and access resources directly using its own credentials, with no user involvement.

Authorization Code flow

Lets a web application obtain tokens by exchanging an authorization code after the user logs in.

Require PKCE

Requires Proof Key for Code Exchange for the Authorization Code flow. Select this option when the external application uses PKCE, especially for public clients.

Implicit flow

Lets browser-based applications obtain tokens directly from the authorization server after user login. This flow is deprecated in favor of the Authorization Code flow with PKCE.

Resource Owner flow

Lets applications obtain tokens by asking users to enter their credentials directly. This flow is deprecated in favor of more secure authorization methods.

Require user consent

Requires users to approve access before the client can access YouTrack on their behalf.

Base URLs

The trusted base URLs for the external application. YouTrack uses these URLs, together with the Home URL, to resolve relative redirect URIs and validate token audience.

Redirect URIs

The redirect locations that the client can use after authorization. A redirect URI in an authorization request must match a registered absolute URI, a registered loopback IP URI, or a relative URI resolved against the OAuth client Home URL or one of its Base URLs.

Untrusted redirect URIs

Redirect URIs that were used in authorization requests but aren't registered for the client. Review these values before adding them to the trusted redirect URIs for the client.

If a user tries to authorize an OAuth client with a redirect URI that isn't trusted, YouTrack blocks the request and stores the URI for administrator review. Add the URI only when you recognize it as a valid endpoint for the external application.
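As an added example, not YouTrack's own code, the following Python sketch models the two server-side checks described above under Require PKCE and Redirect URIs: matching a requested redirect URI against the registered absolute, loopback IP, and relative entries, and verifying an S256 PKCE challenge at the token endpoint. The OAuthClient record, the function names, the sample URLs and the client ID placeholder are all constructed. Two readings are assumptions: that registered relative URIs are resolved against the Home URL and each Base URL before comparison, and that a registered loopback IP URI matches regardless of port, as RFC 8252 section 7.3 allows for native apps.

```python
"""Added example (not YouTrack code): the checks an OAuth authorization
server applies to an Authorization Code + PKCE request for a registered
client: redirect URI validation and PKCE challenge verification."""
import base64
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit


@dataclass
class OAuthClient:
    """Hypothetical client record mirroring fields in the details sidebar."""
    client_id: str
    home_url: str
    base_urls: list = field(default_factory=list)
    redirect_uris: list = field(default_factory=list)   # absolute, loopback IP, or relative
    require_pkce: bool = True
    untrusted_redirect_uris: list = field(default_factory=list)  # queued for admin review


def _is_loopback_ip(url):
    """True when the URL host is a loopback IP address (127.0.0.0/8 or ::1)."""
    host = urlsplit(url).hostname
    try:
        return host is not None and ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def _exact_match(a, b):
    """Compare scheme, authority, path and query; a redirect URI carries no fragment."""
    return urlsplit(a)[:4] == urlsplit(b)[:4]


def _match_ignoring_port(a, b):
    """Loopback match: assumption that the port may vary (RFC 8252 section 7.3)."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.path, pa.query) == (pb.scheme, pb.hostname, pb.path, pb.query)


def redirect_uri_is_trusted(client, redirect_uri):
    """Apply the three matching rules listed under the Redirect URIs setting."""
    if urlsplit(redirect_uri).fragment:
        return False  # RFC 6749 section 3.1.2: a redirection URI must not include a fragment
    for registered in client.redirect_uris:
        if urlsplit(registered).scheme == "":
            # Registered relative URI: resolve against the Home URL and each Base URL (assumed reading)
            for base in [client.home_url, *client.base_urls]:
                if _exact_match(urljoin(base, registered), redirect_uri):
                    return True
        elif _is_loopback_ip(registered):
            # Registered loopback IP URI: the request must also target a loopback IP
            if _is_loopback_ip(redirect_uri) and _match_ignoring_port(registered, redirect_uri):
                return True
        elif _exact_match(registered, redirect_uri):
            # Registered absolute URI: exact match only
            return True
    return False


def _s256(code_verifier):
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh code_verifier (86 chars, within RFC 7636's 43..128) and its challenge."""
    verifier = secrets.token_urlsafe(64)
    return verifier, _s256(verifier)


def verify_pkce(code_verifier, stored_challenge, method="S256"):
    """Token endpoint side: recompute the challenge from the presented verifier."""
    if method != "S256":
        return False  # assumption: the weaker 'plain' method is not accepted
    if not 43 <= len(code_verifier) <= 128:
        return False
    return secrets.compare_digest(_s256(code_verifier), stored_challenge)


def authorize_request(client, redirect_uri, code_challenge=None, code_challenge_method=None):
    """Authorization endpoint: returns (accepted, reason)."""
    if not redirect_uri_is_trusted(client, redirect_uri):
        client.untrusted_redirect_uris.append(redirect_uri)  # blocked and kept for administrator review
        return False, "redirect_uri is not registered for this client"
    if client.require_pkce and (not code_challenge or code_challenge_method != "S256"):
        return False, "PKCE is required: supply code_challenge with code_challenge_method=S256"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample client; URLs and client ID are placeholders, not real endpoints
    client = OAuthClient(
        client_id="CLIENT_ID_PLACEHOLDER",
        home_url="https://app.example.com",
        base_urls=["https://staging.example.com"],
        redirect_uris=["/oauth/callback", "http://127.0.0.1/cb"],
    )
    verifier, challenge = make_pkce_pair()
    print(authorize_request(client, "https://staging.example.com/oauth/callback", challenge, "S256"))
    print(authorize_request(client, "http://127.0.0.1:49152/cb", challenge, "S256"))
    print(authorize_request(client, "https://other.example.net/oauth/callback", challenge, "S256"))
    print(client.untrusted_redirect_uris)
    print(verify_pkce(verifier, challenge), verify_pkce(verifier + "x", challenge))
```

The relative entry "/oauth/callback" is accepted on both the Home URL and the Base URL origins, the loopback entry accepts any port, and the unregistered origin is refused and lands in the untrusted list, which is the list an administrator reviews before trusting a value.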

The Change OAuth Client Secret dialog.

To change the client secret:

  1. Open Administration > Access Management > OAuth Clients.

  2. Select the OAuth client in the list.

  3. On the Authentication tab, click Change next to the Client secret.

  4. Choose how to set the new secret:

    • Select Generate to let YouTrack create a new secret value.

    • Select Key in to enter and confirm a custom secret value.

  5. Copy and store the new secret value.

  6. Click Change secret.

  7. Update the connected application with the new secret.

General Settings

General settings for an OAuth client.

Use the Settings tab to review and update general client information.

Setting

Description

Name

The display name of the OAuth client. Use a name that helps administrators identify the external application.

Description

An optional description for the client.

Home URL

The absolute base URL for the external application. YouTrack also uses this URL to resolve relative redirect URIs.

User URI pattern

A URI pattern that uses :id or :login to reference users in the external application.

Group URI pattern

A URI pattern that uses :id or :name to reference groups in the external application.

Application information

Read-only application metadata, such as application name, version, vendor, and release date, when this information is available.

23 June 2026