Client Application Management

CMap’s APIs use OAuth 2.0 to authenticate consumers. Before you can authenticate, you or your system administrator need to create a Client Application within CMap.

Navigate to the Admin section in your CMap instance and select Client Application Management within the Users & Security section. This tool will allow you to create Client Applications, representing individual integrations.

Please note that this functionality is only available for CMap enterprise clients. Contact your account manager if you would like to discuss access to the CMap API.

Select “Create New Client” to proceed. On the following page you will be required to enter a Name for your integration and a description for your own reference, and to select a Client Type (detailed below). The Client Type determines how you may authenticate.

When saving, if the Client Type selected requires a Client Secret for Authentication, a secret will be provided. The Client Secret must be stored securely, as you will need to exchange it for a token each time you use this client.

The client secret can be reset from this page at any time.

Resetting a client secret will invalidate the old secret, preventing any consumers using it from authenticating.


Client Credentials (Machine-to-Machine)

The Client Credentials type is intended for Machine-to-Machine interactions where no user will be interacting with your application. Examples of this may include export or import tools, where your integration runs on a schedule or trigger.

To set up this client type, you must select a Security Group which will restrict the application’s access via the API. CMap recommends limiting access as much as is feasible.

You will also be prompted to select an Office and a Team. This will not affect the data available to your application, which will see data from any office. However, any records created by this integration will sit under the selected Office and/or Team unless otherwise specified.


Authorization Code (Interactive Application)

The Authorization Code type is intended for integrations where a user will be actively interacting with your application. Examples of this may include reporting tools or web applications, where a user is performing actions as themselves and should themselves be responsible for actions taken by the integration on their behalf.

You must also specify an Application Type which will inform the authorization method used. For web applications with a secure backend you should select Secrets, whereas for installed Desktop or Mobile applications you should select Proof Key Code Exchange (PKCE) in order to protect your client secret.

To set up this client type, you must specify at least one Redirect URI, which will then be validated during the Authorization flow detailed here:

Authentication and Authorization

You may also specify Post-Logout Redirect URIs if you wish to support Single-Sign Out in your application, and optionally a Back-Channel Logout URI if you wish to receive a notification when a user signs out of CMap or uses the "Sign Out Everywhere" button.