Settings

The Settings tab on an application controls everything from its identifiers and redirect URIs to token lifetimes and feature toggles. Changes take effect immediately — there's no separate publish step.

Core fields

These fields are required and shown to every application type.

  • Name — The display name shown to users in the login flow. Pick something they'll recognize.
  • Client ID — The stable identifier your code uses. Auto-generated from the name on create, but you can edit it. Allowed characters: alphanumerics, underscores, and dashes. Kenni prefixes it with your team domain at runtime, e.g. @my-app.is/web.
  • Application type — Web, Web (SPA), Native, Machine to Machine, or Device. See Applications overview for what each one means.
  • Application URI (Web / SPA / Native) — The absolute URL of your app. If something goes wrong mid-login, Kenni offers users a button to return here.
  • Redirect URIs (Web / SPA / Native) — One URI per line. Kenni only redirects to URIs on this list. Wildcards are not allowed; list every callback explicitly.
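Because Kenni matches redirect URIs exactly and accepts no wildcards, it is worth lint-checking the list before pasting it into the textarea and understanding what "exact" rules out. The following is an added example (not Kenni's own code): it parses the one-per-line value, applies exact-match validation the way the description implies, and flags entries that would be rejected or that weaken the flow. The URIs and the lint rules are my own; the loose prefix matcher is included only to show what exact matching protects against.

```python
from urllib.parse import urlsplit

# Constructed sample of what a team might paste into "Redirect URIs" (one per line).
REGISTERED_REDIRECT_URIS = [
    "https://my-app.is/callback",
    "https://my-app.is/admin/callback",
    "http://localhost:3000/callback",
]


def parse_registered(text):
    """Split the textarea value into URIs, dropping blank lines and stray whitespace."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_allowed_redirect(requested, registered):
    """Exact string comparison: the only form of matching the Settings tab offers.
    A trailing slash, extra query parameter or different port is a different URI."""
    return requested in registered


def loose_prefix_match(requested, registered):
    """Deliberately weak check, shown for contrast only. Accepting anything that starts
    with a registered URI lets unlisted query strings and sub-paths through."""
    return any(requested.startswith(r) for r in registered)


def lint_registered_uris(uris):
    """Return (uri, problem) pairs for entries worth fixing before saving.
    These rules are my own pre-flight checks, not documented Kenni validation."""
    problems = []
    for uri in uris:
        parts = urlsplit(uri)
        if "*" in uri:
            problems.append((uri, "wildcards are not allowed; list every callback explicitly"))
        if not parts.scheme or not parts.netloc:
            problems.append((uri, "must be an absolute URI"))
        elif parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
            problems.append((uri, "plain http outside localhost exposes the authorization code"))
        if parts.fragment:
            # RFC 6749 section 3.1.2: the redirection endpoint URI must not contain a fragment.
            problems.append((uri, "fragment components are not permitted in redirect URIs"))
    return problems


if __name__ == "__main__":
    for uri, problem in lint_registered_uris(REGISTERED_REDIRECT_URIS + ["https://*.my-app.is/cb"]):
        print(f"{uri}: {problem}")
```

Run the linter over the list you intend to save; anything it prints is either something Kenni will not accept (wildcards) or something you would rather not ship (plain http to a real host).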

Client secret

Only Web and Machine-to-Machine applications get a client_secret. The full value is shown once when the application is created. After that, the Settings tab displays a masked value you can copy.

If you suspect the secret has leaked, use Rotate client secret at the bottom of the Settings tab. Rotation is immediate and irreversible — every integration using the old secret will start failing until updated.

Never embed a client_secret in a SPA, native app, or anything that ships to end users. If you're unsure, use the SPA, Native, or Device application type instead — they authenticate without a secret.

Token lifetimes

These fields live inside the Token lifetimes (TTLs) collapsible section. All values are in seconds.

  • Access token TTL — How long an access token is valid. Default 7200 (2 hours).
  • ID token TTL — How long an ID token is valid. Default 7200 (2 hours).
  • Refresh token TTL — How long a refresh token is valid. Default 86400 (1 day). Not shown for Machine-to-Machine applications, which never receive refresh tokens.

Shorter TTLs limit the blast radius of a leaked token but mean more refresh round-trips. The defaults are a reasonable starting point; tune only if you have a specific reason.
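As an added example (not part of Kenni's documentation), here is a small sanity check for the TTL combination you are about to save, plus the client-side arithmetic for deciding when to refresh. The thresholds in check_ttl_settings are my own rules of thumb rather than Kenni limits; the only documented facts used are the defaults and the absence of refresh tokens for Machine-to-Machine applications.

```python
import time

# Defaults shown in the Settings tab, in seconds.
DEFAULT_TTLS = {"access": 7200, "id": 7200, "refresh": 86400}


def check_ttl_settings(access_ttl, id_ttl, refresh_ttl=None, app_type="Web"):
    """Return warnings for TTL combinations that are legal but usually unintended.
    Thresholds are assumptions of this example, not Kenni validation rules."""
    warnings = []
    for name, value in (("access", access_ttl), ("id", id_ttl), ("refresh", refresh_ttl)):
        if value is not None and value <= 0:
            warnings.append(f"{name} token TTL must be a positive number of seconds")
    if app_type == "Machine to Machine":
        if refresh_ttl is not None:
            warnings.append("Machine-to-Machine applications have no refresh tokens; refresh TTL is ignored")
    elif refresh_ttl is not None and refresh_ttl < access_ttl:
        warnings.append("refresh token expires before the access token; clients that refresh "
                        "only on expiry will be forced to log in again")
    if access_ttl > 86400:
        warnings.append("access tokens valid for more than a day stay usable for a long time if leaked")
    return warnings


def seconds_until_refresh(exp, now=None, margin=60):
    """How long a client may keep using an access token before refreshing proactively.
    `exp` is the already-validated exp claim; `margin` absorbs clock skew and request latency."""
    now = time.time() if now is None else now
    return max(0, int(exp - margin - now))


if __name__ == "__main__":
    print(check_ttl_settings(**{"access_ttl": 7200, "id_ttl": 7200, "refresh_ttl": 3600}))
    issued_at = int(time.time())
    print(seconds_until_refresh(issued_at + DEFAULT_TTLS["access"]))
```

The refresh margin is the practical counterpart of "more refresh round-trips": a shorter access TTL means seconds_until_refresh returns smaller values and the client hits the token endpoint more often.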

Advanced settings

These options live inside the Advanced settings collapsible section. They are not available for Machine-to-Machine or Device clients.

  • Initiate login URI — A URL on your side that can start the login flow. Used by Kenni for recoverable errors.
  • Post logout redirect URIs — Allowed return URLs after RP-initiated logout. One per line. Particularly relevant when single sign-on is enabled.
  • Require PKCE (Web only) — On by default. SPA and Native clients always require PKCE; this toggle exists only because confidential Web clients can disable it for legacy integrations. Leave it on unless you know you need to.
  • Enable test user access — Lets test users (configured under Settings → Test users) authenticate to this application. Only shown if your plan supports test users.
  • Skip passkey prompt — Hides the passkey registration prompt for this application. See Skipping passkeys. Only shown if your plan supports it.
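Require PKCE is on by default, and SPA and Native clients cannot turn it off, so every public client talking to Kenni has to produce a code_verifier and S256 code_challenge. The following is an added example of that mechanism (RFC 7636), not code from Kenni's SDKs: the client-side generation, the parameters that travel on the authorization request, and the recomputation a token endpoint performs. The client_id and redirect_uri values in the usage line are placeholders.

```python
import base64
import hashlib
import secrets


def generate_code_verifier(n_bytes=32):
    """Random code_verifier of 43-128 unreserved characters (RFC 7636 section 4.1).
    32 random bytes base64url-encode to 43 characters once padding is stripped."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier):
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_verifier(stored_challenge, presented_verifier, method="S256"):
    """Token-endpoint side: recompute the challenge from the presented verifier and compare
    in constant time. Only S256 is accepted here; the "plain" method is refused."""
    if method != "S256":
        return False
    if not (43 <= len(presented_verifier) <= 128):
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def build_authorize_params(client_id, redirect_uri, scope="openid"):
    """Assemble the authorization-request parameters. The verifier is returned separately
    because it must stay on the client until the token request."""
    verifier = generate_code_verifier()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": secrets.token_urlsafe(16),
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return verifier, params


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own Client ID and a registered redirect URI.
    verifier, params = build_authorize_params("@my-app.is/web", "https://my-app.is/callback")
    print(params)
    print(verify_code_verifier(params["code_challenge"], verifier))
```

The verifier never appears in the browser redirect, only the challenge does; an authorization code captured in transit is therefore useless without the verifier held by the legitimate client, which is why disabling the toggle for a confidential Web client is only a concession to legacy integrations.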

The following settings live on their own tabs alongside Settings:

  • Branding — Logo, accent color, border radius, and light/dark appearance. See Theming.
  • Consent — Identity scopes the application can request and which ones the user must agree to. See Consent. Plan-gated.
  • API Scopes — Authorize this application to request your team's API scopes.
  • Delegation — Self-delegation toggle plus company and custom delegation configuration. Plan-gated.

Deleting an application

The Delete your application action at the bottom of the Settings tab is permanent and irreversible. Make sure no production traffic still depends on the client_id — once deleted, every authentication and token request against it will fail.

Next steps