RestApiCategories.platformAdministration.desc

platform_administration

2024.09

2024.03

Viya_35

2025.08

2025.09

2025.10

2025.03

2025.11

2025.07

The SAS Logon API provides the standard OAuth protocol endpoints through which clients obtain access tokens to make API calls. Terminology: <ul> <li> Client: An application making protected resource requests on behalf of the resource owner and with its authorization.</li> </ul>

SAS Logon

Deletes the client that is specified in the request. Authorization: Bearer token with clients.write, clients.admin, zones.{zoneId}.admin, or equivalent (SASAdministrators) scope.

clientId

No client exists at the requested path. The requested client could not be found or was deleted successfully.

Delete client

The OAuth client information that is returned from the server response.

Client

Client Collection

The OAuth client information that is passed as input to the POST/PUT calls.

Client Input

Client Secret

Error

A link to a related operation or resource.

Link

A list of links related to an operation or resource

Links

An example of a request body to change a secret.

An example of performing a PUT request to change a secret.

An example of a request body for creating a client

My custom application

An example of performing a POST request to create a client

An example of a request body for obtaining an access token on behalf of an end user by providing an authorization code

Obtain an Access Token Using an authorization code request body

An example of a client application obtaining an access token on behalf of an end user by providing the users password credentials

Obtain an Access Token Using an authorization code response

An example of a request body for obtaining an access token using its client credentials

An example of a client application obtaining an access token using its client credentials

Obtain Access Token Using Client Credentials

An example of a request body for obtaining an access token on behalf of an end user by providing the users password credentials

Obtain an Access Token Using Resource Owner Password Credentials

Microsoft Azure SCIM client

An example of a request body for updating a client

An example of performing a PUT request to update a client

Here is an example of an error response when the body is missing from a PUT request to change the client secret.

The epoch (milliseconds) of the moment the client information was last altered.

The time in seconds to access token expiration after it is issued.

The list of the origin keys (alias) for identity providers that the client is limited to. Null implies any identity provider is allowed.

An indication whether the approvals were deleted for the client and an audit event was sent.

The list of groups the client is a member of, to access resources and endpoints.

The list of grant types that can be used to obtain a token with this client. Types can include authorization_code, password, implicit, and client_credentials.

The scopes that do not require user approval, or a simple Boolean value to apply to all scopes.

The client identifier that is unique within identity zone.

The secret string used for authenticating as this client. To support secret rotation this can be a space-delimited string of two secrets. This is required if the client allows authorization_code or client_credentials grant type.

The scope that the bearer token had when the client was created.

The allowed URI pattern for redirect during authorization or "urn:ietf:wg:oauth:2.0:oob" for out-of-band delivery.

The time in seconds to refresh token expiration after it is issued.

A list of group names. If a user does not belong to all the required groups, the user will not be authenticated and no tokens are issued to this client for that user. If this field is not specified, authentication and token issuance proceeds normally.

The resources that the client is allowed to access.

The list of scopes allowed for the client to obtain on behalf of users, when using any grant type other than "client_credentials". For most SAS Viya APIs, "openid" and "uaa.user" are sufficient. For client applications that only use the grant type "client_credentials" and therefore do not act on behalf of users, use the default scope "uaa.none".

A random string that is used to generate the client's revocation key. Change this value to revoke all active tokens for the client.

(Optional) The default is UPDATE. If change mode is set to ADD, then the new secret is added to the existing one. If the change mode is set to DELETE, then the old secret is deleted to support secret rotation. Only two client secrets are supported at any given time.

The valid client secret before updating. This is optional if authenticated as an admin client. Otherwise, it is required.

Messages that provide additional details about the cause of the error.

A message that describes how to resolve the error.

The version number of the error representation. This representation is version 2.

If this is a link to a container, `itemType` is the media type or link type for the items in the container.

The relationship of this URL to the object.

The media type or link type of the items in the response body for a `PUT`, `POST`, or `PATCH` operation.

The media type or link type of the response body for a `PUT`, `POST`, or `PATCH` operation.

SAS Developers

Returns a list containing a link to only top-level collections surfaced by this API. These top level links include the server information endpoint.

OK - returns the collection of top level links

Returns the collection of clients registered. Authorization: Bearer token with clients.read, clients.admin, zones.{zoneId}.admin, or equivalent (SASAdministrators) scope.

The SCIM filter for querying clients. The default is 'client_id pr'.

filter

The field to sort results by. The default is client_id.

sortBy

The sort order of results by ascending or descending order. The default is ascending.

sortOrder

The index of the first result on which to begin the page. The default is 1.

startIndex

The number of results per page. The default is 100.

count

The request was invalid. An invalid query parameter was specified.

Creates a new client. Authorization: Bearer token with clients.write, clients.admin, zones.{zoneId}.admin, or equivalent (SASAdministrators) scope.

A client object was created. The secret is masked in the response.

Returns the client that is specified in the request. Authorization: Bearer token with clients.read, clients.admin, zones.{zoneId}.admin, or equivalent (SASAdministrators) scope.

Returns whether the client that is specified in the request exists. Authorization: Bearer token with clients.read, clients.admin, zones.{zoneId}.admin, or equivalent (SASAdministrators) scope.

The request succeeded. The requested client exists.

Updates the existing client that is specified in the request. This method performs a full replacement of the client resource. The ID may not be changed. Authorization: Bearer token with clients.write, clients.admin, zones.{zoneId}.admin, or equivalent (SASAdministrators) scope.

The request succeeded and the updated client object is returned. The secret is masked in the response.

No client exists at the requested path. The requested client could not be updated.

Changes the secret for the client that is specified in the request. Authorization: Bearer token with clients.write, clients.admin, zones.{zoneId}.admin, or equivalent (SASAdministrators) scope.

The request succeeded. The secret was updated.

Obtains an access token on behalf of an end user, using an authorization code provided by the user along with the client identifier and the associated secret that have been registered with the SAS environment. The authorization code is validated and can be used only once. If it is valid, the SAS Logon API returns an access token. Obtaining access tokens on behalf of an end user is required for all SAS Viya APIs that support user and group authorization rules.

The basic authorization header containing the registered OAuth client identifier and secret. Optional if this information is passed as part of the form data.

Authorization

Obtains an access token based on client credentials that have been granted to the registered client application. The SAS Logon service verifies the supplied client credentials. If they are valid, an access token is returned. Obtaining access tokens via client credentials grant works only with SAS Viya APIs that do not enforce authorization.

Obtains an access token on behalf of an end user, using that user's authenticating credentials (such as username and password) along with the client identifier and the associated secret that have been registered with the SAS environment. The user credentials are validated. If they are valid, the SAS Logon API returns an access token. Obtaining access tokens on behalf of an end user is required for all SAS Viya APIs that support user and group authorization rules.

Status	Meaning	Description
200	OK	client deleted
404	Not Found	No client exists at the requested path. The requested client could not be found or was deleted successfully.

Delete client

Request Samples

Response Samples

Path Parameters

Responses