Modify an API Client

Endpoint URL: {identityDomain} /config/{appId} /clients/{apiClientId}


Updates permissions and settings for an existing API client.  To update an API client, you must specify the client properties in the request body of your API call. Those client properties include:

  • name. The only required property. If you do not specify a name your API call will fail.

  • ipWhitelist. JSON array of Classless Inter-Domain Routing IP addresses; only the addresses included on the whitelist will be able to interact with the client. If you do not include the ipWhitelist property then the value will automatically be set to, which allows any IP address to interact with the client.
  • features. Specifies the client feature(or features) associated with the API client. Available feature sets include:
    • access_issuer. Issues access tokens scoped for use will all API clients.
    • direct_access. Has read/write access to all user records.
    • direct_read_access. Has read-only access to all user records.
    • login_client. Has read/write access to the user record for the current user. Login_clients are typically used for login and registration. Clients with the login_client feature cannot be associated with any other feature; for example, you cannot have a client that has both the login_client and, say, the direct_access features.
    • owner. Has full administrative access to the application.
    • Metadata. Does not update the lastUpdated attribute when updating other attributes in a user profile. For example, suppose the lastUpdated attribute has a value of 7/5/2018. On 7/12/2018, you use a property that has the metadata attribute to change the displayName in a user profile from Bob Johnson to Robert Johnson. The displayName will now be set to Robert Johnson. However, the lastUpdated attribute will still be set to 7/5/2018.

You do not have to assign a feature when you update a client. However, doing so deletes all existing features from the client. In turn, that client will not have permission to do anything until it has been assigned a feature.

Both ipWhitelist and features must be passed as JSON arrays. In a JSON array, individual values are enclosed in double quote marks and separated by using commas. In addition, the entire set of values is surrounded square brackets:

["access_issuer", "direct_access"]

Your API call must have owner permissions in order to update a new client.

Respects the API Client Allow List:  Yes

API Client Permissions

The following table indicates the API clients that can (and the API clients that can't) be used to call this endpoint:



This endpoint supports Basic authentication. 

How to Create an Authentication String

Base URL

The base URL for this endpoint is your Configuration API domain followed by /config/ followed by your application ID. For example, if you are in the US region and your application ID is htb8fuhxnf8e38jrzub3c7pfrr, then your base URL would be:       

Allowed regions are:

  • us 
  • eu 
  • au 
  • sa 
  • cn
  • sg

Sample Request (curl)

This command updates the API client 3bchk5hsx6v58dkn288nbybmxfyk32u7. In this example, the client is renamed Documentation Login Client and is assigned the login_client feature. Because the ipWhitelist property is not included, that value will be reset to the default value of, which means that any IP address can interact with the client.

curl -X PUT \
  -H 'Authorization: Basic c2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg' \ \
  -H 'Content-Type: application/json' \
  -d '{    
     "name": "Documentation Login Client", 
     "features": ["login_client"] 

      Running this command in Postman


200 OK

If your API call succeeds, you'll get back the new property values for the API client:

   "_id": "3bchk5hsx6v58dkn288nbybmxfyk32u7",
   "_secret": "j383npa9g4hfdye9t5es72x8r374tdfh",
   "_self": "/config/73jzx34tnr5ruhsze494ssgz2b/clients/3bchk5hsx6v58dkn288nbybmxfyk32u7",
   "_settings": "/config/73jzx34tnr5ruhsze494ssgz2b/clients/3bchk5hsx6v58dkn288nbybmxfyk32u7/settings",
   "features": [
   "ipWhitelist": [
   "name": "Documentation Login Client"

Error Codes

The following table includes information about some of the error codes that you could encounter when calling this endpoint.

Error Code



Error Message: Authentication required.

You either failed to provide credentials or provided invalid credentials. This endpoint requires Basic authentication.


Error Message: The metadata feature can only be applied to a client by Akamai.

Remove "metadata" from the list of features and try the API call again.


Error Message: Missing data for required field.

Error Message: Name not supplied


Error Message: Not a valid string.


Error Message: Not a valid CIDR address.

One of or more of the IP addresses on the IP whitelist has been incorrectly formatted.


Error Message: Not a valid feature name.


Error Message: Clients with the login_client feature cannot have any other features.

Remove all the features except login_client and try your API call again.


Error Message: Clients with the metadata feature can only be updated by Akamai.


Error Message: Owner feature cannot be removed from the client making the call.

After the owner feature has been added to a client, that feature can only by removed by Akamai.


Error Message: Client ID not found.

You did not provide a valid client ID.


Error Message: API client <name supplied> already exists.

Client names must be unique across an application.

If you encounter an error when calling this endpoint that error message will look similar to this:

   "errors": "Authentication required."