App management
Every command for creating and managing OAuth apps.
Create a new app
logi apps create \
--name "My Awesome App" \
--redirect-uri https://app.example.com/auth/callback
Example output:
✓ App created
client_id: logi_1ce2d868ff8c8f0e3e8f0abcfac8f4be
client_secret: logi_secret_3f290948f9fa6a3cb24bbce... ← shown only once
environment: test
organization: personal-8
⚠️ client_secret cannot be shown again. Store it somewhere safe.
Options
| Option | Default | Description |
|---|---|---|
| --name | (required) | The app name shown to users |
| --redirect-uri | (required) | OAuth callback URL. Repeat the option for multiple URLs |
| --scope | [] (server default) | Space-separated, multiple allowed. If omitted, the server-side default scopes apply |
| --webhook-url | | URL to receive user change notifications |
List apps
logi apps list
ID NAME CLIENT_ID STATUS ENV
3 Demo Test App logi_1ce2d868... sandbox test
4 Production Site logi_a39bc01f... approved live
As JSON:
logi apps list --json | jq '.[] | select(.environment == "live")'
Show details
logi apps show 3
Demo Test App (#3)
client_id: logi_1ce2d868ff8c8f0e3e8f0abcfac8f4be
redirect_uris: https://app.example.com/auth/callback
scopes: openid, profile
status: sandbox · test · free
webhook_url: —
created: 2026-04-27 17:55
Add or remove a redirect URI
Redirect URIs are managed with separate, positional-argument commands (atomic):
logi apps add-redirect 3 https://staging.example.com/cb
logi apps remove-redirect 3 https://staging.example.com/cb
Editing metadata (name, webhook_url, and so on) is coming soon
The CLI does not yet provide a bulk metadata edit command (apps edit). For now, use the Developer Console or the PATCH /api/v1/applications/:id API.
Rotate client_secret
logi apps rotate-secret 3
The new secret is printed once. The old secret is invalidated immediately. Any in-flight token request that uses the old secret returns 401.
The more often you rotate, the safer you are. In CI/CD, we recommend automatic rotation once every three months.
⚠️ When client_secret is blank after re-registering an existing app
If you touch a previously registered app again (for example, by re-running with the same name), the create step returns an empty client_secret. The plaintext secret is exposed only at the moment of first creation; afterward, only a hash remains in the logi database and it cannot be recovered.
Symptom:
client_id=logi_xxxxxxxxxxxxx
client_secret= ← empty
Fix: issue a new secret with rotate-secret:
logi apps rotate-secret <id>
Or do it directly from SSH or a Rails console:
app = OauthApplication.kept.find_by(name: "your_app")
new_secret = app.rotate_client_secret!
puts new_secret # ← copy straight into the RP's env
This pitfall happens often when an automation script uses "create-or-update" logic (the app already exists, so create is a no-op, but the secret output is empty). Split your automation into two branches: "new creation → print secret" and "already exists → rotate explicitly."
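The two-branch split recommended above, sketched as POSIX shell (an added example, not code from logi). It assumes the `logi apps list` table layout and the `logi_secret_` prefix shown in the sample output on this page, and that `rotate-secret` prints the new secret in that same form; `find_app_id`, `extract_secret` and `ensure_app` are hypothetical helper names.

```sh
# Added example. Assumptions: `logi apps list` prints the ID NAME CLIENT_ID
# STATUS ENV table shown above, and secrets look like logi_secret_<hex>.

# Print the numeric ID of the app named $1, or nothing if it is not listed.
find_app_id() {
  logi apps list | awk -v want="$1" '
    $1 ~ /^[0-9]+$/ && NF >= 5 {
      name = $2                       # NAME may contain spaces: it is every
      for (i = 3; i <= NF - 3; i++)   # field between ID and the last three
        name = name " " $i
      if (name == want) { print $1; exit }
    }'
}

# Read CLI output on stdin, print the first logi_secret_... token (if any).
extract_secret() {
  grep -o 'logi_secret_[0-9a-f]*' | head -n 1
}

# ensure_app NAME REDIRECT_URI SECRET_FILE
# Prints "created" or "rotated"; the secret itself goes only to SECRET_FILE.
ensure_app() {
  name=$1; redirect=$2; out=$3
  id=$(find_app_id "$name")
  if [ -z "$id" ]; then
    # Branch 1: new app, the only time create returns a plaintext secret.
    secret=$(logi apps create --name "$name" --redirect-uri "$redirect" | extract_secret)
    action=created
  else
    # Branch 2: app exists, so create would yield an empty secret; rotate.
    secret=$(logi apps rotate-secret "$id" | extract_secret)
    action=rotated
  fi
  # Fail closed: never write an empty secret into the relying party's env.
  if [ -z "$secret" ]; then
    echo "error: no client_secret obtained for '$name'" >&2
    return 1
  fi
  ( umask 077; printf '%s\n' "$secret" > "$out" ) && chmod 600 "$out"
  echo "$action"
}
```

Because rotate-secret invalidates the old secret immediately, run the rotate branch only when the new value can be deployed to the relying party in the same job.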
Delete
logi apps delete 3
Deleted immediately
The CLI currently calls DELETE right away, with no confirmation prompt. Every issued token is invalidated, so run this carefully. An interactive confirm and trash recovery (apps restore) are coming soon.