Migration · Adding Public Client Support
As of logi v0.5, you can choose a client_type when registering an RP.
Impact on existing RPs — none
Every already-registered RP is automatically classified as client_type=confidential, and its behavior is unchanged.
| Item | Previous behavior | After the change |
|---|---|---|
| client_id | Unchanged | Unchanged |
| client_secret | Unchanged | Unchanged |
| Token endpoint authentication | HTTP Basic or form body | Same |
| PKCE | Enforced for every RP (S256, code_challenge presence required) | Same (no change) |
| Redirect URI | Exact match | Same |
| Refresh rotation | Enabled | Same |
logi's PKCE policy
logi enforces PKCE S256 from the authorization step for every RP, including confidential ones (it rejects requests missing code_challenge). This is existing behavior from before v0.5, not a change introduced by adding public clients.
No additional work is required. No code changes, no environment-variable changes, and no RP re-registration.
What changes when registering a new RP
A client type radio button has been added to the https://start.1pass.dev/developer/applications/new form.
- Confidential (default) — same as the existing behavior. Recommended for RPs that have a backend.
- Public — for mobile/SPA only. No client_secret is issued, and PKCE S256 is enforced.
For a detailed decision guide, see Public vs Confidential.
New validation logic (common to all RPs)
Security-hardening changes that also affect existing RPs — there's no change under normal use, but non-standard calls are rejected:
1. Token endpoint method advertisement
none has been added to token_endpoint_auth_methods_supported in /.well-known/openid-configuration:
```diff
- "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
+ "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
```

A confidential RP cannot use none (validation rejects it), so there's no change.
2. Public client downgrade defense
Newly introduced. If a public client sends a client_secret or an HTTP Basic header to the token endpoint, it's rejected with invalid_client. This applies only to new public RPs — existing confidential RPs are unaffected.
3. Public client redirect_uri policy
Newly introduced. A public RP's redirect_uri may only be https / loopback / custom-scheme (RFC 8252 §8.5). An external plaintext http URL is refused at registration. Confidential RPs are unaffected.
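The two public-client rules above (the token endpoint downgrade defense and the redirect_uri registration policy), modelled as an added example; this is not logi's code. It assumes a SHA-256 hex digest for client_secret_digest, loopback meaning the RFC 8252 IP literals, and a reverse-domain form for custom schemes.

```python
"""Model of logi v0.5's token-endpoint and redirect_uri checks (added example, not logi's code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumption: loopback means the RFC 8252 IP literals; "localhost" is not accepted.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


@dataclass
class Application:
    client_id: str
    client_type: str                     # "confidential" or "public"
    client_secret_digest: Optional[str]  # None for public RPs, as the CHECK constraint requires


def digest(secret: str) -> str:
    # Assumed digest scheme for the example only; the real column format is not documented here.
    return hashlib.sha256(secret.encode()).hexdigest()


def public_redirect_uri_allowed(uri: str) -> bool:
    """Registration-time policy for public RPs: https, loopback http, or custom scheme."""
    parts = urlsplit(uri)
    if parts.scheme == "https":
        return bool(parts.hostname)
    if parts.scheme == "http":
        return parts.hostname in LOOPBACK_HOSTS  # external plaintext http is refused
    # Custom scheme: assumed to require the reverse-domain form RFC 8252 s7.1 recommends.
    return "." in parts.scheme


def token_client_auth_error(app: Application, basic_secret: Optional[str],
                            form: dict) -> Optional[str]:
    """Return an OAuth error code, or None when client authentication passes."""
    form_secret = form.get("client_secret")
    if basic_secret is not None and form_secret is not None:
        return "invalid_request"  # RFC 6749 s2.3: more than one auth method per request
    if app.client_type == "public":
        # Downgrade defense: a public RP must present no credential at all.
        if basic_secret is not None or form_secret is not None:
            return "invalid_client"
        return None if form.get("client_id") == app.client_id else "invalid_client"
    # Confidential RPs cannot use "none": a secret must be presented and must match.
    presented = basic_secret if basic_secret is not None else form_secret
    if presented is None or app.client_secret_digest is None:
        return "invalid_client"
    if not hmac.compare_digest(digest(presented), app.client_secret_digest):
        return "invalid_client"
    return None
```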
DB schema changes
New columns have been added to the internal DB schema — no work is required on the RP side:
```sql
ALTER TABLE oauth_applications
ADD COLUMN client_type VARCHAR DEFAULT 'confidential' NOT NULL,
ADD COLUMN token_endpoint_auth_method VARCHAR DEFAULT 'client_secret_basic' NOT NULL;

ALTER TABLE oauth_applications
ADD CONSTRAINT chk_client_type_secret_consistency
CHECK (
  (client_type = 'confidential' AND client_secret_digest IS NOT NULL ...)
  OR
  (client_type = 'public' AND client_secret_digest IS NULL ...)
);
```

Existing rows are assigned the confidential value via a raw SQL backfill.
Other changes
Automatic production-tier approval during the beta
While the LOGI_BETA_AUTO_APPROVE=true environment variable is active, new production-tier applications are auto-approved instantly. Removing the env var when the beta ends restores the existing manual-review flow.
Business registration certificate optional
When applying for the production tier, you can substitute a free-form identity/service description (50–5000 characters) for the business registration certificate PDF. This lowers the barrier to entry for solo developers and OSS projects.
Questions
If you find an issue, reach us at support@1pass.dev.