Skip to content

App management

Source: en/cli/apps.md · Live: https://docs.1pass.dev/en/cli/apps LLM-sanitized: internal links absolutized, VitePress containers → admonitions, line numbers in the Jump-to Index reference this rendered file (1-indexed).

📍 Jump-to Index

  • L27-L75: ## Create a new app
    • L58-L75: ### Options
  • L76-L93: ## List apps
  • L94-L109: ## Show details
  • L110-L121: ## Add or remove a redirect URI
  • L122-L154: ## Rotate client_secret
  • L155-L163: ## Delete
  • L164-L172: ## JSON output (automation)
  • L173-L181: ## Next

App management

Every command for creating and managing OAuth apps.

💡 Tip: Looking for one-pass CLI registration? Start with the step-by-step CLI RP registration guide (Korean) if you want one flow for developer registration → RP registration → secret capture → env injection → verification. This page is the reference for the apps subcommands.

Create a new app

bash
logi apps create \
  --name "My Awesome App" \
  --redirect-uri https://app.example.com/auth/callback

Example output:

✓ App created
  client_id:     logi_1ce2d868ff8c8f0e3e8f0abcfac8f4be
  status:        pending

  client_secret:     logi_secret_3f290948f9fa6a3cb24bbce...
  rp_health_secret:  logi_rphs_a71c9e0b4d2f...

Paste these into your RP's environment:
# secrets below are shown ONCE — store them now
LOGI_API_URL=https://api.1pass.dev
LOGI_CLIENT_ID=logi_1ce2d868ff8c8f0e3e8f0abcfac8f4be
LOGI_CLIENT_SECRET=logi_secret_3f290948f9fa6a3cb24bbce...
LOGI_RP_HEALTH_SECRET=logi_rphs_a71c9e0b4d2f...

  ⚠ The client_secret and rp_health_secret are only shown once. Store them somewhere safe.

⚠️ Warning: Secrets are shown once, only in the create response client_secret and rp_health_secret are exposed in plaintext only in the create response. logi apps list / logi apps show and other GET responses never include them (logi stores only a hash/encrypted value and cannot recover the plaintext). If you lose one, rotate it; see client_secret rotation.

Options

OptionDefaultDescription
--name(required)The app name shown to users
--redirect-uri(required)One OAuth callback URL. Add more after creation with logi apps add-redirect
--scope[] (server default)Space-separated valid scope names, for example --scope openid profile:basic email. A bare profile is invalid; use profile:basic. If omitted, the server-side default scopes apply
--client-typeconfidentialconfidential / public. Cannot be changed after registration (public vs confidential)
--webhook-urlURL to receive user change notifications
--backchannel-logout-uriOIDC Back-Channel Logout receiver URL (BCL guide). SSRF-checked at registration
--health-urlRP health check target host (RP Active Health Check). Use this when a mobile-only RP has a backend host. SSRF-checked at registration
--no-health-check(check enabled)Turns off RP Active Health Check (health_check_enabled=false). For pure mobile RPs with no backend, and similar cases

ℹ️ Note: Public clients do not get a client_secret Public (PKCE-only) clients are not issued a client_secret because mobile/SPA binaries cannot hide one. In that case, the client_secret / LOGI_CLIENT_SECRET line is blank or omitted. rp_health_secret is issued regardless of client type; keep it only in a server-side env.

SSRF validation for --backchannel-logout-uri and --health-url: private/loopback/link-local/metadata IPs (127.x, 10.x, 192.168.x, 169.254.169.254, ::1, and so on) and non-HTTP URLs are rejected with 422 at registration time.

List apps

bash
logi apps list
name              client_id                                status     redirect_uris
Demo Test App     logi_1ce2d868...                         pending    http://localhost:3000/cb
Production Site   logi_a39bc01f...                         approved   https://app.example.com/cb

As JSON (the response is wrapped as { "success": true, "data": { "applications": [...] } }):

bash
logi apps list --json | jq '.data.applications[] | select(.status == "approved")'

Show details

bash
logi apps show 3
Demo Test App  (#3)
  client_id:      logi_1ce2d868ff8c8f0e3e8f0abcfac8f4be
  redirect_uris:  https://app.example.com/auth/callback
  scopes:         openid, profile
  status:         sandbox · test · free
  webhook_url:    —
  created:        2026-04-27 17:55

Add or remove a redirect URI

Redirect URIs are managed with separate, positional-argument commands (atomic):

bash
logi apps add-redirect 3 https://staging.example.com/cb
logi apps remove-redirect 3 https://staging.example.com/cb

💡 Tip: Editing metadata (name, webhook_url, and so on) is coming soon The CLI does not yet provide a bulk metadata edit command (apps edit). For now, use the Developer Console or the PATCH /api/v1/applications/:id API.

Rotate client_secret

bash
logi apps rotate-secret 3

The new secret is printed once. The old secret is invalidated immediately. Any in-flight token request that uses the old secret returns 401.

The more often you rotate, the safer you are. In CI/CD, we recommend automatic rotation once every three months.

⚠️ Warning: ⚠️ When client_secret is blank after re-registering an existing app If you touch a previously registered app again (for example, by re-running with the same name), the create step returns an empty client_secret. The plaintext secret is exposed only at the moment of first creation; afterward, only a hash remains in the logi database and it cannot be recovered.

Symptom:

client_id=logi_xxxxxxxxxxxxx
client_secret=               ← empty

Fix: issue a new secret with rotate-secret:

bash
logi apps rotate-secret <id>

Or do it directly from SSH or a Rails console:

ruby
app = OauthApplication.kept.find_by(name: "your_app")
new_secret = app.rotate_client_secret!
puts new_secret  # ← copy straight into the RP's env

This pitfall happens often when an automation script uses "create-or-update" logic (the app already exists, so create is a no-op, but the secret output is empty). Split your automation into two branches: "new creation → print secret" and "already exists → rotate explicitly."

Delete

bash
logi apps delete 3

⚠️ Warning: Deleted immediately The CLI currently calls DELETE right away, with no confirmation prompt. Every issued token is invalidated, so run this carefully. An interactive confirm and trash recovery (apps restore) are coming soon.

JSON output (automation)

Use --json or LOGI_OUTPUT=json to get machine-readable output. The JSON create response includes client_secret and rp_health_secret once.

bash
logi apps create --name "App" --redirect-uri https://example.com/cb --json \
  | jq '{client_id, client_secret, rp_health_secret}'

Next

최종 수정:

Identity가 제품의 신뢰를 만듭니다.