OAuth, tokens, scopes, API access, and client settings.
To access the API, you first create an XWMS account, activate a client plan, and then create a client application in the dashboard to receive credentials.
API credentials are your client ID and client secret, used to identify and authorize your application when communicating with XWMS.
You can find the client ID in the Clients section of your XWMS Client dashboard.
A client secret is generated automatically when you create a new client application.
Yes. You can regenerate the secret in client settings. After rotation, update your application immediately to avoid authentication failures.
A client is an application registration that connects to the XWMS API and defines credentials, redirects, and permissions.
Go to the Clients section in the dashboard and create a new client with the required settings.
Yes. You can create multiple clients for separate apps, teams, or environments such as development and production.
Redirect URLs can be managed in each client's settings. Use exact callback URLs that your application actually handles.
Exact URI matching prevents open redirect abuse and ensures authorization responses are only sent to trusted endpoints.
Yes. You can register multiple redirect URIs for a client, for example for local, staging, and production environments.
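The redirect answers above rely on exact matching; the following added example (not XWMS code, and not taken from this page) contrasts an exact comparison with a prefix comparison over a constructed set of registered callbacks. All URLs are constructed samples, and `registration_problems` applies general OAuth hygiene checks that are assumptions, not documented XWMS rules.

```python
from urllib.parse import urlsplit

# Constructed registration: one exact callback per environment.
REGISTERED = frozenset({
    "http://localhost:8080/oauth/callback",
    "https://staging.app.example/oauth/callback",
    "https://app.example/oauth/callback",
})


def registration_problems(uri: str) -> list[str]:
    """General OAuth hygiene checks (assumed, not documented XWMS rules)."""
    parts = urlsplit(uri)
    problems = []
    if "*" in uri:
        problems.append("wildcard")
    if parts.fragment:
        problems.append("fragment")
    loopback = parts.hostname in ("localhost", "127.0.0.1", "::1")
    if parts.scheme != "https" and not loopback:
        problems.append("not https")
    return problems


def exact_match(candidate: str, registered=REGISTERED) -> bool:
    """Accept only a character-for-character match with a registered URI."""
    return candidate in registered


def prefix_match(candidate: str, registered=REGISTERED) -> bool:
    """Weak comparison, shown only for contrast."""
    return any(candidate.startswith(uri) for uri in registered)


# Constructed candidates: the first is registered, the rest only look close.
SAMPLES = [
    "https://app.example/oauth/callback",
    "https://app.example/oauth/callback/",
    "https://app.example/oauth/callback/../../other",
    "https://app.example/oauth/callback?next=https://other.example",
]


def compare(candidates=SAMPLES):
    """Return (uri, exact_result, prefix_result) for each candidate."""
    return [(c, exact_match(c), prefix_match(c)) for c in candidates]


if __name__ == "__main__":
    for uri, exact, prefix in compare():
        print(f"exact={exact!s:5} prefix={prefix!s:5} {uri}")
```

Because the comparison is character-for-character, even a trailing slash makes a callback unregistered, so the application must send exactly the string that was registered.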
Yes. You can temporarily disable a client to block authentication and API usage without permanently deleting it.
Deleting a client invalidates associated credentials and tokens, so existing integrations stop working.
Yes. Client names can be updated in the dashboard for clearer management.
Yes, as long as they have the required account permissions for client management.
No. Client secrets must never be exposed in frontend code and should only exist on secure server-side infrastructure.
Domain restrictions may be available depending on your client configuration and security settings.
Most secured API endpoints require X-Client-Id, X-Client-Secret, and X-Client-Domain headers. These identify the client, authenticate the secret, and let XWMS verify that the request is coming from an allowed domain configuration.
XWMS resolves the client and domain from the request headers, verifies that the client secret is active, checks that the domain is allowed, and enforces domain settings such as active status, authentication access, API access, server IP allowlists, and test or live mode rules.