Create and manage an application
Bergur DavidsenUpdated 2026-07-14
Use an application record when an integration needs managed OAuth settings, user consent, install policies, marketplace visibility, or multiple administrators.
Start applications in draft. Registration is not publication, installation, or authorization.
Before creating
Prepare:
- a unique, user-facing name;
- an HTTPS icon URL from a controlled origin;
- short and extended descriptions;
- developer name and monitored contact email;
- categories and discovery tags;
- an application home URL where applicable;
- the application type and required grants;
- exact redirect URIs and allowed origins;
- consent permissions;
- install access policy;
- application administrators;
- token/session policy.
Do not include secrets, private callback hosts, internal diagrams, or customer data in marketplace metadata.
Create from the dashboard
- Open
/dashboard/applications. - Choose New application.
- Enter the required identity and developer fields.
- Configure the application type and grants.
- Add exact redirects and origins.
- Configure permissions and access policy.
- Review token and offline-access settings.
- Save as a draft.
- Store any generated credential only in an approved secret manager.
- Reopen the application and verify every field.
Available controls depend on the current account and app role.
Public metadata
The current application-management contract includes:
name;icon;- short
description; - optional Markdown
longDescription; - optional application home URL;
- developer name and contact email;
- one or more categories;
- discovery tags.
Write descriptions for users deciding whether to connect. State the purpose, expected access, supported environment, and limitations without making unverified security claims.
Administrators and ownership
Application administrators can manage sensitive configuration and lifecycle. Keep the list narrow.
- Use individual accountable identities.
- Remove administrators when responsibilities change.
- Do not grant app administration merely because someone owns a workspace.
- Require review for redirect, grant, scope, and status changes.
- Maintain a recovery owner and monitored developer contact.
Lifecycle statuses
Released application updates support:
draft— configuration and testing;beta— intentionally limited release;active— released and available under its access policy;deprecated— still present but scheduled for replacement/removal;archived— no longer offered for normal use.
beta and active can make the app visible in the marketplace. Review metadata, security, support, and connection flow before either transition.
Test before visibility
Test in a safe environment with non-sensitive data:
- Validate application and icon URLs.
- Test every configured grant.
- Confirm redirects reject unregistered destinations.
- Review the consent screen.
- Verify least-privilege workspace behavior.
- Test denial, expiry, revocation, and retry paths.
- Confirm secret rotation and support recovery.
- Verify Installed Apps behavior where exposed.
- Document known beta limitations.
Do not test by making an unfinished app broadly public.
Update safely
Before updating:
- Fetch or open the current application.
- Confirm its ID and environment.
- Review existing live connections.
- Change the smallest set of fields.
- Treat redirects, grants, scopes, administrators, and status as security-sensitive.
- Verify the saved result and run a connection smoke test.
- Communicate breaking changes before deprecation.
The current MCP management tool limits update fields to public metadata and lifecycle fields. Use the supported dashboard or REST contract for other configuration changes.
Deprecate and archive
When retiring an application:
- stop new installs where supported;
- mark it deprecated and provide a replacement path;
- notify affected users;
- revoke credentials and sessions deliberately;
- remove unused redirects and secrets;
- verify downstream automation;
- archive only after the transition period.
Archiving a record does not guarantee every external token or copied secret has been removed.
Troubleshooting
Create is rejected
Check required fields, URL formats, developer email, category, application type, grants, token policy, and app-management permission.
App remains invisible
Draft apps are not marketplace releases. Confirm status and access policy, but do not promote solely to bypass a test limitation.
An update is forbidden
The caller may list the app but lack administrator authority to modify it.
A redirect change breaks users
Restore the last reviewed exact URI if safe, then migrate clients deliberately. Avoid wildcard redirects.