API Servers (API Resources)

API Servers (also called API Resources) define the APIs that your applications can request access to. When your app includes an audience parameter in the authorization or token request, AuthAction validates it against the configured API servers.

What Are API Servers?

An API Server represents a protected resource (e.g. your backend API) that issues access tokens for. The audience claim in the JWT identifies which API the token is intended for.

Creating an API Server

Log in to the AuthAction Dashboard.
Select your tenant.
Navigate to APIs or API Servers in the sidebar.
Click Create API Server.
Enter:
- Name: A display name for the API.
- Identifier: A unique identifier (e.g. https://api.myapp.com or my-api-resource). This is the value clients use as the audience parameter.

Granting Application Access

After creating an API server, grant your applications permission to request tokens for it:

Open the API server settings.
Go to the Applications tab (or equivalent).
Enable the applications that should be able to obtain tokens for this API.
Save the changes.

Dynamic Client Access

For scenarios like MCP servers where clients register dynamically:

Open the API server settings.
Go to the Dynamic Clients tab.
Enable Dynamic Client Access so dynamically registered clients can obtain tokens for this API.

See MCP Server Authorization and Dynamic Client Registration for details.

Using the Audience

Clients request tokens for a specific API by including audience in the authorization or token request:

GET /oauth2/authorize?
  response_type=code&
  client_id=...&
  redirect_uri=...&
  scope=openid&
  audience=https://api.myapp.com&
  ...

The resulting access token will include aud (audience) set to the requested value, which your API can use to validate the token.

Applications: Grant applications access to API servers.
MCP Server Authorization: Dynamic clients and MCP use cases.