Skip to main content

Application Registration

Before integrating, you must register your application with the Visual Passcodes service to obtain the necessary credentials.

Tenant provisioning

Start by requesting and configuring your dedicated tenant. The tenant is an isolated environment for your users and authentication settings. During tenant creation, provide:

  • Tenant name: A unique, descriptive name to identify your environment.
  • User self‑registration: Whether users can self‑register for accounts within your tenant. If enabled, users can create accounts during the auth flow. (This can be changed later.)
  • Tenant type (cannot be changed):
    • 2FA tenant: Use Visual Passcodes as a second factor alongside an existing primary authenticator.
    • Regular tenant: Use Visual Passcodes as the primary authenticator for your application.
  • Additional PIN requirement: Whether an extra PIN is required as part of the authentication process. (This can be changed later.)
  • Admin credentials: Email and username for the initial admin user.

After provisioning, you can register applications within the tenant.

Application registration

Register your application to integrate with Visual Passcodes.

1. Provide application details

During registration, provide:

  • Application name and description: For identification.
  • Redirect URIs: Full, absolute URLs Visual Passcodes may redirect to after successful authentication. This is a critical security control against phishing and code interception.
  • Client type: Declare the app as a Confidential client or a Public client. This determines how you handle credentials and secure the flow.

2. Receive credentials

Upon successful registration, Visual Passcodes issues:

  • client_id: A unique public identifier for your application (for both client types).
  • client_secret: A confidential secret used to authenticate at the token endpoint (only for confidential clients).
Secure credential storage

The client_secret is highly sensitive. It must be stored securely on your server’s backend and never exposed in client‑side code (e.g., browser JavaScript or mobile binaries).