POST /organizations/me/{org_id}/applications
cURL
curl -X POST "https://apx.didit.me/auth/v2/organizations/me/$ORG_ID/applications/" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Customer App",
    "website_url": "https://acme.example",
    "redirect_uris": ["https://acme.example/callback"]
  }'
{
  "uuid": "b2c3d4e5-6789-01bc-defg-222222222222",
  "name": "Acme Customer App",
  "client_id": "S9LIYGSoWNuGMLHsvEt9dQ",
  "api_key": "05mHcOWL8GathLZlz8oIDawYj9qFAcoSHtz-75PAkuo",
  "website_url": "https://acme.example",
  "redirect_uris": [
    "https://acme.example/callback"
  ],
  "terms_url": "https://acme.example/terms",
  "privacy_url": "https://acme.example/privacy",
  "description": null,
  "created_at": "2025-06-01T10:00:00Z"
}
Use this endpoint when you need to separate verification traffic, credentials, branding, or reporting inside the same organization. This is especially useful for resellers that create one application per customer. It also works well when your own company has multiple products, brands, regions, staging/production environments, or use cases that should not share the same API key and application-level settings.
All Auth API endpoints use https://apx.didit.me/auth/v2. Use the returned api_key as x-api-key when calling https://verification.didit.me/v3/... endpoints such as sessions and workflows.

Authorizations

Authorization
string
header
required

RS256-signed JWT access_token returned by POST /programmatic/login/ or POST /programmatic/verify-email/. Send as Authorization: Bearer <access_token>. Default lifetime is 86400 seconds (24h). This token is only valid against the Account Management endpoints on apx.didit.me/auth/v2. The verification API (verification.didit.me/v3) uses the long-lived api_key as x-api-key instead.

Path Parameters

org_id
string<uuid>
required

UUID of the organization. Look it up with GET /organizations/me/.

Example:

"a1b2c3d4-5678-90ab-cdef-111111111111"

Body

application/json

All fields are optional. Omitting the body, or sending an empty body, creates an application with the default name "<organization name> App" and no public URLs configured.

name
string

Application display name. Defaults to "<organization name> App".

Example:

"Acme Customer App"

website_url
string

Website or app URL associated with this application.

Example:

"https://acme.example"

redirect_uris
string[]

Allowed redirect URIs for OAuth-style and verification redirect flows.

Example:

["https://acme.example/callback"]

terms_url
string

Terms of service URL shown in the verification flow.

Example:

"https://acme.example/terms"

privacy_url
string

Privacy policy URL shown in the verification flow.

Example:

"https://acme.example/privacy"

description
string

Internal description for the application (not shown to end users).

Response

Application created. The response includes the long-lived api_key; persist it now and use it as the x-api-key header on every https://verification.didit.me/v3/... call.

Full application record. uuid, client_id, and api_key never change after creation.

uuid
string<uuid>

Application UUID. Use as {app_id} in subsequent calls.

Example:

"b2c3d4e5-6789-01bc-defg-222222222222"

name
string

Application display name shown in the Didit console.

Example:

"Acme Production App"

client_id
string

Public client identifier, safe to embed in OAuth-style flows.

Example:

"S9LIYGSoWNuGMLHsvEt9dQ"

api_key
string

Long-lived secret (also called client_secret). Use as the x-api-key header for every call to https://verification.didit.me/v3/... (sessions, workflows, AML, etc.). Treat as a credential; never expose client-side.

Example:

"05mHcOWL8GathLZlz8oIDawYj9qFAcoSHtz-75PAkuo"

website_url
string | null

Website or app URL associated with this application.

Example:

"https://acme.example"

redirect_uris
string[]

Allowed redirect URIs for OAuth-style and verification redirect flows.

Example:

["https://acme.example/callback"]

terms_url
string | null

Terms of service URL shown in the verification flow.

Example:

"https://acme.example/terms"

privacy_url
string | null

Privacy policy URL shown in the verification flow.

Example:

"https://acme.example/privacy"

description
string | null

Internal description for the application (not shown to end users).

created_at
string<date-time>

Example:

"2025-06-01T10:00:00Z"
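
One way to handle the create response so the api_key is persisted once and kept out of logs, as an added example (not Didit's own code). The function names, the one-file-per-application layout, and the sample response values are assumptions made for illustration; only the field names and the x-api-key header come from this page.

```python
import json
import os
import re
from pathlib import Path

# Constructed sample of the create response; the key is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "uuid": "00000000-0000-4000-8000-000000000001",
    "name": "Acme Customer App",
    "client_id": "EXAMPLE-CLIENT-ID",
    "api_key": "EXAMPLE-NOT-A-REAL-KEY",
    "redirect_uris": ["https://acme.example/callback"],
})


def store_application(response_text: str, secrets_dir: Path) -> dict:
    """Write api_key to an owner-only file; return a record that is safe to log."""
    record = json.loads(response_text)
    missing = [k for k in ("uuid", "client_id", "api_key") if not record.get(k)]
    if missing:
        raise ValueError(f"create response is missing {missing}")
    # The uuid becomes a file name, so refuse anything with path characters.
    if not re.fullmatch(r"[0-9A-Za-z-]{1,64}", record["uuid"]):
        raise ValueError("unexpected characters in uuid")
    secrets_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    key_path = secrets_dir / f"{record['uuid']}.api_key"
    # O_EXCL refuses to overwrite an existing key file; 0o600 is owner-only.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(record["api_key"])
    # Everything except the secret can go to logs or a customer inventory.
    safe = {k: v for k, v in record.items() if k != "api_key"}
    safe["api_key_file"] = str(key_path)
    return safe


def verification_headers(safe_record: dict) -> dict:
    """Load the stored key server-side and build the x-api-key header."""
    key = Path(safe_record["api_key_file"]).read_text().strip()
    return {"x-api-key": key}
```

For a reseller creating one application per customer, the returned record (without the key) is what belongs in the customer inventory; the key file stays on the backend that calls the verification API.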