> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Application Credentials

> Read one application's full record including `client_id` and `api_key`. Use this to recover a lost `api_key`.

export const AgentPromptAccordion = ({prompt, title = "AI Agent Integration Prompt"}) => {
  const [copied, setCopied] = React.useState(false);
  const handleCopy = e => {
    e.stopPropagation();
    if (!prompt) return;
    navigator.clipboard.writeText(prompt.trim()).then(() => {
      setCopied(true);
      setTimeout(() => setCopied(false), 2000);
    });
  };
  const agents = ["Claude Code", "Codex", "Cursor", "Devin", "Windsurf", "GitHub Copilot"];
  return <div className="didit-agent-card">
      {}
      <div className="didit-agent-titlebar">
        <div className="didit-agent-dots" aria-hidden="true">
          <span className="didit-agent-dot didit-agent-dot-red"></span>
          <span className="didit-agent-dot didit-agent-dot-yellow"></span>
          <span className="didit-agent-dot didit-agent-dot-green"></span>
        </div>
        <span className="didit-agent-filename">{title}</span>
        <button type="button" className={`didit-agent-copy ${copied ? "didit-agent-copy-copied" : ""}`} onClick={handleCopy} title="Copy prompt to clipboard" aria-label={copied ? "Copied!" : "Copy prompt to clipboard"}>
          {copied ? <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <path d="M3 8.5l3.5 3.5L13 4" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" />
              </svg>
              <span>Copied</span>
            </> : <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <rect x="5" y="5" width="9" height="9" rx="1.5" stroke="currentColor" strokeWidth="1.5" />
                <path d="M11 5V3.5A1.5 1.5 0 0 0 9.5 2h-6A1.5 1.5 0 0 0 2 3.5v6A1.5 1.5 0 0 0 3.5 11H5" stroke="currentColor" strokeWidth="1.5" />
              </svg>
              <span>Copy</span>
            </>}
        </button>
      </div>

      {}
      <pre className="didit-agent-body"><code>{prompt.trim()}</code></pre>

      {}
      <div className="didit-agent-footer">
        <span className="didit-agent-footer-label">Paste into</span>
        <div className="didit-agent-chips">
          {agents.map(name => <span key={name} className="didit-agent-chip">{name}</span>)}
        </div>
      </div>
    </div>;
};

<AgentPromptAccordion
  title="Get Application Credentials Prompt"
  prompt={`Read one application's full record — including its client_id and api_key (client_secret). Use this to RECOVER an api_key you've misplaced.

Endpoint:
GET https://apx.didit.me/auth/v2/organizations/me/{org_id}/applications/{app_id}/

Authentication:
Authorization: Bearer <access_token>
Get a token via POST /programmatic/login/.

Path parameters:
- org_id (UUID, required) — Organization that owns the application. Get via GET /organizations/me/.
- app_id (UUID, required) — Application UUID. Returned by POST /programmatic/verify-email/ (in the application.uuid field), by POST /organizations/me/{org_id}/applications/, or visible in the Didit console.

curl example:
curl "https://apx.didit.me/auth/v2/organizations/me/<ORG_ID>/applications/<APP_ID>/" \\
-H "Authorization: Bearer <ACCESS_TOKEN>"

Response (200 OK):
{
"uuid": "b2c3d4e5-6789-...",
"name": "My App",
"client_id": "S9LIYGSoWNuGMLHsvEt9dQ",
"api_key": "05mHcOWL8GathLZlz8oIDawYj9qFAcoSHtz-75PAkuo",
"website_url": "https://example.com",
"redirect_uris": ["https://example.com/callback"],
"terms_url": "https://example.com/terms",
"privacy_url": "https://example.com/privacy",
"description": "Production application",
"created_at": "2025-06-01T10:00:00Z"
}

How to use the response:
- api_key → set as the x-api-key header on EVERY call to https://verification.didit.me/v3/... (sessions, workflows, questionnaires, AML monitoring, billing, etc.).
- client_id → shown alongside api_key for OAuth-style introspection scenarios. Routine verification calls only need api_key.

Failure modes:
- 401 — { "detail": "Invalid access token" } — token missing, malformed, or expired.
- 403 — { "detail": "You do not have permission to perform this action." } — caller cannot read credentials for this application.
- 404 — { "detail": "Not found." } — organization not found, application not found in that organization, or caller is not a member of the organization.

When to call:
- After programmatic login from a new machine — you have an access_token but not the api_key, and you need x-api-key to start calling verification.didit.me.
- Auditing your applications — list all apps with GET /organizations/me/{org_id}/applications/, then read each.

Note:
This endpoint does not rotate the credential. The api_key is the same value that was minted at create time. There is no separate "show api_key once" model — Didit will return it on every GET.

For end-to-end Didit integration, paste in the full prompt at /integration/integration-prompt.`}
/>


## OpenAPI

````yaml GET /organizations/me/{org_id}/applications/{app_id}/
openapi: 3.0.0
info:
  version: 1.0.0
  title: Didit Auth API
  description: >-
    Programmatic registration and authentication API for developers and AI
    agents. Register in 2 API calls -- no browser needed. The most
    agent-friendly identity verification platform.


    ## Base URL


    All endpoints in this spec are hosted at `https://apx.didit.me/auth/v2`.
    This is a different host than the verification API
    (`https://verification.didit.me/v3`). Keep them straight: this auth host
    issues your **JWT access tokens** and lets you list and manage your
    **organizations** and **applications**. The verification host is where you
    call sessions, workflows, AML, etc., authenticated with the **`api_key`**
    returned by this API.


    ## How the auth flow works


    1. `POST /programmatic/register/` — submit email + password.

    2. Receive a 6-character alphanumeric code by email.

    3. `POST /programmatic/verify-email/` — submit the code. You get back a JWT
    `access_token`, a `refresh_token`, an organization, and a default
    application with `client_id` + `api_key`.

    4. Save the `api_key`. Use it as `x-api-key` for every call to
    `https://verification.didit.me/v3/...`.

    5. From any future machine, `POST /programmatic/login/` exchanges your email
    + password for a fresh JWT, then call `GET /organizations/me/` and the
    application endpoints to recover or rotate credentials.


    The JWT is only needed for the **Account Management** endpoints in this
    spec; verification API traffic uses the long-lived `api_key`, not the JWT.


    ## Conventions


    - All request and response bodies are JSON (`Content-Type:
    application/json`).

    - **Use a real, deliverable email address when testing `POST
    /programmatic/register/`.** The endpoint sends the verification code
    synchronously, so addresses on reserved test domains (`@example.com`,
    `@example.org`, `@*.test`, `@*.example`, `@*.invalid`) are refused by mail
    delivery and the request returns a `500`. Substitute the
    `you@yourdomain.com` placeholder in the samples with an inbox you can
    actually read.

    - Validation errors return HTTP `400` with one of two envelopes: `{"field":
    ["message", ...]}` for field-level problems, or `{"detail": "message"}` for
    business-rule errors. A handful of validators (password strength on
    register, code expiry on verify-email) currently respond with a bare array
    `["message"]` instead of the field-keyed form -- this is a known server-side
    inconsistency, so client code should accept both shapes.

    - Authentication errors come back as `{"detail": "..."}` with HTTP `401`
    (invalid bearer token) or `403` (missing bearer token / insufficient
    privileges).

    - Rate-limit responses include a `wait` field with the cooldown in seconds.
servers:
  - url: https://apx.didit.me/auth/v2
    description: Production auth server
security: []
tags:
  - name: Programmatic Auth
    description: >-
      Email-and-password account lifecycle: register, verify, login. Returns the
      JWT `access_token` you use against the Account Management endpoints, plus
      (on verify) your first application's `client_id` and `api_key`.
  - name: Account Management
    description: >-
      Authenticated endpoints (JWT bearer) that list organizations and create,
      fetch, or update applications. Use these to recover or rotate the
      `api_key` you authenticate verification API calls with.
paths:
  /organizations/me/{org_id}/applications/{app_id}/:
    get:
      tags:
        - Account Management
      summary: Get Application Credentials
      description: >-
        Read one application's full record including `client_id` and `api_key`.
        Use this to recover a lost `api_key`.
      operationId: get_application_credentials
      parameters:
        - name: org_id
          in: path
          required: true
          description: UUID of the organization that owns the application.
          schema:
            type: string
            format: uuid
            example: a1b2c3d4-5678-90ab-cdef-111111111111
        - name: app_id
          in: path
          required: true
          description: UUID of the application whose credentials you want to read.
          schema:
            type: string
            format: uuid
            example: b2c3d4e5-6789-01bc-defg-222222222222
      responses:
        '200':
          description: Application record including its `client_id` and `api_key`.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Application'
              examples:
                Success:
                  value:
                    uuid: b2c3d4e5-6789-01bc-defg-222222222222
                    name: My App
                    client_id: S9LIYGSoWNuGMLHsvEt9dQ
                    api_key: 05mHcOWL8GathLZlz8oIDawYj9qFAcoSHtz-75PAkuo
                    website_url: https://example.com
                    redirect_uris:
                      - https://example.com/callback
                    terms_url: https://example.com/terms
                    privacy_url: https://example.com/privacy
                    description: Production application
                    created_at: '2025-06-01T10:00:00Z'
        '401':
          description: Access token missing, malformed, or expired.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthError'
              examples:
                InvalidToken:
                  value:
                    detail: Invalid access token
        '403':
          description: >-
            Bearer token is valid but the user does not have permission to read
            credentials for this application.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthError'
              examples:
                Forbidden:
                  value:
                    detail: You do not have permission to perform this action.
        '404':
          description: >-
            Organization not found, application not found in that organization,
            or the authenticated user is not a member of the organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthError'
              examples:
                NotFound:
                  value:
                    detail: Not found.
      security:
        - BearerAuth: []
      x-codeSamples:
        - lang: curl
          label: cURL
          source: >-
            curl
            "https://apx.didit.me/auth/v2/organizations/me/$ORG_ID/applications/$APP_ID/"
            \
              -H "Authorization: Bearer $ACCESS_TOKEN"
        - lang: python
          label: Python
          source: >-
            import requests


            resp = requests.get(
                f"https://apx.didit.me/auth/v2/organizations/me/{org_id}/applications/{app_id}/",
                headers={"Authorization": f"Bearer {access_token}"},
                timeout=10,
            )

            resp.raise_for_status()

            app = resp.json()

            api_key = app["api_key"]  # use as x-api-key on
            verification.didit.me
        - lang: javascript
          label: JavaScript
          source: >-
            const resp = await fetch(
              `https://apx.didit.me/auth/v2/organizations/me/${orgId}/applications/${appId}/`,
              { headers: { Authorization: `Bearer ${accessToken}` } },
            );

            if (!resp.ok) throw new Error(`Get app failed: ${resp.status}`);

            const app = await resp.json();

            const apiKey = app.api_key; // use as x-api-key on
            verification.didit.me
components:
  schemas:
    Application:
      type: object
      description: >-
        Full application record. `uuid`, `client_id`, and `api_key` never change
        after creation.
      properties:
        uuid:
          type: string
          format: uuid
          description: Application UUID. Use as `{app_id}` in subsequent calls.
          example: b2c3d4e5-6789-01bc-defg-222222222222
        name:
          type: string
          description: Application display name shown in the Didit console.
          example: Acme Production App
        client_id:
          type: string
          description: Public client identifier, safe to embed in OAuth-style flows.
          example: S9LIYGSoWNuGMLHsvEt9dQ
        api_key:
          type: string
          description: >-
            Long-lived secret (also called `client_secret`). Use as the
            `x-api-key` header for every call to
            `https://verification.didit.me/v3/...` (sessions, workflows, AML,
            etc.). Treat as a credential; never expose client-side.
          example: 05mHcOWL8GathLZlz8oIDawYj9qFAcoSHtz-75PAkuo
        website_url:
          type: string
          nullable: true
          description: Website or app URL associated with this application.
          example: https://acme.example
        redirect_uris:
          type: array
          items:
            type: string
          description: >-
            Allowed redirect URIs for OAuth-style and verification redirect
            flows.
          example:
            - https://acme.example/callback
        terms_url:
          type: string
          nullable: true
          description: Terms of service URL shown in the verification flow.
          example: https://acme.example/terms
        privacy_url:
          type: string
          nullable: true
          description: Privacy policy URL shown in the verification flow.
          example: https://acme.example/privacy
        description:
          type: string
          nullable: true
          description: Internal description for the application (not shown to end users).
        created_at:
          type: string
          format: date-time
          example: '2025-06-01T10:00:00Z'
    AuthError:
      type: object
      description: Authentication / authorization / not-found error envelope.
      properties:
        detail:
          type: string
          example: Invalid access token
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        RS256-signed JWT `access_token` returned by `POST /programmatic/login/`
        or `POST /programmatic/verify-email/`. Send as `Authorization: Bearer
        <access_token>`. Default lifetime is 86400 seconds (24h). This token is
        only valid against the Account Management endpoints on
        `apx.didit.me/auth/v2`. The verification API
        (`verification.didit.me/v3`) uses the long-lived `api_key` as
        `x-api-key` instead.

````