Profiles
A profile is the runtime access contract for a client: auth type, method/IP constraints, and active state.
Profile guides
Creating a profile
- Open a client and click Add Profile.
- Fill in:

| Field | Description |
|---|---|
| Name | Descriptive label (e.g. production, sandbox, read-only) |
| Active | Toggle to enable or disable the profile |
| Auth Type | The authentication method for this profile |
| Allowed Methods | Optional: restrict to specific HTTP methods |
| IP Restrictions | Optional: restrict by IP address or CIDR |

- Complete the auth-type specific fields (a token is auto-generated; JWT, OIDC and mTLS require additional configuration).
- Click Save. The profile credentials are displayed once; copy them immediately.
What profiles control (runtime)
| Setting | Description |
|---|---|
| Auth type | How the client authenticates (token, JWT, OIDC, mTLS, none) |
| Credential | Auth material (token/JWT/OIDC settings, or external mTLS posture) |
| Allowed methods | Optional: restrict to specific HTTP methods (e.g., GET only) |
| Allowed IPs | Optional: restrict to specific IP addresses or CIDR ranges |
| Status | Active or inactive |
IP address restrictions
Set a list of allowed IPs or CIDR ranges. Requests from any other IP are rejected with 403.
- CIDR notation: 192.168.1.0/24
- Exact IP: 10.0.0.5
- Multiple entries: one per line
- Empty list: no IP restriction (all IPs allowed)
IP checks run before authentication: a request from an address outside the list is rejected with 403 before its credential is verified, so it never reaches the 401 path. The check is only as good as the source address the gateway sees; if clients reach it through a proxy or load balancer, make sure the address being evaluated is the original client's and not the intermediary's.
Method restrictions
Set the list of allowed HTTP methods. Requests using any other method return 405 Method Not Allowed.
Examples:
- GET only: read-only consumers
- GET, POST: consumers that can read and create
- Empty / all: no restriction
Token expiry state
The profile detail page shows the current state of the issued token:
| Badge | Meaning | Action |
|---|---|---|
| Valid (green) | Token is active with more than 24 hours remaining before expiry | None needed |
| Expiring Soon (amber) | Token expires within 24 hours | Rotate before expiry |
| Expired (red) | Token has expired; all requests are rejected with 401 | Rotate immediately |
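The IP, method and token-expiry checks described above, modelled end to end so their ordering and status codes can be seen in one place. This is an added example written for this page, not the product's own code: the Profile class, check_request, the status code returned for an inactive profile and the position of the method check relative to authentication are assumptions. Only the documented outcomes come from the page: 403 for a blocked IP before any credential check, 401 for a bad or expired token, 405 for a disallowed method, the 24-hour "expiring soon" threshold, and immediate invalidation of the old token on rotation. The sample profile and reference time are constructed.

```python
"""Model of the runtime checks a profile applies, in the order the doc gives:
IP allow-list (403) -> credential (401) -> HTTP method (405).
Added illustration, not the product's code. Assumptions are marked below."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress
import secrets
from typing import Optional

# Constructed reference time so the expiry badges below are deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Profile:
    name: str
    active: bool = True
    auth_type: str = "token"                  # token | jwt | oidc | mtls | none
    token: Optional[str] = None
    token_expires_at: Optional[datetime] = None
    allowed_methods: set = field(default_factory=set)  # empty = all methods
    allowed_ips: list = field(default_factory=list)    # empty = all IPs

    def rotate(self, expiry_hours: Optional[int], now: datetime = NOW) -> str:
        """Issue a new token; the old one stops working immediately."""
        self.token = secrets.token_urlsafe(32)
        self.token_expires_at = (now + timedelta(hours=expiry_hours)
                                 if expiry_hours else None)
        return self.token


def ip_allowed(profile: Profile, client_ip: str) -> bool:
    """Match the client address against the profile's IP / CIDR entries."""
    if not profile.allowed_ips:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                          # unparsable source address: reject
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in profile.allowed_ips)


def token_state(profile: Profile, now: datetime = NOW) -> str:
    """Badge shown on the profile page: valid / expiring_soon / expired."""
    exp = profile.token_expires_at
    if exp is None or exp - now > timedelta(hours=24):
        return "valid"
    if exp <= now:
        return "expired"
    return "expiring_soon"                    # expires within 24 hours


def check_request(profile: Profile, client_ip: str, method: str,
                  bearer: Optional[str], now: datetime = NOW) -> tuple:
    """Return (status, reason); 200 means the profile admits the request."""
    if not profile.active:
        return 403, "profile inactive"        # status code assumed; doc says only "rejected"
    if not ip_allowed(profile, client_ip):
        return 403, "ip not allowed"          # runs before any credential check
    if profile.auth_type == "token":
        if bearer is None or profile.token is None or not secrets.compare_digest(
                bearer.encode(), profile.token.encode()):
            return 401, "invalid token"
        if token_state(profile, now) == "expired":
            return 401, "token expired"
    elif profile.auth_type != "none":
        raise NotImplementedError("JWT/OIDC/mTLS verification is not modelled here")
    # Doc does not say whether the method check precedes or follows auth; assumed after.
    if profile.allowed_methods and method.upper() not in profile.allowed_methods:
        return 405, "method not allowed"
    return 200, "ok"


def demo() -> dict:
    """Walk a constructed read-only profile through the documented outcomes."""
    p = Profile(name="readonly", allowed_methods={"GET"},
                allowed_ips=["192.168.1.0/24", "10.0.0.5"])
    tok = p.rotate(expiry_hours=48)
    r = {
        "blocked_ip": check_request(p, "203.0.113.9", "GET", tok),            # 403
        "blocked_ip_bad_token": check_request(p, "203.0.113.9", "GET", "x"),  # 403, not 401
        "bad_token": check_request(p, "192.168.1.77", "GET", "x"),            # 401
        "wrong_method": check_request(p, "10.0.0.5", "POST", tok),            # 405
        "ok": check_request(p, "192.168.1.77", "GET", tok),                   # 200
        "badge_now": token_state(p),                                          # valid
        "badge_25h": token_state(p, NOW + timedelta(hours=25)),               # expiring_soon
        "badge_49h": token_state(p, NOW + timedelta(hours=49)),               # expired
        "after_expiry": check_request(p, "192.168.1.77", "GET", tok,
                                      NOW + timedelta(hours=49)),             # 401
    }
    new = p.rotate(expiry_hours=48)
    r["old_after_rotate"] = check_request(p, "192.168.1.77", "GET", tok)      # 401
    r["new_after_rotate"] = check_request(p, "192.168.1.77", "GET", new)      # 200
    p.active = False
    r["inactive"] = check_request(p, "192.168.1.77", "GET", new)              # 403
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The one design point worth copying is the order of the first two checks: the IP allow-list runs before the credential is touched, so a blocked address gets 403 whether or not it presents a valid token, and the token comparison uses a constant-time compare rather than `==`.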
Credential management in the UI
From the profile detail page, you can:
| Action | Description |
|---|---|
| Show / Hide credentials | Toggle visibility of the token or secret |
| Copy credentials | Copy the raw token/secret to clipboard |
| Copy X-Client-ID | Copy the client's ID header value |
| Copy X-Profile-ID | Copy the profile's ID header value |
| Copy Authorization header | Copy the full Authorization: Bearer <token> string |
| Rotate credentials | Generate a new token; the old one is immediately invalidated |
| Change auth type | Switch to a different auth method (re-configures credential fields) |
| Remove auth | Switch to none — removes all auth from the profile |
Configuring rotation expiry: when rotating, you can set an expiry period in hours. After that period the new token is rejected with 401 and must be rotated again. Because the old token is invalidated the moment you rotate, update every consumer with the new token as part of the same change, or they will start receiving 401s.
Multiple profiles per client
A single client can have multiple profiles for different use cases:
| Profile | Auth type | Use case |
|---|---|---|
| sandbox | Token | Development and testing, liberal limits |
| production | mTLS | Live traffic, strict security |
| readonly | OIDC | Authenticated but read-only access (GET only) |
| internal | None | Internal services on a trusted network |

A profile with auth type none accepts any request that passes its IP and method checks, so pair it with an IP allow-list rather than relying on network placement alone. Each profile is identified independently by its X-Profile-ID.
Disabling a profile
Toggle a profile to inactive to reject all requests that use it without deleting it; its configuration and credentials are kept, which makes this the quickest way to revoke access temporarily and restore it later.
Related docs
- Clients — manage the client that owns these profiles
- Authentication Methods — compare token, JWT, OIDC, mTLS, none