Data API

Managing clients

Create and maintain OAuth2 clients for the Data API

An OAuth2 client represents an application that will access the Data API on behalf of a Tibber user. You must create at least one client before you can run the Authorization Code Flow.

Where

Use the management UI at Manage clients. Everything on this page requires you to be authenticated as a Tibber customer.

Creating a client

You provide:

  • Name: display name for your reference
  • Redirect URIs: one or more exact HTTPS URIs (a variant of http://localhost is customary for local development)
  • Scopes: the category scopes your application actually needs (see Scopes)

On success, you receive:

  • clientId
  • clientSecret (displayed once; make sure to copy it straight away)

Secrets are never shown again. If lost, you have to create a new client and delete the old one.

  • Separate clients per environment (prod, staging, local) to isolate redirect URIs and scope experiments
  • Use the smallest scope set initially; request more only when needed, but be aware that users must re-authorize
  • Delete the client and create a new one if you suspect exposure

Deleting a client

Delete it from the list. Effects:

  • Existing access tokens continue until they expire (normally ~1 hour)
  • New refresh operations fail (treat as revoked)

Security notes

  • Keep secrets server‑side only; do not embed in mobile apps, SPAs, or public repos
  • Prefer PKCE for browser / mobile initiated flows (optional for strictly server-side)
  • Treat refresh tokens like credentials (store encrypted / database, not in logs)
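The sketch below is an added example, not Tibber's code. It shows one way a server-side application can act on "treat as revoked" after a client is deleted, and keep token values out of logs. It assumes the token endpoint returns RFC 6749 section 5.2 error bodies, which this page does not specify; TokenStore, handle_refresh and redact are hypothetical names.

```python
import json
from dataclasses import dataclass, field

# RFC 6749 section 5.2 error codes that mean the client or grant is no longer
# usable. Assumption: the page does not say which one a deleted client yields.
REVOKED_ERRORS = {"invalid_client", "invalid_grant", "unauthorized_client"}
SENSITIVE_KEYS = {"access_token", "refresh_token", "client_secret"}


def redact(payload: dict) -> dict:
    """Copy of a token payload that is safe to log: credential values masked."""
    return {k: "[redacted]" if k in SENSITIVE_KEYS else v for k, v in payload.items()}


@dataclass
class TokenStore:
    """Hypothetical in-memory stand-in for an encrypted server-side token table."""
    tokens: dict = field(default_factory=dict)

    def handle_refresh(self, user_id: str, status: int, body: str) -> str:
        """Apply one refresh response; return 'refreshed', 'reauthorize' or 'retry'."""
        try:
            payload = json.loads(body)
        except ValueError:
            payload = None
        if not isinstance(payload, dict):
            payload = {}
        if status == 200 and "access_token" in payload:
            old = self.tokens.get(user_id, {})
            self.tokens[user_id] = {
                "access_token": payload["access_token"],
                # Keep the stored refresh token if the server did not rotate it.
                "refresh_token": payload.get("refresh_token", old.get("refresh_token")),
            }
            return "refreshed"
        if status in (400, 401) and payload.get("error") in REVOKED_ERRORS:
            # Treat as revoked: drop stored credentials and send the user
            # back through the Authorization Code Flow with a current client.
            self.tokens.pop(user_id, None)
            return "reauthorize"
        # Anything else (5xx, rate limits, unparseable bodies): keep tokens.
        return "retry"


if __name__ == "__main__":
    store = TokenStore({"u1": {"access_token": "at-old", "refresh_token": "rt-old"}})
    deleted = '{"error": "invalid_client"}'  # constructed sample response
    print(store.handle_refresh("u1", 401, deleted), store.tokens)
    print(redact({"access_token": "at-new", "expires_in": 3600}))
```

A "reauthorize" result does not affect access tokens that were already issued; as noted under Deleting a client, those continue until they expire.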

Next

Proceed to Quick start or review Authentication.
