Resource Server Record

An Resource Server is an oAuth Client which represent a server protecting your APIs

General Settings

NameYesThe application name. Maps to the client_name on Dynamic Client Registration
Realm__cYesThe Realm under which the application lives
ApplicationType__cYesApplciation type. Possible values: resource_server
Contacts__cNoList of email addresses for the contacts of this application
ExternalAuthServer__cNoA reference to the External Auth Server responsible for generating access_tokens for this resource_server

Client credentials

ClientId__cYesA unique identifier for the application. You must ensure that this value is generated by your administrator or through the DCR. Must not be allowed to the end user to choose this value

oAuth Settings

ResponseTypes__cYesOnly accepted value is none. A Resource Server will never be allowed to login a user.
GrantTypes__cYesgrant_types which the resource_server commits to use. All other grant_types will be rejected. Only possible value is client_credentials
RedirectUris__cYesredirect_uris which the client commits to use. All other redirect_uris will be rejected
AccessTokenExpirationTime__cYesExpiration time for access_tokens when this resource_server is the audience. The value is defined by an adminsitration
AccessTokenSigningAlgValue__cYesAlgorithm to sign the access_token when this resource server is the audience. A JWK with this algorithm must be available at the Realm JWKS
RefreshTokenExpirationTime__cYesExpiration time for refresh_tokens when this resource_server is the audience. The value is defined by an adminsitration
TokenEndpointAuthMethod__cYesAuthentication method used when calling the token_endpoint
TokenEndpointAuthSigning__cNoRequired only when token_endpoint_auth_method is one of private_key_jwt or client_secret_jwt
RevocationEndpointAuthMethod__cYesAuthentication method used when calling the revocation_endpoint
RevocationEndpointAuthSigning__cNoRequired only when revocation_endpoint_auth_method is one of private_key_jwt or client_secret_jwt
IntrospectionEndpointAuthMethod__cYesAuthentication method used when calling the introspection_endpoint
IntrospectionEndpointAuthSigning__cNoRequired only when introspection_endpoint_auth_method is one of private_key_jwt or client_secret_jwt


Jwks__cNoRequired if token_endpoint_auth_methods, revocation_endpoint_auth_method or introspection_endpoint_auth_method has value private_key_jwt.


Since the scopes are used for authorization, they are stored in an encrypted field (cymscopesc). You can use the UI provided by the CYM-Identity application to assign scopes to ResourceServers

Assigned scopes

You can assign scopes to a ResourceServer which will allow the ResourceServer to receive the user claims in the introspection_endpoint response.

Default scopes (audience scopes)

The scopes which will be assigned to access_tokens when this resource_server is used as an audience of a request.
The default_scopes are a subset of the ResourceServer's assigned scopes.
If the resource server is to be used as an audience, this field is mandatory or all requests will fail.

Protected Resources

A Protected Resource reprensent an API endpoint which applications and other resource_servers can request access to.

General Settings

NameYesName of the protected resource. Useful to search for protected resources
ResourceServer__cYesThe resource_server to which this protected resource belongs to.
ResourceUri__cYesA URL which can be referenced by Applications when requesting access to this Protected Resource
MaxAge__cNoMaximum age for a user authentication beyond which an access_token will not be generated. e.g. If max age is 3600, only users who have successfully authenticated in the last 1h will receive an access_token.
The refresh_token requests for the resource will also be rejected if the auth_time is older than max_age
Scopes__cNoScopes required to have access to this resource