GetAppCredentialsResponse

Response from GET /applications/1.0/{appId}/credentials. The credential fields are wrapped under productionCredentials so a future sandboxCredentials sibling envelope can be added without breaking this response.

clientSecret is intentionally absent: Cognito does not allow reading the secret back after creation. It is surfaced exactly once on the POST /applications/1.0/drafts response; if you did not save it then, contact TimeBack support.

The clientId is stable across draft→active promotion: developers do NOT need to rotate credentials when their App is approved. Scopes expand on promotion; client identity does not.

applicationId
Type: stringFormat: uuid
required

Unique identifier of the App whose credentials are returned.
appUrn
Type: string Pattern: ^urn:uuid:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
required

Canonical URN identifying your registered application.

Format: urn:uuid:{applicationId} (RFC 4122). Use this value as Caliper edApp.id when emitting events from your app.
productionCredentials
Type: object
required

OAuth credentials for the App on the production Cognito user pool. The same client is used in both draft and active App states — scopes expand on promotion but clientId, tokenUrl, and shape do not change. A future sandboxCredentials sibling envelope will carry sandbox-pool credentials when the sandbox Cognito pool exists.
- clientId
  Type: string
  required
  
  OAuth client ID for authenticating your application (client credentials flow). Stable across draft→active promotion.
- scopes
  Type: array string[]
  required
  
  OAuth scopes currently authorized on this client. Expands on promotion; today's list reflects the draft scope only.
- tokenUrl
  Type: stringFormat: uri
  required
  
  Cognito token endpoint. POST client_id + client_secret here with grant_type=client_credentials to mint an access token.