
API OAuth Token Configuration

Topic

The NinjaRMM Public API uses OAuth2 to authenticate requests. OAuth 2.0 allows applications to access NinjaRMM resources (such as monitoring information) made available via the API.

Environment

NinjaOne API 

Description

If you have any questions about API configuration, documentation, or OAuth Tokens, you can contact our API Team at [email protected]
Only system administrators may configure OAuth tokens for NinjaOne API. 

About

To start using the OAuth protocol for your app’s authentication with NinjaOne, you must first have an OAuth app credential from the NinjaOne system. The OAuth app will set up an authorization grant for you. OAuth 2.0 supports various grant types. However, NinjaOne Public API supports authorization code and implicit grant types.

Find your API settings under Administration > Apps > API.

Generate an OAuth Client Application

  1. From the API page in NinjaOne, open the Client app IDs tab and click Add client app.

Figure 1: Add a new client app configuration in NinjaOne

  2. Select an option from the Application Platform drop-down list to generate more data fields.
     Certain grant types may not be available depending on your selection in this step.
  3. Use the following table to help you fill out the applicable fields.

Field: Description

Name: Enter the title that will be displayed as the client application name in the consent screen. This name will be displayed under Administration > Apps > API > OAuth Tokens in NinjaOne.

Redirect URLs: Enter one or more URL(s) where NinjaOne will send OAuth responses. This is not configurable when using the Native Application Platform. This will use a local host.

Scopes: This allows access to all Public API Resources of a certain type: Monitoring, Management, and Control. Activate the checkbox next to the type to enable it.
  • Monitoring: Grants read-only access to monitoring data and organization structure.
  • Management: Allows modification of device and organization information, including creating new organizations, adding new devices, running scripts, and others.
  • Control: Enables remote access via API.
  • Refresh Token: For security purposes, access tokens may be valid for a short amount of time. Once they expire, client applications can use a refresh token to "refresh" the access token. That is, a refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again.
    • Select this option under Allowed grant types

Allowed Grant Types: OAuth 2.0 grant types are used for the client application acting on behalf of a user. To minimize security risks, limit the allowed grant types to Authorization Code, Refresh Token, and Implicit.
  • Authorization Code: The Authorization Code is a temporary code the client will exchange for an access token. The code is obtained from the authorization server, where the user can see what information the client requests and approve or deny the request.
  • Client Credentials: This flow bypasses the code exchange step and is an alternative to the Authorization Code. Instead, the access token is immediately returned to the client in the query string fragment.

After the configuration is complete, click Save at the top of the page. You will see your Client ID, which you can copy and use when the app interacts with NinjaOne. 
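
The Authorization Code grant and the refresh step described in the table, seen from the client application's side. This is an added example, not NinjaOne's code: the host, endpoint path, scope string, and client ID are placeholders, and the parameter names are the standard OAuth 2.0 ones rather than values taken from this article.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders (assumptions, not values from the NinjaOne documentation).
AUTHORIZE_URL = "https://ninjaone.example/oauth/authorize"  # hypothetical host and path
CLIENT_ID = "EXAMPLE_CLIENT_ID"        # the Client ID shown after saving the client app
REDIRECT_URL = "https://app.example/oauth/callback"  # must be a registered Redirect URL
SCOPES = ["monitoring"]                # placeholder scope string; request only what is needed


def build_authorization_request(state=None):
    """Return (url, state) for the browser redirect that starts the grant."""
    state = state or secrets.token_urlsafe(32)  # unguessable, tied to this login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URL,
        "scope": " ".join(SCOPES),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def handle_callback(callback_url, expected_state):
    """Validate the OAuth response sent to the redirect URL; return the temporary code."""
    got, reg = urlsplit(callback_url), urlsplit(REDIRECT_URL)
    if (got.scheme, got.netloc, got.path) != (reg.scheme, reg.netloc, reg.path):
        raise ValueError("response arrived at an unregistered redirect URL")
    params = parse_qs(got.query)
    if "error" in params:  # the user denied the request, or the server refused it
        raise PermissionError(params["error"][0])
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_body(code=None, refresh_token=None):
    """Form fields for the token endpoint (client authentication omitted here)."""
    if refresh_token is not None:  # access token expired: refresh without a new login
        return {"grant_type": "refresh_token", "refresh_token": refresh_token,
                "client_id": CLIENT_ID}
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URL, "client_id": CLIENT_ID}
```

The state check and the redirect URL comparison are what tie the returned code to the session that requested it; the code itself is only useful once exchanged at the token endpoint.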

To edit or delete a client app ID, move your cursor over the row and select the applicable option on the right side of the page. 

Figure 3: Edit or delete a client app configuration in NinjaOne

Additional Resources

Refer to the following resource(s) to learn more about using API with NinjaOne: NinjaOne Public API Operations.
