Client Configuration
API clients are created and configured from the API Access tab on account.diapstash.com. Each client represents an application that can authenticate users via OAuth 2.0 and access the DiapStash API on their behalf.
Client Name
The Client Name is a human-readable label to identify your client in the dashboard. It is set at creation time and must be at least 8 characters long.
Client ID
The Client ID is a public identifier for your application. It is generated automatically when the client is created and cannot be modified.
It must be included in every API request via the DS-API-CLIENT-ID header (see API Usage).
Client Secret
The Client Secret is used to authenticate your application at the OAuth 2.0 token endpoint.
API Server. For Javascript Web App clients, there is no client secret — PKCE must be used instead.The secret can be regenerated at any time from the client settings. Regenerating the secret immediately invalidates the previous one, which may cause existing access tokens to stop working.
Application Type
The Application Type defines the authentication model used by your application.
| Label | Description |
|---|---|
| Javascript Web App | Authentication is performed from the browser using PKCE (e.g. a Single Page App). No client secret is available. |
| API Server | Authentication is handled server-side. The client secret is required and must never be exposed to end users. |
Javascript Web App type for browser-based applications.Logo URL
The Logo URL is the URL of your application's logo. It is displayed on the OAuth 2.0 consent screen when users are asked to authorize your application.
Must be a valid URL pointing to an image file.
Redirect URLs
Redirect URLs are the callback URLs to which DiapStash will redirect users after they authorize (or deny) your application.
- At least one redirect URL is required
- Each entry must be a full URL (e.g.
https://myapp.com/callback) - Only URLs registered here will be accepted during the OAuth 2.0 flow
Allowed Origins (CORS)
Allowed Origins define which browser origins are permitted to make cross-origin requests to the OIDC endpoints (e.g. the token endpoint).
This is required when your application calls OIDC endpoints directly from the browser (e.g. a SPA exchanging an authorization code for tokens).
- Each entry must be a full origin in the format
scheme://host[:port]— without a trailing slash (e.g.https://myapp.com) - DiapStash domains are always allowed regardless of this setting
- If the field is left empty, a wildcard is applied to public OIDC endpoints only
Scopes
Scopes define the permissions your client is allowed to request when authenticating users.
| Scope | Description |
|---|---|
cloud-sync.history | Access to the user's change history |
cloud-sync.stock | Access to the user's diaper stock |
cloud-sync.types | Access to the user's custom diaper types |
cloud-sync.types scope to retrieve the user's custom types.At least one scope is required. The scopes configured here define the maximum set of permissions your client can request. Users will be shown the list of requested scopes on the consent screen before authorizing your application.
For information about how to request scopes during authentication, see the Authentication page.
Pre-filling the client creation form
If you maintain a third-party service that integrates with the DiapStash API, you can link directly to a pre-filled Create API client form on account.diapstash.com. This makes it easier for developers integrating your service to create a correctly configured client, without having to copy values by hand from your documentation.
The link target is:
https://account.diapstash.com/account/api/create
Pre-fill values are passed as query (GET) parameters:
| Application type | Allowed value |
|---|---|
| Javascript Web App | spa or javascript |
| API Server | backend or api-server |
redirectUri=A&redirectUri=B).scope=cloud-sync.history&scope=cloud-sync.types).All parameters are optional, and any unrecognized or invalid value is simply ignored (the corresponding field is left at its default).
Example
https://account.diapstash.com/account/api/create?clientName=My+Service&mode=backend&redirectUri=https://myservice.com/oauth/callback&allowedOrigin=https://myservice.com&scope=cloud-sync.history&scope=cloud-sync.types