Automation 360 Control Room can act as an OAuth 2.0 and OpenID Connect (OIDC) Authorization Server for Cloud deployments, allowing administrators to register up to 25 external OAuth clients per Control Room and manage their lifecycle and access permissions.

After registration, these clients can obtain tokens from the AAI authorization server using standard OAuth 2.0 and OIDC flows and use those tokens to securely access Automation 360 resources. The Control Room supports the Authorization Code, Authorization Code with PKCE, and Refresh Token grant types for issuing and renewing these tokens. This capability enables standards-based, inbound integrations with third-party systems and internal applications, including MCP clients and other OAuth-compatible clients.

The AAI authorization server issues OAuth tokens with the following attributes:

  • Token format - Indicates whether issued tokens are JSON Web Tokens (JWT).
  • Access token expiration time - How long an access token remains valid before it expires.
  • Refresh token lifetime - How long a refresh token can be used to obtain new access tokens.
  • JWKS endpoint - The endpoint that exposes the JSON Web Key Set (JWKS) containing the public keys used to verify JWT signatures.

These settings determine how long issued tokens remain valid and how external systems can validate or revoke tokens when integrating with Automation 360.
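As an added example (not Automation Anywhere's code and not taken from this page), the check an integrating system performs on a JWT access token using the JWKS endpoint: select the signing key by kid, verify the RS256 signature, and enforce the expiration time. It is written in Go against the standard library only. The key pair, the kid value, the JWKS document and the token are constructed locally so the program runs offline; a real verifier would instead fetch the JWKS document from the Control Room's JWKS endpoint over HTTPS and cache it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwks mirrors the document a JWKS endpoint serves, reduced to what an RS256 verifier needs.
// encoding/json matches object keys case-insensitively, so "kty", "kid", "n" and "e" bind here.
type jwks struct{ Keys []struct{ Kty, Kid, N, E string } }

// claims holds the registered claims this verifier checks; any other claims are ignored.
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// publicKeyFromJWKS parses the JWKS document, selects the RSA key whose kid matches,
// and rebuilds the public key from its n and e members.
func publicKeyFromJWKS(doc []byte, kid string) (*rsa.PublicKey, error) {
	var set jwks
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kid != kid || k.Kty != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, errors.New("malformed JWK")
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, errors.New("no RSA key with matching kid in JWKS")
}

// verifyJWT validates an RS256 access token against the JWKS document: pinned alg, kid lookup,
// signature over header.payload, and exp checked against now. Claims are returned only on success.
func verifyJWT(token string, jwksDoc []byte, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three segments")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, errors.New("malformed token header")
	}
	if hdr.Alg != "RS256" { // the verifier pins the algorithm; the header must not get to pick "none" or HMAC
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := publicKeyFromJWKS(jwksDoc, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed token payload")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// signJWT and jwksFor stand in for the Control Room so the example runs offline (constructed, not the
// product's code): one issues a token, the other publishes the public key as a JWKS endpoint would.
func signJWT(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func jwksFor(priv *rsa.PrivateKey, kid string) []byte {
	n, e := b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":%q,"use":"sig","alg":"RS256","n":%q,"e":%q}]}`, kid, n, e))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := jwksFor(priv, "cr-key-1") // constructed kid; a real verifier fetches doc from the JWKS endpoint
	now := time.Now()
	tok := signJWT(priv, "cr-key-1", claims{Sub: "registered-client", Exp: now.Add(time.Hour).Unix()})
	_, err := verifyJWT(tok, doc, now)
	fmt.Println("fresh token accepted:", err == nil)
	_, err = verifyJWT(tok, doc, now.Add(2*time.Hour))
	fmt.Println("same token after expiry:", err)
}
```

Two practical points follow from the attributes above. An access token that fails the exp check is exactly the point at which the client should use its refresh token, within the refresh token lifetime, rather than prompting the user again. And because the JWKS document can change when keys are rotated, a verifier that caches it should re-fetch once when it meets an unknown kid before rejecting the token.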

Note: To configure Control Room as an OAuth client for outbound connections to external services, see Configure OAuth connections in Control Room.

Prerequisites

Ensure that your user role includes one of the following Control Room permissions:
  • Application Registration View – to view existing OAuth clients.
  • Application Registration Manage – to create, update, and delete OAuth clients.

Procedure

  1. Log in to Automation 360 Control Room.
  2. From the left navigation, select Manage.
  3. Navigate to OAuth clients. This page lists all OAuth clients registered in the Control Room, if any.
  4. Click Create client to register a new OAuth client.
  5. Enter a unique Application name to identify the OAuth client.
  6. Select an Application type from the drop-down list.
    • Regular Web - Use this Application type when you intend to use a client secret. It is typically used when your client resides on a secure web server that can protect the secret.
    • Single Page Application - Use this Application type when you intend to use PKCE and forgo passing a client secret. It is typically used when your client resides in an unprotected environment that cannot protect the secret.
  7. Optional: Enter a Description for the OAuth client.
  8. Enter one or more Redirect URIs to validate the client and click Add. Separate each redirect URI with a comma. Currently, you can add up to 10 redirect URIs.
    Note: When you save the OAuth client configuration, the system checks that all Redirect URIs use HTTPS. Once they are validated, client metadata is generated.
  9. Click Create client.

    The newly created client appears on the OAuth clients page. Click the Application name to view the OAuth client details, which consist of automatically generated client metadata. See View and manage OAuth clients.

    All generated values can be copied individually. Share the Client ID, Client secret, and endpoint URLs with the external application owner so they can configure them in their OAuth client application.

    Note:
    • Treat the Client secret like a password. It must only be shared with trusted administrators of the external application and stored in a secure location, such as a secret manager.
    • Authorized users can view the Client secret from the OAuth clients page at any time.
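As an added example (not part of this page and not the product's own code), the PKCE half of the Single Page Application flow chosen in step 6, in Go against the standard library: generating the code_verifier and its S256 code_challenge, building the authorization request only after the redirect URI passes the HTTPS check from step 8, and the comparison the authorization server performs at the token endpoint. The authorization endpoint, client ID, redirect URI and state value are placeholders; the real values come from the client metadata page, and state must be freshly random per request.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// newCodeVerifier returns a PKCE code_verifier: 32 random bytes, base64url without padding,
// which is 43 characters from the unreserved set RFC 7636 requires (43 to 128 characters).
func newCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallengeS256 derives the code_challenge the client sends in the authorization request.
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validateRedirectURI applies the check the page describes for saved redirect URIs (HTTPS only).
// It additionally requires a host and rejects fragments, which RFC 6749 forbids in redirect URIs.
func validateRedirectURI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	switch {
	case u.Scheme != "https":
		return fmt.Errorf("redirect URI %q must use https", raw)
	case u.Host == "":
		return fmt.Errorf("redirect URI %q has no host", raw)
	case u.Fragment != "":
		return fmt.Errorf("redirect URI %q must not contain a fragment", raw)
	}
	return nil
}

// buildAuthorizeURL assembles the authorization request for a Single Page Application client.
// No client secret is involved; the S256 challenge binds the later token request to this client instance.
func buildAuthorizeURL(authorizeEndpoint, clientID, redirectURI, state, verifier string) (string, error) {
	if err := validateRedirectURI(redirectURI); err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid")
	q.Set("state", state)
	q.Set("code_challenge", codeChallengeS256(verifier))
	q.Set("code_challenge_method", "S256")
	return authorizeEndpoint + "?" + q.Encode(), nil
}

// verifyCodeVerifier is the authorization server's half of PKCE at the token endpoint: the
// code_verifier presented with the authorization code must hash to the challenge stored with that code.
func verifyCodeVerifier(verifier, storedChallenge string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	got := codeChallengeS256(verifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	verifier, err := newCodeVerifier()
	if err != nil {
		panic(err)
	}
	// Placeholder endpoint, client ID, redirect URI and state: real values come from the client metadata page.
	const authzEndpoint, clientID = "https://controlroom.example/oauth/authorize", "CLIENT_ID_PLACEHOLDER"
	authz, err := buildAuthorizeURL(authzEndpoint, clientID, "https://app.example/callback", "STATE_PLACEHOLDER", verifier)
	fmt.Println(authz, err)
	_, err = buildAuthorizeURL(authzEndpoint, clientID, "http://app.example/callback", "STATE_PLACEHOLDER", verifier)
	fmt.Println("plain-http redirect:", err)
	fmt.Println("verifier matches challenge:", verifyCodeVerifier(verifier, codeChallengeS256(verifier)))
}
```

The verifier stays in the client and is never sent in the authorization request; only the challenge travels in the front channel, and the verifier is sent once, to the token endpoint together with the code. The length bounds and the constant-time comparison in verifyCodeVerifier are what a server should enforce so that a leaked authorization code alone is not enough to obtain a token.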