Skip to main content

Generate Client ID and Secret in GitLab Self-Hosted

Follow these steps to create an OAuth application in GitLab Self-Hosted and obtain the Client ID and Client Secret.

1. Register an OAuth Application

  1. Log in to your GitLab Self-Hosted instance.
  2. Navigate to Admin AreaApplications (/admin/applications), Admin Page
  3. or go to User SettingsApplications (/-/profile/applications) for user-specific tokens. User Page
  4. Click “New application”. New Application
  5. Fill in the required details: Form Application
  • Scopes: The following scopes are required for different areas:
    • read_api: For basic API access to GitLab endpoints
    • read_user: For accessing user information
    • read_repository: For accessing repository data and branches, reading and accessing issues
    • write_repository: For creating merge requests and managing webhooks, creating and managing issues
    • api: For general API access to all repository endpoints, managing CI/CD variables and secrets. Creating, updating, and deleting webhooks
    • openid: Required for OpenID Connect authentication
    • profile: Access to basic profile information
    • email: Access to user email information
  • Trusted: Check this box for allowed Plexicus to use application credentials as a trusted first-party application.
  • Name: Enter a meaningful name for the application.
  • Redirect URI: Enter this callback URL: https://covulor.plexicus.com/api/callback/gitlab
  1. Click “Save application”.

2. Get Client ID and Client Secret

Ensure you select the required scopes (openid, profile, email, read_api, read_user, read_repository, write_repository, api). We follow the principle of least privilege and only request permissions that are essential for Plexicus’s functionality. These scopes provide the necessary access for authentication and repository operations while maintaining security.
Application Created After saving the application, GitLab will generate:
  • Application ID (Client ID): Used as the client_id.
  • Secret (Client Secret): Used as the client_secret.
These credentials will be used in the next step to obtain an access token.
Keep your Client Secret private and never expose it in public repositories or frontend applications.
Next, you can proceed to exchanging an authorization code for an access token. 🚀