Question: Obtaining Client ID for Authorization Code Grant on AIP Developer Tier

Hello Palantir Developer Community,

I’m working on a third-party application (“AipApp” - ri.third-party-applications.main.application.5e6b3bef-3dfd-42ec-b5fb-4373a567ca9f) in the AIP Developer Tier and am trying to implement the Authorization Code Grant flow for frontend authentication, as recommended by Palantir Support. This project is part of my assessment for a Forward Deployed Engineer (FDE) role at Palantir, and I aim to build it following best practices for integrating with the platform.

What I’m Building:

I’m developing a learning path generator. The frontend (React) allows users to input a goal, which is then sent to a backend. The backend calls an AIP Logic function to leverage a Large Language Model (GPT-4o) to generate a learning path, which is then displayed on the frontend. Now, I need to implement secure authentication for the frontend to potentially access broader Foundry APIs in the future.

The Issue:

I have enabled the Authorization Code Grant in the “OAuth & scopes” tab of my application settings and configured the necessary Redirect URI (http://localhost:5173/auth/callback). However, I am unable to locate the Client ID (also sometimes referred to as Application ID) for my application within the Developer Console. This Client ID is a crucial parameter for constructing the authorization URL to initiate the login flow.

My Questions:

  1. Could someone please advise on how to obtain the Client ID for a third-party application within the AIP Developer Tier when using the Authorization Code Grant? I have looked in the “Overview” tab (under “Application metadata”) and the “OAuth & scopes” tab but haven’t found it displayed.
  2. Are there any alternative authentication methods or workflows recommended for the AIP Developer Tier if the standard Client ID for Authorization Code Grant is not readily available? Given that this is for an FDE assessment project, understanding the limitations and potential workarounds within this tier is important.

Any guidance on where to find the Client ID or alternative authentication strategies would be greatly appreciated.

Thank you for your help!

You need to use “application permissions” during the setup, in order to have a service user created, and hence a client_id/secret generated.
https://www.palantir.com/docs/foundry/ontology-sdk/create-a-new-osdk/#create-an-application-using-developer-console

This approach works well in case the id/secret can be stored securely, e.g. in a backend.

If you were to want your frontend to directly perform the calls, then you can use the user authentication, where the user logs in via OAuth to Foundry “as themselves” and hence all the API calls are done with their own token. You likely configured your application in Developer Console this way, hence why you are not seeing the client id.
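
The user-authentication route described above, sketched as an added example (not code from this thread or from Palantir): a client-facing app sends only its public client ID plus a PKCE challenge and a `state` value, then checks the callback before using the code. The host, endpoint path, client ID and scope are placeholders, and PKCE support on the authorization server is an assumption; only the redirect URI comes from the question.

```javascript
// Added example. Assumptions: authorizeUrl, clientId and scope are placeholders; PKCE is assumed.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const CONFIG = {
  authorizeUrl: 'https://foundry.example.com/oauth2/authorize', // placeholder host and path
  clientId: 'PLACEHOLDER_CLIENT_ID',
  redirectUri: 'http://localhost:5173/auth/callback', // redirect URI from the question
  scope: 'PLACEHOLDER_SCOPE',
};

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// 32 random bytes -> 43-char URL-safe string; used for both state and code_verifier.
const randomToken = () => b64url(webcrypto.getRandomValues(new Uint8Array(32)));

// RFC 7636 S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function pkceChallenge(verifier) {
  const digest = await webcrypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier));
  return b64url(new Uint8Array(digest));
}

// The URL carries the public client ID and the challenge, never a client secret.
function buildAuthorizationUrl(cfg, state, codeChallenge) {
  const url = new URL(cfg.authorizeUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: cfg.scope,
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Accept the callback only if it hits the registered redirect URI, carries no
// error, and echoes the state stored before the redirect (CSRF check).
function parseCallback(callbackUrl, cfg, expectedState) {
  const url = new URL(callbackUrl);
  if (url.origin + url.pathname !== cfg.redirectUri) throw new Error('unexpected redirect URI');
  const error = url.searchParams.get('error');
  if (error) throw new Error(`authorization failed: ${error}`);
  if (!expectedState || url.searchParams.get('state') !== expectedState) throw new Error('state mismatch');
  const code = url.searchParams.get('code');
  if (!code) throw new Error('missing authorization code');
  return code; // exchanged at the token endpoint together with the code_verifier
}
```

Store the `state` and `code_verifier` (for example in `sessionStorage`) before redirecting, and discard both once the callback has been processed.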

Hi @woustachemax!

We’re fixing a UI bug that meant you created an app with the “Application permissions” grant despite not having access to create such an app on a DevTier instance. This creation didn’t actually go through, but it left your app in an inconsistent state.

While this fix rolls out, in the meantime you can create a new Developer Console app, and just don’t select “Backend service” when creating your app; stick to “Client-facing application”:


Hi @VincentF,

Thank you for your explanation. That makes sense regarding the “application permissions” and user authentication approaches. It seems I might have inadvertently been expecting the “application permissions” model. Your clarification on how the “Client-facing application” type works with user authentication is very helpful.

Hi @amish,

Thank you so much for clarifying the UI bug and the inconsistent state! That explains why I was struggling to find the Client ID.

I will proceed with your recommendation to create a new application and specifically select “Client-facing application: Connect directly to Foundry from a web, desktop, or mobile application.” I will make sure not to select “Backend service” during creation.

I appreciate you pointing out this workaround while the fix rolls out. This is exactly the information I needed to move forward.
I’ll report back on whether I can find the Client ID in the new application’s settings. Thanks again for your help!
