
Applications management

Create and configure tryMellon applications — origins, webhook URL, lifecycle.

A tryMellon application represents one logical client (a web app, a mobile app, a backend service). It owns the client_id / client_secret pair, the allowed origins for browser SDK calls, and the optional webhook URL.

Create an application

  1. Dashboard → Applications → New application.
  2. Pick a name (free text, shown only in the dashboard).
  3. Add at least one allowed origin (e.g. https://app.example.com). Browser SDK requests from any other origin are rejected with INVALID_ARGUMENT.
  4. Optional: webhook URL for receiving auth events (see Webhook events).
  5. Create. The response includes client_id (publishable) and client_secret (one-time display — copy it now).

Lifecycle states

stateDiagram-v2
  [*] --> active : created
  active --> suspended : tenant or admin suspend
  suspended --> active : reinstate
  active --> deleted : delete
  suspended --> deleted : delete
  deleted --> [*]

  • active — accepts auth requests.
  • suspended — client_secret rejected; useful for temporary lockout without losing config.
  • deleted — irreversible. Existing user records survive; new auth attempts fail with application_not_found.

Allowed origins

Origins are validated per request with strict equality (scheme + host + port). Wildcards are rejected. Localhost requires the explicit http://localhost:PORT.

cURL to update origins:

curl -X PATCH https://api.trymellonauth.com/v1/applications/$APP_ID \
  -H "Authorization: Bearer $TENANT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "allowed_origins": ["https://app.example.com", "https://staging.example.com"] }'
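
A pre-flight lint for the allowed_origins list, run before the PATCH above, so that entries a browser can never match are caught locally. This is an added example, not tryMellon code: the function names are hypothetical, and it models only the rule stated in this section (exact scheme + host + port, no wildcards, explicit port for localhost).

```javascript
// Added example (hypothetical helper names, not part of the tryMellon SDK).
// Browsers send the Origin header in serialized form: lowercase host,
// no path or trailing slash, default port omitted. With strict equality,
// an allow-list entry in any other form never matches a real request.

function lintOrigin(entry) {
  if (typeof entry !== "string" || entry.length === 0) {
    return { ok: false, reason: "not a non-empty string" };
  }
  // The WHATWG URL parser accepts "*" inside a host, so test for it explicitly.
  if (entry.includes("*")) {
    return { ok: false, reason: "wildcards are rejected" };
  }
  let url;
  try {
    url = new URL(entry);
  } catch {
    return { ok: false, reason: "not an absolute URL (scheme missing?)" };
  }
  // The parser drops a default port, so http://localhost:80 also lands here.
  if (url.hostname === "localhost" && url.port === "") {
    return { ok: false, reason: "localhost needs an explicit port" };
  }
  if (url.origin !== entry) {
    return { ok: false, reason: `not in serialized form, expected ${url.origin}` };
  }
  return { ok: true, reason: "" };
}

// Returns only the entries that would be rejected or could never match.
function lintAllowedOrigins(list) {
  return list
    .map((entry) => ({ entry, ...lintOrigin(entry) }))
    .filter((result) => !result.ok);
}

// Strict equality, as described above: no prefix, suffix or pattern matching.
function originAllowed(requestOrigin, allowedOrigins) {
  return allowedOrigins.includes(requestOrigin);
}

// Constructed sample list mixing valid and invalid entries.
const sample = ["https://app.example.com", "https://app.example.com/",
  "https://*.example.com", "http://localhost", "http://localhost:5173"];
console.log(lintAllowedOrigins(sample));
```
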

Webhook URL

A single HTTPS URL per application receives all subscribed events. Default subscription includes the full event catalog — fine-grained per-event subscription is on the F0 follow-up roadmap (see Webhook events).

curl -X PATCH https://api.trymellonauth.com/v1/applications/$APP_ID \
  -H "Authorization: Bearer $TENANT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "webhook_url": "https://api.example.com/trymellon/webhook" }'

Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| INVALID_ARGUMENT: origin not allowed | The browser made a request from an origin not in allowed_origins. | Add the origin (exact scheme + host + port). |
| application_not_found | App was deleted or client_id is wrong. | Recreate the app or fix the env var. |
| Webhook never fires | URL not reachable / TLS invalid. | Inspect deliveries: GET /v1/webhooks/deliveries?application_id=…. |