---
title: Adding OAuth client rules
description: Add an OAuth client rule to restrict access to API applications based on one or more OAuth client IDs.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_oauth_client_rules
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_oauth_client_rules.html
revdate: February 6, 2023
section_ids:
  steps: Steps
---

# Adding OAuth client rules

Add an OAuth client rule to restrict access to API applications based on one or more OAuth client IDs.

## Steps

1. Click **Access**, then go to **Rules > Rules**.

2. Click **[icon: plus, set=fa]Add Rule**.

3. In the **Name** field, enter a unique name, up to 64 characters long.

   Special characters and spaces are allowed.

4. From the **Type** list, select **OAuth Client**.

5. In the **Client IDs** section, enter one or more Client IDs that allow access. To add additional fields, click **[icon: plus, set=fa]New Value**.

6. **Optional:** If you want to configure rejection handling, click **Show Advanced Settings**, and then from the **Rejection Handler** list, select an existing rejection handler that defines whether to display an error template or redirect to a URL.

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | You can include information about missing Client IDs in the rejection response using the `$info` variable.For example, if you are using the Default application programming interface (API) *(tooltip: \<div class="paragraph">&#xA;\<p>A specification of interactions available for building software to access an application or service.\</p>&#xA;\</div>)* rejection handler, you could edit the `<PA_HOME>/conf/template/oauth.error.json` file and change this line: `{"$Encode.forJavaScriptSource($header)":""}`to`{"$Encode.forJavaScriptSource($header)":"#if($info)$Encode.forJavaScriptSource($info)#end"}` |

7. Click **Save**.