> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stackone.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect Jamf Pro with OAuth 2.0 (API Client Credentials) – StackOne Hub

> Link a Jamf Pro account in the StackOne Hub using OAuth 2.0 (API Client Credentials). End-user guide to authorize the integration and start using Jamf Pro actions.

<Warning>Requires Jamf Pro 10.49.0 or later. You must be a Jamf Pro administrator of the tenant.</Warning>

<section data-guide-section data-guide-scopes="">
  <h2>Create an API Role</h2>

  <p>An API Role groups one or more Jamf Pro privileges (e.g. "Read Computers", "Update Mobile Devices") that the API Client will be allowed to exercise. You can also reuse an existing role.</p>

  <Steps>
    <Step title="Sign in to your Jamf Pro web console">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Sign in as a Jamf Pro administrator at `https://<your-tenant>.jamfcloud.com` (Jamf Cloud) or your self-hosted Jamf Pro URL.</p>
      </div>
    </Step>

    <Step title="Navigate to API Roles">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Go to <strong>Settings > System > API Roles and Clients</strong> and click the <strong>API Roles</strong> tab.</p>
      </div>
    </Step>

    <Step title="Create the role">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Click <strong>+ New</strong>, enter a Display Name (e.g. `StackOne Integration`), then select the Jamf Pro privileges that StackOne should be allowed to use. Common privileges:</p>

        <ul>
          <li>Read Computers, Create Computers, Update Computers, Delete Computers</li>
          <li>Read Mobile Devices, Update Mobile Devices, Send Mobile Device Mobile Device Wipe Command</li>
          <li>Read Smart Computer Groups, Create Smart Computer Groups, Update Smart Computer Groups, Delete Smart Computer Groups</li>
          <li>Read Static Computer Groups, Create Static Computer Groups, Update Static Computer Groups, Delete Static Computer Groups</li>
          <li>Read Users, Create Users, Update Users, Delete Users</li>
          <li>Read Scripts, Create Scripts, Update Scripts, Delete Scripts</li>
          <li>Read Categories, Create Categories, Update Categories, Delete Categories</li>
          <li>Read Buildings, Create Buildings, Update Buildings, Delete Buildings</li>
          <li>Read Departments, Create Departments, Update Departments, Delete Departments</li>
          <li>Send Computer Remote Command, Send Mobile Device Remote Command</li>
          <li>Read Policies, Create Policies, Update Policies, Delete Policies</li>
          <li>Read macOS Configuration Profiles, Read Mobile Device Configuration Profiles</li>
        </ul>
      </div>
    </Step>

    <Step title="Save the role">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Click <strong>Save</strong>. The role is now available to be assigned to API Clients.</p>
      </div>
    </Step>
  </Steps>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Create an API Client</h2>

  <p>An API Client is the credential that StackOne will use to obtain access tokens.</p>

  <Steps>
    <Step title="Switch to API Clients tab">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>From <strong>Settings > System > API Roles and Clients</strong>, click the <strong>API Clients</strong> tab.</p>
      </div>
    </Step>

    <Step title="Create the client">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Click <strong>+ New</strong> and configure:</p>

        <ul>
          <li>Display Name: `StackOne` (or similar identifying name)</li>
          <li>API Roles: assign the role you created in the previous section</li>
          <li>Access Token Lifetime: number of seconds tokens should be valid for (default 1800 — 30 minutes — is recommended for security)</li>
          <li>Enabled: ON</li>
        </ul>
      </div>
    </Step>

    <Step title="Save and capture Client ID">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Click <strong>Save</strong>. The <strong>Client ID</strong> (a UUID) is shown — copy it.</p>
      </div>
    </Step>

    <Step title="Generate Client Secret">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Click <strong>Generate Client Secret</strong>. The secret is shown <strong>only once</strong> — copy it immediately and store it securely. If you lose it you must regenerate (and update StackOne).</p>
      </div>
    </Step>
  </Steps>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Enter credentials in StackOne</h2>

  <p>Provide the tenant URL, Client ID, and Client Secret to StackOne to complete the connection.</p>

  <Steps>
    <Step title="Enter the Jamf Pro URL">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>The full base URL of your Jamf Pro instance — e.g. `https://acme.jamfcloud.com` (Jamf Cloud) or `https://jamf.example.com:8443` (self-hosted). No trailing slash.</p>
      </div>
    </Step>

    <Step title="Enter the Client ID">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Paste the <strong>Client ID</strong> from your API Client.</p>
      </div>
    </Step>

    <Step title="Enter the Client Secret">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Paste the <strong>Client Secret</strong>.</p>
      </div>
    </Step>
  </Steps>
</section>

<div data-whitelabel-hide>
  <h2>Linking the Account from the Hub</h2>

  <Steps>
    <Step title="Navigate to the Hub">
      Use one of the three <a href="/guides/accounts-section#linking-accounts">Linking Account Methods</a> to access the Hub.
    </Step>

    <Step title="Fill out the fields">
      Fill out the following fields using details from your provider:

      <ul>
        <li><strong>Jamf Pro URL</strong></li>
        <li><strong>Client ID</strong></li>
        <li><strong>Client Secret</strong></li>
      </ul>
    </Step>

    <Step title="Connect">
      <ul>
        <li>Click <strong>Connect</strong></li>
        <li>If applicable, the provider will redirect you to a sign-in or authorization page. Complete the provider's authorization flow.</li>
        <li>Once authorization is successful, you will see a confirmation popup</li>
      </ul>
    </Step>
  </Steps>

  <p>If the account linking is successful, you will see the newly linked account in your <a href="/guides/accounts-section">Accounts</a> page.</p>
</div>
