# Jamf - API Roles & Clients The **API Roles and Clients** functionality in Jamf Pro provides a dedicated interface for controlling access to the **Jamf Pro API** and the **Classic API**.\ You can create **custom privilege sets** as API roles and assign them as needed, ensuring that API clients have only the necessary capabilities for their tasks. Roles can be: * Shared between clients, or * Assigned more than one to a single client This allows you to manage and reuse privilege sets conveniently and with greater granularity. *** ### Creating an API Role To grant privileges to an API client in Jamf Pro, you must first create an **API role** that defines a privilege set.\ One or more of these roles can then be assigned to a client to grant their cumulative privileges. **Steps** 1. In **Jamf Pro**, click **Settings** in the sidebar. 2. In the **System** section, click **API Roles and Clients**. 3. Click the **API Roles** tab at the top of the pane. 4. Click **New**. 5. Enter a **display name** for the API role. 6. In the **Jamf Pro API role privileges** field, begin typing the name of a privilege you want to assign, and select it from the pop-up menu. * Continue adding privileges until you are finished.
7. Click **Save**. {% hint style="info" %} If you are using **Jamf Setup**, **Jamf Reset**, **Jamf Parent**, or **Jamf Teacher** in your environment, you may notice that API roles have already been created and are in use by these applications.\ These roles can be reused safely with other API clients that require similar privileges.\ However, Jamf does **not** recommend editing these roles, as it could interfere with the functionality of those apps. Jamf Pro also does not allow any API roles to be deleted while they are in use. {% endhint %} *** ### Creating an API Client You can create an **API client** in Jamf Pro to generate a **client secret**, which can then be used by the Jamf Pro API to generate **access tokens**. #### Requirements * At least one API role created in Jamf Pro. **Steps** 1. In **Jamf Pro**, click **Settings** in the sidebar. 2. In the **System** section, click **API Roles and Clients**. 3. Click the **API Clients** tab at the top of the pane. 4. Click **New**. 5. Enter a **display name** for the API client. 6. In the **API Roles** field, add the roles you want to assign to the client. * The client will have the cumulative privileges of all assigned roles. 7. Under **Access Token Lifetime**, enter the time (in seconds) that you want access tokens to remain valid. {% hint style="info" %} Changing the Access Token Lifetime later does not affect access tokens that have already been generated. Similarly, deleting or disabling a client does not disallow access for previously generated tokens that are still valid. However, any changes made to the API roles assigned to a client will affect all tokens immediately. {% endhint %} 8. Click **Save**. 9. Click **Edit**. 10. Click **Enable API Client** to allow the client to be used for generating a client secret. 11. Click **Save**. *** ### Generating a Client Secret After you have created an API client and assigned it one or more roles, you can generate a **client secret**, which can then be used to generate access tokens. #### Requirements * An API client created in Jamf Pro with at least one role assigned to it. **Steps** 1. In **Jamf Pro**, navigate to the API client you want to generate an access token from. 2. Click **Generate Client Secret**. A confirmation dialog appears. 3. Click **Create Secret**. A pop-up window appears with the client secret. {% hint style="info" %} The client secret will only be displayed once. Make sure to save it to a secure location before closing the dialog. {% endhint %}