---
title: "Setting up a Tenant IDP"
slug: "tenant-settings"
updated: 2026-05-20T12:29:26Z
published: 2026-05-20T12:29:26Z
---

# Tenant Settings

## About Tenant Settings

A Tenant represents a customer space. Within each Tenant, you can maintain one or more Environments, each representing a significant stage or aspect of your organization, for example, the different stages in your development cycle. Alternatively, you can use different Environments in any way that benefits your organization. Each Tenant is associated with an IDP (**ID**entity **P**rovider). The following options are offered on the Tenant Settings screen:

- [Tenant IDP Settings](/v1/docs/configuring-an-idp-for-the-tenant)
- [API Client Credentials](/v1/docs/tenant-settings#api-client-credentials)
- [Hybrid Agent Key Settings](/v1/docs/customer-hosted-settings-3)
- [Policy Authorization Agent](/docs/policy-authorization-agent-user) (PAA)
  - A Tenant Admin manages global PAA Groups available for use in all Environments within the Tenant, promoting consistency and simplifying the process of configuring and maintaining Policies across your organization. This global configuration allows Tenant Admins to manage numerous Environments without requiring individual modifications to each one.

***Note:** Global PAAs exclusively function with Environments that are set up to collaborate with Global PAAs.*

- [Policy Information Point](https://docs.plainid.io/docs/pips) (PIP)
  - Tenant Admins can control the global aspects of PAAs and PIP Settings, which allows for wider control over a number of Environments and lets them oversee PIP settings for PAAs within the framework of Global PAA Groups. Global PIP settings serve to centralize the integration of Data Sources and the retrieval of information and Attributes globally. This streamlines access to essential data while ensuring all policies draw from the same Data Sources.

*Note: Environments can employ either a Global PAA and PIP Settings or Environment-specific PAA and PIP Settings.*

##### To access the Tenant Settings screen:

- Click the Tenant settings icon on the left navigation bar ![Screenshot 2025-07-01 at 16.20.09.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/Screenshot%202025-07-01%20at%2016.20.09.png)
- The **Tenant IDP Settings** screen opens with the currently defined IDP source displayed.

When an External IDP is used, the screen also displays the IDP Application Settings (ClientID, Client Secret, Client Authentication), as well as IDP General Settings and Tenant Authorization Settings.

## API Client Credentials

API Client Credentials allow administrators to **create** and **manage** credentials at the Tenant and/or Environment Level. These credentials facilitate integration and automation for Management **APIs** without the need for traditional IDP accounts by leveraging a standard OAuth2 Flow. Key features include:

- **Secure interactions** and **operations** across your **Tenant**, **Environment**, and **Workspaces**.
- **Centralized control** over management activities and automation flows.
- **Enhanced overall security posture** of the Platform.

**To create API Client Credentials:**

1. Open the **Tenant or Environment Settings**.
   - Environment Settings can be found under the Environment drop-down in the side panel. If the side panel is collapsed, click the arrow icon next to the left side panel.
   - Tenant Settings can be found in the left side panel ![Screenshot 2025-07-01 at 16.20.09.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/Screenshot%202025-07-01%20at%2016.20.09.png)
2. From the **Tenant or Environment Settings** screen, click **API Client Credentials** to see a list of **Clients**.
3. Click **Create Client**. The Details side panel opens.
4. In the **Name** field, enter the API Client Name.
5. Add a **Description** for your API Client Credential (optional).
6. Set a **Token Duration**. The duration can range from 15 minutes to 24 hours (1440 minutes).
7. Select a **Permission Type** - either Viewer or Admin.
8. Click **Generate Client**. A **Client ID** and **Secret** are automatically assigned and can be copied as needed.
9. Click **Save**.

*Note: While the API Client ID and Permissions cannot be changed, you can regenerate the Secret.*

**To regenerate a Secret:**

1. Open the **Tenant or Environment Settings** screen and click **API Client Credentials**.
2. Select the **Client Credentials** you want to regenerate a secret for. The Details side panel opens.
3. Next to the **Secret** field, click **Regenerate**. You can now copy the new **Secret**.

Refer to the API Client Key documentation in the Developer Portal for more information and methods on how you can use your API Client Credentials.
