White-Label Integration
Hide BlueNexus branding so your users see your brand throughout the authentication and connection management experience.
Overview
With the WHITELABEL_CUSTOMER client role, you get:
- Custom branding on the OAuth consent screen (your logo, colors, description)
- White-label frontend for connection management — users manage their service connections under your brand
- Full API access — including
agents-allscope (create/manage agents), whichTHIRD_PARTYdoesn't get - Domain restriction — lock your auth client to specific domains
White-label access is by invitation only. To request access, contact the BlueNexus team. Once approved, you can configure your white-label branding and settings in the Developer section of the BlueNexus application.
Setup
Step 1: Request White-Label Access
Contact BlueNexus to request white-label access for your account. The team will review your use case and enable the WHITELABEL_CUSTOMER role.
Step 2: Configure Branding
Once approved, configure your branding in the Developer section of the BlueNexus application:
| Field | Description | Constraints |
|---|---|---|
| Logo | Your logo displayed on consent screens | Max 2MB, PNG/JPG/SVG |
| Description | Shown on consent screen | Max 500 characters |
| Brand Color | Hex color for UI accents | e.g., #4F46E5 |
| Domains | Allowed domains for this client | Required for white-label |
You can also configure branding via the API:
curl -X PUT https://api.bluenexus.ai/api/v1/auth-clients/YOUR_CLIENT_ID \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"branding": {
"logo": "data:image/png;base64,YOUR_LOGO_BASE64",
"description": "Your App — AI-powered productivity",
"brandColor": "#4F46E5"
}
}'
Step 3: Implement the OAuth Flow
The OAuth flow is identical to standard OAuth — same PKCE flow, same endpoints. The difference is what the user sees:
- Consent screen shows your branding instead of BlueNexus branding
- Connection management UI is served by the white-label frontend under your domain context
- Users don't see "BlueNexus" anywhere in the flow
Step 4: Manage Connections
Your users manage their service connections through the white-label connection management interface. You can also manage connections programmatically:
# List user's connections
curl https://api.bluenexus.ai/api/v1/connections \
-H "Authorization: Bearer USER_ACCESS_TOKEN"
# Initiate a new service connection
curl -X POST https://api.bluenexus.ai/api/v1/connections/initiate \
-H "Authorization: Bearer USER_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"providerId": "google",
"redirectUrl": "https://yourapp.com/connections/callback"
}'
White-Label vs THIRD_PARTY
| Capability | THIRD_PARTY | WHITELABEL_CUSTOMER |
|---|---|---|
| MCP access | Yes | Yes |
| LLM API | Yes | Yes |
| Use agents (chat) | Yes | Yes |
| Create/manage agents | No | Yes |
| Custom branding | No | Yes |
| Domain restriction | No | Yes |
| White-label frontend | No | Yes |
Key Differences
Scopes
White-label clients have access to agents-all (create, update, delete agents), while THIRD_PARTY clients are limited to agents-use (chat with existing agents only).
User Experience
- THIRD_PARTY: Users see "BlueNexus" branding on consent screens and connection management
- WHITELABEL_CUSTOMER: Users see your branding. The BlueNexus name doesn't appear
Registration
White-label clients must be registered manually (dashboard or API). They cannot be created through Dynamic Client Registration — DCR always assigns THIRD_PARTY.
Next Steps
- OAuth for Your App — The OAuth flow (same for both roles)
- Scopes & Permissions — Complete scope/role matrix
- Multi-Tenant Setup — Recipe for multi-tenant white-label apps