Endpoint summary
| Endpoint | Method | Auth | Purpose |
|---|---|---|---|
| /.well-known/openid-configuration | GET | None | OIDC discovery metadata |
| /oauth/authorize | GET | User session | Start login + consent, redirect with code |
| /oauth/token | POST | Client credentials | Exchange code or refresh token for tokens |
| /oauth/userinfo | GET | Bearer access token | Fetch user profile claims |
| /oauth/revoke | POST | Client credentials | Revoke access or refresh token |
| /oauth/jwks | GET | None | JSON Web Key Set (empty — ID tokens use HS256) |
Discovery
Authorization
redirect_uri with query parameters:
| Parameter | Required | Description |
|---|---|---|
| client_id | Yes | Application client ID |
| redirect_uri | Yes | Must match a registered URI exactly (no wildcard or prefix matching) |
| response_type | Yes | Must be code |
| scope | Yes | Space-separated scopes, e.g. openid profile email |
| state | Recommended | CSRF protection — generate an unguessable value per login and validate it on callback |
| code_challenge | Yes* | PKCE challenge: base64url (no padding) of the SHA-256 of the verifier (RFC 7636) |
| code_challenge_method | Yes* | Must be S256 |
Token
Authorization code grant
| Parameter | Required | Description |
|---|---|---|
| grant_type | Yes | authorization_code |
| code | Yes | Code from authorize redirect |
| redirect_uri | Yes | Same URI used in authorize step |
| client_id | Yes | Via body or Basic auth |
| client_secret | Yes | Via body or Basic auth |
| code_verifier | Yes | Original PKCE verifier |
Refresh token grant
| Parameter | Required | Description |
|---|---|---|
| grant_type | Yes | refresh_token |
| refresh_token | Yes | Current refresh token |
| client_id | Yes | Via body or Basic auth |
| client_secret | Yes | Via body or Basic auth |
Userinfo
Revoke
| Parameter | Required | Description |
|---|---|---|
| token | Yes | Access or refresh token to revoke |
| client_id | Yes | Via body or Basic auth |
| client_secret | Yes | Via body or Basic auth |
Returns 200 even if the token is unknown or already revoked (RFC 7009), so a 200 does not tell you whether the token was valid; it only tells you it is no longer usable.
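The full client-side exchange described by the authorize, token and revoke sections above, as an added example (not the provider's SDK or any code from this page): PKCE verifier and S256 challenge, the authorize URL, a callback parser that refuses a mismatched state, and the form-encoded bodies plus Basic auth header for the authorization-code, refresh-token and revoke requests. ISSUER, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders, and the requests are built but not sent, so it runs offline.

```python
"""Client helpers for the /oauth/authorize -> /oauth/token -> /oauth/revoke exchange.

Added example, not the provider's own code. ISSUER, CLIENT_ID, CLIENT_SECRET and
REDIRECT_URI are placeholders. Requests are returned as (url, headers, body) so the
module runs offline; send them with any HTTP client (token and revoke are POST,
application/x-www-form-urlencoded).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://auth.example.com"                # placeholder
CLIENT_ID = "my-app"                               # placeholder
CLIENT_SECRET = "s3cr3t"                           # placeholder
REDIRECT_URI = "https://app.example.com/callback"  # placeholder; must be registered exactly


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """32 random bytes -> 43 URL-safe chars, inside RFC 7636's 43..128 length window."""
    return secrets.token_urlsafe(32)


def pkce_challenge(verifier: str) -> str:
    """code_challenge for method S256: base64url(SHA-256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, verifier: str, scope: str = "openid profile email") -> str:
    """GET /oauth/authorize with every parameter from the authorization table."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/oauth/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect back to REDIRECT_URI.

    The state check is the CSRF protection: a code arriving with a state we did
    not issue for this session is rejected before it ever reaches /oauth/token.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or cross-session mix-up")
    return qs["code"][0]


def basic_auth_header() -> dict:
    """Client credentials via HTTP Basic, so they never appear in the form body."""
    cred = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode("ascii")
    return {"Authorization": f"Basic {cred}",
            "Content-Type": "application/x-www-form-urlencoded"}


def code_grant_request(code: str, verifier: str) -> tuple:
    """POST /oauth/token, grant_type=authorization_code, with the original verifier."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    return f"{ISSUER}/oauth/token", basic_auth_header(), urlencode(body)


def refresh_grant_request(refresh_token: str) -> tuple:
    """POST /oauth/token, grant_type=refresh_token."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return f"{ISSUER}/oauth/token", basic_auth_header(), urlencode(body)


def revoke_request(token: str) -> tuple:
    """POST /oauth/revoke; the server answers 200 whether or not it knew the token."""
    return f"{ISSUER}/oauth/revoke", basic_auth_header(), urlencode({"token": token})


if __name__ == "__main__":
    state, verifier = secrets.token_urlsafe(16), new_verifier()
    print(build_authorize_url(state, verifier))
    # Constructed callback standing in for the browser redirect:
    code = parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state)
    print(code_grant_request(code, verifier))
```

Keep `state` and `verifier` in server-side session storage keyed to the browser session, not in a cookie the page can read; the verifier must never be sent to the authorize endpoint, only its S256 challenge.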
JWKS
Returns { "keys": [] }. ID tokens are signed with HS256 using the server secret rather than an asymmetric key, so there is no public key to publish here. Validate iss, aud, and exp in your backend instead of fetching JWKS for now. Two caveats: checking those claims does not replace signature verification, and only a party holding the server secret can verify an HS256 signature, so a backend without that secret should accept an ID token only because it received it directly from /oauth/token over TLS, never from a browser or a third party. A backend that does hold the secret must pin HS256 when verifying and reject any other alg in the token header (including none) rather than trusting the header to choose the algorithm.
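The backend-side validation the JWKS note asks for, as an added example (not the provider's code): a standard-library HS256 verifier that pins the algorithm before looking at the signature, checks the HMAC in constant time, and then validates iss, aud and exp. It assumes the backend holds the same secret the server signs with; SERVER_SECRET, ISSUER and CLIENT_ID are constructed placeholders, and mint_id_token exists only to build sample tokens (including deliberately forged alg=none ones) so the checks can be exercised offline.

```python
"""Verify an HS256 ID token in the backend: pinned alg, HMAC check, then iss/aud/exp.

Added example, not the provider's code. SERVER_SECRET, ISSUER and CLIENT_ID are
constructed placeholders. mint_id_token is here only to produce sample tokens for
testing; it mimics the server's HS256 signing and can also emit an unsigned
alg=none token so the rejection path can be demonstrated.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://auth.example.com"          # placeholder; must equal the iss claim
CLIENT_ID = "my-app"                         # placeholder; must appear in aud
SERVER_SECRET = b"constructed-test-secret"   # placeholder; the real server secret


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SERVER_SECRET, alg: str = "HS256") -> str:
    """Build a compact JWT the way an HS256 server would (or an attacker's alg=none forgery)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."          # unsigned: what a downgrade attack sends
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, now: float = None, secret: bytes = SERVER_SECRET) -> dict:
    """Return the claims if the token is genuine and current; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # 1. Pin the algorithm. The header is attacker-controlled until the signature is
    #    checked, so never let it pick the verifier (alg=none, or RS256 with the
    #    public key treated as an HMAC secret).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Recompute the HMAC over header.payload and compare in constant time.
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    # 3. Only now parse and trust the claims.
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError(f"wrong issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or exp missing")
    return claims


if __name__ == "__main__":
    sample = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
              "iat": int(time.time()), "exp": int(time.time()) + 300}
    print(validate_id_token(mint_id_token(sample)))
```

Keep the order: algorithm pin, signature, then claims. Parsing claims before the signature check gives an attacker a JSON parser to aim at with unauthenticated input; if you later move to RS256 and publish real JWKS, the pinned algorithm and the key lookup are the two lines that change.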
OpenAPI spec
Machine-readable schemas for every endpoint.
Token lifecycle
Expiry, rotation, and revocation details.