All endpoint URLs are relative to the issuer. Fetch the live list from discovery:
GET /.well-known/openid-configuration

Endpoint summary

Endpoint | Method | Auth | Purpose
--- | --- | --- | ---
/.well-known/openid-configuration | GET | None | OIDC discovery metadata
/oauth/authorize | GET | User session | Start login + consent, redirect with code
/oauth/token | POST | Client credentials | Exchange code or refresh token for tokens
/oauth/userinfo | GET | Bearer access token | Fetch user profile claims
/oauth/revoke | POST | Client credentials | Revoke access or refresh token
/oauth/jwks | GET | None | JSON Web Key Set (currently empty; ID tokens use HS256)

Discovery

GET /.well-known/openid-configuration
Returns the issuer, endpoint URLs, supported scopes, response types, and PKCE code challenge methods. Before trusting the endpoint URLs, check that the issuer field equals the issuer URL you configured. Cache this document and refresh it when an integration starts failing after a deploy.

Authorization

GET /oauth/authorize
Redirects the user to sign in and consent. On success, redirects to redirect_uri with query parameters:
?code=AUTH_CODE&state=YOUR_STATE
Parameter | Required | Description
--- | --- | ---
client_id | Yes | Application client ID
redirect_uri | Yes | Must match a registered URI exactly
response_type | Yes | Must be code
scope | Yes | Space-separated scopes, e.g. openid profile email
state | Recommended | CSRF protection: generate a fresh unguessable value per request, keep it in the user's session, and reject the callback if it does not match
code_challenge | Yes* | PKCE challenge: base64url (no padding) of the SHA-256 digest of the code_verifier
code_challenge_method | Yes* | Must be S256
* Required for all browser-based clients.
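The authorize step above, as an added example in Python (not code from the original page). It generates the PKCE verifier and S256 challenge, builds the /oauth/authorize URL with a fresh state, and checks the redirect back to redirect_uri. The issuer URL, client ID and redirect URI are assumed placeholders; the page only gives paths relative to the issuer.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed issuer; the page only gives paths relative to the issuer.
ISSUER = "https://issuer.example"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def code_challenge_for(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str,
                        scope: str = "openid profile email"):
    """Return the /oauth/authorize URL plus the values to keep in the user's session."""
    verifier = new_code_verifier()
    state = b64url(secrets.token_bytes(24))
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    url = f"{ISSUER}/oauth/authorize?{urlencode(params)}"
    # Keep state and verifier server-side, bound to this browser session; the
    # verifier is sent only in the back-channel request to /oauth/token later.
    return url, {"state": state, "code_verifier": verifier}


def parse_callback(callback_url: str, session: dict) -> str:
    """Check the redirect back from /oauth/authorize and return the code.

    Raises ValueError when the state is missing, replayed, or does not match
    the value stored in the session, or when no code is present.
    """
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    expected = session.pop("state", None)  # single use: a replayed callback finds nothing
    if expected is None or received is None or not secrets.compare_digest(received, expected):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    url, session = build_authorize_url("app123", "https://app.example/cb")
    print(url)
    # Constructed callback, as the issuer would redirect on success.
    callback = f"https://app.example/cb?code=AUTH_CODE&state={session['state']}"
    print("code:", parse_callback(callback, session))
```

The state is popped from the session on first use, so a second callback with the same state fails even if the value matches; the code_verifier stays in the session until the token request consumes it.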

Token

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

Authorization code grant

Parameter | Required | Description
--- | --- | ---
grant_type | Yes | authorization_code
code | Yes | Code from authorize redirect
redirect_uri | Yes | Same URI used in authorize step
client_id | Yes | Via body or Basic auth
client_secret | Yes | Via body or Basic auth
code_verifier | Yes | Original PKCE verifier
Response:
{
  "access_token": "eyJ…",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rt_…",
  "id_token": "eyJ…",
  "scope": "openid profile email"
}

Refresh token grant

Parameter | Required | Description
--- | --- | ---
grant_type | Yes | refresh_token
refresh_token | Yes | Current refresh token
client_id | Yes | Via body or Basic auth
client_secret | Yes | Via body or Basic auth
Each successful refresh returns a new refresh token and retires the one you sent. Persist the new value as soon as the response is parsed, before making any further request.
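Both grants against /oauth/token, as an added Python example (not the page's or the provider's own code). It builds the form-encoded POST with HTTP Basic client authentication, stores the returned tokens, and applies the rotation rule by overwriting the refresh token on every successful response. The issuer URL and the FakeTokenEndpoint transport are assumptions made so the flow runs offline; swap in http_send for a live issuer.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed issuer; the page only gives paths relative to the issuer.
TOKEN_URL = "https://issuer.example/oauth/token"
REFRESH_SKEW = 60  # refresh this many seconds before expires_in runs out


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication, the 'Basic auth' option in the tables."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(form: dict, client_id: str, client_secret: str) -> Request:
    """Form-encoded POST to /oauth/token with the client credentials in the header."""
    return Request(
        TOKEN_URL,
        data=urlencode(form).encode("ascii"),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
    )


def http_send(req: Request) -> dict:
    """Default transport: send the request and parse the JSON body."""
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class FakeTokenEndpoint:
    """Constructed stand-in for /oauth/token: records requests, replays canned responses."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.requests = []

    def __call__(self, req: Request) -> dict:
        self.requests.append(req)
        return self.responses.pop(0)


class TokenClient:
    """Holds one user's tokens and applies refresh-token rotation."""

    def __init__(self, client_id: str, client_secret: str, transport=http_send):
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport  # injectable so the flow can be exercised offline
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _post(self, form: dict) -> dict:
        body = self.transport(build_token_request(form, self.client_id, self.client_secret))
        self.access_token = body["access_token"]
        self.expires_at = time.time() + float(body.get("expires_in", 0))
        # Rotation: the refresh token we just sent is retired, so overwrite it with
        # the new one as soon as the response is parsed, before any other request.
        if "refresh_token" in body:
            self.refresh_token = body["refresh_token"]
        return body

    def exchange_code(self, code: str, redirect_uri: str, code_verifier: str) -> dict:
        return self._post({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,  # must equal the one sent to /oauth/authorize
            "code_verifier": code_verifier,
        })

    def refresh(self) -> dict:
        if not self.refresh_token:
            raise RuntimeError("no refresh token; run the authorization code grant first")
        return self._post({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def get_access_token(self) -> str:
        """Return a usable access token, refreshing when it is about to expire."""
        if self.access_token is None or self.expires_at - time.time() < REFRESH_SKEW:
            self.refresh()
        return self.access_token
```

Callers should go through get_access_token rather than reading access_token directly, so a token close to expiry is refreshed before it is sent to /oauth/userinfo.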

Userinfo

GET /oauth/userinfo
Authorization: Bearer ACCESS_TOKEN
Returns claims based on granted scopes:
{
  "sub": "user-uuid",
  "name": "Jane Doe",
  "picture": "https://…",
  "email": "jane@example.com",
  "email_verified": true
}

Revoke

POST /oauth/revoke
Content-Type: application/x-www-form-urlencoded
Parameter | Required | Description
--- | --- | ---
token | Yes | Access or refresh token to revoke
client_id | Yes | Via body or Basic auth
client_secret | Yes | Via body or Basic auth
Returns 200 even if the token is unknown (RFC 7009).

JWKS

GET /oauth/jwks
Returns { "keys": [] }. ID tokens are currently signed with HS256 using the server secret, so there is no public key to publish and nothing in JWKS to verify against. Validate iss, aud, and exp in your backend instead of fetching JWKS for now. If your backend also checks the signature, pin the expected algorithm to HS256 and reject any token whose header names another alg (including none); never ship the secret to a browser or mobile client.
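The backend-side validation described above, as an added Python example (not code from the page or the provider). It assumes the backend holds the HS256 key the page calls the server secret; the secret, issuer and claims below are constructed test values. The verifier pins the algorithm before touching the signature, then checks iss, aud (string or list) and exp with a small leeway. sign_hs256 is included only to mint tokens for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; used here only to produce input for the verifier."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    now: Optional[float] = None, leeway: int = 60) -> dict:
    """Return the claims of an HS256 ID token after checking signature, iss, aud and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        given_sig = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("unreadable header or signature") from exc
    # Pin the algorithm. The token's own header must not decide how it is verified:
    # 'none' and every non-HS256 value are rejected before any signature work.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("unreadable payload") from exc
    if claims.get("iss") != issuer:
        raise InvalidToken("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise InvalidToken("aud does not include this client")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidToken("exp missing or token expired")
    return claims


if __name__ == "__main__":
    SECRET = b"constructed-server-secret"  # placeholder, not a real key
    tok = sign_hs256({"iss": "https://issuer.example", "aud": "app123",
                      "sub": "user-uuid", "exp": int(time.time()) + 300}, SECRET)
    print(verify_id_token(tok, SECRET, "https://issuer.example", "app123"))
```

The order of checks matters: alg is pinned first, the HMAC is compared in constant time second, and only then are claims read, so a forged payload never influences which key or algorithm is used.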

OpenAPI spec

Machine-readable schemas for every endpoint.

Token lifecycle

Expiry, rotation, and revocation details.