# OakID

> OpenID Connect provider for OakWall — OAuth 2.0 authorization code flow, PKCE (S256), refresh token rotation, and API reference.

OakID is a hosted identity service. All endpoints are on id.oakwall.mom. Self-hosting and local deployment are not available.

Production issuer: https://id.oakwall.mom
OIDC discovery: https://id.oakwall.mom/.well-known/openid-configuration
Developer portal: https://id.oakwall.mom/developer
Documentation: https://docs.oakwall.mom
llms.txt: https://docs.oakwall.mom/llms.txt
OpenAPI: https://docs.oakwall.mom/api-reference/openapi.yaml

## Get started

- [OakID overview](https://docs.oakwall.mom/index): What OakID provides, production URLs, discovery document, supported flows.
- [Quickstart](https://docs.oakwall.mom/quickstart): Register an OAuth app and complete the first authorization code exchange.

## Integration guides

- [Developer Portal](https://docs.oakwall.mom/guides/developer-portal): Create OAuth apps, redirect URIs, client credentials, scope management.
- [Authorization code flow](https://docs.oakwall.mom/guides/authorization-code): OAuth 2.0 authorization code grant — authorize and token request parameters.
- [PKCE](https://docs.oakwall.mom/guides/pkce): Proof Key for Code Exchange (S256) — required for browser-based clients.
- [Scopes & claims](https://docs.oakwall.mom/guides/scopes): openid, profile, email scopes and userinfo claims.
- [Token lifecycle](https://docs.oakwall.mom/guides/token-lifecycle): Access tokens, refresh token rotation, ID token validation, revocation.
- [Sign in with OakID (Panel)](https://docs.oakwall.mom/guides/sign-in-with-oakid): How OakWall Panel login works via OakID.

## Reference

- [Endpoints](https://docs.oakwall.mom/guides/endpoints): Complete reference for discovery, authorize, token, userinfo, revoke, jwks.
- [Errors & troubleshooting](https://docs.oakwall.mom/guides/errors): invalid_grant, PKCE failures, invalid OAuth state, refresh token rejection.
## API

- [OpenAPI spec](https://docs.oakwall.mom/api-reference/openapi.yaml): Machine-readable OAuth API — authorize, token, userinfo, revoke, discovery.

## Key facts for LLM agents

- OakID is hosted only — no self-host, no local instance.
- Only response_type=code is supported (no implicit flow).
- Browser clients MUST use PKCE with code_challenge_method=S256.
- Authorization codes are single-use and expire within minutes.
- Refresh tokens rotate on every use — persist the new refresh_token immediately.
- Client credentials: client_id (oak_…) + client_secret sent via body or HTTP Basic auth on /oauth/token.
- Default scopes: openid profile email
- Panel OAuth callback: https://panel.oakwall.mom/login/oauth/callback
- Do NOT open sample authorize URLs from the Developer Portal in a browser — always generate fresh state and PKCE per login.
- ID tokens are HS256 JWTs — validate iss, aud, exp; or use /oauth/userinfo instead.
- Support: https://discord.gg/oakwall
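
The "fresh state and PKCE per login" rule above, sketched for a server-side client. This is an added example, not code from OakID or its documentation. The function names, the `oak_example` client_id, the redirect URI and the `AUTHORIZE_PATH_FROM_DISCOVERY` placeholder are assumptions; read the real authorize URL from the `authorization_endpoint` field of the discovery document.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def s256(code_verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_login(authorize_endpoint: str, client_id: str, redirect_uri: str,
              scope: str = "openid profile email") -> dict:
    """Build one login attempt: fresh state, fresh verifier, authorize URL."""
    state = secrets.token_urlsafe(32)          # CSRF binding, never reused
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 range
    query = urlencode({
        "response_type": "code",               # the only supported response type
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256(code_verifier),
        "code_challenge_method": "S256",
    })
    # Keep state and code_verifier in the server-side session; only the URL leaves.
    return {"state": state, "code_verifier": code_verifier,
            "url": f"{authorize_endpoint}?{query}"}

def check_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the returned state matches."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("invalid OAuth state")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

if __name__ == "__main__":
    # Constructed values: placeholder endpoint path, client_id and redirect URI.
    login = new_login("https://id.oakwall.mom/AUTHORIZE_PATH_FROM_DISCOVERY",
                      "oak_example", "https://app.example/callback")
    print(login["url"])
```

Send the stored `code_verifier` with the code to /oauth/token, then discard both it and the state so neither is reused for a second login.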