All examples use production endpoints on id.oakwall.mom.
ResourceURL
Developer portalid.oakwall.mom/developer
OAuth basehttps://id.oakwall.mom
Example redirect URIhttps://myapp.example.com/auth/callback
1

Create an application

Open the Developer Portal and click New application.Set at least one redirect URI — the exact URL your app receives the code on:
https://myapp.example.com/auth/callback
Copy client_id and client_secret when shown. The secret is only displayed once.
2

Build the authorize URL

Send the user to the authorization endpoint with PKCE:
# 1. Generate code_verifier (43–128 chars, base64url)
# 2. code_challenge = BASE64URL(SHA256(code_verifier))

open "https://id.oakwall.mom/oauth/authorize\
?client_id=YOUR_CLIENT_ID\
&redirect_uri=https%3A%2F%2Fmyapp.example.com%2Fauth%2Fcallback\
&response_type=code\
&scope=openid+profile+email\
&state=RANDOM_STATE\
&code_challenge=CHALLENGE\
&code_challenge_method=S256"
Do not open a bare authorize URL without code_challenge. Always generate fresh state and PKCE values per login — never reuse sample links from the Developer Portal.
3

Exchange the code

After the user approves, your redirect URI receives ?code=...&state=....
curl -X POST 'https://id.oakwall.mom/oauth/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'code=AUTH_CODE_FROM_REDIRECT' \
  -d 'redirect_uri=https%3A%2F%2Fmyapp.example.com%2Fauth%2Fcallback' \
  -d 'client_id=YOUR_CLIENT_ID' \
  -d 'client_secret=YOUR_CLIENT_SECRET' \
  -d 'code_verifier=YOUR_CODE_VERIFIER'
4

Use the access token

curl 'https://id.oakwall.mom/oauth/userinfo' \
  -H 'Authorization: Bearer ACCESS_TOKEN'

Next steps

PKCE

Required for browser-based clients.

Token lifecycle

Refresh tokens, rotation, and revocation.