OAuth2 authorization

GET /oauth2/authorize

OAuth2 authorization endpoint for the Authorization Code Flow with PKCE.

Use this to:

  • Show login/register UI
  • Handle seamless sign-in
  • Redirect with authorization code

Flow:

  1. Client → /oauth/authorize (this endpoint)
  2. User logs in → redirect to redirect_uri with code
  3. Client → /oauth/token → access token

Tip: Use prompt=none + seamless sign-in for silent auth.
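
The three steps above, carried through end to end as an added example (not code from the page or the service it documents): the client generates a PKCE verifier/challenge pair, builds the /oauth2/authorize request, checks the state on the redirect back, and prepares the /oauth2/token body, and the last function shows the check the token endpoint must perform. The issuer, client_id and redirect_uri are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders for this example; not values from the page.
ISSUER = "https://auth.example.com"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, the RFC 7636 minimum
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def build_authorize_url(challenge: str, state: str, prompt: str = "") -> str:
    """Step 1: send the browser to GET /oauth2/authorize with the challenge, never the verifier."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    if prompt:
        params["prompt"] = prompt  # prompt=none for the silent sign-in the page's tip describes
    return ISSUER + "/oauth2/authorize?" + urlencode(params)

def parse_callback(url: str, expected_state: str) -> str:
    """Step 2: on the redirect back, reject a wrong state before trusting the code."""
    q = parse_qs(urlsplit(url).query)
    if q.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]

def build_token_request(code: str, verifier: str) -> dict:
    """Step 3: body for POST /oauth2/token (Option 1); the verifier is sent only here."""
    return {"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}

def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """The token endpoint's check: recompute S256 and compare in constant time."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, stored_challenge)
```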


Responses

  302 (text/plain): Redirect to client with `code` or error
  default (application/json): OAuth2Error
    Standard OAuth 2.0 / OpenID Connect error response. Used by: token endpoint, introspection, revocation, device authorization, etc.
    error (string, required): The error code as defined in RFC 6749 §5.2 and extensions.
    error_description (string): Human-readable text providing additional information.
    error_uri (string, uri): A URI identifying a human-readable web page with information about the error.
POST /oauth2/device_authorization

Request device and user codes for the device authorization flow (RFC 8628). The device displays the user_code and directs the user to verification_uri.
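
The device side of that flow, as an added example that is not code from the page or the service: after receiving the response above, the device polls POST /oauth2/token with the device_code, honouring the returned interval, backing off on slow_down, and stopping at expires_in. The polling error codes come from RFC 8628 §3.5 rather than from this page; the response, client_id, clock and token endpoint are constructed stand-ins so the loop runs offline.

```python
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Polling error codes from RFC 8628 §3.5 (from the RFC; the page does not list them).
PENDING, SLOW_DOWN = "authorization_pending", "slow_down"
EXPIRED, DENIED = "expired_token", "access_denied"
# Constructed device authorization response shaped like this endpoint's 200 schema.
DEVICE_AUTH = {"device_code": "dev-code-xyz", "user_code": "WDJB-MJHT",
               "verification_uri": "https://auth.example.com/device",
               "verification_uri_complete": "https://auth.example.com/device?user_code=WDJB-MJHT",
               "expires_in": 600, "interval": 5}

class FakeClock:
    """Offline stand-in for time.monotonic() and time.sleep() so the loop runs instantly."""
    def __init__(self):
        self.now = 0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def scripted_token_endpoint(script):
    """Fake POST /oauth2/token replaying (status, body) pairs, repeating the last one."""
    it = iter(script)
    return lambda body: next(it, script[-1])

def poll_for_token(device_auth, post_token, now, sleep):
    """Poll POST /oauth2/token (grant_type device_code, Option 5) until the user decides.
    post_token(body) -> (status, json), now() -> seconds and sleep(s) are injected."""
    interval = device_auth["interval"]
    deadline = now() + device_auth["expires_in"]    # the device_code dies after expires_in
    body = {"grant_type": DEVICE_GRANT, "device_code": device_auth["device_code"],
            "client_id": "example-client"}          # placeholder client_id
    while now() < deadline:
        status, resp = post_token(body)
        if status == 200:
            return {"outcome": "granted", "tokens": resp}
        err = resp.get("error")
        if err == SLOW_DOWN:
            interval += 5                            # RFC 8628 §3.5: back off by 5 seconds
        elif err in (EXPIRED, DENIED):
            return {"outcome": err, "tokens": None}  # user declined or the code expired
        elif err != PENDING:
            return {"outcome": "error:" + str(err), "tokens": None}
        sleep(interval)                              # never poll faster than `interval`
    return {"outcome": "timed_out", "tokens": None}
```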

Body (application/json)

  client_id (string): Unique identifier for a client application.
  client_secret (string)
  scope (string)
  audience (string)

Responses

  200 (application/json): Device authorization initiated successfully
    device_code (string, required)
    user_code (string, required)
    verification_uri (string, required)
    verification_uri_complete (string, required)
    expires_in (number, required)
    interval (number, required)
  default (application/json): OAuth2Error, as defined under Models.
POST /oauth2/introspect

Introspect an access token or refresh token.

Since refresh tokens are opaque, they can only be introspected with this endpoint.

This endpoint is primarily used for:

  • Building admin dashboards (“Active Sessions” page)
  • Implementing “Sign out everywhere” / per-device revocation
  • Auditing active tokens for compliance
  • Supporting legacy or gateway-based architectures

Ideally, resource servers should validate access tokens locally using the public JWKS endpoint (/.well-known/jwks.json) instead of this endpoint.

Clients with client_secret configured must provide client_secret. Client ID is optional when resolving by hostname.
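
For the gateway or legacy case where a resource server does rely on this endpoint, the decision it should make from the 200 response, as an added example (not code from the page or the service): `active` is tested first because an inactive result carries no other claims, and issuer, audience, expiry and scope are then checked against what the resource server expects. The responses are constructed to match the schema below and are not real output.

```python
import json
import time

# Constructed introspection responses shaped like this endpoint's 200 schema (not real output).
ACTIVE_RESPONSE = json.dumps({
    "active": True, "token_type": "Bearer", "client_id": "client-abc", "cid": "client-abc",
    "sub": "user-123", "iss": "https://auth.example.com", "app": "app-1",
    "aud": "https://api.example.com", "iat": 1700000000, "exp": 1700003600,
    "scope": "openid profile orders:read",
})
INACTIVE_RESPONSE = json.dumps({"active": False})

def authorize_from_introspection(body: str, expected_iss: str, expected_aud: str,
                                 required_scopes: set, now: int = None) -> tuple:
    """Decide whether a resource server should accept a token from its introspection result.
    Returns (allowed, reason). `active` is checked first: an inactive result carries no
    other claims, so nothing below may be read until that is settled."""
    now = int(time.time()) if now is None else now
    data = json.loads(body)
    if data.get("active") is not True:
        return False, "inactive"            # revoked, expired or unknown token
    if data.get("iss") != expected_iss:
        return False, "wrong issuer"
    aud = data.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"   # a token minted for another API is not ours
    if not isinstance(data.get("exp"), int) or now >= data["exp"]:
        return False, "expired"             # re-check exp: defence against skew and stale answers
    missing = required_scopes - set(data.get("scope", "").split())
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, "ok"
```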


Body (application/json)

  token (string, required)
  token_type_hint
  client_id (string): Unique identifier for a client application.
  client_secret (string)

Responses

  200 (application/json): Token introspection response. One of:
    Option 1 (object)
      active (required)
    Option 2 (object)
      active (required)
      token_type (required)
      client_id (string, required): Unique identifier for a client application.
      sub (string, required), one of:
        Option 1 (string): Unique identifier for a user.
        Option 2 (string): Unique identifier for a client application.
      iss (string, required)
      app (string, required): Unique identifier for an application.
      acc (string): Unique identifier for an account.
      uid (string): Unique identifier for a user.
      cid (string, required): Unique identifier for a client application.
      aud (string, required)
      iat (number, required)
      exp (number, required)
      scope (string, required)
      role (string)
      kid (string)
      jti (string)
      act (object)
  default (application/problem+json): ProblemDetails, HTTP Error
    type (string, uri, required)
    title (string, required)
    status (integer, required)
    detail (string)
    instance (string, uri)
    code (string)
POST /oauth2/revoke

Revoke an OAuth2 token (RFC 7009). Use in logout flows to invalidate tokens. Refresh tokens are revoked immediately; access tokens (JWTs) cannot be server-side invalidated but are acknowledged. Per RFC 7009, always returns 200 OK.

Body (application/json)

  token (string, required)
  token_type_hint
  client_id (string): Unique identifier for a client application.
  client_secret (string)

Responses

  200 (application/json, object): Token revoked successfully
  default (application/json): OAuth2Error, as defined under Models.
POST /oauth2/token

POST endpoint to get an access token.

Supports multiple OAuth2 types:

  Grant Type                                          Use Case
  authorization_code                                  Authorization code flow (PKCE). Most secure and common.
  client_credentials                                  Machine-to-machine auth using shared secret / API key. No user. Meant for IoT, sensors, CI/CD or infrastructure.
  urn:ietf:params:oauth:grant-type:device_code        Device Code Exchange. Device presents a code, user enters code in browser or phone.
  urn:ietf:params:oauth:grant-type:jwt-bearer         JWT Exchange. Public/private asymmetric shared secrets.
  urn:ietf:params:oauth:grant-type:saml2-bearer       SAML2. Common for Enterprise SSO.
  urn:ietf:params:oauth:grant-type:token-exchange     Use current access_token to get more specific token to access resources of a particular membership or different audience.
  refresh_token                                       Refresh an access token, same as /oauth/refresh
  password                                            Legacy username/password (disabled by default)

Security:

  • Public clients → client_secret optional
  • Confidential clients → client_secret required
  • client_id is optional when resolving by hostname

See: RFC 6749


Body (application/json)

  body (object), one of:

  Option 1 (object): authorization_code grant
    grant_type (required)
    code (string, required)
    client_id (string): Unique identifier for a client application.
    client_secret (string)
    redirect_uri (string, required)
    code_verifier (string)
  Option 2 (object): refresh_token grant
    grant_type (required)
    refresh_token (string, required)
    client_id (string): Unique identifier for a client application.
    client_secret (string)
  Option 3 (object): password grant
    grant_type (required)
    username (string, required)
    password (string, required)
    client_id (string): Unique identifier for a client application.
    client_secret (string)
    scope (string): A space-separated list of scopes. An empty string means no scopes.
    audience (string): The intended audience.
  Option 4 (object): client_credentials grant
    grant_type (required)
    client_id (string): Unique identifier for a client application.
    client_secret (string, required)
    scope (string): A space-separated list of scopes. An empty string means no scopes.
    audience (string): The intended audience.
  Option 5 (object): device_code grant
    grant_type (required)
    device_code (string, required)
    client_id (string): Unique identifier for a client application.
    client_secret (string)
    scope (string): A space-separated list of scopes. An empty string means no scopes.
    audience (string): The intended audience.
  Option 6 (object): assertion grant (jwt-bearer / saml2-bearer)
    grant_type (required)
    assertion (string, required)
    client_id (string): Unique identifier for a client application.
    client_secret (string)
    scope (string): A space-separated list of scopes. An empty string means no scopes.
    audience (string): The intended audience.
  Option 7 (object): assertion grant (jwt-bearer / saml2-bearer)
    grant_type (required)
    assertion (string, required)
    client_id (string): Unique identifier for a client application.
    client_secret (string)
    scope (string): A space-separated list of scopes. An empty string means no scopes.
    audience (string): The intended audience.
  Option 8 (object): token-exchange grant
    grant_type (required)
    client_id (string): Unique identifier for a client application.
    client_secret (string)
    subject_token (string, required): A JWT containing sub, iss, aud claims. In most cases, pass in the same access token as in the Authorization header. It will be validated and exchanged for a different token based on the requested audience, scope, and resource.
    subject_token_type (required): The type of the subject token.
    requested_token_type: The type of token being requested.
    audience (string): The intended audience.
    scope (string): A space-separated list of scopes. An empty string means no scopes.
    resource (string, uri): The resource for which the token is being requested.
    actor_token (string): Used in situations where you want a backend service to combine its token with a user's token to access a resource. It guarantees that both the actor and subject have been authorized to access the resource.
    actor_token_type: The type of the actor token.

Responses

  200 (application/json): SessionTokens, Successful token response
    The set of tokens issued to a client upon successful authentication or token refresh
    access_token (AccessToken, required): A short-lived JWT access token signed by the authentication service
    refresh_token (RefreshToken, required): An opaque long-lived refresh token used to obtain new access tokens. Can be revoked.
    token_type (TokenType, required): Description of how the access token should be used
  default (application/json): OAuth2Error, as defined under Models.
GET /oauth2/userinfo

Returns claims about the authenticated user.

This is a standard OpenID Connect UserInfo endpoint (RFC 7662) that allows clients to retrieve user information after authentication using a valid access token.

The claims returned depend on the scopes granted in the access token:

  • openid: Required for OIDC, returns sub
  • profile: Returns name, given_name, family_name, picture, locale, zoneinfo, updated_at
  • email: Returns email, email_verified


Responses

  200 (application/json): User information response.
    sub (string, required), one of:
      Option 1 (string): Unique identifier for a user.
      Option 2 (string): Unique identifier for a client application.
    name (string)
    given_name (string)
    family_name (string)
    preferred_username (string)
    picture (string)
    locale (string)
    zoneinfo (string)
    updated_at (number)
    email (string)
    email_verified (boolean)
    app (string): Unique identifier for an application.
    acc (string): Unique identifier for an account.
  401: Invalid or expired access token.
  default (application/json): OAuth2Error, as defined under Models.

Models

AccessToken
  string. A short-lived JWT access token signed by the authentication service

OAuth2Error
  error (string, required): The error code as defined in RFC 6749 §5.2 and extensions.
  error_description (string): Human-readable text providing additional information.
  error_uri (string, uri): A URI identifying a human-readable web page with information about the error.

ProblemDetails
  type (string, uri, required)
  title (string, required)
  status (integer, required)
  detail (string)
  instance (string, uri)
  code (string)

RefreshToken
  string. An opaque long-lived refresh token used to obtain new access tokens. Can be revoked.

SessionTokens
  access_token (AccessToken, required): A short-lived JWT access token signed by the authentication service
  refresh_token (RefreshToken, required): An opaque long-lived refresh token used to obtain new access tokens. Can be revoked.
  token_type (TokenType, required): Description of how the access token should be used

TimestampInSeconds
  integer. A Unix timestamp in seconds since the epoch

TokenType
  Description of how the access token should be used