docs / concepts / oauth-endpoints

OAuth 2.0 endpoints

Standard flows your apps already speak.

Standard flows: authorization_code with PKCE, refresh tokens, introspection, and revocation. Access tokens are short-lived JWTs signed with rotatable keys and verified by relying parties through published JWKS.

EndpointPurpose
GET /connectAuthorization page — wallet challenge and consent happen here.
POST /api/oauth/tokenCode + PKCE exchange, refresh-token grants.
POST /api/oauth/introspectToken introspection (RFC 7662) for resource servers.
POST /api/oauth/revokeToken revocation (RFC 7009).
/.well-known/ouropass/jwks.jsonPublic signing keys — verify JWTs anywhere, offline.
Found an issue in these docs? Edit this page on GitHub ↗