docs / concepts / oauth-endpoints
OAuth 2.0 endpoints
Standard flows your apps already speak.
Standard flows: authorization_code with PKCE, refresh tokens, introspection, and revocation. Access tokens are short-lived JWTs signed with rotatable keys and verified by relying parties through published JWKS.
| Endpoint | Purpose |
|---|---|
GET /connect | Authorization page — wallet challenge and consent happen here. |
POST /api/oauth/token | Code + PKCE exchange, refresh-token grants. |
POST /api/oauth/introspect | Token introspection (RFC 7662) for resource servers. |
POST /api/oauth/revoke | Token revocation (RFC 7009). |
/.well-known/ouropass/jwks.json | Public signing keys — verify JWTs anywhere, offline. |
Found an issue in these docs? Edit this page on GitHub ↗