API Reference
Complete reference for all OAuth 2.0 endpoints.
Authorization Endpoint
GET /oauth/authorize
Starts the authorization code flow. The user authenticates and grants consent, then the browser is redirected to redirect_uri with the authorization code and the state value on the query string.
Query Parameters

| Parameter | Description |
|---|---|
| response_type | Required. Must be code. |
| client_id | Required. Your client ID. |
| redirect_uri | Optional. Callback URL. When supplied it must match a URI registered for the client; never a value taken from user input. |
| scope | Optional. Space-separated scopes. |
| state | Recommended. Opaque, unguessable value bound to the user's session and echoed back on the callback; compare it before using the returned code (CSRF protection). |
| code_challenge | Optional. PKCE challenge derived from the code_verifier that will be sent to the token endpoint. |
| code_challenge_method | Optional. S256 or plain. Use S256: plain sends the verifier itself as the challenge, so it only protects against an attacker who cannot observe the authorize request. |
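The client side of the parameters above, as an added example (not code from this reference or its provider): generate a PKCE verifier/challenge pair and a state value, park them in the user's session, build the authorize URL, and then validate the callback before the code is ever sent to the token endpoint. The host in AUTHORIZE_URL, the session dictionary and the helper names are assumptions for the illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed deployment value; substitute the real authorization server host.
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE and state values use here."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge for code_challenge_method=S256: BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """First value of each query parameter on a URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def start_login(session: dict, client_id: str, redirect_uri: str, scope: str) -> str:
    """Create the PKCE pair and state, store them in the user's session, and return
    the URL to redirect the browser to. 32 random bytes give a 43-character
    verifier, the RFC 7636 minimum length."""
    verifier = b64url(secrets.token_bytes(32))
    state = b64url(secrets.token_bytes(16))
    session["oauth"] = {"state": state, "code_verifier": verifier, "redirect_uri": redirect_uri}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back from /oauth/authorize and return the form body
    for POST /oauth/token. The pending session entry is consumed, so a callback
    cannot be replayed, and state is compared in constant time before anything
    else on the query string is trusted."""
    pending = session.pop("oauth", None)
    if pending is None:
        raise ValueError("no login in progress for this session")
    q = query_params(callback_url)
    state = q.get("state", "")
    if not secrets.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in q:
        # e.g. access_denied when the user refused consent
        raise PermissionError(q["error"])
    code = q.get("code", "")
    if not code:
        raise ValueError("callback carries neither code nor error")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],
        "code_verifier": pending["code_verifier"],
    }
```

The verifier never leaves the client until the token request, so an attacker who intercepts the callback has a code but cannot redeem it; the state check is done before the code or error is looked at, so a forged callback is rejected without side effects.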
Token Endpoint
POST /oauth/token
Exchange an authorization code, refresh token, or client credentials for tokens. Parameters are sent as an application/x-www-form-urlencoded POST body. Confidential clients authenticate with their client credentials on every call to this endpoint; a failed authentication returns invalid_client.
Authorization Code Grant

| Parameter | Description |
|---|---|
| grant_type | authorization_code |
| code | The authorization code returned on the callback. A code is single use. |
| redirect_uri | Must match the redirect_uri sent on the authorize request. |
| code_verifier | PKCE verifier, required if a code_challenge was sent on the authorize request. |

Refresh Token Grant

| Parameter | Description |
|---|---|
| grant_type | refresh_token |
| refresh_token | The refresh token issued with an earlier token response. |

Client Credentials Grant

| Parameter | Description |
|---|---|
| grant_type | client_credentials |
| scope | Optional. Requested scopes; an unknown scope returns invalid_scope. |
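The server side of the three grants, as an added example that is not the service's own implementation: it dispatches on grant_type, enforces single-use codes, binds each code to the client and redirect_uri it was issued for, verifies the PKCE code_verifier against the stored challenge, rotates refresh tokens, and returns failures in the shape given under Error Responses. The in-memory stores, the lifetimes CODE_TTL and ACCESS_TTL, and the assumption that client authentication has already established client_id are all illustration choices; unsupported_grant_type is the RFC 6749 error code for an unknown grant_type and is not in the Common Errors table.

```python
import base64
import hashlib
import re
import secrets
import time

# Assumed lifetimes and syntax; the reference does not specify them.
CODE_TTL = 600      # seconds an authorization code stays redeemable
ACCESS_TTL = 3600   # access token lifetime reported in expires_in
VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")  # RFC 7636 code_verifier syntax


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def error(code: str, description: str, status: int = 400):
    """Error body in the format shown under Error Responses."""
    return status, {"error": code, "error_description": description}


class TokenEndpoint:
    def __init__(self):
        self.codes = {}           # code -> record written when /oauth/authorize issued it
        self.refresh_tokens = {}  # refresh_token -> {"client_id", "scope"}

    def register_code(self, code, client_id, redirect_uri, scope,
                      code_challenge=None, method="plain", now=None):
        now = time.time() if now is None else now
        self.codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
            "code_challenge": code_challenge, "method": method,
            "expires_at": now + CODE_TTL,
        }

    def _issue(self, client_id, scope, with_refresh=True):
        body = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "scope": scope}
        if with_refresh:
            body["refresh_token"] = secrets.token_urlsafe(32)
            self.refresh_tokens[body["refresh_token"]] = {"client_id": client_id, "scope": scope}
        return 200, body

    def _pkce_ok(self, stored, verifier):
        if stored["code_challenge"] is None:
            return True  # the authorize request carried no code_challenge
        if not verifier or not VERIFIER_RE.match(verifier):
            return False
        derived = s256_challenge(verifier) if stored["method"] == "S256" else verifier
        return secrets.compare_digest(derived.encode(), stored["code_challenge"].encode())

    def handle(self, form: dict, client_id: str, now=None):
        """client_id is the identity established by client authentication;
        a failed authentication returns invalid_client before reaching here."""
        now = time.time() if now is None else now
        grant = form.get("grant_type")

        if grant == "authorization_code":
            code, redirect_uri = form.get("code"), form.get("redirect_uri")
            if not code or not redirect_uri:
                return error("invalid_request", "code and redirect_uri are required")
            stored = self.codes.pop(code, None)  # single use: consumed on the first attempt, good or bad
            if stored is None or stored["expires_at"] < now:
                return error("invalid_grant", "Invalid or expired authorization code")
            if stored["client_id"] != client_id or stored["redirect_uri"] != redirect_uri:
                return error("invalid_grant", "Code was not issued to this client and redirect_uri")
            if not self._pkce_ok(stored, form.get("code_verifier")):
                return error("invalid_grant", "PKCE verification failed")
            return self._issue(client_id, stored["scope"])

        if grant == "refresh_token":
            token = form.get("refresh_token")
            if not token:
                return error("invalid_request", "refresh_token is required")
            record = self.refresh_tokens.pop(token, None)  # rotation: the presented token dies here
            if record is None or record["client_id"] != client_id:
                # a token presented by the wrong client is treated as compromised and stays revoked
                return error("invalid_grant", "Invalid or expired refresh token")
            return self._issue(client_id, record["scope"])

        if grant == "client_credentials":
            # RFC 6749 4.4.3: no refresh token is issued for this grant. A real server also
            # checks the requested scope against the client's allowed scopes (invalid_scope).
            return self._issue(client_id, form.get("scope", ""), with_refresh=False)

        return error("unsupported_grant_type", "Unknown grant_type %r" % grant)
```

Popping the code before any check means a wrong code_verifier or redirect_uri burns the code rather than leaving it available for a second guess, and refresh-token rotation means a leaked refresh token is detectable the first time both holders try to use it.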
UserInfo Endpoint
GET /oauth/userinfo
Returns claims about the user the access token was issued for. The access token is sent as a Bearer credential in the Authorization header:
GET /oauth/userinfo
Authorization: Bearer <access_token>
Response
{
"sub": "user-id-123",
"email": "user@example.com",
"email_verified": true,
"name": "John Doe",
"given_name": "John",
"family_name": "Doe"
}
Revoke Endpoint
POST /oauth/revoke
Revoke an access or refresh token. Clients should call this on logout so that a token left in a browser or log cannot be reused for the rest of its lifetime.

| Parameter | Description |
|---|---|
| token | The token to revoke. |
| token_type_hint | Optional. access_token or refresh_token. Only a lookup hint; the token is revoked whichever type it turns out to be. |
Error Responses
All errors follow the OAuth 2.0 error response format:
{
"error": "invalid_request",
"error_description": "Description of what went wrong"
}
Common Errors

| Error | Meaning |
|---|---|
| invalid_request | Missing or invalid parameter |
| invalid_client | Invalid client credentials |
| invalid_grant | Invalid or expired code/token |
| invalid_scope | Invalid or unknown scope |
| access_denied | User denied consent |