
# OAuth 2.0 / OpenID Connect

Authcore is compliant with the [OAuth 2.0](http://oauth.net/documentation) and [OpenID Connect](http://openid.net/) standards. OAuth 2.0 provides API access control via scoped access tokens; OpenID Connect adds user authentication and single sign-on (SSO) functionality on top of it.

## Endpoints

## Authorization

<mark style="color:green;">`POST`</mark> `https://auth.acme.com/oauth/authorize`

This is the starting point for browser-based OpenID Connect flows such as the implicit and authorization code flows. The request authenticates the user and returns tokens and/or an authorization grant to the client application as part of the callback response, according to the requested `response_type`.

#### Query Parameters

| Name                    | Type   | Description                                                                                                                                                               |
| ----------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| state                   | string | A value to be returned in the token. The client application can use it to remember the state of its interaction with the end user at the time of the authentication call. |
| scope                   | string | Currently empty.                                                                                                                                                          |
| response\_type          | string | Any combination of `code`, `token`, and `id_token`.                                                                                                                       |
| redirect\_uri           | string | Callback location where the authorization code or tokens should be sent. It must match the preset value in client application configuration.                              |
| code\_challenge\_method | string | Method used to derive the code challenge for PKCE. Valid value: S256                                                                                                      |
| code\_challenge         | string | A challenge for PKCE. The challenge is verified in the access token request.                                                                                              |
| client\_id              | string | The ID in client application configuration.                                                                                                                               |


## Token

<mark style="color:green;">`POST`</mark> `https://auth.acme.com/oauth/token`

This endpoint returns access tokens, ID tokens, and refresh tokens, depending on the request parameters. For password, client credentials, and refresh token flows, calling `/token` is the only step of the flow. For the authorization code flow, calling `/token` is the second step of the flow.

#### Request Body

| Name           | Type   | Description                                                                                                                                                       |
| -------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| code           | string | Required if grant\_type is authorization\_code. The value is what was returned from the authorization endpoint.                                                   |
| code\_verifier | string | Required if grant\_type is authorization\_code and code\_challenge was specified in the original authorization request. This value is the code verifier for PKCE. |
| grant\_type    | string | One of `authorization_code` or `refresh_token`.                                                                                                                   |
| redirect\_uri  | string | Required if grant\_type is authorization\_code. Specifies the callback location where the authorization was sent.                                                 |
| refresh\_token | string | Required if grant\_type is refresh\_token.                                                                                                                        |

{% tabs %}
{% tab title="200 " %}

```json
{
    "access_token": "access_token",
    "token_type": "token_type",
    "expires_in": 987654321,
    "scope": "",
    "refresh_token": "",
    "id_token": "id_token"
}
```

{% endtab %}
{% endtabs %}

## OpenID Connect Discovery

<mark style="color:blue;">`GET`</mark> `https://auth.acme.com/.well-known/openid-configuration`

Returns OpenID Connect metadata about your authorization server.

{% tabs %}
{% tab title="200 " %}

```json
{
  "issuer": "https://auth.acme.com",
  "authorization_endpoint": "https://auth.acme.com/oauth/authorize",
  "token_endpoint": "https://auth.acme.com/oauth/token",
  "jwks_uri": "https://auth.acme.com/.well-known/jwks.json",
  "response_types_supported": [
    "code",
    "code id_token",
    "id_token",
    "token id_token"
  ]
}
```

{% endtab %}
{% endtabs %}
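The Authorization, Token and discovery sections above describe the pieces of one client-side procedure. The following is an added example, not Authcore's own code or SDK: a Python walk through the authorization code flow with PKCE. It first checks that the discovery document really belongs to the configured issuer (every endpoint must be an https URL on the issuer's host, which defends against a metadata document that points the client at someone else's token endpoint), derives the `S256` code challenge as defined in RFC 7636, builds the authorize request from the query parameters listed above, binds the callback to the session through `state`, and assembles the `/token` body with exactly the fields the request table lists. The `DISCOVERY` dictionary, the `my-app` client and `https://app.example/cb` redirect values, and the `server_checks_pkce` helper (what the token endpoint does with `code_verifier`) are constructed for illustration; client authentication at the token endpoint is not shown because the table above does not list it.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://auth.acme.com"  # the issuer shown in the discovery response above

# Constructed discovery document with the same shape as the sample response above.
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": f"{ISSUER}/oauth/authorize",
    "token_endpoint": f"{ISSUER}/oauth/token",
    "jwks_uri": f"{ISSUER}/.well-known/jwks.json",
}


def check_discovery(doc, expected_issuer):
    """Mix-up defence: the issuer must be the configured one, and every endpoint
    must be an https URL on that issuer's host, wherever the document says to go."""
    if doc.get("issuer") != expected_issuer:
        return False
    host = urlparse(expected_issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        u = urlparse(doc.get(key, ""))
        if u.scheme != "https" or u.netloc != host:
            return False
    return True


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """32 random bytes give a 43-character verifier, the RFC 7636 minimum length."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(doc, client_id, redirect_uri, state, code_challenge, response_type="code"):
    """Authorize request built from the query parameters documented above."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{doc['authorization_endpoint']}?{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """Bind the callback to the session: a code with the wrong state is dropped (CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: not the authorization this session started")
    if "code" not in qs:
        raise ValueError(qs.get("error", ["no code in callback"])[0])
    return qs["code"][0]


def build_token_request(code, code_verifier, redirect_uri):
    """Body for POST /oauth/token, the second step of the authorization code flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
    }


def server_checks_pkce(stored_challenge, method, code_verifier):
    """Server side (assumed, for illustration): recompute the challenge and compare."""
    if method != "S256":
        return False
    return hmac.compare_digest(pkce_challenge(code_verifier), stored_challenge)
```

The verifier is kept in the client's session and never leaves it until the `/token` call, so an intercepted authorization code cannot be redeemed without it; the `state` comparison and the discovery check are the two other places where a client silently accepts attacker-controlled input if they are skipped.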

## JSON Web Key Set

<mark style="color:blue;">`GET`</mark> `https://auth.acme.com/.well-known/jwks.json`

Returns a JSON Web Key Set (JWKS) that contains the public keys that can be used to verify the signatures of tokens that you receive from your authorization server.

{% tabs %}
{% tab title="200 " %}

```json
{
  "keys": [
    {
      "use": "sig",
      "kty": "EC",
      "kid": "hN351AH04N2BBba3N6PgNcVloRohu6KkDRDMcvr5k28",
      "crv": "P-256",
      "alg": "ES256",
      "x": "KY6MShC7UrSkekyczKKvZQXuxFKDRd0DEgV6r9XeDAY",
      "y": "aGDz074Md6DQU2rRSY0jif6kawW6r22Q4jzi6Se75Wk"
    }
  ]
}
```

{% endtab %}
{% endtabs %}
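Added example, not part of the Authcore documentation or its SDKs: verifying an ES256-signed token against a JWKS shaped like the response above, in plain Python with no third-party packages. It pins the algorithm to ES256 (so a header carrying `alg: none` or an HMAC algorithm is refused rather than trusted), selects the key by `kid`, checks that the published point is actually on P-256 before using it, verifies the ECDSA signature over the JWS signing input, and only then checks `iss`, `aud` and `exp`. The key pair, `kid` and claims are constructed for the test and are not the key shown above; the ECDSA arithmetic is written out so the block runs offline, whereas a production client would use a maintained JOSE library for the same checks.

```python
import base64
import hashlib
import json

# NIST P-256 (secp256r1) domain parameters; ES256 is ECDSA on this curve with SHA-256.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):  # affine point addition on P-256; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add; fine for public values, not constant-time
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def select_key(jwks, header):  # resolve the key named by kid, pinning alg, kty, crv and use
    if header.get("alg") != "ES256":
        raise ValueError("only ES256 is accepted; 'none' and HMAC algorithms are refused")
    for jwk in jwks["keys"]:
        if jwk.get("kid") != header.get("kid"):
            continue
        params = (jwk.get("kty"), jwk.get("crv"), jwk.get("use", "sig"), jwk.get("alg", "ES256"))
        if params != ("EC", "P-256", "sig", "ES256"):
            raise ValueError("key is not an ES256 signing key")
        x = int.from_bytes(b64url_decode(jwk["x"]), "big")
        y = int.from_bytes(b64url_decode(jwk["y"]), "big")
        if (y * y - (x * x * x + A * x + B)) % P:
            raise ValueError("public point is not on P-256")
        return x, y
    raise KeyError("no key with that kid")

def verify_jwt(token, jwks, issuer, audience, now):
    """Signature first, then iss/aud/exp; any failure yields False rather than an exception."""
    try:
        h, p, sig = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        q = select_key(jwks, header)
        raw = b64url_decode(sig)
        if len(raw) != 64:  # JWS ES256 signature is r || s, 32 bytes each (RFC 7518)
            return False
        r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
        if not (0 < r < N and 0 < s < N):
            return False
        z = int.from_bytes(hashlib.sha256(f"{h}.{p}".encode()).digest(), "big")
        w = pow(s, -1, N)
        pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))
        if pt is None or pt[0] % N != r:
            return False
    except (ValueError, KeyError):
        return False
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return claims.get("iss") == issuer and audience in aud and claims.get("exp", 0) > now

# Test-only material so the block runs offline: a constructed key pair, not Authcore's.
TEST_PRIVATE_KEY = 0x1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90A

def jwk_from_private(d, kid):
    x, y = _mul(d, G)
    return {"use": "sig", "kty": "EC", "kid": kid, "crv": "P-256", "alg": "ES256",
            "x": b64url(x.to_bytes(32, "big")), "y": b64url(y.to_bytes(32, "big"))}

def mint_test_token(claims, d=TEST_PRIVATE_KEY, kid="example-kid-1"):
    """Sign a test token; k is hash-derived (not RFC 6979). Never issue real tokens this way."""
    h = b64url(json.dumps({"alg": "ES256", "kid": kid}, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    z = int.from_bytes(hashlib.sha256(f"{h}.{p}".encode()).digest(), "big")
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + z.to_bytes(32, "big")).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return f"{h}.{p}.{b64url(r.to_bytes(32, 'big') + s.to_bytes(32, 'big'))}"

TEST_JWKS = {"keys": [jwk_from_private(TEST_PRIVATE_KEY, "example-kid-1")]}
```

The order of the checks is deliberate: the header's `alg` is never used to choose the algorithm, the key is chosen by `kid` only from keys that are ES256 signing keys, and claims are evaluated only after the signature holds. A cached copy of the JWKS should be refreshed when a token names a `kid` that is not present, which is how key rotation surfaces to a relying party.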

