Token handling
The Token handling endpoints implement the core OAuth 2.0 and OpenID Connect protocol flows,
comprising the Authorization endpoint and the Token endpoint.
The Authorization endpoint (RFC 6749,
OIDC Core 1.0) is the entry point for
browser-based flows. It validates the client's request, authenticates the resource owner if
required, and redirects the user-agent back to the client's registered redirect_uri with an
authorization code (Authorization Code flow), tokens in the fragment (Implicit and Hybrid flows),
or an error response. Note that the OAuth 2.0 Security BCP (RFC 9700) advises against the Implicit
flow; new clients should use the Authorization Code flow with PKCE (RFC 7636), which is supported.
Pushed Authorization Requests (RFC 9126) let a client push its authorization request parameters
directly to the authorization server over the back-channel and then reference them from the
front-channel request by request_uri, so the parameters never pass through the user-agent.
The Token endpoint exchanges authorization codes, refresh tokens, or client credentials for access
tokens, and optionally ID tokens in OpenID Connect deployments. Supported grant types are
Authorization Code, Refresh Token, Client Credentials, and JWT Bearer Token Grant
(RFC 7523). Confidential clients must authenticate to the Token endpoint. An authorization code is
single-use and is bound to the client that requested it, to the redirect_uri of the authorization
request and, when PKCE is used, to the code_verifier; a mismatch on any of these is rejected with
invalid_grant.
The concrete URLs of these endpoints are deployment-specific and are published in the
authorization server's discovery document (RFC 8414, OpenID Connect Discovery 1.0) under
authorization_endpoint and token_endpoint.
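The following is an added example, not code from this product or its documentation. It runs the Authorization Code flow with PKCE (S256) end to end against a small in-memory mock of the two endpoints described above, so that the checks on both sides are visible: the Authorization endpoint refuses to redirect to an unregistered redirect_uri and stores the code_challenge with the issued code; the Token endpoint authenticates the client, verifies the code_verifier against the stored challenge, checks the redirect_uri, and marks the code used so that a replay fails with invalid_grant. The client checks state on the redirect as its CSRF defence. The endpoint URLs, client_id, client_secret and redirect_uri are constructed values; client authentication by client_secret in the form body is the mock's choice and not a statement about which methods a real deployment accepts. PAR and the other grant types are not modelled.

```python
"""Authorization Code + PKCE (S256) exchange against a mock authorization server.
Added example with constructed values; not the product's own code."""
import base64
import hashlib
import secrets
import urllib.parse

# Constructed deployment values; real ones come from the discovery document.
AUTH_ENDPOINT = "https://as.example/authorize"
TOKEN_ENDPOINT = "https://as.example/token"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-secret"
REDIRECT_URI = "https://app.example/cb"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce():
    """Return (code_verifier, code_challenge). 32 random bytes -> 43 chars, the RFC 7636 minimum."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def _query(url: str) -> dict:
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


class MockAuthServer:
    """In-memory stand-in for the Authorization and Token endpoints (constructed for the example)."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": {REDIRECT_URI}}}
        self.codes = {}  # code -> binding of client_id, redirect_uri, code_challenge, used flag

    def authorize(self, url: str) -> str:
        """GET authorization_endpoint: returns the redirect URL carrying a code or an error."""
        q = _query(url)
        client = self.clients.get(q.get("client_id"))
        # Exact match against the registered URI; an unknown URI gets no redirect at all.
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri; not redirecting")
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256" \
                or not q.get("code_challenge"):
            err = {"error": "invalid_request", "state": q.get("state", "")}
            return q["redirect_uri"] + "?" + urllib.parse.urlencode(err)
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "code_challenge": q["code_challenge"], "used": False}
        return q["redirect_uri"] + "?" + urllib.parse.urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form: dict) -> dict:
        """POST token_endpoint for grant_type=authorization_code with client_secret in the body."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(form.get("client_secret", ""), client["secret"]):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.codes.get(form.get("code"))
        # Code must exist, be unused, and be bound to this client and this redirect_uri.
        if rec is None or rec["used"] or rec["client_id"] != form["client_id"] \
                or rec["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, rec["code_challenge"]):
            return {"error": "invalid_grant"}
        rec["used"] = True  # single-use: a replayed code is rejected above
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 600}


def run_flow(server: MockAuthServer, tamper_verifier: bool = False):
    """Client side of the flow. Returns (token response, token request form) so a replay can be tried."""
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    auth_url = AUTH_ENDPOINT + "?" + urllib.parse.urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256"})
    params = _query(server.authorize(auth_url))
    if params.get("state") != state:  # response not bound to this session: possible CSRF
        raise ValueError("state mismatch")
    if "error" in params:
        return params, None
    if tamper_verifier:
        verifier = make_pkce()[0]  # simulate a stolen code presented without the real verifier
    form = {"grant_type": "authorization_code", "code": params["code"], "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "code_verifier": verifier}
    return server.token(form), form


if __name__ == "__main__":
    srv = MockAuthServer()
    resp, form = run_flow(srv)
    print(resp)               # access_token issued
    print(srv.token(form))    # replay of the same code -> invalid_grant
```

The verifier is checked with a constant-time comparison and the redirect_uri comparison is an exact string match; both are easy to get wrong in hand-rolled servers and worth confirming against a real deployment with a deliberately wrong code_verifier and a redirect_uri that differs only by a trailing path segment.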
📄️ Initiate an authorization request
Initiates the authorization flow by redirecting the resource owner's user-agent through
📄️ Submit an authorization request
Alternative to the GET form that accepts authorization request parameters as a
📄️ Issue an OAuth 2.0 access token
Exchanges an authorization code, refresh token, or client credentials for an access token