
API Reference

Complete reference documentation for all OAuth42 REST APIs and WebSocket events. Build secure authentication and user management features with our comprehensive API.

Getting Started

Base URL

https://auth.oauth42.com

All API requests should be made to this base URL. In development, use your local instance URL.

Authentication

Management API endpoints (the /api/... routes listed below) require authentication with an access token, sent in the Authorization header of every request:

Authorization: Bearer <access_token>

API Endpoints

Authentication & Authorization

OAuth 2.0 and OpenID Connect endpoints for user authentication and authorization

GET /oauth/authorize - Start OAuth 2.0 authorization flow
POST /oauth/token - Exchange authorization code for tokens
POST /oauth/revoke - Revoke access or refresh tokens
POST /oauth/introspect - Validate and inspect tokens
GET /oauth/userinfo - Get authenticated user information

Discovery & Metadata

OpenID Connect discovery endpoints for dynamic configuration

GET /.well-known/openid-configuration - OpenID Connect discovery document
GET /.well-known/jwks.json - JSON Web Key Set for token validation

User Management

Endpoints for managing user accounts, profiles, and sessions

GET /api/users - List users in your organization
POST /api/users - Create a new user account
GET /api/users/:id - Get user details
PATCH /api/users/:id - Update user information
DELETE /api/users/:id - Delete user account
GET /api/users/:id/sessions - List active user sessions

Multi-Factor Authentication

Manage TOTP-based two-factor authentication for users

POST /api/mfa/setup - Initialize TOTP setup for user
POST /api/mfa/verify - Verify and enable TOTP
POST /api/mfa/disable - Disable MFA for user
GET /api/mfa/backup-codes - Generate backup codes

OAuth Clients

Manage OAuth 2.0 client applications and their configurations

GET /api/clients - List OAuth clients
POST /api/clients - Create new OAuth client
GET /api/clients/:id - Get client details
PATCH /api/clients/:id - Update client configuration
DELETE /api/clients/:id - Delete OAuth client
POST /api/clients/:id/secret - Rotate client secret

Real-Time Events

WebSocket connection for real-time authentication and session events

WS /ws - WebSocket connection endpoint

Response Format

All API responses use JSON format with consistent structure. Successful responses include the requested data, while errors follow a standard error format.

Success Response

{
  "data": {
    "id": "user_123",
    "email": "[email protected]",
    "name": "John Doe"
  }
}

Error Response

{
  "error": "invalid_request",
  "error_description": "Missing required parameter",
  "status": 400
}

HTTP Status Codes

200 OK - Request succeeded
201 Created - Resource created successfully
400 Bad Request - Invalid request parameters
401 Unauthorized - Missing or invalid authentication
403 Forbidden - Insufficient permissions
404 Not Found - Resource does not exist
429 Too Many Requests - Rate limit exceeded
500 Internal Server Error - Server error occurred

Rate Limiting

API requests are rate limited to ensure fair usage and system stability. Rate limits are applied per API key and IP address.

Rate Limit Headers

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1609459200

Default Limits: 100 requests per minute for authenticated requests, 20 requests per minute for unauthenticated requests.
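An added example (not OAuth42's SDK) of a request helper that honours these headers: on a 429 it waits until X-RateLimit-Reset (or a Retry-After header, if one is present) before retrying, caps the wait, and gives up after a bounded number of attempts. The transport is injected so the example runs offline; header names are read case-insensitively as lower-case keys, which is how Node's fetch and http clients expose them.

```javascript
// Added example, not OAuth42's own code. Backoff driven by the rate-limit headers.
// Assumes `headers` is a plain object with lower-case keys and `transport` is an
// async function (request) => { status, headers, body }, e.g. a fetch wrapper.

// How long to wait before the next attempt, in milliseconds.
function retryDelayMs(headers, nowMs) {
  const get = (name) => headers[name.toLowerCase()];
  const retryAfter = get('retry-after');
  if (retryAfter !== undefined) {
    const secs = Number(retryAfter);                  // delta-seconds form
    if (Number.isFinite(secs)) return Math.max(0, secs * 1000);
    const at = Date.parse(retryAfter);                // HTTP-date form
    if (!Number.isNaN(at)) return Math.max(0, at - nowMs);
  }
  const reset = Number(get('x-ratelimit-reset'));     // unix seconds, per the headers above
  if (Number.isFinite(reset) && reset > 0) return Math.max(0, reset * 1000 - nowMs);
  return 1000;                                        // no hint: short default pause
}

const MAX_WAIT_MS = 30_000;

// Send the request, retrying only on 429 and never more than maxAttempts times.
// `now` and `sleep` are injectable so the behaviour can be tested without waiting.
async function requestWithBackoff(transport, request, {
  maxAttempts = 4,
  now = Date.now,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
} = {}) {
  for (let attempt = 1; ; attempt++) {
    const res = await transport(request);
    if (res.status !== 429 || attempt >= maxAttempts) return res;
    // Cap the wait so a Reset far in the future cannot park the caller indefinitely.
    const wait = Math.min(retryDelayMs(res.headers, now()), MAX_WAIT_MS);
    await sleep(wait);
  }
}
```

Only 429 is retried here: a 401 or 403 will not fix itself by waiting, and retrying a 500 on a state-changing call such as POST /api/users risks creating the resource twice.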

Official SDKs

We provide official SDKs that handle API authentication, error handling, and best practices for you.