Authentication API
Complete reference for OAuth 2.0 and OpenID Connect authentication endpoints.
Base URL
https://auth.oauth42.com
All authentication endpoints are prefixed with this base URL. Ensure all requests use HTTPS.
Authorization Endpoint
/oauth/authorize
Initiates the OAuth 2.0 authorization code flow. Redirects the user to the login page, then back to your application with an authorization code.
Query Parameters
client_id (required): Your application's client ID from the OAuth42 dashboard.
redirect_uri (required): URL where the user will be redirected after authorization. Must exactly match a redirect URI registered for the client.
response_type (required): Must be code for the authorization code flow.
scope (optional): Space-separated list of scopes. Example: openid profile email
state (recommended): Random, unguessable string used to prevent CSRF attacks. Returned unchanged in the callback; your application must verify it matches the value it sent.
code_challenge (required): PKCE code challenge: the Base64-URL encoded (unpadded) SHA-256 hash of the code verifier.
code_challenge_method (required): Must be S256 (SHA-256 hashing).
nonce (optional): Random string included in the ID token to prevent replay attacks (OpenID Connect).
Example Request
GET /oauth/authorize?
client_id=your_client_id&
redirect_uri=https://yourapp.com/callback&
response_type=code&
scope=openid+profile+email&
state=random_state_string&
code_challenge=CODE_CHALLENGE&
code_challenge_method=S256&
nonce=random_nonce_string

Success Response
User is redirected to redirect_uri with authorization code:
HTTP/1.1 302 Found
Location: https://yourapp.com/callback?
code=AUTHORIZATION_CODE&
state=random_state_string

Error Response
HTTP/1.1 302 Found
Location: https://yourapp.com/callback?
error=invalid_request&
error_description=Missing+required+parameter&
state=random_state_string

Token Endpoint
/oauth/token
Exchanges an authorization code for tokens, refreshes an access token, or issues a token under the client credentials grant.
Authorization Code Grant
Exchange authorization code for tokens:
Request Body (application/x-www-form-urlencoded)
grant_type=authorization_code&
code=AUTHORIZATION_CODE&
redirect_uri=https://yourapp.com/callback&
client_id=your_client_id&
client_secret=your_client_secret&
code_verifier=CODE_VERIFIER

Success Response (200 OK)
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "refresh_token_string",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"scope": "openid profile email"
}

Refresh Token Grant
Obtain new access token using refresh token:
Request Body
grant_type=refresh_token&
refresh_token=REFRESH_TOKEN&
client_id=your_client_id&
client_secret=your_client_secret

Success Response (200 OK)
{
"access_token": "new_access_token",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "new_refresh_token",
"scope": "openid profile email"
}

Client Credentials Grant
Machine-to-machine authentication (no user context):
Request Body
grant_type=client_credentials&
client_id=your_client_id&
client_secret=your_client_secret&
scope=api:read+api:write

Success Response (200 OK)
{
"access_token": "client_access_token",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "api:read api:write"
}

Revoke Token
/oauth/revoke
Revoke an access token or refresh token, invalidating it immediately.
Request Body
token=TOKEN_TO_REVOKE&
token_type_hint=access_token&
client_id=your_client_id&
client_secret=your_client_secret

token_type_hint can be:
access_token: Revoke an access token.
refresh_token: Revoke a refresh token (also revokes all associated access tokens).
Success Response (200 OK)
{
"success": true,
"message": "Token revoked successfully"
}

Token Introspection
/oauth/introspect
Validate an access token and retrieve its metadata.
Request Body
token=ACCESS_TOKEN&
client_id=your_client_id&
client_secret=your_client_secret

Success Response (200 OK)
{
"active": true,
"scope": "openid profile email",
"client_id": "your_client_id",
"username": "user@example.com",
"token_type": "Bearer",
"exp": 1735689600,
"iat": 1735686000,
"sub": "user_12345",
"aud": "your_client_id"
}

Inactive Token Response
{
"active": false
}

UserInfo Endpoint
/oauth/userinfo
Get user information claims using an access token (OpenID Connect).
Request Headers
Authorization: Bearer ACCESS_TOKEN

Success Response (200 OK)
{
"sub": "user_12345",
"name": "John Doe",
"given_name": "John",
"family_name": "Doe",
"email": "user@example.com",
"email_verified": true,
"picture": "https://example.com/avatar.jpg",
"updated_at": 1735686000
}

Claims returned depend on the scopes requested during authorization.
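The checks a resource server should run on the introspection and userinfo responses shown above, as an added example that is not part of the original reference (the sample responses are constructed to match the page's examples; the client id "your_client_id" and the required-scope set are assumptions):

```python
import time
from typing import Optional


def introspection_error(resp: dict, client_id: str, required_scopes: set,
                        now: Optional[int] = None) -> Optional[str]:
    """Check an /oauth/introspect response before trusting the token.

    Returns None when the token may be used, otherwise a reason string.
    "active" alone is not enough: expiry and audience are checked too, so an
    expired token, or one issued to a different client, is rejected.
    """
    now = int(time.time()) if now is None else now
    if resp.get("active") is not True:
        return "token is not active"            # covers {"active": false}
    exp = resp.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return "token has expired or carries no exp"
    if resp.get("iat", 0) > now:
        return "token issued in the future"
    aud = resp.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # aud may be a list
    if client_id not in auds:
        return "token audience does not include this client"
    granted = set(resp.get("scope", "").split())     # space-separated
    missing = sorted(required_scopes - granted)
    if missing:
        return "missing scopes: " + " ".join(missing)
    return None


def userinfo_matches(userinfo: dict, introspection: dict) -> bool:
    """The 'sub' from /oauth/userinfo must equal the token's subject; a
    mismatch means the claims describe a different user than the token."""
    return bool(userinfo.get("sub")) and userinfo["sub"] == introspection.get("sub")


# Constructed samples with the same shape as the page's example responses.
SAMPLE_INTROSPECTION = {
    "active": True, "scope": "openid profile email", "client_id": "your_client_id",
    "token_type": "Bearer", "exp": 1735689600, "iat": 1735686000,
    "sub": "user_12345", "aud": "your_client_id",
}
SAMPLE_USERINFO = {"sub": "user_12345", "name": "John Doe", "email_verified": True}
```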
Logout
/oauth/logout
End the user's session and revoke all associated tokens.
Request Body
{
"access_token": "ACCESS_TOKEN",
"refresh_token": "REFRESH_TOKEN"
}

Success Response (200 OK)
{
"success": true,
"message": "Logged out successfully"
}

MFA Challenge
/oauth/authorize/mfa
Complete the MFA challenge when multi-factor authentication is required.
Request Body
{
"mfa_token": "TEMPORARY_MFA_TOKEN",
"code": "123456"
}

Or use a backup code:
{
"mfa_token": "TEMPORARY_MFA_TOKEN",
"backup_code": "1234-5678"
}

Success Response
Redirects to redirect_uri with authorization code:
HTTP/1.1 302 Found
Location: https://yourapp.com/callback?
code=AUTHORIZATION_CODE&
state=random_state_string

Error Codes
invalid_request: The request is missing a required parameter or has invalid parameter values.
invalid_client: Client authentication failed (invalid client_id or client_secret).
invalid_grant: The authorization code or refresh token is invalid, expired, or revoked.
unauthorized_client: The client is not authorized to use this grant type.
unsupported_grant_type: The grant type is not supported by the authorization server.
invalid_scope: The requested scope is invalid, unknown, or malformed.
access_denied: The user or authorization server denied the request.
mfa_required: Multi-factor authentication is required. Use the provided mfa_token to complete the challenge at /oauth/authorize/mfa.
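The client side of the authorization code flow with PKCE described on this page, as an added example that is not part of the original reference: deriving the S256 code_challenge, building the /oauth/authorize request, checking state on the callback (success or error form), and assembling the /oauth/token body. The Base URL is the page's; client ids, secrets and redirect URIs are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://auth.oauth42.com"  # Base URL given on this page


def b64url(raw: bytes) -> str:
    """Base64-URL encode without '=' padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-char high-entropy verifier; stays client-side until token exchange."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge_method=S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(client_id, redirect_uri, scope, state, nonce, code_verifier):
    """Assemble the /oauth/authorize request with the page's query parameters."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": scope, "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256", "nonce": nonce,
    }
    return f"{BASE_URL}/oauth/authorize?{urlencode(params)}"  # spaces become '+'


def parse_callback(location: str, expected_state: str) -> str:
    """Handle the redirect to redirect_uri; return the authorization code.
    state is compared first: a callback whose state does not match the one
    stored for this login is rejected (CSRF). error callbacks raise."""
    q = parse_qs(urlparse(location).query)
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def token_request_body(code, redirect_uri, client_id, client_secret, code_verifier):
    """Body for POST /oauth/token (application/x-www-form-urlencoded)."""
    return urlencode({
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": client_id, "client_secret": client_secret,
        "code_verifier": code_verifier,
    })
```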