AuthSafe

© 2026 AuthSafe. All rights reserved.

Authentication

Learn how AuthSafe implements OAuth 2.0 and OpenID Connect to provide secure, standards-compliant authentication for your applications.
  • OAuth 2.0
  • OpenID Connect
  • PKCE Required
  • JWT Tokens

What is Authentication?

Authentication is the process of verifying who a user is. AuthSafe handles authentication using industry-standard protocols to ensure your users can securely access your applications. When a user logs in through AuthSafe:
  1. They provide their credentials (email/password, social login, etc.)
  2. AuthSafe verifies their identity
  3. Your application receives proof of authentication
  4. The user gains access to protected resources

How AuthSafe Works

  • 1. User Initiates Login

    User clicks "Login" in your application. Your app redirects them to AuthSafe's authorization endpoint with your client ID and requested scopes.

  • 2. User Authenticates

    AuthSafe presents a login page where users enter credentials. We support password-based auth, social logins, and enterprise SSO.

  • 3. Authorization Code Issued

    After successful authentication, AuthSafe redirects back to your app with a secure authorization code. This code is short-lived and single-use.

  • 4. Tokens Exchanged

    Your backend exchanges the authorization code for access tokens and ID tokens. These tokens prove the user's identity and permissions.


OAuth 2.0 & OpenID Connect

AuthSafe implements both OAuth 2.0 (for authorization) and OpenID Connect (for authentication).

OAuth 2.0

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user resources without exposing credentials. Key Benefits:
  • Delegated access without sharing passwords
  • Fine-grained permissions through scopes
  • Secure token-based authentication
  • Industry-standard protocol

OpenID Connect (OIDC)

OpenID Connect is an identity layer built on top of OAuth 2.0. It adds user authentication and profile information. What OIDC Adds:
  • User identity verification (ID tokens)
  • Standardized user profile information
  • Session management
  • Discovery and dynamic client registration

Why Both?

OAuth 2.0 handles authorization (what you can access), while OpenID Connect handles authentication (who you are). Together, they provide complete identity and access management.

Token Types

AuthSafe issues different types of tokens for different purposes:
Access Token

JWT-based token used to access protected resources. Contains claims about the user and their permissions.
  • JWT Format
  • 1 hour expiry
  • Signed with RS256

ID Token

JWT containing user identity information. Issued by OpenID Connect and contains claims like name, email, and profile picture.
  • JWT Format
  • User Info
  • OIDC Standard

Refresh Token

Long-lived opaque token used to obtain new access tokens without re-authenticating. Stored securely server-side.
  • Opaque Format
  • Long-lived
  • Revocable

Security Features

PKCE (Proof Key for Code Exchange)

PKCE is required for all authorization code flows in AuthSafe. It prevents authorization code interception attacks. How PKCE Works:
  1. Your app generates a random code_verifier
  2. Creates a code_challenge by hashing the verifier (SHA-256)
  3. Sends the challenge with the authorization request
  4. Sends the verifier when exchanging the code for tokens
  5. AuthSafe validates that the verifier matches the original challenge

PKCE is Mandatory

All authorization code flows must use PKCE with the S256 method. Requests without valid PKCE parameters will be rejected.
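As an added illustration (not code from AuthSafe's SDKs or documentation), the stdlib-only Python below models both sides of the PKCE exchange in the five steps above, following the redirect flow under "How AuthSafe Works": the client's verifier and S256 challenge generation, and a hypothetical in-memory authorization server that rejects non-S256 requests, binds the challenge to a single-use code and compares digests in constant time. The `_issued_codes` store, the function names and the code format are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical in-memory store: authorization code -> the code_challenge bound
# to it at authorization time. AuthSafe's real server-side storage is not public.
_issued_codes: Dict[str, str] = {}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 uses for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Step 1 (client): 32 random bytes -> 43-char code_verifier (RFC allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """Step 2 (client): code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize(code_challenge: Optional[str], method: Optional[str]) -> Optional[str]:
    """Step 3 (server): only S256 is accepted; returns a fresh code bound to the challenge."""
    if method != "S256" or not code_challenge:
        return None  # a request without valid PKCE parameters is rejected
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = code_challenge
    return code


def exchange(code: str, code_verifier: Optional[str]) -> bool:
    """Steps 4-5 (server): the code is single-use; the verifier must hash to its challenge."""
    expected = _issued_codes.pop(code, None)  # pop: a replayed code is never found again
    if expected is None or code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False
    # Constant-time comparison of the recomputed and the stored challenge.
    return hmac.compare_digest(make_challenge(code_verifier), expected)
```

A failed exchange also consumes the code, so an attacker who intercepts the code but lacks the verifier gets one attempt, and the legitimate client's later use is refused rather than silently succeeding.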

Token Security

  • RS256 Signing: All JWTs are signed with RS256 (RSA signature with SHA-256) using organization-specific keys
  • Token Validation: Always verify token signatures using our JWKS endpoint
  • HTTPS Only: All API endpoints require secure connections
  • Token Expiration: Access tokens expire after 1 hour by default
  • Token Revocation: Refresh tokens can be revoked at any time

Session Management

  • Secure Sessions: Sessions are stored server-side with encryption
  • Session TTL: Configurable time-to-live for user sessions
  • Single Logout: Support for RP-initiated logout across all sessions
  • Concurrent Sessions: Control how many active sessions a user can have

Authentication Flows

Authorization Code Flow

Best for web applications and mobile apps. Most secure flow with PKCE protection.

View Endpoint Documentation →

Client Credentials Flow

For machine-to-machine authentication. Backend services authenticate directly with client credentials.

View Endpoint Documentation →


Next Steps

API Endpoints

Explore all authentication endpoints including authorization, token exchange, and user info.

View API Reference →

Authorization

Learn about access control, scopes, permissions, and role-based authorization.

Learn About Authorization →

Quick Start

Get started with AuthSafe in minutes using our step-by-step integration guide.

Start Integrating →