© 2026 AuthSafe. All rights reserved.

API Endpoints Reference

Complete reference for all AuthSafe OAuth 2.0 and OpenID Connect endpoints. All endpoints are hosted at https://identities.authsafe.in
REST API
HTTPS Only
OAuth 2.0

Base URL

All endpoints described below are relative to:
https://identities.authsafe.in

Authorization Endpoint

GET /auth/authorize

Initiates the authorization flow by rendering the login page. This endpoint is used to authenticate end-users and obtain authorization codes.

Query Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
client_id | string | Yes | Your application's client identifier
redirect_uri | string | Yes | URI to redirect after authorization
response_type | string | Yes | Must be code for authorization code flow
scope | string | No | Space-separated list of requested scopes (e.g., openid profile email)
state | string | Recommended | Opaque value to maintain state between request and callback
code_challenge | string | Yes | PKCE code challenge (required for security)
code_challenge_method | string | Yes | Must be S256 (SHA-256)

Example Request

curl "https://identities.authsafe.in/auth/authorize?client_id=your_client_id&redirect_uri=https://yourapp.com/callback&response_type=code&scope=openid%20profile%20email&state=random_state_string&code_challenge=CODE_CHALLENGE&code_challenge_method=S256"

Response

Renders the login page where users can authenticate. Upon successful authentication, redirects to your redirect_uri with an authorization code:
https://yourapp.com/callback?code=AUTHORIZATION_CODE&state=random_state_string
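The authorize request and callback above, as an added example that is not part of AuthSafe's documentation or SDKs. The helper builds the /auth/authorize URL with a fresh PKCE pair and a random state, then validates the redirect back to redirect_uri: a mismatched state is rejected before the code is used, and an error redirect is surfaced instead of being mistaken for success. The PKCE derivation follows RFC 7636 (S256), which is what the page's code_challenge_method requires; the client_id and redirect_uri values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://identities.authsafe.in/auth/authorize"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    A fresh verifier is 32 random bytes, base64url-encoded without padding
    (43 characters, inside the 43-128 range the server requires). Passing an
    existing verifier recomputes its challenge, which is handy for tests.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope="openid profile email"):
    """Build the /auth/authorize URL plus the per-login secrets to remember.

    Returns (url, login_state); login_state holds the state and code_verifier
    that must be kept server-side (bound to the user's session) until the
    callback arrives. Only the challenge, never the verifier, goes in the URL.
    """
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # quote_via=quote encodes spaces as %20, matching the page's example request.
    url = AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)
    return url, {"state": state, "code_verifier": verifier}


def parse_callback(callback_url, expected_state):
    """Validate the redirect to redirect_uri and return the authorization code.

    The state comparison is constant-time and happens before anything else, so
    a callback that does not belong to this login attempt is never acted on.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]} {description}".strip())
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return code
```

The verifier returned by build_authorize_url is the value to send as code_verifier in the token request; it should live only in the server-side session and be discarded after one use.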

Token Endpoint

POST /auth/token

Exchanges authorization codes for access tokens, refreshes access tokens, or obtains tokens using client credentials.

Request Headers

Content-Type: application/x-www-form-urlencoded

Authorization Code Grant

Exchange an authorization code for tokens.

Request Body Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
grant_type | string | Yes | Must be authorization_code
code | string | Yes | The authorization code received from /auth/authorize
redirect_uri | string | Yes | Must match the redirect URI used in the authorize request
client_id | string | Yes | Your application's client identifier
client_secret | string | Yes | Your application's client secret
code_verifier | string | Yes | PKCE code verifier

Example Request

curl -X POST https://identities.authsafe.in/auth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTHORIZATION_CODE" \
  -d "redirect_uri=https://yourapp.com/callback" \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret" \
  -d "code_verifier=CODE_VERIFIER"

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "refresh_token_value",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "scope": "openid profile email"
}

Refresh Token Grant

Obtain a new access token using a refresh token.

Request Body Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
grant_type | string | Yes | Must be refresh_token
refresh_token | string | Yes | The refresh token received from a previous token request
client_id | string | Yes | Your application's client identifier
client_secret | string | Yes | Your application's client secret
scope | string | No | Requested scopes (cannot exceed original grant)

Example Request

curl -X POST https://identities.authsafe.in/auth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=REFRESH_TOKEN" \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret"

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "openid profile email"
}

Client Credentials Grant

Obtain an access token using client credentials (for machine-to-machine authentication).

Request Body Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
grant_type | string | Yes | Must be client_credentials
client_id | string | Yes | Your application's client identifier
client_secret | string | Yes | Your application's client secret
scope | string | No | Requested scopes

Example Request

curl -X POST https://identities.authsafe.in/auth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret" \
  -d "scope=api:read"

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "api:read"
}
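The three grants of POST /auth/token, as an added Python example that is not AuthSafe's own SDK code. The HTTP transport is injected so the client can be exercised offline; in production it would wrap urllib or requests and POST the form-encoded body to the token endpoint. Beyond sending the right parameters, the client turns OAuth error documents into exceptions, caches client-credentials tokens and renews them shortly before expires_in runs out, and, on a 429, waits for the X-RateLimit-Reset time described under Rate Limiting instead of retrying immediately. The client_id and client_secret values are placeholders.

```python
import json
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://identities.authsafe.in/auth/token"


class TokenError(Exception):
    """Raised when /auth/token answers with an OAuth 2.0 error document."""

    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error
        self.description = description


class TokenClient:
    """Client for the authorization_code, refresh_token and client_credentials grants.

    transport(url, headers, body) -> (status, response_headers, body_text) is
    supplied by the caller; clock and sleep are injectable for testing.
    """

    def __init__(self, client_id, client_secret, transport, clock=time.time, sleep=time.sleep):
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport
        self.clock = clock
        self.sleep = sleep
        self._m2m_cache = {}  # scope -> (access_token, expiry epoch)

    def _post(self, params):
        # Client authentication is client_secret_post, the only method the discovery document lists.
        body = urlencode({**params, "client_id": self.client_id, "client_secret": self.client_secret})
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        for _attempt in range(3):
            status, resp_headers, text = self.transport(TOKEN_ENDPOINT, headers, body)
            if status == 429:
                # Back off until the window resets rather than burning the remaining quota.
                reset = float(resp_headers.get("X-RateLimit-Reset", self.clock() + 1))
                self.sleep(max(0.0, reset - self.clock()))
                continue
            payload = json.loads(text)
            if status != 200 or "error" in payload:
                raise TokenError(payload.get("error", f"http_{status}"), payload.get("error_description", ""))
            return payload
        raise TokenError("rate_limited", "gave up after repeated 429 responses")

    def exchange_code(self, code, redirect_uri, code_verifier):
        """Authorization code grant; redirect_uri must equal the one sent to /auth/authorize."""
        return self._post({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "code_verifier": code_verifier,
        })

    def refresh(self, refresh_token, scope=None):
        """Refresh token grant; scope may only narrow the original grant."""
        params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
        if scope:
            params["scope"] = scope
        return self._post(params)

    def client_credentials_token(self, scope, skew=30):
        """Client credentials grant with a per-scope cache renewed `skew` seconds before expiry."""
        token, expiry = self._m2m_cache.get(scope, (None, 0))
        if token and self.clock() + skew < expiry:
            return token
        payload = self._post({"grant_type": "client_credentials", "scope": scope})
        self._m2m_cache[scope] = (payload["access_token"], self.clock() + int(payload["expires_in"]))
        return payload["access_token"]
```

Keeping the secret in the client object rather than in the call sites keeps it out of URLs and log lines; the form body is the only place it is written.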

User Info Endpoint

GET /auth/user-info

Returns claims about the authenticated user. Requires a valid access token.

Request Headers

Authorization: Bearer ACCESS_TOKEN

Example Request

curl https://identities.authsafe.in/auth/user-info \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."

Response

{
  "sub": "user_unique_identifier",
  "name": "John Doe",
  "email": "john.doe@example.com",
  "email_verified": true,
  "picture": "https://example.com/profile.jpg",
  "updated_at": 1234567890
}

Scope-Dependent Claims

The exact claims returned depend on the scopes granted during authorization. Request the profile scope for name and picture, and the email scope for email claims.

Token Introspection Endpoint

POST /auth/introspect

Introspects an access or refresh token to determine its current state and metadata. Implements RFC 7662.

Request Headers

Content-Type: application/x-www-form-urlencoded

Request Body Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
token | string | Yes | The token to introspect
client_id | string | Yes | Your application's client identifier
client_secret | string | Yes | Your application's client secret

Example Request

curl -X POST https://identities.authsafe.in/auth/introspect \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=TOKEN_TO_INTROSPECT" \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret"

Response (Active Token)

{
  "active": true,
  "scope": "openid profile email",
  "client_id": "your_client_id",
  "token_type": "Bearer",
  "exp": 1234567890,
  "iat": 1234564290,
  "sub": "user_unique_identifier"
}

Response (Inactive Token)

{
  "active": false
}
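How a resource server would consume the introspection responses above, as an added Python example that is not part of AuthSafe's documentation. The introspect callable is injected and is expected to POST token, client_id and client_secret to /auth/introspect and return the JSON body. The guard enforces active, exp and the granted scope, and caches results keyed by a SHA-256 of the token (never the token itself) for at most max_ttl seconds and never beyond exp, so a revoked token stops working within that window. The sample responses in the test are constructed from the page's examples.

```python
import hashlib
import time


class IntrospectionGuard:
    """Authorize bearer tokens at a resource server via RFC 7662 introspection."""

    def __init__(self, introspect, clock=time.time, max_ttl=60):
        self.introspect = introspect      # token -> dict (the /auth/introspect JSON body)
        self.clock = clock
        self.max_ttl = max_ttl            # upper bound on how long a result is reused
        self._cache = {}                  # sha256(token) -> (response, valid_until)

    def _lookup(self, token, now):
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        cached = self._cache.get(key)
        if cached and cached[1] > now:
            return cached[0]
        info = self.introspect(token)
        ttl = self.max_ttl
        if info.get("active") and "exp" in info:
            ttl = min(ttl, info["exp"] - now)  # never trust a result past the token's own expiry
        self._cache[key] = (info, now + max(ttl, 0))
        return info

    def check(self, token, required_scopes):
        """Return (allowed, detail). detail is the subject on success, a reason on denial."""
        now = self.clock()
        info = self._lookup(token, now)
        if not info.get("active"):
            return False, "token inactive (expired, revoked, or unknown)"
        if "exp" in info and now >= info["exp"]:
            return False, "token expired"
        granted = set(info.get("scope", "").split())
        missing = set(required_scopes) - granted
        if missing:
            return False, "insufficient scope: missing " + " ".join(sorted(missing))
        return True, info.get("sub")
```

The denial reason is meant for the server's own log and a generic WWW-Authenticate error, not for echoing token details back to the caller.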

Token Revocation Endpoint

POST /auth/revoke

Revokes an access or refresh token. Implements RFC 7009.

Request Headers

Content-Type: application/x-www-form-urlencoded

Request Body Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
token | string | Yes | The token to revoke
client_id | string | Yes | Your application's client identifier
client_secret | string | Yes | Your application's client secret

Example Request

curl -X POST https://identities.authsafe.in/auth/revoke \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=TOKEN_TO_REVOKE" \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret"

Response

Returns HTTP 200 for both successful revocations and already-revoked/invalid tokens (per RFC 7009, to prevent token scanning attacks).

{
  "message": "Token revoked successfully"
}

Logout Endpoint

GET /auth/logout

Initiates RP-initiated logout to end the user's session.

Query Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
id_token_hint | string | Recommended | ID token previously issued to the client
post_logout_redirect_uri | string | No | URI to redirect after logout (must be pre-registered)
state | string | No | Opaque value to maintain state

Example Request

curl "https://identities.authsafe.in/auth/logout?id_token_hint=ID_TOKEN&post_logout_redirect_uri=https://yourapp.com/logged-out&state=random_state"

Response

Ends the user's session and redirects to the post_logout_redirect_uri if provided, otherwise to the default logout page.

Branding Endpoint

GET /auth/branding

Returns public branding information for a given client application.

Query Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
client_id | string | Yes | The client identifier

Example Request

curl "https://identities.authsafe.in/auth/branding?client_id=your_client_id"

Response

{
  "logo_url": "https://example.com/logo.png",
  "brand_color": "#0066CC",
  "application_name": "Your Application",
  "privacy_policy_url": "https://example.com/privacy",
  "terms_of_service_url": "https://example.com/terms"
}

Discovery Endpoints

GET /.well-known/openid-configuration

Returns the OpenID Connect discovery document containing metadata about the authorization server.

Example Request

curl https://identities.authsafe.in/.well-known/openid-configuration

Response

{
  "issuer": "https://identities.authsafe.in",
  "authorization_endpoint": "https://identities.authsafe.in/auth/authorize",
  "token_endpoint": "https://identities.authsafe.in/auth/token",
  "userinfo_endpoint": "https://identities.authsafe.in/auth/user-info",
  "jwks_uri": "https://identities.authsafe.in/.well-known/jwks.json",
  "end_session_endpoint": "https://identities.authsafe.in/auth/logout",
  "introspection_endpoint": "https://identities.authsafe.in/auth/introspect",
  "revocation_endpoint": "https://identities.authsafe.in/auth/revoke",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "token_endpoint_auth_methods_supported": ["client_secret_post"],
  "code_challenge_methods_supported": ["S256"],
  "claims_supported": ["sub", "name", "email", "email_verified", "picture", "updated_at"]
}

GET /.well-known/jwks.json

Returns the JSON Web Key Set (JWKS) containing public keys for verifying ID tokens and access tokens.

Example Request

curl https://identities.authsafe.in/.well-known/jwks.json

Response

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "key_identifier",
      "alg": "RS256",
      "n": "modulus_value",
      "e": "AQAB"
    }
  ]
}
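Using the discovery document and JWKS above on the receiving side, as an added Python example that is not AuthSafe's own code. Signature verification itself is done by the JOSE library of your choice with the key this helper selects; what the block shows are the checks such libraries often leave to the caller: pinning alg to RS256 (so a token whose header claims none or HS256 is rejected before any key is touched), selecting the signing key by kid from the JWKS, and validating iss, aud and exp after the signature has been verified. compact_jws is a utility for assembling sample tokens; SAMPLE_JWKS mirrors the page's JWKS example and contains no real key material.

```python
import base64
import json
import time

ISSUER = "https://identities.authsafe.in"   # the issuer from the discovery document
ALLOWED_ALGS = {"RS256"}                    # the only alg the discovery document advertises

# Constructed sample JWKS, shaped like the page's example; "modulus_value" is not a real modulus.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "key_identifier",
                         "alg": "RS256", "n": "modulus_value", "e": "AQAB"}]}


def _b64url_decode(segment):
    """Decode an unpadded base64url segment as used in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compact_jws(header, claims, signature=b""):
    """Assemble a compact JWS from its parts (used here only to build sample tokens)."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


def select_verification_key(token, jwks):
    """Parse the (still unverified) JOSE header and return the JWK it names.

    Raises ValueError for an unacceptable alg and LookupError when no matching
    RS256 signing key exists; the latter is the cue to refresh the cached JWKS
    once (key rotation) before failing the request.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS (expected 3 segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only RS256 is accepted")
    kid = header.get("kid")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA" and key.get("use", "sig") == "sig":
            if key.get("alg", "RS256") != "RS256":
                break
            return key
    raise LookupError(f"no RS256 signing key with kid={kid!r} in JWKS")


def validate_claims(token, issuer=ISSUER, audience=None, now=None, leeway=60):
    """Check the registered claims once the signature has been verified with the selected key."""
    now = time.time() if now is None else now
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if audience is not None:
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if audience not in aud:
            raise ValueError("token not intended for this audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or has no exp")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    return claims
```

The order matters: header parsing and key selection happen before signature verification, claim validation after it, and nothing from the payload is trusted until the signature check has passed.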

Error Responses

All endpoints return standard OAuth 2.0 error responses when applicable:

{
  "error": "invalid_request",
  "error_description": "Missing required parameter: code_verifier"
}

Common Error Codes

Error Code | Description
--- | ---
invalid_request | The request is missing a required parameter or is otherwise malformed
invalid_client | Client authentication failed
invalid_grant | The authorization code or refresh token is invalid, expired, or revoked
unauthorized_client | The client is not authorized to use this grant type
unsupported_grant_type | The grant type is not supported
invalid_scope | The requested scope is invalid or exceeds the granted scope
access_denied | The user or authorization server denied the request

Security Considerations

PKCE Requirement

PKCE is Mandatory

AuthSafe requires PKCE (Proof Key for Code Exchange) for the authorization code flow to prevent authorization code interception attacks. You must generate a cryptographically random code_verifier (43-128 characters), create a code_challenge by SHA-256 hashing the verifier and base64url encoding the digest, send the challenge in the authorize request, and send the verifier in the token request.

Token Security

Access Tokens

JWT-based tokens signed with RS256. Verify signatures using the public keys from /.well-known/jwks.json.

Refresh Tokens

Opaque tokens stored securely server-side.

Token Storage

Store tokens securely. Never expose tokens in URLs or logs.

Token Lifetime

Access tokens expire after 1 hour by default. Use refresh tokens to obtain new access tokens.

HTTPS Only

All API endpoints require HTTPS. HTTP requests will be rejected.

Rate Limiting

API endpoints are rate-limited to prevent abuse. Rate limit headers are included in responses:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1234567890

If you exceed the rate limit, you'll receive a 429 Too Many Requests response.

Next Steps

Quick Start Guide

Get started with AuthSafe in minutes with our step-by-step integration guide.

View Quick Start →

Authorization & Access Control

Learn about scopes, permissions, and implementing fine-grained access control.

Learn About Authorization →