API Endpoints Reference

Complete reference for AuthSafe OAuth 2.0 and OpenID Connect endpoints.

REST API
HTTPS Only
OAuth 2.0

Base URL

All endpoints on this page are relative to:

https://identities.authsafe.in

Authorization Endpoint: GET /auth/authorize

Starts the user sign-in flow and returns an authorization code to your redirect URI.

Query Parameters

Parameter              Type    Required     Description
client_id              string  Yes          Your application client identifier
redirect_uri           string  Yes          Where AuthSafe redirects after sign-in
response_type          string  Yes          Use code for the authorization code flow
scope                  string  No           Space-separated scopes, for example openid profile email
state                  string  Recommended  Opaque value that binds the request to its callback
code_challenge         string  Yes          PKCE challenge value
code_challenge_method  string  Yes          Must be S256

Example Request

curl "https://identities.authsafe.in/auth/authorize?client_id=your_client_id&redirect_uri=https://yourapp.com/callback&response_type=code&scope=openid%20profile%20email&state=random_state&code_challenge=CODE_CHALLENGE&code_challenge_method=S256"

Response

https://yourapp.com/callback?code=AUTHORIZATION_CODE&state=random_state

Token Endpoint: POST /auth/token

Exchanges an authorization code for tokens, refreshes tokens, or issues client-credentials access tokens.

Request Body Parameters

Parameter      Type    Required     Description
grant_type     string  Yes          authorization_code | refresh_token | client_credentials
code           string  Conditional  Authorization code for the authorization_code grant
refresh_token  string  Conditional  Refresh token for the refresh_token grant
client_id      string  Yes          Your application client identifier
client_secret  string  Yes          Client secret for confidential clients
code_verifier  string  Conditional  PKCE verifier for the authorization_code grant

Example Request

curl -X POST https://identities.authsafe.in/auth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTHORIZATION_CODE" \
  -d "redirect_uri=https://yourapp.com/callback" \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret" \
  -d "code_verifier=CODE_VERIFIER"

Response

{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "...",
  "id_token": "eyJ...",
  "scope": "openid profile email"
}
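The two requests above are halves of one procedure: the client mints a PKCE verifier and a state value, sends the user to /auth/authorize, checks the state on the callback, and only then posts the code and verifier to /auth/token. The following is an added example that walks through that sequence with the Python standard library; it is not AuthSafe SDK code. The client id, secret, redirect URI and the injectable `send` transport are placeholders, and no network call is made unless the default transport is used.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

BASE_URL = "https://identities.authsafe.in"
AUTHORIZE_URL = BASE_URL + "/auth/authorize"
TOKEN_URL = BASE_URL + "/auth/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes encode to 43 unreserved characters."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(client_id, redirect_uri, scope="openid profile email"):
    """Build the /auth/authorize URL. Returns (url, pending); `pending` must be
    kept server-side (for example in the session) until the callback arrives."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(32)          # unguessable, one per login attempt
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    url = AUTHORIZE_URL + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return url, {"state": state, "code_verifier": verifier, "redirect_uri": redirect_uri}


def parse_callback(callback_url, pending):
    """Pull the code out of the redirect, but only if `state` matches what we
    stored: a mismatch means a forged or stale callback, so stop there."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"][0]


def token_request(client_id, client_secret, code, pending):
    """Form-encoded POST /auth/token with the same fields as the curl example."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": pending["code_verifier"],  # proves we started this flow
    }
    return urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(body).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def exchange_code(client_id, client_secret, code, pending, send=None):
    """Send the token request and return the parsed token set. `send` is an
    injectable transport (Request -> response bytes) so tests can run offline;
    the default performs the real HTTPS call."""
    send = send or (lambda req: urllib.request.urlopen(req, timeout=10).read())
    tokens = json.loads(send(token_request(client_id, client_secret, code, pending)))
    if "error" in tokens:      # standard OAuth error body, e.g. invalid_grant
        raise ValueError(f"{tokens['error']}: {tokens.get('error_description', '')}")
    return tokens
```

The verifier never leaves the server until the token request, and the code is only accepted once the state check passes; both checks are what make an intercepted authorization code useless on its own. The `pending` record should be deleted after one use so a replayed callback fails the state comparison.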

Additional Routes

GET /auth/user-info

Returns claims for the authenticated user when called with a valid access token.

POST /auth/introspect

Validates token state and metadata according to RFC 7662.

POST /auth/revoke

Revokes access or refresh tokens according to RFC 7009.

GET /auth/logout

Ends the user session and optionally redirects to a post-logout URI.

GET /auth/branding

Returns public branding configuration for a specific client.

/.well-known/*

Provides OIDC discovery metadata and JWKS public keys.

Scope-Dependent Claims

Returned user claims depend on granted scopes. Request profile and email scopes when needed.


Error Responses

AuthSafe returns standard OAuth 2.0 error structures:

{
  "error": "invalid_request",
  "error_description": "Missing required parameter: code_verifier"
}

Error Code              Description
invalid_request         Request is malformed or missing a required parameter
invalid_client          Client authentication failed
invalid_grant           Authorization code or refresh token is invalid or expired
unauthorized_client     Client is not allowed to use the requested grant
unsupported_grant_type  Grant type is not supported
invalid_scope           Requested scope is unknown or not allowed
access_denied           Resource owner or authorization server denied the request

Security Considerations

PKCE Is Required

Authorization code flow must include a valid code_challenge and code_verifier pair.

Token Signature Validation

Validate JWT signatures using keys from /.well-known/jwks.json.
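Signature validation means more than checking the signature: the client must pin the accepted algorithm (so a token claiming alg "none" or an HMAC algorithm is rejected before any key is consulted), pick the key by kid from the JWKS, and then check iss, aud, exp and nbf. The following added example implements that pipeline with only the Python standard library, including RSASSA-PKCS1-v1_5 (RS256) verification from the JWK's n and e; it is not AuthSafe SDK code. It assumes tokens are signed with RS256 and that iss equals the base URL; confirm both against your tenant's /.well-known/openid-configuration. `verify_jwt` takes an already-parsed JWKS document so it runs offline; `load_jwks` shows the fetch.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request

ISSUER = "https://identities.authsafe.in"       # assumed issuer value
JWKS_URL = ISSUER + "/.well-known/jwks.json"
ALLOWED_ALGS = {"RS256"}                        # never trust the header's alg blindly
LEEWAY = 60                                     # seconds of clock skew tolerated


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_to_int(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")


def load_jwks(url: str = JWKS_URL) -> dict:
    """Fetch and parse the JWKS. Cache it, and refetch once on an unknown kid
    so key rotation does not break validation."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding (RFC 8017 section 9.2) of SHA-256(message), k bytes long."""
    digest_info = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(message).digest()
    ps_len = k - len(digest_info) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest_info


def rsa_verify(jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification using the public (n, e) from the JWK."""
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha256(signing_input, k))


def verify_jwt(token: str, jwks: dict, audience: str, now=None) -> dict:
    """Return the claims if the signature and iss/aud/exp/nbf all check out; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:                 # rejects "none" and HS256 key confusion
        raise ValueError(f"algorithm {alg!r} not allowed")
    kid = header.get("kid")
    keys = [k for k in jwks.get("keys", []) if k.get("kid") == kid and k.get("kty") == "RSA"]
    if len(keys) != 1:
        raise ValueError(f"no unique RSA key with kid {kid!r} in JWKS")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not rsa_verify(keys[0], signing_input, b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(parts[1]))  # trust the payload only after the signature
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token not issued for this client")
    if "exp" not in claims or now > claims["exp"] + LEEWAY:
        raise ValueError("token expired")
    if now + LEEWAY < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims
```

In production a maintained JWT library is the better choice; the value of the stdlib version is that every check is visible, in particular that the algorithm allowlist is enforced before the key lookup and that the claims are not read until the signature has been verified.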

Secure Token Storage

Never expose tokens in URLs or logs. Store tokens using secure client and server patterns.

Token Lifetime

Access tokens are short-lived; use refresh tokens for session continuity.

HTTPS Only

All endpoints require HTTPS. Plain HTTP requests are rejected.

Rate Limiting

Responses include rate-limit headers to help clients throttle and retry safely.

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1234567890

If limits are exceeded, AuthSafe returns HTTP 429 Too Many Requests.
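A client that ignores these headers tends to hammer the endpoint straight into a 429 loop. The following added example (not AuthSafe SDK code) parses the three X-RateLimit-* headers, computes how long to wait on a 429 from X-RateLimit-Reset, falls back to capped exponential backoff when the header is absent, and wraps a request in a retry loop. It assumes X-RateLimit-Reset is a Unix timestamp in seconds, as in the sample above, and takes `now` and `sleep` as injectable parameters so the loop can be exercised without waiting.

```python
import time

RETRYABLE = {429, 500, 502, 503, 504}


def parse_rate_limit(headers):
    """Read the X-RateLimit-* headers case-insensitively; missing or
    non-numeric values come back as None instead of raising."""
    lower = {k.lower(): v for k, v in headers.items()}

    def as_int(name):
        try:
            return int(lower.get(name))
        except (TypeError, ValueError):
            return None

    return {
        "limit": as_int("x-ratelimit-limit"),
        "remaining": as_int("x-ratelimit-remaining"),
        "reset": as_int("x-ratelimit-reset"),   # Unix timestamp, seconds
    }


def retry_delay(status, headers, now, attempt=0, cap=60.0):
    """Seconds to wait before retrying, or None when the response is final.
    A 429 waits until X-RateLimit-Reset; other retryable statuses back off
    exponentially. The wait is capped so a bad header cannot stall a client."""
    if status not in RETRYABLE:
        return None
    reset = parse_rate_limit(headers)["reset"]
    if status == 429 and reset is not None:
        return min(cap, max(0.0, float(reset - now)))
    return min(cap, 2.0 ** attempt)


def should_pause(headers, reserve=1):
    """Pre-emptive throttling: True when the remaining budget is at or below `reserve`,
    so a client can slow down before the server starts returning 429."""
    remaining = parse_rate_limit(headers)["remaining"]
    return remaining is not None and remaining <= reserve


def call_with_backoff(send, request, max_attempts=5, now=time.time, sleep=time.sleep):
    """Run send(request) -> (status, headers, body), retrying as retry_delay directs.
    `now` and `sleep` are injectable so the loop can be tested without real waits."""
    for attempt in range(max_attempts):
        status, headers, body = send(request)
        delay = retry_delay(status, headers, now(), attempt)
        if delay is None:
            return status, headers, body
        sleep(delay)
    raise RuntimeError(f"still rate-limited after {max_attempts} attempts")
```

Only idempotent requests should go through the retry loop; a token exchange that timed out after the server consumed the authorization code will fail with invalid_grant on retry, which is the correct outcome and should be surfaced rather than retried.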


Next Steps

Quick Start Guide

Set up AuthSafe end-to-end with a guided integration path.

Authorization & Access Control

Learn how scopes and role policies map to API access decisions.
