Platform OAuth API
Reference for the Platform OAuth endpoint group — 10 endpoints.
Generated from the live OpenAPI spec. Re-run _generate_api_reference.py after backend changes.
Authentication#
All endpoints require a Bearer JWT in the Authorization header unless noted otherwise. See Concepts → Tokens and scopes and Reference → OAuth endpoints for how to obtain one.
Endpoints#
GET /api/v1/platform/.well-known/jwks.json#
Platform Jwks
Platform-level JSON Web Key Set endpoint.
Returns the public keys used to verify platform token signatures. These are the same keys used for tenant-level tokens.
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
GET /api/v1/platform/oauth/.well-known/openid-configuration#
Platform Openid Configuration
Platform-level OpenID Configuration.
Returns minimal configuration for platform-level OAuth.
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
GET /api/v1/platform/oauth/authorize#
Platform Authorize
Platform-level OAuth 2.0 Authorization endpoint.
This endpoint is for GLOBAL-scoped applications that need to authenticate users across any tenant. It redirects to a tenant-agnostic login page where the user enters their email, and the system determines the appropriate tenant.
Flow:
- Application redirects user here with OAuth params
- We validate the client_id is a GLOBAL app
- Redirect to auth UI login page (without tenant context)
- User enters email -> system identifies tenant
- Continue with tenant-scoped OAuth flow
Parameters:
| Name | In | Required | Type | Description |
|---|---|---|---|---|
response_type |
query | yes | string |
|
client_id |
query | yes | string |
|
redirect_uri |
query | yes | string |
|
scope |
query | yes | string |
|
state |
query | no | string | null |
|
nonce |
query | no | string | null |
|
code_challenge |
query | no | string | null |
|
code_challenge_method |
query | no | string | null |
|
prompt |
query | no | string | null |
|
login_hint |
query | no | string | null |
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
422 |
application/json → HTTPValidationError |
POST /api/v1/platform/oauth/device/authorize#
Device Authorize
Device Authorization Request (RFC 8628 Section 3.1).
The device calls this to get a device_code and user_code.
Parameters:
| Name | In | Required | Type | Description |
|---|---|---|---|---|
authorization |
header | no | string | null |
Request body:
Required.
application/x-www-form-urlencoded→Body_device_authorize_api_v1_platform_oauth_device_authorize_post
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
422 |
application/json → HTTPValidationError |
GET /api/v1/platform/oauth/device/verify#
Device Verify Info
Get info about a device code for the verification page. Returns the application name and requested scopes.
Parameters:
| Name | In | Required | Type | Description |
|---|---|---|---|---|
user_code |
query | yes | string |
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
422 |
application/json → HTTPValidationError |
POST /api/v1/platform/oauth/device/verify#
Device Verify Complete
User approves or denies the device authorization request. Requires the user to be authenticated (via SSO cookie or session).
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
GET /api/v1/platform/oauth/logout#
Platform Logout
Platform-level OIDC End Session endpoint (RP-initiated logout).
Tenant-agnostic counterpart to /api/v1/auth/tenants/{slug}/oauth/logout — used by GLOBAL-scoped apps that don't have a tenant slug to put in the path. Resolves the SSO session by cookie and terminates it.
Parameters:
| Name | In | Required | Type | Description |
|---|---|---|---|---|
id_token_hint |
query | no | string | null |
|
post_logout_redirect_uri |
query | no | string | null |
|
state |
query | no | string | null |
|
client_id |
query | no | string | null |
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
422 |
application/json → HTTPValidationError |
POST /api/v1/platform/oauth/token#
Platform Token
Platform-level OAuth 2.0 Token endpoint.
Supports both authorization_code and client_credentials grants for GLOBAL-scoped applications.
Args: grant_type: "authorization_code" or "client_credentials" client_id: The application's client ID client_secret: The application's client secret code: Authorization code (for authorization_code grant) redirect_uri: Redirect URI (for authorization_code grant) code_verifier: PKCE code verifier (for authorization_code grant) scope: Requested scopes (for client_credentials grant) authorization: Basic auth header (alternative to client_id/secret in body)
Returns: TokenResponse with access_token
Parameters:
| Name | In | Required | Type | Description |
|---|---|---|---|---|
authorization |
header | no | string | null |
Request body:
Required.
application/x-www-form-urlencoded→Body_platform_token_api_v1_platform_oauth_token_post
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
422 |
application/json → HTTPValidationError |
GET /api/v1/platform/oauth/userinfo#
Platform Userinfo
Platform-level OIDC UserInfo endpoint.
Returns claims about the authenticated user.
Parameters:
| Name | In | Required | Type | Description |
|---|---|---|---|---|
authorization |
header | yes | string |
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
422 |
application/json → HTTPValidationError |
POST /api/v1/platform/oauth/userinfo#
Platform Userinfo
Platform-level OIDC UserInfo endpoint.
Returns claims about the authenticated user.
Parameters:
| Name | In | Required | Type | Description |
|---|---|---|---|---|
authorization |
header | yes | string |
Responses:
| Status | Body |
|---|---|
200 |
application/json → any |
422 |
application/json → HTTPValidationError |
Schemas#
Definitions for every type referenced by the endpoints above. Schema-to-schema references on this page link within the page; cross-page references would require visiting the linked page.
Body_device_authorize_api_v1_platform_oauth_device_authorize_post#
| Field | Type | Required | Description |
|---|---|---|---|
client_id |
string |
yes | |
scope |
string |
no | Default: openid |
Body_platform_token_api_v1_platform_oauth_token_post#
| Field | Type | Required | Description |
|---|---|---|---|
grant_type |
string |
yes | |
client_id |
string | null |
no | |
client_secret |
string | null |
no | |
code |
string | null |
no | |
device_code |
string | null |
no | |
refresh_token |
string | null |
no | |
redirect_uri |
string | null |
no | |
code_verifier |
string | null |
no | |
scope |
string | null |
no | |
subject_token |
string | null |
no | |
subject_token_type |
string | null |
no | |
audience |
string | null |
no | |
requested_token_type |
string | null |
no |
HTTPValidationError#
| Field | Type | Required | Description |
|---|---|---|---|
detail |
array of ValidationError |
no |
ValidationError#
| Field | Type | Required | Description |
|---|---|---|---|
loc |
array of string | integer |
yes | |
msg |
string |
yes | |
type |
string |
yes |