OAuth 2.0 endpoints
The Authorization Server provides a set of endpoints that client apps can use for different operations during the OAuth flows. An authorization endpoint lets client apps initialize an OAuth flow. A token endpoint facilitates an exchange of an authorization code for access and refresh tokens. A revocation endpoint provides a way to revoke a refresh token.
The Authorization Server provides the following OAuth-related endpoints:
- Authorization endpoint
  - A client app may send a request to this endpoint to receive authorization to access a resource owner’s data residing on a resource server. This action initializes an OAuth flow.
- Token endpoint
  - This endpoint is only applicable to the authorization code grant flow. A client app may send an initial request to this endpoint to exchange an authorization code for access and refresh tokens. Subsequently, a client app may use this endpoint to exchange a refresh token for a new access token when the current access token has expired.
- Revocation endpoint
  - This endpoint is currently only applicable to the authorization code grant flow where refresh tokens are present. A client app may send a request to this endpoint to revoke a refresh token that hasn’t expired but is no longer needed. A client app cannot use a revoked refresh token to obtain a new access token, but an access token that has already been issued via the revoked refresh token can still be used until its expiration.
- JSON Web Key Set endpoint
  - A client app may send a request to this endpoint to receive a set of public keys that it can use to verify the integrity of JWTs issued by the Authorization Server.
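The revocation behaviour described above leaves a window in which an already-issued access token keeps working. The following added example (not the Authorization Server's own code) models the token and revocation endpoints in memory to measure that window. The class, its method names, the `invalid_grant` error string (taken from RFC 6749) and the 300-second access-token lifetime are assumptions; the page states no lifetime.

```python
import secrets

ACCESS_TTL = 300  # seconds; constructed value, the page states no lifetime

class AuthServerModel:
    """Toy in-memory stand-in for the token and revocation endpoints."""
    def __init__(self):
        self.codes, self.refresh, self.access = {}, {}, {}
    def authorize(self, subject):
        code = secrets.token_urlsafe(16)
        self.codes[code] = subject
        return code
    def _issue_access(self, subject, now):
        token = secrets.token_urlsafe(16)
        self.access[token] = (subject, now + ACCESS_TTL)
        return token
    def exchange_code(self, code, now):
        subject = self.codes.pop(code, None)  # single use, per RFC 6749
        if subject is None:
            raise PermissionError("invalid_grant")
        refresh_token = secrets.token_urlsafe(16)
        self.refresh[refresh_token] = subject
        return self._issue_access(subject, now), refresh_token
    def exchange_refresh(self, refresh_token, now):
        if refresh_token not in self.refresh:
            raise PermissionError("invalid_grant")
        return self._issue_access(self.refresh[refresh_token], now)
    def revoke(self, refresh_token):
        self.refresh.pop(refresh_token, None)  # issued access tokens untouched
    def access_valid(self, token, now):
        entry = self.access.get(token)
        return entry is not None and now < entry[1]

def scenario():
    """Constructed timeline: issue at t=0, refresh at t=100, revoke at t=120."""
    srv = AuthServerModel()
    first, rt = srv.exchange_code(srv.authorize("alice"), now=0)
    second = srv.exchange_refresh(rt, now=100)
    srv.revoke(rt)
    try:
        srv.exchange_refresh(rt, now=121)
        refresh_rejected = False
    except PermissionError:
        refresh_rejected = True
    # Seconds after revocation during which the newest access token still works.
    usable = [t for t in range(121, 500) if srv.access_valid(second, t)]
    return refresh_rejected, srv.access_valid(first, 299), usable[-1] - 120
```

In this timeline the revoked refresh token is rejected immediately, yet the access token issued at t=100 remains valid for 279 more seconds, which is why short access-token lifetimes bound the exposure after a revocation.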