Authentication
AuthAction provides secure, standards-compliant authentication built on OAuth 2.0 and OpenID Connect. This section documents the authentication mechanisms available for your tenant.
Available Guides
- OAuth 2.0 & OIDC Endpoints: Complete reference for all tenant-specific endpoints including authorization, token, userinfo, JWKS, and logout.
- PKCE Authorization Flow: How AuthAction enforces the Authorization Code Flow with PKCE (S256) for secure public client authentication.
- Passkey Authentication: Enable passwordless login using device-bound passkeys with WebAuthn.
- OIDC Prompt: Control whether users see login or signup first using the prompt parameter.
Key Concepts
- PKCE is mandatory: AuthAction only supports the Authorization Code Flow with PKCE using the S256 challenge method. This eliminates the need for client secrets in public clients.
- OpenID Connect Discovery: Client SDKs can auto-configure by fetching your tenant’s /.well-known/openid-configuration document.
- RS256 signing: All tokens are signed with RS256 and can be verified via the JWKS endpoint.
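How the S256 challenge behind the mandatory PKCE flow is derived and checked, as an added Python example (not AuthAction's own code; the function names and the server-side check are assumptions based on RFC 7636): the client computes the verifier and challenge before the authorization request, and the token endpoint re-derives the challenge and rejects anything other than S256.

```python
"""PKCE (RFC 7636) with the S256 challenge method, client and server side.

Added example; not AuthAction's own code.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 requires base64url encoding without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC minimum.
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, stored_challenge: str, method: str) -> bool:
    """Check performed at the token endpoint (assumed shape, not AuthAction's code).

    Only S256 is accepted, mirroring the page: the 'plain' method is refused.
    The comparison is constant-time so timing does not leak the challenge.
    """
    if method != "S256":
        return False
    if not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print("code_verifier :", v)
    print("code_challenge:", c)
    print("valid:", verify_pkce(v, c, "S256"))
```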