AuthAction OAuth 2.0 & OpenID Connect (OIDC) Endpoints

AuthAction provides tenant-specific OAuth 2.0 and OpenID Connect (OIDC) endpoints using the base format:

https://{tenant-name}.{region}.authaction.com/

Client SDKs can automatically discover and integrate these endpoints using the OpenID Connect Discovery document located at:

https://{tenant-name}.{region}.authaction.com/.well-known/openid-configuration

There’s no need to manually implement each endpoint individually when using a compatible OIDC client library.


  • Endpoint:
    https://{tenant-name}.{region}.authaction.com/
  • Description:
    • Identifies the OIDC provider.
    • Used in discovery and validation.

  • Endpoint:
    https://{tenant-name}.{region}.authaction.com/.well-known/openid-configuration
  • Method: GET
  • Description:
    • Returns a JSON document describing all supported OIDC endpoints, scopes, claims, and other metadata.
    • Used by client SDKs to automatically configure integrations.

  • Endpoint:

    https://{tenant-name}.{region}.authaction.com/oauth2/authorize
  • Method: GET

  • Description:

    • Starts the Authorization Code flow with PKCE.
  • Query Parameters:

    | Name | Required | Description |
    |------|----------|-------------|
    | response_type | Yes | Use code |
    | client_id | Yes | The application’s client ID |
    | redirect_uri | Yes | URL to redirect to after authorization |
    | scope | Yes | Space-separated list (e.g. openid email profile) |
    | state | No | Opaque value to prevent CSRF |
    | audience | No | Identifier of the target API |
    | code_challenge | Yes | A Base64-URL-encoded SHA256 hash of the code_verifier |
    | code_challenge_method | Yes | Method used for the challenge. Only S256 is supported |
    | nonce | No | A string value to associate a client session with an ID Token |

  • Endpoint:

    https://{tenant-name}.{region}.authaction.com/oauth2/token
  • Method: POST

  • Content-Type: application/x-www-form-urlencoded

  • Description:

    • Exchanges the authorization code for tokens. PKCE is required for the authorization_code flow.
  • Form Parameters:

    | Name | Required | Description |
    |------|----------|-------------|
    | grant_type | Yes | authorization_code or client_credentials |
    | client_id | Yes | App’s client ID |
    | client_secret | Required only for M2M flow | App’s secret (required for client_credentials) |
    | code | If using authorization_code | Authorization code from /authorize |
    | redirect_uri | If using authorization_code | Must match the one used in auth step |
    | code_verifier | If using authorization_code | Raw PKCE verifier string used to match the code_challenge |
    | audience | Optional | API identifier |

  • Endpoint:
    https://{tenant-name}.{region}.authaction.com/oauth2/user
  • Method: GET
  • Headers:
    • Authorization: Bearer {access_token}
  • Description:
    • Returns user profile info.

  • Endpoint:
    https://{tenant-name}.{region}.authaction.com/.well-known/jwks.json
  • Description:
    • Used to validate JWT signatures.
    • Automatically used by libraries supporting OIDC.

  • Endpoint:
    https://{tenant-name}.{region}.authaction.com/oauth2/logout
  • Method: GET
  • Query Parameters:
    | Name | Required | Description |
    |------|----------|-------------|
    | post_logout_redirect_uri | Yes | URL to redirect to after logout |
    | id_token_hint | Yes | Previously issued ID Token to help identify the session |

  • Endpoint:
    https://{tenant-name}.{region}.authaction.com/oauth2/revoke
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Form Parameters:
    | Name | Required | Description |
    |------|----------|-------------|
    | token | Yes | Access or refresh token |
    | client_id | Yes | Application client ID |
    | client_secret | Yes | Application client secret |

Included in ID and access tokens:

  • aud - Intended audience
  • created_at - User creation time
  • email - User’s email address
  • email_verified - Email verification status
  • exp - Expiration timestamp
  • iat - Issued at timestamp
  • iss - Issuer URL
  • name - Full name
  • sub - Subject (user ID)

To use AuthAction, applications must construct the correct URLs using their tenant name and region, and use the endpoints according to OAuth2/OIDC protocol flows. PKCE is mandatory for all Authorization Code flows. Make sure to handle tokens securely and validate them using the JWKS endpoint.