Overview

In support of OAuth 2.0 IETF RFC 6749, OAuth 2.0 IETF RFC 8628, JWK IETF RFC 7517, and OAuth 2.0 IETF RFC 7662, the following endpoints are provided.

In support of OpenID Connect, the following endpoints are provided:

Error responses to the OAuth endpoints are described in the following section.

Additional information about common parameters are described in this section:

If present in a query string, request parameters must be URL encoded.

Authorize

This is an implementation of the Authorization endpoint as defined by the IETF RFC 6749 Section 3.1.

Authorization Code Grant Request

To begin the Authorization Code Grant you will redirect to the Authorization endpoint from your application.

GET /oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&tenantId={tenantId}

Request Parameters

client_idStringrequired

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

code_challengeStringAvailable since 1.8.0

The code_challenge parameter as described in the Proof Key for Code Exchange by OAuth Public Clients (PKCE) specification. When this parameter is provided during the Authorization request, a corresponding code_verifier parameter is required on the subsequent POST to the /oauth2/token endpoint.

code_challenge_methodStringAvailable since 1.8.0

The code_challenge_method parameter as described in the Proof Key for Code Exchange by OAuth Public Clients (PKCE) specification.

The possible values are:

  • S256 - SHA-256
idp_hintUUIDAvailable since 1.19.0

An optional unique Identity Provider Id that can allow you to bypass the FusionAuth login page.

Adding this request parameter will cause the FusionAuth login page to be skipped, and instead a 302 will be returned with a Location header of the IdP login URL. The end result is functionally equivalent to the end user clicking on the “Login with Pied Piper” button, or entering their email address when using the IdP configuration with managed domains.

localeString

The locale to be used to render the login page. This is useful if you already know the user’s preferred locale before redirecting the user to FusionAuth. See the Theme Localization documentation for more information.

login_hintStringAvailable since 1.19.0

An optional email address or top level domain that can allow you to bypass the FusionAuth login page when using managed domains.

If using managed domains, adding this request parameter will cause the FusionAuth login page to be skipped, and instead a 302 will be returned with a Location header of the IdP login URL. The end result is functionally equivalent to the end entering their email address when using the IdP configuration with managed domains.

If not using managed domains, providing an email address using this parameter prepopulates the email address in the login page.

metaData.device.descriptionString

A human readable description of the device used during login. This metadata is used to describe the refresh token that may be generated for this login request.

nonceStringAvailable since 1.5.0

The nonce parameter as described in the OpenID Connect core specification. When this parameter is provided during the Authorization request, the value will be returned in the id_token.

redirect_uriStringrequired

The URI to redirect to upon a successful request. This URI must have been configured previously in the FusionAuth Application OAuth configuration. See Applications in the FusionAuth User Guide for additional information on configuring the redirect URI.

response_modeStringAvailable since 1.11.0

Determines how the result parameters are to be returned to the caller. When this parameter is not provided the default response mode will be used based upon the response_type field.

The default when the response_type is set to code is query, the default when the response_type is set to token, token id_token or id_token is fragment.

The possible values are:

  • form_post
  • fragment
  • query - This response mode can only be used when the response_type is set to code.

In general, you only need to provide this parameter when you wish to use the form_post response mode.

response_typeStringrequired

The requested response type. For the Authorization Code Grant, this value must be set to code.

scopeString

If you are using OpenID Connect, the request must contain this parameter and at minimum it must contain openid. This parameter may contain multiple scopes space separated. For example, the value of openid offline_access provides two scopes on the request.

These scopes modify the behavior of the endpoint:

  • openid - This scope is used to request an id_token be returned in the response
  • offline_access - This scope is used to request a refresh_token be returned in the response
stateString

The optional state parameter. This is generally used as a Cross Site Request Forgery (CSRF) token or to provide deeplinking support. Any value provided in this field will be returned on a successful redirect. See OpenID Connect core specification for additional information on how this parameter may be utilized.

tenantIdUUIDrequiredAvailable since 1.8.0

The unique Tenant Id used for applying the proper theme.

user_codeStringAvailable since 1.11.0

The end-user verification code. This parameter is required on requests implementing the user-interaction of the Device Authorization Grant flow.

Response

Response Codes

CodeDescription
200The request was successful. The user is not logged in, the response will contain an HTML form to collect login credentials.
302The requested user is already logged in, the request will redirect to the location specified in the redirect_uri on the request.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors or errors on the redirect URI. The error responses are covered in the OAuth Error section of the API documentation.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

The following is an example HTTP 302 redirect, line breaks added to improve readability.

Example HTTP Redirect Response

HTTP/1.1 302 Found
Location: https://piedpiper.com/callback?
           code=pU2DHOWjSCVh6NJKi1ClhBYNKfuqbZVT
           &locale=fr
           &state=abc123
           &userState=Authenticated

Redirect Parameters

codeStringrequired
The authorization code.
localeString

The locale that was to render the login page, or a previously selected locale by the user during a previous session. This may be useful to know in your own application so you can continue to localize the interface for the language the user selected while on the FusionAuth login page. See the Theme Localization documentation for more information.

stateString

The state that was provided on the Authorization request. This parameter will be omitted if the state request parameter was not provided.

userStateString

The FusionAuth user state.

The possible values are:

  • Authenticated - The user is successfully authenticated for the requested application.
  • AuthenticatedNotRegistered - The user is successfully authenticated, but not registered for the requested application.
  • AuthenticatedNotVerified - The user is successfully authenticated, but the user’s email address has not been verified.
  • AuthenticatedRegistrationNotVerified - The user is successfully authenticated and registered, but the registration has not been verified for the requested application.

Implicit Grant Request

To begin the Implicit Grant you will redirect to the Authorization endpoint from your application.

GET /oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=token%20id_token&tenantId={tenantId}

Request Parameters

client_idStringrequired

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

idp_hintUUIDAvailable since 1.19.0

An optional unique Identity Provider Id that can allow you to bypass the FusionAuth login page.

Adding this request parameter will cause the FusionAuth login page to be skipped, and instead a 302 will be returned with a Location header of the IdP login URL. The end result is functionally equivalent to the end user clicking on the “Login with Pied Piper” button, or entering their email address when using the IdP configuration with managed domains.

localeString

The locale to be used to render the login page. This is useful if you already know the user’s preferred locale before redirecting the user to FusionAuth. See the Theme Localization documentation for more information.

login_hintStringAvailable since 1.19.0

An optional email address or top level domain that can allow you to bypass the FusionAuth login page when using managed domains.

If using managed domains, adding this request parameter will cause the FusionAuth login page to be skipped, and instead a 302 will be returned with a Location header of the IdP login URL. The end result is functionally equivalent to the end entering their email address when using the IdP configuration with managed domains.

If not using managed domains, providing an email address using this parameter prepopulates the email address in the login page.

nonceStringAvailable since 1.5.0

The nonce parameter as described in the OpenID Connect core specification. When this parameter is provided during the Authorization request, the value will be returned in the id_token if requested by the response_type parameter.

redirect_uriStringrequired

The URI to redirect to upon a successful request. This URI must have been configured previously in the FusionAuth Application OAuth configuration. See Applications in the FusionAuth User Guide for additional information on configuring the redirect URI.

response_modeStringAvailable since 1.11.0

Determines how the result parameters are to be returned to the caller. When this parameter is not provided the default response mode will be used based upon the response_type field.

The default when the response_type is set to code is query, the default when the response_type is set to token, token id_token or id_token is fragment.

The possible values are:

  • form_post
  • fragment
  • query - This response mode can only be used when the response_type is set to code.

In general, you only need to provide this parameter when you wish to use the form_post response mode.

response_typeStringrequired

The requested response type, this value determines which tokens will be returned in the redirect URL.

For the Implicit Grant, this value must be set to one of the following values:

  • token - Return an access_token
  • token id_token - Return both the access_token and the id_token
  • id_token - Return an id_token

The token response type is not supported when using OpenID Connect. This means that if you specify the openid scope the token response type is not allowed.

nonceStringAvailable since 1.5.0

The nonce parameter as described in the OpenID Connect core specification. When this parameter is provided during the Authorization request, the value will be returned in the id_token if requested by the response_type parameter.

scopeString

If you are using OpenID Connect, the request must contain this parameter and at minimum it must contain openid.

These scopes modify the behavior of the endpoint:

  • openid - This scope is used to request an id_token be returned in the response
stateString

The optional state parameter. This is generally used as a Cross Site Request Forgery (CSRF) token or to provide deeplinking support. Any value provided in this field will be returned on a successful redirect. See OpenID Connect core specification for additional information on how this parameter may be utilized.

tenantIdUUIDrequiredAvailable since 1.8.0

The unique Tenant Id.

user_codeStringAvailable since 1.11.0

The end-user verification code. This parameter is required on requests implementing the user-interaction of the Device Authorization Grant flow.

Response

Response Codes

CodeDescription
200The request was successful. The user is not logged in, the response will contain an HTML form to collect login credentials.
302The requested user is already logged in, the request will redirect to the location specified in the redirect_uri on the request.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors or errors on the redirect URI. The error responses are covered in the OAuth Error section of the API documentation.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Example HTTP Redirect Response

HTTP/1.1 302 Found
Location: https://piedpiper.com/callback#
           access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo
           &expires_in=3599
           &id_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo
           &locale=fr
           &scope=openid
           &state=abc123
           &token_type=Bearer
           &userState=Authenticated

Redirect Parameters

access_tokenString

The OAuth access token as described by RFC 6749 Section 1.4. This request parameter will be omitted if an access token was not requested in the response_type request parameter. See the OAuth Tokens documentation for more information.

expires_inString

The number of seconds the access token will remain active. This request parameter will be omitted if an access token was not requested in the response_type request parameter.

id_tokenString

The OpenID Id Token. This token is represented as a JSON Web Token (JWT). This request parameter will be omitted if an id token was not requested in the response_type request parameter. See the OAuth Tokens documentation for more information.

localeString

The locale that was used to render the login page, or a previously selected locale by the user during a previous session. This may be useful to know in your own application so you can continue to localize the interface for the language the user selected while on the FusionAuth login page. See the Theme Localization documentation for more information.

stateString

The state that was provided on the Authorization request. This parameter will be omitted if the state request parameter was not provided.

token_typeString

The token type. The value will be Bearer if an access token was requested in the response_type request parameter, this request parameter will otherwise be omitted.

userStateString

The FusionAuth user state.

The possible values are:

  • Authenticated - The user is successfully authenticated for the requested application.
  • AuthenticatedNotRegistered - The user is successfully authenticated, but not registered for the requested application.
  • AuthenticatedNotVerified - The user is successfully authenticated, but the user’s email address has not been verified.
  • AuthenticatedRegistrationNotVerified - The user is successfully authenticated and registered, but the registration has not been verified for the requested application.

Logout

This endpoint provides a mechanism to invalidate the user’s session held by FusionAuth, this effectively logs the user out of the FusionAuth SSO. Calling this endpoint does not revoke refresh tokens or JWTs. You can revoke the former by using the Revoke Refresh Tokens API. To revoke JWTs, implement a revocation strategy.

Since 1.10.0 The logout behavior follows that of the OpenID Connect Front-Channel Logout specification.

The Logout URL used for each application is determined using the following precedence:

  1. The logoutURL of the Application if defined.
  2. The logoutURL configured on the Tenant if defined.
  3. /

You can learn more about logout in the Logout And Session Management guide.

Request

Log the User out of the FusionAuth SSO session using a GET request
GET /oauth2/logout?client_id={client_id}&tenantId={tenantId}

Request Parameters

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are requesting to logout, this value is used to identify the correct redirect URI.

Generally speaking this parameter is required, if you are using the id_token_hint , this parameter becomes redundant because the application can be identified based upon the id_token.

If you do not provide the id_token_hint and you also omit this parameter, the request will not fail, but the logout URL defined in the Tenant configuration will be utilized. If the Tenant logout URL is not defined, the request will result in a redirect to the current base URL at the root path of /.

id_token_hintStringAvailable since 1.10.0

The id_token_hint parameter as described in the OpenID Connect Session Management specification.

This is the previously issued id_token passed to the logout endpoint as a hint about the End-User’s current authenticated session with the Client.

This parameter is only used if client_id is not provided.

Note that prior to version 1.37.0 this parameter would only work if it was not expired. This was corrected in version 1.37.0 and as long as the token is signed by FusionAuth, even if expired, the token can be used to identify the user and application during the logout request.

post_logout_redirect_uriStringAvailable since 1.10.0

The URI to redirect to upon a successful logout. This URI must have been configured previously in the FusionAuth Application OAuth configuration as an Authorized Redirect URL . See the Core Concepts OAuth section for additional information on configuring redirect URIs.

If this parameter is omitted, the logout URL defined in the Application OAuth configuration will be utilized. If an Application OAuth logout URL is not defined, the logout URL defined in the Tenant configuration will be utilized. If the Tenant logout URL is not defined, the request will result in a redirect to the current base URL at the root path of /.

stateStringAvailable since 1.10.0

The state parameter as described in the OpenID Connect Session Management specification. This is an opaque value used to maintain state between the logout request and the callback.

tenantIdUUIDrequiredAvailable since 1.8.0

The unique Tenant Id used for applying the proper theme.

Available since version 1.37.0

Log the User out of the FusionAuth SSO session with a POST request
POST /oauth2/logout

Request Body

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are requesting to logout, this value is used to identify the correct redirect URI.

Generally speaking this parameter is required, if you are using the id_token_hint , this parameter becomes redundant because the application can be identified based upon the id_token.

If you do not provide the id_token_hint and you also omit this parameter, the request will not fail, but the logout URL defined in the Tenant configuration will be utilized. If the Tenant logout URL is not defined, the request will result in a redirect to the current base URL at the root path of /.

id_token_hintString

The id_token_hint parameter as described in the OpenID Connect Session Management specification.

This is the previously issued id_token passed to the logout endpoint as a hint about the End-User’s current authenticated session with the Client.

This parameter is only used if client_id is not provided.

Note that prior to version 1.37.0 this parameter would only work if it was not expired. This was corrected in version 1.37.0 and as long as the token is signed by FusionAuth, even if expired, the token can be used to identify the user and application during the logout request.

post_logout_redirect_uriString

The URI to redirect to upon a successful logout. This URI must have been configured previously in the FusionAuth Application OAuth configuration as an Authorized Redirect URL . See the Core Concepts OAuth section for additional information on configuring redirect URIs.

If this parameter is omitted, the logout URL defined in the Application OAuth configuration will be utilized. If an Application OAuth logout URL is not defined, the logout URL defined in the Tenant configuration will be utilized. If the Tenant logout URL is not defined, the request will result in a redirect to the current base URL at the root path of /.

stateString

The state parameter as described in the OpenID Connect Session Management specification. This is an opaque value used to maintain state between the logout request and the callback.

tenantIdUUIDrequired

The unique Tenant Id used for applying the proper theme.

Response

Response Codes

CodeDescription
302The request was successful and the redirect location will be determined by using the configuration values in the following precedence:
* The post_logout_redirect_uri request parameter if present
* The logoutURL defined in the Application OAuth configuration
* The logoutURL defined in the Tenant OAuth configuration
* /
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Token

This is an implementation of the Token endpoint as defined by the IETF RFC 6749 Section 3.2.

Complete the Authorization Code Grant Request

Authorization Code Grant : Exchange the Authorization Code for a Token

If you will be using the Authorization Code grant, you will make a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint for an access token.

POST /oauth2/token

Request Headers

AuthorizationString

This header is optional if you have provided the client_id in the request body. The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid. Please see the Client Secret section for more details. If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character. Here is an example of these two values concatenated.

463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892

This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.

Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=

The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Body

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

This parameter is optional when the Authorization header is provided. When the Authorization header is not provided, this parameter is then required. Prior to version 1.3.1 this parameter was always required.

client_secretStringAvailable since 1.5.0

The client secret. This parameter is optional when the Authorization header is provided. Please see the the Client Secret table for more details.

codeStringrequired

The authorization code returned on the /oauth2/authorize response.

code_verifierStringAvailable since 1.8.0

The code_verifier parameter as described in the https://tools.ietf.org/html/rfc7636[Proof Key for Code Exchange by OAuth Public Clients (PKCE)] specification.

This parameter is required to complete this request when the code_challenge parameter was provided on the initial Authorize request.

grant_typeStringrequired

The grant type to be used. This value must be set to authorization_code

redirect_uriStringrequired

The URI to redirect to upon a successful request. This URI must have been configured previously in the FusionAuth Application OAuth configuration. See Applications in the FusionAuth User Guide for additional information on configuring the redirect URI.

Example HTTP Request

POST /oauth2/token HTTP/1.1
Host: piedpiper.fusionauth.io
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 436
client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&code=+WYT3XemV4f81ghHi4V+RyNwvATDaD4FIj0BpfFC4Wzg&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fwww.piedpiper.com%2Flogin

Resource Owner Password Credentials Grant Request

Resource Owner Password Credentials Grant : Exchange User Credentials for a Token

If you will be using the Resource Owner Password Credential Grant, you will make a request to the Token endpoint to exchange the user’s email and password for an access token.

POST /oauth2/token

Request Headers

AuthorizationString

This header is optional if you have provided the client_id in the request body. The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid. Please see the Client Secret section for more details. If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character. Here is an example of these two values concatenated.

463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892

This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.

Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=

The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Body

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

This parameter is optional when the Authorization header is provided. When the Authorization header is not provided, this parameter is then required. Prior to version 1.3.1 this parameter was always required.

client_secretStringAvailable since 1.5.0

The client secret. This parameter is optional when the Authorization header is provided. Please see the the Client Secret table for more details.

grant_typeStringrequired

The grant type to be used. This value must be set to password

metaData.device.descriptionStringAvailable since 1.20.1

A human readable description of the device used during login. This metadata is used to describe the refresh token that may be generated for this login request.

For example:

Erlich’s iPhone

metaData.device.nameStringAvailable since 1.20.1

A human readable description of the device used during login. This metadata is used to name the refresh token that may be generated for this login request.

For example:

iOS Safari

metaData.device.typeStringAvailable since 1.20.1

The type of device represented by the device parameter. This metadata is used to describe the type of device represented by the refresh token that may be generated for this login request.

Prior to version 1.46.0, this value was restricted to the following types:

  • BROWSER
  • DESKTOP
  • LAPTOP
  • MOBILE
  • OTHER
  • SERVER
  • TABLET
  • TV
  • UNKNOWN

In version 1.46.0 and beyond, this value can be any string value you’d like, have fun with it!

usernameStringrequired

The login identifier of the user. The login identifier can be either the email or the username.

passwordStringrequired

The user’s password.

scopeString

The optional scope you are requesting during this grant. This parameter may contain multiple scopes space separated. For example, the value of openid offline_access provides two scopes on the request.

Available grant types:

  • openid - This scope is used to request an id_token be returned in the response
  • offline_access - This scope scope is used to request a refresh_token be returned in the response
user_codeStringAvailable since 1.11.0

The end-user verification code. This parameter is required on requests implementing the user-interaction of the Device Authorization Grant flow.

Example HTTP Request

POST /oauth2/token HTTP/1.1
Host: piedpiper.fusionauth.io
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 436
client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&grant_type=password&loginId=bishop%piedpiper.com&password=Setec+Astronomy

Complete the Device Authorization Grant Request

This API has been available since 1.11.0

This is the Device Access Token Request portion of the Device Authorization Grant Specification.

POST /oauth2/token

Request Headers

AuthorizationString

This header is optional if you have provided the client_id in the request body. The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid. Please see the Client Secret section for more details. If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character. Here is an example of these two values concatenated.

463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892

This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.

Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=

The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Body

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

This parameter is optional when the Authorization header is provided. When the Authorization header is not provided, this parameter is then required.

client_secretString

The client secret. This parameter is optional when the Authorization header is provided. Please see the the Client Secret table for more details.

device_codeStringrequired
grant_typeStringrequired

The grant type to be used. This value must be set to urn:ietf:params:oauth:grant-type:device_code

Example HTTP Request

POST /oauth2/token HTTP/1.1
Host: piedpiper.fusionauth.io
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 166
client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&device_code=GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code

Response

The following response applies to the Complete the Authorization Code Grant Request , Refresh Token Grant Request and Complete the Device Authorization Grant Request examples.

Response Codes

CodeDescription
200The request was successful.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
401The client could not be verified. Verify your client_id and client_secret are valid and authorized for this request.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body

access_tokenString

The OAuth access token as described by RFC 6749 Section 1.4. See the OAuth Tokens documentation for more information.

expires_inInteger

The time in seconds the token will expire from the time the response was generated.

id_tokenString

The OpenID Id Token. This token is represented as a JSON Web Token (JWT). See the OAuth Tokens documentation for more information.

This field will be returned in the response when openid scope was requested.

refresh_tokenString

The refresh token as described by RFC 6749 Section 1.5

This field will be returned in the response when offline_access scope was requested unless refresh tokens have been disabled for this application. Whether a refresh token is allowed for an application can be controlled by the oauthConfiguration.generateRefreshTokens field in the Application API or the Generate refresh tokens toggle in the FusionAuth admin UI.

refresh_token_idUUIDAvailable since 1.37.0

The unique Id of the refresh token. This Id can be used to retrieve or revoke a specific refresh token using the Refresh Token API.

This field will be returned when the offline_access scope was requested and refresh tokens are allowed for this application. Whether a refresh token is allowed for an application can be controlled by the oauthConfiguration.generateRefreshTokens field in the Application API or the Generate refresh tokens toggle in the FusionAuth admin UI.

scopeStringAvailable since 1.5.0

The space-separated list of scopes allowed by the user during the grant which generated this access token. This will only be present for Authorization Code and Password grants.

token_typeString

The token type as defined by RFC 6749 Section 7.1. This value will always be Bearer.

userIdString

The unique Id of the user that has been authenticated. This user Id may be used to retrieve the entire user object using the /api/user API.

Example JSON Response

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo",
  "refresh_token": "ze9fi6Y9sMSf3yWp3aaO2w7AMav2MFdiMIi2GObrAi-i3248oo0jTQ",
  "refresh_token_id": "4c8927f1-95cd-4bf8-9534-066389ffff5e",
  "scope": "openid offline_access",
  "token_type": "Bearer",
  "userId": "3b6d2f70-4821-4694-ac89-60333c9c4165"
}

Refresh Token Grant Request

If you will be using the Refresh Token Grant, you will make a request to the Token endpoint to exchange the user’s refresh token for an access token.

In version 1.50.0 and later a refresh token containing unknown scopes will be revoked when used for a Refresh Token Grant if the oauthConfiguration.unknownScopePolicy value of the associated application is Reject.

POST /oauth2/token

Request Cookies

access_tokenStringAvailable since 1.16.0

The previously issued encoded access token. When provided on the request, this value will be relayed in the related JWT Refresh webhook event within the original field. If both the cookie and request parameter are provided, the cookie will take precedence.

Request Headers

AuthorizationString

This header is optional if you have provided the client_id in the request body. The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid. Please see the Client Secret section for more details. If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character. Here is an example of these two values concatenated.

463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892

This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.

Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=

The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Parameters

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

access_tokenStringAvailable since 1.16.0

The previously issued encoded access token. When provided on the request, this value will be relayed in the related JWT Refresh webhook event within the original field.

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

This parameter is optional when the Authorization header is provided. When the Authorization header is not provided, this parameter is then required. Prior to version 1.3.1 this parameter was always required.

client_secretStringAvailable since 1.5.0

The client secret. This parameter is optional when the Authorization header is provided. Please see the the Client Secret table for more details.

grant_typeStringrequired

The grant type to be used. This value must be set to refresh_token

refresh_tokenStringrequired

The refresh token that you would like to use to exchange for an access token.

scopeString

This parameter is optional and if omitted, the same scope requested during the authorization request will be used. If provided, the scopes must be a space-delimited subset of those requested during the initial authorization request. The refresh token maintains the set of scopes from the initial authorization request even if a subset of scopes is requested during a Refresh Token Grant.

Prior to version 1.50.0 the scopes must match those requested during the initial authorization request if provided.

user_codeStringAvailable since 1.11.0

The end-user verification code. This code is required if using this endpoint to approve the Device Authorization.

Example HTTP Request

POST /oauth2/token HTTP/1.1
Host: piedpiper.fusionauth.io
Content-Type: application/x-www-form-urlencoded
Cookie: access_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkFuYV91STRWbWxiMU5YVXZ0cV83SjZKZFNtTSJ9.eyJleHAiOjE1ODgzNTM0NjAsImlhdCI6MTU4ODM1MzQwMCwiaXNzIjoiZnVzaW9uYXV0aC5pbyIsInN1YiI6IjAwMDAwMDAwLTAwMDAtMDAwMS0wMDAwLTAwMDAwMDAwMDAwMCIsImF1dGhlbnRpY2F0aW9uVHlwZSI6IlBBU1NXT1JEIiwiZW1haWwiOiJ0ZXN0MEBmdXNpb25hdXRoLmlvIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6InVzZXJuYW1lMCJ9.ZoIHTo3Pv0DpcELeX_wu-ZB_rd988jefZc2Ozu9_p59kttwqMm5PV8IDbgxJw9xcq9TFoNG8e_B6renoc11JC54UbiyeXBjF7EH01n9LDz-zTGqu9U72470Z4E7IPAHcyvJIBx4Mp9sgsEYAUm9Tb8ChudqNHhn6ZnXYI7Sew7CtGlu62f10wdBYGX0soYARHBv9CwhJC3-gsD2HLmqHAP_XhrpaYPNr5EAvmCHlM-JlTiEQ9bXwSc4gv-XbPQWamwy8Kcdb-g0EEAml_dC_b2CduwwYg0EoPQB3tQxzTUQzADi7K6q0CtQXv2_1VrRi6aQ4lt7v7t-Na39wGry_pA
Accept: */*
Content-Length: 436
client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&grant_type=refresh_token&refresh_token=ze9fi6Y9sMSf3yWp3aaO2w7AMav2MFdiMIi2GObrAi-i3248oo0jTQ

Response

Response Codes

CodeDescription
200The request was successful.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
401The client could not be verified. Verify your client_id and client_secret are valid and authorized for this request.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body

access_tokenString

The OAuth access token as described by RFC 6749 Section 1.4. See the OAuth Tokens documentation for more information.

expires_inInteger

The time in seconds the token will expire from the time the response was generated.

id_tokenString

The OpenID Id Token. This token is represented as a JSON Web Token (JWT). See the OAuth Tokens documentation for more information.

This field will be returned in the response when openid scope was requested during the initial authentication request when the refresh token was generated.

token_typeString

The token type as defined by RFC 6749 Section 7.1. This value will always be Bearer.

userIdString

The unique Id of the user that has been authenticated. This user Id may be used to retrieve the entire user object using the /api/user API.

Example JSON Response

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo",
  "token_type": "Bearer",
  "userId": "3b6d2f70-4821-4694-ac89-60333c9c4165"
}

Client Credentials Grant Request

FusionAuth Reactor logo

This feature is only available in paid plans. Please visit our pricing page to learn more.

This functionality has been available since version 1.26.

If you will be using the Client Credentials grant, you will make a request to the Token endpoint to exchange the client credentials for an access token.

POST /oauth2/token

Request Headers

AuthorizationString

This header is optional if you have provided the client_id in the request body. The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid. Please see the Client Secret section for more details. If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character. Here is an example of these two values concatenated.

463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892

This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.

Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=

The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Parameters

Ensure you are sending these parameters as form encoded data in the request body. Do not send these parameters in a query string or as JSON.

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Entity in which you are attempting to authenticate.

This parameter is optional when the Authorization header is provided. When the Authorization header is not provided, this parameter is required.

client_secretString

The client secret of the Entity. This parameter is optional when the Authorization header is provided. Please see the the Client Secret table for more details.

grant_typeStringrequired

The grant type to be used. This value must be set to client_credentials

scopeString

This parameter is optional. This is a space delimited set of the requested scopes for this grant request.

You will typically provide a scope specifying the target entity:

target-entity:92dbded-30af-4149-9c61-b578f2c72600

You may provide append a comma separated list of permissions as well:

target-entity:92dbded-30af-4149-9c61-b578f2c72600:read,write

You may combine multiple entities and permissions in the same scope parameter:

target-entity:92dbded-30af-4149-9c61-b578f2c72600:read,write target-entity:119a84d9-06c5-4d1f-a0d4-a60490b70ac5:read

Permissions associated with the grant from the target entity to the recipient entity will be available in the permissions claim in the token. If specific permissions are requested, the recipient entity must have previously been granted all of those permissions for a successful access request. If specific permissions are requested, only the requested permissions will be in the permissions claim, otherwise all permissions will be available in that claim.

Example HTTP Request

POST /oauth2/token HTTP/1.1
Host: piedpiper.fusionauth.io
Authorization: Basic MDkyZGJkZWQtMzBhZi00MTQ5LTljNjEtYjU3OGYyYzcyZjU5OitmY1hldDlJdTJrUWk2MXlXRDlUdTRSZVoxMTNQNnlFQWtyMzJ2NldLT1E9
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 436

grant_type=client_credentials
    &scope=target-entity%3Ae13365f1-a270-493e-bd1b-3d239d753d53%3Aread

Response

Response Codes

CodeDescription
200The request was successful.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
401The client could not be verified. Verify your client_id and client_secret are valid and authorized for this request.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body

access_tokenString

The OAuth access token as described by RFC 6749 Section 1.4. See the OAuth Tokens documentation for more information.

expires_inInteger

The time in seconds the token will expire from the time the response was generated.

scopeString

The scope value from the request.

token_typeString

The token type. The value will be Bearer.

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjM0ZjE3ZDdiNzIifQ.eyJhdWQiOiJlMTMzNjVmMS1hMjcwLTQ5M2UtYmQxYi0zZDIzOWQ3NTNkNTMiLCJleHAiOjE2MjAyMzc3MjksImlhdCI6MTYyMDIzNDEyOSwiaXNzIjoiaHR0cHM6Ly9sb2NhbC5mdXNpb25hdXRoLmlvIiwic3ViIjoiMjkzNGY0MWYtZDI3Ny00YTMyLWIwZDUtMTZlNDdkYWQ5NzIxIiwianRpIjoiMGIwMmY1MDktYmNmMy00YjhkLWEzZGItMDNmOThhY2U5ZDlmIiwicGVybWlzc2lvbnMiOnsiZTEzMzY1ZjEtYTI3MC00OTNlLWJkMWItM2QyMzlkNzUzZDUzIjpbInJlYWQiXX19.1BR367JxpWp33HuHEY0_zHuVDmnYrgi7CzzjlIYwtqQ",
  "expires_in": 3599,
  "scope": "target-entity:e13365f1-a270-493e-bd1b-3d239d753d53:read",
  "token_type": "Bearer"
}

Device

This endpoint been available since 1.11.0

This is an implementation of the Device Authorization endpoint as defined by the IETF RFC 8628 Section 3.1.

Device Authorize

To begin the Device Authorization Grant you will make a request to the Device Authorization endpoint from the device.

POST /oauth2/device_authorize

Request Headers

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Parameters

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

client_idStringrequired

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

scopeString

This parameter may contain multiple scopes space separated. For example, the value of openid offline_access provides two scopes on the request.

These scopes modify the behavior of the endpoint:

  • openid - This scope is used to request an id_token be returned in the response
  • offline_access - This scope is used to request a refresh_token be returned in the eventual Token response.
  • idp-link - This scope is used to begin a linking request from a game console.

Supported console links include Epic, Nintendo, Sony Playstation Network, Steam, and Xbox.

This scope format is as follows: idp-link:{identityProviderId}:{token}. When this scope is provided on the request, the token will be verified and when the device grant is complete, a link will be established between the FusionAuth user and the user represented by the provided token. If you need to send more than one token, separate each token using a colon character :. Here is an example format when more than one token is required: idp-link:{identityProviderId}:{token1}:{token2}.

Example HTTP Request

POST /oauth2/device_authorize HTTP/1.1
Host: piedpiper.fusionauth.io
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 436
client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&scope=offline_access

Response

Response Codes

CodeDescription
200The request was successful.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.

Response Body

device_codeString

The device verification code.

expires_inInteger

The number of seconds the device_code and user_code tokens returned in the response will remain active.

intervalInteger

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

user_codeString

The end-user verification code. This value will generally be displayed on the device for the user to read and enter into an activation form.

verification_uriString

The end-user verification URI on the authorization server. This value will generally be displayed on the device to instruct the user where to navigate in order to find the form where they may enter the provided user_code .

verification_uri_completeString

A verification URI that includes the user_code . This is the same value as returned in the verification_uri with the user_code appended as a request parameter. This can be used to build a QR code or provide a clickable link that may pre-populate a form with the user_code .

Example JSON Response

{
  "device_code": "e6f_lF1rG_yroI0DxeQB5OrLDKU18lrDhFXeQqIKAjg",
  "expires_in": 600,
  "interval": 5,
  "user_code": "FBGLLF",
  "verification_uri": "https://piedpiper.com/device",
  "verification_uri_complete": "https://piedpiper.com/device?user_code=FBGLLF"
}

Device User Code

This endpoint has been available since 1.46.0

This endpoint is intended to validate the end-user provided user_code and return meta-data useful when building your own interactive workflow.

This endpoint is equivalent to the Device Validate endpoint, but it will return meta-data for the user_code in a JSON body.

Validate and retrieve a user_code using client credentials
POST /oauth2/device/user-code

Request Headers

AuthorizationString

This header is optional if you have provided the client_id in the request body. The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid. Please see the Client Secret section for more details. If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character. Here is an example of these two values concatenated.

463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892

This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.

Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=

The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Parameters

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

This parameter is optional when the Authorization header is provided. When the Authorization header is not provided, this parameter is then required. Prior to version 1.46.0 this parameter was always required.

client_secretString

The client secret. This parameter is optional when the Authorization header is provided. Please see the the Client Secret table for more details.

user_codeStringrequired

The end-user verification code. This is the code that a user entered during the Device Authorization grant which you are requesting to be validated.

API Key Authentication
Validate and retrieve a user_code using an API key
POST /oauth2/device/user-code

Request Headers

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Parameters

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

user_codeStringrequired

The end-user verification code. This is the code that a user entered during the Device Authorization grant which you are requesting to be validated.

Response

Response Codes

CodeDescription
200The request was successful. The response will contain a JSON body.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
401The provided client credentials are invalid, or the API key if provided is not valid.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.

Response Body

client_idString

The unique client identifier provided on the Device Authorize request.

deviceInfo.descriptionString

The optional device description provided on the Device Authorize request.

deviceInfo.nameString

The optional device name provided on the Device Authorize request.

deviceInfo.typeString

The optional device type provided on the Device Authorize request.

expires_inInteger

The number of seconds the device_code and user_code tokens will remain active.

This is how long you have to complete the Device grant.

pendingIdPLink.displayNameString

The human readable name of the user represented by the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

pendingIdPLink.identityProviderIdString

The unique Identity Provider Id associated with the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

pendingIdPLink.identityProviderNameString

The name of the Identity Provider associated with the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

pendingIdPLink.identityProviderTypeString

The type of the Identity Provider associated with the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

pendingIdPLink.identityProviderUserIdString

The unique user Id of the user represented by the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

This is the value that FusionAuth will use to uniquely link a FusionAuth User to a user in the 3rd party identity provider.

scopeStringAvailable since 1.50.0

The value that should be used for the scope parameter during the interactive portion of the Device Code Grant. The value contains the same scopes as the Device Authorize request with the following scopes excluded:

  • openid
  • offline_access
  • idp-link: prefixed scopes
tenantIdUUID

The unique Id of the Tenant.

user_codeString

The end-user verification code. This is the same value that was provided in the request body.

Example JSON Response

{
  "client_id": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
  "deviceInfo": {
    "description": "Johny's Xbox",
    "name": "Xbox",
    "type": "Console"
  },
  "expires_in": 600,
  "pendingIdPLink": {
    "displayName": "jmoney42",
    "identityProviderId": "af53ab21-34c3-468a-8ba2-ecb3905f67f2",
    "identityProviderName": "Xbox",
    "identityProviderType": "Xbox",
    "identityProviderUserId": "af53ab21-34c3-468a-8ba2-ecb3905f67f2"
  },
  "scope": "email profile",
  "tenantId": "5f35237d-d036-4aaa-a917-17039d4697e6",
  "user_code": "FBGLLF"
}

Device Validate

This endpoint has been available since 1.11.0

This endpoint validates the end-user provided user_code from the user-interaction of the Device Authorization Grant.

If you build your own activation form you should validate the user provided code prior to beginning the Authorization grant. If you choose to redirect to the FusionAuth provided form /oauth2/device then it is not necessary for you to validate the user_code .

GET /oauth2/device/validate?client_id={client_id}&user_code={user_code}

Request Parameters

client_idStringrequired

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

user_codeStringrequired

The end-user verification code. This is the code that a user entered during the Device Authorization grant which you are requesting to be validated.

Response

Response Codes

CodeDescription
200The request was successful. No response body will be returned on successful validation.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.

Device Approve

This endpoint has been available since 1.46.0

Approve a user_code returned from the Device Authorize . If you are using the FusionAuth themed page for /oauth2/device you do not need to use this because the grant will be automatically approved once the user has completed authentication and the OAuth2 Grant has completed.

If you are building your own integration to collect the user_code from the end user, and wish to approve the Device Grant after authenticating the user, use this API to approve the device code allowing the Device Grant to complete.

POST /oauth2/device/approve

Request Headers

AuthorizationString

This header is optional if you have provided the client_id in the request body. The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid. Please see the Client Secret section for more details. If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character. Here is an example of these two values concatenated.

463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892

This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.

Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=

The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Parameters

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

This parameter is optional when the Authorization header is provided. When the Authorization header is not provided, this parameter is then required. Prior to version 1.3.1 this parameter was always required.

client_secretString

The client secret. This parameter is optional when the Authorization header is provided. Please see the the Client Secret table for more details.

tokenStringrequired

The access token returned by this OAuth provider as the result of a successful authentication. This token must contain a sub claim which will be used to identify the FusionAuth User.

user_codeStringrequired

The end-user verification code.

Response

Response Codes

CodeDescription
200The request was successful. The response will contain a JSON body.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
401The client could not be verified. Verify your client_id and client_secret are valid and authorized for this request.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.

Response Body

deviceGrantStatusString

The device grant status. This will always be Approved.

deviceInfo.descriptionString

The optional device description provided on the Device Authorize request.

deviceInfo.nameString

The optional device name provided on the Device Authorize request.

deviceInfo.typeString

The optional device type provided on the Device Authorize request.

identityProviderLink.displayNameString

The human readable name of the user represented by the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

identityProviderLink.identityProviderIdString

The unique Identity Provider Id associated with the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

identityProviderLink.identityProviderNameStringAvailable since 1.47.0

The name of the Identity Provider associated with the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

identityProviderLink.identityProviderTypeString

The type of the Identity Provider associated with the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

identityProviderLink.identityProviderUserIdString

The unique user Id of the user represented by the linking token provided in the idp-link: scope value optionally provided on the Device Authorize request.

This is the value that FusionAuth will use to uniquely link a FusionAuth User to a user in the 3rd party identity provider.

identityProviderLink.insertInstantLong

The instant when the identity provider link was created.

identityProviderLink.lastLoginInstantLong

The instant when the User logged in last using this identity provider.

tenantIdUUID

The unique Id of the Tenant.

userIdUUID

The unique Id of the User.

Example JSON Response

{
  "deviceGrantStatus": "Approved",
  "deviceInfo": {
    "description": "Johny's Xbox",
    "name": "Xbox",
    "type": "Console"
  },
  "identityProviderLink": {
    "displayName": "jmoney42",
    "identityProviderId": "af53ab21-34c3-468a-8ba2-ecb3905f67f2",
    "identityProviderName": "Xbox",
    "identityProviderType": "Xbox",
    "identityProviderUserId": "af53ab21-34c3-468a-8ba2-ecb3905f67f2"
  },
  "tenantId": "5f35237d-d036-4aaa-a917-17039d4697e6",
  "userId": "3b6d2f70-4821-4694-ac89-60333c9c4165"
}

Introspect

This is an implementation of the Introspect endpoint as defined by the RFC 7662.

Request

Inspect an access token issued by this OAuth provider

POST /oauth2/introspect

Request Headers

AuthorizationString

This header is optional if you have provided the client_id in the request body. The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid. Please see the Client Secret section for more details. If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character. Here is an example of these two values concatenated.

463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892

This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.

Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=

The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.

Content-TypeStringrequired

This value must be set to application/x-www-form-urlencoded.

Request Parameters

Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.

client_idString

The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.

This parameter is optional when the Authorization header is provided. When the Authorization header is not provided, this parameter is then required. Prior to version 1.46.0 this parameter was always required.

client_secretStringAvailable since 1.46.0

The client secret. This parameter is optional when the Authorization header is provided. Please see the the Client Secret table for more details.

tokenStringrequired

The access token returned by this OAuth provider as the result of a successful authentication.

Starting in version 1.46.0 this endpoint will also accept a token generated by the Client Credentials Grant.

Example HTTP Request

POST /oauth2/introspect HTTP/1.1
Host: piedpiper.fusionauth.io
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 436
client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTM3MTM3NzIsImlhdCI6MTUxMzcxMDE3MiwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiI3MWMxZjE5Yy1kZTRlLTRiZDEtODc3My0zNThkYmIwNWYxNWEiLCJlbWFpbCI6ImRhbmllbEBpbnZlcnNvZnQuY29tIiwiYXBwbGljYXRpb 25JZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMSIsImF1dGhlbnRpY2F0aW9uVHlwZSI6IlBBU1NXT1JEIiwicm9sZXMiOltdfQ.KxfM37hlw-5mKXOP9bCm7O6qdQdleT4gJmudhFueiJA

Response

Response Codes

CodeDescription
200The request was successful.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
401The token provided in the request was not issued for the client_id provided on the request.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body

This is an example response body when the provided access_token was issued on behalf of a user using the Authorization Code Grant, Implicit Grant ,Password Credentials Grant or Refresh Token Grant.

activeString

When this value is true the token is valid and additional claims will be provided in the response body. When this value is false no claims will be provided in the response body.

applicationIdUUID

The unique Id of the Application for which the User has been authenticated. The presence of this claim indicates the user is registered for this application.

audString

The client_id that was used to request the access token.

auth_timeLong

The time of the initial authentication request, expressed as UNIX time which is the number of seconds since Epoch. This claim will remain the same even when the token has been re-issued through the use of a Refresh Token.

authenticationTypeString

The method used to authenticate the User which resulted in this JWT being generated. The possible values are:

  • APPLE - The User was authenticated using Apple. Available since 1.17.0
  • APPLICATION_TOKEN - The User was authenticated using an Application Authentication Token.
  • FACEBOOK - The User was authenticated using Facebook.   Available since 1.1.0
  • FEDERATED_JWT - The User was authenticated using a JWT from an external Identity Provider.
  • GENERIC_CONNECTOR - The user was authenticated using a generic connector.   Available since 1.18.0
  • GOOGLE - The User was authenticated using Google. Available since 1.1.0
  • HYPR - The User was authenticated using HYPR provider. Available since 1.12.0
  • JWT_SSO - A valid JWT authorized to one Application was exchanged for another JWT authorized to a different Application.
  • LDAP_CONNECTOR - The user was authenticated using an LDAP connector.   Available since 1.18.0
  • LINKEDIN - The user was authenticated using LinkedIn.   Available since 1.23.0
  • ONE_TIME_PASSWORD The User was authenticated using a one time password.   Available since 1.5.0
  • OPENID_CONNECT - The User was authenticated using an external OpenID Connect provider. Available since 1.1.0
  • PASSWORD - The User was authenticated using a loginId and password combination.
  • PASSWORDLESS - The user was authenticated using a passwordless login link.   Available since 1.5.0
  • PING - The user was authenticated using a PUT request on the Login API. This is used to record a login event without prompting for credentials.
  • REGISTRATION - The user was created using the Registration API.   Available since 1.16.0
  • REFRESH_TOKEN - The User requested a new JWT using a Refresh Token.
  • SAMLv2 - The User was authenticated using an external SAMLv2 provider. Available since 1.6.0
  • TWITTER - The User was authenticated using Twitter. Available since 1.1.0
  • USER_CREATE - The user was created using the User API.   Available since 1.16.0
emailString

The email address of the User.

email_verifiedBoolean

Indicates if the User’s email has been verified.

expLong

The expiration instant of the access token, expressed as UNIX time which is the number of seconds since Epoch.

iatLong

The instant the access token was issued, expressed as UNIX time which is the number of seconds since Epoch.

issString

The issuer of the access token.

jtiString

The unique identifier of the access token.

preferred_usernameStringAvailable since 1.5.0

The username of the User whose claims are represented by this JWT.

rolesString

The roles assigned to the User in the authenticated Application.

scopeString

The scope of the access token. This will only be present if scope was requested during authentication.

subUUID

The subject of the access token. This value is equal to the User’s unique Id in FusionAuth.

tidUUIDAvailable since 1.36.0

The FusionAuth Tenant unique Id.

Example JSON Response for a valid token

{
  "active": true,
  "applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
  "aud": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
  "authenticationType": "PASSWORD",
  "email": "test0@fusionauth.io",
  "email_verified": true,
  "exp": 1487975407000,
  "iat": 1487971807000,
  "iss": "acme.com",
  "roles": [
    "admin"
  ],
  "sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}

Example JSON Response for an invalid token

{
  "active": false
}

Response Body

Available Since Version 1.46.0

This is an example response body when the provided access_token was issued as the result of the Client Credentials Grant.

activeString

When this value is true the token is valid and additional claims will be provided in the response body. When this value is false no claims will be provided in the response body.

audObject

The intended audience of this access token. This value may be a string or an array of string values representing one to many intended entities.

expLong

The expiration instant of the access token, expressed as UNIX time which is the number of seconds since Epoch.

iatLong

The instant the access token was issued, expressed as UNIX time which is the number of seconds since Epoch.

issString

The issuer of the access token.

jtiString

The unique identifier of the access token.

permissions

The optional permissions requested for this access token. If no permissions were requested, this token represents all permissions allowed by the grant.

subUUID

The subject of the access token. This value is equal to the Entity unique Id in FusionAuth.

tidUUID

The FusionAuth Tenant unique Id.

Example JSON Response for an valid token

{
  "active": true,
  "aud": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
  "exp": 1487975407000,
  "iat": 1487971807000,
  "iss": "acme.com",
  "sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}

Example JSON Response for an invalid token

{
  "active": false
}

UserInfo

This is an implementation of the OpenId Connect UserInfo endpoint as defined by the OpenId Connect Section 5.3. This endpoint may be called using the GET or the POST HTTP method.

In version 1.50.0 and later, the UserInfo response can be customized with a lambda using the oauthConfiguration.userinfoPopulateLambda value of the application object. See UserInfo populate lambda.

Request

Returns the Claims about the authenticated End-User.

GET /oauth2/userinfo

Returns the Claims about the authenticated End-User.

POST /oauth2/userinfo

Request Headers

AuthorizationStringrequired

The access token issued by FusionAuth as a result of completing one of the supported authorization grants.

Example header:

Authorization: Bearer [access_token]

In version 1.50.0 and later, the aud claim is required for all tokens. The aud claim value, or the first value in the case where the claim contains a list, must correspond to an active Application.

If you have a token that was not obtained from an OAuth flow and does not contain the aud claim, consider adding the claim or using the JWT Validate API instead.

In version 1.50.0 and later when the application’s oauthConfiguration.scopeHandlingPolicy is set to Strict, to use a token with this endpoint, the token must:

  • Be an access token
  • Contain the openid scope in the scope claim

Response

In version 1.50.0 and later the UserInfo response changes based on the oauthConfiguration.scopeHandlingPolicy value of the application object.

  • In Strict mode the response claims are populated based on the scope values of the provided token and available information on the User object. This behavior more closely aligns with the OpenID Connect 1.0 specification recommendations.
  • In Compatibility mode the response claims are populated based on available information on the User object only and include some claims from the provided token. This is behavior allows for backwards compatibility with versions of FusionAuth before 1.50.0.

Response Codes

CodeDescription
200The request was successful. The response will contain a JSON body.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
401The Authorization header containing the access token is missing or malformed.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body

applicationIdUUID

The unique Id of the Application for which the User has been authenticated.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is not populated.

birthdateStringAvailable since 1.1.0

The birthDate of the User if available. Format will be in YYYY-MM-DD as defined by the OpenID Connect core specification.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

emailString

The email address of the User.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the email scope.

email_verifiedBoolean

Indicates if the User’s email has been verified.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the email scope.

family_nameStringAvailable since 1.1.0

The last name of the User if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

given_nameStringAvailable since 1.1.0

The first name of the User if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

nameStringAvailable since 1.1.0

The full name of the User if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

middle_nameStringAvailable since 1.1.0

The middle name of the User if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

phone_numberStringAvailable since 1.1.0

The phone number of the User if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the phone scope.

pictureStringAvailable since 1.1.0

A URL to a picture of the User if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

preferred_usernameStringAvailable since 1.1.0

The username of the User if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

rolesArray

The roles assigned to the User in the authenticated Application.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is not populated.

subUUID

The subject of the access token. This value is equal to the User’s unique Id in FusionAuth.

Example JSON Response With Compatibility Scope Handling

{
  "applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
  "birthdate": "1982-03-10",
  "email": "richard@piedpiper.com",
  "email_verified": true,
  "family_name": "Hendricks",
  "given_name": "Richard",
  "phone_number": "555-555-5555",
  "picture": "http://www.piedpiper.com/app/themes/pied-piper/dist/images/photo-richard.png",
  "roles": [
    "admin"
  ],
  "sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}

Example JSON Response With Strict Scope Handling And The profile, email And phone Scopes In The Token

{
  "birthdate": "1982-03-10",
  "email": "richard@pipedpiper.com",
  "email_verified": true,
  "family_name": "Hendricks",
  "given_name": "Richard",
  "phone_number": "555-555-5555",
  "picture": "http://www.piedpiper.com/app/themes/pied-piper/dist/images/photo-richard.png",
  "sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}

JSON Web Key Set (JWKS)

Available Since Version 1.4.0

Request

Returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format. You may also use the JWT Public Key API to retrieve these keys in PEM format.

GET /.well-known/jwks.json

You must add an asymmetric key to FusionAuth to have keys at this endpoint. Since version 1.50.0, default FusionAuth installations have a single RSA public/private key pair.

HMAC shared secret keys are not published by this endpoint. If they were, anyone would be able to retrieve these keys and then sign tokens with them. Those tokens would be indistinguishable from those created by FusionAuth. That would be bad.

You may add key pairs using the admin UI by navigating to Settings -> Key Master and generating or importing them. You may also use the Keys API to generate or import keys.

Response

The response for this request should always return a 200 with a JSON body.

Example JSON Response

{
  "keys": [
    {
      "alg": "ES384",
      "crv": "P-384",
      "kty": "EC",
      "use": "sig",
      "x": "cuu2_ua9Ma2KzV1oFO0barRxU4AlZUp0s3LVVC4REV_cZDHe7wnEE1oLCPteHMmZ",
      "y": "nm2tuXEaSKNwwZWsIdu-8Ne7k7ljdhERnzcz3YzeBM5DijBvkZGpA3jlfmq5S4rS"
    },
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "0a136009-80ca-4ba3-888b-2d8efb63ff56",
      "kty": "RSA",
      "n": "k1S0Jj5aiQqQJcdfAcLyEdeDcIT4dD7rrYd1wU9QOwO6tlm-6GELGh5EdabubIBW_6C02ZZ8ALxgSbfrf8sDnQNmff0ncPOZ09IceCQCNiDI8TVH8nG0mD3zM_Z_wsC4tQ1Kty_vvOmFso1UM_-S473i6bV5bGSCaq_iwjX9ot-eO_3GWtdmRtPn9hY7r_b4pcU7aHH6w_3KtAx0zc-LFM08AJd2Nl8VDdNwIfifsuNpyVaEuTwFASqlTgyOfcO32QPAg85pM3boH3hOQ_U4H4daCo7u8G2BJvRLSYlhs-O4x7LjdYQAguBfwCq3fE2OcuhzW048vQZuU2vDqMSefQ",
      "use": "sig"
    },
    {
      "alg": "ES256",
      "crv": "P-256",
      "kid": "474f5556-9589-4970-ab13-83cd5b231850",
      "kty": "EC",
      "use": "sig",
      "x": "XdUStYpfCtaxlya9xeRWezzRfmT9fhi5__xcnitdDcI",
      "y": "VS4o2yOPhss0-JHJR4pEukoRe0H-SuFo603AFP77VMk"
    },
    {
      "alg": "RS384",
      "e": "AQAB",
      "kid": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
      "kty": "RSA",
      "n": "nc1NzlB9OsT8CmnT9OPRQwdJlH5cyec2mCH5tL6q0MHQlokp5ERkKPAEoQOrLeXRXeRVhnuzp1TAOUsAhHKqor-JiJqTn2jeHeEmLvGonn4ik31FKP3OJ9qxsF_L3WBVmEnHMb8FoKi-1rImIzeny0R90E9MK5Mp8yvqHWSJIiOwRXzWEhXsmCHI86PA_0TyH7XsKFJjZat9wXOcueHr7C4ZS3lffaXiyYMo9fOs1vsxG8TCqdVCYVlxuZv0GrdToY3HRmif4CQ9AKXP4HU9d6p7XTRymvqlUp3iwCSCYbOlvQr-rwEe4RBf8ydPKPNUWXvpHRh1mo_hdhNusuXSJysSB02Q1stUp7Hy-aFd_3EYPI_uctluXnmlypG7HT3S-b_ZR1ha0Hwxr6ixA3hForq_HwTkX-ZIEqtufOhxU76M8p843RIRLcUZFYK_0bpOFaesph91X58DI-dPaWjlRMlvl3j-SoMtjczcjRF4TbLiCiw80JjbDfTf2MbBVBQD",
      "use": "sig"
    }
  ]
}

OpenID Configuration

The OpenID metadata describing the configuration as defined by Section 3. OpenID Provider Metadata.

Request

Returns the well known OpenID Configuration JSON document

GET /{tenantId}/.well-known/openid-configuration

URL segment

tenantIdUUIDrequiredAvailable since 1.46.0

The tenant identifier.

GET /.well-known/openid-configuration

Request Parameters

tenantIdUUIDAvailable since 1.8.0

The tenant identifier. If provided then a specific issuer will be returned, when this property is not provided the default tenant Id will be used.

Response

The response for this request should always return a 200 with a JSON body.

Example JSON Response

{
  "authorization_endpoint": "https://piedpiper.fusionauth.io/oauth2/authorize",
  "backchannel_logout_supported": false,
  "claims_supported": [
    "applicationId",
    "at_hash",
    "aud",
    "authenticationType",
    "birthdate",
    "c_hash",
    "email",
    "email_verified",
    "exp",
    "family_name",
    "given_name",
    "iat",
    "iss",
    "jti",
    "middle_name",
    "name",
    "nbf",
    "nonce",
    "phone_number",
    "picture",
    "preferred_username",
    "roles",
    "sub"
  ],
  "device_authorization_endpoint": "https://piedpiper.fusionauth.io/oauth2/device_authorize",
  "end_session_endpoint": "https://piedpiper.fusionauth.io/oauth2/logout",
  "frontchannel_logout_supported": true,
  "grant_types_supported": [
    "authorization_code",
    "password",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "id_token_signing_alg_values_supported": [
    "ES256",
    "ES384",
    "ES512",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "issuer": "piedpiper.fusionauth.io",
  "jwks_uri": "https://piedpiper.fusionauth.io/.well-known/jwks.json",
  "response_modes_supported": [
    "form_post",
    "fragment",
    "query"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid",
    "offline_access"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://piedpiper.fusionauth.io/oauth2/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "none"
  ],
  "userinfo_endpoint": "https://piedpiper.fusionauth.io/oauth2/userinfo",
  "userinfo_signing_alg_values_supported": [
    "ES256",
    "ES384",
    "ES512",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ]
}

OAuthError

Errors are either returned in a JSON response body, or as redirect parameters depending on expected response type.

JSON Response

When an error is returned from an OAuth endpoint as a JSON body the following structure can be expected in the response. The change_password_id field will only be present on the response if a password change is required.

Example JSON Response

{
  "change_password_id": "a65f7ac3-e4ce-4bf6-bbb0-576189c4d965",
  "error": "change_password_required",
  "error_description": "The user is required to change their password.",
  "error_reason": "change_password_breached"
}

Redirect Parameters

When an error is returned from an OAuth endpoint as a redirect, the errors are put on the redirect as query parameters.

Example HTTP Redirect

HTTP/1.1 302 Found
Location: https://piedpiper.com/callback?
           error=unsupported_response_type
           &error_reason=invalid_response_type
           &error_description=Parameter+response_type+must+be+set+to+code+or+token.
           &state=bEF7UItzlhNvE31Rf0_axShomu_vU30tMeJcqMZ9LfA0

Error Fields

Regardless of the way the error is returned to you, the field definitions are the same. Each possible value error and error_reason is documented below.

Error Parameters

errorString

The OAuth error response type. In most cases these values are defined or suggested by an RFC or other specification.

The possible values are:

  • access_denied
  • authorization_pending
  • change_password_required
  • expired_token
  • invalid_client
  • invalid_grant
  • invalid_request
  • invalid_scope
  • invalid_token
  • not_licensed
  • server_error
  • two_factor_required
  • unauthorized_client
  • unsupported_grant_type
  • unsupported_response_type
  • unsupported_token_type
error_descriptionString

The human-readable OAuth error description. This description should describe the error condition and it may contain a parameter value that caused the error.

error_reasonString

The OAuth error reason. These reason codes are defined by FusionAuth to provide you a specific reason code so that you may identify the specific reason the request failed. The defined error codes as defined by OAuth2 or OpenID Connect only provide general indications such as an invalid request that may be caused by more than one parameter. Each of the values returned in this field will represent a specific error.

The possible values are:

  • access_token_expired
  • access_token_failed_processing
  • access_token_invalid
  • access_token_malformed
  • access_token_required
  • access_token_unavailable_for_processing
  • auth_code_not_found
  • change_password_administrative
  • change_password_breached
  • change_password_expired
  • change_password_validation
  • client_authentication_missing
  • client_id_mismatch
  • consent_canceled
  • grant_type_disabled
  • invalid_additional_client_id
  • invalid_client_authentication
  • invalid_client_authentication_scheme
  • invalid_client_id
  • invalid_device_code
  • invalid_entity_permission_scope
  • invalid_grant_type
  • invalid_id_token_hint
  • invalid_origin
  • invalid_origin_opaque
  • invalid_pkce_code_challenge
  • invalid_pkce_code_challenge_method
  • invalid_pkce_code_verifier
  • invalid_post_logout_redirect_uri
  • invalid_redirect_uri
  • invalid_response_mode
  • invalid_response_type
  • invalid_target_entity_scope
  • invalid_user_code
  • invalid_user_credentials
  • invalid_user_id
  • login_prevented
  • missing_client_id
  • missing_client_secret
  • missing_code
  • missing_code_challenge,
  • missing_code_verifier,
  • missing_device_code
  • missing_grant_type
  • missing_redirect_uri
  • missing_refresh_token
  • missing_required_scope
  • missing_response_type
  • missing_token
  • missing_user_code
  • missing_user_id
  • missing_verification_uri
  • not_licensed
  • refresh_token_not_found
  • refresh_token_type_not_supported
  • unknown
  • unknown_scope
  • user_code_expired
  • user_expired
  • user_locked
  • user_not_found
stateString

The state that was provided on the Authorization request. This parameter is only returned during an HTTP redirect if it was provided on the initial request.

Client Secret

This table describes when the client_secret is required.

In each of the endpoint’s documentation, it describes when and how to use the client_secret in the request body or the Authorization header using HTTP Basic Auth.

Even when the client secret is not required, if it is provided it will be validated.

Previous to version 1.28.0, whether the client secret was required was controlled by the oauthConfiguration.requireClientAuthentication value of the application object. In that case, a value of true is equivalent to a clientAuthenticationPolicy of Required and a value of false is equivalent to a clientAuthenticationPolicy of NotRequired.

For versions 1.28.0 or later, use oauthConfiguration.clientAuthenticationPolicy to configure this functionality.

When Is the Client Secret Required

GrantclientAuthenticationPolicy valuePKCE UsedClient Secret Required
Authorization Code GrantRequired-Yes
Authorization Code GrantNotRequired-No
Authorization Code GrantNotRequiredWhenUsingPKCEYesNo
Authorization Code GrantNotRequiredWhenUsingPKCENoYes
Implicit GrantN/A--
Password Credentials GrantRequired-Yes
Password Credentials GrantNotRequired-No
Refresh Token GrantRequired-Yes
Refresh Token GrantNotRequired-No