OIDC / OAuth2 Overview

Kotauth is a fully compliant OpenID Connect Provider (OP). This section documents the protocol-level endpoints: the raw HTTP surface that OAuth2/OIDC client libraries talk to.

If you are integrating an application, you most likely do not need these pages directly. Point your OAuth2/OIDC library at the workspace's discovery document URL and let the library resolve the remaining endpoints from it. These pages are useful when debugging a flow, implementing a custom integration, or understanding what happens under the hood.

All protocol endpoints are scoped to a workspace:

/t/{workspaceSlug}/protocol/openid-connect/...

The paths in the table below are relative to that workspace prefix.

| Endpoint | Path |
|---|---|
| OIDC Discovery Document | /.well-known/openid-configuration |
| JWKS (public keys) | /protocol/openid-connect/certs |
| Authorization | /protocol/openid-connect/auth |
| Token | /protocol/openid-connect/token |
| Userinfo | /protocol/openid-connect/userinfo |
| Introspection | /protocol/openid-connect/introspect |
| Revocation | /protocol/openid-connect/revoke |
| End Session (Logout) | /protocol/openid-connect/logout |
Supported flows:

| Flow | Grant type | Use case |
|---|---|---|
| Authorization Code + PKCE | authorization_code | User-facing apps |
| Client Credentials | client_credentials | Service-to-service |
| Refresh Token | refresh_token | Token renewal |

The Implicit flow and the Resource Owner Password Credentials ("password") grant are not supported; both were removed from OAuth 2.1. Use Authorization Code + PKCE for browser and native apps instead.
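The Authorization Code + PKCE exchange from the flows table, written out as an added example; this is not Kotauth's own code or documentation, and the host auth.example.com, the workspace slug acme, the client ID my-spa, the redirect URI and the callback values are assumptions. The endpoint paths are the workspace-relative ones documented on this page. The code builds the redirect to the authorization endpoint, checks the callback the OP sends back (state check included), and builds the form body for the token endpoint:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Assumed Kotauth host and workspace slug for this example; the endpoint
// paths are the workspace-relative ones from the endpoint table.
const (
	workspaceBase = "https://auth.example.com/t/acme"
	authEndpoint  = workspaceBase + "/protocol/openid-connect/auth"
	tokenEndpoint = workspaceBase + "/protocol/openid-connect/token"
)

// NewCodeVerifier returns a 43-character verifier built from 32 random bytes,
// which satisfies the RFC 7636 length and character-set rules.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallenge derives the S256 challenge: BASE64URL(SHA256(verifier)), unpadded.
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationURL is the redirect that starts the flow. Only the challenge
// travels through the browser; the verifier stays with the client.
func AuthorizationURL(clientID, redirectURI, state, verifier string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid profile")
	q.Set("state", state)
	q.Set("code_challenge", CodeChallenge(verifier))
	q.Set("code_challenge_method", "S256")
	return authEndpoint + "?" + q.Encode()
}

// CallbackCode extracts the authorization code from the redirect back to the
// client, rejecting error responses and any state that does not match the one
// stored in the session (the CSRF check the client must do itself).
func CallbackCode(callback string, expectedState string) (string, error) {
	u, err := url.Parse(callback)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", errors.New("authorization failed: " + e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: possible CSRF or mixed-up session")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carried no code")
	}
	return q.Get("code"), nil
}

// TokenRequest is the form body POSTed to the token endpoint. The OP hashes
// code_verifier and compares it with the code_challenge it stored with the
// code, so a stolen code alone cannot be redeemed.
func TokenRequest(clientID, redirectURI, code, verifier string) url.Values {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("client_id", clientID)
	form.Set("redirect_uri", redirectURI)
	form.Set("code", code)
	form.Set("code_verifier", verifier)
	return form
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	const client, redirect, state = "my-spa", "https://app.example.com/cb", "constructed-state"
	fmt.Println("1. redirect browser to:", AuthorizationURL(client, redirect, state, verifier))
	// Constructed redirect back from the OP, as the browser would deliver it.
	code, err := CallbackCode(redirect+"?code=constructed-code&state="+state, state)
	if err != nil {
		panic(err)
	}
	fmt.Println("2. POST", tokenEndpoint, "with body:", TokenRequest(client, redirect, code, verifier).Encode())
}
```

The verifier and the expected state must be stored server-side (or in the native app's memory) between the two steps; if either is kept somewhere the browser can read, the PKCE and CSRF protections are lost.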

All tokens are signed with RS256 (RSASSA-PKCS1-v1_5 with SHA-256). Each workspace has its own RSA key pair, generated automatically when the workspace is created. The private key never leaves the Kotauth instance; the public key is published at the workspace's JWKS endpoint. Because keys are per workspace, a token must be verified against the JWKS of the workspace that issued it, and resource servers should fetch that JWKS rather than embedding the public key, so that a rotation does not require a redeploy.

Key rotation is currently manual: a new key pair can be generated from the admin console. Tokens signed with the previous key remain valid until they expire, so verifiers that cache the JWKS should re-fetch it when they meet a key they do not recognise rather than rejecting the token outright.
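How a resource server consumes the per-workspace JWKS, including what happens across a manual key rotation, as an added example in Go; it is not part of Kotauth or its documentation. It models the JWKS document with the standard RFC 7517 fields, signs a token with RS256 the way an OP would, and verifies it by selecting the public key by kid, pinning the algorithm and checking exp. The kid values, the 2048-bit key size and the claims are assumptions; this page does not say whether Kotauth puts a kid in its token headers, so kid-based selection here is standard JWS practice rather than a documented Kotauth behaviour:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK and JWKS mirror the JWKS endpoint document (RFC 7517), reduced to the fields an RS256 verifier needs.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

func b64(v []byte) string { return base64.RawURLEncoding.EncodeToString(v) }

// PublicJWK is what a JWKS endpoint would publish for one workspace key (kid scheme is assumed).
func PublicJWK(priv *rsa.PrivateKey, kid string) JWK {
	pub := &priv.PublicKey
	return JWK{Kty: "RSA", Kid: kid, N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}
}

// Sign issues a compact JWS with alg RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
// The header carries the kid so a verifier can select the matching public key.
func Sign(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// Verify is the resource-server side: pin alg to RS256, select the key by kid,
// check the signature over header.payload, then check exp against now.
func Verify(token string, set JWKS, now time.Time) (map[string]any, error) {
	dec := base64.RawURLEncoding.DecodeString
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, e1 := dec(parts[0])
	bodyRaw, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url in token")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unreadable header or alg is not RS256") // the token never picks the algorithm
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		nb, en := dec(k.N)
		eb, ee := dec(k.E)
		if k.Kid == hdr.Kid && en == nil && ee == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no key for kid " + hdr.Kid + ": refresh the JWKS before rejecting")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]any
	if err := json.Unmarshal(bodyRaw, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or exp missing")
	}
	return claims, nil
}

func main() {
	old, _ := rsa.GenerateKey(rand.Reader, 2048) // key in use before the manual rotation
	tok, _ := Sign(old, "key-1", map[string]any{"sub": "user-1", "exp": time.Now().Add(time.Hour).Unix()})
	cur, _ := rsa.GenerateKey(rand.Reader, 2048) // key generated from the admin console
	_, err := Verify(tok, JWKS{Keys: []JWK{PublicJWK(old, "key-1"), PublicJWK(cur, "key-2")}}, time.Now())
	fmt.Println("old token, both keys published:", err == nil)
	_, err = Verify(tok, JWKS{Keys: []JWK{PublicJWK(cur, "key-2")}}, time.Now())
	fmt.Println("old token, old key dropped:", err == nil)
}
```

The main function walks through the two states the page describes: while both keys are published, a token signed before the rotation still verifies; once the old key is dropped, the verifier sees an unknown kid. That unknown-kid result is the signal to re-fetch the JWKS once and retry, not a reason to keep stale keys forever or to accept the token.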