Authentication OAuth 2.0

OAuth REST API

Open standard for secure API authorization

OAuth is an open standard protocol for secure authorization that enables applications to access user data without exposing passwords. It allows third-party services to exchange information on behalf of users through delegated access tokens. Developers use OAuth to implement secure authentication flows, integrate with social login providers, and build API authorization systems that protect user privacy while enabling seamless integrations.

Base URL https://authorization-server.com/oauth

API Endpoints

Method	Endpoint	Description
GET	`/authorize`	Initiates the authorization flow by redirecting users to login and grant permissions
POST	`/token`	Exchanges authorization code for access token and refresh token
POST	`/token/refresh`	Obtains a new access token using a refresh token without user interaction
POST	`/token/revoke`	Revokes an access token or refresh token to terminate access
POST	`/token/introspect`	Validates and retrieves metadata about an access token
GET	`/userinfo`	Retrieves authenticated user profile information using access token
GET	`/.well-known/oauth-authorization-server`	Returns OAuth 2.0 server metadata and configuration details
POST	`/device/code`	Initiates device authorization flow for input-constrained devices
POST	`/device/token`	Polls for access token during device authorization flow
GET	`/jwks`	Returns JSON Web Key Set for token signature verification
POST	`/client/register`	Dynamically registers a new OAuth client application
GET	`/client/{client_id}`	Retrieves OAuth client configuration and metadata
DELETE	`/client/{client_id}`	Deletes an OAuth client registration

Code Examples

# Step 1: Get authorization code (redirect user to this URL)
# https://authorization-server.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://yourapp.com/callback&scope=read write

# Step 2: Exchange code for token
curl -X POST https://authorization-server.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTHORIZATION_CODE" \
  -d "redirect_uri=https://yourapp.com/callback" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

# Step 3: Use access token
curl -X GET https://api.example.com/resource \
  -H "Authorization: Bearer ACCESS_TOKEN"

// Step 1: Redirect to authorization endpoint
const authUrl = new URL('https://authorization-server.com/oauth/authorize');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('client_id', 'YOUR_CLIENT_ID');
authUrl.searchParams.set('redirect_uri', 'https://yourapp.com/callback');
authUrl.searchParams.set('scope', 'read write');
window.location.href = authUrl.toString();

// Step 2: Exchange authorization code for tokens (server-side)
const tokenResponse = await fetch('https://authorization-server.com/oauth/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: 'AUTHORIZATION_CODE',
    redirect_uri: 'https://yourapp.com/callback',
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET'
  })
});

const tokens = await tokenResponse.json();
// { access_token: '...', refresh_token: '...', expires_in: 3600 }

// Step 3: Use access token for API calls
const apiResponse = await fetch('https://api.example.com/resource', {
  headers: {
    'Authorization': `Bearer ${tokens.access_token}`
  }
});

const data = await apiResponse.json();

import requests
from urllib.parse import urlencode

# Step 1: Build authorization URL
auth_params = {
    'response_type': 'code',
    'client_id': 'YOUR_CLIENT_ID',
    'redirect_uri': 'https://yourapp.com/callback',
    'scope': 'read write'
}
auth_url = f"https://authorization-server.com/oauth/authorize?{urlencode(auth_params)}"
# Redirect user to auth_url

# Step 2: Exchange authorization code for tokens
token_data = {
    'grant_type': 'authorization_code',
    'code': 'AUTHORIZATION_CODE',
    'redirect_uri': 'https://yourapp.com/callback',
    'client_id': 'YOUR_CLIENT_ID',
    'client_secret': 'YOUR_CLIENT_SECRET'
}

token_response = requests.post(
    'https://authorization-server.com/oauth/token',
    data=token_data
)
tokens = token_response.json()
# {'access_token': '...', 'refresh_token': '...', 'expires_in': 3600}

# Step 3: Use access token for API requests
headers = {'Authorization': f"Bearer {tokens['access_token']}"}
api_response = requests.get('https://api.example.com/resource', headers=headers)
data = api_response.json()

# Step 4: Refresh token when expired
refresh_data = {
    'grant_type': 'refresh_token',
    'refresh_token': tokens['refresh_token'],
    'client_id': 'YOUR_CLIENT_ID',
    'client_secret': 'YOUR_CLIENT_SECRET'
}

refresh_response = requests.post(
    'https://authorization-server.com/oauth/token',
    data=refresh_data
)
new_tokens = refresh_response.json()

Connect OAuth to AI

Deploy a OAuth MCP server on IOX Cloud and connect it to Claude, ChatGPT, Cursor, or any AI client. Your AI assistant gets direct access to OAuth through these tools:

oauth_authenticate_user Initiates OAuth authorization flow and handles user authentication with automatic token management

oauth_refresh_token Automatically refreshes expired access tokens using stored refresh tokens to maintain persistent access

oauth_introspect_token Validates OAuth tokens and retrieves metadata including expiration, scopes, and user information

oauth_revoke_access Revokes OAuth tokens to terminate user sessions and remove application access permissions

oauth_register_client Dynamically registers new OAuth clients with custom configurations and callback URLs for multi-tenant applications

Deploy in 60 seconds

Describe what you need, AI generates the code, and IOX deploys it globally.

Deploy OAuth MCP Server →

OAuth REST API

API Endpoints

Code Examples

Connect OAuth to AI

Deploy in 60 seconds

Related APIs