OAuth + OIDC

Token grants, userinfo, discovery, and delegation management endpoints.

Signing

Signature request lifecycle, verification, and key management.

Security

Hardening checklist for token handling, claims validation, and key safety.

Base URL

https://api.aveid.net
Use api.aveid.net for all API calls. Use aveid.net for user-facing auth pages (sign-in, Connector consent). Never mix the two.

Request conventions

All request bodies are JSON. The token endpoint accepts both OAuth-standard snake_case fields and legacy camelCase fields.
curl -X POST https://api.aveid.net/api/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "AUTHORIZATION_CODE",
    "redirect_uri": "https://yourapp.com/callback",
    "client_id": "YOUR_CLIENT_ID",
    "code_verifier": "PKCE_VERIFIER"
  }'
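As an added example (not code from the Ave documentation or any Ave SDK), the Python below produces the PKCE values that this token request carries and shows the recomputation the token endpoint has to perform before it honours a code_verifier; the field names are the snake_case ones from the request above, and the verifier length and character rules are taken from RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets

TOKEN_ENDPOINT = "https://api.aveid.net/api/oauth/token"  # endpoint shown above
# RFC 7636: 43..128 characters drawn from the unreserved set
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes encode to a 43-character verifier (the RFC minimum)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform sent on the authorize step: BASE64URL(SHA256(verifier))."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_token_request(code: str, redirect_uri: str, client_id: str,
                        code_verifier: str) -> dict:
    """Body for POST /api/oauth/token using the snake_case field names.
    redirect_uri must be byte-for-byte the value used on the authorize step."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }


def verifier_matches_challenge(verifier: str, stored_challenge: str) -> bool:
    """The check a token endpoint must make: recompute S256 over the presented
    verifier and compare it in constant time with the challenge recorded at
    authorization time. A malformed verifier fails closed."""
    try:
        computed = code_challenge_s256(verifier)
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored_challenge)
```

Serialize the returned dict with json.dumps and POST it with Content-Type: application/json, exactly as the curl call above does.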

Authentication by endpoint family

These endpoints are public and require no credentials:
  • GET /.well-known/openid-configuration — OIDC discovery metadata
  • GET /.well-known/jwks.json — JWT verification keys
  • GET /.well-known/webfinger — issuer discovery
  • GET /api/oauth/app/:clientId — app public metadata
  • GET /api/oauth/resource/:resourceKey — Connector resource metadata
  • POST /api/oauth/token — token grants (credentials validated in request body)
Userinfo requires a bearer token:
  • GET /api/oauth/userinfo — requires Authorization: Bearer <access_token>
These require an authenticated Ave session (bearer session token or Ave session cookie):
  • POST /api/oauth/authorize — grant authorization and produce a redirect URL
  • GET /api/oauth/authorizations — list active authorizations
  • GET /api/oauth/authorization/:clientId — get authorization for a specific app
  • GET /api/oauth/delegations — list active Connector grants
  • DELETE /api/oauth/delegations/:delegationId — revoke a Connector grant
App-facing signing endpoints authenticate with clientId + clientSecret in the request body:
  • POST /api/signing/request — create a signing request
  • GET /api/signing/request/:requestId/status — poll request status
  • GET /api/signing/public-key/:handle — look up an identity’s public key
  • POST /api/signing/verify — verify a signature
User-facing signing endpoints require a session token:
  • GET /api/signing/keys — list the user’s signing keys
  • POST /api/signing/keys/:identityId — create a signing key
  • PUT /api/signing/keys/:identityId — rotate a signing key
  • POST /api/signing/requests/:requestId/sign — approve a request
  • POST /api/signing/requests/:requestId/deny — deny a request
Identity keys are now the same keypair concept used by signing. Public lookup endpoints:
  • GET /api/signing/public-key/:handle — canonical identity public key lookup
  • GET /api/encryption/public-key/:handle — compatibility alias
Session-authenticated key envelope endpoints:
  • GET /api/signing/keys/:identityId
  • POST /api/signing/keys/:identityId
  • PUT /api/signing/keys/:identityId
  • GET /api/encryption/keys/:identityId (alias)
  • POST /api/encryption/keys/:identityId (alias)
  • PUT /api/encryption/keys/:identityId (alias)

CORS behavior

OAuth and OIDC paths are CORS-enabled with controlled origin resolution. Session-protected mutating endpoints with cookies enforce origin allowlisting.
If you use cookie-based session auth for mutating endpoints, requests from disallowed origins are rejected.
Last modified on April 10, 2026