← Back to products
🔐

OAuth 2.1 Authorization

Authorization Code + PKCE, zero secret leakage

Open platform standard OAuth 2.1 authorization code flow. SPA / mobile / iframe all use PKCE, no client secret exposure. state prevents CSRF, 5-minute code cache prevents replay.

example.http
# 1. 引导用户授权
GET /oauth/authorize?
  response_type=code&
  client_id=YOUR_APP_KEY&
  redirect_uri=https://yourapp.com/callback&
  scope=openid%20profile&
  state=RANDOM_STATE&
  code_challenge=BASE64URL(SHA256(verifier))&
  code_challenge_method=S256

# 2. 回调接收 code,换 token
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=AUTH_CODE&
redirect_uri=https://yourapp.com/callback&
client_id=YOUR_APP_KEY&
code_verifier=ORIGINAL_VERIFIER

# 3. 调用 API(Bearer JWT)
GET /oauth/userinfo
Authorization: Bearer <access_token>

Core Features

6 core features, each works standalone

OAuth 2.1 security

Deprecates implicit / password, enforces PKCE per latest RFC

Auth Code + PKCE

Unified secure flow for SPA / mobile / iframe

CSRF protection

Random state returned as-is

JWT (RFC 9068)

access_token is JWT, iss=UM, locally verifiable

Refresh Token

Long-session scenarios, refresh_token renews access_token

5-minute code cache

Same code consumed once within 5 minutes

API Endpoints

Via /api/* call the following endpoints

MethodPathDescription
GET/oauth/authorizeAuthorization endpoint
POST/oauth/tokenToken endpoint (code-for-token / refresh)
GET/oauth/userinfoOIDC UserInfo
POST/oauth/revokeRevoke token

Other Products