OIDC endpoints
NamoID exposes a standard OIDC provider. You discover every endpoint from the issuer's discovery document — don't hardcode paths. This page documents what that document contains and how each endpoint behaves, so you know what your library is doing under the hood.
Discovery
GET https://<issuer>/.well-known/openid-configuration
Returns the OpenID Provider metadata for that issuer. On a hosted
per-environment issuer (https://<slug>.id.namoid.in or a verified custom
domain), the browser authorization and logout pages are served under /oauth/*,
while token, userinfo, JWKS, and revocation are advertised by discovery. A
representative document:
{
"issuer": "https://acme.id.namoid.in",
"authorization_endpoint": "https://acme.id.namoid.in/oauth/authorize",
"token_endpoint": "https://acme.id.namoid.in/v1/oauth/token",
"userinfo_endpoint": "https://acme.id.namoid.in/v1/oauth/userinfo",
"revocation_endpoint": "https://acme.id.namoid.in/v1/oauth/revoke",
"jwks_uri": "https://acme.id.namoid.in/v1/oauth/jwks.json",
"end_session_endpoint": "https://acme.id.namoid.in/oauth/logout",
"scopes_supported": ["openid", "profile", "email", "phone", "offline_access"],
"response_types_supported": ["code"],
"grant_types_supported": ["authorization_code", "refresh_token"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"],
"code_challenge_methods_supported": ["S256"],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
"claims_supported": ["sub", "iss", "aud", "exp", "iat", "auth_time", "nonce",
"name", "email", "email_verified", "phone_number",
"phone_number_verified"]
}
Notes:
code_challenge_methods_supportedadvertises onlyS256—plainis not offered (OAuth 2.1).end_session_endpointis advertised only on hosted issuers (the ones with a browser session to end).
Authorization
GET https://<issuer>/oauth/authorize
Starts the flow. Standard parameters: response_type=code, client_id,
redirect_uri, scope, state, nonce, code_challenge,
code_challenge_method=S256. The user authenticates at the hosted login and is
redirected back to redirect_uri with code and state.
Token
POST <token_endpoint from discovery>
Exchanges an authorization code or refreshes tokens. Confidential clients
authenticate with client_secret_basic or client_secret_post.
grant_type=authorization_code— withcode,redirect_uri, and the PKCEcode_verifier. Returnsaccess_token,id_token,token_type,expires_in, and (withoffline_access)refresh_token.grant_type=refresh_token— withrefresh_token. Returns a fresh access token and a new refresh token, invalidating the one you sent. Replaying an old refresh token revokes the whole chain (security.refresh_replay).
The token endpoint also enforces the environment guard: a test client is
rejected at the live issuer and vice versa.
UserInfo
GET <userinfo_endpoint from discovery>
Authorization: Bearer <access_token>
Returns the user's claims consistent with the granted scopes (sub, and the
identity claims for profile / email / phone).
JWKS
GET <jwks_uri from discovery>
The RS256 public keys used to verify ID and access tokens. Keys rotate with
overlapping windows; resolve by the token header's kid rather than pinning.
Revocation
POST <revocation_endpoint from discovery>
Revokes a token (e.g. a refresh token), per RFC 7009.
End session (RP-Initiated Logout)
GET https://<issuer>/oauth/logout
Ends the hosted-login session. Parameters: id_token_hint and optional
post_logout_redirect_uri. See Sessions.
The global issuer
The product API at https://api.namoid.in also exposes discovery under
/v1/oauth/* for the global issuer. For customer app integrations you almost
always want your per-environment issuer (<slug>.id.namoid.in), not the
global one.