OIDC / OAuth2
Axowl is a standard OIDC/OAuth2 authorization server, scoped per organization. Any compliant client can integrate, with no custom SDK required, by pointing its Authority at the org’s issuer.
Issuer & discovery
- Issuer: https://api.axowl.com/api/public/orgs/{slug}
- Discovery: {issuer}/.well-known/openid-configuration
- JWKS: published in discovery; tokens are RS256, per-org keys

Endpoints

| Method · Route | Purpose |
|---|---|
| GET /authorize | Begin auth-code flow (redirects to hosted login). |
| GET/POST /authorize/continue | Resume after login; issues the authorization code. |
| POST /token | Exchange code (or refresh token) for tokens. PKCE S256 supported. Rotating refresh tokens. (PublicEndpoints.Oidc.cs:227) |
| GET /userinfo | Identity claims for the bearer token. |
| GET /end-session | RP-initiated logout. |

POST /token — body

| Field | Type | Notes |
|---|---|---|
| grant_type | string (required) | authorization_code or refresh_token. |
| code | string | The authorization code from /authorize. |
| code_verifier | string | PKCE verifier (S256). |
| refresh_token | string | Present when grant_type=refresh_token. Rotates on use. |

POST /token — 200 response

| Field | Type | Notes |
|---|---|---|
| access_token | string | RS256-signed access token. |
| id_token | string | OIDC ID token. |
| token_type | string | Bearer. |
| expires_in | integer | Lifetime in seconds. |