Skip to content

OpenID Connect

OIDC stands for OpenID Connect, which is a widely-used authentication protocol built on top of OAuth 2.0. While OAuth 2.0 is primarily designed for granting access to APIs, OIDC focuses on user authentication. OIDC allows a user to authenticate with a provider (e.g., Google, Facebook, or your identity provider) and then receive an ID token containing information about the user. This information can be used to log the user into a web application, among other things.

OIDC defines a set of standard endpoints that the client application can use to authenticate a user and receive the ID token to interact with the identity provider. These endpoints include a discovery endpoint, an authorization endpoint, and a token endpoint. The discovery endpoint allows the client to discover the endpoints and configuration of the provider, while the authorization endpoint is used to initiate the authentication process. Finally, the token endpoint is used to exchange an authorization code for an ID token.

In summary, OIDC provides a standardized way to authenticate users and obtain information about them, making it easier to build secure and scalable web applications as well as implement Single Sign-On (SSO) with third-party applications.



You must be subscribed to the Enterprise plan to use this feature.


The following scopes are OpenID Connect (OIDC) specific and determine which claims will be included in the ID token when making a token request. The scopes also determine which attributes will be available when calling the userinfo endpoint.

openidMust be requested in order to retrieve an ID token
profileInclude a user's name, username and profile picture url
emailInclude a user's email and email verification status
tenantInclude a user's organization name and ID


Discovery Endpointhttps://{your-dashboard-url}/.well-known/openid-configurationGET
Authorization Endpointhttps://{your-dashboard-url}/oauth/authorizeGET
Token Endpointhttps://{your-dashboard-url}/oauth/tokenPOST
Logout Endpointhttps://{your-dashboard-url}/oauth/logoutPOST
User Info Endpointhttps://{your-dashboard-url}/oauth/userinfoGET

Discovery Endpoint


Returns OpenID Connect metadata about the authorization server. This information can be used by clients to programmatically configure their interactions with

curl -X GET \

Example Response

  "issuer": "http://localhost",
  "authorization_endpoint": "http://localhost/oauth/authorize",
  "token_endpoint": "http://localhost/oauth/token",
  "userinfo_endpoint": "http://localhost/oauth/userinfo",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "profile", "email"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "claims_supported": ["jti", "iat", "nbf", "exp", "sub", "scopes"],
  "end_session_endpoint": "http://localhost/oauth/logout"

User Info Endpoint


Returns information about the currently signed-in user.

The access token must have the openid scope. The endpoint also excepts the profile, email and tenant scopes that will return the respective fields in the response but is not required. The best practice would be to include all four scopes when requesting a token.

curl -X GET \
-H "Authorization: Bearer ${access_token}" \

Example Response

  "sub": 1,
  "email": "",
  "email_verified": true,
  "name": "User",
  "preferred_username": "",
  "picture": "",
  "tenant_name": "Organization Name",
  "tenant_sub": 1

Released under the MIT License.