Up and running in three steps
From API key to first authenticated request in under five minutes.
1. Create an account and register an OAuth client in the developer console. You will receive a client_id and client_secret.

# Developer console
https://uniauth.id/account/developer

# Or via Admin API
POST /api/admin/oauth-clients
{
  "name": "My App",
  "redirect_uris": ["https://app.example/cb"]
}

2. Use the token endpoint to exchange an authorization code for an access token and ID token.
curl -X POST https://uniauth.id/api/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_SECRET" \
  -d "redirect_uri=https://app.example/cb" \
  -d "code_verifier=PKCE_VERIFIER"

3. The token endpoint returns an access token, ID token, and refresh token. Use the access token to call protected endpoints.
{
  "access_token": "eyJhbGci...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "dGhpcyBpcyBh...",
  "id_token": "eyJhbGci...",
  "scope": "openid profile email"
}

API endpoints by category
24 endpoints organized into five groups. Every endpoint enforces rate limiting, validates Content-Type, and returns consistent error objects.
Authentication (6 endpoints)
/api/auth/login: Authenticate a user with email and password. Returns a session token and triggers 2FA if enabled.
/api/auth/register: Create a new user account with email, password, and optional profile fields.
/api/auth/logout: Terminate the current session, revoke tokens, and trigger back-channel/front-channel logout for OAuth clients.
/api/auth/forgot-password: Send a password reset email with a SHA-256 hashed, time-limited token.
/api/auth/reset-password: Reset the password using the token from forgot-password. Enforces password history and strength checks.
/api/auth/verify-email: Confirm email ownership using the verification token sent during registration.
OAuth 2.0 / OIDC (6 endpoints)
/api/oauth/authorize: Start the OAuth 2.0 authorization code flow with PKCE. Redirects to login, then to the consent screen.
/api/oauth/token: Exchange an authorization code for tokens, refresh tokens, or handle device and client-credentials grants.
/api/oauth/userinfo: Return OIDC claims for the authenticated user. Supports GET and POST per OIDC Core section 5.3.1.
/api/oauth/revoke: Revoke an access token or refresh token. Supports the token_type_hint parameter.
/api/oauth/introspect: Inspect a token to determine its active status, scopes, and metadata (RFC 7662).
/.well-known/openid-configuration: OIDC Discovery document with all endpoints, supported scopes, claims, and algorithms.
User Management (4 endpoints)
/api/user/profile: Retrieve the authenticated user's full profile, including OIDC standard claims and preferences.
/api/user/profile: Update profile fields: display name, bio, locale, social links, address, and more.
/api/user/sessions: List all active sessions for the authenticated user with device info and last activity.
/api/user/sessions: Revoke a specific session by ID, or all other sessions (password change invalidation).
SCIM 2.0 Provisioning (4 endpoints)
/api/scim/v2/Users: List or search users with SCIM filter syntax. Supports pagination and attribute projection.
/api/scim/v2/Users: Provision a new user via SCIM. Maps the SCIM user resource schema to the UniAuth users table.
/api/scim/v2/Groups: List or search groups. Includes member references and supports filter queries.
/api/scim/v2/Bulk: Execute multiple SCIM operations in a single request. Max 100 operations per batch.
Admin (4 endpoints)
/api/admin/users: List all users with pagination, search, role filter, and sort. Admin or moderator role required.
/api/admin/analytics: Retrieve platform analytics: DAU/WAU/MAU, login trends, 2FA adoption, auth method breakdown.
/api/admin/audit-events: Query the tamper-proof audit trail. Filter by category, actor, target, date range, and event type.
/api/admin/webhooks: Register a webhook endpoint with event subscriptions and an HMAC-SHA256 signing secret.
API authentication methods
Four ways to authenticate API requests, depending on the endpoint and use case.
Bearer token
Pass the access token in the Authorization header. Used for OAuth-protected endpoints like userinfo, token introspection, and client-to-client API calls.

GET /api/oauth/userinfo
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Accept: application/json

Session cookie
First-party requests use an HttpOnly, Secure, SameSite=Lax cookie set after login. Used for user-facing pages and the account/admin APIs.

GET /api/user/profile
Cookie: auth_token=eyJhbGci...
# HttpOnly — not accessible via JS
# SameSite=Lax — CSRF protection

DPoP (RFC 9449)
RFC 9449 DPoP binds tokens to a specific client key. Send the DPoP proof JWT alongside the access token. Because each proof is signed with the client's private key, a stolen token alone cannot be used or replayed.

GET /api/oauth/userinfo
Authorization: DPoP eyJhbGci...
DPoP: eyJ0eXAiOiJkcG9wK2p3dCIs...
# Proof JWT includes htm, htu, iat, jti

SCIM token
SCIM provisioning endpoints authenticate via a dedicated SCIM token per OAuth client. The token is stored as a SHA-256 hash and scoped to an organization.

GET /api/scim/v2/Users
Authorization: Bearer scim_token_abc123...
Content-Type: application/scim+json

Official client libraries
Typed SDKs for JavaScript and React with PKCE, token lifecycle, and logout built in.
JavaScript / TypeScript SDK
@uniauth/js
Vanilla JS client with PKCE, OIDC discovery, automatic token refresh, typed errors, and logout with revocation. Works in Node.js and the browser.
npm install @uniauth/js

React SDK
@uniauth/react
React provider, hooks, and pre-built components: UniAuthProvider, useUser, LoginButton, LogoutButton, ProtectedRoute, and UserProfile.
npm install @uniauth/react

Per-endpoint rate limits
All endpoints are rate-limited to protect the platform. Limits are counted over a 15-minute sliding window.

Endpoints with dedicated limits:
POST /api/auth/login
POST /api/auth/register
POST /api/auth/forgot-password
POST /api/auth/verify-*
POST /api/scim/v2/Bulk
All other endpoints

Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After) are included in every response. When Redis is configured, limits are enforced across all server instances.
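How a client should consume those three headers, as an added example that is not part of the @uniauth SDKs: parse X-RateLimit-Limit, X-RateLimit-Remaining and Retry-After, then decide whether to retry and how long to wait. The page does not state which status a limited request returns or what to do when Retry-After is missing, so HTTP 429 and the exponential fallback below are this example's assumptions; the responses at the bottom are constructed.

```javascript
// Added example (not the @uniauth SDK): honouring the rate-limit headers this
// page documents. Assumed: a limited request carries HTTP 429, and the
// exponential fallback applies only when Retry-After is absent.
function parseRateLimit(headers) {
  // Tolerate the lower-casing most HTTP clients apply to header names.
  const get = (name) => headers[name] ?? headers[name.toLowerCase()];
  // Retry-After may also be an HTTP date; treat anything non-numeric as absent.
  const toInt = (v) => (v !== undefined && v !== null && /^\d+$/.test(String(v).trim()) ? Number(v) : null);
  return {
    limit: toInt(get('X-RateLimit-Limit')),
    remaining: toInt(get('X-RateLimit-Remaining')),
    retryAfterSeconds: toInt(get('Retry-After')),
  };
}

// Pure decision: given a response and the attempt number, either finish,
// give up, or wait delayMs and retry. Keeping it pure makes the policy testable.
function planRetry(res, attempt, { maxAttempts = 3, baseDelayMs = 1000 } = {}) {
  const rateLimit = parseRateLimit(res.headers);
  if (res.status !== 429) return { action: 'done', rateLimit };
  if (attempt >= maxAttempts) return { action: 'give_up', rateLimit };
  const delayMs = rateLimit.retryAfterSeconds !== null
    ? rateLimit.retryAfterSeconds * 1000
    : baseDelayMs * 2 ** (attempt - 1);
  return { action: 'retry', delayMs, rateLimit };
}

// Driver: `send` performs the request and `sleep` waits; both are injected so
// the loop can run against constructed responses as well as a real client.
async function sendWithRateLimitRetry(send, sleep, options) {
  for (let attempt = 1; ; attempt++) {
    const res = await send();
    const plan = planRetry(res, attempt, options);
    if (plan.action === 'done') return { response: res, rateLimit: plan.rateLimit };
    if (plan.action === 'give_up') throw new Error(`rate limited; remaining=${plan.rateLimit.remaining}`);
    await sleep(plan.delayMs);
  }
}

// Constructed responses: a limited request, then a successful one.
const CONSTRUCTED_429 = { status: 429, headers: { 'x-ratelimit-limit': '5', 'x-ratelimit-remaining': '0', 'retry-after': '2' } };
const CONSTRUCTED_200 = { status: 200, headers: { 'X-RateLimit-Limit': '5', 'X-RateLimit-Remaining': '4' } };
```

Because the window slides rather than resets, a client that keeps retrying on a fixed schedule after a 429 can stay limited indefinitely; waiting the full Retry-After value and slowing down as X-RateLimit-Remaining approaches zero avoids that.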