Quick Start
UniAuth is a standards-compliant OpenID Connect provider. If you've integrated Google, Okta, or Auth0 before, this will feel familiar. Every endpoint is discoverable — no hard-coding.
Point your OIDC library at the discovery URL. It returns every endpoint, supported scopes, and signing keys:
https://uniauth.id/.well-known/openid-configuration

If your OIDC library supports this (auth.js, next-auth, passport, mozilla-django-oidc, spring-security-oauth2, etc.), you're 80% done.
What UniAuth Supports
Full OIDC Core 1.0 + the modern security profile. See the OIDC Feature Matrix for the complete list.
Step 1: Register an Application
Go to the Developer Console and create an OAuth client. You'll get a client_id and client_secret. Set your redirect URI (e.g. https://yourapp.com/callback).
Step 2: Fetch the Discovery Document
Any OIDC library will do this for you. Here's what it returns, abbreviated:
$ curl https://uniauth.id/.well-known/openid-configuration | jq
{
"issuer": "https://uniauth.id",
"authorization_endpoint": "https://uniauth.id/api/oauth/authorize",
"token_endpoint": "https://uniauth.id/api/oauth/token",
"userinfo_endpoint": "https://uniauth.id/api/oauth/userinfo",
"jwks_uri": "https://uniauth.id/.well-known/jwks.json",
"end_session_endpoint": "https://uniauth.id/api/oauth/end-session",
"revocation_endpoint": "https://uniauth.id/api/oauth/revoke",
"introspection_endpoint": "https://uniauth.id/api/oauth/introspect",
"registration_endpoint": "https://uniauth.id/api/oauth/register",
"pushed_authorization_request_endpoint": "https://uniauth.id/api/oauth/par",
"backchannel_authentication_endpoint": "https://uniauth.id/api/oauth/backchannel-authenticate",
"scopes_supported": ["openid","profile","email","phone","address","groups"],
"claims_supported": ["sub","email","email_verified","name","groups","trust_tier",...],
"id_token_signing_alg_values_supported": ["RS256"],
"code_challenge_methods_supported": ["S256"],
"subject_types_supported": ["pairwise"],
"backchannel_logout_supported": true,
"frontchannel_logout_supported": true
}

Step 3: The Full OIDC Flow
Here's the complete flow using our JS SDK. Verify the ID token locally — don't round-trip to /userinfo on every request. (/userinfo is the right choice when you need fresh profile data — e.g. after a user updated their avatar or display name — just don't call it in the hot path of every request.)
import { UniAuth } from '@uniauth/js'
// CDN alternative: import from 'https://uniauth.id/sdk/uniauth.esm.js'
const auth = new UniAuth({
issuer: 'https://uniauth.id', // SDK fetches discovery from issuer
clientId: 'your-client-id',
redirectUri: 'https://yourapp.com/callback',
scopes: ['openid', 'profile', 'email', 'groups'],
})
// 1. Kick off login (PKCE + state + nonce generated automatically)
await auth.login({ mode: 'popup' })
// 2. On the callback page — verifies ID token signature via JWKS,
// checks nonce, exp, iss, aud. No /userinfo call needed.
const tokens = await auth.handleCallback()
// { access_token, id_token, refresh_token, expires_in }
// 3. Decoded + verified ID token claims are cached
const user = auth.getIdTokenClaims()
// { sub, email, email_verified, name, groups, trust_tier, ... }
// 4. Use email_verified for trust decisions
if (!user.email_verified) {
throw new Error('Email not verified — do not grant access')
}
// 5. Use groups for RBAC — NO env-var allowlist needed
if (user.groups?.includes('admin')) {
// grant admin
}

Step 4: Logout (RP-Initiated)
Don't just clear your local session — propagate logout to UniAuth so other apps know too. Full details in the Logout Guide.
// Redirect user to end_session_endpoint with their id_token
await auth.logout({
postLogoutRedirectUri: 'https://yourapp.com/',
})
// UniAuth revokes the session, notifies all other apps via
// backchannel_logout_uri if you registered one.

Why PKCE Is Required (Even With a Client Secret)
UniAuth enforces PKCE on every flow, for public and confidential clients alike. This aligns with RFC 9700 §2.1.1 (OAuth 2.0 Security Best Current Practice, 2024), which recommends PKCE for all authorization code flows regardless of client type. It defends against authorization code injection, which a client secret alone does not prevent.
If you're using our SDKs or any mainstream OIDC library, PKCE is handled automatically.
Framework-Specific Quickstarts
Next Steps
- OIDC Feature Matrix — every supported feature with docs
- Integration Checklist — make sure you've covered everything
- Logout Propagation — end_session + back-channel
- Error Reference — every error code with remediation
- Token Reference — access / ID / refresh token structure