Authentication & Security OAuth 2.0

OAuth 2.0 REST API

Industry-standard protocol for API authorization

OAuth 2.0 is the industry-standard authorization framework that enables applications to obtain limited access to user accounts on HTTP services. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that account. Developers use OAuth 2.0 to implement secure, delegated access to protected resources without exposing user credentials.

Base URL https://authorization-server.com

API Endpoints

Method	Endpoint	Description
GET	`/authorize`	Authorization endpoint for obtaining user consent and authorization code
POST	`/token`	Token endpoint for exchanging authorization codes, refresh tokens, or credentials for access tokens
POST	`/introspect`	Introspection endpoint to validate and retrieve metadata about an access token
POST	`/revoke`	Revocation endpoint to invalidate access tokens or refresh tokens
GET	`/.well-known/oauth-authorization-server`	Metadata endpoint providing OAuth 2.0 server configuration and capabilities
GET	`/userinfo`	UserInfo endpoint to retrieve authenticated user profile information
POST	`/device/code`	Device authorization endpoint for devices with limited input capabilities
GET	`/jwks`	JSON Web Key Set endpoint for retrieving public keys to verify token signatures
POST	`/par`	Pushed Authorization Request endpoint for securely passing authorization parameters
POST	`/register`	Dynamic client registration endpoint for programmatically registering OAuth clients
GET	`/register/{client_id}`	Retrieve registered client configuration and metadata
PUT	`/register/{client_id}`	Update registered client configuration and metadata
DELETE	`/register/{client_id}`	Delete a dynamically registered OAuth client

Code Examples

# Authorization Code Flow - Step 1: Get authorization code
curl -X GET 'https://authorization-server.com/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://yourapp.com/callback&scope=read:user&state=random_state_string'

# Step 2: Exchange authorization code for access token
curl -X POST 'https://authorization-server.com/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'code=AUTHORIZATION_CODE' \
  -d 'redirect_uri=https://yourapp.com/callback' \
  -d 'client_id=YOUR_CLIENT_ID' \
  -d 'client_secret=YOUR_CLIENT_SECRET'

# Step 3: Use access token to access protected resource
curl -X GET 'https://api.example.com/user' \
  -H 'Authorization: Bearer ACCESS_TOKEN'

// Authorization Code Flow with PKCE
const crypto = require('crypto');

// Generate code verifier and challenge
function base64URLEncode(str) {
  return str.toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=/g, '');
}

const codeVerifier = base64URLEncode(crypto.randomBytes(32));
const codeChallenge = base64URLEncode(
  crypto.createHash('sha256').update(codeVerifier).digest()
);

// Step 1: Redirect to authorization endpoint
const authUrl = new URL('https://authorization-server.com/authorize');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('client_id', 'YOUR_CLIENT_ID');
authUrl.searchParams.set('redirect_uri', 'https://yourapp.com/callback');
authUrl.searchParams.set('scope', 'read:user write:user');
authUrl.searchParams.set('state', crypto.randomBytes(16).toString('hex'));
authUrl.searchParams.set('code_challenge', codeChallenge);
authUrl.searchParams.set('code_challenge_method', 'S256');

// Redirect user: window.location.href = authUrl.toString();

// Step 2: Exchange code for token (server-side)
async function getAccessToken(authorizationCode) {
  const response = await fetch('https://authorization-server.com/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code: authorizationCode,
      redirect_uri: 'https://yourapp.com/callback',
      client_id: 'YOUR_CLIENT_ID',
      code_verifier: codeVerifier
    })
  });
  
  const data = await response.json();
  return data.access_token;
}

// Step 3: Use access token
async function fetchUserData(accessToken) {
  const response = await fetch('https://api.example.com/user', {
    headers: {
      'Authorization': `Bearer ${accessToken}`
    }
  });
  return await response.json();
}

import requests
import base64
import hashlib
import secrets
from urllib.parse import urlencode

class OAuth2Client:
    def __init__(self, client_id, client_secret, authorization_url, token_url):
        self.client_id = client_id
        self.client_secret = client_secret
        self.authorization_url = authorization_url
        self.token_url = token_url
        self.code_verifier = None
        
    def generate_pkce_pair(self):
        """Generate PKCE code verifier and challenge"""
        self.code_verifier = base64.urlsafe_b64encode(
            secrets.token_bytes(32)
        ).decode('utf-8').rstrip('=')
        
        code_challenge = base64.urlsafe_b64encode(
            hashlib.sha256(self.code_verifier.encode()).digest()
        ).decode('utf-8').rstrip('=')
        
        return code_challenge
    
    def get_authorization_url(self, redirect_uri, scope, state=None):
        """Generate authorization URL"""
        code_challenge = self.generate_pkce_pair()
        
        params = {
            'response_type': 'code',
            'client_id': self.client_id,
            'redirect_uri': redirect_uri,
            'scope': scope,
            'state': state or secrets.token_urlsafe(16),
            'code_challenge': code_challenge,
            'code_challenge_method': 'S256'
        }
        
        return f"{self.authorization_url}?{urlencode(params)}"
    
    def exchange_code_for_token(self, authorization_code, redirect_uri):
        """Exchange authorization code for access token"""
        data = {
            'grant_type': 'authorization_code',
            'code': authorization_code,
            'redirect_uri': redirect_uri,
            'client_id': self.client_id,
            'client_secret': self.client_secret,
            'code_verifier': self.code_verifier
        }
        
        response = requests.post(self.token_url, data=data)
        response.raise_for_status()
        return response.json()
    
    def refresh_access_token(self, refresh_token):
        """Refresh an expired access token"""
        data = {
            'grant_type': 'refresh_token',
            'refresh_token': refresh_token,
            'client_id': self.client_id,
            'client_secret': self.client_secret
        }
        
        response = requests.post(self.token_url, data=data)
        response.raise_for_status()
        return response.json()
    
    def introspect_token(self, token, introspect_url):
        """Validate and get metadata about a token"""
        data = {
            'token': token,
            'client_id': self.client_id,
            'client_secret': self.client_secret
        }
        
        response = requests.post(introspect_url, data=data)
        response.raise_for_status()
        return response.json()

# Usage example
client = OAuth2Client(
    client_id='YOUR_CLIENT_ID',
    client_secret='YOUR_CLIENT_SECRET',
    authorization_url='https://authorization-server.com/authorize',
    token_url='https://authorization-server.com/token'
)

# Get authorization URL
auth_url = client.get_authorization_url(
    redirect_uri='https://yourapp.com/callback',
    scope='read:user write:user'
)

# After user authorizes and you receive the code
token_response = client.exchange_code_for_token(
    authorization_code='RECEIVED_CODE',
    redirect_uri='https://yourapp.com/callback'
)

access_token = token_response['access_token']
refresh_token = token_response.get('refresh_token')

# Use the access token
headers = {'Authorization': f'Bearer {access_token}'}
user_response = requests.get('https://api.example.com/user', headers=headers)
user_data = user_response.json()

Use OAuth 2.0 from Claude / Cursor / ChatGPT

Get a hosted MCP endpoint for OAuth 2.0. Paste your OAuth 2.0 API key, copy back one URL, drop it into Claude Desktop, Cursor, or any AI client that supports remote MCP. Your AI calls OAuth 2.0 directly with your credentials — no local install, works on mobile.

oauth2_authorize Generate OAuth 2.0 authorization URLs with PKCE for secure user authentication flows

oauth2_exchange_token Exchange authorization codes for access tokens or refresh expired tokens

oauth2_validate_token Introspect and validate OAuth 2.0 tokens to verify authenticity and retrieve metadata

oauth2_revoke_token Revoke access tokens or refresh tokens to terminate user sessions

oauth2_register_client Dynamically register new OAuth 2.0 clients with authorization servers

Connect in 60 seconds

Paste your OAuth 2.0 key → get an MCP URL → paste into Claude/Cursor. Hosted by IOX, encrypted at rest.

Connect OAuth 2.0 to your AI →

OAuth 2.0 REST API

API Endpoints

Sponsor this page

Code Examples

Use OAuth 2.0 from Claude / Cursor / ChatGPT

Connect in 60 seconds

Related APIs