OAuth 2.0 & OpenID Connect
Copy page
EntryBit is a full OAuth 2.0 authorization server and OpenID Connect provider — authorization-code flow with PKCE (S256) required for every client. The model, the flow, and the tokens you get.
Updated
EntryBit is a full OAuth 2.0 authorization server and OpenID Connect provider. Apps that sign users in — mobile apps, SPAs, server-rendered web apps — use the authorization-code flow with PKCE. There is no implicit grant, no password grant, and no plain PKCE: PKCE S256 is mandatory for every client, public or confidential.
- Issuer:
https://entrybit.net - Discovery:
GET /.well-known/openid-configuration— most OIDC libraries configure themselves from this one URL - Signing: RS256; public keys at
/.well-known/jwks.json
Why authorization-code + PKCE
The authorization code flow keeps tokens off the front channel: the browser only ever carries a short-lived, single-use code, which your app exchanges for tokens over a direct back-channel call. PKCE (RFC 7636) binds that code to a per-request secret (code_verifier) that only your app holds — so even if a hostile app on the device intercepts the redirected code, it cannot exchange it. This is why a public client (a mobile app or SPA with no secret) is safe: PKCE replaces the client secret.
The flow, step by step
- Discover. Fetch
/.well-known/openid-configurationto find the authorize, token, userinfo, and logout endpoints. - Generate PKCE. Create a random
code_verifier, thencode_challenge = BASE64URL(SHA-256(code_verifier)). - Authorize. Open
GET /api/oauth/authorizein the system browser withresponse_type=code, yourclient_id,redirect_uri,scope,state,code_challenge, andcode_challenge_method=S256. - User signs in. EntryBit runs login (password, passkey, Google, 2FA) and the consent screen — all inside the browser. Your app never sees the password.
- Redirect back. On success the browser is 302-redirected to your
redirect_uriwithcode,state, andiss(RFC 9207). - Exchange the code. Call
POST /api/oauth/tokenwithgrant_type=authorization_code, thecode, the sameredirect_uri, yourclient_id, and thecode_verifier. - Get tokens. Receive an access token (always), plus an
id_token(withopenid) and arefresh_token(withoffline_access). - Call the API. Send
Authorization: Bearer <access_token>to/api/v1/*. - Refresh. When the access token nears expiry, exchange the rotating refresh token for a fresh pair.
App System Browser EntryBit
│ authorize (S256) ──────►│───────────────────────────►│ login + 2FA + consent
│ │◄───────────────────────────│ 302 → redirect_uri?code&state&iss
│◄─────────────────────────│ deep link back
│ token (code + verifier) ───────────────────────────► │
│◄────────────────── { access_token, refresh_token?, id_token? }
│ GET /api/v1/* (Bearer access_token) ──────────────► │What you get back
| Token | Format | Lifetime | Purpose |
|---|---|---|---|
| access_token | RS256 JWT (typ: at+jwt) | ~15 min | Call /api/v1/* and /api/oauth/userinfo. aud = your client_id. |
| id_token | RS256 JWT (typ: JWT) | — | Who signed in and how (sub, amr, auth_time, identity claims). Issued with openid. |
| refresh_token | Opaque, rotating | 60 days | Obtain fresh access tokens without re-prompting. Issued with offline_access. |
Access tokens and id_tokens verify offline against the JWKS; refresh tokens are opaque and single-use — they rotate on every exchange, so always persist the newest.
Client types
- Public (mobile apps, SPAs) — no secret. PKCE is the proof. This is the common case.
- Confidential (web apps with a secure backend) — a
client_secretin addition to PKCE, enabling Introspection.
Register either in Settings → Team → OAuth apps. See Register an app.
Endpoint reference
| Page | Endpoint |
|---|---|
| Register an app | Self-service client registration |
| Scopes | What you can request at consent |
| Authorize endpoint | GET /api/oauth/authorize |
| Token endpoint | POST /api/oauth/token |
| ID token & UserInfo | id_token claims + GET|POST /api/oauth/userinfo |
| Introspection & Revocation | POST /api/oauth/introspect · POST /api/oauth/revoke |
| Logout | GET|POST /api/oauth/logout |
| Discovery & JWKS | /.well-known/* |
Building a mobile app? Jump straight to the Quickstart.