OAuth Endpoint Reference

This section is an overview over the endpoints that can be published on the Token server. All endpoints can be published in many instances, which can be useful when needing different token procedures to execute in different scenarios. Typically some endpoints are published only on machines that are facing internal services, while others are published on machines that are facing the Internet.


The anonymous endpoint is defined by the type oauth-anonymous. It is an unauthenticated endpoint that is used to publish metadata about the token service. Currently the Json Web Key Service is published on this endpoint.


The OAuth Authorize endpoint is defined in RFC 6749#section-3.1 and is used as an unauthenticated endpoint for the front channel flows, such as the code flow and the implicit flow. It is defined by the endpoint configuration type oauth-authorize.

Assisted Token

The Assisted Token endpoint is a custom endpoint that publishes the Assisted Token Flow. This is a convenience flow for single page applications. It is defined by the endpoint configuration type oauth-assisted-token.


The Introspection endpoint implements RFC 7662. This is an endpoint used for token introspection and is often useful to have in more than one variant. Typically an external that allows some clients to introspect tokens, and an internal that both introspects and issues an internal Json web token.


The Revoke endpoint RFC 7009 is used for clients to revoke access tokens and refresh tokens. It is defined by the endpoint configuration type oauth-revoke.


The Token endpoint RFC 6749#section-3.2 is the largest OAuth endpoint. It supports multiple flows and in Curity the following are supported.

It is defined by the endpoint configuration type oauth-token.

User Info

Defined in the OpenId Connect Core Specification, The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User.

Dynamic Client Registration

The Dynamic Client Registration Endpoint RFC 7591 allows dynamically registering OAuth clients with the the Curity Identity Server.

A GraphQL API can also be enabled, which works similarly to the REST API defined by the RFC.

See Architectural Overview of Dynamic Client Registration for details.

Database Client Management

A GraphQL API that allows managing OAuth clients with the Curity Identity Server.

See Database Client Management for details and differences between Dynamic Client Registration and Database Clients.

Device Authorization

The Device Authorization Grant Endpoint RFC 8628 is designed for Internet- connected devices that either lack a browser to perform a user-agent- based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical.

See the Device Authorization Grant Tutorial for more information.

OpenID Connect Sessions

The OpenID Connect Session Management Endpoint allows managing sessions for OpenID Connect, including when to log out the End-User.

See OpenID Connect for details.

Backchannel Authentication

Endpoint that enables the OpenID Connect Client-Initiated Backchannel Authentication Flow (also known as CIBA).

See the Client Initiated Backchannel Authentication Tutorial for more information.

Verifiable Credentials

Endpoint that enables OpenID for Verifiable Credential Issuance.

See Verifiable Credential Issuance for more information, and our blog post Decentralized Identifiers and Verifiable Credentials: The Building Blocks for Self-Controlled Identities for context around Curity’s take on decentralized identity.