OAuth Endpoint Reference

This section is an overview over the endpoints that can be published on the Token server. All endpoints can be published in many instances, which can be useful when needing different token procedures to execute in different scenarios. Typically some endpoints are published only on machines that are facing internal services, while others are published on machines that are facing the Internet.


The anonymous endpoint is defined by the type oauth-anonymous. It is an unauthenticated endpoint that is used to publish metadata about the token service. Currently the Json Web Key Service is published on this endpoint.


The OAuth Authorize endpoint is defined in RFC 6749#section-3.1 and is used as an unauthenticated endpoint for the front channel flows, such as the code flow and the implicit flow. It is defined by the endpoint configuration type oauth-authorize.

Assisted Token

The Assisted Token endpoint is a custom endpoint that publishes the Assisted Token Flow. This is a convenience flow for single page applications. It is defined by the endpoint configuration type oauth-assisted-token.


The Introspection endpoint implements RFC 7662. This is an endpoint used for token introspection and is often useful to have in more than one variant. Typically an external that allows some clients to introspect tokens, and an internal that both introspects and issues an internal Json web token.


The Revoke endpoint RFC 7009 is used for clients to revoke access tokens and refresh tokens. It is defined by the endpoint configuration type oauth-revoke.


The Token endpoint RFC 6749#section-3.2 is the largest OAuth endpoint. It supports multiple flows and in Curity the following are supported.

It is defined by the endpoint configuration type oauth-token.