OIDC
Hosted SSO — project as OIDC provider (Pro). Grant bridge uses Auth tag.
Complete OIDC authorization (grant bridge)
After your login UI receives `request_token` from `/api/oidc/{projectId}/authorize`, authenticate the user, then call this endpoint to get the final `redirectUrl` for the browser. **Requires Pro** (`feature_not_available` on lower tiers).
OIDC discovery document
Standard OpenID Provider Metadata for this project. **Pro plan** only (403 when gated).
JWKS
Public keys for verifying `id_token` JWTs for this project’s OIDC issuer.
OIDC authorize
Authorization endpoint. Valid `response_type` is `code` only. On success returns **302** to the OIDC application’s `loginUrl` with `request_token`, `scope`, and `app_name` query params.
OIDC token endpoint
OAuth 2.0 token endpoint (`grant_type=authorization_code`). Client auth via `Authorization: Basic` or form fields `client_id` + `client_secret`. Request body: `application/x-www-form-urlencoded` or `multipart/form-data`. Returns **OAuth-style JSON** (not `{ data: … }`) on success and on error.
OIDC UserInfo
`Authorization: Bearer` with the access token from the token endpoint. Returns JSON claims; failures use OAuth-style `{ error, error_description }`.