OAuth Provider and Apps
This module includes two surfaces:
- OAuth provider endpoints used by third-party clients
- Workspace OAuth app management endpoints
Provider endpoints
GET /api/oauth/authorize
POST /api/oauth/authorize
POST /api/oauth/token
GET /api/oauth/userinfo
POST /api/oauth/revoke
The provider flow supports the Authorization Code grant, including the PKCE extension.
OAuth app management endpoints
GET /api/oauth/apps
POST /api/oauth/apps
GET /api/oauth/apps/:id
PATCH /api/oauth/apps/:id
DELETE /api/oauth/apps/:id
POST /api/oauth/apps/:id/rotate-secret
Permissions
integrations:read: list/get OAuth apps
integrations:manage: create/update/delete/rotate app secret
Key lifecycle behavior
- New clientSecret is returned only on create and rotate.
- Redirect URI allowlist is enforced during authorize flow.
- Scope requests are validated at authorize/token stages.
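As an added illustration (not the project's own code), the following models the provider-side checks listed above: an exact-match redirect URI allowlist at /authorize, scope validation against the app's allowed set, and PKCE S256 verification plus single-use, client-bound codes at /token. The OAuthApp and AuthServer names, the stored-code layout and the choice of status codes (taken from the "Common errors" list) are assumptions made for this example.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Client side: random verifier and its S256 challenge (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

@dataclass(frozen=True)
class OAuthApp:  # hypothetical model of a registered workspace OAuth app
    client_id: str
    redirect_uris: frozenset  # exact-match allowlist, no prefix or wildcard matching
    allowed_scopes: frozenset

class AuthServer:  # constructed model of the /authorize and /token checks
    def __init__(self, apps):
        self.apps = {a.client_id: a for a in apps}
        self.codes = {}  # code -> (client_id, redirect_uri, scopes, code_challenge)

    def authorize(self, client_id, redirect_uri, scope, code_challenge, method="S256"):
        app = self.apps.get(client_id)
        if app is None:
            return 401, None  # unknown client
        if redirect_uri not in app.redirect_uris:
            return 400, None  # fail closed: never redirect a code to an unlisted URI
        requested = frozenset(scope.split())
        if not requested or not requested <= app.allowed_scopes:
            return 403, None  # scope validated at the authorize stage
        if method != "S256" or not code_challenge:
            return 400, None  # plain PKCE and a missing challenge are rejected
        code = _b64url(secrets.token_bytes(32))
        self.codes[code] = (client_id, redirect_uri, requested, code_challenge)
        return 200, code

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self.codes.pop(code, None)  # single use: replay or failure burns the code
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return 400, None  # code is bound to the client and redirect_uri it was issued for
        expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, entry[3]):
            return 400, None  # PKCE verifier does not match the stored challenge
        token = {"access_token": _b64url(secrets.token_bytes(32)),
                 "scope": " ".join(sorted(entry[2]))}  # only the scopes bound to the code
        return 200, token
```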
UserInfo and revoke
/userinfo requires a valid bearer access token with the proper scopes.
/revoke follows standard OAuth token revocation behavior and invalidates the token material.
Common errors
400: malformed authorize/token payload
401: invalid client credentials
403: insufficient scopes
404: OAuth app not found in workspace scope