OIDC Endpoints
These are the OpenID Connect endpoints your applications need to know about. All endpoints are relative to your Permiso instance URL (https://[your-company].permisolabs.eu).
Discovery document
GET /.well-known/openid-configuration
The discovery document is the recommended starting point for configuring any OIDC-compatible application. It lists all the endpoints, supported scopes, and supported signing algorithms in a standard format. Most OIDC libraries accept just this URL and auto-configure the rest.
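A configuration-time check on the discovery document, added here as an example and not Permiso's own code: before the values are trusted, it confirms that the issuer and every advertised endpoint stay on your instance's HTTPS origin at the paths listed on this page. The metadata field names are the standard OIDC/OAuth ones and are assumed to be what Permiso publishes; `acme` is a made-up company name and the sample document is constructed.

```python
from urllib.parse import urlsplit

# Standard OIDC/OAuth metadata field -> path documented on this page.
# Assumption: Permiso's discovery document uses these standard field names.
EXPECTED_PATHS = {
    "authorization_endpoint": "/oauth/authorize",
    "token_endpoint": "/oauth/token",
    "userinfo_endpoint": "/oauth/userinfo",
    "jwks_uri": "/.well-known/jwks.json",
    "end_session_endpoint": "/oauth/logout",
    "device_authorization_endpoint": "/oauth/device/code",
}

def check_discovery(doc, instance_url):
    """Return a list of problems found in a parsed discovery document."""
    base = instance_url.rstrip("/")
    origin = urlsplit(base)
    problems = []
    # Assumption: the issuer equals the instance URL (a trailing slash is
    # tolerated). OIDC Discovery ties the issuer to the URL it was fetched from.
    if str(doc.get("issuer", "")).rstrip("/") != base:
        problems.append("issuer mismatch")
    for field, path in EXPECTED_PATHS.items():
        value = doc.get(field)
        if value is None:
            problems.append(f"{field} missing")
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{field} is not https")
        elif url.netloc != origin.netloc:
            problems.append(f"{field} points at another host")
        elif url.path != path:
            problems.append(f"{field} has unexpected path")
    # An IdP advertising "none" would allow unsigned ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("alg none advertised for ID tokens")
    return problems

# Constructed sample input, not a real Permiso response.
BASE = "https://acme.permisolabs.eu"
SAMPLE = {"issuer": BASE, "id_token_signing_alg_values_supported": ["RS256"],
          **{field: BASE + path for field, path in EXPECTED_PATHS.items()}}

if __name__ == "__main__":
    print(check_discovery(SAMPLE, BASE))
    lookalike = dict(SAMPLE, token_endpoint=BASE + ".example/oauth/token")
    print(check_discovery(lookalike, BASE))
```

Run it once when wiring up a client or in CI against the fetched JSON; a non-empty result means the document should not be used to auto-configure the application.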
Authorization endpoint
GET /oauth/authorize
This is where users are redirected to log in. Your application sends users here with the appropriate query parameters (client_id, redirect_uri, scope, response_type, etc.). Permiso handles authentication and redirects back to your app.
Token endpoint
POST /oauth/token
Used by your application to exchange an authorization code for tokens (ID token, access token, refresh token). This is a server-to-server call: your application's backend makes this request, not the user's browser.
UserInfo endpoint
GET /oauth/userinfo
Returns information about the currently authenticated user. Your application can call this endpoint with an access token to get the user's profile data. The response includes the same claims that are in the ID token.
JWKS endpoint
GET /.well-known/jwks.json
Contains the public keys used to verify the signatures on Permiso's JWTs. Most OIDC libraries fetch this automatically and cache it, so you usually don't need to interact with it directly.
End session endpoint
GET /oauth/logout
Logs the user out of Permiso. If you've configured logout callback URLs on your OIDC client, the user will be redirected there after logout.
Device authorization endpoint
POST /oauth/device/code
Used for the OAuth 2.0 Device Authorization Grant flow. This lets users authorize a device (like a CLI tool or TV app) by visiting a URL on a separate device and entering a code.