When developing OAuth-capable applications, developers must follow the OAuth 2.0 Authorization Framework and, if applicable, the OpenID Connect specifications. In practice, this means that the applications must send requests to various OAuth endpoints to obtain authorization grants, access tokens, and (if applicable) refresh tokens and ID tokens. Additional endpoints serve other purposes: clients use them to validate access and refresh tokens, developers use them to submit client registrations through the OAuth 2.0 Dynamic Client Registration protocol, clients use them to retrieve OpenID Connect metadata, and more.

Each endpoint is a path under the base URL of the runtime server. If virtual host names are configured, the endpoints are also accessible at those locations.

For example, if the base URL is https://www.example.com:9031 and the configured virtual host names are www.example.org and www.example.info, the authorization and token endpoints are accessible at the following locations:

Authorization endpoint /as/authorization.oauth2
  • https://www.example.com:9031/as/authorization.oauth2
  • https://www.example.org:9031/as/authorization.oauth2
  • https://www.example.info:9031/as/authorization.oauth2
Token endpoint /as/token.oauth2
  • https://www.example.com:9031/as/token.oauth2
  • https://www.example.org:9031/as/token.oauth2
  • https://www.example.info:9031/as/token.oauth2
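
The mapping above can be turned into a strict allowlist check on the client side, so that a configured or discovered endpoint location is only used when it matches one of the expected hosts, the expected port, and the exact path. This is an added example, not code from the product or its documentation; the function names `endpoint_urls` and `is_expected_endpoint` are hypothetical, and only the paths, base URL, and virtual host names come from the page.

```python
from urllib.parse import urlsplit

# Endpoint paths as listed on this page.
ENDPOINT_PATHS = {
    "authorization": "/as/authorization.oauth2",
    "token": "/as/token.oauth2",
}

def _origin(base_url, virtual_hosts):
    """Return (allowed host names, port) for the base URL plus virtual hosts."""
    base = urlsplit(base_url)
    if base.scheme != "https" or not base.hostname:
        raise ValueError("base URL must be an absolute https URL")
    hosts = [base.hostname] + [h.lower().rstrip(".") for h in virtual_hosts]
    return hosts, base.port or 443

def endpoint_urls(base_url, virtual_hosts, name):
    """List every location of the named endpoint, base URL host first."""
    hosts, port = _origin(base_url, virtual_hosts)
    suffix = "" if port == 443 else f":{port}"
    return [f"https://{h}{suffix}{ENDPOINT_PATHS[name]}" for h in hosts]

def is_expected_endpoint(url, base_url, virtual_hosts, name):
    """Check a bare endpoint location (before request parameters are appended)."""
    hosts, port = _origin(base_url, virtual_hosts)
    try:
        u = urlsplit(url)
        url_port = u.port or 443  # .port raises ValueError if malformed
    except ValueError:
        return False
    if u.scheme != "https" or u.username or u.password or u.query or u.fragment:
        return False
    host = (u.hostname or "").rstrip(".")
    return host in hosts and url_port == port and u.path == ENDPOINT_PATHS[name]

if __name__ == "__main__":
    BASE = "https://www.example.com:9031"             # from the page's example
    VHOSTS = ["www.example.org", "www.example.info"]  # from the page's example
    for loc in endpoint_urls(BASE, VHOSTS, "token"):
        print(loc)
    # Constructed inputs: a plain-http variant and a userinfo look-alike.
    for candidate in ("http://www.example.org:9031/as/token.oauth2",
                      "https://www.example.com:9031@other.example/as/token.oauth2"):
        print(candidate, is_expected_endpoint(candidate, BASE, VHOSTS, "token"))
```

Comparing parsed components rather than string prefixes is what rejects the userinfo look-alike, whose text begins with the base URL but whose actual host is different.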

The subsequent topics describe each endpoint in detail. Unless otherwise indicated, these endpoints and associated parameters are defined in the OAuth and OpenID Connect specifications.