OAuth-capable applications must send requests to various OAuth endpoints to obtain authorization grants, access tokens, refresh tokens, and ID tokens if applicable. Additional endpoints exist for other purposes, including for clients to validate access and refresh tokens, for developers to submit client registrations using the OAuth 2.0 Dynamic Client Registration protocol, and for clients to retrieve OpenID Connect metadata.

Each endpoint extends from the runtime server at the base URL. If you configure virtual host names, the endpoints are also accessible at those locations.


If the base URL is https://www.example.com:9031 and the configured virtual host names are www.example.org and www.example.info, the authorization and token endpoints are accessible at the following locations:

Authorization endpoint /as/authorization.oauth2
  • https://www.example.com:9031/as/authorization.oauth2
  • https://www.example.org:9031/as/authorization.oauth2
  • https://www.example.info:9031/as/authorization.oauth2
Token endpoint /as/token.oauth2
  • https://www.example.com:9031/as/token.oauth2
  • https://www.example.org:9031/as/token.oauth2
  • https://www.example.info:9031/as/token.oauth2