Documentation

Complete guide to integrating Epsilon Auth into your applications

Getting Started

1. Create an Account

Register at /register with your email, username, and password.

2. Create an OAuth Application

Go to the Developer Console at /developer and create a new application. You'll receive a Client ID and Client Secret.

3. Implement OAuth2 Flow

Use the authorization code flow to authenticate users in your application.

OAuth2 Integration

Step 1: Authorization Request

Redirect users to the authorization endpoint:

GET /oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=YOUR_REDIRECT_URI&
  response_type=code&
  scope=openid profile email&
  state=RANDOM_STATE

Step 2: Exchange Code for Token

Exchange the authorization code for an access token:

POST /api/oauth/token
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "AUTHORIZATION_CODE",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "YOUR_REDIRECT_URI"
}

Step 3: Get User Info

Use the access token to retrieve user information:

GET /api/oauth/userinfo
Authorization: Bearer ACCESS_TOKEN
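The three steps above combined into one client-side flow, added here as an example and not code from Epsilon Auth or any of its SDKs. It assumes ISSUER is your Epsilon Auth base URL, that the token endpoint returns the standard OAuth2 access_token field, and it enforces the state check recommended under Security Best Practices; the transport parameter exists so the flow can be exercised without a live server.

```python
import json
import secrets
import urllib.parse
import urllib.request

# Assumed base URL of the Epsilon Auth deployment (constructed for this example).
ISSUER = "https://auth.example.com"
SCOPES = "openid profile email"


def new_state():
    """Unguessable per-login state; store it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: the /oauth/authorize redirect, with state bound to this login."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": SCOPES, "state": state}
    return ISSUER + "/oauth/authorize?" + urllib.parse.urlencode(params)


def http_json(method, url, headers=None, body=None):
    """Default transport: JSON request to Epsilon Auth, decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json",
                                          **(headers or {})})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def handle_callback(query, expected_state, client_id, client_secret,
                    redirect_uri, transport=http_json):
    """Steps 2 and 3: verify state, exchange the code, then fetch userinfo.
    `query` is the raw query string Epsilon Auth appended to redirect_uri."""
    params = dict(urllib.parse.parse_qsl(query))
    got = params.get("state", "").encode()
    # Constant-time comparison against the state kept in the session: a
    # mismatch means this callback was not started by this session (CSRF).
    if not expected_state or not secrets.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch: rejecting authorization response")
    if "code" not in params:
        raise ValueError("authorization response carries no code")
    token = transport("POST", ISSUER + "/api/oauth/token", body={
        "grant_type": "authorization_code", "code": params["code"],
        "client_id": client_id, "client_secret": client_secret,
        "redirect_uri": redirect_uri})
    # access_token is the standard OAuth2 token-response field (assumed here).
    return transport("GET", ISSUER + "/api/oauth/userinfo",
                     headers={"Authorization": "Bearer " + token["access_token"]})
```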

OpenID Connect

Discovery Endpoint

GET /api/oauth/.well-known/openid-configuration

Supported Scopes

  • openid - Required for OpenID Connect authentication
  • profile - Access to username and avatar
  • email - Access to email address

ID Token Claims

The ID token includes the following claims:

  • sub - Subject identifier (user ID)
  • name - Username (with profile scope)
  • email - Email address (with email scope)
  • picture - Avatar URL (with profile scope)
  • aud - Audience (client ID)
  • iss - Issuer (Epsilon Auth URL)

API Reference

GET /oauth/authorize

Start OAuth2 authorization flow

POST /api/oauth/token

Exchange authorization code for access token

GET /api/oauth/userinfo

Get authenticated user information

GET /api/oauth/.well-known/openid-configuration

OpenID Connect discovery endpoint

Security Best Practices

  • Always use HTTPS in production
  • Keep your Client Secret confidential - never expose it in client-side code
  • Use the state parameter to prevent CSRF attacks
  • Validate redirect URIs to prevent open redirect vulnerabilities
  • Implement token refresh to maintain security