
API Endpoints

All endpoints use the base URL configured in AUTENTICO_APP_URL. The OAuth2 path prefix (/oauth2 by default) is configurable via AUTENTICO_APP_OAUTH_PATH.

| Method | Path | Description |
|---|---|---|
| GET | /.well-known/openid-configuration | OIDC discovery document |
| GET | /oauth2/.well-known/openid-configuration | OIDC discovery document (alias) |
| GET | /.well-known/jwks.json | JSON Web Key Set |
| GET | /oauth2/authorize | Authorization endpoint — starts auth flow |
| POST | /oauth2/login | Login form submission |
| POST | /oauth2/signup | Self-signup form submission |
| GET/POST | /oauth2/mfa | MFA challenge page |
| GET | /oauth2/passkey/login/begin | Begin WebAuthn authentication |
| POST | /oauth2/passkey/login/finish | Finish WebAuthn authentication |
| POST | /oauth2/passkey/register/finish | Finish WebAuthn registration (passkey-only mode) |
| POST | /oauth2/token | Token endpoint (authorization_code, refresh_token, password) |
| POST | /oauth2/protocol/openid-connect/token | Token endpoint (Keycloak alias) |
| GET | /oauth2/userinfo | UserInfo endpoint |
| GET | /oauth2/protocol/openid-connect/userinfo | UserInfo endpoint (Keycloak alias) |
| POST | /oauth2/revoke | Token revocation (RFC 7009) |
| POST | /oauth2/introspect | Token introspection (RFC 7662) |
| GET | /oauth2/logout | Logout — deactivates SSO session |

| Method | Path | Description |
|---|---|---|
| POST | /user | Create a user account (self-signup, if enabled) |

| Method | Path | Description |
|---|---|---|
| POST | /oauth2/register | Register a new client |
| GET | /oauth2/register/{client_id} | Get client info |
| PUT | /oauth2/register/{client_id} | Update client |
| DELETE | /oauth2/register/{client_id} | Delete client |

| Method | Path | Description |
|---|---|---|
| GET | /admin/api/users | List all users |
| POST | /admin/api/users | Create a user |
| GET | /admin/api/users/{id} | Get user by ID |
| PUT | /admin/api/users/{id} | Update a user |
| DELETE | /admin/api/users/{id} | Delete a user |
| POST | /admin/api/users/unlock | Unlock a locked account |
| GET | /admin/api/clients | List all clients |
| POST | /admin/api/clients | Create a client |
| GET | /admin/api/clients/{id} | Get client by ID |
| PUT | /admin/api/clients/{id} | Update a client |
| DELETE | /admin/api/clients/{id} | Delete a client |
| GET | /admin/api/sessions | List sessions |
| DELETE | /admin/api/sessions/{id} | Revoke a session |
| GET | /admin/api/stats | Dashboard statistics |
| GET | /admin/api/settings | Get all settings |
| PUT | /admin/api/settings | Update settings |
| GET | /admin/api/onboarding | Check onboarding status (public) |
| POST | /admin/api/onboarding | Complete onboarding (public, one-time) |

Admin-authenticated endpoints require:

Authorization: Bearer <AUTENTICO_ADMIN_TOKEN>

CSRF protection is applied to browser-facing form endpoints (/oauth2/authorize, /oauth2/login, /oauth2/mfa, /oauth2/signup, /oauth2/onboard). Passkey endpoints are exempt — the WebAuthn challenge is the anti-CSRF mechanism.
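The following is an added example, not code from the Autentico project: a resource server checking a bearer token against the introspection endpoint (RFC 7662) listed above. Because the OAuth2 prefix is configurable via AUTENTICO_APP_OAUTH_PATH and several paths have aliases, the endpoint is taken from the discovery document first and only falls back to the documented path. It assumes the standard RFC 7662 request/response shape (`token` form parameter; `active`, `exp`, `nbf`, `scope`, `client_id` in the reply), the standard `introspection_endpoint` metadata key, and that the endpoint authenticates the caller with HTTP Basic client credentials; none of those details are stated on this page. All hostnames, credentials and responses are constructed sample values.

```python
"""Resource-server side token introspection (added example, not Autentico code).

Assumptions, not taken from the endpoint table: RFC 7662 request/response
shape, the standard `introspection_endpoint` discovery key, and HTTP Basic
client authentication on the introspection endpoint.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def resolve_introspection_endpoint(discovery, base_url, oauth_path="/oauth2"):
    """Prefer the URL advertised by the discovery document; fall back to the
    documented path under the configured prefix rather than hard-coding /oauth2."""
    advertised = discovery.get("introspection_endpoint")
    if advertised:
        return advertised
    return base_url.rstrip("/") + "/" + oauth_path.strip("/") + "/introspect"


def build_introspection_request(endpoint, client_id, client_secret, token):
    """Form-encoded POST as described in RFC 7662 section 2.1, with the
    resource server's own client credentials in an HTTP Basic header
    (assumed deployment choice)."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}
    ).encode("ascii")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        endpoint,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def evaluate_introspection(resp, required_scopes=(), expected_client_id=None, now=None):
    """Decide whether an introspected token may be accepted.

    Returns (accepted, reason). Each rejection is explicit: the usual mistake
    is testing `resp["active"]` alone and skipping expiry and scope checks.
    """
    now = int(time.time()) if now is None else now
    # `active` must be the JSON boolean true, not a truthy string such as "true".
    if resp.get("active") is not True:
        return False, "token is not active"
    exp = resp.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "missing or past exp"
    nbf = resp.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        return False, "token not yet valid (nbf)"
    granted = set(str(resp.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    if expected_client_id is not None and resp.get("client_id") != expected_client_id:
        return False, "token issued to a different client"
    return True, "ok"


def check_token(token, endpoint, client_id, client_secret, required_scopes=(),
                opener=urllib.request.urlopen):
    """Round trip: build the request, call the endpoint, evaluate the JSON reply.
    `opener` is injectable so the flow can be exercised without a live server."""
    req = build_introspection_request(endpoint, client_id, client_secret, token)
    with opener(req) as raw:
        resp = json.loads(raw.read().decode("utf-8"))
    return evaluate_introspection(resp, required_scopes)


if __name__ == "__main__":
    # Constructed discovery document for a hypothetical deployment.
    discovery = {"issuer": "https://sso.example.test",
                 "introspection_endpoint": "https://sso.example.test/oauth2/introspect"}
    endpoint = resolve_introspection_endpoint(discovery, "https://sso.example.test")
    now = int(time.time())
    # Constructed introspection replies standing in for the server's answers.
    for reply in ({"active": True, "exp": now + 300, "scope": "read write", "client_id": "web"},
                  {"active": True, "exp": now - 1, "scope": "read write"},
                  {"active": "true", "exp": now + 300, "scope": "read"},
                  {"active": False}):
        print(endpoint, reply, "->", evaluate_introspection(reply, ("read",), now=now))
```

The `opener` parameter exists so that the same `check_token` path can be tested with a stub that returns a canned JSON body; in production the default `urllib.request.urlopen` is used unchanged.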