# OIDC Discovery Endpoint

> Returns a JSON document containing the OpenID Provider's configuration metadata. OIDC-compliant clients use this endpoint to automatically discover the locations of the authorization, token, userinfo, and JWKS endpoints, as well as all supported capabilities.




## OpenAPI

````yaml /api/en/authentication.yaml get /.well-known/openid-configuration
openapi: 3.0.3
info:
  title: Altostrat Authentication API
  description: >
    This document provides a comprehensive guide to Altostrat's Authentication
    API. It leverages Auth0 to provide secure, stateless, JWT-based
    authentication for the Altostrat Single-Page Application (SPA). The
    authentication mechanism is built on the industry-standard **OAuth 2.0
    Authorization Code Flow with Proof Key for Code Exchange (PKCE)**, ensuring
    robust security for client-side applications.


    This documentation is a strategic blueprint designed for developers to
    accelerate integration. It details not only the API endpoints but also the
    underlying standards like **OpenID Connect (OIDC)** and the structure of the
    JSON Web Tokens (JWTs) used for authorization. Developers can use the OIDC
    discovery endpoint to auto-configure their clients.


    ### Authentication Flow Overview:

    1.  **Initiate Login:** The Altostrat web application initiates the
    authentication flow by redirecting the user's browser to the `/authorize`
    endpoint.

    2.  **User Authentication & Consent:** The user authenticates on the
    `signin.altostrat.io` domain and grants the application permission to access
    the requested scopes.

    3.  **Receive Authorization Code:** Auth0 redirects the user back to the
    Altostrat application's registered callback URL with a single-use
    `authorization_code`.

    4.  **Exchange Code for Tokens:** The Altostrat application's backend sends
    the `authorization_code` along with the `code_verifier` to the
    `/oauth/token` endpoint.

    5.  **Receive Tokens & Call APIs:** A successful exchange provides an
    `access_token` (JWT), an `id_token`, and a `refresh_token`. The
    `access_token` is then used as a Bearer token to make secure calls to
    Altostrat's resource APIs (e.g., `https://v1.api.altostrat.io`).
  version: 1.0.0
servers:
  - url: https://signin.altostrat.io
    description: Altostrat OAuth 2.0 & OpenID Connect Infrastructure
security: []
tags:
  - name: OAuth 2.0 & OIDC
    description: >-
      Core endpoints for the authentication, token management, and session
      flows.
  - name: Discovery
    description: >-
      Standard OpenID Connect discovery endpoints for automatic client
      configuration.
paths:
  /.well-known/openid-configuration:
    get:
      tags:
        - Discovery
      summary: OIDC Discovery Endpoint
      description: >
        Returns a JSON document containing the OpenID Provider's configuration
        metadata. OIDC-compliant clients use this endpoint to automatically
        discover the locations of the authorization, token, userinfo, and JWKS
        endpoints, as well as all supported capabilities.
      responses:
        '200':
          description: A JSON object listing the OIDC provider's configuration.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OIDCConfiguration'
components:
  schemas:
    OIDCConfiguration:
      type: object
      description: Metadata describing the OpenID Connect provider's configuration.
      properties:
        issuer:
          type: string
          format: uri
        authorization_endpoint:
          type: string
          format: uri
        token_endpoint:
          type: string
          format: uri
        device_authorization_endpoint:
          type: string
          format: uri
        userinfo_endpoint:
          type: string
          format: uri
        mfa_challenge_endpoint:
          type: string
          format: uri
        jwks_uri:
          type: string
          format: uri
        registration_endpoint:
          type: string
          format: uri
        revocation_endpoint:
          type: string
          format: uri
        end_session_endpoint:
          type: string
          format: uri
        scopes_supported:
          type: array
          items:
            type: string
        response_types_supported:
          type: array
          items:
            type: string
        code_challenge_methods_supported:
          type: array
          items:
            type: string
        response_modes_supported:
          type: array
          items:
            type: string
        subject_types_supported:
          type: array
          items:
            type: string
        token_endpoint_auth_methods_supported:
          type: array
          items:
            type: string
        claims_supported:
          type: array
          items:
            type: string

````
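A client that auto-configures from this endpoint should check the metadata before trusting it. The following is an added example, not Altostrat's own code: it validates a discovery document using the field names from the `OIDCConfiguration` schema. The function name `validateDiscovery`, the host allow-list policy, and both sample documents are assumptions made for illustration.

```javascript
// Added example: validate OIDC discovery metadata before a client trusts it.
// Field names come from the OIDCConfiguration schema above; the documents
// below are constructed samples, not the provider's real response.
const REQUIRED_ENDPOINTS = ["authorization_endpoint", "token_endpoint", "jwks_uri"];
// The documented flow is authorization code + PKCE, so both must be advertised.
const REQUIRED_VALUES = [["response_types_supported", "code"],
                         ["code_challenge_methods_supported", "S256"]];

function validateDiscovery(doc, expectedIssuer, allowedHosts) {
  const problems = [];
  // OIDC Discovery 1.0: the issuer value must be identical to the issuer the
  // client used to build the discovery URL (exact string comparison).
  if (doc.issuer !== expectedIssuer) {
    problems.push(`issuer mismatch: got ${JSON.stringify(doc.issuer)}`);
  }
  // Local policy (assumption, not a spec rule): endpoints must be on pinned hosts.
  const hosts = allowedHosts || [new URL(expectedIssuer).host];
  for (const name of REQUIRED_ENDPOINTS) {
    let url;
    try {
      url = new URL(doc[name]);
    } catch (e) {
      problems.push(`${name}: missing or not a URL`);
      continue;
    }
    if (url.protocol !== "https:") problems.push(`${name}: not https`);
    if (!hosts.includes(url.host)) problems.push(`${name}: unexpected host ${url.host}`);
  }
  for (const [field, value] of REQUIRED_VALUES) {
    const list = doc[field];
    if (!Array.isArray(list) || !list.includes(value)) problems.push(`${field} lacks '${value}'`);
  }
  return problems; // empty array means the document passed every check
}

// Constructed sample documents (paths other than /authorize and /oauth/token are made up).
const ISSUER = "https://signin.altostrat.io";
const goodDoc = {
  issuer: ISSUER,
  authorization_endpoint: "https://signin.altostrat.io/authorize",
  token_endpoint: "https://signin.altostrat.io/oauth/token",
  jwks_uri: "https://signin.altostrat.io/.well-known/jwks.json",
  response_types_supported: ["code"],
  code_challenge_methods_supported: ["S256"],
};
const badDoc = { ...goodDoc, issuer: "https://signin.example.net",
  token_endpoint: "http://login.example.net/oauth/token",
  code_challenge_methods_supported: ["plain"] };
console.log(validateDiscovery(goodDoc, ISSUER), validateDiscovery(badDoc, ISSUER));
```

Pass the exact issuer string the provider publishes as `expectedIssuer`, including or excluding a trailing slash, since the comparison is byte-for-byte.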