OAuth 2.0 & OpenID Connect developer documentation — integrate Beezifi authentication into any application.
Beezifi Identity supports the OAuth 2.0 Authorization Code flow with OpenID Connect. Your application redirects users to Beezifi for authentication, receives a short-lived authorization code, and exchanges it for tokens.
codeclient_secret_postopenid profile emailRS256 (verified via JWKS)To get started, create a Beezifi account and register your application under My Apps.
client_id and client_secret.Redirect URI matching is strict — scheme, host, port, path, and trailing slash must all match exactly. Wildcards are not supported.
Redirect your user to Beezifi to begin authentication:
GET {{BASE_URL}}/api/oauth/authorize
?client_id=YOUR_CLIENT_ID
&redirect_uri=https://yourapp.com/auth/callback
&response_type=code
&scope=openid%20profile%20email
&state=RANDOM_CSRF_VALUE
&nonce=RANDOM_NONCE
If the user authenticates and grants consent, they are redirected to your
redirect_uri with ?code=AUTH_CODE&state=YOUR_STATE.
Always verify the state value matches what you sent.
Exchange the authorization code for tokens from your backend:
POST {{BASE_URL}}/api/oauth/token
Content-Type: application/json
{
"grant_type": "authorization_code",
"code": "AUTH_CODE",
"redirect_uri": "https://yourapp.com/auth/callback",
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET"
}Successful response:
{
"access_token": "eyJ...",
"id_token": "eyJ...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "openid profile email"
}client_secret is protected.Fetch the authenticated user's profile using the access token:
GET {{BASE_URL}}/api/oauth/userinfo
Authorization: Bearer ACCESS_TOKENResponse:
{
"sub": "user-uuid",
"email": "user@example.com",
"name": "Jane Doe",
"picture": null,
"email_verified": true
}When a user signs out of your third-party app, call Beezifi logout to end the account session at the identity provider. This revokes active access tokens and deactivates active Beezifi sessions for that account.
POST {{BASE_URL}}/api/oauth/logout
Authorization: Bearer ACCESS_TOKENSuccessful response:
{
"message": "Logged out successfully."
}ID tokens are signed with RS256 (asymmetric RSA). Your backend verifies them using Beezifi's public key — no shared secret required. Fetch the public key from the JWKS endpoint:
GET {{BASE_URL}}/.well-known/jwks.jsonResponse:
{
"keys": [
{
"kty": "RSA",
"use": "sig",
"alg": "RS256",
"kid": "beezifi-1",
"n": "...",
"e": "AQAB"
}
]
}
Match the token's kid header claim to the correct key in the JWKS array,
then verify the signature. Most JWT libraries support JWKS natively:
// Node.js example using jose
import { createRemoteJWKSet, jwtVerify } from 'jose';
const JWKS = createRemoteJWKSet(
new URL('{{BASE_URL}}/.well-known/jwks.json')
);
const { payload } = await jwtVerify(idToken, JWKS, {
issuer: '{{BASE_URL}}',
audience: 'YOUR_CLIENT_ID',
algorithms: ['RS256'],
});
console.log(payload.sub); // user UUID
console.log(payload.email); // user emailAfter verifying the signature, always validate these claims:
iss — must equal the Beezifi Identity base URLaud — must equal your client_idexp — must be in the futurenonce — must match the value you sent in the authorization requestkid. Keys rotate infrequently but the endpoint is always authoritative.Authorization errors are returned as query parameters on the redirect URI:
access_denied — user denied consent or an access policy blocked sign-in.invalid_client — bad client credentials or inactive application.invalid_grant — expired, already-used, or mismatched authorization code / redirect URI.invalid_request — missing or malformed required parameters.invalid_token — access token is invalid, expired, or revoked (for example after logout).Token endpoint errors are returned as JSON with an error field.
state value and verify it exactly on callback to prevent CSRF.nonce and validate it in the ID token.client_secret only in backend environment variables — never in client-side code./.well-known/jwks.json — never skip signature verification.iss), audience (aud), expiration (exp), and nonce.kid to the correct key in the JWKS response.localStorage for sensitive tokens; prefer HttpOnly cookies.docs/sign-in-with-beezifi.md in the repository.