Core authentication

OAuth2 & OIDC

Authalla implements OAuth2 and OpenID Connect for standards-based authentication. For the high-level flow and security model, start with Authentication overview.


Create a client

If you have an Authalla account, you already have a default tenant. Create your client in OAuth Clients → Create Client, add redirect URIs, and save the client ID (and client secret for confidential clients, shown once).

For browser-based apps, configure tenant Allowed origins in Tenants → (select tenant) → API → Allowed origins.

After creating the client, use the AI Integration Assistant prompt in the post-create screen or Clients → (select client) → Integration. It includes the discovery URL and client ID (but not the client secret) and generates OAuth 2.1-compliant setup code.


Common endpoints

  • https://{tenant-id}.authalla.com/oauth2/authorize
  • https://{tenant-id}.authalla.com/oauth2/token
  • https://{tenant-id}.authalla.com/oauth2/userinfo

Authorization request (PKCE)

import * as client from 'openid-client'

const issuer = new URL('https://{tenant-id}.authalla.com')
const clientId = 'client_123'
// Must exactly match one of the redirect URIs registered on the client
const redirectUri = 'https://app.example.com/oauth/callback'

// Fetches the tenant's discovery document and the endpoints it lists
const config = await client.discovery(issuer, clientId)

// Generate per-login and store these in the user session; the callback
// handler needs both to check the returned state and to send the verifier
const codeVerifier = client.randomPKCECodeVerifier()
const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier)
const state = client.randomState()

const authorizationUrl = client.buildAuthorizationUrl(config, {
  response_type: 'code',
  client_id: clientId,
  redirect_uri: redirectUri,
  scope: 'openid profile email', // openid is mandatory
  state,
  code_challenge: codeChallenge,
  code_challenge_method: 'S256',
})

// Redirect the browser to this URL (for example, res.redirect(authorizationUrl.href))
console.log(authorizationUrl.href)

Authalla requires the openid scope and a state parameter on every authorization request; public clients must also use PKCE. On the callback, compare the returned state with the value stored in the session before exchanging the code, and send the stored code verifier with the token request.
