Skip to main content
Authlete logo

Overview

Authlete provides the OAuth 2.0 and OpenID Connect logic your authorization server needs. You run the endpoints, control the UX, manage user data, and decide how authentication and consent work. Authlete supplies the protocol-correct behavior through Web APIs that your server calls during each step of the OAuth/OIDC flow.
Authlete is built for teams that want to operate their own identity layer without re-implementing OAuth and OpenID Connect.

Authlete tools

  • APIs - REST endpoints that perform OAuth/OIDC validation, generate tokens, manage client metadata, introspect access tokens, and enforce security profiles. These APIs act as the protocol engine behind your authorization server.
  • Console - A management UI to configure services, register clients, define policies, review logs, and monitor traffic. The Console gives you operational control without changing your application code.
  • SDKs & Client Libraries - Official SDKs and client libraries for popular languages including TypeScript, Java, and Go. See the SDK documentation for language-specific guides and code examples.

Why use Authlete

Full control

You define endpoints, UX, and branding. Authlete provides only the protocol engine behind your system.

No OAuth/OIDC implementation

Authlete handles validation, tokens, and security rules through APIs. No custom security code needed.

Broad standards coverage

PKCE, PAR, JARM, CIBA, RAR, DPoP, FAPI, and more—all implemented behind Authlete’s APIs.

AI-ready

Register OAuth clients programmatically for agent workflows with lightweight metadata.

How Authlete fits into your system

Your Application

Exposes public endpoints:

  • /authorize
  • /token
  • Additional OAuth/OIDC endpoints

Handles:

  • User authentication and sessions
  • Consent screens and UX
  • Business logic and access decisions
  • Final HTTP responses to clients

Authlete API

Sits behind your endpoints. Your server calls Authlete to:

  • Validate authorization and token requests
  • Decide next action (authenticate, consent, error)
  • Issue authorization codes and tokens
  • Validate access tokens via introspection
  • Enforce scopes, permissions, and security profiles
Authlete never communicates directly with end users or client applications. Your server defines the behavior; Authlete ensures it follows the specifications.

Architecture at a glance

Flow overview

A typical authorization code flow with Authlete looks like this:
  1. Client → /authorize
    The client sends an authorization request to your authorization endpoint.
  2. /authorizePOST /auth/authorization
    Your server forwards the request parameters to Authlete for validation.
  3. Authlete → your server
    Authlete returns a ticket and an action (e.g. authenticate user, ask for consent, or return an error).
  4. Your server: authenticate + consent
    You authenticate the user and present a consent screen according to your UX and policy.
  5. /authorizePOST /auth/authorization/issue
    After consent is granted, your server asks Authlete to issue an authorization code.
  6. Authlete → your server → client
    Authlete returns the code; your server includes it in the redirect back to the client.
  7. Client → /token
    The client exchanges the authorization code at your token endpoint.
  8. /tokenPOST /auth/token
    Your server forwards the token request to Authlete.
  9. Authlete → your server → client
    Authlete returns access, refresh, and (optionally) ID tokens. Your server formats the HTTP response.
  10. Resource server → POST /auth/introspection
    When an API receives an access token, it sends it to Authlete for introspection (via your backend) and decides whether to honor the request.
This pattern generalizes across all supported flows such as PKCE, PAR, JARM, Device Flow, and CIBA.

Responsibilities

You implement

  • Public OAuth/OIDC endpoints (e.g. /authorize, /token)
  • Login, consent, and session management flows
  • User and application data models
  • Business-specific logic and policies
  • Final HTTP responses and error formats

Authlete provides

  • OAuth/OIDC parameter and request validation
  • Token generation and lifecycle management
  • Scope, client, and policy enforcement
  • Token introspection and revocation
  • Standards-compliant protocol behavior as specifications evolve

Supported standards

Authlete provides API-level support for a wide range of OAuth 2.0, OpenID Connect, identity federation, credential issuance, and modern security extensions. All capabilities are accessed through a unified Web API surface.

OAuth 2.0 & OIDC Core

  • Authorization Code, Hybrid, Implicit flows
  • PKCE
  • ID Token and UserInfo handling
  • Token introspection & revocation
  • Native SSO

Modern OAuth Extensions

  • PAR, JARM, DPoP, RAR
  • Device Flow
  • CIBA
  • Dynamic Client Registration

Federation & Credentials

  • OIDC Federation 1.0
  • Verifiable Credentials (OID4VCI)
  • AI agent client registration

Financial-Grade

  • FAPI 1.0 & 2.0
  • mTLS
  • Regulated environment profiles

Signing & Keys

  • JWK, JWKS, key rotation
  • HSM-backed signing
  • Algorithm enforcement

OpenID Certified

  • Basic, Implicit, Hybrid OP
  • Config, Dynamic, Form Post OP
  • FAPI-aligned certifications

Enterprise

  • SAML 2.0 for SSO
Authlete integrates with your HSM or signing backend rather than hosting your keys.
Learn more For flow-by-flow details, see the Flows & Protocol Guides.

Next steps

  • Start with the Quickstart to implement a minimal OAuth 2.0 authorization server.
  • Explore the API Reference for endpoint-by-endpoint integration details.
  • Review the Flows & Protocol Guides to see how Authlete supports specific profiles such as PKCE, FAPI, and CIBA.