Skip to main content

Quick Start

Copy page Get up and running with Authlete API in minutes

Quick Start Guide

Get started with Authlete API in just a few minutes. This guide walks you through creating a service, registering a client, installing the SDK, and wiring the five key OAuth endpoints with real payloads.

Prerequisites

  • An Authlete account (Sign up here)
  • Basic understanding of OAuth 2.0 concepts
  • Node.js 18+, TypeScript, and curl

Step 1: Create a Service (Console)

  1. Go to console.authlete.com
  2. Sign up or log in
  3. Click Create Service
  4. Fill in the form:
    • Service Name: e.g., Customer Portal
    • Description: Internal OAuth server for customer apps
    • Service Profile: Pick the region/profile that matches your data residency and regulatory needs
  5. Save the service

Step 2: Get Your API Credentials

After saving, Authlete shows:
  • Service API Key (serviceId)
  • Service API Secret (serviceSecret)
  • Service Access Token (create under Service Settings → Access Tokens, scope: service.manage, client.manage, authserver.*)
Keep secrets server-side only. For this guide we’ll assume: 
SERVICE_ID=715948317
SERVICE_SECRET=5t5CO9JsNiBNXVdnjMzMf6jlx6gxSPTL9E9zhXiFyto
SERVICE_ACCESS_TOKEN=xk1Cnyy9O-7b5q9a6-98g2oYO0trF9IS0ERi0iOGMqQ
Store them in .env: 
AUTHLETE_BASE_URL=https://us.authlete.com
AUTHLETE_SERVICE_ID=715948317
AUTHLETE_SERVICE_SECRET=5t5CO9JsNiBNXVdnjMzMf6jlx6gxSPTL9E9zhXiFyto
AUTHLETE_BEARER=xk1Cnyy9O-7b5q9a6-98g2oYO0trF9IS0ERi0iOGMqQ

Step 3: Make Your First API Call (Get Service)

Install the official SDK and call service.get to verify connectivity. 
npm install @authlete/typescript-sdk

// get-service.ts
import 'dotenv/config';
import { Authlete } from '@authlete/typescript-sdk';

const authlete = new Authlete({
  bearer: process.env.AUTHLETE_BEARER ?? '',
  serverURL: process.env.AUTHLETE_BASE_URL ?? 'https://us.authlete.com'
});

async function main() {
  const service = await authlete.service.get({
    serviceId: process.env.AUTHLETE_SERVICE_ID ?? ''
  });
  console.log('✅ Service loaded:', service.serviceName);
}

main().catch(console.error);
Run with npx tsx get-service.ts. Equivalent cURL 
curl -X GET "https://us.authlete.com/api/service/get/715948317" \
  -H "Authorization: Bearer xk1Cnyy9O-7b5q9a6-98g2oYO0trF9IS0ERi0iOGMqQ" \
  -H "Content-Type: application/json"

Step 4: Create Your First Client

TypeScript

// create-client.ts
import 'dotenv/config';
import { Authlete } from '@authlete/typescript-sdk';

const authlete = new Authlete({
  bearer: process.env.AUTHLETE_BEARER ?? '',
  serverURL: process.env.AUTHLETE_BASE_URL ?? 'https://us.authlete.com'
});

async function main() {
  const client = await authlete.client.create({
    serviceId: process.env.AUTHLETE_SERVICE_ID ?? '',
    client: {
      clientName: 'Demo SPA',
      description: 'Local React application',
      clientType: 'CONFIDENTIAL',
      redirectUris: ['http://localhost:3000/callback'],
      grantTypes: ['AUTHORIZATION_CODE', 'REFRESH_TOKEN'],
      applicationType: 'WEB',
      defaultMaxAge: 3600
    }
  });

  console.log('Client ID:', client.clientId);
  console.log('Client Secret:', client.clientSecret);
}

main().catch(console.error);

cURL

curl -X POST "https://us.authlete.com/api/client/create/715948317" \
  -H "Authorization: Bearer xk1Cnyy9O-7b5q9a6-98g2oYO0trF9IS0ERi0iOGMqQ" \
  -H "Content-Type: application/json" \
  -d '{
    "client": {
      "clientName": "Demo SPA",
      "description": "Local React application",
      "clientType": "CONFIDENTIAL",
      "redirectUris": ["http://localhost:3000/callback"],
      "grantTypes": ["AUTHORIZATION_CODE", "REFRESH_TOKEN"],
      "applicationType": "WEB"
    }
  }'
Write down the returned clientId and clientSecret (e.g., 3737820648 / dETX4AAyQh7s0CSq...).

Step 5: Test the OAuth Flow (Five Endpoints)

Use the same credentials to stand up an Express API. Each endpoint uses @authlete/typescript-sdk and includes a matching curl invocation so you can test manually. 
// oauth-server.ts
import 'dotenv/config';
import express from 'express';
import { Authlete } from '@authlete/typescript-sdk';

const app = express();
app.use(express.json());

const authlete = new Authlete({
  bearer: process.env.AUTHLETE_BEARER ?? '',
  serverURL: process.env.AUTHLETE_BASE_URL ?? 'https://us.authlete.com'
});

const SERVICE_ID = process.env.AUTHLETE_SERVICE_ID ?? '';
const CLIENT_ID = process.env.AUTHLETE_CLIENT_ID ?? '3737820648';
const CLIENT_SECRET =
  process.env.AUTHLETE_CLIENT_SECRET ??
  'dETX4AAyQh7s0CSq-mX7EK5Vayq8TOp5RiumH7N_YBuj8pfAYZtmVLwFvvDUZRg8sUzgmajqmut282STbDZXMw';

1. Authorization Request (POST /oauth/authorize)

What happens? Authlete parses the raw authorization request and returns a ticket plus action for the next step. 
app.post('/oauth/authorize', async (req, res) => {
  const payload = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: 'http://localhost:3000/callback',
    scope: 'openid profile email',
    state: 'demo123'
  }).toString();

  const result = await authlete.authorization.processRequest({
    serviceId: SERVICE_ID,
    authorizationRequest: { parameters: payload }
  });

  res.json(result);
});
cURL 
curl -X POST "http://localhost:3004/oauth/authorize" \
  -H "Content-Type: application/json" \
  -d '{}'
(The backend constructs the parameters string internally with demo values.)

2. Consent / Issue Authorization Code (POST /oauth/consent)

What happens? Exchange Authlete’s ticket plus a user subject for an authorization code. 
app.post('/oauth/consent', async (req, res) => {
  const { ticket } = req.body;

  const result = await authlete.authorization.issue({
    serviceId: SERVICE_ID,
    authorizationIssueRequest: {
      ticket,
      subject: 'user-123',
      authTime: Math.floor(Date.now() / 1000),
      scopes: ['openid', 'profile', 'email']
    }
  });

  res.json(result);
});
cURL 
curl -X POST "http://localhost:3004/oauth/consent" \
  -H "Content-Type: application/json" \
  -d '{ "ticket": "5d4f6c0a-authorization-ticket" }'

3. Token Exchange (POST /oauth/token)

What happens? Send the authorization code plus client credentials to Authlete; receive access/refresh tokens. 
app.post('/oauth/token', async (req, res) => {
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code: req.body.code ?? 'AUTHZ_CODE_FROM_CONSENT_STEP',
    redirect_uri: 'http://localhost:3000/callback'
  }).toString();

  const result = await authlete.token.process({
    serviceId: SERVICE_ID,
    tokenRequest: {
      parameters: params,
      clientId: CLIENT_ID,
      clientSecret: CLIENT_SECRET
    }
  });

  res.json(result);
});
cURL 
curl -X POST "http://localhost:3004/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{ "code": "AUTHZ_CODE_FROM_CONSENT_STEP" }'

4. Introspect Access Token (POST /oauth/introspect)

What happens? Verify if the access token is active and what scopes/subject it represents. 
app.post('/oauth/introspect', async (req, res) => {
  const result = await authlete.introspection.process({
    serviceId: SERVICE_ID,
    introspectionRequest: {
      token: req.body.token ?? 'ACCESS_TOKEN_FROM_TOKEN_STEP',
      scopes: ['openid']
    }
  });

  res.json(result);
});
cURL 
curl -X POST "http://localhost:3004/oauth/introspect" \
  -H "Content-Type: application/json" \
  -d '{ "token": "ACCESS_TOKEN_FROM_TOKEN_STEP" }'

5. Call a Protected API (GET /api/profile)

What happens? Your resource server calls /oauth/introspect; if active: true it returns private data. 
app.get('/api/profile', async (req, res) => {
  const token = req.headers.authorization?.replace('Bearer ', '');
  if (!token) {
    return res.status(401).json({ error: 'Missing Bearer token' });
  }

  const introspection = await authlete.introspection.process({
    serviceId: SERVICE_ID,
    introspectionRequest: { token, scopes: ['profile'] }
  });

  if (!introspection.active) {
    return res.status(403).json({ error: 'Token inactive' });
  }

  res.json({
    accountId: '12345',
    subject: introspection.sub,
    scopes: introspection.scope?.split(' '),
    email: '[email protected]'
  });
});
cURL 
curl -X GET "http://localhost:3004/api/profile" \
  -H "Authorization: Bearer ACCESS_TOKEN_FROM_TOKEN_STEP"
Start the server with: 
npx tsx oauth-server.ts

app.listen(3004, () => {
  console.log('Authlete quickstart running on http://localhost:3004');
});

Next Steps

GuideSummary
Authentication GuideLearn Authlete authentication models and token scopes
OAuth 2.0 FlowDeep dive into the full flow and consent UX
API ReferenceBrowse every management and runtime endpoint
Service ManagementAutomate service configuration and governance

Need Help?