---
title: Discovery & JWKS
---

# Discovery & JWKS

## `/.well-known/openid-configuration`

The discovery document advertises every supported feature and every endpoint. Always fetch it at runtime instead of hard-coding endpoints — paths and capabilities can change.

```bash
curl https://id.littlexlittle.org/.well-known/openid-configuration
```

Sample response:

```json
{
  "issuer": "https://id.littlexlittle.org",
  "authorization_endpoint": "https://id.littlexlittle.org/oidc/authorize",
  "token_endpoint":         "https://id.littlexlittle.org/oidc/token",
  "userinfo_endpoint":      "https://id.littlexlittle.org/oidc/userinfo",
  "revocation_endpoint":    "https://id.littlexlittle.org/oidc/revoke",
  "introspection_endpoint": "https://id.littlexlittle.org/oidc/introspect",
  "end_session_endpoint":   "https://id.littlexlittle.org/oidc/logout",
  "jwks_uri":               "https://id.littlexlittle.org/.well-known/jwks.json",
  "scopes_supported":       ["openid","profile","email","offline_access","lxl.access"],
  "response_types_supported": ["code"],
  "grant_types_supported":    ["authorization_code","refresh_token"],
  "subject_types_supported":  ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "code_challenge_methods_supported": ["S256"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic","client_secret_post","none"],
  "claims_supported": [
    "sub","iss","aud","exp","iat","auth_time","nonce",
    "name","given_name","family_name","picture","email","email_verified",
    "lxl.app","lxl.access","lxl.master","lxl.role","lxl.links"
  ],
  "ui_locales_supported": ["en"],
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": false,
  "claims_parameter_supported": false
}
```

## `/.well-known/jwks.json`

Public keys for verifying `id_token` signatures.

```bash
curl https://id.littlexlittle.org/.well-known/jwks.json
```

```json
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "m-ipibEBWSvzmoTLYdygRA",
      "n":   "0vx7agoebGcQ...",
      "e":   "AQAB"
    },
    {
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "previous-key-id",
      "n":   "...",
      "e":   "AQAB"
    }
  ]
}
```

## Key rotation

- Keys rotate every **90 days**.
- The previous key remains in JWKS until **all tokens it signed have expired** (refresh TTL + grace).
- Always look up the key by `kid` from the JWT header rather than picking the first one.
- Cache the JWKS for at most 6h, and refresh it immediately when a token's `kid` is not in the cached set.
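A relying-party verifier that follows these rotation rules, added here as an illustration (it is not code from the littlexlittle service): it caches the JWKS for 6h, resolves the signing key by the header `kid`, refreshes once on a `kid` miss, and additionally pins `alg` to the RS256 that the discovery document advertises. It uses only the Python standard library so it runs offline, which is why the RS256 check is written out by hand; a production client would use a maintained JOSE library. `fetch` is an assumed caller-supplied function that GETs `jwks_uri` and returns the JSON text.

```python
import base64
import hashlib
import json
import time
ALLOWED_ALGS = {"RS256"}  # what discovery advertises; never trust the token's own alg
DIGEST_INFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 prefix

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class JWKSCache:
    def __init__(self, fetch, max_age=6 * 3600):  # fetch() returns the JWKS JSON text (assumed helper)
        self.fetch, self.max_age, self.keys, self.fetched_at = fetch, max_age, {}, 0.0

    def _refresh(self):
        self.keys = {k["kid"]: k for k in json.loads(self.fetch())["keys"]}
        self.fetched_at = time.monotonic()

    def rsa_key(self, kid):
        """Resolve kid to (n, e): refresh when the 6h cache expires, and once on a kid miss."""
        if not self.keys or time.monotonic() - self.fetched_at > self.max_age:
            self._refresh()
        if kid not in self.keys:  # a rotation may have published a new kid
            self._refresh()
        k = self.keys.get(kid)
        if k is None:
            raise ValueError(f"unknown kid {kid!r}")
        if (k.get("kty"), k.get("use"), k.get("alg")) != ("RSA", "sig", "RS256"):
            raise ValueError("JWK is not an RS256 signing key")
        return tuple(int.from_bytes(b64url_decode(k[f]), "big") for f in ("n", "e"))

def rs256_verify(n: int, e: int, signing_input: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256: EM must be 00 01 FF..FF 00 || DigestInfo || SHA-256(m)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = DIGEST_INFO_SHA256 + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_id_token(token: str, cache: JWKSCache) -> dict:
    """Pin alg, select the key by header kid, check the signature, return the claims."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("alg not allowed")  # rejects alg=none / HS256 downgrade
    n, e = cache.rsa_key(header.get("kid"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))
```

The returned claims still need the usual checks (`iss`, `aud`, `exp`, `nonce`) before the token is trusted.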

## `/fedcm.json`

The FedCM identity-provider manifest, served at the root for browser discovery.

```json
{
  "accounts_endpoint":         "/oidc/fedcm/accounts",
  "client_metadata_endpoint":  "/oidc/fedcm/metadata",
  "id_assertion_endpoint":     "/oidc/fedcm/assertion",
  "login_url":                 "/login",
  "branding": {
    "background_color":        "#5e35b1",
    "color":                   "#ffffff",
    "icons": [{
      "url": "https://cdn.littlexlittle.org/brand/icon-192.png",
      "size": 192
    }]
  }
}
```
