Skip to content

Endpoints

All endpoints are hosted at https://id.littlexlittle.org. The discovery document at /.well-known/openid-configuration is the source of truth — read it at runtime rather than hardcoding paths.

Method Path Spec Auth
GET /.well-known/openid-configuration OIDC Discovery Public
GET /.well-known/jwks.json RFC 7517 Public
GET /sdk.js LXL custom Public
GET /oidc/authorize OAuth 2.0 §4.1 User session
POST /oidc/token OAuth 2.0 §4.1.3, §6 Client (Basic or POST)
GET /oidc/userinfo OIDC Core §5.3 Bearer access_token
POST /oidc/revoke RFC 7009 Client
POST /oidc/introspect RFC 7662 Confidential client
GET /oidc/logout OIDC RP-Logout 1.0 Optional id_token_hint
GET /oidc/iframe/check_session OIDC Session Mgmt 1.0 Cookie
GET /oidc/onetap LXL custom Cookie
GET /fedcm.json FedCM Public

GET /oidc/authorize

Start the authorization code flow. The user is shown a consent screen if they have not previously consented to the requested scopes for this client.

Query parameters

Name Required Description
response_type yes Must be code.
client_id yes Your registered client identifier.
redirect_uri yes Must match a pre-registered redirect URI exactly.
scope yes Space-separated scopes. Must include openid.
state recommended Opaque CSRF token; echoed back verbatim.
nonce recommended Bound into the id_token to prevent replay.
code_challenge required for public clients base64url(SHA256(verifier)).
code_challenge_method required if code_challenge set Must be S256.
prompt no none | login | consent | select_account.
login_hint no Account code or email to pre-fill.
id_token_hint no Previous id_token, used for silent re-auth.
max_age no Force re-auth if last login is older.
ui_locales no Space-separated BCP 47 locales.

Response

302 redirect to redirect_uri with either ?code=...&state=... on success or ?error=...&error_description=...&state=... on failure.

POST /oidc/token

Exchange a code or refresh token for tokens.

Body (form-encoded)

Authorization code

http grant_type=authorization_code code=AUTH_CODE redirect_uri=https://yoursite.org/cb client_id=YOUR_CLIENT_ID code_verifier=PKCE_VERIFIER (public clients) client_secret=YOUR_SECRET (confidential clients, alt: HTTP Basic)

Refresh

http grant_type=refresh_token refresh_token=REFRESH client_id=YOUR_CLIENT_ID client_secret=YOUR_SECRET (confidential clients) scope=openid profile email (optional, narrows scope)

Response

json { "access_token": "...", "refresh_token": "...", "id_token": "eyJ...", "token_type": "Bearer", "expires_in": 3600, "scope": "openid profile email" }

GET /oidc/userinfo

Returns the user claims authorized by the access token's scopes.

bash curl https://id.littlexlittle.org/oidc/userinfo \ -H "Authorization: Bearer ACCESS_TOKEN"

json { "sub": "Bootim", "email": "you@example.org", "email_verified": true, "name": "Jane Doe", "picture": "https://cdn.littlexlittle.org/u/Bootim.jpg", "lxl.app": "bootim", "lxl.access": ["Website:Media", "Donations:View"] }

POST /oidc/revoke

RFC 7009. Revoke an access or refresh token.

http token=THE_TOKEN token_type_hint=access_token | refresh_token (optional) client_id=YOUR_CLIENT_ID client_secret=YOUR_SECRET (confidential clients)

Always returns 200 with empty body. Revoking a refresh token revokes the entire chain.

POST /oidc/introspect

RFC 7662. Confidential clients only.

http token=THE_TOKEN token_type_hint=access_token

json { "active": true, "scope": "openid profile email", "client_id": "your-client-id", "username": "Bootim", "exp": 1714683600, "iat": 1714680000, "sub": "Bootim", "aud": "your-client-id", "iss": "https://id.littlexlittle.org" }

GET /oidc/logout

OIDC RP-Initiated Logout 1.0. See the logout guide.

Param Description
id_token_hint The user's id_token (recommended).
post_logout_redirect_uri Where to send them after sign-out. Must be registered.
state Echoed back.
client_id Required if id_token_hint is omitted.