API Reference
Exhaustive endpoint reference, grouped by purpose. For the why of each surface, see Concepts — the reference pages are deliberately terse and contract-focused.
OAuth / OIDC
- OAuth Endpoints —
/connect/*and/.well-known/*: authorize, token, userinfo, introspection, discovery, JWKS, end-session, device-code, dynamic registration.
Authentication
- Auth Endpoints —
/api/account/*and friends: login, register, magic-link, 2FA enrolment, password reset, change-request submission, bootstrap-invite consumption.
Administration
- Admin Endpoints — the tenant-admin surface under
/api/admin/*: users, groups, roles, OAuth client/scope/API CRUD, login providers, IdP config, auth log, change-request review. - Realm Endpoints — Control-Plane-only:
/api/admin/realms/*. Realm CRUD withInitialAdminbootstrap invite issuance.
Conventions
All endpoints return JSON. Paginated lists wrap their items in { "Items": [...], "TotalCount": N }. Errors follow RFC 7807 problem-detail format. Authentication is either a session cookie (/api/admin/*, /api/account/* after login) or a Bearer token (/api/v1/distribution/*, resource-server-shaped endpoints) — each page calls out which.