Documentation
Access Tokens
Access tokens authorize API calls to Radiant Auth (and your APIs when audience-bound).
Purpose
The access token is returned from the token endpoint after a successful authorization code or refresh grant. Send it as a Bearer token.
userinfo.ts
const res = await fetch("https://auth.rdnt.live/api/auth/oauth2/userinfo", {
headers: {
Authorization: `Bearer ${accessToken}`,
},
});Lifetime
Access tokens commonly expire in about 3600 seconds. Check expires_in from the token response and refresh before expiry (for example, within 60 seconds of expiration).
Audience / resource
You may pass a resource parameter when authorizing (and on some token requests) so JWT access tokens are issued for your API audience. The audience must be allowlisted by Radiant Auth (VALID_AUDIENCES on the server).
Warning
Only request audiences that Radiant Networks has configured for your client. Unknown audiences are rejected.
Storage
- Store access tokens on the server associated with your session.
- Never expose them to client-side JavaScript unless you are building a public native/SPA client with a deliberate threat model.
- Transmit only over HTTPS.
Note
Treat access tokens as credentials. Prefer short lifetimes plus refresh tokens over long-lived access tokens.