Documentation

Access Tokens

Access tokens authorize API calls to Radiant Auth (and your APIs when audience-bound).

Purpose

The access token is returned from the token endpoint after a successful authorization code or refresh grant. Send it as a Bearer token.

userinfo.ts
const res = await fetch("https://auth.rdnt.live/api/auth/oauth2/userinfo", {
  headers: {
    Authorization: `Bearer ${accessToken}`,
  },
});

Lifetime

Access tokens commonly expire in about 3600 seconds. Check expires_in from the token response and refresh before expiry (for example, within 60 seconds of expiration).

Audience / resource

You may pass a resource parameter when authorizing (and on some token requests) so JWT access tokens are issued for your API audience. The audience must be allowlisted by Radiant Auth (VALID_AUDIENCES on the server).

Warning
Only request audiences that Radiant Networks has configured for your client. Unknown audiences are rejected.

Storage

  • Store access tokens on the server associated with your session.
  • Never expose them to client-side JavaScript unless you are building a public native/SPA client with a deliberate threat model.
  • Transmit only over HTTPS.
Note
Treat access tokens as credentials. Prefer short lifetimes plus refresh tokens over long-lived access tokens.