Documentation

Authentication Concepts

A concise glossary of the ideas behind Radiant Auth integrations.

Identity provider (IdP)

Radiant Auth is the identity provider. It authenticates users, issues tokens, and exposes standard OAuth/OIDC endpoints under https://auth.rdnt.live/api/auth.

Relying party (client)

Your application is the relying party. It never handles passwords. Instead it redirects users to Radiant Auth and consumes tokens after a successful login.

Confidential vs public clients

  • Confidential — server-side apps that can keep YOUR_CLIENT_SECRET private (Next.js route handlers, Workers, Express, Hono).
  • Public — native or SPA clients that cannot keep a secret. Always use PKCE; do not embed client secrets in apps.

Authorization code

A short-lived code returned to your redirect URI after the user authenticates. It is useless without your code_verifier (PKCE) and, for confidential clients, your client secret.

PKCE

Proof Key for Code Exchange binds the token request to the original authorize request. Radiant Auth supports S256 only. Generate a random verifier, hash it with SHA-256, and send the challenge on authorize; send the verifier on token exchange.

Tokens

  • Access token — call UserInfo or your APIs. Often a JWT with an audience when resource is requested.
  • ID token — OIDC identity assertion for the end user (sub, profile claims, optional discord_user_id).
  • Refresh token — obtain new access tokens when offline_access was granted.

Scopes

ScopeEffect
openidRequired for OIDC; enables ID token and UserInfo
profileName, picture, and related profile claims
emailEmail and email_verified
offline_accessIssues a refresh token

Sessions

Radiant Auth maintains its own cookie session for the login UI. Your app should maintain a separate local session after token exchange — typically an opaque cookie mapped to stored tokens server-side.

Note
Do not reuse Radiant Auth session cookies in your application. Treat tokens as server secrets and expose only your own session cookie to the browser.