Documentation
Authentication Concepts
A concise glossary of the ideas behind Radiant Auth integrations.
Identity provider (IdP)
Radiant Auth is the identity provider. It authenticates users, issues tokens, and exposes standard OAuth/OIDC endpoints under https://auth.rdnt.live/api/auth.
Relying party (client)
Your application is the relying party. It never handles passwords. Instead it redirects users to Radiant Auth and consumes tokens after a successful login.
Confidential vs public clients
- Confidential — server-side apps that can keep
YOUR_CLIENT_SECRETprivate (Next.js route handlers, Workers, Express, Hono). - Public — native or SPA clients that cannot keep a secret. Always use PKCE; do not embed client secrets in apps.
Authorization code
A short-lived code returned to your redirect URI after the user authenticates. It is useless without your code_verifier (PKCE) and, for confidential clients, your client secret.
PKCE
Proof Key for Code Exchange binds the token request to the original authorize request. Radiant Auth supports S256 only. Generate a random verifier, hash it with SHA-256, and send the challenge on authorize; send the verifier on token exchange.
Tokens
- Access token — call UserInfo or your APIs. Often a JWT with an audience when
resourceis requested. - ID token — OIDC identity assertion for the end user (
sub, profile claims, optionaldiscord_user_id). - Refresh token — obtain new access tokens when
offline_accesswas granted.
Scopes
| Scope | Effect |
|---|---|
openid | Required for OIDC; enables ID token and UserInfo |
profile | Name, picture, and related profile claims |
email | Email and email_verified |
offline_access | Issues a refresh token |
Sessions
Radiant Auth maintains its own cookie session for the login UI. Your app should maintain a separate local session after token exchange — typically an opaque cookie mapped to stored tokens server-side.