Documentation

Getting Started

Radiant Auth is the central identity provider for Radiant Networks. This guide explains how authentication works and what you need to integrate.

What is Radiant Auth?

Radiant Auth (https://auth.rdnt.live) is a hosted OAuth 2.1 and OpenID Connect (OIDC) provider. Your application registers as an OAuth client and never stores user passwords. Users sign in on Radiant Auth (email/password or Discord), then return to your app with an authorization code.

Architecture

Your App (RP)

Confidential / public client

Radiant Auth

auth.rdnt.live

User

Login / consent

  1. App redirects to /api/auth/oauth2/authorize with PKCE (S256)
  2. User authenticates on Radiant Auth (email or Discord)
  3. Auth redirects back with ?code=…&state=…
  4. App exchanges code + code_verifier at /api/auth/oauth2/token
  5. App verifies tokens (JWKS) and creates a local session

How authentication works

Radiant Auth is the authorization server (IdP). Your app is the relying party (RP / client). The recommended flow is Authorization Code with PKCE:

  1. Your app redirects the user to the authorize endpoint with a PKCE challenge.
  2. The user authenticates (and consents, if required).
  3. Radiant Auth redirects to your registered redirect URI with a short-lived code.
  4. Your backend exchanges the code + code_verifier for tokens.
  5. You verify the ID token / access token and create a local app session.

Required redirect URIs

Every OAuth client must register exact redirect URIs. Typical patterns:

  • Production: https://your-app.example/api/auth/callback
  • Local development: http://localhost:3000/api/auth/callback
Warning
The redirect_uri sent at authorize and token time must match a registered value exactly (scheme, host, path, and trailing slash).

Environment variables

Client credentials are provided by Radiant Networks. Use placeholders in code and docs — never commit real secrets.

.env
# Provided by Radiant Networks — do not invent credentials
AUTH_ISSUER=https://auth.rdnt.live/api/auth
AUTH_CLIENT_ID=YOUR_CLIENT_ID
AUTH_CLIENT_SECRET=YOUR_CLIENT_SECRET
AUTH_REDIRECT_URI=https://your-app.example/api/auth/callback
AUTH_AUDIENCE=https://your-app.example
VariablePurpose
AUTH_ISSUEROIDC issuer — usually https://auth.rdnt.live/api/auth
AUTH_CLIENT_IDYour OAuth client ID (YOUR_CLIENT_ID)
AUTH_CLIENT_SECRETConfidential client secret (YOUR_CLIENT_SECRET)
AUTH_REDIRECT_URIRegistered callback URL
AUTH_AUDIENCEOptional JWT audience / resource for your API
Tip
Discover endpoints dynamically from https://auth.rdnt.live/.well-known/openid-configuration (redirects to the canonical discovery document under the issuer).

Login flow

  1. Generate PKCE + state

    Create a high-entropy code_verifier, derive the S256 code_challenge, and generate state (and preferably nonce). Store verifier/state in a short-lived, httpOnly cookie or server session.
  2. Redirect to authorize

    Send the browser to https://auth.rdnt.live/api/auth/oauth2/authorize with response_type=code, your client ID, redirect URI, scopes, PKCE params, and state.
  3. User signs in

    The user authenticates on Radiant Auth. Unauthenticated users are sent to the login UI first; some first-party clients skip consent.

Callback flow

  1. Validate the callback

    Confirm state matches what you stored. Read code from the query string. Reject on error parameters.
  2. Exchange the code

    POST to https://auth.rdnt.live/api/auth/oauth2/token with grant_type=authorization_code, the code, code_verifier, redirect URI, and client credentials.
  3. Establish a session

    Verify the id_token (and access token if JWT) using JWKS at https://auth.rdnt.live/api/auth/jwks. Persist tokens server-side and set your own opaque session cookie.
Note
Scopes typically used: openid profile email offline_access. Include offline_access when you need refresh tokens.

Next steps