Documentation
Getting Started
Radiant Auth is the central identity provider for Radiant Networks. This guide explains how authentication works and what you need to integrate.
What is Radiant Auth?
Radiant Auth (https://auth.rdnt.live) is a hosted OAuth 2.1 and OpenID Connect (OIDC) provider. Your application registers as an OAuth client and never stores user passwords. Users sign in on Radiant Auth (email/password or Discord), then return to your app with an authorization code.
Architecture
Your App (RP)
Confidential / public client
Radiant Auth
auth.rdnt.live
User
Login / consent
- App redirects to /api/auth/oauth2/authorize with PKCE (S256)
- User authenticates on Radiant Auth (email or Discord)
- Auth redirects back with ?code=…&state=…
- App exchanges code + code_verifier at /api/auth/oauth2/token
- App verifies tokens (JWKS) and creates a local session
How authentication works
Radiant Auth is the authorization server (IdP). Your app is the relying party (RP / client). The recommended flow is Authorization Code with PKCE:
- Your app redirects the user to the authorize endpoint with a PKCE challenge.
- The user authenticates (and consents, if required).
- Radiant Auth redirects to your registered redirect URI with a short-lived
code. - Your backend exchanges the code +
code_verifierfor tokens. - You verify the ID token / access token and create a local app session.
Required redirect URIs
Every OAuth client must register exact redirect URIs. Typical patterns:
- Production:
https://your-app.example/api/auth/callback - Local development:
http://localhost:3000/api/auth/callback
redirect_uri sent at authorize and token time must match a registered value exactly (scheme, host, path, and trailing slash).Environment variables
Client credentials are provided by Radiant Networks. Use placeholders in code and docs — never commit real secrets.
# Provided by Radiant Networks — do not invent credentials
AUTH_ISSUER=https://auth.rdnt.live/api/auth
AUTH_CLIENT_ID=YOUR_CLIENT_ID
AUTH_CLIENT_SECRET=YOUR_CLIENT_SECRET
AUTH_REDIRECT_URI=https://your-app.example/api/auth/callback
AUTH_AUDIENCE=https://your-app.example| Variable | Purpose |
|---|---|
AUTH_ISSUER | OIDC issuer — usually https://auth.rdnt.live/api/auth |
AUTH_CLIENT_ID | Your OAuth client ID (YOUR_CLIENT_ID) |
AUTH_CLIENT_SECRET | Confidential client secret (YOUR_CLIENT_SECRET) |
AUTH_REDIRECT_URI | Registered callback URL |
AUTH_AUDIENCE | Optional JWT audience / resource for your API |
Login flow
Generate PKCE + state
Create a high-entropycode_verifier, derive the S256code_challenge, and generatestate(and preferablynonce). Store verifier/state in a short-lived, httpOnly cookie or server session.Redirect to authorize
Send the browser tohttps://auth.rdnt.live/api/auth/oauth2/authorizewithresponse_type=code, your client ID, redirect URI, scopes, PKCE params, and state.User signs in
The user authenticates on Radiant Auth. Unauthenticated users are sent to the login UI first; some first-party clients skip consent.
Callback flow
Validate the callback
Confirmstatematches what you stored. Readcodefrom the query string. Reject onerrorparameters.Exchange the code
POSTtohttps://auth.rdnt.live/api/auth/oauth2/tokenwithgrant_type=authorization_code, the code,code_verifier, redirect URI, and client credentials.Establish a session
Verify theid_token(and access token if JWT) using JWKS athttps://auth.rdnt.live/api/auth/jwks. Persist tokens server-side and set your own opaque session cookie.
openid profile email offline_access. Include offline_access when you need refresh tokens.Next steps
- Integration Guide — full code-level walkthrough
- SDK Examples — Next.js, Workers, Swift, and more
- API Reference — endpoint details