Documentation
OpenID Connect
OIDC sits on top of OAuth 2.1 and adds identity: ID tokens, UserInfo, and discovery.
Issuer
The OIDC issuer is https://auth.rdnt.live/api/auth. Prefer discovering endpoints rather than hard-coding paths.
discovery.ts
const res = await fetch("https://auth.rdnt.live/.well-known/openid-configuration", { redirect: "follow" });
const discovery = await res.json();
// Useful fields:
// discovery.authorization_endpoint
// discovery.token_endpoint
// discovery.userinfo_endpoint
// discovery.jwks_uri
// discovery.end_session_endpoint
// discovery.revocation_endpointTip
GET /.well-known/openid-configuration on the site origin redirects to the canonical document at https://auth.rdnt.live/api/auth/.well-known/openid-configuration.ID tokens
When you request the openid scope, the token endpoint returns an id_token JWT. Verify it with keys from https://auth.rdnt.live/api/auth/jwks and check at least:
issmatches the issueraudincludes yourYOUR_CLIENT_IDexpis in the futurenoncematches the value you sent (if used)
Standard claims
| Claim | Notes |
|---|---|
sub | Stable user identifier |
name / picture | Via profile scope |
email / email_verified | Via email scope |
discord_user_id | Custom claim when Discord is linked |
UserInfo
Call GET or POST https://auth.rdnt.live/api/auth/oauth2/userinfo with Authorization: Bearer <access_token>. The access token must include the openid scope.
RP-initiated logout
Use https://auth.rdnt.live/api/auth/oauth2/end-session with an id_token_hint (and optionally post_logout_redirect_uri) when your client has end-session enabled. Always revoke local tokens as well — see Logging Out.
Note
Radiant Auth also publishes authorization server metadata at
https://auth.rdnt.live/api/auth/.well-known/oauth-authorization-server.