Documentation

OpenID Connect

OIDC sits on top of OAuth 2.1 and adds identity: ID tokens, UserInfo, and discovery.

Issuer

The OIDC issuer is https://auth.rdnt.live/api/auth. Prefer discovering endpoints rather than hard-coding paths.

discovery.ts
const res = await fetch("https://auth.rdnt.live/.well-known/openid-configuration", { redirect: "follow" });
const discovery = await res.json();

// Useful fields:
// discovery.authorization_endpoint
// discovery.token_endpoint
// discovery.userinfo_endpoint
// discovery.jwks_uri
// discovery.end_session_endpoint
// discovery.revocation_endpoint
Tip
GET /.well-known/openid-configuration on the site origin redirects to the canonical document at https://auth.rdnt.live/api/auth/.well-known/openid-configuration.

ID tokens

When you request the openid scope, the token endpoint returns an id_token JWT. Verify it with keys from https://auth.rdnt.live/api/auth/jwks and check at least:

  • iss matches the issuer
  • aud includes your YOUR_CLIENT_ID
  • exp is in the future
  • nonce matches the value you sent (if used)

Standard claims

ClaimNotes
subStable user identifier
name / pictureVia profile scope
email / email_verifiedVia email scope
discord_user_idCustom claim when Discord is linked

UserInfo

Call GET or POST https://auth.rdnt.live/api/auth/oauth2/userinfo with Authorization: Bearer <access_token>. The access token must include the openid scope.

RP-initiated logout

Use https://auth.rdnt.live/api/auth/oauth2/end-session with an id_token_hint (and optionally post_logout_redirect_uri) when your client has end-session enabled. Always revoke local tokens as well — see Logging Out.

Note
Radiant Auth also publishes authorization server metadata at https://auth.rdnt.live/api/auth/.well-known/oauth-authorization-server.