Authorization Server

An authorization server is the OAuth 2.0 component that authenticates the resource owner, obtains their consent, and issues access tokens (and optionally refresh tokens and ID tokens) to clients. It is the central identity authority in any OAuth or OIDC system.

Core endpoints

• /authorize : where the user-agent is sent for login and consent
• /token : exchanges authorization codes (or refresh tokens, or client credentials) for access tokens
• /userinfo : returns identity claims about the authenticated user (OIDC)
• /jwks : publishes the public keys used to sign tokens
• /.well-known/openid-configuration : discovery document listing all endpoints and capabilities
• /introspect : lets resource servers check whether a token is still valid
• /revoke : lets clients invalidate access or refresh tokens

Common implementations

• Hosted: Auth0, Okta, Clerk, Stytch, WorkOS, AWS Cognito, Azure Entra ID
• Self-hosted: Keycloak, Ory Hydra, Authentik, Zitadel, Authelia

🔗

Related Terms OAuth 2.0, OIDC, JWT, JWS, Bearer Token, Refresh Token, PKCE, SAML.