Configuration
Default configuration keys for @quik/oauth-server live under the oauth.server namespace. See the generated Config Keys and Environment Variables tables for the full list.

- `oauth.server.enabled` - enables OAuth server flows globally. Defaults to `false`.
- `oauth.server.issuer` - issuer (`iss`) written into issued access tokens. Defaults to `http://localhost:3000`; set it to the public HTTPS origin of the server before exposing it.
- `oauth.server.http.authenticationPrefix` - API route prefix placed before the authentication `/oauth` segment. Defaults to `/auth`.
- `oauth.server.http.managementPrefix` - API route prefix placed before the management `/oauth/clients` segment. Defaults to `/`.
- `oauth.server.authorizationCode.timeToLiveSeconds` - authorization code lifetime. Defaults to `300`.
- `oauth.server.accessToken.timeToLiveSeconds` - access token lifetime. Defaults to `3600`.
- `oauth.server.refreshToken.timeToLiveSeconds` - refresh token lifetime. Defaults to `2592000` (30 days).
- `oauth.server.refreshToken.rotateOnUse` - issues a new refresh token on each exchange and invalidates the one that was used. Defaults to `true`.
- `oauth.server.pkce.requiredByDefault` - requires PKCE for the authorization code flow when the client profile does not specify otherwise. Defaults to `true`.
- `oauth.server.jwks.keyIdentifier` - key identifier (`kid`) exposed in JWKS responses.
- `oauth.server.jwks.rsaModulusLength` - RSA modulus length, in bits, for generated signing keys. Defaults to `2048`.
- `oauth.server.jwks.signing.privateKeyPem` / `publicKeyPem` - PEM-encoded signing key pair; leave both empty to use the generated fallback.
- `oauth.server.jwks.signing.allowGeneratedFallback` - allows ephemeral generated signing keys. Defaults to `true` only when `NODE_ENV=development`, otherwise `false`. A generated key is lost on restart, so every outstanding token becomes unverifiable and relying parties see a new JWKS; outside development, provide the PEM keys instead.
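The defaults above are tuned for local development, and several of them are unsafe to ship as-is. The following is an added start-up guard that checks a resolved oauth.server configuration for the production pitfalls the key list implies. It is example code written for this page, not part of @quik/oauth-server; the `OAuthServerConfig` type, `defaultConfig` and `productionIssues` are hypothetical names, and the 600-second ceiling on authorization codes follows the RFC 6749 recommendation rather than anything the package enforces.

```typescript
// Added example: a start-up guard for the oauth.server configuration keys.
// Hypothetical helper, not part of @quik/oauth-server.

export type OAuthServerConfig = {
  enabled: boolean;
  issuer: string;
  authorizationCode: { timeToLiveSeconds: number };
  accessToken: { timeToLiveSeconds: number };
  refreshToken: { timeToLiveSeconds: number; rotateOnUse: boolean };
  pkce: { requiredByDefault: boolean };
  jwks: {
    rsaModulusLength: number;
    signing: { privateKeyPem: string; publicKeyPem: string; allowGeneratedFallback: boolean };
  };
};

// Mirrors the documented defaults; allowGeneratedFallback follows NODE_ENV.
export function defaultConfig(nodeEnv: string = "production"): OAuthServerConfig {
  return {
    enabled: false,
    issuer: "http://localhost:3000",
    authorizationCode: { timeToLiveSeconds: 300 },
    accessToken: { timeToLiveSeconds: 3600 },
    refreshToken: { timeToLiveSeconds: 2592000, rotateOnUse: true },
    pkce: { requiredByDefault: true },
    jwks: {
      rsaModulusLength: 2048,
      signing: { privateKeyPem: "", publicKeyPem: "", allowGeneratedFallback: nodeEnv === "development" },
    },
  };
}

// Returns a list of problems; an empty list means the config is safe to expose.
export function productionIssues(cfg: OAuthServerConfig): string[] {
  const issues: string[] = [];
  if (!cfg.enabled) return issues; // nothing is exposed, nothing to check

  // The issuer is copied into every token; it must name the real TLS origin.
  let issuer: URL | null = null;
  try {
    issuer = new URL(cfg.issuer);
  } catch {
    issues.push("issuer is not a valid URL");
  }
  if (issuer && issuer.protocol !== "https:") issues.push("issuer must be an https URL");
  if (issuer && ["localhost", "127.0.0.1", "::1"].includes(issuer.hostname)) {
    issues.push("issuer still points at localhost (the development default)");
  }

  // Signing keys: presence only; PEM parsing is left to the server itself.
  const { privateKeyPem, publicKeyPem, allowGeneratedFallback } = cfg.jwks.signing;
  if (allowGeneratedFallback) {
    issues.push("jwks.signing.allowGeneratedFallback is true: keys regenerate on restart and invalidate all outstanding tokens");
  }
  if (!privateKeyPem.trim() || !publicKeyPem.trim()) {
    issues.push("jwks.signing.privateKeyPem and publicKeyPem must both be set");
  }
  if (cfg.jwks.rsaModulusLength < 2048) issues.push("jwks.rsaModulusLength below 2048 bits");

  // Flow hardening knobs that default on and should stay on.
  if (!cfg.pkce.requiredByDefault) issues.push("pkce.requiredByDefault is false; public clients can skip PKCE");
  if (!cfg.refreshToken.rotateOnUse) issues.push("refreshToken.rotateOnUse is false; stolen refresh tokens stay valid");

  // Lifetimes: RFC 6749 recommends codes live at most 10 minutes.
  if (cfg.authorizationCode.timeToLiveSeconds > 600) issues.push("authorizationCode TTL exceeds 600 seconds");
  if (cfg.accessToken.timeToLiveSeconds > 86400) issues.push("accessToken TTL exceeds one day");
  return issues;
}
```

Run `productionIssues` once at boot and refuse to start when it returns anything; a config that passes has a real HTTPS issuer, both PEM keys present, the generated fallback disabled, and the PKCE and rotation defaults intact.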
Built-in API endpoints
Default paths, given the defaults above (`authenticationPrefix=/auth`, `managementPrefix=/`):

Authentication endpoints:

- `POST /api/auth/oauth/authorize`
- `POST /api/auth/oauth/token`
- `POST /api/auth/oauth/introspect`
- `POST /api/auth/oauth/revoke`
- `GET /api/auth/oauth/.well-known/jwks.json`

Client management endpoints:

- `POST /api/oauth/clients/`
- `GET /api/oauth/clients/`
- `GET /api/oauth/clients/:clientId`
- `PATCH /api/oauth/clients/:clientId`
- `DELETE /api/oauth/clients/:clientId`

Request parameters for the authentication endpoints are typed entities under packages/oauth-server/src/entities/ (`OAuthAuthorizeRequestBody`, `OAuthTokenRequestBody`, `OAuthIntrospectRequestBody`, `OAuthRevokeRequestBody`).
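With `pkce.requiredByDefault` on, the authorize and token endpoints above are bound together by the PKCE code challenge: the client commits to a challenge at `/authorize` and proves possession of the matching verifier at `/token`. The block below is an added example of both halves, the client-side pair generation and the check the token endpoint has to perform when redeeming a code. It is illustrative code written for this page, not @quik/oauth-server's implementation; `createPkcePair`, `verifyPkce` and the stored-challenge record are hypothetical, and the parameter names (`code_challenge`, `code_challenge_method`, `code_verifier`) are the standard RFC 7636 names rather than a claim about the project's typed request bodies.

```typescript
// Added example: PKCE (RFC 7636) pair generation and token-endpoint
// verification. Hypothetical helpers, not @quik/oauth-server code.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

const b64url = (buf: Buffer): string => buf.toString("base64url");

// code_verifier must be 43..128 chars from the unreserved URI set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// Client side: verifier stays secret on the client; only the challenge
// travels in the POST /api/auth/oauth/authorize request.
export function createPkcePair(): { codeVerifier: string; codeChallenge: string; codeChallengeMethod: "S256" } {
  const codeVerifier = b64url(randomBytes(32)); // 32 random bytes -> 43 chars
  const codeChallenge = b64url(createHash("sha256").update(codeVerifier).digest());
  return { codeVerifier, codeChallenge, codeChallengeMethod: "S256" };
}

// What the server stored alongside the issued authorization code, or null
// when the authorize request carried no challenge.
export type StoredChallenge = { challenge: string; method: "S256" | "plain" } | null;

// Server side, at POST /api/auth/oauth/token (grant_type=authorization_code):
// decide whether the presented code_verifier redeems the stored challenge.
export function verifyPkce(stored: StoredChallenge, codeVerifier: string | undefined, pkceRequired: boolean): boolean {
  // No challenge was bound to the code: only acceptable when PKCE is optional.
  if (stored === null) return !pkceRequired && codeVerifier === undefined;

  // A challenge was bound, so a well-formed verifier is mandatory.
  if (codeVerifier === undefined || !VERIFIER_RE.test(codeVerifier)) return false;

  const expected =
    stored.method === "S256" ? b64url(createHash("sha256").update(codeVerifier).digest()) : codeVerifier;

  // Constant-time comparison; timingSafeEqual needs equal lengths first.
  const a = Buffer.from(expected);
  const b = Buffer.from(stored.challenge);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Convenience: the body a client would send to /token after the redirect.
export function tokenRequestBody(code: string, clientId: string, redirectUri: string, codeVerifier: string): Record<string, string> {
  return {
    grant_type: "authorization_code",
    code,
    client_id: clientId,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier,
  };
}
```

The `stored === null` branch is where `pkce.requiredByDefault` bites: with the default `true`, a code issued without a challenge is never redeemable, which closes the authorization-code interception attack PKCE exists to stop. The `plain` method is shown only because the RFC defines it; servers should accept `S256` only.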