Configuration

Default configuration keys for @quik/oauth-server, under the oauth.server namespace. See the generated Config Keys and Environment Variables tables for the full list.

  • oauth.server.enabled — enables OAuth server flows globally. Defaults to false.
  • oauth.server.issuer — issuer used in issued access tokens. Defaults to http://localhost:3000.
  • oauth.server.http.authenticationPrefix — API route prefix before the authentication /oauth segment. Defaults to /auth.
  • oauth.server.http.managementPrefix — API route prefix before the management /oauth/clients segment. Defaults to /.
  • oauth.server.authorizationCode.timeToLiveSeconds — authorization code lifetime. Defaults to 300.
  • oauth.server.accessToken.timeToLiveSeconds — access token lifetime. Defaults to 3600.
  • oauth.server.refreshToken.timeToLiveSeconds — refresh token lifetime. Defaults to 2592000.
  • oauth.server.refreshToken.rotateOnUse — rotates the refresh token on each exchange. Defaults to true.
  • oauth.server.pkce.requiredByDefault — requires PKCE for the authorization code flow when the client profile doesn't specify otherwise. Defaults to true.
  • oauth.server.jwks.keyIdentifier — key identifier exposed in JWKS responses.
  • oauth.server.jwks.rsaModulusLength — RSA key modulus length for generated signing keys. Defaults to 2048.
  • oauth.server.jwks.signing.privateKeyPem / publicKeyPem — PEM-encoded signing keys; leave empty to use the generated fallback.
  • oauth.server.jwks.signing.allowGeneratedFallback — allows ephemeral generated keys. Defaults to true only when NODE_ENV=development, otherwise false.
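The keys above decide the server's security posture, so a deploy-time preflight over them is worth having. The check below is an added example, not code from @quik/oauth-server; it assumes the resolved config is a flat map of dotted key to value (the package's real loader and types are not shown on this page) and the thresholds are the example's own choices.

```typescript
// Added example (not part of @quik/oauth-server): a deploy-time preflight over the
// oauth.server.* keys documented above. Assumption: the resolved config is a flat
// map of dotted key -> value; the package's real loader and types are not shown here.
type OAuthServerConfig = Record<string, string | number | boolean | undefined>;

interface Finding { key: string; severity: "error" | "warn"; message: string; }

// Returns the findings a deployer should clear before running outside development.
// Defaults mirror the documented ones; thresholds are this example's own choices.
function preflightOAuthServerConfig(cfg: OAuthServerConfig, nodeEnv: string): Finding[] {
  const out: Finding[] = [];
  const prod = nodeEnv !== "development";
  const get = (k: string) => cfg[`oauth.server.${k}`];
  const flag = (k: string, severity: Finding["severity"], message: string) =>
    out.push({ key: `oauth.server.${k}`, severity, message });

  if (get("enabled") !== true) return out; // flows disabled: nothing is exposed

  const issuer = String(get("issuer") ?? "http://localhost:3000"); // documented default
  if (prod && /^http:\/\/localhost(:\d+)?(\/|$)/.test(issuer)) {
    flag("issuer", "error", "issuer is the localhost default; issued tokens carry a non-production iss");
  }

  const hasPems = Boolean(get("jwks.signing.privateKeyPem")) && Boolean(get("jwks.signing.publicKeyPem"));
  const fallback = get("jwks.signing.allowGeneratedFallback") ?? !prod; // documented default
  if (!hasPems && fallback === true && prod) {
    flag("jwks.signing.allowGeneratedFallback", "error",
      "ephemeral generated signing keys outside development; tokens stop verifying on restart or across replicas");
  } else if (!hasPems && fallback !== true) {
    flag("jwks.signing.privateKeyPem", "error", "no signing key configured and generated fallback disabled");
  }
  if (Number(get("jwks.rsaModulusLength") ?? 2048) < 2048) {
    flag("jwks.rsaModulusLength", "error", "RSA modulus below 2048 bits");
  }
  if (get("pkce.requiredByDefault") === false) {
    flag("pkce.requiredByDefault", "warn", "PKCE not required by default for clients without a profile override");
  }
  if (get("refreshToken.rotateOnUse") === false) {
    flag("refreshToken.rotateOnUse", "warn", "refresh tokens are reusable until expiry or revocation");
  }
  if (Number(get("accessToken.timeToLiveSeconds") ?? 3600) > 3600) {
    flag("accessToken.timeToLiveSeconds", "warn", "access token lifetime exceeds the 3600 s default");
  }
  return out;
}
```

Wire it into the service's startup so that any `error` finding aborts boot outside development.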

Built-in API endpoints

Default paths, given the defaults above:

  • POST /api/auth/oauth/authorize
  • POST /api/auth/oauth/token
  • POST /api/auth/oauth/introspect
  • POST /api/auth/oauth/revoke
  • GET /api/auth/oauth/.well-known/jwks.json
  • POST /api/oauth/clients/
  • GET /api/oauth/clients/
  • GET /api/oauth/clients/:clientId
  • PATCH /api/oauth/clients/:clientId
  • DELETE /api/oauth/clients/:clientId

Request parameters for these endpoints are typed entities under packages/oauth-server/src/entities/ (OAuthAuthorizeRequestBody, OAuthTokenRequestBody, OAuthIntrospectRequestBody, OAuthRevokeRequestBody).