OAuth 2.0 · v1.09.01 · pilot-root.1kosmos.net/oauth2 · OpenAPI
1Kosmos · OAuth 2.0 / OIDC

OAuth 2.0 API

Standards-based OAuth 2.0 / OpenID Connect — authorize, token, introspect.

The OIDC service is a standards-compliant OAuth 2.0 / OpenID Connect provider: authorization, token issuance and introspection, discovery and JWKS. Drop 1Kosmos into any OIDC-aware application as the identity provider.

14 endpoints across 12 resource groups.

ECDSA-signed: every request is signed with your key pair.

JSON over HTTPS: predictable REST, conventional status codes.

Reference

Base URL

All OAuth 2.0 endpoints are relative to your environment host. Examples on this page use the 1Kosmos pilot environment — swap in your production root when you go live.

Pilot https://pilot-root.1kosmos.net/oauth2

Content type

Requests and responses use application/json.

GET https://pilot-root.1kosmos.net/oauth2/healthz
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/healthz' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
Security

Authentication

OAuth 2.0 uses ECDSA key-pair authentication. Each request carries your credentials as HTTP headers; verification-grade calls additionally sign the request body. Retrieve the system signing key from /publickeys.

Credentials
| Name | Value | Location |
|---|---|---|
| keyId | ECDSA Public Key | header |
| keySecret | ECDSA Private Key | header |
| license | License key from License Microservice | header |
Reference

Errors

OAuth 2.0 uses conventional HTTP status codes: 2xx success, 4xx a problem with the request, 5xx a service-side error.

| Status | Meaning | Description |
|---|---|---|
| 200 / 204 | OK | The request succeeded. |
| 400 | Bad Request | Validation failed. |
| 401 | Unauthorized | Missing or invalid credentials. |
| 403 | Forbidden | Authenticated, but not permitted. |
| 404 | Not Found | The resource does not exist. |
| 500 | Server Error | Something went wrong on our side. |

4XX error response
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Validation error"
}
OAuth 2.0

Authorize

Authorization endpoint.

GET /community/{community}/v1/authorize

Authorize

Used to request an authorization code.

Note: This API does not work in Swagger; use Postman with the details given in Swagger.

Note: this endpoint redirects

This endpoint requires redirecting to the OIDC consent endpoint.

Path parameters
| Name | Type | Description |
|---|---|---|
| community (required) | string | community name |

Query parameters
| Name | Type | Description |
|---|---|---|
| state | string | Opaque value used to maintain state between the request and the callback |
| nonce | string | string value used to associate a Client session with an ID Token |
| client_id (required) | string | OAuth 2.0 Client Identifier valid at the Authorization Server |
| response_type (required) | string | OAuth 2.0 Response Type value that determines the authorization processing flow |
| scope (required) | string | specify the access privileges when issuing an Access Token |
| redirect_uri (required) | string | Redirection URI to which the response will be sent |

GET https://pilot-root.1kosmos.net/oauth2/community/{community}/v1/authorize
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/community/<community>/v1/authorize?state=<state>&nonce=<nonce>&client_id=<client_id>&response_type=<response_type>&scope=<scope>&redirect_uri=<redirect_uri>' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
303
Redirects to the admin OIDC redirect endpoints (oidc, oidc-authenticator) for consent input, or to redirect_uri with an error if there is one.
// no response body
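
How a relying party can use the state and nonce parameters listed above, as an added example that is not part of the 1Kosmos reference: it builds the authorize URL with fresh random values and rejects a callback whose state, redirect target or code does not match. The function names, response_type=code and the default scope of openid are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://pilot-root.1kosmos.net/oauth2"  # pilot base URL from this page

def start_authorization(community, client_id, redirect_uri, scope="openid"):
    """Build the GET /authorize URL plus the values to keep in the user's session."""
    session = {
        "state": secrets.token_urlsafe(32),  # binds the callback to this session
        "nonce": secrets.token_urlsafe(32),  # must come back inside the ID token
        "redirect_uri": redirect_uri,
    }
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",  # assumed value: authorization code flow
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": session["state"],
        "nonce": session["nonce"],
    })
    return f"{BASE}/community/{community}/v1/authorize?{query}", session

def _same(a, b):
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(a.encode(), b.encode())

def handle_callback(callback_url, session):
    """Return the authorization code, or raise ValueError if the callback is not ours."""
    got, want = urlparse(callback_url), urlparse(session["redirect_uri"])
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match redirect_uri")
    params = parse_qs(got.query)
    if not _same(params.get("state", [""])[0], session["state"]):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def nonce_matches(id_token_claims, session):
    """Check the nonce claim of an already signature-verified ID token."""
    return _same(str(id_token_claims.get("nonce", "")), session["nonce"])
```
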
POST /community/{community}/v1/authorize

Authorize

Used to request an authorization code.

  • If the proof_of_authentication_jwt token is specified and the operation is successful, the response contains a Location header with a URL to the redirect_uri carrying an authorization code parameter. If the operation fails, the response contains a Location header with a URL to the redirect_uri and an error parameter.

  • If the proof_of_authentication_jwt is NOT specified, this API does not work correctly: it redirects to the AdminX UI OIDC consent endpoint page. AdminX returns the JavaScript code for the consent page in the response body panel. Use Postman for the non-proof_of_authentication_jwt use case.

Path parameters
| Name | Type | Description |
|---|---|---|
| community (required) | string | community name |

POST https://pilot-root.1kosmos.net/oauth2/community/{community}/v1/authorize
curl -X POST 'https://pilot-root.1kosmos.net/oauth2/community/<community>/v1/authorize' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
Status codes: 200, 303
If the proof_of_authentication_jwt token is specified, then the code or error is in the Location header.
// no response body
OAuth 2.0

Service Key

Service Key endpoints.

GET /servicekeys

Get service keys

This endpoint returns the available service keys. The license you use must have authLevel 'system'.

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number). "ts" is an epoch timestamp in seconds and must be within 'environment.allowed_time_span' seconds of the current time.

publickey (required)

Public key

Returns

Returns array with service keys

Headers
| Name | Type | Description |
|---|---|---|
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number); "ts" is an epoch timestamp in seconds and must be within 'environment.allowed_time_span' seconds of the current time |
| publickey (required) | string | Public Key |
| licensekey (required) | string | License key encrypted with ECDSA |

GET https://pilot-root.1kosmos.net/oauth2/servicekeys
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/servicekeys' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
Status codes: 200, 400, 401, 500
Success
[
  {
    "tag": "xxxxx",
    "keyId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx",
    "keySecret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx",
    "type": "xxxxx"
  }
]
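
The requestid rule described above (appid, uuid and a ts within allowed_time_span), shown as an added example that is not 1Kosmos code: it works on the plaintext JSON, before encryption on the sending side and after decryption on the receiving side. The 60-second span, the single-use treatment of uuid, and all function and class names are assumptions.

```python
import json
import time
import uuid

ALLOWED_TIME_SPAN = 60  # assumed; the page takes it from environment.allowed_time_span

def build_requestid(appid, now=None):
    """Plaintext requestid JSON; it still has to be encrypted before it is sent."""
    ts = int(now if now is not None else time.time())
    return json.dumps({"appid": appid, "uuid": str(uuid.uuid4()), "ts": ts})

class RequestIdValidator:
    """Receiving-side check of a decrypted requestid string."""

    def __init__(self, allowed_span=ALLOWED_TIME_SPAN):
        self.allowed_span = allowed_span
        self._seen = {}  # uuid -> ts, kept only while ts is still inside the window

    def check(self, plaintext, now=None):
        """Return (ok, reason)."""
        now = int(now if now is not None else time.time())
        try:
            body = json.loads(plaintext)
        except ValueError:
            return False, "not JSON"
        if not isinstance(body, dict):
            return False, "not a JSON object"
        appid, uid, ts = body.get("appid"), body.get("uuid"), body.get("ts")
        if not isinstance(appid, str) or not isinstance(uid, str):
            return False, "appid and uuid must be strings"
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(ts, bool) or not isinstance(ts, (int, float)):
            return False, "ts must be a number"
        if abs(now - ts) > self.allowed_span:  # too old or too far in the future
            return False, "ts outside allowed_time_span"
        # Entries that left the window cannot be replayed any more, so drop them.
        self._seen = {u: t for u, t in self._seen.items()
                      if abs(now - t) <= self.allowed_span}
        if uid in self._seen:  # assumption: uuid is treated as a one-time value
            return False, "uuid already used"
        self._seen[uid] = ts
        return True, "ok"
```
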
DELETE /servicekey/{keyId}

Reset Service Key

This endpoint resets the service key for the given keyId: it deletes the current key and creates a new one. The license you use must have authLevel 'system'.

Parameters

keyId (required)

The keyId of service key to reset

Headers

licensekey (required)

License key encrypted with ECDSA

requestid (required)

JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number). "ts" is an epoch timestamp in seconds and must be within 'environment.allowed_time_span' seconds of the current time.

publickey (required)

Public key

Returns

Returns re-created service key

Path parameters
| Name | Type | Description |
|---|---|---|
| keyId (required) | string | keyId of service key to reset |

Headers
| Name | Type | Description |
|---|---|---|
| requestid (required) | string | JSON string encrypted with ECDSA, containing "appid" (string), "uuid" (string) and "ts" (number); "ts" is an epoch timestamp in seconds and must be within 'environment.allowed_time_span' seconds of the current time |
| publickey (required) | string | Public Key |
| licensekey (required) | string | License key encrypted with ECDSA |

DELETE https://pilot-root.1kosmos.net/oauth2/servicekey/{keyId}
curl -X DELETE 'https://pilot-root.1kosmos.net/oauth2/servicekey/<keyId>' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'publickey: <public-key>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
204
// no response body
OAuth 2.0

Discovery

OIDC discovery document.

GET /community/{community}/.well-known/openid-configuration

Discovery

Get discovery

Returns

Returns a set of OpenID Connect values that can be retrieved by OIDC clients

Path parameters
| Name | Type | Description |
|---|---|---|
| community (required) | string | community name |

GET https://pilot-root.1kosmos.net/oauth2/community/{community}/.well-known/openid-configuration
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/community/<community>/.well-known/openid-configuration' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
Status codes: 200, default
OIDC discovery endpoint
{
  "authorization_endpoint": "string",
  "claims_parameter_supported": "string",
  "claims_supported": "string",
  "code_challenge_methods_supported": "string",
  "end_session_endpoint": "string",
  "grant_types_supported": "string",
  "id_token_signing_alg_values_supported": "string",
  "issuer": "string",
  "jwks_uri": "string",
  "authorization_response_iss_parameter_supported": "string",
  "response_modes_supported": "string",
  "response_types_supported": "string",
  "scopes_supported": "string",
  "subject_types_supported": "string",
  "token_endpoint_auth_methods_supported": "string",
  "token_endpoint_auth_signing_alg_values_supported": "string",
  "token_endpoint": "string",
  "request_object_signing_alg_values_supported": "string",
  "request_parameter_supported": "string",
  "request_uri_parameter_supported": "string",
  "require_request_uri_registration": "string",
  "userinfo_endpoint": "string",
  "introspection_endpoint": "string",
  "introspection_endpoint_auth_methods_supported": "string",
  "introspection_endpoint_auth_signing_alg_values_supported": "string",
  "claim_types_supported": "string"
}
OAuth 2.0

EAM

EAM endpoints.

GET /community/{community}/v1/interaction/{uid}/eam-context

EAM Context

Fetch EAM pre-authentication context (oid/tid) from a server-side interaction record.

This endpoint is called by nodex-admin-api during the Entra EAM flow to retrieve the oid and tid extracted from the validated id_token_hint. These values are never sent to the browser.

Requires ECDSA service-to-service authentication (publickey, requestid, licensekey headers).

Path parameters
| Name | Type | Description |
|---|---|---|
| community (required) | string | Community name |
| uid (required) | string | OIDC interaction UID |

Headers
| Name | Type | Description |
|---|---|---|
| requestid (required) | string | JSON string encrypted with ECDSA which should contain "appid" (string), "uuid" (string) and "ts" (number) |

GET https://pilot-root.1kosmos.net/oauth2/community/{community}/v1/interaction/{uid}/eam-context
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/community/<community>/v1/interaction/<uid>/eam-context' \
  -H 'requestid: <ecdsa-requestid>' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
Status codes: 200, 401, 404
EAM context retrieved successfully
{
  "oid": "string",
  "tid": "string"
}
OAuth 2.0

ECDSA Helper

ECDSA Helper endpoints.

POST /ecdsa_helper/{method}

Encrypt and decrypt the data string by public key and private key.

Parameters

method (optional)

The method parameter is an enum. The default value is encrypt.

This parameter accepts only the following values: encrypt, decrypt

Request Body

dataStr (required)

dataStr is a string.

publicKey (required)

publicKey is a string.

privateKey (required)

privateKey is a string.

Returns

Returns the encrypted/decrypted string.

This API throws an error if something goes wrong. A common cause is an invalid public or private key.

Path parameters
| Name | Type | Description |
|---|---|---|
| method | string | |

Request body
| Field | Type | Description |
|---|---|---|
| dataStr | string | |
| publicKey | string | |
| privateKey | string | |

POST https://pilot-root.1kosmos.net/oauth2/ecdsa_helper/{method}
curl -X POST 'https://pilot-root.1kosmos.net/oauth2/ecdsa_helper/<method>' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"dataStr": "Hey, This is example data string.", "publicKey": "xxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxx=", "privateKey": "xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxx="}'
RESPONSE
200
successful operation
{
  "data": "xxxxxxxxxxxxxxxxxxxx"
}
OAuth 2.0

Environment

Environment endpoints.

GET /environment

/environment

Provide details regarding the environments.

Returns

Returns an environment object

GET https://pilot-root.1kosmos.net/oauth2/environment
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/environment' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
200
Success
// no response body
OAuth 2.0

Healthz

Healthz endpoints.

GET /healthz

Get healthz.

Returns

Returns a healthz object

  • ``version = <git-tag>.<commit-id>.<dob>``
  • ``git-tag``: When the code is compiled from a git tag, this must carry the tag name. It should match one of the git tags.
  • ``commit-id``: This is the git commit ID. E.g., when code is built from this, the hex code at the end is the commit ID.
  • ``dob``: Date of build. This is the epoch time in seconds at which the build was created.
  • If the code is not built from a git tag, then ``version = <commit-id>.<dob>``
GET https://pilot-root.1kosmos.net/oauth2/healthz
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/healthz' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
200
Success. The publicKey value is the same as the one returned by the <service>/publickeys endpoint, and version follows the format defined above.
{
  "status": "all services operational",
  "publicKey": "//same as <service>/publickeys endpoint",
  "code": "200",
  "version": "xxxx.xxxx.xxxx"
}
OAuth 2.0

Introspection

Token introspection.

POST /community/{community}/v1/introspect

Introspection

Note: Requires HTTP Basic authentication with the client ID as the username and the client secret as the password.

Returns

Returns the active state of an OAuth 2.0 access token and meta-information about this token.

Path parameters
| Name | Type | Description |
|---|---|---|
| community (required) | string | community name |

POST https://pilot-root.1kosmos.net/oauth2/community/{community}/v1/introspect
curl -X POST 'https://pilot-root.1kosmos.net/oauth2/community/<community>/v1/introspect' \
  -u '<client_id>:<client_secret>'
RESPONSE
Status codes: 200, default
OIDC introspection
{
  "active": "string",
  "sub": "string",
  "client_id": "string",
  "exp": "string",
  "iat": "string",
  "iss": "string",
  "scope": "string",
  "token_type": "string"
}
OAuth 2.0

JWKS

Public signing keys.

GET /community/{community}/v1/jwks

JWKS

Get jwks

Returns

Used to request the key(s) an OpenID client can use to sign and/or encrypt tokens.

Path parameters
| Name | Type | Description |
|---|---|---|
| community (required) | string | community name |

GET https://pilot-root.1kosmos.net/oauth2/community/{community}/v1/jwks
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/community/<community>/v1/jwks' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
Status codes: 200, default
OIDC JWKS endpoint
[
  {
    "crv": "string",
    "x": "string",
    "y": "string",
    "d": "string",
    "kty": "string",
    "kid": "string",
    "alg": "string",
    "use": "string"
  }
]
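
The response schema above lists a d member; in a JWK, d is the private-key parameter (RFC 7518), which a published key set should not contain. The following added example, not part of the 1Kosmos reference, audits a fetched JWKS for private members and refuses to select a flagged key for signature verification. The function names, the sample keys and the ES256 / P-256 values are constructed assumptions.

```python
# Private-key members defined for JWKs in RFC 7518:
# EC/OKP use d; RSA uses d, p, q, dp, dq, qi, oth; symmetric (oct) keys use k.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

def _keys(doc):
    # Accept the bare array shown in this reference and the RFC 7517 {"keys": [...]} wrapper.
    return doc.get("keys", []) if isinstance(doc, dict) else doc

def audit_jwks(doc):
    """Return [(kid, problem), ...] for a parsed JWKS response."""
    findings = []
    for key in _keys(doc):
        kid = key.get("kid", "<no kid>")
        leaked = sorted(PRIVATE_MEMBERS.intersection(key))
        if leaked:
            findings.append((kid, "private members present: " + ", ".join(leaked)))
        if key.get("kty") == "EC" and not {"crv", "x", "y"}.issubset(key):
            findings.append((kid, "EC key missing crv/x/y"))
    return findings

def pick_verification_key(doc, kid, alg):
    """Return the single clean signing key matching kid and alg, else raise LookupError."""
    flagged = {k for k, _ in audit_jwks(doc)}
    matches = [k for k in _keys(doc)
               if k.get("kid") == kid
               and k.get("alg", alg) == alg
               and k.get("use", "sig") == "sig"
               and k.get("kid") not in flagged]
    # A key whose private part was published proves nothing about who signed a token.
    if len(matches) != 1:
        raise LookupError("no unique usable key for kid=%r alg=%r" % (kid, alg))
    return matches[0]

# Constructed sample: one well-formed public key, one entry that also carries "d".
SAMPLE_JWKS = [
    {"kty": "EC", "crv": "P-256", "kid": "sig-1", "alg": "ES256", "use": "sig",
     "x": "<base64url-x>", "y": "<base64url-y>"},
    {"kty": "EC", "crv": "P-256", "kid": "sig-2", "alg": "ES256", "use": "sig",
     "x": "<base64url-x>", "y": "<base64url-y>", "d": "<base64url-d>"},
]
```
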
OAuth 2.0

Public Key

Public Key endpoints.

GET /publickeys

Get system's public key.

Returns

Returns a public key object

GET https://pilot-root.1kosmos.net/oauth2/publickeys
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/publickeys' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
Status codes: 200, 401
{
  "publicKey": ""
}
OAuth 2.0

Request Token

Token issuance.

POST /community/{community}/v1/token

Request Tokens

Used to request tokens. Note: Requires HTTP Basic authentication with the client ID as the username and the client secret as the password.

Response

Returns access, id and refresh tokens.

Path parameters
| Name | Type | Description |
|---|---|---|
| community (required) | string | community name |

POST https://pilot-root.1kosmos.net/oauth2/community/{community}/v1/token
curl -X POST 'https://pilot-root.1kosmos.net/oauth2/community/<community>/v1/token' \
  -u '<client_id>:<client_secret>'
RESPONSE
Status codes: 200, default
Tokens
{
  "access_token": "string",
  "id_token": "string",
  "refresh_token": "string",
  "scope": "string",
  "token_type": "string",
  "expires_in": 0
}
OAuth 2.0

Service Directory

Service Directory endpoints.

GET /sd

Get all service directories.

Returns

Returns all service directories.

GET https://pilot-root.1kosmos.net/oauth2/sd
curl -X GET 'https://pilot-root.1kosmos.net/oauth2/sd' \
  -H 'keyId: YOUR_KEY_ID' \
  -H 'keySecret: YOUR_KEY_SECRET' \
  -H 'license: YOUR_LICENSE_KEY'
RESPONSE
200
{
  "name1": "https://xxx.xxxxxx.xxx/xxxxx",
  "name2": "https://xxx.xxxxxx.xxx/xxxxx",
  "name3": "https://xxx.xxxxxx.xxx/xxxxx"
}
© 2026 1Kosmos · OIDC API Service v1.09.01 · Generated from the OpenAPI spec · oauth2.json