Integrate VoxKey
VoxKey is a standard OIDC provider. Any library or framework that supports OpenID Connect can integrate with it.
OIDC Discovery
Every realm exposes a discovery endpoint:
```
GET /oauth2/{realmUUID}/.well-known/openid-configuration
```
This returns all endpoints, supported grant types, and signing algorithms. Most OIDC client libraries can auto-configure from this URL.
Key endpoints
| Endpoint | Path | Description |
|---|---|---|
| Authorization | POST /oauth2/{realmUUID}/code | Start the login flow |
| Token | POST /oauth2/{realmUUID}/token | Exchange code for tokens |
| UserInfo | GET /oauth2/{realmUUID}/userinfo | Get authenticated user info |
| JWKS | GET /oauth2/{realmUUID}/oidc/jwks | Public keys for JWT verification |
| Introspection | POST /oauth2/{realmUUID}/introspect | Check token validity (RFC 7662) |
| Revocation | POST /oauth2/{realmUUID}/revoke | Revoke tokens (RFC 7009) |
Integration flow
- Register an application in the admin panel (Traditional Web, SPA, or M2M)
- Configure your OIDC client with the discovery URL and your client credentials
- Redirect users to the authorization endpoint for login
- Exchange the authorization code for tokens at the token endpoint
- Validate tokens in your API using JWKS or introspection
Grant types
| Grant | Use case | Client type |
|---|---|---|
| Authorization Code + PKCE | User login from SPAs | Public |
| Authorization Code | User login from server apps | Confidential |
| Client Credentials | M2M / backend services | Confidential |
| Refresh Token | Renew expired access tokens | Both |
Resource indicators
To get tokens scoped to a specific API, pass the resource parameter in the token request:
```bash
curl -X POST https://your-domain.com/oauth2/{realmUUID}/token \
  -d grant_type=authorization_code \
  -d code=AUTH_CODE \
  -d resource=https://api.example.com
```
The resource value must match the indicator of an API Resource configured in the realm.
Next steps
- Protect your API -- validate tokens in your backend
- Quick Start -- end-to-end setup guide