OAuth Token
Exchange an OAuth authorisation code, device code, refresh token, or client credentials grant for tokens. Supported grants are advertised by `/.well-known/openid-configuration`. Public clients authenticate with `client_id` only and must use grants suitable for public clients, such as device code or authorisation code with PKCE. Confidential clients must provide `client_secret` for authorisation-code, refresh-token, and client-credentials exchanges. Storyden access tokens are short-lived JWTs containing the issued `scope`. Revoking a refresh token or changing account permissions does not revoke an already-issued access token; permission changes are applied on the next token issuance or refresh. Device-code polling returns OAuth-compatible errors such as `authorization_pending`, `slow_down`, `expired_token`, `access_denied`, and `invalid_grant`.
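A device-code polling loop that honours the error codes listed above, as an added example (not Storyden's own code). The `post` transport, the function and exception names, and the RFC 8628 `grant_type` and `device_code` form fields are assumptions; confirm the grant name against `/.well-known/openid-configuration`.

```python
import time

# RFC 8628 grant type; assumed to match what the server advertises in
# /.well-known/openid-configuration (check grant_types_supported).
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
TERMINAL = {"expired_token", "access_denied", "invalid_grant"}


class DeviceFlowError(Exception):
    """Polling must stop; the flow has to be restarted or abandoned."""


def poll_for_token(post, client_id, device_code, interval=5, expires_in=600,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint until tokens are issued or a terminal error occurs.

    `post` is a hypothetical transport: post(form_dict) -> (http_status, json_dict).
    Public clients send client_id only, so no client_secret is included.
    """
    deadline = clock() + expires_in
    form = {"grant_type": DEVICE_GRANT, "client_id": client_id,
            "device_code": device_code}
    while clock() < deadline:
        sleep(interval)
        status, body = post(form)
        error = body.get("error")
        # Check the error field even on HTTP 200: the documented success
        # schema also carries an "error" member.
        if status == 200 and not error and "access_token" in body:
            return body
        if error == "authorization_pending":
            continue  # user has not approved yet; keep the same interval
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
            continue
        if error in TERMINAL:
            raise DeviceFlowError(error)
        # Unknown error or malformed body: fail closed instead of looping.
        raise DeviceFlowError(error or "unexpected_response")
    raise DeviceFlowError("expired_token")
```
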
/oauth/token
Request Body
application/x-www-form-urlencoded
Response Body
application/json
```bash
curl -X POST "https://loading/api/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=string&client_id=string'
```

```json
{
  "access_token": "string",
  "token_type": "string",
  "expires_in": 0,
  "scope": "string",
  "id_token": "string",
  "refresh_token": "string",
  "error": "string"
}
```

```json
{
  "error": "string",
  "error_description": "string"
}
```

```json
{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}
```

OAuth Refresh Token List GET
List OAuth refresh tokens issued to the authenticated account. This is the member-facing "authorised applications" view: it lists apps the signed-in account has authorised and can revoke. In OAuth terms, these rows are grants/tokens, not application definitions. This may include grants for built-in first-party clients such as the default Storyden CLI. Those clients are not created by the member and therefore do not appear in the member OAuth client list.
OAuth User Info GET
Return OpenID Connect UserInfo claims for the account represented by a valid bearer access token. Claims are scope-gated:

- `openid` identifies the subject.
- `profile` enables profile claims such as display name.
- `email` enables email claims when the account has an email address.

Storyden accounts do not always have email addresses, so email claims may be absent even when the `email` scope is present.