OAuth User Info
Return OpenID Connect UserInfo claims for the account represented by a valid bearer access token.

Claims are scope-gated:

- `openid` identifies the subject.
- `profile` enables profile claims such as display name.
- `email` enables email claims when the account has an email address.

Storyden accounts do not always have email addresses, so email claims may be absent even when the `email` scope is present.
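
The scope gating and the optional email claim described above, seen from the client side, as an added example that is not Storyden's own code: it keys the account on `sub`, reads profile and email claims only when the matching scope was granted, and tolerates a missing email. The function name, the sample bodies and the rule that an unverified address is discarded are assumptions of this example.

```python
import json

class UserInfoError(Exception):
    """The UserInfo response cannot be used to identify an account."""

def parse_userinfo(body: str, granted_scope: str) -> dict:
    """Build an identity record keyed on `sub` from a UserInfo JSON body.

    granted_scope is the space-separated scope the access token carries.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise UserInfoError("UserInfo body is not a JSON object")
    if doc.get("error"):
        raise UserInfoError(f"server reported error: {doc['error']}")
    sub = doc.get("sub")
    if not isinstance(sub, str) or not sub:
        raise UserInfoError("missing sub claim")

    scopes = set(granted_scope.split())
    identity = {"sub": sub, "name": None, "preferred_username": None, "email": None}
    if "profile" in scopes:
        identity["name"] = doc.get("name")
        identity["preferred_username"] = doc.get("preferred_username")
    # Email claims can be absent even with the email scope, so never index
    # doc["email"] directly. Assumption of this example: an unverified
    # address is treated the same as no address.
    if "email" in scopes and doc.get("email") and doc.get("email_verified") is True:
        identity["email"] = doc["email"]
    return identity

# Constructed sample bodies (not captured from a real server).
WITH_EMAIL = json.dumps({"sub": "acc_1", "name": "Ada", "preferred_username": "ada",
                         "email": "ada@example.com", "email_verified": True})
NO_EMAIL = json.dumps({"sub": "acc_2", "name": "Bo", "preferred_username": "bo"})
UNVERIFIED = json.dumps({"sub": "acc_3", "email": "cy@example.com", "email_verified": False})
ERROR_BODY = json.dumps({"error": "invalid_token", "message": "token expired"})

if __name__ == "__main__":
    for body in (WITH_EMAIL, NO_EMAIL, UNVERIFIED):
        print(parse_userinfo(body, "openid profile email"))
    try:
        parse_userinfo(ERROR_BODY, "openid")
    except UserInfoError as exc:
        print("rejected:", exc)
```
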
GET /oauth/userinfo

Authorization
oauth_token In: header

```bash
curl -X GET "https://loading/api/oauth/userinfo"
```

Response Body

application/json

```json
{
  "sub": "string",
  "email": "string",
  "email_verified": true,
  "name": "string",
  "preferred_username": "string",
  "error": "string"
}
```

application/json

```json
{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}
```

OAuth Token POST
Exchange an OAuth authorisation code, device code, refresh token, or client credentials grant for tokens. Supported grants are advertised by `/.well-known/openid-configuration`. Public clients authenticate with `client_id` only and must use grants suitable for public clients, such as device code or authorisation code with PKCE. Confidential clients must provide `client_secret` for authorisation-code, refresh-token, and client-credentials exchanges. Storyden access tokens are short-lived JWTs containing the issued `scope`. Revoking a refresh token or changing account permissions does not revoke an already-issued access token; permission changes are applied on the next token issuance or refresh. Device-code polling returns OAuth-compatible errors such as `authorization_pending`, `slow_down`, `expired_token`, `access_denied`, and `invalid_grant`.
Phone Request Code POST
Start the authentication flow with a phone number. The handler will send a one-time code to the provided phone number which must then be sent to the other phone endpoint to verify the number and validate the account.