OAuth 2.0 Provider

Turn your zMesh project into a full identity provider. Register OAuth clients, support Authorization Code flow with PKCE, issue JWTs, and expose OIDC discovery endpoints.

How It Works

Any zMesh project can act as an OAuth 2.0 / OpenID Connect provider — similar to Auth0. External applications register as OAuth clients, and your project's end-users authenticate through zMesh.

OIDC Discovery

// OpenID Configuration
GET /oauth/{project_id}/.well-known/openid-configuration

// JWKS (public keys for token verification)
GET /oauth/{project_id}/.well-known/jwks.json

Register an OAuth Client

POST /projects/{project_id}/oauth/clients

{
  "name": "My Mobile App",
  "redirect_uris": ["https://myapp.com/callback", "myapp://callback"],
  "grant_types": ["authorization_code"],
  "scopes": ["openid", "profile", "email"]
}

// Response
{
  "client_id": "zmesh_abc123...",
  "client_secret": "zms_secret...",
  "name": "My Mobile App",
  "redirect_uris": ["https://myapp.com/callback"]
}

Authorization Flow

// 1. Redirect user to authorize
GET /oauth/{project_id}/authorize
  ?client_id=zmesh_abc123
  &redirect_uri=https://myapp.com/callback
  &response_type=code
  &scope=openid+profile+email
  &state=random_state
  &code_challenge=abc123      // PKCE
  &code_challenge_method=S256

// 2. User logs in and approves → redirected to:
// https://myapp.com/callback?code=AUTH_CODE&state=random_state

// 3. Exchange code for tokens
POST /oauth/{project_id}/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTH_CODE
&redirect_uri=https://myapp.com/callback
&client_id=zmesh_abc123
&client_secret=zms_secret
&code_verifier=original_verifier  // PKCE

// Response
{
  "access_token": "eyJhbGciOi...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rt_...",
  "id_token": "eyJhbGciOi...",
  "scope": "openid profile email"
}
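The three steps above, from generating the PKCE pair to building the token request, as an added client-side example (not zMesh's own code or SDK). It uses only the Python standard library and performs no network calls: it builds the authorize URL, validates the `state` on a constructed callback, and assembles the form body for the token endpoint. The endpoint paths, `client_id`, `redirect_uri` and scopes are the page's; the host and project id are labelled placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ZMESH_BASE = "https://zmesh.example"    # constructed placeholder host
PROJECT_ID = "PROJECT_ID_PLACEHOLDER"    # constructed placeholder project id
CLIENT_ID = "zmesh_abc123"               # from the page's flow
REDIRECT_URI = "https://myapp.com/callback"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_verifier() -> str:
    """High-entropy code_verifier: 32 random bytes give 43 base64url chars (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(32))


def pkce_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) for code_challenge_method=S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, code_challenge: str, scope: str = "openid profile email") -> str:
    """Step 1: the URL the browser is sent to. urlencode renders the scope as openid+profile+email."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{ZMESH_BASE}/oauth/{PROJECT_ID}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: read the code off the redirect; a missing or mismatched state is rejected (CSRF guard)."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: callback was not produced by our authorize request")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(code: str, verifier: str, client_secret: str) -> dict:
    """Step 3: form body for POST /oauth/{project_id}/token (sent over TLS, never logged)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must be byte-identical to the redirect_uri from step 1
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code_verifier": verifier,      # server recomputes S256 and compares it to code_challenge
    }


if __name__ == "__main__":
    verifier = make_pkce_verifier()
    state = b64url(secrets.token_bytes(16))   # one fresh state per authorize request
    print(build_authorize_url(state, pkce_challenge_s256(verifier)))
    # Constructed callback standing in for what the browser brings back after login.
    callback = f"{REDIRECT_URI}?code=AUTH_CODE&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request(code, verifier, "zms_secret"))
```

The verifier and state are generated fresh per authorization request and kept server-side (or in session storage) until the callback arrives; the verifier is only ever sent in the back-channel token request, which is what lets the provider reject a code that was intercepted on the redirect.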

UserInfo Endpoint

GET /oauth/{project_id}/userinfo
Authorization: Bearer access_token

// Response
{
  "sub": "user-uuid",
  "email": "user@example.com",
  "name": "Rahul",
  "email_verified": true
}

Revoke Token

POST /oauth/{project_id}/revoke
Content-Type: application/x-www-form-urlencoded

token=refresh_token
&client_id=zmesh_abc123
&client_secret=zms_secret

Manage Clients (Dashboard API)

Method   Path                                  Description
GET      /projects/{id}/oauth/clients          List OAuth clients
POST     /projects/{id}/oauth/clients          Create client
GET      /projects/{id}/oauth/clients/{cid}    Get client details
PATCH    /projects/{id}/oauth/clients/{cid}    Update client
DELETE   /projects/{id}/oauth/clients/{cid}    Delete client