SlideRule Authenticator API (v5.4.2)

License: BSD 3-Clause

OAuth 2.1 Authorization Server for SlideRule. Supports authorization code flow with PKCE (for web clients), device flow (for CLI/Python clients), and PAT-based login. Acts as an intermediary to GitHub OAuth while issuing its own JWTs.

Dynamic Client Registration (RFC 7591)

Register a new OAuth client. Returns a client_id that must be used in subsequent authorization requests. Supports PKCE with S256 only.

Request Body schema: application/json (required)

redirect_uris
required
Array of strings <uri>, non-empty

Array of allowed redirect URIs. Must be https or http://localhost.

client_name
string <= 200 characters

Human-readable name for the client.

grant_types
Array of strings
Default: ["authorization_code"]
Items Enum: "authorization_code" "refresh_token"
response_types
Array of strings
Default: ["code"]
Items Value: "code"
token_endpoint_auth_method
string
Default: "none"
Value: "none"

Only 'none' is supported (PKCE is used instead of client_secret).

code_challenge_method
string
Default: "S256"
Value: "S256"

Only S256 is supported.

scope
string

Space-separated list of requested scopes.

Responses

Request samples

Content type
application/json
{
  "client_name": "My MCP Client",
  "grant_types": [],
  "response_types": [],
  "token_endpoint_auth_method": "none",
  "code_challenge_method": "S256",
  "scope": "mcp:tools mcp:resources"
}

Response samples

Content type
application/json
{
  "client_id": "5b3fa7ba-57d3-4017-a65b-d57dcd2db643",
  "client_id_issued_at": 0,
  "client_name": "string",
  "redirect_uris": [],
  "grant_types": [],
  "response_types": [],
  "token_endpoint_auth_method": "string",
  "code_challenge_method": "string",
  "scope": "string"
}
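As an added illustration (not code from the SlideRule project), here is the server-side validation a registration endpoint enforcing the constraints listed above would perform. The field names are the ones in this schema; the host comparison is exact, so look-alike hosts such as localhost.attacker.example do not pass the http://localhost rule.

```python
from urllib.parse import urlsplit


def is_allowed_redirect_uri(uri: str) -> bool:
    """Accept only what the rule above allows: an https URI, or http whose
    host is exactly 'localhost' (any port). The hostname is compared as a
    whole, so 'localhost.attacker.example' and 'localhost@evil' are refused,
    and a fragment is refused because redirect URIs must not carry one."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    if parts.fragment or not parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    if parts.scheme == "https":
        return bool(host)
    if parts.scheme == "http":
        return host == "localhost"
    return False


def validate_registration(request: dict) -> list:
    """Return the problems found in a registration request (empty list means
    acceptable): S256 only, no client secret, code response type only."""
    problems = []
    uris = request.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        problems.append("redirect_uris must be a non-empty array")
    else:
        problems += [f"redirect_uri not allowed: {u}"
                     for u in uris if not is_allowed_redirect_uri(u)]
    if request.get("token_endpoint_auth_method", "none") != "none":
        problems.append("token_endpoint_auth_method must be 'none'")
    if request.get("code_challenge_method", "S256") != "S256":
        problems.append("code_challenge_method must be 'S256'")
    for g in request.get("grant_types", ["authorization_code"]):
        if g not in ("authorization_code", "refresh_token"):
            problems.append(f"unsupported grant_type: {g}")
    for r in request.get("response_types", ["code"]):
        if r != "code":
            problems.append(f"unsupported response_type: {r}")
    name = request.get("client_name")
    if name is not None and len(name) > 200:
        problems.append("client_name exceeds 200 characters")
    return problems
```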

OAuth 2.1 Authorization endpoint

Initiates the authorization code flow with PKCE. Validates the client session, stores the code challenge, and redirects the user to GitHub for authentication.

query Parameters
response_type
required
string
Value: "code"
client_id
required
string <uuid>

Client ID obtained from registration.

redirect_uri
required
string <uri>

Must match one of the URIs registered during client registration.

state
required
string

Opaque value for CSRF protection, returned unchanged in the callback.

scope
string
Example: scope=mcp:tools mcp:resources

Space-separated list of scopes. Must be a subset of the scopes registered for the client.

code_challenge
required
string

PKCE code challenge (BASE64URL(SHA256(code_verifier))).

code_challenge_method
required
string
Value: "S256"
resource
string <uri>

Optional resource indicator (RFC 8707). Must be https and under the service domain.

Responses

Response samples

Content type
application/json
{
  "error": "internal_error",
  "error_description": "Error processing request"
}

OAuth callback from GitHub

Handles the redirect from GitHub after user authorization. Validates the HMAC-signed state parameter (CSRF protection), generates an authorization code, and redirects back to the client's redirect_uri with the code and state.

query Parameters
code
required
string

Authorization code from GitHub.

state
required
string

HMAC-signed state parameter for CSRF validation.

error
string
error_description
string

Responses

Response samples

Content type
application/json
{
  "error": "internal_error",
  "error_description": "Error processing request"
}
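The callback description says the state parameter is HMAC-signed, but the page does not give its layout. The following added example (not the SlideRule implementation) shows one way to produce and check such a state: the client's opaque state, the client_id and the redirect_uri are bound into an expiring payload with an HMAC-SHA256 tag, so the callback can recover where to redirect without trusting anything unsigned. The key, payload fields and TTL are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example; the real server's key is not on the page.
STATE_SIGNING_KEY = b"constructed-example-key-not-a-real-secret"
STATE_TTL_SECONDS = 600


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body: str) -> str:
    return _b64u(hmac.new(STATE_SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def sign_state(client_state: str, client_id: str, redirect_uri: str, now: int = 0) -> str:
    """Wrap the client's state, client_id and redirect_uri in a signed payload
    that expires after STATE_TTL_SECONDS. Format (assumed): body.tag, base64url."""
    payload = {"s": client_state, "cid": client_id, "ru": redirect_uri,
               "exp": (now or int(time.time())) + STATE_TTL_SECONDS}
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_tag(body)}"


def verify_state(signed: str, now: int = 0) -> "dict | None":
    """Return the payload if the tag matches and the state has not expired,
    else None. The tag is checked in constant time before the body is parsed,
    so an unsigned or altered body is never interpreted."""
    body, sep, tag = signed.partition(".")
    if not sep or not hmac.compare_digest(_tag(body), tag):
        return None
    try:
        payload = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= (now or int(time.time())):
        return None
    return payload
```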

Exchange authorization code for access token

Final stage of the OAuth 2.1 authorization code flow. Exchanges the authorization code for a JWT access token. Requires PKCE code_verifier to prove possession of the original code_challenge.

Request Body schema: application/x-www-form-urlencoded
required
grant_type
required
string
Value: "authorization_code"
code
required
string

Authorization code received from the callback.

redirect_uri
required
string <uri>

Must match the redirect_uri used in the authorization request.

client_id
required
string <uuid>
code_verifier
required
string

PKCE code verifier (original random string).

Responses

Response samples

Content type
application/json
{
  "access_token": "string",
  "token_type": "Bearer",
  "expires_in": 43200,
  "refresh_token": "string",
  "scope": "mcp:tools mcp:resources",
  "info": {}
}
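An added example (not the project's own client or server code) of the PKCE mechanics that tie the authorization request above to this token exchange: verifier generation, the S256 challenge exactly as defined above, the authorize query string, and the constant-time server-side check of code_verifier against the stored code_challenge. The authorize URL is a placeholder because the page does not give the endpoint path.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder: the page does not state the authorization endpoint path.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 verifier: 43-128 unreserved characters. 32 random bytes
    give 43 base64url characters, the minimum allowed length."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(code_verifier: str) -> str:
    """S256 challenge as stated above: BASE64URL(SHA256(code_verifier))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        code_challenge: str, scope: str = "mcp:tools mcp:resources") -> str:
    """Query parameters required by the authorization endpoint above."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def verify_code_verifier(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the presented verifier
    and compare in constant time. Only S256 is accepted, matching the page."""
    if stored_method != "S256" or not 43 <= len(code_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge)
```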

Initiate device authorization flow

Initiates the OAuth device flow for CLI/Python clients. Returns a device code, user code, and verification URI. The user must visit the verification URI and enter the user code to authorize the device.

Responses

Response samples

Content type
application/json
{}

Poll for device authorization completion

Client polls this endpoint with the device_code to check if the user has completed authorization. Returns 202 while pending, 200 on success with token and metadata, or 400 on terminal failure.

Request Body schema: application/json
required
device_code
required
string

The device_code received from the device code request.

Responses

Request samples

Content type
application/json
{
  "device_code": "string"
}

Response samples

Content type
application/json
{
  "status": "success",
  "token": "string",
  "metadata": {}
}
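An added client-side polling loop (not the SlideRule Python client) that follows the status codes stated above: keep polling on 202, return the body on 200, stop on 400, and stop on anything else rather than retrying forever. The HTTP call is injected as a function so the loop can run offline; the poll endpoint path is not given on the page and is left to the caller's transport.

```python
import time
from typing import Callable, Tuple

# (HTTP status, decoded JSON body) as returned by the injected transport.
PollResponse = Tuple[int, dict]


class DeviceFlowError(Exception):
    """Raised when the device flow ends without a token."""


def poll_device_authorization(device_code: str,
                              post: Callable[[dict], PollResponse],
                              interval: float = 5.0,
                              max_polls: int = 180,
                              sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll the completion endpoint with {"device_code": ...} until it answers
    200 with a token. 202 means the user has not finished yet, 400 is a
    terminal failure, and any other status is treated as an error instead of
    being retried, so a misbehaving server cannot keep the client polling."""
    for attempt in range(1, max_polls + 1):
        status, body = post({"device_code": device_code})
        if status == 200:
            if body.get("status") == "success" and body.get("token"):
                return body
            raise DeviceFlowError("200 without a token in the response body")
        if status == 400:
            raise DeviceFlowError(body.get("error_description")
                                  or body.get("error") or "authorization failed")
        if status != 202:
            raise DeviceFlowError(f"unexpected status {status}")
        if attempt < max_polls:
            sleep(interval)
    raise DeviceFlowError("gave up waiting for the user to authorize the device")
```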

Authenticate with GitHub Personal Access Token

Authenticate using a GitHub PAT. The PAT is verified against the GitHub API, and if valid, a SlideRule JWT is issued.

Request Body schema: application/json
required
pat
required
string

GitHub Personal Access Token with read:org scope.

Responses

Request samples

Content type
application/json
{
  "pat": "string"
}

Response samples

Content type
application/json
{
  "status": "success",
  "token": "string",
  "metadata": {}
}

Initiate basic GitHub OAuth 2.0 flow

Simple OAuth 2.0 flow for trusted internal services (HAProxy, Grafana). Redirects to GitHub for authentication and returns a JWT in a cookie. Only trusted redirect hosts are allowed.

query Parameters
redirect_uri
required
string <uri>

Must point to a trusted redirect host.

Responses

Response samples

Content type
application/json
{
  "error": "internal_error",
  "error_description": "Error processing request"
}

Refresh an access token

Refresh token endpoint. Currently not supported and returns 401.

Responses

Response samples

Content type
application/json
{
  "error": "internal_error",
  "error_description": "Error processing request"
}

Get public key in PEM format

Returns the RSA public key used for JWT verification in PEM format. Used by HAProxy for token validation.

Responses

Response samples

Content type
application/json
"-----BEGIN PUBLIC KEY-----\nMIIBI..."

JSON Web Key Set (JWKS)

Returns the public key in JWKS format for JWT signature verification. Standard endpoint for OIDC/JWT key discovery.

Responses

Response samples

Content type
application/json
{
  "keys": []
}

OpenID Connect Discovery

Returns the OpenID Connect discovery document with issuer, JWKS URI, and supported algorithms.

Responses

Response samples

Content type
application/json
{}

OAuth 2.0 Authorization Server Metadata (RFC 8414)

Returns the authorization server metadata document describing endpoints, supported grant types, scopes, and PKCE configuration.

Responses

Response samples

Content type
application/json
{
  "issuer": "http://example.com",
  "authorization_endpoint": "http://example.com",
  "token_endpoint": "http://example.com",
  "response_types_supported": [],
  "scopes_supported": [],
  "token_endpoint_auth_methods_supported": [],
  "code_challenge_methods_supported": [],
  "registration_endpoint": "http://example.com",
  "jwks_uri": "http://example.com",
  "id_token_signing_alg_values_supported": [],
  "grant_types_supported": []
}