Authentication API

The RitualOS ecosystem uses OAuth 2.0 with PKCE for secure authentication. All services authenticate through the central ID Service.

OAuth Endpoints

POST /api/oauth/authorize

Initiates the OAuth 2.0 authorization flow.

/api/oauth/authorize

Initialize OAuth authorization flow

Base URL

Headers (JSON)

Request Body (JSON)

POST /api/oauth/token

Exchange authorization code for access token.

/api/oauth/token

Exchange authorization code for access token

Base URL

Headers (JSON)

Request Body (JSON)

Using the API

1. Initialize OAuth Client

Example:

typescript

OAuth Integration

Initialize OAuth client and redirect to authorization

typescriptEdit the code below and click Run

2. Handle Callback

After user authorization, they'll be redirected to your redirect_uri with an authorization code:

// In your callback handler
export async function GET(request: Request) {
  const url = new URL(request.url);
  const code = url.searchParams.get('code');
  
  // Exchange code for access token
  const tokenResponse = await fetch('https://id.ritualos.com/api/oauth/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'authorization_code',
      code,
      redirect_uri: 'https://yourapp.com/auth/callback',
      client_id: process.env.ID_SERVICE_CLIENT_ID,
      client_secret: process.env.ID_SERVICE_CLIENT_SECRET
    })
  });
  
  const { access_token } = await tokenResponse.json();
  
  // Store access_token securely
  // Redirect user to your app
}

3. Fetch User Claims

Once you have an access token, you can fetch user identity and claims:

Example:

typescript

OAuth Integration

Initialize OAuth client and redirect to authorization

typescriptEdit the code below and click Run

System Architecture

The authentication flow across the ecosystem:

OAuth 2.0 Authentication Flow

Complete authentication flow from user initiation to API access

Loading diagram...

Service Integration Map

All ecosystem services connect to the ID Service for authentication:

Identity

Action

Settlement

Narrative

Governance

ID Service

identity

Identity & OAuth provider

Port: 7000

Path Service

action

Quest & action engine

Port: 3003

Learn Service

action

Education platform

Port: 3005

Guild Service

action

Work coordination

Port: 3009

Scroll Service

narrative

Cultural chronicle

Port: 3004

Realm Service

narrative

Beta

3D spatial world

Governance Service

governance

Voting & proposals

Port: 3007

Market Service

settlement

Asset marketplace

Port: 3008

Scopes

Available OAuth scopes:

Scope	Description	Required For
`identity`	Basic user identity	All apps
`credentials`	Read user credentials	Advanced features
`wallet`	Access wallet addresses	Web3 features
`admin`	Administrative access	Internal tools

Security Best Practices

Always use PKCE for public clients (web, mobile)
Store tokens securely - use HttpOnly cookies for web apps
Validate redirect URIs - only allow whitelisted URLs
Use state parameter - prevent CSRF attacks
Rotate credentials - regularly refresh access tokens
Implement logout - clear tokens on user logout

Error Handling

Common error responses:

// Invalid client
{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}

// Invalid grant
{
  "error": "invalid_grant",
  "error_description": "Authorization code is invalid or expired"
}

// Invalid scope
{
  "error": "invalid_scope",
  "error_description": "Requested scope is not allowed"
}

Authentication API

Authentication API

OAuth Endpoints

POST /api/oauth/authorize

POST /api/oauth/token

Using the API

1. Initialize OAuth Client

OAuth Integration

2. Handle Callback

3. Fetch User Claims

OAuth Integration

System Architecture

OAuth 2.0 Authentication Flow

Service Integration Map

ID Service

Path Service

Learn Service

Guild Service

Scroll Service

Realm Service

Governance Service

Market Service

Scopes

Security Best Practices

Error Handling

Next Steps