Documentation

Everything you need to know about Auth.io

Explore every screen, understand each flow, and learn how all the pieces connect — from creating your first realm to issuing tokens in production.

Explore screens Authentication flows

Platform architecture

How entities connect in Auth.io

RealmTenant boundary

ClientApp registration

Users / ConsumersIdentities & APIs

Roles & ScopesAuthorization

Keys & SecretsSecurity layer

Platform screens

Every screen explained

Click any entity below to explore its purpose, features, data model, and how it connects to the rest of the platform.

Realms

Multi-tenant isolation

A Realm is the top-level tenant boundary. It isolates users, clients, scopes, roles, keys, and all configurations. Everything starts with creating a realm.

Key features

Complete environment isolation per realm

Each realm has its own identity domain and policies

Realm-level statistics: total clients, total users

Enable or disable realms with status control

Define realm description and organizational context

Pro tip

Create separate realms for development, staging, and production environments to maintain complete isolation.

Connections

Clients belong to a realm

Users are scoped within a realm's client

Scopes and roles can be global or realm-specific

Fields

NameRealm ID (slug)DescriptionStatus (Active / Inactive)

Setup journey

From zero to the first issued token

Follow the recommended implementation order. Click each step to see details and the corresponding API call.

Create your Realm

Define the main environment for your application. The realm establishes tenant isolation, naming, and organizational context.

Checklist

Choose a unique realm identifier (slug)

Add a description for organizational clarity

The realm becomes your tenant boundary

API example

POST/api/admin/realms

{
  "name": "My Application",
  "realmId": "my-app",
  "description": "Production environment"
}

Authentication flows

Four flows for every integration

Auth.io supports the most important OAuth2 and OIDC flows. Select a flow to understand each step and see a code example.

Authorization Code + PKCE

SPAs, mobile apps, and any public client that needs interactive login with maximum security.

Initiate

Your app generates a code_verifier and code_challenge, then redirects the user to the Auth.io authorization endpoint.

Authenticate

The user authenticates on the Auth.io hosted login page with their credentials.

Consent

Scopes are evaluated. If consent is required, the user approves the requested permissions.

Callback

Auth.io redirects back to your app with an authorization code in the URL.

Exchange

Your app exchanges the code + code_verifier for access_token, refresh_token, and id_token.

Access

Use the access_token to call protected APIs. The id_token contains user identity claims.

Code example

// 1. Redirect to authorize
const params = new URLSearchParams({
  response_type: 'code',
  client_id: 'your-client-id',
  redirect_uri: 'https://app.example.com/callback',
  scope: 'openid profile email',
  code_challenge: codeChallenge,
  code_challenge_method: 'S256',
  state: randomState,
})
window.location.href = `${authUrl}/authorize?${params}`

// 2. Exchange code for tokens
const tokens = await fetch(`${authUrl}/token`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: authorizationCode,
    redirect_uri: 'https://app.example.com/callback',
    client_id: 'your-client-id',
    code_verifier: codeVerifier,
  }),
})

Integration examples

Ready-to-use code snippets

Copy and adapt these examples to integrate Auth.io into your application.

TypeScript

import NextAuth from 'next-auth'

export default NextAuth({
  providers: [{
    id: 'authio',
    name: 'Auth.io',
    type: 'oauth',
    wellKnown: `${process.env.AUTHIO_URL}/realms/${realm}/.well-known/openid-configuration`,
    clientId: process.env.AUTHIO_CLIENT_ID,
    clientSecret: process.env.AUTHIO_CLIENT_SECRET,
    authorization: { params: { scope: 'openid profile email' } },
    idToken: true,
    profile(profile) {
      return {
        id: profile.sub,
        name: profile.name,
        email: profile.email,
      }
    },
  }],
  callbacks: {
    async jwt({ token, account }) {
      if (account) {
        token.accessToken = account.access_token
        token.refreshToken = account.refresh_token
      }
      return token
    },
  },
})

Ongoing operations

Beyond setup: governing the environment

Authentication is just the beginning. These areas require ongoing attention to maintain security and compliance.

Login branding

Customize the hosted login page: title, subtitle, colors, logo, background, and behavior per client.

Identity policies

Control password rules, username validation, lockout thresholds, email verification, and sender configuration.

Token & encryption

Configure JWS/JWE algorithms, token lifetimes, audience, key rotation, and signing strategies per client.

Observability

Monitor active sessions, consumer usage, client status, secret expiration, and security posture.

Frequently asked questions

Common questions answered

Users are human identities that authenticate through interactive login (Authorization Code flow). Consumers are machine credentials used for server-to-server API access (Client Credentials flow). Both can have roles and scopes, but they operate through different authentication patterns.

Ready to build?

Start building your authentication layer today

You now understand the full platform: realms, clients, users, consumers, roles, scopes, keys, and all authentication flows. Time to bring it to life.

Get started free Back to top