API reference
The REST surface the SDKs wrap.
LoginWith’s public API is a standard OAuth 2.0 authorization server + a small REST surface for user and org metadata. Everything the SDKs do is just HTTP calls you can make directly.
Base URL
Every org gets three hosts:
- https://<slug>.loginwith.dev — the REST API + OAuth token endpoint
- https://<slug>.loginwith.app — the JWT issuer (iss claim), also serves the JWKS
- https://<slug>.loginwith.page — the branded hosted login page
OAuth endpoints
| Endpoint | Purpose |
|---|---|
| GET / on <provider>.loginwith.link | Starts the authorize flow for a given provider. |
| GET /sso/:provider/callback | Internal callback — receives the code from the upstream provider. |
| POST /oauth/token | Exchanges authorization_code + pkce_verifier for a bearer token. Also grant_type=refresh_token and grant_type=client_credentials. |
| GET /oauth/authorize | Authorization code flow entry. |
| GET /.well-known/jwks.json | The JWKS for signature verification. |
REST
| Endpoint | Purpose |
|---|---|
| GET /users/me | The authenticated caller. |
| GET /users/:id | Fetch a user by id. me is a valid alias. |
| GET /users | Paginated list. Scoped to the caller’s org. |
| GET /orgs | Orgs the caller can administer. |
| GET /tenants | Tenants in the caller’s org. |
| GET /pages/:domain | Branded login page metadata by hostname. |
Bearer token shape
Access tokens are RS256-signed JWTs. Typical user-token claims:
```json
{
  "typ": "user",
  "iss": "https://acme.loginwith.app/",
  "aud": "https://acme.loginwith.dev",
  "azp": "https://app.acme.com/callback",
  "sub": "uid_69e34a80eed7a391d8320c95",
  "tnt": "tnt_6a0c2f9b8d4a1e3f7c5d0b2a",
  "exp": 1776474000,
  "nbf": 1776470400
}
```
Client-credential tokens are the same shape minus sub and tnt, plus typ: "client" and azp set to the client id instead of a redirect URL.
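The checks a resource server should run on one of these tokens after verifying the RS256 signature against the JWKS on the .app host, as an added example (not LoginWith SDK code). Note the split between the issuer host (.app, with trailing slash) and the audience host (.dev), and that azp is a redirect URL for user tokens but a client id for client tokens; the slug acme, the kid value and the placeholder signature are constructed.

```python
import base64, json, time

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_sample_token(header: dict, claims: dict) -> str:
    # Constructed, unsigned sample with a placeholder signature; real tokens are RS256-signed.
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), "sig"])

def parse_header(token: str) -> dict:
    # Pin the algorithm before any key lookup: the token must not choose alg (none, HS256, ...).
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not header.get("kid"):
        raise ValueError("missing kid; cannot select a key from the JWKS")
    return header

def validate_claims(claims: dict, slug: str, allowed_azp: set, now=None, leeway: int = 60) -> str:
    # Runs after the signature has been checked against https://<slug>.loginwith.app/.well-known/jwks.json
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://{slug}.loginwith.app/":  # issuer host, trailing slash
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if f"https://{slug}.loginwith.dev" not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this API host")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    if claims.get("nbf", 0) - leeway > now:
        raise ValueError("not yet valid")
    typ = claims.get("typ")
    if typ == "user" and not all(k in claims for k in ("sub", "tnt")):
        raise ValueError("user token missing sub/tnt")
    if typ == "client" and ("sub" in claims or "tnt" in claims):
        raise ValueError("client token must not carry sub/tnt")
    if typ not in ("user", "client"):
        raise ValueError(f"unknown typ {typ!r}")
    if claims.get("azp") not in allowed_azp:  # redirect URL (user) or client id (client)
        raise ValueError("unexpected azp")
    return typ

# Constructed sample: the user-token claims shown in the reference above.
USER_CLAIMS = {"typ": "user", "iss": "https://acme.loginwith.app/", "aud": "https://acme.loginwith.dev",
               "azp": "https://app.acme.com/callback", "sub": "uid_69e34a80eed7a391d8320c95",
               "tnt": "tnt_6a0c2f9b8d4a1e3f7c5d0b2a", "exp": 1776474000, "nbf": 1776470400}
```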