Quickstart

From zero to a working tenant and first token in five minutes.

oauth.work is a standards-native identity platform — an OIDC provider, a multi-tenant management API, and a Verifiable Credentials rail. This guide takes you from nothing to a working authorization-code flow.

1. Provision a tenant

Each tenant is host-addressed (<slug>.oauth.work) and gets its own Ed25519 signing key, OIDC discovery document, JWKS, and did:web issuer.

npx oauth-work init --tenant acme
# → https://acme.oauth.work/.well-known/openid-configuration

2. Authorize a user

Standard OAuth 2.1 authorization-code flow with PKCE. Auth codes are single-use and stored in a Durable Object (atomic read-then-delete) so they can’t be replayed.

GET /authorize
  ?response_type=code
  &client_id=acme-web
  &code_challenge=<S256>
  &code_challenge_method=S256
  &scope=openid%20profile
# → 302 /callback?code=… (single-use)

3. Exchange the code for tokens

POST /token
  grant_type=authorization_code
  code=<code>
  code_verifier=<verifier>
# → { "access_token": "…", "id_token": "…", "token_type": "DPoP" }

ID tokens are signed EdDSA with the tenant’s key; verify them against the tenant’s JWKS at https://acme.oauth.work/.well-known/jwks.json.

Next