Backend Integration

Integration Base URL

https://api.openasa.com

Required Service Metadata

  • client_id
  • trusted redirect_uri list
  • allowed scopes
  • token handling policy on your backend
  • local user mapping strategy keyed by stable OpenASA subject

Provider-side Contract

Treat OpenASA as exposing the standard OAuth provider-side surfaces:

  • authorize
  • token
  • userinfo
  • jwks
  • revoke

Server-side Requirements

  • Your runtime redirect_uri must exactly match the registered client metadata.
  • Authorization code exchange must run only on a trusted backend.
  • Token validation should rely on the OpenASA-issued subject, the token metadata (issuer, audience, expiry) and, where applicable, signature verification against the JWKS endpoint.
  • Local sessions should be derived from OpenASA identity, not from browser callback parameters alone.

Security Checklist

  • Keep any client secret or backend credential in secure config management, not in source code.
  • Restrict callback handling to your own trusted business domains.
  • Use HTTPS only in production and shared test environments.
  • Treat OpenASA sub as the external identity anchor and keep your own authorization model separate.
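The checks that the Server-side Requirements and Security Checklist above call for, written out as an added example (not OpenASA's own code, and not a client library): exact redirect_uri matching, callback host restriction, post-signature claim validation and sub-keyed local user mapping. The registered redirect URI, client id and trusted domain are constructed placeholders; the issuer is the integration base URL from this page.

```python
# Added example, not OpenASA's own code. Standard library only.
import time
from typing import Optional
from urllib.parse import urlsplit

REGISTERED_REDIRECT_URIS = {"https://app.example.com/auth/callback"}  # constructed placeholder
CLIENT_ID = "example-client-id"                                       # constructed placeholder
ISSUER = "https://api.openasa.com"                                    # integration base URL


def is_registered_redirect(uri: str) -> bool:
    """Exact string match against the registered client metadata.

    No prefix, host-only or wildcard matching: a trailing slash, an added
    query string or a sibling subdomain are all rejected."""
    return uri in REGISTERED_REDIRECT_URIS


def is_trusted_callback_host(uri: str, trusted_domains: set) -> bool:
    """Restrict callback handling to your own business domains, HTTPS only."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    # Match the domain itself or a subdomain of it; "example.com.test" is not one.
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def validate_claims(claims: dict, now: Optional[float] = None) -> bool:
    """Claim checks on an OpenASA-issued token, run only AFTER its signature
    has been verified against the provider JWKS (that step needs a crypto
    library and is assumed to have already passed here)."""
    now = time.time() if now is None else now
    return (
        claims.get("iss") == ISSUER
        and claims.get("aud") == CLIENT_ID
        and isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now
        and isinstance(claims.get("sub"), str) and bool(claims["sub"])
    )


def local_user_for(claims: dict, user_store: dict) -> dict:
    """Map to a local account keyed by the stable OpenASA subject, never by
    email or display name, which can change or be reassigned."""
    sub = claims["sub"]
    if sub not in user_store:
        # Local roles live in your own authorization model, separate from OpenASA.
        user_store[sub] = {"sub": sub, "roles": []}
    return user_store[sub]
```

The session that the backend creates should be built from the result of `local_user_for`, not from anything carried in the browser callback parameters.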