OAuth App Authorization (Server-to-Server)
For third-party integrations, an OAuth 2.0-style authorization code flow is supported for server-to-server communication.
Authorization Code Generation
- Codes are HMAC-SHA256 signed with a `codeSecret` (versioned format: `v1.<payload>.<signature>`).
- Codes contain: `jti`, `userId`, `tenantId`, `clientId`, `redirectUri`, `scope`, `exp`.
- Single-use enforcement via Redis `GETDEL` (atomic get-and-delete, race-condition safe).
- Codes are short-lived with a configurable TTL.
- Pending requests are cached in Redis with automatic expiry.
Token Exchange
- Timing-safe client secret comparison (`timingSafeEqual`).
- Redirect URI validation against an allowlist.
- Single-use codes: already-used codes are rejected with `Authorization code already used`.
- Signature and expiry are validated before any token exchange.
Flow Diagram
Related Pages
- Token Lifecycle: JWT token management
- Authentication Flows: user-facing auth flows
- Security Overview: architecture overview