# OIDC Endpoints
Complete reference of all Trousseau OIDC/OAuth2 endpoints.
## Base URL
All endpoints are relative to the Trousseau base URL:
```text
https://auth.trousseau.app
```

## Discovery
Use the OpenID Connect Discovery endpoint to auto-configure your OIDC client:
```http
GET https://auth.trousseau.app/application/o/{your-slug}/.well-known/openid-configuration
```

This returns a JSON document with all endpoint URLs, supported scopes, signing algorithms, and more.

## Authorization
Initiates the authentication flow. Redirect the user's browser here.
```http
GET https://auth.trousseau.app/application/o/authorize/
```

| Parameter | Required | Description |
|---|---|---|
| client_id | Yes | Your OIDC client ID |
| response_type | Yes | code |
| scope | Yes | Space-separated scopes (must include openid) |
| redirect_uri | Yes | Registered callback URL |
| state | Recommended | Random string for CSRF protection |
| code_challenge | Yes | PKCE code challenge (S256) |
| code_challenge_method | Yes | S256 |

## Token
Exchange an authorization code for tokens, or refresh existing tokens.
```http
POST https://auth.trousseau.app/application/o/token/
Content-Type: application/x-www-form-urlencoded
```

### Authorization code exchange

| Parameter | Value |
|---|---|
| grant_type | authorization_code |
| code | Authorization code from callback |
| redirect_uri | Same as in authorization request |
| client_id | Your client ID |
| client_secret | Your client secret |
| code_verifier | PKCE code verifier |
### Token refresh

| Parameter | Value |
|---|---|
| grant_type | refresh_token |
| refresh_token | Your refresh token |
| client_id | Your client ID |
| client_secret | Your client secret |
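The Authorization and Token sections above together make up one authorization code flow with PKCE. The following Go program is an added example, not code from the Trousseau documentation: it generates the PKCE verifier and S256 challenge, builds the authorize redirect with the parameters from the table, checks `state` on the callback, and produces the form bodies for the code exchange and the refresh grant. The `nonce` parameter is a standard OIDC Core parameter that is not listed in the table above; the client ID, redirect URI, secret and callback query are constructed placeholders, and sending the POST is left to your HTTP client.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Endpoints from the reference above.
const (
	authorizeEndpoint = "https://auth.trousseau.app/application/o/authorize/"
	tokenEndpoint     = "https://auth.trousseau.app/application/o/token/"
)

// randomToken returns n random bytes as unpadded base64url (the RFC 7636 verifier alphabet).
func randomToken(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallenge derives the S256 challenge: BASE64URL(SHA256(ASCII(verifier))).
func codeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizeURL builds the browser redirect for the Authorization endpoint. nonce is a
// standard OIDC Core parameter (not in the table above) echoed back in the ID token.
func authorizeURL(clientID, redirectURI, scope, state, nonce, challenge string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("scope", scope)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return authorizeEndpoint + "?" + q.Encode()
}

// callbackCode pulls the authorization code out of the callback query and refuses it
// unless state equals the value saved in the user's session before the redirect.
func callbackCode(expectedState string, query url.Values) (string, error) {
	if e := query.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s: %s", e, query.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(query.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: discard this callback (possible CSRF)")
	}
	return query.Get("code"), nil
}

// exchangeForm is the x-www-form-urlencoded body for the authorization code exchange.
func exchangeForm(code, redirectURI, clientID, clientSecret, verifier string) url.Values {
	return url.Values{
		"grant_type":    {"authorization_code"},
		"code":          {code},
		"redirect_uri":  {redirectURI},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"code_verifier": {verifier},
	}
}

// refreshForm is the body for the refresh_token grant.
func refreshForm(refreshToken, clientID, clientSecret string) url.Values {
	return url.Values{
		"grant_type":    {"refresh_token"},
		"refresh_token": {refreshToken},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
	}
}

func main() {
	// Placeholder client settings; the real ones come from your Trousseau registration.
	const clientID, redirectURI, secret = "example-client-id", "https://app.example.com/callback", "<client-secret>"
	verifier, _ := randomToken(32)
	state, _ := randomToken(16)
	nonce, _ := randomToken(16)
	fmt.Println("302 ->", authorizeURL(clientID, redirectURI, "openid email profile", state, nonce, codeChallenge(verifier)))
	// Constructed callback query standing in for what the browser brings back.
	cb, _ := url.ParseQuery("code=SplxlOBeZQQYbYS6WxSbIA&state=" + state)
	code, err := callbackCode(state, cb)
	if err != nil {
		panic(err)
	}
	fmt.Println("POST", tokenEndpoint, exchangeForm(code, redirectURI, clientID, secret, verifier).Encode())
}
```

Store `verifier`, `state` and `nonce` in the server-side session keyed to the browser, never in the URL; the verifier is what makes a stolen authorization code useless to anyone who did not start the flow.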
### Response

```json
{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 300,
  "refresh_token": "eyJ...",
  "id_token": "eyJ...",
  "scope": "openid email profile"
}
```

## UserInfo
Retrieve the authenticated user's claims.
```http
GET https://auth.trousseau.app/application/o/userinfo/
Authorization: Bearer {access_token}
```

Returns the same claims as the ID token. See Scopes & Claims for the full list.

## JWKS
Retrieve the public keys used to sign tokens. Use this to validate ID token and logout token signatures.
```http
GET https://auth.trousseau.app/application/o/{your-slug}/jwks/
```

Returns a standard JWK Set:

```json
{
  "keys": [
    {
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "kid": "...",
      "n": "...",
      "e": "AQAB"
    }
  ]
}
```

## End Session (Logout)
Terminate the Trousseau SSO session and redirect the user.
```http
GET https://auth.trousseau.app/application/o/{your-slug}/end-session/
```

| Parameter | Required | Description |
|---|---|---|
| id_token_hint | Recommended | The user's ID token |
| post_logout_redirect_uri | Recommended | Where to redirect after logout (must be registered) |
See the SSO Logout guide for implementation details.
## Token lifetimes
| Token | Default lifetime | Configurable |
|---|---|---|
| Access token | 5 minutes | Per partner (on request) |
| ID token | 5 minutes | Follows access token |
| Refresh token | 30 days | Per partner (on request) |
| Authorization code | 60 seconds | No |