> Markdown version of https://authpi.com/docs/reference/idp-api/discovery/ — fetch the complete AuthPI docs index at https://authpi.com/llms.txt to discover all available pages.

# Discovery — AuthPI Identity Provider API

Discovery endpoints for OpenID Connect and OAuth 2.0 configuration. These endpoints provide metadata about the authorization server, including supported features, endpoints, and cryptographic keys.

## GET /{issuer_id}/jwks.json

**Issuer JSON Web Key Set**

Returns the JSON Web Key Set (JWKS) for a specific issuer.

This is the issuer-specific JWKS endpoint referenced in the OpenID Connect Discovery document (`jwks_uri`). Currently, AuthPI uses the same signing keys across all issuers, but this may change in the future.

**Recommendation:** Always use the `jwks_uri` from the discovery document rather than constructing the URL manually.

### Path parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `issuer_id` | string | Required | The unique identifier for the issuer/tenant |

### Responses

| Code | Description | Schema |
| --- | --- | --- |
| 200 | JSON Web Key Set containing public signing keys for this issuer | `IssuerJWKS` |
| 404 | **Not Found** - The requested resource does not exist. | `OAuthError` |
| 405 | **Method Not Allowed** - The request method is not supported for this resource. | — |
| 429 | **Too Many Requests** - Rate limit exceeded. | `OAuthError` |
| 500 | **Internal Server Error** - An unexpected error occurred. | `OAuthError` |

## GET /{issuer_id}/.well-known/openid-configuration

**OpenID Connect Discovery**

Returns the OpenID Connect Discovery document (OpenID Connect Discovery 1.0).

This endpoint provides metadata about the OpenID Provider, including:
- **Endpoints**: Authorization, token, userinfo, and JWKS URIs
- **Supported features**: Grant types, response types, scopes, and claims
- **Authentication methods**: Supported client authentication mechanisms
- **Cryptographic capabilities**: Signing algorithms and PKCE support

Clients SHOULD cache this document and refresh it periodically (recommended: every 24 hours).

**Specification**: [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
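
An added example (not AuthPI's own code) of a client that follows the two recommendations on this page: it reads `jwks_uri` from the discovery document instead of building the URL, and it refreshes its cached copy every 24 hours. It also rejects a document whose `issuer` does not exactly match the one requested, as OpenID Connect Discovery 1.0 requires. The issuer URL `https://idp.example.com/iss_demo`, the names `DiscoveryCache` and `validate_metadata`, and the sample document are assumptions constructed for illustration.

```python
import json
import time
from urllib.parse import urlsplit
from urllib.request import urlopen

REFRESH_SECONDS = 24 * 60 * 60  # refresh interval recommended on this page


def http_get_json(url):
    """Default fetcher: HTTPS GET returning the parsed JSON body."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def validate_metadata(doc, expected_issuer):
    """Reject a discovery document that does not belong to the issuer we asked for."""
    if doc.get("issuer") != expected_issuer:
        # OpenID Connect Discovery 1.0 requires an exact match.
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    jwks = urlsplit(doc.get("jwks_uri") or "")
    if jwks.scheme != "https" or not jwks.netloc:
        raise ValueError("jwks_uri must be an absolute https URL")
    return doc


class DiscoveryCache:
    def __init__(self, issuer, fetch=http_get_json, clock=time.time):
        self.issuer = issuer.rstrip("/")
        self._fetch, self._clock = fetch, clock
        self._doc, self._fetched_at = None, 0.0

    def metadata(self):
        now = self._clock()
        if self._doc is None or now - self._fetched_at >= REFRESH_SECONDS:
            url = self.issuer + "/.well-known/openid-configuration"
            # Only a validated document replaces the cached one.
            self._doc = validate_metadata(self._fetch(url), self.issuer)
            self._fetched_at = now
        return self._doc

    def jwks_uri(self):
        return self.metadata()["jwks_uri"]


# Constructed sample response for a hypothetical issuer; not real AuthPI output.
ISSUER = "https://idp.example.com/iss_demo"
SAMPLE_DOC = {"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks.json"}

if __name__ == "__main__":
    cache = DiscoveryCache(ISSUER, fetch=lambda url: SAMPLE_DOC)
    print(cache.jwks_uri())
```

Pass the `fetch` and `clock` arguments only in tests; with the defaults the class performs a real HTTPS request and uses wall-clock time.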

### Path parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `issuer_id` | string | Required | The unique identifier for the issuer/tenant |

### Responses

| Code | Description | Schema |
| --- | --- | --- |
| 200 | OpenID Connect Discovery document with provider metadata | `OpenIDConfiguration` |
| 404 | **Not Found** - The requested resource does not exist. | `OAuthError` |
| 405 | **Method Not Allowed** - The request method is not supported for this resource. | — |
| 429 | **Too Many Requests** - Rate limit exceeded. | `OAuthError` |
| 500 | **Internal Server Error** - An unexpected error occurred. | `OAuthError` |

## GET /{issuer_id}/.well-known/oauth-authorization-server

**OAuth 2.0 Authorization Server Metadata**

Returns the OAuth 2.0 Authorization Server Metadata document (RFC 8414).

This endpoint provides metadata about the OAuth 2.0 authorization server, including endpoints and supported features. Use this for OAuth 2.0 clients that don't require OpenID Connect features.

For full OIDC functionality, use the `/.well-known/openid-configuration` endpoint instead.

**Specification**: [RFC 8414 - OAuth 2.0 Authorization Server Metadata](https://tools.ietf.org/html/rfc8414)

### Path parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `issuer_id` | string | Required | The unique identifier for the issuer/tenant |

### Responses

| Code | Description | Schema |
| --- | --- | --- |
| 200 | OAuth 2.0 Authorization Server Metadata document | `OAuth2Metadata` |
| 404 | **Not Found** - The requested resource does not exist. | `OAuthError` |
| 405 | **Method Not Allowed** - The request method is not supported for this resource. | — |
| 429 | **Too Many Requests** - Rate limit exceeded. | `OAuthError` |
| 500 | **Internal Server Error** - An unexpected error occurred. | `OAuthError` |
