OIDC Endpoints

Complete reference for Passji's OpenID Connect endpoints, parameters, and response formats.

Base URL

All endpoints are served from:

https://passji.com

Discovery
GET /.well-known/openid-configuration

Returns the OpenID Connect discovery document. Use this to dynamically configure your OIDC client.

Response
{
  "issuer": "https://passji.com",
  "authorization_endpoint": "https://passji.com/authorize",
  "token_endpoint": "https://passji.com/token",
  "userinfo_endpoint": "https://passji.com/userinfo",
  "jwks_uri": "https://passji.com/jwks",
  "registration_endpoint": "https://passji.com/clients/register",
  "scopes_supported": ["openid", "emoji", "profile", "trust"],
  "response_types_supported": ["code"],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "client_credentials"
  ],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "code_challenge_methods_supported": ["S256"]
}

JSON Web Key Set
GET /.well-known/jwks.json

Returns the public keys used to sign ID tokens. Use these to verify token signatures. Note that the discovery document above advertises "jwks_uri": "https://passji.com/jwks"; resolve the key set from that jwks_uri value rather than hard-coding either path, select the key whose "kid" matches the token header, and re-fetch the JWKS when a token carries an unknown "kid" so that key rotation does not break verification.

Response
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "passji-key-1",
      "alg": "RS256",
      "n": "0vx7agoebGcQSuu...",
      "e": "AQAB"
    }
  ]
}

Authorization
GET /authorize

Initiates the authorization flow. Redirect users here to start authentication.

Request
GET https://passji.com/authorize?
  client_id=your_client_id
  &redirect_uri=https://yourapp.com/callback
  &response_type=code
  &scope=openid emoji trust
  &state=random_state_value
  &code_challenge=abc123...  // PKCE
  &code_challenge_method=S256

Parameters

Parameter              Required     Description
client_id              Yes          Your application's client ID
redirect_uri           Yes          URL to redirect to after auth (must be registered for this client)
response_type          Yes          Must be "code"
scope                  Yes          Space-separated scopes (must include "openid")
state                  Recommended  Unguessable random string bound to the user's session, for CSRF protection; reject the callback if it does not match
nonce                  Optional     Unguessable random string echoed back in the ID token; compare it to detect replayed tokens
code_challenge         Optional     PKCE challenge, BASE64URL(SHA-256(code_verifier)); recommended for SPAs
code_challenge_method  Optional     Must be "S256"; required whenever code_challenge is sent

Token
POST /token

Exchange authorization codes for tokens, or refresh existing tokens.

Authorization Code Grant

Request
POST https://passji.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=authorization_code_from_callback
&redirect_uri=https://yourapp.com/callback
&client_id=your_client_id
&client_secret=your_client_secret
&code_verifier=pkce_verifier  // If using PKCE

Response
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "refresh_abc123def456...",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "scope": "openid emoji trust"
}
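The client side of the flow described above, from building the /authorize redirect through checking the callback to forming the /token request, as an added stand-alone example; this is not Passji's code and does not appear in the original reference. It uses only the Python standard library. It goes slightly beyond the page by always sending nonce and a PKCE challenge, which the parameter table marks optional, because both cost nothing and each closes a distinct attack (token replay and authorization-code interception). The function names build_authorize_request, code_from_callback and token_request_body are this example's own, and the callback URL it processes is constructed here rather than captured from Passji.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://passji.com/authorize"
TOKEN_URL = "https://passji.com/token"

def b64url(raw):
    """Base64url without padding, the alphabet RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier):
    """S256 method: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_verifier():
    """32 random bytes -> 43 unreserved characters, the minimum length RFC 7636 allows."""
    return b64url(secrets.token_bytes(32))

def build_authorize_request(client_id, redirect_uri, scopes=("openid", "emoji", "trust")):
    """Return (authorize_url, session). Persist `session` (server-side, or sessionStorage for a SPA)
    until the callback arrives; every value in it is single-use and tied to this login attempt."""
    verifier = new_pkce_verifier()
    session = {
        "state": secrets.token_urlsafe(32),   # CSRF / mix-up defence, checked on the callback
        "nonce": secrets.token_urlsafe(32),   # echoed in the ID token, checked after the token exchange
        "code_verifier": verifier,            # stays on the client until POST /token
        "redirect_uri": redirect_uri,
    }
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), session

def code_from_callback(callback_url, session):
    """Validate the redirect back to redirect_uri and return the authorization code.
    Raises ValueError on an error response, a missing code, or a state mismatch."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("%s: %s" % (query["error"][0], query.get("error_description", [""])[0]))
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "code" not in query:
        raise ValueError("callback carried no authorization code")
    return query["code"][0]

def token_request_body(code, session, client_id, client_secret=None):
    """Form body for POST /token. code_verifier proves we are the party that started the flow;
    client_secret is only for confidential (server-side) clients and never ships inside a SPA."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": session["redirect_uri"],
        "client_id": client_id,
        "code_verifier": session["code_verifier"],
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return urlencode(body)

if __name__ == "__main__":
    url, sess = build_authorize_request("your_client_id", "https://yourapp.com/callback")
    print("redirect the browser to:", url)
    # Constructed callback in the shape Passji would redirect to after the user authenticates:
    cb = "https://yourapp.com/callback?code=authorization_code_from_callback&state=" + sess["state"]
    code = code_from_callback(cb, sess)
    print("POST", TOKEN_URL, token_request_body(code, sess, "your_client_id"))
```

The state comparison is constant-time and the callback is rejected before the code is ever sent to /token, so a forged or replayed redirect never costs a token exchange. The session record is the only place code_verifier lives; if it is lost, the login must start over rather than retrying with a fresh verifier.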

Refresh Token Grant

Request
POST https://passji.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=refresh_abc123def456...
&client_id=your_client_id
&client_secret=your_client_secret

Token Rotation: Refresh tokens are rotated on every use. Each refresh response carries a new refresh token with a 30-day TTL, and the previous token is invalidated at that point. Persist the new token before discarding the old one; a retry that presents the invalidated token will be rejected.

UserInfo
GET /userinfo

Returns claims about the authenticated user. Requires a valid access token.

Request
GET https://passji.com/userinfo
Authorization: Bearer <access_token>

Response
{
  "sub": "usr_abc123",
  "emoji_id": "🦊🌸🎯",
  "emoji_length": 3,
  "trust_score": 0.85,
  "account_age_days": 45
}

ID Token Claims

The ID token is a signed JWT containing identity claims. Always verify the signature against the current JWKS before trusting any claim, then check that "iss" equals the issuer above, that "aud" contains your client_id, that "exp" has not passed, and, if you sent one, that "nonce" equals the value you passed to /authorize.

Claims
// Standard OIDC claims
{
  "iss": "https://passji.com",      // Issuer
  "sub": "usr_abc123",               // Subject (unique user ID)
  "aud": "your_client_id",           // Audience
  "exp": 1709859600,                 // Expiration time
  "iat": 1709856000,                 // Issued at
  "auth_time": 1709855990,           // When user authenticated
  "nonce": "your_nonce",             // If provided in authorize

  // Passji-specific claims
  "emoji_id": "🦊🌸🎯",              // Emoji sequence
  "emoji_length": 3,                 // Number of emoji
  "trust_score": 0.85,               // 0.0 to 1.0
  "account_age_days": 45,            // Days since registration
  "auth_method": "webauthn"          // Always "webauthn" for humans
}
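Verifying a Passji ID token end to end, as an added example that is not Passji's code and not part of this reference. It serves both the JSON Web Key Set section above and the claim checks just listed: key selection by "kid", an RS256 allow-list (the only algorithm the discovery document advertises), RSASSA-PKCS1-v1_5 signature verification over the JWK's "n" and "e", and the iss/aud/exp/iat/nonce checks, using only the Python standard library. Because the page's JWKS is truncated and a real fetch needs the network, the block also contains a stand-in signer (generate_demo_key, rsa_sign_rs256, issue_id_token, public_jwks) that mints tokens in the shape shown above; those helpers, the 1024-bit demo key size and the 60-second clock leeway are this example's own choices, not Passji's. In production, load the JWKS from the discovery document's jwks_uri and prefer a maintained JOSE library for the cryptography; the hand-rolled RSA here exists only so the whole verification path can be read and run in one file.

```python
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://passji.com"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2 note 1

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify_rs256(message, signature, n, e):
    """RSASSA-PKCS1-v1_5 verify: recover EM with the public key, compare in constant time."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(message, k))

def validate_id_token(token, jwks, client_id, nonce=None, issuer=ISSUER, now=None, leeway=60):
    """Verify the signature first, then iss/aud/exp/iat/nonce. Returns the claims or raises ValueError."""
    h_b64, p_b64, s_b64 = token.split(".")  # raises ValueError on a malformed JWT
    header = json.loads(b64url_decode(h_b64))
    # Allow-list the alg advertised by discovery; never let the token choose it (blocks alg=none, HS256 confusion)
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError("no matching signing key in JWKS")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rsa_verify_rs256((h_b64 + "." + p_b64).encode("ascii"), b64url_decode(s_b64), n, e):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p_b64))  # claims are trustworthy only from here on
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now - leeway:
        raise ValueError("token expired or exp missing")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    if nonce is not None and not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims

# --- Offline stand-in for Passji's signer: a constructed fixture, not Passji code -------------
def is_probable_prime(n, rounds=24):  # Miller-Rabin; adequate for a demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def random_prime(bits):  # odd candidates with the top bit set, so the modulus is exactly 2*bits long
    return next(c for c in iter(lambda: secrets.randbits(bits) | 1 << (bits - 1) | 1, None) if is_probable_prime(c))

def generate_demo_key(bits=1024):  # demo-sized key: far too small for production, signs only the fixture
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def rsa_sign_rs256(message, key):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def public_jwks(key, kid):  # JWKS shaped like the /jwks response above, holding only this key
    b64int = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "alg": "RS256",
                      "n": b64int(key["n"]), "e": b64int(key["e"])}]}

def issue_id_token(claims, key, kid, alg="RS256"):  # alg other than RS256 yields an unsigned token (negative tests)
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": alg, "typ": "JWT", "kid": kid}) + "." + enc(claims)
    sig = rsa_sign_rs256(signing_input.encode("ascii"), key) if alg == "RS256" else b""
    return signing_input + "." + b64url_encode(sig)

DEMO_KID = "passji-key-1"
DEMO_KEY = generate_demo_key()  # regenerated on every import; fine for a fixture
DEMO_JWKS = public_jwks(DEMO_KEY, DEMO_KID)
```

The order inside validate_id_token is deliberate: the algorithm is pinned before any key is looked up, the signature is checked before the payload is parsed as claims, and only then are issuer, audience, lifetime and nonce compared. A token with "alg": "none", a payload edited after signing, a token minted for another client_id, an expired token, or a nonce that does not match the login attempt each fail at the earliest check that can catch it.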

Scopes Reference

Scope    Claims                          Description
openid   sub                             Required. Returns unique user identifier.
emoji    emoji_id, emoji_length          The user's emoji identity.
profile  emoji_id, emoji_length          Alias for emoji (OIDC standard name).
trust    trust_score, account_age_days   Trust score and account metadata.

Error Responses

Errors follow the OAuth 2.0 error response format:

Error Response
{
  "error": "invalid_request",
  "error_description": "Missing required parameter: redirect_uri"
}

Common Error Codes

Error             Description
invalid_request   Missing or invalid parameter
invalid_client    Unknown client_id or invalid credentials
invalid_grant     Invalid or expired authorization code
access_denied     User denied consent
invalid_token     Access token is invalid or expired