OAuth
How Epismo issues and manages access tokens for API and MCP clients.
Epismo uses standard OAuth 2.0 with OpenID Connect to authenticate applications. If you are building a product integration, you will obtain an access token through this flow and then send it as a bearer token on every API request. Most users never call these endpoints directly (the CLI and supported MCP clients handle the flow for you), but they are documented here for teams building their own integration.
How the flow works
- Discover endpoints. Fetch the well-known metadata documents below instead of hard-coding URLs. They list the authorization, token, and user-info endpoints and the supported capabilities.
- Register a client. Use `POST /oauth/register` for dynamic client registration. Registered clients support the `authorization_code` and `refresh_token` grants by default.
- Authorize the user. Run the authorization-code flow (PKCE is supported) to obtain an authorization code.
- Exchange for tokens. Call `POST /oauth/token` to exchange the authorization code for an access token and a refresh token.
- Refresh as needed. When the access token expires, exchange the refresh token at `POST /oauth/token` with `grant_type=refresh_token` rather than sending the user through sign-in again.
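The five steps above as one runnable client, written here as an added example rather than Epismo's own code or CLI. The HTTP layer is an injected `fetch` callable, and the block ships with a constructed fake server so it runs offline; the origin, the `/oauth/authorize` path, the `read` scope name and all token values are assumptions, not taken from this page. The fake server does verify the PKCE binding (SHA-256 of the verifier against the challenge sent at authorization time), which is the property that makes a public client safe without a client secret.

```python
"""Epismo OAuth flow end to end: discover, register, authorize (PKCE), exchange, refresh.
Added example, not Epismo's code. `fetch(method, url, body)` is injected so the flow can
run against the constructed fake server below."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qsl, urlencode

BASE = "https://epismo.example.invalid"  # assumed origin; use the real one in practice


def make_pkce(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def discover(fetch):
    """Step 1: read endpoints from the metadata document instead of hard-coding them."""
    meta = json.loads(fetch("GET", f"{BASE}/.well-known/oauth-authorization-server", None))
    needed = ("authorization_endpoint", "token_endpoint", "registration_endpoint")
    missing = [k for k in needed if k not in meta]
    if missing:
        raise ValueError(f"metadata is missing {missing}")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 PKCE")
    return meta


def register_client(fetch, meta, redirect_uri):
    """Step 2: dynamic client registration (RFC 7591 request body)."""
    body = json.dumps({
        "redirect_uris": [redirect_uri],
        "grant_types": ["authorization_code", "refresh_token"],
        "token_endpoint_auth_method": "none",  # public client: PKCE protects the exchange
    })
    return json.loads(fetch("POST", meta["registration_endpoint"], body))


def authorization_url(meta, client_id, redirect_uri, scopes, state, challenge):
    """Step 3: the URL the user is sent to; the code comes back on redirect_uri."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return meta["authorization_endpoint"] + "?" + urlencode(params)


def exchange_code(fetch, meta, client_id, code, redirect_uri, verifier):
    """Step 4: trade the code plus the PKCE verifier for access and refresh tokens."""
    body = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "code": code, "redirect_uri": redirect_uri, "code_verifier": verifier})
    return json.loads(fetch("POST", meta["token_endpoint"], body))


def refresh_tokens(fetch, meta, client_id, refresh_token):
    """Step 5: a fresh access token without sending the user through sign-in again."""
    body = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token})
    return json.loads(fetch("POST", meta["token_endpoint"], body))


_FAKE = {}  # state of the constructed fake server (stored challenge and issued code)


def fake_fetch(method, url, body):
    """Constructed fake server: just enough of the documented endpoints to run offline."""
    path, _, query = url[len(BASE):].partition("?")
    if path == "/.well-known/oauth-authorization-server":
        return json.dumps({
            "issuer": BASE,
            "authorization_endpoint": f"{BASE}/oauth/authorize",  # assumed path
            "token_endpoint": f"{BASE}/oauth/token",
            "registration_endpoint": f"{BASE}/oauth/register",
            "code_challenge_methods_supported": ["S256"],
        })
    if path == "/oauth/register":
        return json.dumps({"client_id": "cid-constructed", **json.loads(body)})
    if path == "/oauth/authorize":  # stands in for the user's browser visit
        q = dict(parse_qsl(query))
        _FAKE["challenge"], _FAKE["code"] = q["code_challenge"], "code-constructed"
        return json.dumps({"code": _FAKE["code"], "state": q["state"]})
    if path == "/oauth/token":
        form = dict(parse_qsl(body))
        if form["grant_type"] == "authorization_code":
            _, expected = make_pkce(form["code_verifier"])  # server recomputes S256
            if form["code"] != _FAKE.get("code") or expected != _FAKE.get("challenge"):
                return json.dumps({"error": "invalid_grant"})
            return json.dumps({"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600})
        if form["grant_type"] == "refresh_token" and form["refresh_token"] == "rt-1":
            return json.dumps({"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600})
        return json.dumps({"error": "invalid_grant"})
    raise RuntimeError(f"unexpected {method} {path}")


def run_flow(fetch, redirect_uri="http://127.0.0.1:8765/callback", scopes=("read",)):
    """Run all five steps; returns the token response after one refresh."""
    meta = discover(fetch)
    client_id = register_client(fetch, meta, redirect_uri)["client_id"]
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    url = authorization_url(meta, client_id, redirect_uri, scopes, state, challenge)
    redirect = json.loads(fetch("GET", url, None))  # a real client opens `url` in a browser
    if redirect["state"] != state:  # reject codes that did not come from our own request
        raise ValueError("state mismatch")
    tokens = exchange_code(fetch, meta, client_id, redirect["code"], redirect_uri, verifier)
    if "error" in tokens:
        raise ValueError(tokens["error"])
    return refresh_tokens(fetch, meta, client_id, tokens["refresh_token"])


if __name__ == "__main__":
    print(run_flow(fake_fetch))
```

Two checks in `run_flow` are easy to drop and worth keeping: the `state` comparison ties the returned code to a request this client actually started, and refusing to proceed unless the metadata advertises `S256` means the client never silently falls back to an unbound exchange.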
The access token you receive is what authorizes your API calls. See Authentication for how to send it, and Tokens for the CLI- and MCP-specific token endpoints.
Endpoints
| Method | Path | Purpose |
|---|---|---|
| POST | `/oauth/token` | Exchange an authorization code or refresh token for tokens |
| GET/POST | `/oauth/userinfo` | OpenID Connect user info for the current token |
| POST | `/oauth/register` | Dynamic client registration |
| POST | `/oauth/revoke` | Revoke an access or refresh token |
| POST | `/oauth/introspect` | Check whether a token is active and inspect its scopes |
| GET | `/.well-known/oauth-authorization-server` | Authorization server metadata (endpoints and capabilities) |
| GET | `/.well-known/openid-configuration` | OpenID Connect provider metadata |
Scopes
Tokens carry scopes that determine what they can do. Read endpoints require read scopes and mutation endpoints require write scopes; MCP clients additionally need the mcp scope. Request only the scopes your integration needs.
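How a resource server would enforce the rule above using the `/oauth/introspect` endpoint, as an added example that is not Epismo's code. The page names only the `mcp` scope; the scope names `read` and `write`, the method-to-scope mapping, and the space-separated `scope` string and `active`/`exp` fields (the RFC 7662 shape) are assumptions. The introspection responses are constructed and served by an injected `fetch` so the block runs offline.

```python
"""Resource-side scope enforcement driven by an /oauth/introspect response.
Added example, not Epismo's code; scope names other than `mcp` are assumed."""
import json
import time

# Assumed: these methods are "read endpoints"; everything else is a mutation.
READ_METHODS = {"GET", "HEAD", "OPTIONS"}


def required_scopes(method, is_mcp_client=False):
    """Read endpoints need `read`, mutations need `write`; MCP clients also need `mcp`."""
    needed = {"read"} if method.upper() in READ_METHODS else {"write"}
    if is_mcp_client:
        needed.add("mcp")
    return needed


def introspect(fetch, token):
    """POST the presented token to /oauth/introspect and parse the JSON reply."""
    return json.loads(fetch("POST", "/oauth/introspect", f"token={token}"))


def check_request(introspection, method, is_mcp_client=False, now=None):
    """Return (allowed, reason). Inactive or expired tokens fail before scopes are read."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token is not active"
    if "exp" in introspection and introspection["exp"] <= now:
        return False, "token expired"
    granted = set(introspection.get("scope", "").split())
    missing = required_scopes(method, is_mcp_client) - granted
    if missing:
        return False, "missing scope(s): " + ", ".join(sorted(missing))
    return True, "ok"


# Constructed introspection responses keyed by token value.
_INTROSPECTION = {
    "tok-read": {"active": True, "scope": "read", "exp": 2_000_000_000},
    "tok-mcp": {"active": True, "scope": "read write mcp", "exp": 2_000_000_000},
    "tok-revoked": {"active": False},
}


def fake_introspect_fetch(method, path, body):
    """Constructed stand-in for the introspection endpoint (unknown tokens are inactive)."""
    token = body.split("=", 1)[1]
    return json.dumps(_INTROSPECTION.get(token, {"active": False}))


def authorize_call(fetch, token, method, is_mcp_client=False, now=None):
    """One request through introspection and scope enforcement."""
    return check_request(introspect(fetch, token), method, is_mcp_client, now)


if __name__ == "__main__":
    for tok, m, mcp in [("tok-read", "GET", False), ("tok-read", "POST", False),
                        ("tok-read", "GET", True), ("tok-mcp", "DELETE", True),
                        ("tok-revoked", "GET", False)]:
        print(tok, m, "mcp" if mcp else "api", authorize_call(fake_introspect_fetch, tok, m, mcp))
```

Checking `active` before anything else matters because a revoked token (`POST /oauth/revoke`) comes back as `active: false` with no other fields; reading `scope` first would mask that.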
MCP clients
MCP clients use the same OAuth model, but discover metadata through the MCP server's own well-known endpoints. See MCP setup for that flow.