Skip to content
/public

Login with Unstoppable API

For more information on adding Login With Unstoppable to your applications, see the Login Integration Pathways.

Overview
E-mail
partnerengineering@unstoppabledomains.com
License
Apache 2.0
Languages
Servers
https://auth.unstoppabledomains.com/

public

Operations

JSON Web Keys Discovery

Request

This endpoint returns JSON Web Keys to be used as public keys for verifying OpenID Connect ID Tokens and, if enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like node-jwks-rsa among others.

curl -i -X GET \
  https://auth.unstoppabledomains.com/.well-known/jwks.json

Responses

JSONWebKeySet

Bodyapplication/json
keysArray of objects(JSONWebKey)

The value of the "keys" parameter is an array of JWK values. By default, the order of the JWK values within the array does not imply an order of preference among them, although applications of JWK Sets can choose to assign a meaning to the order for their purposes, if desired.

Response
application/json
{
  "keys": [
    {}
  ]
}

OpenID Connect Discovery

Request

The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html .

Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others. For a full list of clients go here: https://openid.net/developers/certified/

curl -i -X GET \
  https://auth.unstoppabledomains.com/.well-known/openid-configuration

Responses

wellKnown

Bodyapplication/json
authorization_endpointstringrequired

URL of the OP's OAuth 2.0 Authorization Endpoint.

Example: "https://playground.ory.sh/ory-hydra/public/oauth2/auth"
backchannel_logout_session_supportedboolean

Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP

backchannel_logout_supportedboolean

Boolean value specifying whether the OP supports back-channel logout, with true indicating support.

claims_parameter_supportedboolean

Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.

claims_supportedArray of strings

JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.

code_challenge_methods_supportedArray of strings

JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported by this authorization server.

end_session_endpointstring

URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.

frontchannel_logout_session_supportedboolean

Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also included in ID Tokens issued by the OP.

frontchannel_logout_supportedboolean

Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support.

grant_types_supportedArray of strings

JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.

id_token_signing_alg_values_supportedArray of stringsrequired

JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.

issuerstringrequired

URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier. If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.

Example: "https://playground.ory.sh/ory-hydra/public/"
jwks_uristringrequired

URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.

Example: "https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json"
registration_endpointstring

URL of the OP's Dynamic Client Registration Endpoint.

Example: "https://playground.ory.sh/ory-hydra/admin/client"
request_object_signing_alg_values_supportedArray of strings

JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter).

request_parameter_supportedboolean

Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.

request_uri_parameter_supportedboolean

Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.

require_request_uri_registrationboolean

Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter.

response_modes_supportedArray of strings

JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.

response_types_supportedArray of stringsrequired

JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.

revocation_endpointstring

URL of the authorization server's OAuth 2.0 revocation endpoint.

scopes_supportedArray of strings

SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used

subject_types_supportedArray of stringsrequired

JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public.

token_endpointstringrequired

URL of the OP's OAuth 2.0 Token Endpoint

Example: "https://playground.ory.sh/ory-hydra/public/oauth2/token"
token_endpoint_auth_methods_supportedArray of strings

JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0

userinfo_endpointstring

URL of the OP's UserInfo Endpoint.

userinfo_signing_alg_values_supportedArray of strings

JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].

Response
application/json
{
  "authorization_endpoint": "https://playground.ory.sh/ory-hydra/public/oauth2/auth",
  "backchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "claims_parameter_supported": true,
  "claims_supported": [
    "string"
  ],
  "code_challenge_methods_supported": [
    "string"
  ],
  "end_session_endpoint": "string",
  "frontchannel_logout_session_supported": true,
  "frontchannel_logout_supported": true,
  "grant_types_supported": [
    "string"
  ],
  "id_token_signing_alg_values_supported": [
    "string"
  ],
  "issuer": "https://playground.ory.sh/ory-hydra/public/",
  "jwks_uri": "https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json",
  "registration_endpoint": "https://playground.ory.sh/ory-hydra/admin/client",
  "request_object_signing_alg_values_supported": [
    "string"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "string"
  ],
  "response_types_supported": [
    "string"
  ],
  "revocation_endpoint": "string",
  "scopes_supported": [
    "string"
  ],
  "subject_types_supported": [
    "string"
  ],
  "token_endpoint": "https://playground.ory.sh/ory-hydra/public/oauth2/token",
  "token_endpoint_auth_methods_supported": [
    "string"
  ],
  "userinfo_endpoint": "string",
  "userinfo_signing_alg_values_supported": [
    "string"
  ]
}

OpenID Connect Userinfo

Request

This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 Access Token.

For more information please refer to the spec.

In the case of authentication error, a WWW-Authenticate header might be set in the response with more information about the error. See the spec for more details about header format.

Security
oauth2
curl -i -X GET \
  https://auth.unstoppabledomains.com/userinfo \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

userinfoResponse

Bodyapplication/json
birthdatestring

End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.

emailstring

End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.

email_verifiedboolean

True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.

family_namestring

Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.

genderstring

End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.

given_namestring

Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.

localestring

End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.

middle_namestring

Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.

namestring

End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.

nicknamestring

Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.

phone_numberstring

End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.

phone_number_verifiedboolean

True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.

picturestring

URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.

preferred_usernamestring

Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.

profilestring

URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.

substring

Subject - Identifier for the End-User at the IssuerURL.

updated_atinteger(int64)

Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

websitestring

URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.

zoneinfostring

String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.

Response
application/json
{
  "birthdate": "string",
  "email": "string",
  "email_verified": true,
  "family_name": "string",
  "gender": "string",
  "given_name": "string",
  "locale": "string",
  "middle_name": "string",
  "name": "string",
  "nickname": "string",
  "phone_number": "string",
  "phone_number_verified": true,
  "picture": "string",
  "preferred_username": "string",
  "profile": "string",
  "sub": "string",
  "updated_at": 0,
  "website": "string",
  "zoneinfo": "string"
}

metadata

Operations