{origin}/oauth. Every request carries a JWT as
a Bearer token.
Quick token (server-to-server)
For backend services and scripts, exchange account credentials for a JWT:OAuth 2.0 (third-party apps)
Use the authorization-code + PKCE flow for clients that act on behalf of a user.Discovery
Clients discover the authorization server via standard metadata documents:| Document | Path |
|---|---|
| Authorization server metadata | /.well-known/oauth-authorization-server |
| Protected resource metadata (MCP) | /.well-known/oauth-protected-resource/mcp |
401 with a WWW-Authenticate header, so spec-compliant
MCP clients bootstrap the OAuth flow automatically.
Flow
GET /oauth/authorizewithresponse_type=code,client_id,redirect_uri,code_challenge,code_challenge_method=S256, andstate.- The user authenticates and approves; iZap redirects back with
code. POST /oauth/tokenwithgrant_type=authorization_code,code,redirect_uri, andcode_verifier→ returns anaccess_token(JWT) and arefresh_token.
POST /oauth/register. Refresh an expired
token with grant_type=refresh_token.
Token notes
- The access token is a JWT — treat it as a secret and read it from an environment variable, never hardcode it.
- Tokens expire. Refresh (re-login or the OAuth refresh grant) when a request
returns
401.