Authentication
Overview
The VX API operates with two distinct authentication planes:
| Plane | Who | Endpoints | Method |
|---|---|---|---|
| RP Authentication | Relying Parties | OIDC/PAR endpoints | OAuth2 client authentication |
| Tenant Management | Tenant operators | Onboarding/management endpoints | JWT Bearer token |
Relying Party Authentication
RPs authenticate using standard OAuth2 client authentication at the PAR endpoint. Bearer tokens are not used.
Endpoint
POST /oidc/as/par
Content-Type: application/x-www-form-urlencoded
Supported Methods
Exactly one of the following methods must be used per request.
1. client_secret_basic
The client_id and client_secret, joined with a colon and base64-encoded, are passed in the Authorization header.
Authorization: Basic base64(client_id:client_secret)
Example:
POST /oidc/as/par HTTP/1.1
Authorization: Basic bXlfY2xpZW50OnNlY3JldA==
Content-Type: application/x-www-form-urlencoded
response_type=code&scope=openid&redirect_uri=https://rp.example.com/cb&...
2. client_secret_post
Credentials are passed as form parameters in the request body.
POST /oidc/as/par HTTP/1.1
Content-Type: application/x-www-form-urlencoded
client_id=my_client&client_secret=secret&response_type=code&scope=openid&...
3. private_key_jwt
The RP signs a JWT with its private EC key and sends it as a client assertion. No shared secret is required.
Form parameters:
| Parameter | Value |
|---|---|
| client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| client_assertion | Signed JWT (see below) |
| client_id | The RP's client identifier |
JWT claims:
| Claim | Description |
|---|---|
| sub | Must equal client_id |
| iss | Must equal client_id |
| aud | Must be the server issuer URL, the token endpoint (/oidc/token), or the PAR endpoint (/oidc/as/par) |
| jti | Unique token identifier (one-time use; a repeated jti is rejected as a replay) |
| iat | Issued-at time (Unix seconds) |
| exp | Expiration time (Unix seconds); the assertion is rejected once this has passed |
Supported algorithms:
| Algorithm | Curve |
|---|---|
| ES256 | P-256 |
| ES384 | P-384 |
| ES512 | P-521 |
The public key must be registered during RP onboarding (RequestObjectJwk field).
Example:
POST /oidc/as/par HTTP/1.1
Content-Type: application/x-www-form-urlencoded
client_id=my_client
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...
&response_type=code
&scope=openid
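The example below is added here to show the two halves of private_key_jwt end to end; it is not code from the VX project or its SDKs, only Go standard-library code written for this page. The RP side builds the ES256 client assertion with the claims from the table (header `{"alg":"ES256","typ":"JWT"}`, signature encoded as raw r||s as JWS requires, not ASN.1 DER), and the server side shows the checks a verifier should apply before trusting it: pin the algorithm to ES256 rather than reading it from the token, verify the signature with the key registered at onboarding, then enforce sub == iss == client_id, an accepted aud, an unexpired exp, and a never-before-seen jti. Assumptions: `https://vx.example` is a placeholder issuer URL, the accepted audiences are passed in as a set, `seenJTI` is a hypothetical in-memory replay cache, aud is handled as a single string, and `NewRPKey` generates a throwaway P-256 key in place of the RP's real registered key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// AssertionClaims are the claims the page lists for a private_key_jwt client assertion.
type AssertionClaims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewRPKey generates a throwaway P-256 key pair standing in for the key the RP registered at onboarding.
func NewRPKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignES256Assertion produces a compact JWS (alg ES256, typ JWT) over the claims with the RP's P-256 key.
func SignES256Assertion(priv *ecdsa.PrivateKey, claims AssertionClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS carries an ECDSA signature as r||s, each left-padded to 32 bytes for P-256 (not ASN.1 DER).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyES256Assertion is the server-side check: pin alg to ES256, verify the signature against the
// registered key, then apply the claim rules from the table (sub == iss == client_id, aud accepted,
// exp not passed, jti never seen). seenJTI is a hypothetical replay cache keyed by jti.
func VerifyES256Assertion(token string, pub *ecdsa.PublicKey, clientID string, acceptedAud map[string]bool, now time.Time, seenJTI map[string]bool) (*AssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hdrBytes, errH := base64.RawURLEncoding.DecodeString(parts[0])
	bodyBytes, errB := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("bad JWS segment encoding")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) // never let the token header pick the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	var c AssertionClaims
	if err := json.Unmarshal(bodyBytes, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Sub != clientID || c.Iss != clientID:
		return nil, errors.New("sub and iss must equal client_id")
	case !acceptedAud[c.Aud]:
		return nil, fmt.Errorf("aud %q not accepted", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("assertion expired")
	case c.Jti == "" || seenJTI[c.Jti]:
		return nil, errors.New("jti missing or already used (replay)")
	}
	seenJTI[c.Jti] = true
	return &c, nil
}

func main() {
	priv, _ := NewRPKey()
	now := time.Now()
	// https://vx.example is a placeholder issuer; the real value comes from /.well-known/openid-configuration.
	aud := "https://vx.example/oidc/as/par"
	claims := AssertionClaims{Sub: "my_client", Iss: "my_client", Aud: aud, Jti: "jti-demo-1", Iat: now.Unix(), Exp: now.Add(time.Minute).Unix()}
	tok, _ := SignES256Assertion(priv, claims)
	_, err := VerifyES256Assertion(tok, &priv.PublicKey, "my_client", map[string]bool{aud: true}, now, map[string]bool{})
	fmt.Println("client_assertion:", tok, "\nverified:", err == nil)
}
```

The value printed as client_assertion is what goes into the `client_assertion` form parameter of the request above. On the server side, the order of the checks matters: the signature is verified with the registered key before any claim is read, so a forged or tampered payload never reaches the claim logic, and the jti is only recorded after every other check has passed, so a rejected assertion cannot poison the replay cache.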
Public Endpoints
The following endpoints require no authentication:
| Endpoint | Description |
|---|---|
| GET /.well-known/openid-configuration | OIDC discovery metadata |
| GET /.well-known/jwks.json | Server public keys |