Documentation
Bring Your Own Auth Server
If you use your own authorization server instead of the playground's, it must support the JWT Bearer grant flow and trust the playground IDP as an issuer.
Requirements
- Expose discovery metadata at `/.well-known/oauth-authorization-server` (RFC 8414) or `/.well-known/openid-configuration`. The playground tries RFC 8414 first and falls back to OIDC discovery. Include at minimum:
  - `token_endpoint`: where the JWT Bearer grant is sent
  - `jwks_uri`: where your public keys are published
- Support the JWT Bearer grant: accept `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`
- Validate the ID-JAG:
  - Check that the `typ` header is `oauth-id-jag+jwt`
  - Verify the signature against the playground IDP's JWKS: https://idp.xaa.dev/jwks
  - Check
- Validate the issuer: the `iss` claim in the ID-JAG must match the playground IDP: https://idp.xaa.dev
- Issue access tokens: return JWTs with the requested scopes, signed with your own keys
Token endpoint request
Your auth server's token endpoint will receive a request like:
Credentials are sent in the POST body (`client_secret_post`). Do not use an `Authorization: Basic` header.
ID-JAG Structure
The assertion parameter contains an ID-JAG (Identity Assertion Authorization Grant), a JWT with these characteristics:
| Field | Value |
|---|---|
| Header `typ` | `oauth-id-jag+jwt` |
| Header `alg` | `RS256` |
| `iss` | https://idp.xaa.dev (playground IDP) |
| `aud` | Your auth server URL |
| `sub` | User's email/identifier |
| `client_id` | Target client ID (the client registered at your auth server) |
| `resource` | Your resource server URL |
| `scope` | Requested scopes |
| `exp` | Expiration (short-lived, ~5 minutes) |
Expected response
Your token endpoint should return:
Minimal auth server examples
Next step
Once your auth server handles the JWT Bearer grant, set up your resource server to validate the access tokens it issues. See REST API Setup or MCP Server Setup, then run the flow via Test Your Resource App.