OAUTH 2.0 · OIDC

OAuth 2.0 / OIDC

ZKey works as a complete login provider for any app that supports standard OAuth 2.0 or OpenID Connect. Plug it into Notion, Slack, a custom dashboard, or a mobile app with no custom code required. Every login flow uses PKCE to protect the authorization code against interception, and a stolen refresh token that is replayed is detected on first reuse and triggers immediate automatic revocation of every session in its family.

PKCE · Refresh rotation · .well-known · UserInfo · Backchannel logout · Introspection
01
Auto-discover
Your app reads ZKey configuration automatically from a standard discovery URL. Zero setup.
02
Redirect to login
The user is sent to ZKey to log in, with a PKCE code_challenge (the SHA-256 hash of a secret the app just generated) attached to the request.
03
User logs in
ZKey handles login via wallet, OTP, or password and returns a short-lived authorization code.
04
Exchange for tokens
Your app trades the code for access and refresh tokens. ZKey confirms the code was yours by checking that the code_verifier you present hashes to the code_challenge from step 02.
05
Rotate on use
Every time a refresh token is used, a new one is issued and the old one is revoked.
06
Instant logout
When a user logs out, every connected app is notified immediately — no redirect loop.

PKCE Authorization Flow

ZKey implements RFC 7636 Proof Key for Code Exchange. The client generates a random code_verifier, derives code_challenge from it with SHA-256 (the S256 method), and includes the challenge in the authorization request. The server stores the challenge alongside the authorization code and, at token exchange, checks that the presented code_verifier hashes to it — preventing authorization code interception attacks even on public clients (SPAs, mobile apps) that cannot keep a client secret.

Refresh Token Rotation

Every refresh token use issues a new refresh token and invalidates the old one. Refresh token reuse is detected and triggers immediate session revocation for the entire family — a stolen refresh token cannot be silently abused. Rotation windows, absolute lifetimes, and grace periods are configurable per application.

Discovery & Standard Endpoints

A fully compliant /.well-known/openid-configuration endpoint lists all supported scopes, grant types, response types, and endpoint URLs per tenant. Standard endpoints: /authorize, /token, /userinfo, /introspect, /revoke, and /logout. Any OIDC-certified library connects without configuration beyond the discovery URL.