API Reference
Aero2 exposes a REST API for OIDC operations and administration. All endpoints return JSON unless otherwise noted.
Base URL
https://{app-slug}.yourdomain.com
Each application has its own subdomain. All API requests are scoped to the application determined by the hostname. For example, requests to swift-maple.aero2.dev only see users, clients, and data belonging to that application.
Authentication
Endpoints use one of four authentication levels:
| Level | Description | How to authenticate |
|---|---|---|
| No Auth | Public endpoints | No authentication needed |
| Session | Requires active session | Session cookie (set after login) |
| Bearer | Requires access token | Authorization: Bearer <token> header |
| Admin | Requires admin/operator role | Bearer token from a user with admin or operator role |
Error Format
All errors follow this structure:
{
  "error": "Human-readable error message"
}
Common HTTP status codes:
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 302 | Redirect |
| 400 | Bad request (invalid parameters) |
| 401 | Unauthorized (missing or invalid auth) |
| 403 | Forbidden (insufficient permissions) |
| 404 | Not found |
| 500 | Internal server error |
Pagination
Paginated endpoints accept page and limit query parameters and return a pagination object:
{
  "pagination": {
    "page": 1,
    "limit": 50,
    "total": 100,
    "total_pages": 2
  }
}
Content Type
- Request body: application/x-www-form-urlencoded for OAuth endpoints, application/json for admin API
- Response: Always application/json
Sections
- Discovery — OpenID configuration and JWKS
- Authorization — OAuth2 authorization endpoint
- Token — Token exchange and refresh
- UserInfo — User claims endpoint
- Revocation — Token revocation
- Relying Party — External IdP login flows
- Sessions — Session management
- Users — User management
- Identity Providers — IdP configuration
- OAuth Clients — Client registration
- Roles & Permissions — RBAC management
- Audit — Audit trail
- Health — Health checks