Discovery

The discovery endpoints expose Aero2's OIDC configuration and public keys. These are standard OpenID Connect endpoints that clients use to discover capabilities and verify token signatures.

GET/.well-known/openid-configurationNo Auth

Returns the OpenID Connect discovery document with all supported endpoints, scopes, and capabilities.

Response

{
  "issuer": "https://aero2.dev",
  "authorization_endpoint": "https://aero2.dev/oauth2/authorize",
  "token_endpoint": "https://aero2.dev/oauth2/token",
  "userinfo_endpoint": "https://aero2.dev/oauth2/userinfo",
  "jwks_uri": "https://aero2.dev/oauth2/jwks.json",
  "revocation_endpoint": "https://aero2.dev/oauth2/revoke",
  "response_types_supported": [
    "code"
  ],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ]
}

GET/oauth2/jwks.jsonNo Auth

Returns the public keys used to verify token signatures. Keys are rotated automatically.

Response

{
  "keys": [
    {
      "kty": "RSA",
      "n": "...",
      "e": "AQAB",
      "alg": "RS256",
      "use": "sig",
      "kid": "key-id-here"
    }
  ]
}

GET/oauth2/jwks/:kidNo Auth

Returns a specific public key by its key ID (kid).

Parameter	Type	Description
kid* path	string	The key ID to retrieve

Response

{
  "kty": "RSA",
  "n": "...",
  "e": "AQAB",
  "alg": "RS256",
  "use": "sig",
  "kid": "key-id-here"
}