Scrydon as an Identity Provider
Use Scrydon as an OAuth 2.1 / OIDC identity provider for your own applications — sign users in with their Scrydon account and call Scrydon APIs on their behalf.
Scrydon is a full OAuth 2.1 / OpenID Connect identity provider. Any application you build — internal tools, customer-facing SaaS, AI copilots, mobile apps — can use Scrydon to sign users in and obtain scoped access tokens for Scrydon APIs (chat, workflows, storage, knowledge).
The IdP is exposed on the Identity tab of Settings → Platform → Identity. That page shows the exact endpoint URLs for your tenant.
Always copy the endpoint URLs from the Identity tab in the UI. The hostname is tenant-specific — every deployment declares its own public auth URL (PUBLIC_AUTH_URL), and the UI renders exactly that value. Typing hostnames by hand (auth.<tenant>.scrydon.com, api-platform.<tenant>...) will often hit the wrong host and return 404.
Endpoints
Scrydon implements the standard OIDC / OAuth 2.1 surface. All endpoints live under /api/auth/ on the auth host.
| Purpose | Path |
|---|---|
| OIDC Discovery | /api/auth/.well-known/openid-configuration |
| JWKS (public signing keys) | /api/auth/.well-known/jwks |
| Authorization | /api/auth/oauth2/authorize |
| Token exchange | /api/auth/oauth2/token |
| Userinfo | /api/auth/oauth2/userinfo |
| Token introspection (RFC 7662) | /api/auth/oauth2/introspect |
| Token revocation (RFC 7009) | /api/auth/oauth2/revoke |
| Dynamic client registration (RFC 7591) | /api/auth/oauth2/register |
Most RP (relying-party) libraries only need the Discovery URL — they fetch everything else from the discovery document.
Supported flows
Scrydon supports the full OAuth 2.1 / OIDC feature set required for enterprise applications:
- Authorization Code + PKCE — recommended for all interactive apps (web, SPA, mobile, CLI).
- Client Credentials — for backend-to-backend automation where no user is present.
- Refresh tokens — long-lived offline access, rotation enforced.
- ID tokens — signed JWTs carrying user identity; decode with the JWKS.
- Custom claims — Scrydon injects tenant / workspace / environment context into ID tokens for the apps you register.
Register an OAuth client (Mini App)
Every application that wants to use Scrydon as an IdP needs a client ID. You create one from the UI — Scrydon calls these Mini Apps:
Open Registered Apps
Navigate to Settings → Organization → Registered Apps and click
Register Mini App.
Fill in the form
- App Name — any human-readable label.
- Workspace — the Scrydon workspace your app operates in. Every environment of that workspace gets its own client ID so you can issue separate credentials for dev / staging / prod.
- Redirect URI — the URL your app receives the authorization code at. Defaults to `http://localhost:3000/callback` for local development.
- Allowed Scopes — pick what your app is allowed to request. Valid values: `chat`, `workflows`, `storage`, `knowledge`. You can always request `openid`, `profile`, `email` in addition.
Copy the client IDs
After registration you'll see a client ID per environment. Store these like any other OAuth client credential. The plugin issues per-environment IDs so a leak in staging can't be replayed against production.
Scrydon uses PKCE for all public clients — you do not need (or receive) a client secret for SPAs, mobile apps, or CLIs. Backend apps that can keep a secret can use the client credentials grant; contact support to enable it on your tenant.
Where to go next
Test your setup with oidcdebugger.com
Five-minute smoke test that walks an end-to-end authorization code + PKCE exchange without writing a single line of code.
Flagship demo — sign in + call the Chat API
Build a tiny React app that signs users in with Scrydon and calls a chat deployment using the resulting access token.