Qeet Docs
OIDC / OAuth provider

Qeet ID is a full OpenID Connect provider — discovery, JWKS, dynamic client registration, Authorization Code + PKCE, hosted login & consent, ES256 ID tokens, device grant, and M2M.

Qeet ID is a complete OpenID Connect / OAuth 2.0 provider — not just a login box. Your apps (and third parties) can integrate with it the way they'd integrate with any standards-compliant IdP.

Standards, implemented

Discovery, JWKS, dynamic client registration, Authorization Code + PKCE, hosted login & consent, ES256 ID tokens, userinfo, refresh rotation, RFC 7009 revoke, RFC 7662 introspect, RP-initiated logout, and the RFC 8628 Device Authorization Grant are all live. ID tokens are signed with ES256 and verified via the public JWKS.

Discovery & keys

Point any OIDC client at the discovery document; it advertises every endpoint and the JWKS URI.

GET /.well-known/openid-configuration (OIDC discovery)
GET /.well-known/jwks.json (JWKS; verify ID/access tokens)
Bash
curl https://api.qeetid.com/.well-known/openid-configuration

Signing keys

Tokens are signed with ES256 (ECDSA P-256). Each key has an RFC 7638 kid; rotation publishes a new key while retiring the old one over a grace window so in-flight tokens still verify. The platform guards against alg-confusion, and the algorithm is a property of the key (crypto-agility for future PQC signing).
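
What the signing-key rules above mean for a relying party, as an added example that is not Qeet ID code: select the JWKS key by kid, take the algorithm from that key rather than trusting the token header, and verify the ES256 signature. It assumes the kid equals the RFC 7638 thumbprint; the throwaway key pair, sample JWKS, and the sign helper are constructed for the demo.

```javascript
// Added example, not Qeet ID code: relying-party ES256 verification against a JWKS.
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// RFC 7638 thumbprint of an EC key: SHA-256 over the required members only,
// in lexicographic order, serialized without whitespace.
function thumbprint(jwk) {
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
  return crypto.createHash('sha256').update(canonical).digest('base64url');
}

// Verify a compact JWS. The key found by kid decides the algorithm; the
// header's alg must agree with it, so "none" or HS256 tokens are refused.
function verifyIdToken(token, jwks) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(fromB64u(parts[0]).toString());
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  if (jwk.kty !== 'EC' || jwk.crv !== 'P-256' || header.alg !== 'ES256') {
    throw new Error('alg mismatch');
  }
  const key = crypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: 'jwk',
  });
  // JWS carries the raw r||s signature (IEEE P1363), not DER.
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, fromB64u(parts[2]));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(fromB64u(parts[1]).toString());
}

// Constructed sample data: a throwaway P-256 pair stands in for the provider.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const pub = publicKey.export({ format: 'jwk' });
const sampleJwks = { keys: [{ ...pub, kid: thumbprint(pub), use: 'sig', alg: 'ES256' }] };

// Hypothetical helper that signs test tokens with the throwaway private key.
function sign(header, payload) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

const token = sign({ alg: 'ES256', kid: sampleJwks.keys[0].kid }, { sub: 'user-123' });
console.log(verifyIdToken(token, sampleJwks));
```

This covers the signature only; a real client also validates iss, aud, exp and nonce, and refetches the JWKS when it meets an unknown kid so rotated keys are picked up.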

GET /v1/oidc/signing-keys (signing-key status, read-only)

Signing-key rotation is an operational action (config + runbook), not an admin-panel button — the dashboard shows key status read-only. KMS-backed key material is an external dependency (drops into the existing KeyProvider interface).
