Quickstart

You will register an application, start a login, and read the user. This takes a few minutes.

1. Create a developer account

Open the Authly dashboard. Sign up, then open the developer area. Register your application. You receive three values.

| Value | Purpose |
| --- | --- |
| client_id | Public. It names your application in every flow. |
| api_key | Identifies your servers on direct API calls. |
| api_secret | Signs your requests. Authly shows it once. Store it safely. |

2. Add your redirect URI

Open your application settings. Add the URL where Authly returns the user after login. Use https in production. You may use http on localhost during development.

https://yourapp.com/auth/callback

3. Start a login

Send the user to the authorize endpoint. Authly shows the hosted login and consent screen.

GET https://api.authly.example/oauth/authorize
  ?client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/auth/callback
  &response_type=code
  &scope=openid profile email
  &state=RANDOM_STRING

4. Exchange the code

Authly returns the user to your redirect URI with a code. Your server exchanges it for tokens.

curl -X POST https://api.authly.example/oauth/token \
  -d grant_type=authorization_code \
  -d code=THE_CODE \
  -d redirect_uri=https://yourapp.com/auth/callback \
  -d client_id=YOUR_CLIENT_ID \
  -d client_secret=YOUR_API_SECRET

You get back an access_token, a refresh_token, and an id_token.

5. Read the user

Call the userinfo endpoint with the access token.

curl https://api.authly.example/oauth/userinfo \
  -H "Authorization: Bearer ACCESS_TOKEN"

{
  "sub": "1042",
  "name": "Alice Rahman",
  "email": "[email protected]",
  "email_verified": true
}

The sub value is the stable Authly user id. Store it. It stays the same for this user across every application.

Single page apps

A single page app has no place to keep a secret. Use PKCE instead. You generate a code verifier, send its hash as code_challenge, and send the plain verifier at the token step. Read Login with Authly for the full PKCE flow.
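
The login start from step 3 and the callback handling before step 4, combined with the PKCE values described above, as an added example in Python (not Authly's own code). The state check on the callback, the code_challenge_method and code_verifier parameter names (taken from RFC 7636) and the helper names are assumptions; the endpoint and the other parameters are from this page.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.authly.example/oauth/authorize"  # from this page

def new_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = secrets.token_urlsafe(32)  # 43 URL-safe characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_login(client_id, redirect_uri, scope="openid profile email"):
    """Return (authorize_url, pending). Keep pending in the user's session."""
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({  # urlencode escapes the spaces in scope and the URI
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # assumed name, from RFC 7636
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}

def handle_callback(callback_url, pending):
    """Verify state, then return the extra fields for the token request."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time compare on bytes; a mismatch means the callback is not
    # the answer to the login this session started.
    if not hmac.compare_digest(returned.encode(), pending["state"].encode()):
        raise ValueError("state mismatch, discard this callback")
    if "code" not in params:
        raise ValueError("callback carries no code")
    return {"code": params["code"][0],
            "code_verifier": pending["code_verifier"]}  # assumed name, RFC 7636

if __name__ == "__main__":
    url, pending = build_login("YOUR_CLIENT_ID", "https://yourapp.com/auth/callback")
    print(url)
    # Constructed callback URL, standing in for the redirect Authly would send.
    cb = "https://yourapp.com/auth/callback?code=THE_CODE&state=" + pending["state"]
    print(handle_callback(cb, pending))
```

The pending values belong to one login attempt: drop them after the callback is handled so a code or state cannot be replayed against the same session.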