# OIDC Discovery API
> Inspect any OpenID Connect / OAuth 2.0 provider. Pass an issuer (a domain, an issuer URL, or the full discovery URL) and the service fetches the provider's discovery document at /.well-known/openid-configuration, parses every endpoint — authorization, token, userinfo, jwks, registration, end-session, introspection, revocation and device-authorization — together with the supported scopes, response types, grant types, ID-token signing algorithms, PKCE methods and claims, then fetches the JWKS and summarises its signing keys (count, algorithms, key types and key IDs), and reports a validity check with any issues. A second endpoint fetches and summarises any JSON Web Key Set on its own. The request is made server-side and private/internal targets are refused (SSRF-guarded). Built for SSO and OAuth/OIDC integration, identity-provider configuration debugging (Auth0, Okta, Keycloak, Azure AD, Google), security review and monitoring of signing-key rotation. An OIDC discovery / JWKS inspector — distinct from the JWT toolkit (jwt), the security.txt parser (securitytxt) and the HTTP security-header grader (secheaders). No upstream key, no cache.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/oidc-api/..."
```

## Pricing
- **Free** (Free) — 2,240 calls/Mo, 2 req/s
- **Starter** ($7/Mo) — 44,000 calls/Mo, 8 req/s
- **Pro** ($21/Mo) — 228,000 calls/Mo, 20 req/s
- **Mega** ($55/Mo) — 850,000 calls/Mo, 50 req/s

## Endpoints

### OIDC

#### `GET /v1/discover` — Discover an OIDC provider

**Parameters:**
- `issuer` (query, required, string) — Issuer URL, domain or discovery URL. Example: `https://accounts.google.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/oidc-api/v1/discover?issuer=https%3A%2F%2Faccounts.google.com"
```

**Response:**
```json
{
    "data": {
        "jwks": {
            "uri": "https://www.googleapis.com/oauth2/v3/certs",
            "kids": [
                "06c7c47679b808fcedf7391d7b1e3657bca30dbb",
                "7b021671ede90ee5a375c022a523d490181a2c9d"
            ],
            "key_count": 2,
            "key_types": [
                "RSA"
            ],
            "algorithms": [
                "RS256"
            ]
        },
        "valid": true,
        "issuer": "https://accounts.google.com",
        "issues": [],
        "endpoints": {
            "jwks": "https://www.googleapis.com/oauth2/v3/certs",
            "token": "https://oauth2.googleapis.com/token",
            "userinfo": "https://openidconnect.googleapis.com/v1/userinfo",
            "revocation": "https://oauth2.googleapis.com/revoke",
            "authorization": "https://accounts.google.com/o/oauth2/v2/auth",
            "device_authorization": "https://oauth2.googleapis.com/device/code"
        },
        "discovery_url": "https://accounts.google.com/.well-known/openid-configuration",
        "claims_supported": [
            "aud",
            "email",
            "email_verified",
            "exp",
            "family_name",
            "given_name",
            "iat",
            "iss",
            "name",
            "picture",
            "sub"
        ],
        "scopes_supported": [
            "openid",
            "email",
            "profile"
        ],
        "grant_types_supported": [
           
…(truncated, see openapi.json for full schema)
```
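A consumer-side review of a `/v1/discover` response, as an added example that is not oanor's own code. It reads only fields visible in the sample above; the function name `review_discovery`, the constructed `BAD` sample and the assumption that `issues` holds strings belong to this example.

```python
from urllib.parse import urlsplit

# GOOD is trimmed from the sample response above; BAD is constructed.
GOOD = {"data": {
    "valid": True, "issuer": "https://accounts.google.com", "issues": [],
    "endpoints": {"jwks": "https://www.googleapis.com/oauth2/v3/certs",
                  "token": "https://oauth2.googleapis.com/token"},
    "jwks": {"uri": "https://www.googleapis.com/oauth2/v3/certs", "key_count": 2},
}}
BAD = {"data": {
    "valid": False, "issuer": "https://idp.example.test/",
    "issues": ["constructed issue text"],  # assumed to be strings
    "endpoints": {"jwks": "https://idp.example.test/jwks",
                  "token": "http://idp.example.test/token"},
    "jwks": {"uri": "https://idp.example.test/jwks", "key_count": 0},
}}


def review_discovery(resp, expected_issuer):
    """Return findings for one /v1/discover response body."""
    data = resp.get("data", {})
    findings = []
    # OIDC Discovery requires the issuer in the document to be identical
    # to the issuer the client is configured with (no trailing-slash drift).
    if data.get("issuer") != expected_issuer:
        findings.append(f"issuer mismatch: got {data.get('issuer')!r}")
    # Carry over the service's own verdict and issue list.
    if not data.get("valid", False):
        findings.append("service reported valid=false")
    findings += [f"service issue: {i}" for i in data.get("issues", [])]
    # Every advertised endpoint should be an absolute https URL.
    endpoints = data.get("endpoints", {})
    for name, url in sorted(endpoints.items()):
        if url is None:
            continue  # endpoint not offered by this provider
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"endpoint {name} is not https: {url}")
    # The summarised JWKS should be the one the endpoints block advertises.
    jwks = data.get("jwks", {})
    if jwks.get("uri") != endpoints.get("jwks"):
        findings.append("jwks.uri differs from endpoints.jwks")
    if not jwks.get("key_count"):
        findings.append("no signing keys published")
    return findings


if __name__ == "__main__":
    print(review_discovery(BAD, "https://idp.example.test"))
```
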

#### `GET /v1/jwks` — Summarise a JWKS

**Parameters:**
- `url` (query, required, string) — JWKS (jwks_uri) URL. Example: `https://www.googleapis.com/oauth2/v3/certs`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/oidc-api/v1/jwks?url=https%3A%2F%2Fwww.googleapis.com%2Foauth2%2Fv3%2Fcerts"
```

**Response:**
```json
{
    "data": {
        "url": "https://www.googleapis.com/oauth2/v3/certs",
        "keys": [
            {
                "alg": "RS256",
                "crv": null,
                "kid": "06c7c47679b808fcedf7391d7b1e3657bca30dbb",
                "kty": "RSA",
                "use": "sig"
            },
            {
                "alg": "RS256",
                "crv": null,
                "kid": "7b021671ede90ee5a375c022a523d490181a2c9d",
                "kty": "RSA",
                "use": "sig"
            }
        ],
        "kids": [
            "06c7c47679b808fcedf7391d7b1e3657bca30dbb",
            "7b021671ede90ee5a375c022a523d490181a2c9d"
        ],
        "key_count": 2,
        "key_types": [
            "RSA"
        ],
        "algorithms": [
            "RS256"
        ]
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:47.641Z",
        "request_id": "f18b997a-3211-40f0-b091-903cc7bd80df"
    },
    "status": "ok",
    "message": "JWKS retrieved",
    "success": true
}
```
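For the signing-key rotation monitoring this API is pitched at, the following added example (not oanor's own code) diffs two stored `/v1/jwks` responses. `PREVIOUS` reuses the kids from the sample above; `CURRENT`, the `RS256` allow-list and the function names are constructed for illustration.

```python
# Constructed snapshots in the /v1/jwks response shape shown above.
PREVIOUS = {"data": {"keys": [
    {"alg": "RS256", "crv": None, "kty": "RSA", "use": "sig",
     "kid": "06c7c47679b808fcedf7391d7b1e3657bca30dbb"},
    {"alg": "RS256", "crv": None, "kty": "RSA", "use": "sig",
     "kid": "7b021671ede90ee5a375c022a523d490181a2c9d"},
]}}
CURRENT = {"data": {"keys": [
    {"alg": "RS256", "crv": None, "kty": "RSA", "use": "sig",
     "kid": "7b021671ede90ee5a375c022a523d490181a2c9d"},
    {"alg": "ES256", "crv": "P-256", "kty": "EC", "use": "sig",
     "kid": "constructed-kid-0001"},
]}}


def key_index(resp):
    """Map kid -> key summary for one /v1/jwks response body."""
    return {k["kid"]: k for k in resp["data"]["keys"] if k.get("kid")}


def rotation_report(previous, current, allowed_algs=("RS256",)):
    """Diff two snapshots and flag changes a relying party should review."""
    old, new = key_index(previous), key_index(current)
    kept = old.keys() & new.keys()
    report = {"added": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys()),
              "alerts": []}
    # A full swap with no shared kid means tokens signed before the
    # rotation stop verifying as soon as clients refresh the JWKS.
    if old and new and not kept:
        report["alerts"].append("no overlap with previous key set")
    for kid in report["added"]:
        key = new[kid]
        if key.get("alg") not in allowed_algs:
            report["alerts"].append(f"{kid}: alg {key.get('alg')} not in allow-list")
        if key.get("use") != "sig":
            report["alerts"].append(f"{kid}: use is {key.get('use')!r}, expected 'sig'")
    # The same kid reappearing with a different type or algorithm is not
    # a normal rotation and deserves a manual look.
    for kid in sorted(kept):
        before, after = old[kid], new[kid]
        if (before.get("kty"), before.get("alg")) != (after.get("kty"), after.get("alg")):
            report["alerts"].append(f"{kid}: kty/alg changed under the same kid")
    return report


if __name__ == "__main__":
    print(rotation_report(PREVIOUS, CURRENT))
```

The summary shown above carries no key material, so a kid that is reused with a different public key of the same type and algorithm is invisible to this diff; catching that requires comparing the raw JWKS.
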

### Meta

#### `GET /v1/meta` — Discovery path & notes

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/oidc-api/v1/meta"
```

**Response:**
```json
{
    "data": {
        "note": "Inspect any OpenID Connect / OAuth 2.0 provider. /v1/discover?issuer=https://accounts.google.com fetches the provider's discovery document at /.well-known/openid-configuration (pass an issuer, a bare domain, or the full discovery URL), parses every endpoint (authorization, token, userinfo, jwks, registration, end_session, introspection, revocation, device_authorization), the supported scopes, response types, grant types, signing algorithms, PKCE methods and claims, then fetches the JWKS and summarises its signing keys (count, algorithms, key types, key ids) and reports a validity check. /v1/jwks?url=... fetches and summarises any JSON Web Key Set on its own. The request is made server-side; private/internal targets are refused (SSRF-guarded). Ideal for SSO and OAuth/OIDC integration, IdP configuration debugging (Auth0, Okta, Keycloak, Azure AD, Google), security review and monitoring of signing-key rotation. An OIDC discovery/JWKS inspector — distinct from the JWT toolkit (jwt), the security.txt parser (securitytxt) and the HTTP security-header grader (secheaders). No key, no cache.",
        "endpoints": [
            "/v1/discover",
            "/v1/jwks",
            "/v1/meta"
        ],
        "discovery_path": "/.well-known/openid-configuration"
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:47.736Z",
        "request_id": "9afea516-451b-4c86-8ecc-d1a1ed3d152d"
    },
    "status": "ok",
    "message": "Meta retrieved",
 
…(truncated, see openapi.json for full schema)
```


---
Marketplace page: https://www.oanor.com/api/oidc-api
OpenAPI spec: https://www.oanor.com/api/oidc-api/openapi.json
