# Well Known

OAuth 2.0 discovery endpoints (JWKS and Authorization Server Metadata)

## /.well-known/jwks.json

> Returns the JSON Web Key Set (JWKS) containing public keys used to verify JWT tokens issued by Archera. This endpoint follows the RFC 7517 standard for JWK and is used by clients to validate JWT signatures. No authentication is required as this endpoint provides public cryptographic keys.

```json
{"openapi":"3.1.0","info":{"title":"Archera.ai API","version":"v1.0.0"},"tags":[{"name":"Well-Known","description":"OAuth 2.0 discovery endpoints (JWKS and Authorization Server Metadata)"}],"paths":{"/.well-known/jwks.json":{"get":{"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/JWKS"}}}},"400":{"description":"Bad request","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"401":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"403":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"404":{"description":"Not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"405":{"description":"Method not allowed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"409":{"description":"Conflict","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"500":{"description":"Failed to load keys"},"default":{"$ref":"#/components/responses/DEFAULT_ERROR"}},"tags":["Well-Known"],"summary":"/.well-known/jwks.json","description":"Returns the JSON Web Key Set (JWKS) containing public keys used to verify JWT tokens issued by Archera. This endpoint follows the RFC 7517 standard for JWK and is used by clients to validate JWT signatures. No authentication is required as this endpoint provides public cryptographic keys."}}},"components":{"schemas":{"JWKS":{"type":"object","properties":{"keys":{"type":"array","description":"Array of JSON Web Keys","items":{"$ref":"#/components/schemas/JWK"}}},"required":["keys"],"additionalProperties":false},"JWK":{"type":"object","properties":{"kty":{"type":"string","description":"Key type (e.g., 'RSA')"},"use":{"type":"string","description":"Public key use (e.g., 'sig' for signature)"},"kid":{"type":"string","description":"Key ID for identifying the key"},"alg":{"type":"string","description":"Algorithm (e.g., 'RS256')"},"n":{"type":"string","description":"RSA modulus (base64url encoded)"},"e":{"type":"string","description":"RSA public exponent (base64url encoded)"}},"required":["alg","e","kid","kty","n","use"],"additionalProperties":false},"ApiErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"detail":{},"code":{"type":["string","null"]},"url":{"type":["string","null"]},"timestamp":{"type":"string"},"type":{"type":"string"}},"required":["message","timestamp","type"]},"Error":{"type":"object","properties":{"code":{"type":"integer","description":"Error code"},"status":{"type":"string","description":"Error name"},"message":{"type":"string","description":"Error message"},"errors":{"type":"object","description":"Errors","additionalProperties":{}}},"additionalProperties":false}},"responses":{"DEFAULT_ERROR":{"description":"Default error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}
```

## /.well-known/oauth-authorization-server

> Returns OAuth 2.0 Authorization Server Metadata as specified in RFC 8414. This endpoint provides automatic discovery of the authorization server's configuration, including supported endpoints, grant types, response types, PKCE methods, and available scopes. OAuth client libraries can use this endpoint to automatically configure themselves without manual endpoint configuration. No authentication is required as this is a public discovery endpoint.

```json
{"openapi":"3.1.0","info":{"title":"Archera.ai API","version":"v1.0.0"},"tags":[{"name":"Well-Known","description":"OAuth 2.0 discovery endpoints (JWKS and Authorization Server Metadata)"}],"paths":{"/.well-known/oauth-authorization-server":{"get":{"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthMetadata"}}}},"400":{"description":"Bad request","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"401":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"403":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"404":{"description":"Not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"405":{"description":"Method not allowed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"409":{"description":"Conflict","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"500":{"description":"Internal server error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApiErrorResponse"}}}},"default":{"$ref":"#/components/responses/DEFAULT_ERROR"}},"tags":["Well-Known"],"summary":"/.well-known/oauth-authorization-server","description":"Returns OAuth 2.0 Authorization Server Metadata as specified in RFC 8414. This endpoint provides automatic discovery of the authorization server's configuration, including supported endpoints, grant types, response types, PKCE methods, and available scopes. OAuth client libraries can use this endpoint to automatically configure themselves without manual endpoint configuration. No authentication is required as this is a public discovery endpoint."}}},"components":{"schemas":{"OAuthMetadata":{"type":"object","properties":{"issuer":{"type":"string","description":"The authorization server's issuer identifier URL"},"authorization_endpoint":{"type":"string","description":"URL of the OAuth 2.0 authorization endpoint"},"token_endpoint":{"type":"string","description":"URL of the OAuth 2.0 token endpoint"},"revocation_endpoint":{"type":"string","description":"URL of the OAuth 2.0 token revocation endpoint (RFC 7009)"},"jwks_uri":{"type":"string","description":"URL of the JSON Web Key Set document"},"response_types_supported":{"type":"array","description":"OAuth 2.0 response_type values supported","items":{"type":"string"}},"grant_types_supported":{"type":"array","description":"OAuth 2.0 grant type values supported","items":{"type":"string"}},"code_challenge_methods_supported":{"type":"array","description":"PKCE code challenge methods supported","items":{"type":"string"}},"token_endpoint_auth_methods_supported":{"type":"array","description":"Client authentication methods supported at token endpoint","items":{"type":"string"}},"scopes_supported":{"type":"array","description":"OAuth 2.0 scope values supported","items":{"type":"string"}},"service_documentation":{"type":"string","description":"URL of service documentation for developers"}},"required":["authorization_endpoint","code_challenge_methods_supported","grant_types_supported","issuer","jwks_uri","response_types_supported","revocation_endpoint","scopes_supported","token_endpoint","token_endpoint_auth_methods_supported"],"additionalProperties":false},"ApiErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"detail":{},"code":{"type":["string","null"]},"url":{"type":["string","null"]},"timestamp":{"type":"string"},"type":{"type":"string"}},"required":["message","timestamp","type"]},"Error":{"type":"object","properties":{"code":{"type":"integer","description":"Error code"},"status":{"type":"string","description":"Error name"},"message":{"type":"string","description":"Error message"},"errors":{"type":"object","description":"Errors","additionalProperties":{}}},"additionalProperties":false}},"responses":{"DEFAULT_ERROR":{"description":"Default error response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}
```