OAuth
The ledger supports standard OAuth 2.0 authentication using the Client Credentials Grant. Applications can exchange a client ID and secret for a signed JWT, providing a simple alternative to cryptographic key management for API access.
Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /oauth/token | Exchange OAuth 2.0 client credentials for a signed JWT Bearer token. |
Related
- About Authentication — how the ledger verifies identity
- Keys and Signatures — cryptographic signing as an alternative to OAuth
Create access token POST
Creates an access token by exchanging OAuth 2.0 client credentials, following RFC 6749 Section 4.4 (Client Credentials Grant).

**Authentication:** Provide credentials via HTTP Basic Auth (`Authorization: Basic base64(client_id:client_secret)`) or as `client_id` and `client_secret` form parameters in the request body.

**Response:** Returns a signed JWT (RS256) that can be used as a Bearer token for API access. Use the `kid` header in the JWT to look up the corresponding public key from the provider signer's `key-pair` factor for verification.

**Note:** This endpoint follows the RFC 6749 standard. It accepts `application/x-www-form-urlencoded` bodies, returns an RFC 6749 token response, and uses standard error codes (`invalid_client`, `invalid_request`, etc.).
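The request and the `kid` lookup described above, as an added example that is not the ledger's own code: it builds the Basic-auth token request without sending it, then selects the verification key for a returned JWT while accepting only RS256. Assumptions: the host `ledger.example` is a placeholder, `keys_by_kid` is a hypothetical mapping you build from the signer's `key-pair` factor, and `grant_type=client_credentials` is taken from RFC 6749 Section 4.4.2.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumption: placeholder host; the page only gives the path /oauth/token.
TOKEN_URL = "https://ledger.example/oauth/token"


def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """Build (not send) the client-credentials POST using HTTP Basic auth."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def select_verification_key(token, keys_by_kid):
    """Return the public key for the token's kid, refusing anything but RS256.

    keys_by_kid is a hypothetical mapping built from the signer's key-pair
    factor. This only selects the key; the RS256 signature check itself must
    be done by a JWT library before any claim in the token is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never let the token's header choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in keys_by_kid:
        raise ValueError("unknown kid")
    return keys_by_kid[kid]
```

Pass the selected key and the fixed algorithm `RS256` to your JWT library's verify call; do not read claims from the payload before that call succeeds.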