Token Endpoint

This is an IndieAuth Token Endpoint that you can use to jump-start the development of your Micropub endpoint.

Use it on your site

No registration is required to begin using this endpoint.

On your home page, add a link tag pointing to the token endpoint.

<link rel="token_endpoint" href="https://tokens.indieauth.com/token">

Micropub clients will be able to obtain an access token from this endpoint after you have granted authorization. The Micropub client will then use this access token when making requests to your Micropub endpoint.

Verify Access Tokens

When your Micropub endpoint gets a request containing an access token, you can verify the access token and return info about the token by asking the token endpoint.

Your Micropub endpoint will get a request like the following:

POST https://example.com/micropub
Authorization: Bearer xxxxxxxx

h=entry&
content=Hello World!

Your Micropub endpoint can query the token endpoint to verify the access token given. To verify the access token, make a GET request to the token endpoint with the access token in the header:

GET https://tokens.indieauth.com/token
Accept: application/json
Authorization: Bearer xxxxxxxx

The token endpoint will verify the token and the response will include information about the user and scope of the token.

The scope value will be a space-separated list of strings representing all the scopes that were granted. It may also be blank or contain just one value.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "me": "https://aaronparecki.com/",
  "client_id": "https://ownyourgram.com",
  "scope": "post",
  "issued_at": 1399155608,
  "nonce": 501884823
}

Your Micropub endpoint can inspect the values and use them to determine whether to proceed with processing the request. For example, for a Micropub endpoint for posting notes to your own site, you would likely only accept requests where the "me" value is your own site.

Using with IndieAuth.com

It is likely that you will use this token endpoint in conjunction with the IndieAuth.com authorization endpoint. By doing so, you can focus on building your Micropub endpoint, and you can swap out the token endpoint or authorization server later.

To delegate the authorization and token endpoints to indieauth.com, use the following link tags on your site:

<link rel="authorization_endpoint" href="https://indieauth.com/auth">
<link rel="token_endpoint" href="https://tokens.indieauth.com/token">

Testing

To test your Micropub endpoint, you will need to find a Micropub client that you can try to sign in to.

OwnYourGram.com is a great resource for testing, as it includes documentation and debugging information throughout each step of the login process.

More Info

© 2024 by Aaron Parecki. This code is open source. Feel free to send a pull request, or file an issue.