Public key and discovery endpoints used by any RP that needs to validate Descope-issued session JWTs without calling the API. Includes the project JWKS endpoints (`/v1/keys`, `/v2/keys`), OIDC discovery (`/.well-known/oauth-authorization-server`, `/{projectId}/.well-known/...`), and project configuration metadata. These are unauthenticated and cache-friendly.
openapi: 3.0.3
info:
title: Descope API
description: Descope API
contact:
name: Descope
url: https://descope.com
email: [email protected]
version: 0.0.1
servers:
- url: https://api.descope.com
description: Descope Production
- url: '{customUrl}'
description: Custom server URL
variables:
customUrl:
default: https://api.descope.com
description: Your Descope API base URL
paths:
/oauth2/v1/apps/agentic/{project_id}/{mcp_server_id}/authorize:
get:
tags: []
description: Third Party application authorization GET endpoint by MCP server ID
operationId: ThirdPartyApplicationAuthorizeGetByMcpServerID
parameters:
- name: project_id
in: path
required: true
schema:
type: string
- name: mcp_server_id
in: path
required: true
schema:
type: string
- name: response_type
in: query
description: >-
RFC 9101 §6.3: when a JAR `request` parameter is present,
response_type and
redirect_uri may be omitted from the outer query and carried inside the JWT.
The controller validates the resolved values after JAR processing.
schema:
type: string
- name: scope
in: query
schema:
type: string
- name: client_id
in: query
schema:
type: string
- name: state
in: query
schema:
type: string
- name: redirect_uri
in: query
schema:
type: string
- name: code_challenge_method
in: query
description: PKCE
schema:
type: string
- name: code_challenge
in: query
schema:
type: string
- name: nonce
in: query
schema:
type: string
- name: loginHint
in: query
schema:
type: string
- name: prompt
in: query
schema:
type: string
- name: flow
in: query
schema:
type: string
- name: flow_token
in: query
schema:
type: string
- name: resource
in: query
description: RFC 8707 - OAuth 2.0 Resource Indicators
schema:
type: array
items:
type: string
- name: tenant
in: query
schema:
type: string
- name: style
in: query
schema:
type: string
- name: dpop_jkt
in: query
schema:
type: string
- name: request
in: query
schema:
type: string
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application authorization GET endpoint by MCP server ID
keywords: api, third party apps
post:
tags: []
description: Third Party application authorization POST endpoint by MCP server ID
operationId: ThirdPartyApplicationAuthorizePOSTByMcpServerID
parameters:
- name: project_id
in: path
required: true
schema:
type: string
- name: mcp_server_id
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ThirdPartyApplicationAuthZEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application authorization POST endpoint by MCP server ID
keywords: api, third party apps
/oauth2/v1/apps/agentic/{project_id}/{mcp_server_id}/token:
post:
tags: []
description: Third Party application token endpoint by MCP server ID
operationId: ThirdPartyApplicationTokenEndpointByMcpServerID
parameters:
- name: project_id
in: path
required: true
schema:
type: string
- name: mcp_server_id
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ThirdPartyApplicationTokenEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCTokenEndpointResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application token endpoint by MCP server ID
keywords: api, third party apps
/oauth2/v1/apps/authorize:
get:
tags: []
description: Third Party application authorization GET endpoint
operationId: ThirdPartyApplicationAuthorizeGet
parameters:
- name: response_type
in: query
description: >-
RFC 9101 §6.3: when a JAR `request` parameter is present,
response_type and
redirect_uri may be omitted from the outer query and carried inside the JWT.
The controller validates the resolved values after JAR processing.
schema:
type: string
- name: scope
in: query
schema:
type: string
- name: client_id
in: query
schema:
type: string
- name: state
in: query
schema:
type: string
- name: redirect_uri
in: query
schema:
type: string
- name: code_challenge_method
in: query
description: PKCE
schema:
type: string
- name: code_challenge
in: query
schema:
type: string
- name: nonce
in: query
schema:
type: string
- name: loginHint
in: query
schema:
type: string
- name: prompt
in: query
schema:
type: string
- name: flow
in: query
schema:
type: string
- name: flow_token
in: query
schema:
type: string
- name: resource
in: query
description: RFC 8707 - OAuth 2.0 Resource Indicators
schema:
type: array
items:
type: string
- name: project_id
in: query
schema:
type: string
- name: tenant
in: query
schema:
type: string
- name: mcp_server_id
in: query
schema:
type: string
- name: style
in: query
schema:
type: string
- name: dpop_jkt
in: query
schema:
type: string
- name: request
in: query
schema:
type: string
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
title: Get Authorization
summary: Get Authorization Endpoint
x-meta:
title: Get Authorization Endpoint | Third Party Apps
description: Third Party application authorization GET endpoint
keywords: api, third party apps
post:
tags: []
description: Third Party application authorization POST endpoint
operationId: ThirdPartyApplicationAuthorize
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ThirdPartyApplicationAuthZEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
title: Post Authorization
summary: Post Authorization Endpoint
x-meta:
title: Post Authorization Endpoint | Third Party Apps
description: Third Party application authorization POST endpoint
keywords: api, third party apps
/oauth2/v1/apps/bc-authorize:
post:
tags: []
description: Third Party application CIBA backchannel authentication endpoint
operationId: ThirdPartyApplicationCIBAEndpoint
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/CIBAAuthRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/CIBAAuthResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application CIBA backchannel authentication endpoint
keywords: api, third party apps
/oauth2/v1/apps/device:
post:
tags: []
description: Third Party application device endpoint
operationId: ThirdPartyApplicationDeviceEndpoint
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCDeviceEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCDeviceEndpointResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application device endpoint
keywords: api, third party apps
/oauth2/v1/apps/finish-authorize:
post:
tags: []
description: Third Party application authorization finish endpoint
operationId: ThirdPartyApplicationFinish
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ThirdPartyApplicationFinishEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
title: Finish Authorization
summary: Finish Authorization Endpoint
x-meta:
title: Finish Authorization Endpoint | Third Party Apps
description: Third Party application authorization finish endpoint
keywords: api, third party apps
/oauth2/v1/apps/revoke:
post:
tags: []
description: OIDC revoke endpoint
operationId: ThirdPartyApplicationRevocationEndpoint
requestBody:
content:
application/json:
schema:
$ref: >-
#/components/schemas/ThirdPartyApplicationRevocationEndpointRequest
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
title: OIDC revoke endpoint
summary: OIDC revoke endpoint
x-meta:
title: OIDC revoke endpoint | Third Party Apps
description: OIDC revoke endpoint
keywords: api, third party apps
/oauth2/v1/apps/token:
post:
tags: []
description: Third Party application token endpoint
operationId: ThirdPartyApplicationTokenEndpoint
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ThirdPartyApplicationTokenEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCTokenEndpointResponse'
x-publishYaml: thirdPartyApps
security: []
title: Third Party application token endpoint
summary: Third Party application token endpoint
x-meta:
title: Third Party application token endpoint | Third Party Apps
description: Third Party application token endpoint
keywords: api, third party apps
/oauth2/v1/apps/userinfo:
get:
tags: []
description: Third Party application Get UserInfo endpoint
operationId: ThirdPartyApplicationUserInfoEndpointGet
parameters:
- name: project_id
in: query
description: Can be empty as data arrived on the Authorization header token
schema:
type: string
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: >-
#/components/schemas/ThirdPartyApplicationUserInfoEndpointResponse
x-publishYaml: thirdPartyApps
security: []
title: Get UserInfo
summary: Third Party application Get UserInfo endpoint
x-meta:
title: Third Party application Get UserInfo endpoint | Third Party Apps
description: Third Party application Get UserInfo endpoint
keywords: api, third party apps
post:
tags: []
description: Third Party application Post UserInfo endpoint
operationId: ThirdPartyApplicationUserInfoEndpointPost
requestBody:
content:
application/json:
schema:
$ref: >-
#/components/schemas/ThirdPartyApplicationUserInfoEndpointRequest
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: >-
#/components/schemas/ThirdPartyApplicationUserInfoEndpointResponse
x-publishYaml: thirdPartyApps
security: []
title: Post UserInfo
summary: Third Party application Post UserInfo endpoint
x-meta:
title: Third Party application Post UserInfo endpoint | Third Party Apps
description: Third Party application Post UserInfo endpoint
keywords: api, third party apps
/oauth2/v1/apps/{project_id}/authorize:
get:
tags: []
description: Third Party application authorization GET endpoint
operationId: ThirdPartyApplicationAuthorizeGetByProjectID
parameters:
- name: project_id
in: path
required: true
schema:
type: string
- name: response_type
in: query
description: >-
RFC 9101 §6.3: when a JAR `request` parameter is present,
response_type and
redirect_uri may be omitted from the outer query and carried inside the JWT.
The controller validates the resolved values after JAR processing.
schema:
type: string
- name: scope
in: query
schema:
type: string
- name: client_id
in: query
schema:
type: string
- name: state
in: query
schema:
type: string
- name: redirect_uri
in: query
schema:
type: string
- name: code_challenge_method
in: query
description: PKCE
schema:
type: string
- name: code_challenge
in: query
schema:
type: string
- name: nonce
in: query
schema:
type: string
- name: loginHint
in: query
schema:
type: string
- name: prompt
in: query
schema:
type: string
- name: flow
in: query
schema:
type: string
- name: flow_token
in: query
schema:
type: string
- name: resource
in: query
description: RFC 8707 - OAuth 2.0 Resource Indicators
schema:
type: array
items:
type: string
- name: tenant
in: query
schema:
type: string
- name: mcp_server_id
in: query
schema:
type: string
- name: style
in: query
schema:
type: string
- name: dpop_jkt
in: query
schema:
type: string
- name: request
in: query
schema:
type: string
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application authorization GET endpoint
keywords: api, third party apps
post:
tags: []
description: Third Party application authorization POST endpoint
operationId: ThirdPartyApplicationAuthorizePostByProjectID
parameters:
- name: project_id
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ThirdPartyApplicationAuthZEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application authorization POST endpoint
keywords: api, third party apps
/oauth2/v1/apps/{project_id}/bc-authorize:
post:
tags: []
description: Third Party application CIBA backchannel authentication endpoint
operationId: ThirdPartyApplicationCIBAEndpoint
parameters:
- name: project_id
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/CIBAAuthRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/CIBAAuthResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application CIBA backchannel authentication endpoint
keywords: api, third party apps
/oauth2/v1/apps/{project_id}/device:
post:
tags: []
description: Third Party application device endpoint
operationId: ThirdPartyApplicationDeviceEndpoint
parameters:
- name: project_id
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCDeviceEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCDeviceEndpointResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application device endpoint
keywords: api, third party apps
/oauth2/v1/apps/{project_id}/revoke:
post:
tags: []
description: Third Party application revoke endpoint by project ID
operationId: ThirdPartyApplicationRevocationEndpointByProjectID
parameters:
- name: project_id
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: >-
#/components/schemas/ThirdPartyApplicationRevocationEndpointRequest
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application revoke endpoint by project ID
keywords: api, third party apps
/oauth2/v1/apps/{project_id}/token:
post:
tags: []
description: Third Party application token endpoint by project ID
operationId: ThirdPartyApplicationTokenEndpointByProjectID
parameters:
- name: project_id
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ThirdPartyApplicationTokenEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCTokenEndpointResponse'
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application token endpoint by project ID
keywords: api, third party apps
/oauth2/v1/apps/{project_id}/userinfo:
get:
tags: []
description: Third Party application Get UserInfo endpoint by project ID
operationId: ThirdPartyApplicationUserInfoEndpointGetByProjectID
parameters:
- name: project_id
in: path
description: Can be empty as data arrived on the Authorization header token
required: true
schema:
type: string
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: >-
#/components/schemas/ThirdPartyApplicationUserInfoEndpointResponse
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application Get UserInfo endpoint by project ID
keywords: api, third party apps
post:
tags: []
description: Third Party application POST UserInfo endpoint by project ID
operationId: ThirdPartyApplicationUserInfoEndpointPostByProjectID
parameters:
- name: project_id
in: path
description: Can be empty as data arrived on the Authorization header token
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: >-
#/components/schemas/ThirdPartyApplicationUserInfoEndpointRequest
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: >-
#/components/schemas/ThirdPartyApplicationUserInfoEndpointResponse
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Third Party application POST UserInfo endpoint by project ID
keywords: api, third party apps
/v1/mgmt/inboundapp/app/{projectId}/register:
post:
tags: []
description: Register Third Party Application according to RFC 7591
operationId: RegisterThirdPartyApplication
parameters:
- name: projectId
in: path
description: Auto fill by proto from the requested URL
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: >-
#/components/schemas/managementv1.RegisterThirdPartyApplicationRequest
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: >-
#/components/schemas/managementv1.RegisterThirdPartyApplicationResponse
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Register Third Party Application according to RFC 7591
keywords: api, third party apps
/v1/mgmt/mcp/client/{projectId}/{mcpServerId}/register:
post:
tags: []
description: Register MCP Server client according to RFC 7591
operationId: RegisterMcpServerClient
parameters:
- name: projectId
in: path
description: Auto fill by proto from the requested URL
required: true
schema:
type: string
- name: mcpServerId
in: path
description: Auto fill by proto from the requested URL (only in agentic hub)
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: >-
#/components/schemas/managementv1.RegisterThirdPartyApplicationRequest
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: >-
#/components/schemas/managementv1.RegisterThirdPartyApplicationResponse
x-publishYaml: thirdPartyApps
security: []
x-meta:
title: undefined | Third Party Apps
description: Register MCP Server client according to RFC 7591
keywords: api, third party apps
/oauth2/v1/authorize:
get:
tags: []
summary: OIDC Authorize
description: OIDC GET authorization endpoint start
operationId: OIDCAuthZEndpointGetStart
parameters:
- name: response_type
in: query
schema:
type: string
- name: scope
in: query
schema:
type: string
- name: client_id
in: query
schema:
type: string
- name: state
in: query
schema:
type: string
- name: redirect_uri
in: query
schema:
type: string
- name: code_challenge_method
in: query
description: PKCE
schema:
type: string
- name: code_challenge
in: query
schema:
type: string
- name: dynamic_val
in: query
schema:
type: string
- name: nonce
in: query
schema:
type: string
- name: ssoAppId
in: query
schema:
type: string
- name: loginHint
in: query
schema:
type: string
- name: prompt
in: query
schema:
type: string
- name: flow
in: query
schema:
type: string
- name: flow_token
in: query
schema:
type: string
- name: tenant
in: query
schema:
type: string
- name: style
in: query
schema:
type: string
- name: dpop_jkt
in: query
schema:
type: string
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: federatedApps
security: []
x-meta:
title: OIDC Authorize | Federated Apps
description: OIDC GET authorization endpoint start
keywords: api, federated apps
post:
tags: []
summary: OIDC Authorize
description: OIDC POST authorization endpoint start
operationId: OIDCAuthZEndpointPostStart
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCAuthZEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: federatedApps
security: []
x-meta:
title: OIDC Authorize | Federated Apps
description: OIDC POST authorization endpoint start
keywords: api, federated apps
/oauth2/v1/authorize/entramfa:
post:
tags: []
summary: OIDC Authorize Entra MFA
description: OIDC Entra MFA authorization endpoint
operationId: OIDCAuthZEndpointEntraMFA
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCAuthZEntraMFAEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: federatedApps
security: []
x-meta:
title: OIDC Authorize Entra MFA | Federated Apps
description: OIDC Entra MFA authorization endpoint
keywords: api, federated apps
/oauth2/v1/device:
post:
tags: []
summary: OIDC Device
description: OIDC device endpoint
operationId: OIDCDeviceEndpoint
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCDeviceEndpointRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCDeviceEndpointResponse'
x-publishYaml: federatedApps
security: []
x-meta:
title: OIDC Device | Federated Apps
description: OIDC device endpoint
keywords: api, federated apps
/oauth2/v1/finish-authorize:
get:
tags: []
summary: OIDC Finish Authorize
description: OIDC POST authorization endpoint finish
operationId: OIDCAuthZEndpointFinishPost
parameters:
- name: state_id
in: query
schema:
type: string
- name: sso_app_id
in: query
schema:
type: string
- name: error_redirect_uri
in: query
schema:
type: string
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/OperationResponse'
x-publishYaml: federatedApps
security: []
x-meta:
title: OIDC Finish Authorize | Federated Apps
description: OIDC POST authorization endpoint finish
keywords: api, federated apps
post:
tags: []
summary: OIDC Finish Authorize
description: OIDC GET authorization endpoint finish
operationId: OIDCAuthZEndpointFinishGet
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OIDCAuthZEndpointFinishRequest'
required: true
responses:
'200':
description: OK
content:
application/json:
# --- truncated at 32 KB (807 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/descope/refs/heads/main/openapi/descope-openapi.yml