API Reference

Complete OAuth2 and REST API endpoint documentation

Base URL

All endpoints are relative to: https://your-thalamus-instance.com

OAuth2 Endpoints

GET /oauth/authorize

OAuth2 authorization endpoint: redirects the user to log in and returns an authorization code to the redirect_uri.

Parameters: response_type, client_id, redirect_uri, scope, state

POST /oauth/token

Exchanges an authorization code, client credentials, or refresh token for access tokens.

Supports grant_type: authorization_code, client_credentials, refresh_token

POST /oauth/introspect

Token introspection (RFC 7662): validates a token and returns its metadata.

Returns: active, scope, client_id, user_id, organization_id, exp, iat

POST /oauth/revoke

Token revocation (RFC 7009): revokes an access or refresh token.

GET /oauth/userinfo

OpenID Connect userinfo endpoint: returns the user's profile information.

Requires: Authorization: Bearer <token>

POST /oauth/agent-token

Generates an agent token for AI agents in the agentic economy.

See the Agent Tokens documentation for details.

Public API Endpoints

GET /api/public/health

Health check endpoint for monitoring and load balancers.

POST /api/public/register

Creates a new user account.

Requires: email, password, full_name, organization_id

POST /api/public/login

User login (returns a JWT).

Authenticated API Endpoints

All endpoints require Authorization: Bearer <token> or Authorization: ApiKey <key>.

POST /api/clients

Creates an OAuth2 client application.

Requires: name, organization_id, client_type, redirect_uris, grant_types, scopes

GET /api/clients

Lists all OAuth2 clients for the organization.

GET /api/users

Lists users in the organization.

GET /api/organizations

Lists organizations.

POST /api/admin/api-keys

Creates an admin API key (super admin only).

Available Scopes

Scope           Description
openid          OpenID Connect authentication
profile         User profile information
email           User email address
offline_access  Request a refresh token
zea:read        Read access to the ZEA platform
zea:write       Write access to the ZEA platform
zea:admin       Administrative access

Error Responses

All API errors return JSON with error and error_description fields.

HTTP Status  Error Code          Description
400          invalid_request     Missing or invalid parameters
401          invalid_client      Client authentication failed
401          invalid_token       Token is invalid or expired
403          insufficient_scope  Token lacks required permissions
400          invalid_grant       Authorization code invalid
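
As an added example (not part of this reference or the Thalamus code base), the Python below sketches the client-side steps for GET /oauth/authorize and POST /oauth/token, with the state check on the callback, and a resource-server decision over a POST /oauth/introspect response that maps failures to the error codes in the table above. The client id, redirect URI and response values are constructed, and treating an organization_id mismatch as 403 insufficient_scope is this example's assumption, since the reference defines no code for it.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://your-thalamus-instance.com"  # placeholder base URL from the reference


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Build the GET /oauth/authorize URL. 'state' is a fresh random value that the
    client stores in the user's session and compares again on the callback."""
    state = state or secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return f"{BASE_URL}/oauth/authorize?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to redirect_uri.
    The state is compared before anything else in the query is trusted."""
    query = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request_body(code, redirect_uri):
    """Form body for POST /oauth/token with grant_type=authorization_code; the client
    authenticates separately (e.g. with its client credentials)."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})


def check_introspection(resp, required_scope, organization_id=None, now=None):
    """Decide from a POST /oauth/introspect JSON response whether a request may proceed.
    Returns (http_status, error_code) from the error table, or (200, None) on success."""
    now = time.time() if now is None else now
    if not resp.get("active"):
        return 401, "invalid_token"          # revoked, unknown or expired token
    if resp.get("exp") is not None and resp["exp"] <= now:
        return 401, "invalid_token"          # check exp locally as well, not only 'active'
    if organization_id is not None and resp.get("organization_id") != organization_id:
        return 403, "insufficient_scope"     # assumption: tenant mismatch is a permission failure
    granted = set(resp.get("scope", "").split())  # scope is a space-delimited string
    if required_scope not in granted:
        return 403, "insufficient_scope"
    return 200, None
```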

Next Steps