OAuth Discovery
The OAuth discovery endpoints provide machine-readable metadata about the Snapbooks authorization server and protected resources. These follow the well-known URI convention defined in RFC 5785 and are used by OAuth clients to automatically configure themselves.
These endpoints are public, require no authentication, and are located at the domain root (not under /v2).
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /.well-known/oauth-authorization-server | Authorization server metadata (RFC 8414) |
| GET | /.well-known/oauth-protected-resource | Protected resource metadata (RFC 9728) |
Authorization Server Metadata
GET /.well-known/oauth-authorization-server
Returns metadata about the Snapbooks OAuth 2.0 authorization server per RFC 8414. Clients use this endpoint to discover available grant types, supported scopes, and the locations of authorization, token, and registration endpoints.
Response
```json
{
  "issuer": "https://snapbooks.no",
  "authorization_endpoint": "https://api.snapbooks.no/v2/oauth/authorize",
  "token_endpoint": "https://api.snapbooks.no/v2/oauth/token",
  "registration_endpoint": "https://api.snapbooks.no/v2/oauth/register",
  "revocation_endpoint": "https://api.snapbooks.no/v2/oauth/revoke",
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token"
  ],
  "response_types_supported": ["code"],
  "response_modes_supported": ["query"],
  "scopes_supported": [
    "read:profile",
    "write:profile",
    "read:accounting",
    "write:accounting"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "code_challenge_methods_supported": ["plain", "S256"],
  "resource_indicators_supported": true,
  "service_documentation": "https://developer.snapbooks.no/authentication"
}
```
Response Fields
| Field | Type | Description |
|---|---|---|
| issuer | string | Authorization server issuer identifier |
| authorization_endpoint | string | URL of the authorization endpoint |
| token_endpoint | string | URL of the token endpoint |
| registration_endpoint | string | URL of the dynamic client registration endpoint (RFC 7591) |
| revocation_endpoint | string | URL of the token revocation endpoint |
| grant_types_supported | array | Supported OAuth grant types |
| response_types_supported | array | Supported response types. Only the code response type is supported |
| response_modes_supported | array | Supported response modes |
| scopes_supported | array | Available OAuth scopes |
| token_endpoint_auth_methods_supported | array | Supported client authentication methods at the token endpoint |
| code_challenge_methods_supported | array | Supported PKCE code challenge methods |
| resource_indicators_supported | boolean | Whether RFC 8707 resource indicators are supported |
| service_documentation | string | URL to human-readable documentation |
Protected Resource Metadata
GET /.well-known/oauth-protected-resource
Returns metadata about the Snapbooks protected resource (MCP server) per RFC 9728. Clients use this endpoint to discover which authorization server protects a given resource.
Response
```json
{
  "resource": "https://api.snapbooks.no/mcp",
  "authorization_servers": ["https://api.snapbooks.no"],
  "bearer_methods_supported": ["header"],
  "resource_documentation": "https://developer.snapbooks.no/mcp"
}
```
Response Fields
| Field | Type | Description |
|---|---|---|
| resource | string | The protected resource identifier (MCP endpoint URL) |
| authorization_servers | array | Authorization servers that can issue tokens for this resource |
| bearer_methods_supported | array | Supported methods for presenting bearer tokens. header means the Authorization: Bearer header |
| resource_documentation | string | URL to human-readable resource documentation |
Usage
OAuth clients can use these endpoints for automatic configuration. For example, an MCP client connecting to the Snapbooks API can:
1. Fetch /.well-known/oauth-protected-resource to discover which authorization server to use.
2. Fetch /.well-known/oauth-authorization-server to discover the authorization, token, and registration endpoints.
3. Register a client via the registration_endpoint.
4. Complete an authorization code flow using the discovered endpoints.
This eliminates the need to hard-code endpoint URLs in client applications.
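As an added example (not Snapbooks code), the following Python client walks the discovery steps above against constructed sample documents shaped like the two responses on this page; the hostnames, client_id, and redirect URI in it are placeholders, not Snapbooks values. It builds the well-known URLs the way RFC 8414 and RFC 9728 prescribe, checks that the returned issuer and resource identifiers match what was asked for (the metadata mix-up check both RFCs require), insists on S256 PKCE rather than plain, and adds the RFC 8707 resource parameter when the server advertises resource indicator support. Network fetching is deliberately left out: the parsed JSON documents are passed in.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed sample documents shaped like the two discovery responses on
# this page. Hostnames are placeholders, not Snapbooks values.
SAMPLE_RESOURCE = {
    "resource": "https://rs.example/mcp",
    "authorization_servers": ["https://as.example"],
    "bearer_methods_supported": ["header"],
}
SAMPLE_AS = {
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/v2/oauth/authorize",
    "token_endpoint": "https://as.example/v2/oauth/token",
    "registration_endpoint": "https://as.example/v2/oauth/register",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "response_types_supported": ["code"],
    "scopes_supported": ["read:profile", "read:accounting"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "resource_indicators_supported": True,
}


def well_known_url(identifier: str, suffix: str) -> str:
    """Insert /.well-known/<suffix> between host and path (RFC 8414 s3, RFC 9728 s3)."""
    parts = urlsplit(identifier)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError(f"identifier must be https with no query/fragment: {identifier}")
    path = parts.path.rstrip("/")
    return f"https://{parts.netloc}/.well-known/{suffix}{path}"


def _require_https(name: str, url: str) -> None:
    if urlsplit(url).scheme != "https":
        raise ValueError(f"{name} must be https: {url}")


def parse_resource_metadata(doc: dict, expected_resource: str) -> Tuple[str, List[str]]:
    # RFC 9728 s3.3: the resource value must equal the identifier we fetched for.
    if doc.get("resource") != expected_resource:
        raise ValueError("resource metadata is for a different resource")
    servers = doc.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization_servers listed")
    for server in servers:
        _require_https("authorization server", server)
    return doc["resource"], list(servers)


def parse_as_metadata(doc: dict, expected_issuer: str) -> dict:
    # RFC 8414 s3.3: issuer must equal the identifier used to build the well-known URL.
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch between metadata and discovery URL")
    for key in ("authorization_endpoint", "token_endpoint"):
        if key not in doc:
            raise ValueError(f"missing required field {key}")
        _require_https(key, doc[key])
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("authorization code flow not offered")
    # RFC 8414 default when the field is absent is authorization_code + implicit.
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        raise ValueError("authorization_code grant not offered")
    return doc


def choose_pkce_method(methods: List[str]) -> str:
    # Only S256 is acceptable: 'plain' sends the verifier itself in the front channel.
    if "S256" in methods:
        return "S256"
    raise ValueError("server does not support S256 PKCE")


@dataclass(frozen=True)
class Discovered:
    resource: str
    issuer: str
    authorization_endpoint: str
    token_endpoint: str
    registration_endpoint: Optional[str]
    pkce_method: str
    resource_indicators: bool


def discover(resource_doc: dict, as_doc: dict, resource_id: str) -> Discovered:
    """Steps 1 and 2 of the usage list: resource metadata first, then AS metadata."""
    resource, servers = parse_resource_metadata(resource_doc, resource_id)
    issuer = servers[0]
    meta = parse_as_metadata(as_doc, issuer)
    return Discovered(
        resource=resource,
        issuer=meta["issuer"],
        authorization_endpoint=meta["authorization_endpoint"],
        token_endpoint=meta["token_endpoint"],
        registration_endpoint=meta.get("registration_endpoint"),
        pkce_method=choose_pkce_method(meta.get("code_challenge_methods_supported", [])),
        resource_indicators=bool(meta.get("resource_indicators_supported", False)),
    )


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(64)  # 86 chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorization_url(d: Discovered, client_id: str, redirect_uri: str,
                      scopes: List[str], state: str, challenge: str) -> str:
    """Step 4: build the authorization request from the discovered endpoints."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": d.pkce_method,
    }
    if d.resource_indicators:
        params["resource"] = d.resource  # RFC 8707: bind the issued token to this resource
    return f"{d.authorization_endpoint}?{urlencode(params)}"
```

Step 3 (dynamic registration) is a POST to `registration_endpoint` and is not shown; the value is carried in `Discovered` so the caller can perform it. The issuer check is the part most often skipped in ad-hoc clients, and it is what stops a client from being steered to a token endpoint that the resource's metadata never named.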
Related Resources
- OAuth2 Authentication — complete OAuth2 flow documentation
- OAuth Clients — register and manage OAuth client applications
- OAuth Admin — admin endpoints for listing and revoking tokens