REST API Reference

The Descope REST API lets you implement every authentication method, every management function, and more directly in your own application. Endpoints are grouped by feature under the navigation on the left. This page highlights the conventions that apply to all APIs.

OpenAPI Specification

You can download the full OpenAPI file and import it into Postman or any other API client:

Making Requests

  • All requests are sent over HTTPS to Descope's API endpoints
  • Request and response bodies use JSON unless stated otherwise
  • Standard HTTP status codes indicate success or errors

Feel free to copy the curl examples provided under each endpoint section or use the embedded request runner on each endpoint page.

Authentication

Most endpoints require an Authorization header with a bearer token:

  • Sign-up / Sign-in endpoints: use your Project ID as the bearer token (Authorization: Bearer <ProjectID>)
  • User-scoped endpoints: use the format Authorization: Bearer <ProjectID>:<RefreshJWT>
  • Management endpoints: use a Management Key or Access Key as described in the specific endpoint docs

Check the authentication notes above the endpoint you are calling—each page states exactly which credential is required.

Rate Limits

Descope services are rate-limited to maintain stable performance. If you exceed the allowed rate, the response returns HTTP 429 along with a Retry-After header indicating when you can retry. Design your integration to avoid unnecessary retries and to back off when a 429 is received.
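The following Python is an added example, not code from Descope's documentation or SDKs: it builds the bearer header in the two Project ID formats listed under Authentication and honors Retry-After when a request returns HTTP 429. The `send` callable, the `MAX_WAIT` and `MAX_ATTEMPTS` limits, and the exponential fallback used when the header is missing are assumptions of this example.

```python
import email.utils
import time

MAX_WAIT = 60.0    # assumption: longest single wait we accept from the server
MAX_ATTEMPTS = 4   # assumption: total tries before giving up

def bearer_header(project_id, refresh_jwt=None):
    """Authorization header: <ProjectID>, or <ProjectID>:<RefreshJWT> for user scope."""
    token = project_id if refresh_jwt is None else f"{project_id}:{refresh_jwt}"
    return {"Authorization": f"Bearer {token}"}  # credential: keep out of logs

def retry_after_seconds(value, now=None):
    """Parse Retry-After as delta-seconds or HTTP-date; None if absent or malformed."""
    if value is None:
        return None
    value = value.strip()
    if value.isdecimal():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    now = time.time() if now is None else now
    return max(0.0, when.timestamp() - now)

def call_with_backoff(send, sleep=time.sleep):
    """send() -> (status, headers, body). On 429, wait as told, then retry."""
    for attempt in range(MAX_ATTEMPTS):
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt < MAX_ATTEMPTS - 1:
            wait = retry_after_seconds(headers.get("Retry-After"))
            if wait is None:
                wait = 2.0 ** attempt  # no usable header: exponential fallback
            sleep(min(wait, MAX_WAIT))
    return 429, body

def demo():
    """Constructed responses: two 429s, then success. Returns (result, waits)."""
    canned = [(429, {"Retry-After": "5"}, ""), (429, {}, ""), (200, {}, "ok")]
    waits = []
    result = call_with_backoff(lambda: canned.pop(0), sleep=waits.append)
    return result, waits
```

Pass a function that performs the real HTTPS request as `send`; if your HTTP library returns headers in a plain dict, normalise the header name's case before the lookup.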

Trying the APIs

Each endpoint page in this documentation includes an interactive request runner. Provide the required parameters, supply the appropriate credentials, and send the request directly from the docs to see the response. This is the fastest way to validate payloads before integrating them into your code.
