Inbound Apps (OAuth) APIs
These endpoints implement Descope's OAuth 2.0 / OpenID Connect authorization server for Inbound Apps. Third-party applications, backend services, and agentic clients use them to obtain access tokens scoped to your Resources.
For conceptual guidance, grant types, and example requests, see Authorization server endpoints.
Endpoints
| Route | Methods | Description |
|---|---|---|
| /oauth2/v1/apps/authorize | GET, POST | Start user authentication and consent (GET, POST) |
| /oauth2/v1/apps/token | POST | Issue, refresh, and exchange tokens (Token endpoint) |
| /oauth2/v1/apps/revoke | POST | Revoke tokens (Revoke) |
| /oauth2/v1/apps/userinfo | GET, POST | Read token claims (GET, POST) |
Base URL: https://api.descope.com (or your custom domain).
Configure Inbound Apps
Use the Management API to create Inbound Apps, rotate secrets, and manage consents programmatically.
Validate Session POST
Validate and parse a user's session JWT. This endpoint validates a user's session using the Project ID and the user's session JWT. Upon successful validation of the user, you will receive the parsed JWT. When posting to this endpoint from an application, read the JWT from local or cookie storage, prepend the Project ID to it, and use the result as the bearer token.
OAuth 2.0 authorize endpoint (GET) GET
Start the authorization code flow for an [Inbound App](/identity-federation/inbound-apps). Redirect the user-agent to this endpoint with `client_id`, `redirect_uri`, `response_type=code`, `scope`, `state`, and PKCE parameters. See [Authorization server endpoints](/identity-federation/inbound-apps/authorization-server) for the full flow.
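An added example, not taken from Descope's documentation or SDKs: it builds the authorize redirect described above with an S256 PKCE challenge and a per-request `state`, then checks `state` on the callback before accepting the code. The route and base URL come from this page; `code_challenge` and `code_challenge_method` are the RFC 7636 parameter names, and the function names and the shape of the `pending` record are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://api.descope.com"          # from this page (or your custom domain)
AUTHORIZE_PATH = "/oauth2/v1/apps/authorize"  # from this page


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_authorization(client_id: str, redirect_uri: str, scope: str):
    """Return (url, pending). Keep `pending` in the user's server-side session."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, RFC 7636 allows 43..128
    state = _b64url(secrets.token_bytes(16))     # unguessable, one per request
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    # code_verifier never goes in the redirect; it is sent later with the token request
    return f"{BASE_URL}{AUTHORIZE_PATH}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url: str, pending: dict) -> str:
    """Return the authorization code; reject a missing or mismatched state."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    # constant-time comparison on bytes, so non-ASCII input cannot raise TypeError
    if not hmac.compare_digest(returned.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]
```

Discard the `pending` record after one use so a replayed callback cannot be matched against it.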