Overview

Token exchange API for the Sudomimus authentication platform.

The Connect API is the public entry point for integrating applications. Clients use it to establish an authentication inquiry, poll its status, redeem the realized inquiry for application tokens, refresh access tokens, and fetch localized application metadata. Applications can also introspect whether a session is still valid and revoke sessions — a single session via /logout, or every session of an account via /revoke-all.

Information

  • License: MIT
  • OpenAPI version: 3.1.0

Client-auth JWT carried via Authorization: SudomimusClientJWT <jwt>.

The JWT MUST be signed (RS256) with the application’s client-auth private key (paired public key registered server-side at application creation). Required body claims:

  • iss: the application anchor (must match applicationAnchor in the request body).
  • aud: literal string "sudomimus-connect".
  • iat: UNIX seconds. Future-dated claims are tolerated up to a 30-second clock skew.
  • exp: UNIX seconds. Lifetime (exp - iat) MUST be at most 60.
  • jti: per-request unique identifier (UUID v4 recommended). Replay is detected atomically server-side; the same jti is honored exactly once.
  • body_sha256: standard base64 of SHA-256(rawHttpBody) where the input is the UTF-8 bytes of the exact JSON body sent on the wire.

Security scheme type: http
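The claim rules above, worked through as an added example (Python standard library only; this is not the Sudomimus project's own code): a client-side claim builder and a server-side validator that enforces iss/aud, the 30-second skew, the 60-second lifetime, the body_sha256 binding and the single-use jti. It assumes the RS256 signature has already been verified by the JWT library before `validate` is called, and any anchor values and request bodies used with it are constructed sample input.

```python
import base64
import hashlib
import threading
import time
import uuid

AUDIENCE = "sudomimus-connect"
MAX_SKEW = 30      # seconds a future-dated iat is tolerated
MAX_LIFETIME = 60  # exp - iat must not exceed this
REQUIRED = ("iss", "aud", "iat", "exp", "jti", "body_sha256")


def body_sha256(raw_body: bytes) -> str:
    """Standard base64 of SHA-256 over the exact bytes sent on the wire."""
    return base64.b64encode(hashlib.sha256(raw_body).digest()).decode("ascii")


def build_claims(application_anchor: str, raw_body: bytes, now=None) -> dict:
    """Client side: the claim set to RS256-sign into the SudomimusClientJWT."""
    iat = int(time.time()) if now is None else now
    return {"iss": application_anchor, "aud": AUDIENCE, "iat": iat,
            "exp": iat + MAX_LIFETIME, "jti": str(uuid.uuid4()),
            "body_sha256": body_sha256(raw_body)}


class ClaimValidator:  # server side; assumes the RS256 signature was verified first
    def __init__(self):
        self._lock = threading.Lock()
        self._seen_jti = set()

    def validate(self, claims: dict, application_anchor: str, raw_body: bytes, now=None):
        """Returns None if the claims are acceptable, otherwise the reason for rejection."""
        now = int(time.time()) if now is None else now
        missing = [k for k in REQUIRED if k not in claims]
        if missing:
            return "missing claim(s): " + ", ".join(missing)
        if claims["iss"] != application_anchor or claims["aud"] != AUDIENCE:
            return "iss must equal applicationAnchor and aud must be sudomimus-connect"
        iat, exp = claims["iat"], claims["exp"]
        if iat > now + MAX_SKEW:
            return "iat is more than 30 s in the future"
        if exp - iat > MAX_LIFETIME or exp <= now:
            return "exp invalid: lifetime over 60 s or already expired"
        # Hash the bytes actually received; re-serialising the JSON can change them.
        if claims["body_sha256"] != body_sha256(raw_body):
            return "body_sha256 does not match the request body"
        # Check-and-record under one lock so two concurrent replays cannot both pass.
        with self._lock:
            if claims["jti"] in self._seen_jti:
                return "jti already honoured"
            self._seen_jti.add(claims["jti"])
        return None
```

The body_sha256 comparison is deliberately made against the raw request bytes rather than a re-parsed and re-serialised copy, since whitespace or key-order changes would otherwise produce a different digest from the one the client computed.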