Authentication API
Last updated
Last updated
Quasr as an OAuth2 authorization server implementation provides an OAuth2 (and OpenID Connect) API according to specs.
The API endpoint is https://{tenant_id}.api.quasr.io
The OpenID Connect Discovery document is at
API documentation and a Postman collection are available at
To offload the API we cache the below - generally highly static - API responses using a global CDN.
GET factors (without session)
200
1 day
GET controls (without session)
200
1 day
GET accounts/{account_id}
200
1 day
GET .well-known/openid-configuration
200
1 month
GET .well-known/jwks.json
200
1 month
GET oidc1/userinfo
200
5 min
GET *
400 / 401
5 min
The API is rate limited per individual endpoint to assure bandwidth availability across all endpoints.
GET .well-known/openid-configuration
GET .well-known/jwks.json
GET controls
GET factors
POST controls ("signup")
POST factors ("login")
GET controls (session)
GET factors (session)
POST controls (session)
POST factors (session)
GET oauth2/authorize
POST oauth2/token
GET oauth2/callback
POST oauth2/callback
GET oidc1/userinfo
POST oidc1/userinfo
If you exceed 300 requests in 5 min from a single IP address it will be temporarily blocked until you reduce your rate (this can sometimes take a couple minutes). This limitation can be relevant for large shared networks or back-end integrations that operate via fixed IP.
We block IPs that are listed as either malicious or actively engaged in reconnaissance or DDOS activities (AWS IP reputation list).