Sign in with Hep.gg

Use Hep.gg as an OpenID Connect identity provider so your app can offer "Sign in with Hep.gg".

Hep.gg is an OpenID Connect (OIDC) and OAuth 2.0 identity provider. Your application sends users to Hep.gg to sign in, Hep.gg authenticates them, and your application receives standard ID and access tokens describing the user. Under the hood this is the authorization-code flow with PKCE, exactly as you would integrate any spec-compliant OIDC provider (Auth0, Okta, Keycloak, and so on).

Authentication summary

There are two distinct credentials, used in different places:

  • The client_secret authenticates your server to Hep.gg at the token and revoke endpoints. Keep it on your backend; never ship it to a browser or mobile client.
  • The issued tokens (access_token, id_token) are RS256 JWTs signed by Hep.gg. Your app verifies them against the public keys at /.well-known/jwks.json with issuer https://hep.gg.

The discovery and JWKS endpoints are public and unauthenticated. The authorization endpoint runs in the user's browser against their Hep.gg session.

Issuer and endpoints

The issuer is https://hep.gg. Most OIDC libraries auto-configure from the discovery document, so you usually only need to give them the issuer URL.

Purpose             Method  URL
Discovery metadata  GET     https://hep.gg/.well-known/openid-configuration
JWKS (public keys)  GET     https://hep.gg/.well-known/jwks.json
Authorization       GET     https://hep.gg/api/v1/login/oauth/authorize
Token               POST    https://hep.gg/api/v1/login/oauth/token
UserInfo            GET     https://hep.gg/api/v1/login/oauth/userinfo
Revocation          POST    https://hep.gg/api/v1/login/oauth/revoke
End session         GET     https://hep.gg/api/v1/login/oauth/end-session

Quickstart

The smallest working call is fetching the discovery document. Point any OIDC client library at the issuer and it will read this to learn every other endpoint.

curl https://hep.gg/.well-known/openid-configuration

A successful response includes the issuer metadata:

{
  "issuer": "https://hep.gg",
  "authorization_endpoint": "https://hep.gg/api/v1/login/oauth/authorize",
  "token_endpoint": "https://hep.gg/api/v1/login/oauth/token",
  "userinfo_endpoint": "https://hep.gg/api/v1/login/oauth/userinfo",
  "jwks_uri": "https://hep.gg/.well-known/jwks.json",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "profile", "email", "groups", "offline_access"],
  "code_challenge_methods_supported": ["S256"]
}
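
An added example, not Hep.gg's own code: before trusting a fetched discovery document, check it against the values this page states (issuer, HTTPS endpoints on the issuer host, RS256, PKCE S256), then build the authorization request with an S256 code challenge. The client ID, redirect URI and the standard OAuth 2.0 query parameter names are assumptions; this page does not list the authorize parameters.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

ISSUER = "https://hep.gg"
BASE = ISSUER + "/api/v1/login/oauth"
# Constructed sample: the fields of the discovery response shown above that are checked.
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token",
    "userinfo_endpoint": BASE + "/userinfo",
    "jwks_uri": ISSUER + "/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
}

def check_discovery(meta, issuer=ISSUER):
    """Return a list of problems (empty = OK). Pins endpoints to the issuer
    host, which is stricter than OIDC requires but matches the table above."""
    problems = []
    if meta.get("issuer") != issuer:
        problems.append("issuer mismatch")
    host = urlsplit(issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        url = urlsplit(meta.get(key, ""))
        if url.scheme != "https" or url.netloc != host:
            problems.append(f"{key} is not an https URL on {host}")
    if meta.get("id_token_signing_alg_values_supported") != ["RS256"]:
        problems.append("signing algorithms are not exactly RS256")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 is not advertised")
    return problems

def s256_challenge(verifier):
    """PKCE S256 (RFC 7636): base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_url(meta, client_id, redirect_uri, scope="openid profile email"):
    """Return (url, verifier, state); keep verifier and state in the server-side session."""
    if problems := check_discovery(meta):
        raise ValueError("; ".join(problems))
    verifier, state = secrets.token_urlsafe(48), secrets.token_urlsafe(24)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state,
                       "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"})
    return f'{meta["authorization_endpoint"]}?{query}', verifier, state
```

On the callback, compare the returned state with the stored one before sending the stored verifier to the token endpoint as code_verifier.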

Next steps