Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.mgpass.net/llms.txt

Use this file to discover all available pages before exploring further.

Overview

mgPass implements OAuth 2.0 and OpenID Connect (OIDC) for authentication and authorization. Choose the flow that matches your application type.
FlowUse Case
Authorization CodeTraditional web apps with a backend
Authorization Code + PKCESPAs and mobile/native apps
Client CredentialsMachine-to-machine (M2M)
Refresh TokenRenewing expired access tokens

Discovery Endpoint

The OIDC discovery document provides all endpoint URLs and supported features: 
GET https://auth.mgpass.net/.well-known/openid-configuration
The JWKS endpoint for token verification: 
GET https://auth.mgpass.net/.well-known/jwks.json

Authorization Code Flow

Best for traditional web applications with a server-side backend.
1

Redirect to authorize

Redirect the user to the authorization endpoint:
GET https://auth.mgpass.net/oidc/auth?
  response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &scope=openid profile email
  &state=random_state_value
ParameterRequiredDescription
response_typeYesMust be code
client_idYesYour application’s client ID
redirect_uriYesMust match a registered redirect URI
scopeYesSpace-separated scopes (include openid for OIDC)
stateRecommendedCSRF protection value
2

User authenticates

mgPass displays the sign-in screen. The user authenticates with email/password or a social connector. If consent is required, a consent screen is shown.
3

Receive authorization code

After successful auth, mgPass redirects to your redirect_uri with a code:
https://yourapp.com/callback?code=AUTH_CODE&state=random_state_value
4

Exchange code for tokens

Exchange the authorization code for tokens:
curl -X POST https://auth.mgpass.net/api/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE" \
  -d "redirect_uri=https://yourapp.com/callback" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"
Response:
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rt_abc123...",
  "id_token": "eyJhbGciOiJSUzI1NiIs...",
  "scope": "openid profile email"
}

Authorization Code + PKCE

Required for SPAs and mobile apps that cannot securely store a client secret.
1

Generate PKCE values

Generate a random code_verifier and derive the code_challenge:
function generateCodeVerifier() {
  const array = new Uint8Array(32);
  crypto.getRandomValues(array);
  return btoa(String.fromCharCode(...array))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

async function generateCodeChallenge(verifier) {
  const hash = await crypto.subtle.digest(
    "SHA-256",
    new TextEncoder().encode(verifier)
  );
  return btoa(String.fromCharCode(...new Uint8Array(hash)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
2

Redirect with PKCE parameters

GET https://auth.mgpass.net/oidc/auth?
  response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &scope=openid profile email
  &state=random_state_value
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256
3

Exchange code with verifier

Include code_verifier instead of client_secret:
const response = await fetch("https://auth.mgpass.net/api/token", {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams({
    grant_type: "authorization_code",
    code: "AUTH_CODE",
    redirect_uri: "https://yourapp.com/callback",
    client_id: "YOUR_CLIENT_ID",
    code_verifier: "ORIGINAL_CODE_VERIFIER",
  }),
});

Client Credentials Flow

For server-to-server (M2M) communication where no user is involved. 
curl -X POST https://auth.mgpass.net/api/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_M2M_CLIENT_ID" \
  -d "client_secret=YOUR_M2M_CLIENT_SECRET" \
  -d "scope=api:read api:write"
Response: 
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "api:read api:write"
}
Client credentials tokens do not include a refresh_token or id_token since there is no user context.

Refresh Token Rotation

When an access token expires, use the refresh token to get a new pair: 
curl -X POST https://auth.mgpass.net/api/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=rt_abc123..." \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"
mgPass uses refresh token rotation. Each refresh returns a new refresh token and invalidates the old one. If a previously-used refresh token is submitted, all tokens for that session are revoked (replay detection).

Silent Authentication (prompt=none)

The prompt=none parameter lets you check if a user has an active mgPass session without showing any login UI. This is the foundation of cross-domain SSO and a fallback mechanism for token refresh. Request: 
GET https://auth.mgpass.net/oidc/auth?
  prompt=none
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &response_type=code
  &scope=openid+profile+email
  &state=RANDOM_STATE
Possible responses:
OutcomeRedirectNext Step
User has active session and has authorized the app?code=AUTH_CODE&state=...Exchange code for tokens
No active session?error=login_required&state=...Show login button or redirect without prompt=none
Active session but first-time app?error=consent_required&state=...Redirect without prompt=none to show consent
When to use prompt=none:
  • SSO check on page load — silently check if the user is already logged in on another MG Digital property
  • Token renewal fallback — when a refresh token has expired, try silent auth before showing a login screen
  • Session validation — periodically confirm the user’s mgPass session is still active
The prompt=none request is a browser redirect, not a background API call. The user briefly sees a redirect to mgPass and back, but no login UI is shown.

Remember Me

The mgPass login screen includes a “Remember me for 30 days” checkbox that controls session persistence:
SettingCookie TypeBehavior
Checked (default)Persistent cookie (30-day expiry)User stays logged in across browser restarts. Session extends on each use (sliding window).
UncheckedSession cookieSession ends when the browser is closed. User must sign in again next time.
This affects the SSO session, not individual access tokens. Even with “Remember me” unchecked, access and refresh tokens work normally until the browser is closed.
The “Remember me” preference only applies to the mgPass session cookie. It does not change access token or refresh token lifetimes, which are configured per-application.

Scopes

ScopeDescription
openidRequired for OIDC, returns an ID token
profileUser profile claims (name, avatar, etc.)
emailEmail address and verification status
phonePhone number and verification status
offline_accessInclude a refresh token
Custom scopesDefined per API resource (e.g., stream:live)