OAuth 2.0 + OpenID Connect — Now GA

One identity.
Every service.

The authentication layer your users deserve

Iris is a secure, standards-compliant identity platform built on OAuth 2.0 and OpenID Connect. Drop-in auth for any application — tokens in under 50ms, zero configuration hell.

// PKCE Authorization Code Flow
// (values shown unencoded for readability; URL-encode them in a real request)
GET https://iris.auth/authorize
  ?client_id=your_client_id
  &response_type=code
  &scope=openid profile email
  &code_challenge=BASE64URL(SHA256(code_verifier))
  &code_challenge_method=S256
  &redirect_uri=https://your.app/callback

// ← Tokens signed & issued in <50ms ✓

<50ms token latency: Global edge nodes, P99 guaranteed.
99.99% uptime SLA: Active-active multi-region failover.
SOC2 Type II certified: Independently audited annually.
Applications: Unlimited apps per tenant, isolated.

Platform

Built on standards.
Trusted by design.

Every primitive you need — PKCE flows, scoped tokens, consent screens, JWKS rotation — production-ready and interoperable with any OIDC client library.

🔐
PKCE Authorization

Code exchange with a cryptographic challenge. Prevents interception attacks for public clients by design.

RFC 7636
🪪
OpenID Connect

Full OIDC Core 1.0. ID tokens, UserInfo endpoint, discovery document, and JWKS — all standard, all interoperable.

OIDC Core 1.0
🌐
Multi-tenant

Complete per-tenant isolation. User pools, branding, config — all scoped. Zero noisy-neighbour risk.

Isolated namespaces
Edge-fast Tokens

Globally distributed signing nodes issue tokens close to your users. Auth is never your bottleneck.

Global edge
🔑
Scope & Consent

Granular scope definitions with polished consent screens. Users see exactly what they authorise.

OAuth Scopes
🛡️
SOC 2 Type II

Independently audited security, availability, and confidentiality controls. Enterprise trust, day one.

Annual audit
Integration flow

Ship auth in four steps.

01
Register your app

Create a client on the Iris console. Set redirect URIs, allowed scopes, grant types. Get credentials instantly.

client_id issued
02
Redirect to Iris

Send users to /authorize with your client ID, PKCE challenge, scopes, and redirect URI.

GET /authorize
03
User authenticates

Iris handles login UI and consent. A short-lived auth code is issued and returned to your redirect URI.

code returned
04
Exchange for tokens

Server exchanges code for signed JWTs — ID token, access token, refresh token. Verify with JWKS.

POST /token
OIDC Protocol

Standards-compliant by design.

Authorization Code + PKCE — full flow
Client: GET /authorize?code_challenge=…
Browser: Redirect → Iris login UI
User: Authenticates + approves scopes
Iris: 302 → redirect_uri?code=auth_xyz
Server: POST /token + code_verifier
Iris: { id_token, access_token, refresh_token }
Server: GET /userinfo Bearer access_token
Iris: { sub, email, name, picture }
01
Authorization request

Client sends PKCE challenge and scopes to /authorize. Iris validates the client registration before proceeding.

02
Authentication & consent

Iris presents the login UI. User authenticates and reviews the requested scope. A short-lived authorization code is issued.

03
Token exchange

Your server posts the code and PKCE verifier to /token. Iris verifies the challenge and issues signed JWTs in under 50ms.

04
UserInfo & refresh

Access token unlocks /userinfo. Refresh tokens rotate on use. JWKS at /.well-known/jwks.json for JWT verification.
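
The PKCE values in steps 01 and 03 above, worked through in Python as an added example (not Iris code and not part of the original page). It generates the code_verifier, derives the S256 code_challenge, builds the /authorize request with the parameters shown on this page, and reproduces the comparison an authorization server makes at /token. The function names and the `state` parameter (RFC 6749) are assumptions that do not appear on the page.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://iris.auth/authorize"  # endpoint as shown on this page
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1


def new_code_verifier() -> str:
    # 32 random bytes -> 43 base64url characters, the RFC 7636 minimum length.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without padding.
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(client_id: str, redirect_uri: str, scope: str):
    # Returns (url, verifier, state). Keep verifier and state in the server-side
    # session: only the hashed challenge travels through the browser.
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)  # assumption: RFC 6749 state, not on the page
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", verifier, state


def verifier_matches(stored_challenge: str, presented_verifier: str) -> bool:
    # The check an authorization server performs at /token before issuing tokens.
    try:
        expected = s256_challenge(presented_verifier)
    except ValueError:
        return False  # malformed verifier: reject instead of raising
    return hmac.compare_digest(expected, stored_challenge)
```

An intercepted authorization code is useless without the verifier, because only its SHA-256 hash ever appears in the redirect.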

Auth should be invisible to your users and effortless for your team.

The Iris Principle
Trusted by engineering teams
Acme Corp, Vertex, Novalab, Stratum, Quorum, Meridian

Ready to integrate?

Register your first application in minutes. No credit card required.