Backend / Service Track

Use this track when you are protecting a REST or GraphQL API, a background worker, or a service-to-service call. By the end you will be issuing and validating tokens and making authorization decisions from your service.

Prerequisites

  • A LumoAuth organization — sign up
  • A confidential OAuth client (client ID + client secret). "Confidential" means the client can safely hold a secret — unlike a browser or mobile app — so it is allowed to use client-credential-based grants.

1. Learn the model

2. Get an access token (Client Credentials)

The client_credentials grant is defined in RFC 6749 (the OAuth 2.0 core spec). It issues a token to the service itself, with no end user involved — useful for cron jobs, server-to-server calls, and background workers.

curl -X POST https://app.lumoauth.dev/orgs/YOUR_ORG/api/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=read:users"

The response is a JWT access_token scoped to your app. See the Token Endpoint reference for all supported grants (authorization_code, refresh_token, token-exchange, CIBA, device).

3. Validate tokens in your service

Pick one of two strategies:

Strategy                     When to use                                             Endpoint
Local JWT validation         High-throughput services; no network hop per request.   well-known/jwks.json
Opaque token introspection   You need instant revocation to take effect.             /oauth/introspect (defined in RFC 7662)

Local validation means your service fetches the public keys from jwks.json (cached), then verifies the JWT signature offline. Introspection means calling LumoAuth on every request — slower, but LumoAuth can deny a revoked token immediately.
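The introspection strategy, as an added example that is not LumoAuth's own code. It assumes the endpoint accepts the RFC 7662 form parameters (token, token_type_hint) with the service's client ID and secret as HTTP Basic credentials, and returns the standard JSON response; the in-process server standing in for /oauth/introspect, the token values "tok-valid" and "tok-revoked", and the subject "svc-reporting" are constructed so the example runs offline. The point it shows is that a revoked token comes back as HTTP 200 with {"active": false}, so the decision must read the active field rather than the status code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// IntrospectionResponse holds the RFC 7662 response fields an authorization
// check needs. "active" is the only field the RFC requires to be present.
type IntrospectionResponse struct {
	Active bool   `json:"active"`
	Scope  string `json:"scope,omitempty"`
	Sub    string `json:"sub,omitempty"`
	Exp    int64  `json:"exp,omitempty"`
}

// Introspect posts the token to the introspection endpoint, authenticating
// with the service's own client credentials, and returns the parsed response.
// Transport and parse errors are returned as errors (not as "inactive") so the
// caller can tell an outage apart from a revocation and fail closed either way.
func Introspect(client *http.Client, endpoint, clientID, clientSecret, token string) (*IntrospectionResponse, error) {
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var out IntrospectionResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return &out, nil
}

// IsAuthorized is the service's decision: the token must be active AND carry
// the required scope. Scope is a space-separated list, so whole entries are
// matched rather than substrings.
func IsAuthorized(r *IntrospectionResponse, requiredScope string) bool {
	if r == nil || !r.Active {
		return false
	}
	for _, s := range strings.Fields(r.Scope) {
		if s == requiredScope {
			return true
		}
	}
	return false
}

// NewFakeIntrospectionServer is a constructed stand-in for the /oauth/introspect
// endpoint so the example runs offline. It requires client authentication,
// knows one valid token, and reports every other token as inactive with a 200,
// which is what RFC 7662 prescribes for unknown or revoked tokens.
func NewFakeIntrospectionServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, _, ok := r.BasicAuth(); !ok || r.Method != http.MethodPost {
			http.Error(w, "client authentication required", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.FormValue("token") == "tok-valid" {
			json.NewEncoder(w).Encode(IntrospectionResponse{Active: true, Scope: "read:users", Sub: "svc-reporting"})
			return
		}
		json.NewEncoder(w).Encode(IntrospectionResponse{Active: false})
	}))
}

func main() {
	srv := NewFakeIntrospectionServer()
	defer srv.Close()
	for _, tok := range []string{"tok-valid", "tok-revoked"} {
		r, err := Introspect(srv.Client(), srv.URL+"/oauth/introspect", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", tok)
		fmt.Printf("%s: err=%v authorized=%v\n", tok, err, IsAuthorized(r, "read:users"))
	}
}
```

Because every request pays a round trip, a service on this strategy normally caches nothing about the token and relies entirely on the response; the trade for that cost is that revocation at LumoAuth is visible on the very next request.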

4. Make authorization decisions

Your service now has an authenticated caller. Decide what they are allowed to do.
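Local JWT validation (step 3) followed by the scope-based decision (step 4), as an added example that is not LumoAuth's own code. It assumes the JWKS document has the usual RFC 7517 shape (keys with kty, kid, n, e), that tokens are RS256 with a kid header, and that the claims are the registered iss/aud/exp plus a space-separated scope string with aud as a single string; the issuer URL, audience "users-api", kid "k1" and the signing key are constructed here. MintFixtures plays the role of LumoAuth so that the verifier can be exercised offline; in production the key set comes from jwks.json (cached) and the token from the step 2 request.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// JWK is the subset of an RSA JSON Web Key a verifier needs; JWKS is the
// document shape served by a jwks.json endpoint.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims are the registered claims this service checks plus the scope string
// the token endpoint put in the token (aud assumed to be a single string).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"`
}

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil { return err }
	return json.Unmarshal(raw, v)
}

// VerifyJWT validates a compact JWT against the cached key set: kid selects the
// key, alg is pinned to RS256 (so "none" or an HMAC downgrade is rejected), the
// signature over "header.payload" must verify, and only then are the claims
// decoded and iss/aud/exp checked.
func VerifyJWT(token string, keys JWKS, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, errors.New("unsupported alg: " + hdr.Alg) }
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if errN != nil || errE != nil { return nil, errors.New("malformed JWK") }
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { return nil, errors.New("no RSA key with kid: " + hdr.Kid) }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil { return nil, err }
	switch {
	case c.Iss != issuer: return nil, errors.New("unexpected issuer: " + c.Iss)
	case c.Aud != audience: return nil, errors.New("unexpected audience: " + c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)): return nil, errors.New("token expired")
	}
	return &c, nil
}

// HasScope is the step-4 decision: scope is a space-separated list
// (RFC 6749 section 3.3), so match whole entries rather than substrings.
func HasScope(c *Claims, required string) bool {
	for _, s := range strings.Fields(c.Scope) {
		if s == required { return true }
	}
	return false
}

// MintFixtures is a constructed stand-in for LumoAuth: it generates a signing
// key, publishes it as a JWKS under kid "k1", and issues an RS256 token.
func MintFixtures(claims Claims) (token string, keys JWKS) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys = JWKS{Keys: []JWK{{Kty: "RSA", Kid: "k1",
		N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "k1"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), keys
}
```

A handler would call VerifyJWT once per request with the cached JWKS and then gate each route on HasScope; note that with this strategy a revoked token stays valid until its exp passes, which is the trade the table above describes.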

5. Production checklist


Next track