Introduction
Gembok (Javanese: induk kunci — master key/padlock) is the Identity and Access Management server of the PandeLab ecosystem. It implements the OAuth 2.0 authorization framework and OpenID Connect (OIDC) on top of it, so your applications can authenticate users and obtain access tokens without ever handling their credentials.
This site documents Gembok as an authorization server: the protocol endpoints, the supported flows, and the discovery metadata your client needs to integrate. It is written against the running server — every endpoint and value listed here reflects the actual implementation.
What Gembok provides
- Authorization Code flow with PKCE — the recommended flow for web apps, SPAs, and mobile clients.
- Refresh tokens via the
offline_accessscope for long-lived sessions. - OpenID Connect — ID tokens and a UserInfo endpoint for user profile claims.
- JWT access tokens signed with keys published at a JWKS endpoint, so resource servers can verify them offline.
- Token revocation and introspection (RFC 7009 / RFC 7662).
- Discovery documents (OIDC Discovery and RFC 8414) for automatic configuration.
Endpoints at a glance
All paths are relative to the issuer (base URL) of your environment.
| Purpose | Method | Path |
|---|---|---|
| Authorization | GET / POST | /oauth/authorize |
| Token | POST | /oauth/token |
| UserInfo | GET / POST | /oauth/userinfo |
| Token revocation | POST | /oauth/revoke |
| Token introspection | POST | /oauth/introspect |
| JWKS (public keys) | GET | /.well-known/jwks.json |
| OIDC discovery | GET | /.well-known/openid-configuration |
| OAuth AS metadata | GET | /.well-known/oauth-authorization-server |
| Protected-resource metadata | GET | /.well-known/oauth-protected-resource |
Base URLs
| Environment | Issuer URL |
|---|---|
| Production | https://auth.pandelab.ahyalfan.dev |
| Local development | http://localhost:8080 |
Always start by fetching the discovery document — it lists the exact endpoint URLs, supported scopes, grant types, and signing algorithms for the environment you are targeting.
Core concepts
client_id. Confidential clients (with
a server backend) hold a client_secret; public clients (SPAs, mobile)
hold no secret and must use PKCE.openid profile email. See supported scopes.openid scope is requested.offline_access is granted.Next steps
- New here? Follow the Getting Started walkthrough.
- Building a web or mobile app? Read the Authorization Code + PKCE flow.
- Integrating a resource server? See JWKS and Introspection.