[{"data":1,"prerenderedAt":501},["ShallowReactive",2],{"navigation":3,"docs-\u002F":72,"docs-\u002F-surround":498},[4,8,12,30,55,68],{"title":5,"path":6,"stem":7},"Introduction","\u002F","1.index",{"title":9,"path":10,"stem":11},"Getting Started","\u002Fgetting-started","2.getting-started",{"title":13,"path":14,"stem":15,"children":16,"page":29},"Flows","\u002Fflows","3.flows",[17,21,25],{"title":18,"path":19,"stem":20},"Authorization Code","\u002Fflows\u002Fauthorization-code","3.flows\u002F1.authorization-code",{"title":22,"path":23,"stem":24},"PKCE","\u002Fflows\u002Fpkce","3.flows\u002F2.pkce",{"title":26,"path":27,"stem":28},"Refresh Token","\u002Fflows\u002Frefresh-token","3.flows\u002F3.refresh-token",false,{"title":31,"path":32,"stem":33,"children":34,"page":29},"Endpoints","\u002Fendpoints","4.endpoints",[35,39,43,47,51],{"title":36,"path":37,"stem":38},"Authorization","\u002Fendpoints\u002Fauthorize","4.endpoints\u002F1.authorize",{"title":40,"path":41,"stem":42},"Token","\u002Fendpoints\u002Ftoken","4.endpoints\u002F2.token",{"title":44,"path":45,"stem":46},"UserInfo","\u002Fendpoints\u002Fuserinfo","4.endpoints\u002F3.userinfo",{"title":48,"path":49,"stem":50},"Revocation","\u002Fendpoints\u002Frevocation","4.endpoints\u002F4.revocation",{"title":52,"path":53,"stem":54},"Introspection","\u002Fendpoints\u002Fintrospection","4.endpoints\u002F5.introspection",{"title":56,"path":57,"stem":58,"children":59,"page":29},"Well Known","\u002Fwell-known","5.well-known",[60,64],{"title":61,"path":62,"stem":63},"Discovery","\u002Fwell-known\u002Fdiscovery","5.well-known\u002F1.discovery",{"title":65,"path":66,"stem":67},"JWKS","\u002Fwell-known\u002Fjwks","5.well-known\u002F2.jwks",{"title":69,"path":70,"stem":71},"Error Reference","\u002Ferrors","6.errors",{"id":73,"title":5,"badge":74,"body":75,"description":491,"extension":492,"icon":493,"meta":494,"navigation":495,"path":6,"seo":496,"stem":7,"__hash__":497},"docs\u002F1.index.md",null,{"type":76,"value":77,"toc":481},"minimark",[78,99,106,112,117,168,172,179,331,335,369,377,381,454,458],[79,80,81,85,86,90,91,94,95,98],"p",{},[82,83,84],"strong",{},"Gembok"," (Javanese: ",[87,88,89],"em",{},"induk kunci"," — master key\u002Fpadlock) is the Identity and\nAccess Management server of the PandeLab ecosystem. It implements the\n",[82,92,93],{},"OAuth 2.0"," authorization framework and ",[82,96,97],{},"OpenID Connect (OIDC)"," on top of\nit, so your applications can authenticate users and obtain access tokens\nwithout ever handling their credentials.",[79,100,101,102,105],{},"This site documents Gembok ",[82,103,104],{},"as an authorization server",": the protocol\nendpoints, the supported flows, and the discovery metadata your client needs to\nintegrate. It is written against the running server — every endpoint and value\nlisted here reflects the actual implementation.",[107,108,109],"note",{},[79,110,111],{},"The account management API (creating clients, managing sessions from your own\nbackend) is not part of this reference yet. For now, OAuth clients are\nprovisioned through your Gembok account. This documentation covers the public\nOAuth\u002FOIDC protocol surface only.",[113,114,116],"h2",{"id":115},"what-gembok-provides","What Gembok provides",[118,119,120,130,141,147,153,163],"ul",{},[121,122,123,126,127,129],"li",{},[82,124,125],{},"Authorization Code flow"," with ",[82,128,22],{}," — the recommended flow for web apps,\nSPAs, and mobile clients.",[121,131,132,135,136,140],{},[82,133,134],{},"Refresh tokens"," via the ",[137,138,139],"code",{},"offline_access"," scope for long-lived sessions.",[121,142,143,146],{},[82,144,145],{},"OpenID Connect"," — ID tokens and a UserInfo endpoint for user profile claims.",[121,148,149,152],{},[82,150,151],{},"JWT access tokens"," signed with keys published at a JWKS endpoint, so\nresource servers can verify them offline.",[121,154,155,158,159,162],{},[82,156,157],{},"Token revocation"," and ",[82,160,161],{},"introspection"," (RFC 7009 \u002F RFC 7662).",[121,164,165,167],{},[82,166,61],{}," documents (OIDC Discovery and RFC 8414) for automatic\nconfiguration.",[113,169,171],{"id":170},"endpoints-at-a-glance","Endpoints at a glance",[79,173,174,175,178],{},"All paths are relative to the ",[82,176,177],{},"issuer"," (base URL) of your environment.",[180,181,182,198],"table",{},[183,184,185],"thead",{},[186,187,188,192,195],"tr",{},[189,190,191],"th",{},"Purpose",[189,193,194],{},"Method",[189,196,197],{},"Path",[199,200,201,220,233,248,261,275,289,303,317],"tbody",{},[186,202,203,206,215],{},[204,205,36],"td",{},[204,207,208,211,212],{},[137,209,210],{},"GET"," \u002F ",[137,213,214],{},"POST",[204,216,217],{},[137,218,219],{},"\u002Foauth\u002Fauthorize",[186,221,222,224,228],{},[204,223,40],{},[204,225,226],{},[137,227,214],{},[204,229,230],{},[137,231,232],{},"\u002Foauth\u002Ftoken",[186,234,235,237,243],{},[204,236,44],{},[204,238,239,211,241],{},[137,240,210],{},[137,242,214],{},[204,244,245],{},[137,246,247],{},"\u002Foauth\u002Fuserinfo",[186,249,250,252,256],{},[204,251,157],{},[204,253,254],{},[137,255,214],{},[204,257,258],{},[137,259,260],{},"\u002Foauth\u002Frevoke",[186,262,263,266,270],{},[204,264,265],{},"Token introspection",[204,267,268],{},[137,269,214],{},[204,271,272],{},[137,273,274],{},"\u002Foauth\u002Fintrospect",[186,276,277,280,284],{},[204,278,279],{},"JWKS (public keys)",[204,281,282],{},[137,283,210],{},[204,285,286],{},[137,287,288],{},"\u002F.well-known\u002Fjwks.json",[186,290,291,294,298],{},[204,292,293],{},"OIDC discovery",[204,295,296],{},[137,297,210],{},[204,299,300],{},[137,301,302],{},"\u002F.well-known\u002Fopenid-configuration",[186,304,305,308,312],{},[204,306,307],{},"OAuth AS metadata",[204,309,310],{},[137,311,210],{},[204,313,314],{},[137,315,316],{},"\u002F.well-known\u002Foauth-authorization-server",[186,318,319,322,326],{},[204,320,321],{},"Protected-resource metadata",[204,323,324],{},[137,325,210],{},[204,327,328],{},[137,329,330],{},"\u002F.well-known\u002Foauth-protected-resource",[113,332,334],{"id":333},"base-urls","Base URLs",[180,336,337,347],{},[183,338,339],{},[186,340,341,344],{},[189,342,343],{},"Environment",[189,345,346],{},"Issuer URL",[199,348,349,359],{},[186,350,351,354],{},[204,352,353],{},"Production",[204,355,356],{},[137,357,358],{},"https:\u002F\u002Fauth.pandelab.ahyalfan.dev",[186,360,361,364],{},[204,362,363],{},"Local development",[204,365,366],{},[137,367,368],{},"http:\u002F\u002Flocalhost:8080",[79,370,371,372,376],{},"Always start by fetching the ",[373,374,375],"a",{"href":62},"discovery document"," — it\nlists the exact endpoint URLs, supported scopes, grant types, and signing\nalgorithms for the environment you are targeting.",[113,378,380],{"id":379},"core-concepts","Core concepts",[382,383,384,408,424,434,444],"field-group",{},[385,386,389],"field",{"name":387,"type":388},"Client","application",[79,390,391,392,395,396,399,400,403,404,407],{},"Your application, identified by a ",[137,393,394],{},"client_id",". ",[82,397,398],{},"Confidential"," clients (with\na server backend) hold a ",[137,401,402],{},"client_secret","; ",[82,405,406],{},"public"," clients (SPAs, mobile)\nhold no secret and must use PKCE.",[385,409,412],{"name":410,"type":411},"Scope","string",[79,413,414,415,418,419,423],{},"A space-separated list of permissions requested from the user, e.g.\n",[137,416,417],{},"openid profile email",". See ",[373,420,422],{"href":421},"\u002Fwell-known\u002Fdiscovery#scopes","supported scopes",".",[385,425,428],{"name":426,"type":427},"Access token","JWT",[79,429,430,431,433],{},"A signed, short-lived token the client sends to resource servers. Verify it\nwith the ",[373,432,65],{"href":66}," public keys.",[385,435,437],{"name":436,"type":427},"ID token",[79,438,439,440,443],{},"An OpenID Connect token asserting the user's identity, returned when the\n",[137,441,442],{},"openid"," scope is requested.",[385,445,448],{"name":446,"type":447},"Refresh token","opaque",[79,449,450,451,453],{},"A long-lived credential used to obtain new access tokens without user\ninteraction. Issued only when ",[137,452,139],{}," is granted.",[113,455,457],{"id":456},"next-steps","Next steps",[118,459,460,466,473],{},[121,461,462,463,465],{},"New here? Follow the ",[373,464,9],{"href":10}," walkthrough.",[121,467,468,469,472],{},"Building a web or mobile app? Read the\n",[373,470,471],{"href":19},"Authorization Code + PKCE"," flow.",[121,474,475,476,478,479,423],{},"Integrating a resource server? See ",[373,477,65],{"href":66}," and\n",[373,480,52],{"href":53},{"title":482,"searchDepth":483,"depth":483,"links":484},"",3,[485,487,488,489,490],{"id":115,"depth":486,"text":116},2,{"id":170,"depth":486,"text":171},{"id":333,"depth":486,"text":334},{"id":379,"depth":486,"text":380},{"id":456,"depth":486,"text":457},"OAuth 2.0 and OpenID Connect authorization server documentation for Gembok Secure Systems.","md","i-lucide-book-open",{},true,{"title":5,"description":491},"qdNGsviJ4ZrXD4ySqmpoz6_iGmOxkIQLc06v9lzWcUQ",[74,499],{"title":9,"path":10,"stem":11,"description":500,"children":-1},"Complete your first Authorization Code + PKCE flow against Gembok in a few minutes.",1784230319295]