Descope website screenshot

Descope

Descope is a customer and agentic identity access management (CIAM) platform founded in 2022 by veterans of Sentrigo and Demisto (acquired by Palo Alto Networks). Its signature is drag-and-drop Descope Flows — a visual authentication-flow builder — paired with passwordless methods (passkeys, magic link, OTP, social, biometric), risk-based MFA, SSO/SAML/SCIM, fine-grained authorization, and a growing Agentic Identity Hub that issues scoped OAuth tokens to AI agents and MCP servers. Descope ships SDKs for every mainstream language and framework, a CLI, Terraform/Pulumi providers, self-hostable hosted-auth app, and prebuilt migration tools from Auth0, Cognito, Firebase, and Keycloak. Free tier covers 7,500 MAUs forever; paid tiers start at $249/month.

5 APIs 23 Features
AuthenticationIdentityCIAMPasswordlessPasskeysMFASSOOAuthOIDCSAMLSCIMAuthorizationFGAAgentic IdentityMCP

APIs

Descope Authentication API

Public, end-user-facing authentication API covering every Descope login experience — One-Time Passwords (email/SMS/voice/IM), Magic Link, Enchanted Link, OAuth/Social, One-Tap, ...

Descope Management API

Server-side administrative API for managing every resource in a Descope project — users, access keys, tenants, roles, permissions, groups, SSO/SAML/OIDC configuration, password ...

Descope OAuth Applications API

Standards-compliant OAuth 2.1 / OIDC authorization server endpoints that let Descope act as an identity provider for inbound third-party applications and agentic clients. Covers...

Descope SCIM 2.0 API

System for Cross-domain Identity Management (SCIM) 2.0 endpoints under `/scim/v2/` for automated user and group lifecycle provisioning from upstream IdPs (Okta, Entra ID, Google...

Descope JWKS and Discovery API

Public key and discovery endpoints used by any RP that needs to validate Descope-issued session JWTs without calling the API. Includes the project JWKS endpoints (`/v1/keys`, `/...

Collections

Features

Drag-and-drop Descope Flows for designing authentication, signup, MFA, step-up, and account-recovery journeys with no code
Passwordless authentication — magic links, enchanted links, passkeys/WebAuthn, OTP (email/SMS/voice/IM), nOTP push, TOTP authenticator apps, and Google One Tap
Social login and OIDC federation with 30+ providers
SAML 2.0 inbound and outbound SSO with self-service IdP configuration for B2B customers
WS-Federation IdP support for Microsoft enterprise tenants
SCIM 2.0 user and group provisioning
Fine-grained authorization (FGA / ReBAC) modeled after Google Zanzibar with schema, relation, and policy APIs
Role-based access control with company/project/tag-scoped management keys
Multi-tenant architecture with delegated admin widgets for B2B customer self-service
Risk-based / adaptive MFA via flow conditional logic and connectors (reCAPTCHA, Fingerprint, ipQualityScore)
Step-up authentication for sensitive transactions
50+ outbound connectors (HTTP, audit, AWS, Segment, Salesforce, HubSpot, Twilio, SendGrid, Slack, etc.)
Inbound third-party app OAuth — Descope as an OIDC/OAuth 2.1 authorization server
Agentic Identity Hub with MCP server registration, per-agent OAuth scopes, and token vaulting for AI agents (Claude, ChatGPT, Cursor, etc.)
OAuth 2.1, PKCE, JAR (RFC 9101), DPoP, CIBA, and device authorization flows
Anonymous-to-known user merging
Account takeover prevention with disposable-email/burner detection (go-free-email-providers)
Custom domains for hosted authentication pages
Hosted Flow app (React) with full source available for self-hosting
Terraform and Pulumi providers for declarative project management
CLI (`descopecli`) for project snapshot, import, export, and CI/CD pipelines
Audit log API and analytics API
Free 7,500 MAU forever tier

Use Cases

B2C Customer Authentication

Add passwordless sign-up/sign-in (passkeys, magic link, social) to consumer apps with adaptive MFA and account-takeover protection.

B2B Enterprise SSO

Let business customers self-serve SAML/OIDC SSO and SCIM provisioning without per-tenant engineering work, using delegated admin widgets.

Auth Migration

Migrate users from Auth0, Cognito, Firebase, Keycloak, and other IdPs with prebuilt Python-based migration tools that preserve password hashes where possible.

Agentic Identity for AI Agents

Issue scoped OAuth tokens to AI agents and MCP servers using progressive scoping, token vaulting, and per-agent audit trails via the Agentic Identity Hub.

Multi-Tenant SaaS

Model tenant hierarchies, delegated admin, per-tenant SSO, and tenant-scoped RBAC/FGA from a single Descope project.

Fine-Grained Authorization

Replace homegrown permission systems with a Zanzibar-style schema, relations, and policies via the FGA Management API.

Mobile Authentication

Native passkey, biometric, and social login in iOS, Android, React Native, and Flutter apps using Descope's mobile SDKs.

Compliance-Driven Auth

Use audit logs, custom message templates, MFA enforcement, and SOC 2 / GDPR controls to satisfy regulated-industry requirements.

Integrations

AWS

SaaS Builder Toolkit integration, Cognito migration, and IAM role assumption from GCP via OIDC GitHub Action.

Cloudflare

Workers-based redirect worker for tenant-level SSO migration.

Terraform

Official `terraform-provider-descope` for managing projects, flows, tenants, and SSO declaratively.

Pulumi

Official `pulumi-descope` provider.

WordPress

Descope auth plugin replacing native WordPress login.

Django

`django-descope` plugin for first-class Django auth integration.

Passport.js

`passport-descope` strategy for Node.js apps using Passport.

Next.js / React / Vue / Angular / SvelteKit

Client SDKs and Flow web components shipped under `descope-js`.

Salesforce / HubSpot / Segment / Twilio / SendGrid / Slack / S3 / Snowflake

50+ outbound connectors invoked from inside Flows to enrich users, send messages, and stream events.

Anthropic Claude / OpenAI / Cursor / MCP Clients

Agentic Identity Hub issues short-lived, scoped tokens to AI agents via MCP server registration and per-agent OAuth.

Solutions

Customer Identity (CIAM)

Drop-in B2C authentication with Flows, passwordless methods, and progressive profiling.

Workforce-Adjacent B2B Identity

SAML SSO, SCIM, delegated admin, and tenant management for SaaS vendors selling to enterprises.

Agentic Identity

OAuth issuance, MCP server registration, and credential vaulting for AI agents and autonomous workflows.

Migration & Modernization

Tooling to lift users off legacy IdPs (Auth0, Cognito, Firebase, Keycloak) onto a modern, passwordless-first platform.

Resources

🌐
Portal
Portal
🔗
Documentation
Documentation
🚀
GettingStarted
GettingStarted
🔗
APIReference
APIReference
🌐
Console
Console
📝
Signup
Signup
🔗
Plans
Plans
💰
Pricing
Pricing
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
🟢
StatusPage
StatusPage
📰
Blog
Blog
💬
Support
Support
🔗
CaseStudies
CaseStudies
🎓
Training
Training
🔗
Documentation
Documentation
👥
GitHubOrganization
GitHubOrganization
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
🔗
Plugins
Plugins
🔗
CLI
CLI
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔗
LinkedIn
LinkedIn
🔗
Twitter
Twitter
👥
YouTube
YouTube
🔗
Forums
Forums
🌐
Portal
Portal
🔗
Documentation
Documentation

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Descope API
  version: 0.0.1
request:
  auth:
    type: bearer
    token: '{{bearerToken}}'
items:
- info:
    name: Default
    type: folder
  items:
  - info:
      name: ThirdPartyApplicationAuthorizeGetByMcpServerID
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/apps/agentic/:project_id/:mcp_server_id/authorize
      params:
      - name: project_id
        value: ''
        type: path
      - name: mcp_server_id
        value: ''
        type: path
      - name: response_type
        value: ''
        type: query
        description: "RFC 9101 §6.3: when a JAR `request` parameter is present, response_type and\n redirect_uri may be omitted\
          \ from the outer query and carried inside the JWT.\n The controller validates the resolved values after JAR processing."
      - name: scope
        value: ''
        type: query
      - name: client_id
        value: ''
        type: query
      - name: state
        value: ''
        type: query
      - name: redirect_uri
        value: ''
        type: query
      - name: code_challenge_method
        value: ''
        type: query
        description: PKCE
      - name: code_challenge
        value: ''
        type: query
      - name: nonce
        value: ''
        type: query
      - name: loginHint
        value: ''
        type: query
      - name: prompt
        value: ''
        type: query
      - name: flow
        value: ''
        type: query
      - name: flow_token
        value: ''
        type: query
      - name: resource
        value: ''
        type: query
        description: RFC 8707 - OAuth 2.0 Resource Indicators
      - name: tenant
        value: ''
        type: query
      - name: style
        value: ''
        type: query
      - name: dpop_jkt
        value: ''
        type: query
      - name: request
        value: ''
        type: query
    docs: Third Party application authorization GET endpoint by MCP server ID
  - info:
      name: ThirdPartyApplicationAuthorizePOSTByMcpServerID
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/agentic/:project_id/:mcp_server_id/authorize
      params:
      - name: project_id
        value: ''
        type: path
      - name: mcp_server_id
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: Third Party application authorization POST endpoint by MCP server ID
  - info:
      name: ThirdPartyApplicationTokenEndpointByMcpServerID
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/agentic/:project_id/:mcp_server_id/token
      params:
      - name: project_id
        value: ''
        type: path
      - name: mcp_server_id
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: Third Party application token endpoint by MCP server ID
  - info:
      name: Get Authorization Endpoint
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/apps/authorize
      params:
      - name: response_type
        value: ''
        type: query
        description: "RFC 9101 §6.3: when a JAR `request` parameter is present, response_type and\n redirect_uri may be omitted\
          \ from the outer query and carried inside the JWT.\n The controller validates the resolved values after JAR processing."
      - name: scope
        value: ''
        type: query
      - name: client_id
        value: ''
        type: query
      - name: state
        value: ''
        type: query
      - name: redirect_uri
        value: ''
        type: query
      - name: code_challenge_method
        value: ''
        type: query
        description: PKCE
      - name: code_challenge
        value: ''
        type: query
      - name: nonce
        value: ''
        type: query
      - name: loginHint
        value: ''
        type: query
      - name: prompt
        value: ''
        type: query
      - name: flow
        value: ''
        type: query
      - name: flow_token
        value: ''
        type: query
      - name: resource
        value: ''
        type: query
        description: RFC 8707 - OAuth 2.0 Resource Indicators
      - name: project_id
        value: ''
        type: query
      - name: tenant
        value: ''
        type: query
      - name: mcp_server_id
        value: ''
        type: query
      - name: style
        value: ''
        type: query
      - name: dpop_jkt
        value: ''
        type: query
      - name: request
        value: ''
        type: query
    docs: Third Party application authorization GET endpoint
  - info:
      name: Post Authorization Endpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/authorize
      body:
        type: json
        data: '{}'
    docs: Third Party application authorization POST endpoint
  - info:
      name: ThirdPartyApplicationCIBAEndpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/bc-authorize
      body:
        type: json
        data: '{}'
    docs: Third Party application CIBA backchannel authentication endpoint
  - info:
      name: ThirdPartyApplicationDeviceEndpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/device
      body:
        type: json
        data: '{}'
    docs: Third Party application device endpoint
  - info:
      name: Finish Authorization Endpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/finish-authorize
      body:
        type: json
        data: '{}'
    docs: Third Party application authorization finish endpoint
  - info:
      name: OIDC revoke endpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/revoke
      body:
        type: json
        data: '{}'
    docs: OIDC revoke endpoint
  - info:
      name: Third Party application token endpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/token
      body:
        type: json
        data: '{}'
    docs: Third Party application token endpoint
  - info:
      name: Third Party application Get UserInfo endpoint
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/apps/userinfo
      params:
      - name: project_id
        value: ''
        type: query
        description: Can be empty as data arrived on the Authorization header token
    docs: Third Party application Get UserInfo endpoint
  - info:
      name: Third Party application Post UserInfo endpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/userinfo
      body:
        type: json
        data: '{}'
    docs: Third Party application Post UserInfo endpoint
  - info:
      name: ThirdPartyApplicationAuthorizeGetByProjectID
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/apps/:project_id/authorize
      params:
      - name: project_id
        value: ''
        type: path
      - name: response_type
        value: ''
        type: query
        description: "RFC 9101 §6.3: when a JAR `request` parameter is present, response_type and\n redirect_uri may be omitted\
          \ from the outer query and carried inside the JWT.\n The controller validates the resolved values after JAR processing."
      - name: scope
        value: ''
        type: query
      - name: client_id
        value: ''
        type: query
      - name: state
        value: ''
        type: query
      - name: redirect_uri
        value: ''
        type: query
      - name: code_challenge_method
        value: ''
        type: query
        description: PKCE
      - name: code_challenge
        value: ''
        type: query
      - name: nonce
        value: ''
        type: query
      - name: loginHint
        value: ''
        type: query
      - name: prompt
        value: ''
        type: query
      - name: flow
        value: ''
        type: query
      - name: flow_token
        value: ''
        type: query
      - name: resource
        value: ''
        type: query
        description: RFC 8707 - OAuth 2.0 Resource Indicators
      - name: tenant
        value: ''
        type: query
      - name: mcp_server_id
        value: ''
        type: query
      - name: style
        value: ''
        type: query
      - name: dpop_jkt
        value: ''
        type: query
      - name: request
        value: ''
        type: query
    docs: Third Party application authorization GET endpoint
  - info:
      name: ThirdPartyApplicationAuthorizePostByProjectID
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/:project_id/authorize
      params:
      - name: project_id
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: Third Party application authorization POST endpoint
  - info:
      name: ThirdPartyApplicationCIBAEndpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/:project_id/bc-authorize
      params:
      - name: project_id
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: Third Party application CIBA backchannel authentication endpoint
  - info:
      name: ThirdPartyApplicationDeviceEndpoint
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/:project_id/device
      params:
      - name: project_id
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: Third Party application device endpoint
  - info:
      name: ThirdPartyApplicationRevocationEndpointByProjectID
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/:project_id/revoke
      params:
      - name: project_id
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: Third Party application revoke endpoint by project ID
  - info:
      name: ThirdPartyApplicationTokenEndpointByProjectID
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/:project_id/token
      params:
      - name: project_id
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: Third Party application token endpoint by project ID
  - info:
      name: ThirdPartyApplicationUserInfoEndpointGetByProjectID
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/apps/:project_id/userinfo
      params:
      - name: project_id
        value: ''
        type: path
        description: Can be empty as data arrived on the Authorization header token
    docs: Third Party application Get UserInfo endpoint by project ID
  - info:
      name: ThirdPartyApplicationUserInfoEndpointPostByProjectID
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/apps/:project_id/userinfo
      params:
      - name: project_id
        value: ''
        type: path
        description: Can be empty as data arrived on the Authorization header token
      body:
        type: json
        data: '{}'
    docs: Third Party application POST UserInfo endpoint by project ID
  - info:
      name: RegisterThirdPartyApplication
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/mgmt/inboundapp/app/:projectId/register
      params:
      - name: projectId
        value: ''
        type: path
        description: Auto fill by proto from the requested URL
      body:
        type: json
        data: '{}'
    docs: Register Third Party Application according to RFC 7591
  - info:
      name: RegisterMcpServerClient
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/mgmt/mcp/client/:projectId/:mcpServerId/register
      params:
      - name: projectId
        value: ''
        type: path
        description: Auto fill by proto from the requested URL
      - name: mcpServerId
        value: ''
        type: path
        description: Auto fill by proto from the requested URL (only in agentic hub)
      body:
        type: json
        data: '{}'
    docs: Register MCP Server client according to RFC 7591
  - info:
      name: OIDC Authorize
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/authorize
      params:
      - name: response_type
        value: ''
        type: query
      - name: scope
        value: ''
        type: query
      - name: client_id
        value: ''
        type: query
      - name: state
        value: ''
        type: query
      - name: redirect_uri
        value: ''
        type: query
      - name: code_challenge_method
        value: ''
        type: query
        description: PKCE
      - name: code_challenge
        value: ''
        type: query
      - name: dynamic_val
        value: ''
        type: query
      - name: nonce
        value: ''
        type: query
      - name: ssoAppId
        value: ''
        type: query
      - name: loginHint
        value: ''
        type: query
      - name: prompt
        value: ''
        type: query
      - name: flow
        value: ''
        type: query
      - name: flow_token
        value: ''
        type: query
      - name: tenant
        value: ''
        type: query
      - name: style
        value: ''
        type: query
      - name: dpop_jkt
        value: ''
        type: query
    docs: OIDC GET authorization endpoint start
  - info:
      name: OIDC Authorize
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/authorize
      body:
        type: json
        data: '{}'
    docs: OIDC POST authorization endpoint start
  - info:
      name: OIDC Authorize Entra MFA
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/authorize/entramfa
      body:
        type: json
        data: '{}'
    docs: OIDC Entra MFA authorization endpoint
  - info:
      name: OIDC Device
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/device
      body:
        type: json
        data: '{}'
    docs: OIDC device endpoint
  - info:
      name: OIDC Finish Authorize
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/finish-authorize
      params:
      - name: state_id
        value: ''
        type: query
      - name: sso_app_id
        value: ''
        type: query
      - name: error_redirect_uri
        value: ''
        type: query
    docs: OIDC POST authorization endpoint finish
  - info:
      name: OIDC Finish Authorize
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/finish-authorize
      body:
        type: json
        data: '{}'
    docs: OIDC GET authorization endpoint finish
  - info:
      name: OIDC End Session
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/logout
      params:
      - name: id_token_hint
        value: ''
        type: query
      - name: client_id
        value: ''
        type: query
      - name: post_logout_redirect_uri
        value: ''
        type: query
      - name: state
        value: ''
        type: query
      - name: ssoAppId
        value: ''
        type: query
    docs: OIDC end session GET endpoint
  - info:
      name: OIDC End Session
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/logout
      body:
        type: json
        data: '{}'
    docs: OIDC end session POST endpoint
  - info:
      name: OIDC Revoke
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/revoke
      body:
        type: json
        data: '{}'
    docs: OIDC revoke endpoint
  - info:
      name: OIDC Token
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/token
      body:
        type: json
        data: '{}'
    docs: OIDC token endpoint
  - info:
      name: OIDC UserInfo
      type: http
    http:
      method: GET
      url: https://api.descope.com/oauth2/v1/userinfo
      params:
      - name: ssoAppId
        value: ''
        type: query
        description: Can be empty as data arrived on the Authorization header token
    docs: OIDC Get UserInfo endpoint
  - info:
      name: OIDC UserInfo
      type: http
    http:
      method: POST
      url: https://api.descope.com/oauth2/v1/userinfo
      body:
        type: json
        data: '{}'
    docs: OIDC POST UserInfo endpoint
  - info:
      name: SAML IDP Initiate Redirect
      type: http
    http:
      method: GET
      url: https://api.descope.com/v1/auth/saml/idp/initiate
      params:
      - name: app
        value: ''
        type: query
      - name: RelayState
        value: ''
        type: query
      - name: LoginHint
        value: ''
        type: query
      - name: tenant
        value: ''
        type: query
      - name: flow_token
        value: ''
        type: query
      - name: login_hint
        value: ''
        type: query
    docs: SAML IDP Initiate HTTP redirect binding login flow
  - info:
      name: SAML IDP Initiate POST
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/saml/idp/initiate
      body:
        type: json
        data: '{}'
    docs: SAML IDP Initiate HTTP POST binding login flow
  - info:
      name: SAML IDP Redirect Binding
      type: http
    http:
      method: GET
      url: https://api.descope.com/v1/auth/saml/idp/sso
      params:
      - name: app
        value: ''
        type: query
      - name: SAMLRequest
        value: ''
        type: query
      - name: SamlRequest
        value: ''
        type: query
      - name: RelayState
        value: ''
        type: query
      - name: LoginHint
        value: ''
        type: query
      - name: tenant
        value: ''
        type: query
      - name: flow_token
        value: ''
        type: query
      - name: login_hint
        value: ''
        type: query
    docs: SAML IDP http redirect binding login flow
  - info:
      name: SAML IDP POST Binding
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/saml/idp/sso
      params:
      - name: app
        value: ''
        type: query
      body:
        type: json
        data: '{}'
    docs: SAML IDP HTTP POST binding login flow
  - info:
      name: SAML IDP Finish
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/saml/idp/sso-finish
      body:
        type: json
        data: '{}'
    docs: SAML IDP finish endpoint
  - info:
      name: WS-Fed IDP Initiate
      type: http
    http:
      method: GET
      url: https://api.descope.com/v1/auth/wsfed/idp/initiate
      params:
      - name: app
        value: ''
        type: query
      - name: tenant
        value: ''
        type: query
      - name: login_hint
        value: ''
        type: query
    docs: WS-Fed IDP-initiated sign-in (GET)
  - info:
      name: WS-Fed IDP Initiate
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/wsfed/idp/initiate
      body:
        type: json
        data: '{}'
    docs: WS-Fed IDP-initiated sign-in (POST)
  - info:
      name: WS-Fed IDP Passive
      type: http
    http:
      method: GET
      url: https://api.descope.com/v1/auth/wsfed/idp/sso
      params:
      - name: app
        value: ''
        type: query
      - name: wa
        value: ''
        type: query
      - name: wtrealm
        value: ''
        type: query
      - name: wreply
        value: ''
        type: query
      - name: wctx
        value: ''
        type: query
      - name: whr
        value: ''
        type: query
      - name: tenant
        value: ''
        type: query
      - name: login_hint
        value: ''
        type: query
    docs: WS-Fed IDP passive sign-in endpoint (GET)
  - info:
      name: WS-Fed IDP Passive
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/wsfed/idp/sso
      body:
        type: json
        data: '{}'
    docs: WS-Fed IDP passive sign-in endpoint (POST)
  - info:
      name: WS-Fed IDP Finish
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/wsfed/idp/sso-finish
      body:
        type: json
        data: '{}'
    docs: WS-Fed IDP finish endpoint after authentication
  - info:
      name: OIDC Authorize
      type: http
    http:
      method: GET
      url: https://api.descope.com/:ssoAppId/oauth2/v1/authorize
      params:
      - name: ssoAppId
        value: ''
        type: path
      - name: response_type
        value: ''
        type: query
      - name: scope
        value: ''
        type: query
      - name: client_id
        value: ''
        type: query
      - name: state
        value: ''
        type: query
      - name: redirect_uri
        value: ''
        type: query
      - name: code_challenge_method
        value: ''
        type: query
        description: PKCE
      - name: code_challenge
        value: ''
        type: query
      - name: dynamic_val
        value: ''
        type: query
      - name: nonce
        value: ''
        type: query
      - name: loginHint
        value: ''
        type: query
      - name: prompt
        value: ''
        type: query
      - name: flow
        value: ''
        type: query
      - name: flow_token
        value: ''
        type: query
      - name: tenant
        value: ''
        type: query
      - name: style
        value: ''
        type: query
      - name: dpop_jkt
        value: ''
        type: query
    docs: OIDC GET authorization endpoint start (sso app)
  - info:
      name: OIDC Authorize
      type: http
    http:
      method: POST
      url: https://api.descope.com/:ssoAppId/oauth2/v1/authorize
      params:
      - name: ssoAppId
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: OIDC POST authorization endpoint start (sso app)
  - info:
      name: OIDC Authorize Entra MFA
      type: http
    http:
      method: POST
      url: https://api.descope.com/:ssoAppId/oauth2/v1/authorize/entramfa
      params:
      - name: ssoAppId
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: OIDC Entra MFA authorization endpoint (SSO App)
  - info:
      name: OIDC Device
      type: http
    http:
      method: POST
      url: https://api.descope.com/:ssoAppId/oauth2/v1/device
      params:
      - name: ssoAppId
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: OIDC device endpoint (sso app)
  - info:
      name: OIDC End Session
      type: http
    http:
      method: GET
      url: https://api.descope.com/:ssoAppId/oauth2/v1/logout
      params:
      - name: ssoAppId
        value: ''
        type: path
      - name: id_token_hint
        value: ''
        type: query
      - name: client_id
        value: ''
        type: query
      - name: post_logout_redirect_uri
        value: ''
        type: query
      - name: state
        value: ''
        type: query
    docs: OIDC end session GET endpoint (sso app)
  - info:
      name: OIDC End Session
      type: http
    http:
      method: POST
      url: https://api.descope.com/:ssoAppId/oauth2/v1/logout
      params:
      - name: ssoAppId
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: OIDC end session POST endpoint (sso app)
  - info:
      name: OIDC Revoke
      type: http
    http:
      method: POST
      url: https://api.descope.com/:ssoAppId/oauth2/v1/revoke
      params:
      - name: ssoAppId
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: OIDC revoke endpoint (sso app)
  - info:
      name: OIDC Token
      type: http
    http:
      method: POST
      url: https://api.descope.com/:ssoAppId/oauth2/v1/token
      params:
      - name: ssoAppId
        value: ''
        type: path
      body:
        type: json
        data: '{}'
    docs: OIDC token endpoint (sso app)
  - info:
      name: OIDC UserInfo
      type: http
    http:
      method: GET
      url: https://api.descope.com/:ssoAppId/oauth2/v1/userinfo
      params:
      - name: ssoAppId
        value: ''
        type: path
        description: Can be empty as data arrived on the Authorization header token
    docs: OIDC Get UserInfo endpoint (sso app)
  - info:
      name: OIDC UserInfo
      type: http
    http:
      method: POST
      url: https://api.descope.com/:ssoAppId/oauth2/v1/userinfo
      params:
      - name: ssoAppId
        value: ''
        type: path
        description: Can be empty as data arrived on the Authorization header token
      body:
        type: json
        data: '{}'
    docs: OIDC POST UserInfo endpoint (sso app)
  - info:
      name: Exchange Key
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/accesskey/exchange
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Exchange API key for access token


      This API Endpoint will take an API key for the project and provide an access token to be used for accessing the application.

      The session token JWT token will be valid for the configured [Session Token Timeout](/project-settings#session-token-timeout),
      and its expiration time will be provided in the `expiration` field of the response object.'
  - info:
      name: Refresh Session
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/refresh
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Refresh the session token, using a valid fresh token


      This API endpoint will provide a new valid session token for an existing signed-in user, by validating the provided
      refresh token.

      The refresh token is provided as part of the HTTP Authorization Bearer.'
  - info:
      name: Try Refresh Session
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/try-refresh
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: Refresh the current session if it is valid, will not fail if the refresh token is missing or invalid
  - info:
      name: My Details
      type: http
    http:
      method: GET
      url: https://api.descope.com/v1/auth/me
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Get current signed-in user details


      This API Endpoint will return the current user''s details. This endpoint requires the user to be signed in and have
      a valid `refreshJwt`. The `refreshJwt` is then used as part of the Authorization Bearer to perform this task.'
  - info:
      name: Get Session History
      type: http
    http:
      method: GET
      url: https://api.descope.com/v1/auth/me/history
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Get user''s session history


      This API Endpoint will return the current user''s session history including geo-location and IP address. This endpoint
      requires the user to be signed in and have a valid `refreshJwt`. The `refreshJwt` is then used as part of the Authorization
      Bearer to perform this task.'
  - info:
      name: Select an active tenant
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/tenant/select
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Set the active tenant for the user''s current session


      This endpoint allows you to get a new session token and refresh token with the `dct` claim on the JWT which shows the
      active selected tenant for the user.


      See [Tenant Selection Article](/knowledgebase/descopeflows/tenantselectcomponent/) for more details of the usage.'
  - info:
      name: Logout
      type: http
    http:
      method: GET
      url: https://api.descope.com/v1/auth/idp/sso/logout
      params:
      - name: app
        value: ''
        type: query
    docs: IDP SSO Logout from the session and delete the session and refresh cookies
  - info:
      name: Logout
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/idp/sso/logout
      body:
        type: json
        data: '{}'
    docs: IDP SSO Logout from the session and delete the session and refresh cookies
  - info:
      name: Sign-Out
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/logout
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Log the user out from the provided session

      This API endpoint will sign the user out of the provided session using the `refreshToken`.

      Successfully executing this endpoint will invalidate the provided refresh tokens.

      Response will also include all user tokens and fields empty, so the executing client will remove cookies as well.'
  - info:
      name: Sign-Out All Active Sessions
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/logoutall
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Log the user out from all signed-in sessions


      This API endpoint will sign the user out of all the devices they are currently signed-in with.

      Successfully executing this endpoint will invalidate all user''s refresh tokens. Response will include all user tokens
      and fields empty, so client will remove cookies as well.'
  - info:
      name: Validate Session
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/validate
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Validate and parse a user''s session JWT.


      This endpoint is used to validate a users session using the Project ID and the user''s session JWT. Upon successful
      validate of the user, you will receive the parsed JWT.


      When posting to this endpoint from an application, you get the JWT from local or cookie storage, and prepend it with
      project ID and use that as the bearer.'
  - info:
      name: Update User NOTP
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/notp/:provider/update
      params:
      - name: provider
        value: ''
        type: path
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: Update user phone using NOTP
  - info:
      name: Sign-Up / Sign-In
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/oauth/authorize
      params:
      - name: provider
        value: ''
        type: query
      - name: redirectUrl
        value: ''
        type: query
      - name: prompt
        value: ''
        type: query
      - name: test
        value: ''
        type: query
      - name: rawResponse
        value: ''
        type: query
      - name: loginHint
        value: ''
        type: query
      - name: initiatedEmail
        value: ''
        type: query
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: '### Authorize end user to sign-up or sign-in using social login credentials


      Initiate a social login (OAuth) sign-up or sign-in process for an end user. Descope will coordinate the authorization
      process with the OAUth provider specified in the `provider` field. Specify the URL you want to redirect the end user
      to after a successful sign-in in the `redirectURL` parameter.


      When the OAuth authorization completes successfully, the endpoint returns a URL `url` that has a unique code `<unique-code\>`'
  - info:
      name: Create Redirect URI for Sign-In Request
      type: http
    http:
      method: POST
      url: https://api.descope.com/v1/auth/oauth/authorize/sig

# --- truncated at 32 KB (250 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/descope/refs/heads/main/apis.yml