This endpoint is the starting point for the OAuth 2.0 Authorization Code flow, a secure method for obtaining access tokens. When a client application wants to access a user's protected resources, it directs the user's browser to this authorization endpoint.

Upon accessing this endpoint:

1. The user will be prompted to log in if they haven't already. This ensures that the user is aware of and in control of the permissions they grant.
2. After successful authentication, the user will be presented with a consent screen. This screen will detail the permissions the client application is requesting.
3. If the user grants the requested permissions, the authorization server will redirect the user's browser back to the client application using the provided redirect_uri.
4. Appended to this redirect will be an important piece of information: the authorization code. This short-lived code is essential for the next step in the flow, where the client application exchanges it for an access token.

It's worth noting that this flow provides an added layer of security. The user's credentials are never shared directly with the client application. Instead, the application receives an authorization code, which can only be used in conjunction with the application's own credentials to obtain an access token.

The JWKs (JSON Web Key Set) endpoint provides a set of public keys used by the authorization server. These keys are essential for clients and other entities to verify the digital signatures of tokens issued by the server.

By accessing this endpoint, client applications can retrieve the current public keys and use them to validate the JWT (JSON Web Token) signatures, ensuring the tokens' authenticity and integrity. This dynamic retrieval ensures that clients can adapt to key rotations and other security measures implemented by the authorization server.

The returned JWKS is in a standard format, making it compatible with many JWT libraries and tools.

Use this endpoint to obtain an access token. The required parameters vary based on the grant type:

Authorization Code Grant with PKCE:

• grant_type: Must be set to authorization_code.
• code: The authorization code received from the authorization server.
• redirect_uri: The same redirect URI that was used to obtain the authorization code.
• client_id: The Marpp ID.
• code_verifier: The original code verifier used to generate the code challenge.

Client Credentials Grant using Service Account:

• grant_type: Must be set to client_credentials.
• service_account: The identifier of the service account.
• client_id: The Marpp ID.
• client_secret: The service account's apiKey.

Client Credentials with JWT Bearer Token:

• grant_type: Must be set to client_credentials.
• client_assertion_type: Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
• client_assertion: The JWT Bearer token.
• client_id: The Marpp ID.

This endpoint facilitates user authentication. Clients send user credentials (username and password) to this endpoint to establish an authenticated session. Upon successful authentication, the server sets an HTTP-only cookie named FINBOOTSESSIONID. This cookie represents the authenticated session and allows for immediate redirections without the need for re-authentication.

This endpoint allows authenticated users to log out, effectively ending their session. When a user logs out, the associated FINBOOTSESSIONID cookie is invalidated on the server side, ensuring it can't be used for further authenticated requests.

Clients should call this endpoint when users explicitly choose to log out or when refreshing authentication tokens to ensure a clean session state.

Initializes the identity after they have been sent the onboarding email