Using Kinde without an SDK

Link to this section

Kinde is designed to help founders and developers build SaaS products by providing software infrastructure like authentication, feature flags, user management, and more.

We support connecting to Kinde through our SDKs, but everything we build is also OAuth 2 standard, so you can integrate into any language framework with Kinde without an SDK.

Start for free on Kinde.

OpenID Connect

Link to this section

To connect to Kinde you need to know where the endpoints are for things like authorization, tokens and user profiles. You’ll also need to know the response types and claims that are supported. All this data and more can be found in your OpenID configuration file which is located at:

https://<your_kinde_subdomain>.kinde.com/.well-known/openid-configuration

Signing up and signing in

Link to this section

Your users must be redirected from your product to Kinde to sign up or sign in securely. The redirect URL on your product side would look like the following:

https://<your_kinde_sudomain>.kinde.com/oauth2/auth
?response_type=code
&client_id=<your_kinde_client_id>
&redirect_uri=<your_app_redirect_url>
&scope=openid+profile+email
&state=abc

Note: Never include the client secret in the URL as this is publicly viewable.

Kinde supports all the standard OAuth 2 request parameters as well as a few additional Kinde-specific parameters to improve the end user experience. Full details can be found in the Request parameters table below.

Supported grant types for getting access tokens

Link to this section

Authorization Code Flow

Link to this section

Recommended for regular web applications rendered on the server.

Authorization Code Flow with Proof Key for Code Exchange (PKCE)

Link to this section

Kinde supports the PKCE extension, in which case the code_challenge and code_challenge_method parameters are also required. This is recommended for mobile apps and single page applications (SPAs).

Implicit flow (not supported)

Link to this section

Before PKCE (see above) this was the method used by applications that were unable to store secrets securely. This flow has security implications and Kinde does not support it for this reason.

Request parameters

Link to this section

There are a few useful additional parameters that Kinde supports in the authorization URL.

PropertyTypeIs requiredDescription
audiencestringNoThe audience claim for the JWT. This can be used to protect your APIs and resource servers
client_idstringYesThe id of your application - get this from the Kinde admin area
logout_uristringNoWhere your user will be redirected upon logout
code_challengestringFor PKCEA base64 encoded string of a SHA256 hash of a code verifier
code_challenge_methodstringFor PKCEShould always be S256 tells Kinde the method used to hash the code challenge above
is_create_orgbooleanNoIf an organization should be created along with the user
org_codestringNoFor multi-tenant or platform apps, tell Kinde which organization a user is trying to sign in or sign up to
org_namestringNoIf is_create_org is passed then you can optionally include the name of the organization your would like to create
redirect_uristringYesThe url that the user will be returned to after authentication
response_typestringYesShould always be code. Kinde does not support the implicit flow as it has shown to be insecure.
scopestringNoThe scopes to be requested from Kinde
start_pagestringNoAccepts sign_in or registration so you can determine if your user should land on the sign up or sign in page. (By default users will land on the sign in page)
state (recommended)stringNoKinde will return this to your app so you can validate it came from us and prevent CSRF attacks

Verifying the Kinde access token

Link to this section

It’s likely you will be using a library to validate your JWTs and they will require the url for your public JSON Web Key (also known as a jwks file).

The file can be found here:

https://<your_kinde_subdomain>.kinde.com/.well-known/jwks

Signing out your users

Link to this section

When user sign out, you will want to clear any session or locally stored data in your app and redirect them to your preferred logout URL. Such as:

https://<your_kinde_subdomain>.kinde.com/logout

This will end their session on Kinde. A new access token or refresh token needs to be issued for them to sign in again.

To add a logout URL in Kinde, go to Settings > Applications > View Details, then add the URLs to the Allowed logout redirect URLs field. Users will be redirected back to this URL when they sign out.

Talk to us

If you can’t find what you’re looking for in our help center — email our team

Contact us