Kinde is designed to help founders and developers build SaaS products by providing software infrastructure like authentication, feature flags, user management, and more.
We support connecting to Kinde through our SDKs, but everything we build is also OAuth 2 standard, so you can integrate into any language framework with Kinde without an SDK.
Start for free on Kinde.
To connect to Kinde you need to know where the endpoints are for things like authorization, tokens and user profiles. You’ll also need to know the response types and claims that are supported. All this data and more can be found in your OpenID configuration file which is located at:
https://<your_kinde_subdomain>.kinde.com/.well-known/openid-configuration
Your users must be redirected from your product to Kinde to sign up or sign in securely. The redirect URL on your product side would look like the following:
https://<your_kinde_sudomain>.kinde.com/oauth2/auth
?response_type=code
&client_id=<your_kinde_client_id>
&redirect_uri=<your_app_redirect_url>
&scope=openid+profile+email
&state=abc
Note: Never include the client secret in the URL as this is publicly viewable.
Kinde supports all the standard OAuth 2 request parameters as well as a few additional Kinde-specific parameters to improve the end user experience. Full details can be found in the Request parameters table below.
Recommended for regular web applications rendered on the server.
Kinde supports the PKCE extension, in which case the code_challenge
and code_challenge_method
parameters are also required. This is recommended for mobile apps and single page applications (SPAs).
Before PKCE (see above) this was the method used by applications that were unable to store secrets securely. This flow has security implications and Kinde does not support it for this reason.
There are a few useful additional parameters that Kinde supports in the authorization URL.
Property | Type | Is required | Description |
---|---|---|---|
audience | string | No | The audience claim for the JWT. This can be used to protect your APIs and resource servers |
client_id | string | Yes | The id of your application - get this from the Kinde admin area |
logout_uri | string | No | Where your user will be redirected upon logout |
code_challenge | string | For PKCE | A base64 encoded string of a SHA256 hash of a code verifier |
code_challenge_method | string | For PKCE | Should always be S256 tells Kinde the method used to hash the code challenge above |
is_create_org | boolean | No | If an organization should be created along with the user |
org_code | string | No | For multi-tenant or platform apps, tell Kinde which organization a user is trying to sign in or sign up to |
org_name | string | No | If is_create_org is passed then you can optionally include the name of the organization your would like to create |
redirect_uri | string | Yes | The url that the user will be returned to after authentication |
response_type | string | Yes | Should always be code . Kinde does not support the implicit flow as it has shown to be insecure. |
scope | string | No | The scopes to be requested from Kinde |
start_page | string | No | Accepts sign_in or registration so you can determine if your user should land on the sign up or sign in page. (By default users will land on the sign in page) |
state (recommended) | string | No | Kinde will return this to your app so you can validate it came from us and prevent CSRF attacks |
It’s likely you will be using a library to validate your JWTs and they will require the url for your public JSON Web Key (also known as a jwks file).
The file can be found here:
https://<your_kinde_subdomain>.kinde.com/.well-known/jwks
When user sign out, you will want to clear any session or locally stored data in your app and redirect them to your preferred logout URL. Such as:
https://<your_kinde_subdomain>.kinde.com/logout
This will end their session on Kinde. A new access token or refresh token needs to be issued for them to sign in again.
To add a logout URL in Kinde, go to Settings > Applications > View Details, then add the URLs to the Allowed logout redirect URLs field. Users will be redirected back to this URL when they sign out.
Developer tools