sso.user.m7.org Public Documentation

This folder contains public-facing documentation for the current sso.user.m7.org surface.

Start here if your client expects strict off-the-shelf OAuth or OIDC behavior:

• Compatibility Differences and Current Gaps

Audience:

• developers integrating an OAuth or OpenID Connect client
• developers building device-code or service-to-service flows
• teams using the hosted M7 login, signup, and logout pages

Important current notes:

• The primary browser entrypoint is /authorize.
• The token endpoint is /token.
• Tokens returned by this surface are currently issued with iss values from id.m7.org.
• The refresh flow currently uses token=<REFRESH_TOKEN> plus binding_chain and binding_link.
• /userinfo currently requires client_id.
• /register is protected by a bearer access token and is create-only in the current version.
• /jwks.json is not a traditional enumerable JWKS set.

Core integration endpoints

• /authorize
• /par
• /token
• /userinfo
• /revoke
• /introspect
• /register
• /device_authorization
• /end-session
• /.well-known/openid-configuration
• /.well-known/oauth-authorization-server
• /jwks.json

Hosted browser pages

• /login
• /signup
• /device_login
• /logout

Routes not intended for direct third-party integration

The following public routes exist, but they are part of the hosted browser flow rather than the stable third-party API surface:

• /login-init
• /authorize-process
• /process-login
• /process-signup
• /device_login_process
• /end-session-process

These routes are used by the hosted M7 pages and should be treated as implementation details unless M7 publishes a separate compatibility promise for them.

The temporary /test route is intentionally not documented as part of the public surface.