Enterprise Identity.
Open Standards. Zero Compromise.
FoxAuth is the centralized identity platform for the Fox ecosystem — built on OAuth 2.1 and OpenID Connect, with a compatibility bridge for legacy clients. One trusted authority for tokens, sessions, and access control across every service.
Capabilities
Everything you need for secure identity
Purpose-built for the Fox ecosystem with the flexibility to serve any standards-compliant client.
Token Issuance
Signed JWT access tokens and ID tokens with configurable lifetimes, claims mapping, and opaque token support for legacy clients.
Single Sign-On
One authentication event grants access across all registered Fox services. Silent re-authentication for a seamless user experience.
PKCE Enforcement
All public clients require Proof Key for Code Exchange by default, eliminating authorization-code interception risks end-to-end.
Token Rotation
Refresh tokens rotate on every use. Reuse detection immediately revokes the entire token family to contain compromised sessions.
Audit Trail
Every authentication event, token grant, and session lifecycle change is recorded with IP, device, and timestamp for compliance.
Multi-Tenancy
Isolated branding, login policies, and user directories per company — custom login page, logo, and color scheme per tenant.
High Availability
Stateless JWT verification with JWKS caching keeps downstream services working even during auth-server maintenance windows.
Passwordless & OTP
Email magic links and time-based OTP alongside password auth — configurable per service or per user policy.
Protocol Support
Standards & Grant Types
Full OAuth 2.1 and OIDC 1.0 compliance alongside a legacy compatibility bridge for existing integrations.
- Authorization Code + PKCE
- Client Credentials
- Device Authorization
- Refresh Token Rotation
- Implicit / ROPC (deprecated)
- ID Token (JWT / RS256)
- UserInfo Endpoint
- JWKS Endpoint
- Discovery Document
- Standard Claims (sub, email, name…)
- API Key pass-through
- Token introspection (RFC 7662)
- Session cookie validation
- CAS ticket protocol
- Graceful migration path
| Endpoint | Method | Path | Standard | Status |
|---|---|---|---|---|
| Discovery | GET | /.well-known/openid-configuration | OIDC 1.0 | Active |
| JWKS | GET | /connect/jwks | OIDC 1.0 | Active |
| Authorization | GET | /connect/authorize | OAuth 2.1 | Active |
| Token | POST | /connect/token | OAuth 2.1 | Active |
| UserInfo | GET | /connect/userinfo | OIDC 1.0 | Active |
| Revocation | POST | /connect/revoke | RFC 7009 | Active |
| Logout | GET | /connect/logout | OIDC 1.0 | Active |
Auth Flow
How FoxAuth works
A single, secure round-trip from application to user and back — fully standards-compliant.
App Redirects
Client sends the user to FoxAuth with response_type=code and a PKCE code challenge.
User Authenticates
FoxAuth presents the branded login page. Credentials, OTP, or passwordless challenge are verified securely.
Code Issued
FoxAuth redirects back with a short-lived authorization code bound to the PKCE code challenge sent in the authorization request.
Tokens Granted
App exchanges the code and verifier for an access token, an ID token, and optionally a refresh token over the back channel.
API Access
Downstream services verify the signed JWT locally via JWKS — no FoxAuth round-trip required per request.
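The code-issuance and token-exchange steps above, modeled as an added example that is not FoxAuth's own code: an authorization code is bound to an S256 code challenge, can be redeemed once, and is rejected without the matching verifier. The names `AuthServerModel`, `s256` and `demo`, the S256 method, the 60-second code lifetime and the client values are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time

CODE_TTL = 60  # seconds; assumed value, the page only says "short-lived"

def s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthServerModel:
    """Hypothetical in-memory model of the authorize and token steps."""
    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, challenge, expiry)

    def authorize(self, client_id, redirect_uri, challenge, method, now=None):
        if method != "S256" or not challenge:
            raise ValueError("invalid_request: S256 code_challenge required")
        code = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + CODE_TTL
        self._codes[code] = (client_id, redirect_uri, challenge, expiry)
        return code

    def token(self, code, verifier, client_id, redirect_uri, now=None):
        # pop() makes the code single-use even when a later check fails
        entry = self._codes.pop(code, None)
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        bound_client, bound_uri, challenge, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            raise ValueError("invalid_grant: code expired")
        if (client_id, redirect_uri) != (bound_client, bound_uri):
            raise ValueError("invalid_grant: client or redirect_uri mismatch")
        if not hmac.compare_digest(s256(verifier), challenge):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def demo():
    """Constructed run: a request without the verifier fails, the client succeeds."""
    server, results = AuthServerModel(), {}
    client, uri = "demo-client", "https://app.example/callback"  # constructed
    verifier = secrets.token_urlsafe(48)  # 64 chars, within RFC 7636's 43-128
    code = server.authorize(client, uri, s256(verifier), "S256")
    try:  # a party that saw the code in the redirect but lacks the verifier
        server.token(code, "x" * 43, client, uri)
    except ValueError as e:
        results["intercepted"] = str(e)
    code = server.authorize(client, uri, s256(verifier), "S256")
    results["legit"] = server.token(code, verifier, client, uri)["token_type"]
    return results
```

Because the model consumes the code on the first redemption attempt, a failed exchange also invalidates the code, so the client has to restart the flow rather than retry.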
Legacy Compatibility — No Big-Bang Migration Required
Existing Fox services using API keys, session cookies, or CAS ticket validation continue to work unchanged. FoxAuth's compatibility bridge translates legacy auth signals into first-class OAuth tokens behind the scenes, giving teams a gradual migration path to full OAuth 2.1 at their own pace.