For Agents
Drive a multi-step Authgear signup, login, or recovery flow by creating a flow, posting input at each state, and finishing with an OAuth token exchange. Also import and export users in bulk via the admin endpoints.
Get started with Authgear Authentication Flow API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"create a custom login flow"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with Authgear Authentication Flow API API.
Create signup, login, account-recovery, or reauth flows with POST /api/v1/authentication_flows
Drive a flow forward by posting credentials, OTPs, or selections to /api/v1/authentication_flows/states/input
Inspect the current state of an in-progress flow with POST /api/v1/authentication_flows/states
Run the OAuth 2.0 authorization code flow via /oauth2/authorize and /oauth2/token
GET STARTED
Use for: I need to start a custom login flow for a user, Submit a one-time password to advance an authentication flow, Exchange an authorization code for an access token, Retrieve OIDC claims for the currently signed-in user
Not supported: Does not handle fine-grained authorization policies, per-resource permission checks, or audit log streaming — use for authentication flows, OAuth/OIDC, and user lifecycle only.
Jentic publishes the only available OpenAPI document for Authgear Authentication Flow API, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for Authgear Authentication Flow API, keeping it validated and agent-ready. Authgear is an authentication-as-a-service platform that lets developers build custom signup, login, account-recovery, and re-authentication flows on top of a single API. The Authentication Flow API drives multi-step flows where each state is exchanged for the next via /states/input, and a WebSocket endpoint streams progress for real-time UIs. Authgear also exposes standard OAuth 2.0 and OpenID Connect endpoints (/oauth2/authorize, /oauth2/token, /oauth2/userinfo) and admin endpoints for bulk user import and export.
Retrieve OIDC user claims from /oauth2/userinfo and verify tokens against /oauth2/jwks
Bulk-import or export users using /_api/admin/users/import and /_api/admin/users/export
Revoke issued OAuth tokens with POST /oauth2/revoke when a session is terminated
Patterns agents use Authgear Authentication Flow API API for, with concrete tasks.
★ Custom login UI on top of Authgear
Build a fully branded login page in your own app while letting Authgear handle credential validation, OTP delivery, and policy enforcement. POST /api/v1/authentication_flows starts a flow, the UI displays the prompts returned in each state, and POST /api/v1/authentication_flows/states/input advances the flow until an authorization code is issued. The custom UI never touches password hashing or MFA secrets — Authgear does it server-side.
POST /api/v1/authentication_flows with type=login, then POST /api/v1/authentication_flows/states/input with the user's email, then again with the password to receive a finished flow result
Standard OAuth 2.0 / OIDC integration
Add 'Sign in with Authgear' to a third-party application using the standard authorization code flow. The app redirects to /oauth2/authorize, exchanges the returned code at /oauth2/token, and then calls /oauth2/userinfo to fetch the user's profile. Token signatures can be verified against /oauth2/jwks so downstream services validate tokens without an extra round trip.
Redirect to /oauth2/authorize with response_type=code and openid scope, then POST to /oauth2/token to exchange the code for an ID token and access token
Bulk user migration from a legacy system
Migrate users from a legacy IdP into Authgear without forcing password resets. POST /_api/admin/users/import accepts a batch of user records and returns a task_id; GET /_api/admin/users/import/{task_id} reports per-record success and failure. The complementary export endpoints let teams snapshot the directory before a major change.
POST /_api/admin/users/import with a JSON array of user records, then poll GET /_api/admin/users/import/{task_id} until status is completed
Agent-managed account recovery
An AI support agent can drive an account-recovery flow on behalf of a user by creating a recovery flow with type=account_recovery, then posting the recovery code the user received by email or SMS to /states/input. Through Jentic the admin API key is held in the credential vault, so the agent only sees the per-flow state token and not the long-lived admin secret.
Create an account_recovery flow, then POST /api/v1/authentication_flows/states/input with the user's email and the recovery code to issue a new password
14 endpoints — jentic publishes the only available openapi specification for authgear authentication flow api, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/api/v1/authentication_flows
Create a new authentication flow
/api/v1/authentication_flows/states/input
Advance a flow with user input
/oauth2/authorize
OAuth 2.0 authorization endpoint
/oauth2/token
Exchange a code for tokens
/oauth2/userinfo
Retrieve OIDC user claims
/_api/admin/users/import
Initiate a bulk user import
/_api/admin/users/export
Initiate a bulk user export
/api/v1/authentication_flows
Create a new authentication flow
/api/v1/authentication_flows/states/input
Advance a flow with user input
/oauth2/authorize
OAuth 2.0 authorization endpoint
/oauth2/token
Exchange a code for tokens
/oauth2/userinfo
Retrieve OIDC user claims
Three things that make agents converge on Jentic-routed access.
Credential isolation
Authgear admin API keys and OAuth client secrets are stored encrypted in the Jentic credential vault. Agents receive scoped per-call tokens — the long-lived admin key never enters the agent's prompt context.
Intent-based discovery
Agents search Jentic for intents like 'create a login flow' or 'import users' and Jentic returns the matching Authgear operation with its input schema, including which state_token to pass on follow-up calls.
Time to first call
Direct Authgear integration: 2-4 days to wire up flow state management, OAuth callbacks, and admin tooling. Through Jentic: under an hour — search, load the schema for each operation, execute.
Alternatives and complements available in the Jentic catalogue.
Auth0 Management API
Auth0 covers a similar identity-as-a-service surface with broader enterprise SSO connectors
Choose Auth0 when the project needs SAML, AD, or LDAP enterprise connections; choose Authgear for a developer-friendly flow API and Asia-Pacific hosting
Clerk Backend API
Clerk pairs an authentication API with React, Next.js, and Expo prebuilt components
Choose Clerk when the front end is React or Next.js and prebuilt UI components are valuable; choose Authgear for headless flows and bulk migration tooling
Twilio API
Twilio delivers the SMS and voice OTPs that an Authgear MFA step requires
Use Twilio when Authgear's built-in OTP delivery is not enough — for example, sending custom-branded SMS messages from your own long code or short code
Specific to using Authgear Authentication Flow API API through Jentic.
Why is there no official OpenAPI spec for Authgear Authentication Flow API?
Authgear does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call Authgear Authentication Flow API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the Authgear Authentication Flow API use?
Authgear uses bearer tokens. End-user endpoints accept the OAuth access token issued at /oauth2/token, and admin endpoints under /_api/admin require an admin API key sent as a bearer token. Through Jentic both credential types are held in the vault and injected per call, so the agent never handles the raw admin key.
How do I drive a multi-step login flow with the Authgear API?
POST /api/v1/authentication_flows with type=login to create the flow. The response includes a state_token and a list of expected inputs. Submit each input (email, password, OTP) to POST /api/v1/authentication_flows/states/input, passing the state_token, until the flow finishes and returns an authorization code.
Can I bulk-import users into Authgear?
Yes. POST /_api/admin/users/import accepts a JSON array of user records and returns a task_id. Poll GET /_api/admin/users/import/{task_id} for per-record results. The matching /_api/admin/users/export endpoints return a similar task-based response for full directory exports.
What are the rate limits for the Authgear Authentication Flow API?
Project-specific rate limits are configured per Authgear plan and are not encoded in the OpenAPI spec. Treat /authentication_flows and /oauth2/token as user-initiated and apply backoff on 429 responses; check the Authgear dashboard for the active limits on your project.
How do I exchange an authorization code for tokens through Jentic?
Search Jentic for 'exchange OAuth code for token' and load the /oauth2/token operation. Execute it with grant_type=authorization_code, the code, and the redirect_uri to receive an access token, refresh token, and ID token. Get started at https://app.jentic.com/sign-up.
Does Authgear support OpenID Connect discovery?
Yes. GET /.well-known/openid-configuration returns the OIDC discovery document, and GET /oauth2/jwks returns the JSON Web Key Set used to verify ID and access token signatures. Standard OIDC client libraries pick these up automatically.
/_api/admin/users/import
Initiate a bulk user import
/_api/admin/users/export
Initiate a bulk user export