OAuth 2.1
Discovery (RFC 8414)
Fetch Whatalo's Authorization Server metadata programmatically.
The discovery endpoint exposes the Whatalo Authorization Server metadata in accordance with RFC 8414. OAuth clients must use this endpoint to resolve all endpoint URLs — never hardcode them in your code.
Endpoint
GET https://app.whatalo.com/.well-known/oauth-authorization-server
No authentication required. The response is public and cacheable.
Example response
```json
{
  "issuer": "https://app.whatalo.com",
  "authorization_endpoint": "https://app.whatalo.com/oauth/authorize",
  "token_endpoint": "https://app.whatalo.com/oauth/token",
  "registration_endpoint": "https://app.whatalo.com/oauth/register",
  "introspection_endpoint": "https://app.whatalo.com/oauth/introspect",
  "revocation_endpoint": "https://app.whatalo.com/oauth/revoke",
  "jwks_uri": "https://app.whatalo.com/oauth/jwks",
  "response_types_supported": ["code"],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:token-exchange"
  ],
  "code_challenge_methods_supported": ["S256"],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "none"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "scopes_supported": [
    "read:products",
    "write:products",
    "read:inventory",
    "write:inventory",
    "read:discounts",
    "write:discounts",
    "read:orders",
    "write:orders",
    "read:customers",
    "write:customers",
    "read:store",
    "write:store",
    "read:analytics",
    "read:webhooks",
    "write:webhooks"
  ],
  "subject_types_supported": ["public"],
  "resource_parameter_supported": true,
  "service_documentation": "https://developers.whatalo.com/docs/api/oauth/overview",
  "op_policy_uri": "https://whatalo.com/legal/privacy",
  "op_tos_uri": "https://whatalo.com/legal/terms"
}
```
Key fields
| Field | Meaning |
|---|---|
| issuer | Canonical AS identifier. Validate that the issuer of every JWT you receive matches this value exactly. |
| registration_endpoint | Use this for Dynamic Client Registration. |
| code_challenge_methods_supported | Only S256; plain is not allowed. |
| scopes_supported | The 15 available scopes. See Scopes. |
| resource_parameter_supported | true indicates support for the RFC 8707 resource parameter. Only a single resource value is accepted per request. |
| token_endpoint_auth_methods_supported | Confidential clients use client_secret_basic or client_secret_post; public clients use none. |
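The checks the table above asks for (issuer match, S256 only, usable endpoint URLs), as an added example that is not Whatalo's own code. It assumes an expected issuer of https://app.whatalo.com and, as a local policy taken from the example response, that every endpoint lives on the issuer's host; the sample document is a constructed, trimmed copy of the response shown above.

```javascript
// Added example, not Whatalo's own code: check an RFC 8414 metadata document
// before trusting the endpoint URLs it advertises.
const EXPECTED_ISSUER = "https://app.whatalo.com";
const REQUIRED_ENDPOINTS = [
  "authorization_endpoint", "token_endpoint", "jwks_uri",
  "registration_endpoint", "revocation_endpoint",
];

// Returns the resolved endpoint URLs, or throws if the document should not be
// trusted. The same-host rule is an assumption taken from the example response
// above, where every endpoint lives on the issuer's host.
function validateAuthServerMetadata(metadata, expectedIssuer = EXPECTED_ISSUER) {
  const problems = [];
  // RFC 8414 section 3.3: the issuer in the document must equal the one the
  // metadata URL was derived from, character for character.
  if (metadata.issuer !== expectedIssuer) {
    problems.push(`issuer mismatch: ${metadata.issuer}`);
  }
  const issuerHost = new URL(expectedIssuer).host;
  const resolved = {};
  for (const field of REQUIRED_ENDPOINTS) {
    let url;
    try { url = new URL(metadata[field]); } catch { problems.push(`${field} missing or malformed`); continue; }
    if (url.protocol !== "https:" || url.host !== issuerHost) {
      problems.push(`${field} is not an https URL on ${issuerHost}: ${url.href}`);
    }
    resolved[field] = url.href;
  }
  // OAuth 2.1 clients use PKCE with S256 only; "plain" is not acceptable.
  const pkce = metadata.code_challenge_methods_supported ?? [];
  if (!pkce.includes("S256")) problems.push("S256 PKCE method not advertised");
  if (!(metadata.response_types_supported ?? []).includes("code")) {
    problems.push("authorization code response type not advertised");
  }
  if (problems.length) throw new Error("Rejected AS metadata: " + problems.join("; "));
  return resolved;
}

// Constructed sample: a trimmed copy of the document shown above.
const SAMPLE_METADATA = {
  issuer: "https://app.whatalo.com",
  authorization_endpoint: "https://app.whatalo.com/oauth/authorize",
  token_endpoint: "https://app.whatalo.com/oauth/token",
  registration_endpoint: "https://app.whatalo.com/oauth/register",
  revocation_endpoint: "https://app.whatalo.com/oauth/revoke",
  jwks_uri: "https://app.whatalo.com/oauth/jwks",
  response_types_supported: ["code"],
  code_challenge_methods_supported: ["S256"],
};
```

Run the validator on the parsed discovery response once at startup and keep only the returned URLs; a document that fails any check is discarded rather than partially used.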
Why use discovery
If you hardcode endpoint URLs, your integration will break if Whatalo changes them. The discovery endpoint is the single source of truth and may change without a versioned notice.
The recommended pattern when starting your OAuth client:
```javascript
// Fetch once at startup, cache for the session
const AS_METADATA_URL =
  "https://app.whatalo.com/.well-known/oauth-authorization-server";

async function getAuthServerMetadata() {
  const res = await fetch(AS_METADATA_URL);
  // Treat any non-2xx status as a failure rather than parsing an error body.
  if (!res.ok) throw new Error("Could not fetch AS metadata");
  return res.json();
}

// Use resolved URLs instead of hardcoded ones.
// Top-level await requires an ES module; otherwise wrap this in an async function.
const metadata = await getAuthServerMetadata();
const tokenEndpoint = metadata.token_endpoint;
const authEndpoint = metadata.authorization_endpoint;
```
Next step
After discovering the server, register your client using Dynamic Client Registration.