OAuth 2.1
Discovery (RFC 8414)
Retrieve the metadata of the Whatalo Authorization Server programmatically.
The discovery endpoint exposes the Whatalo Authorization Server metadata in accordance with RFC 8414. OAuth clients must use this endpoint to resolve every endpoint URL; never hardcode them in your code.
Endpoint
GET https://app.whatalo.com/.well-known/oauth-authorization-server
No authentication required. The response is public and cacheable.
Example response
{
"issuer": "https://app.whatalo.com",
"authorization_endpoint": "https://app.whatalo.com/oauth/authorize",
"token_endpoint": "https://app.whatalo.com/oauth/token",
"registration_endpoint": "https://app.whatalo.com/oauth/register",
"introspection_endpoint": "https://app.whatalo.com/oauth/introspect",
"revocation_endpoint": "https://app.whatalo.com/oauth/revoke",
"jwks_uri": "https://app.whatalo.com/oauth/jwks",
"response_types_supported": ["code"],
"grant_types_supported": [
"authorization_code",
"refresh_token",
"urn:ietf:params:oauth:grant-type:token-exchange"
],
"code_challenge_methods_supported": ["S256"],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post",
"none"
],
"introspection_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"revocation_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"scopes_supported": [
"read:products",
"write:products",
"read:inventory",
"write:inventory",
"read:discounts",
"write:discounts",
"read:orders",
"write:orders",
"read:customers",
"write:customers",
"read:store",
"write:store",
"read:analytics",
"read:webhooks",
"write:webhooks"
],
"subject_types_supported": ["public"],
"resource_parameter_supported": true,
"service_documentation": "https://developers.whatalo.com/docs/api/oauth/overview",
"op_policy_uri": "https://whatalo.com/legal/privacy",
"op_tos_uri": "https://whatalo.com/legal/terms"
}
Notable fields
| Field | Meaning |
|---|---|
| issuer | Canonical identifier of the AS. Validate that it matches the issuer claim in JWT tokens. |
| registration_endpoint | Use this for Dynamic Client Registration. |
| code_challenge_methods_supported | Only S256; plain is not permitted. |
| scopes_supported | The 15 available scopes. See Scopes. |
| resource_parameter_supported | true indicates support for RFC 8707. Single-value-per-request policy. |
| token_endpoint_auth_methods_supported | Confidential clients use client_secret_basic or client_secret_post; public clients use none. |
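The checks implied by the fields above, written out as an added example (this is not Whatalo's code or part of the original page): the issuer is compared against the URL the metadata was fetched from as RFC 8414 requires, endpoints must be HTTPS on the issuer's origin, S256 must be offered, and the scopes the application needs must be advertised. SAMPLE_METADATA is a constructed subset of the response shown above, and the two function names are the example's own.

```javascript
// Added example, not Whatalo's code: check RFC 8414 metadata before trusting
// it. SAMPLE_METADATA is constructed from the response shown on this page.
const WELL_KNOWN_PATH = "/.well-known/oauth-authorization-server";
const SAMPLE_METADATA = {
  issuer: "https://app.whatalo.com",
  authorization_endpoint: "https://app.whatalo.com/oauth/authorize",
  token_endpoint: "https://app.whatalo.com/oauth/token",
  jwks_uri: "https://app.whatalo.com/oauth/jwks",
  code_challenge_methods_supported: ["S256"],
  token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "none"],
  scopes_supported: ["read:products", "write:products", "read:orders"],
};
// Returns a list of problems; an empty list means the metadata is safe to use.
function validateAuthServerMetadata(metadata, metadataUrl, requiredScopes = []) {
  const problems = [];
  // RFC 8414 section 3.3: issuer must equal the metadata URL minus the
  // well-known path, so a document fetched from one host cannot name another.
  const expectedIssuer = metadataUrl.replace(WELL_KNOWN_PATH, "");
  if (metadata.issuer !== expectedIssuer) {
    problems.push(`issuer mismatch: ${metadata.issuer} != ${expectedIssuer}`);
  }
  // Endpoints must be HTTPS and on the issuer's origin; reject anything else.
  const issuerOrigin = new URL(expectedIssuer).origin;
  for (const key of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    const value = metadata[key];
    if (!value) { problems.push(`missing ${key}`); continue; }
    const url = new URL(value);
    if (url.protocol !== "https:" || url.origin !== issuerOrigin) {
      problems.push(`${key} is not https on ${issuerOrigin}: ${value}`);
    }
  }
  // OAuth 2.1 requires PKCE with S256; a server offering only "plain" is rejected.
  if (!(metadata.code_challenge_methods_supported || []).includes("S256")) {
    problems.push("S256 PKCE not supported");
  }
  // Fail at startup, not at first login, if a needed scope is not advertised.
  const advertised = new Set(metadata.scopes_supported || []);
  for (const scope of requiredScopes) {
    if (!advertised.has(scope)) problems.push(`scope not supported: ${scope}`);
  }
  return problems;
}
// Confidential clients authenticate with a secret; public clients must use
// "none" and rely on PKCE. Returns null when the server offers nothing suitable.
function chooseTokenAuthMethod(metadata, isPublicClient) {
  const methods = metadata.token_endpoint_auth_methods_supported || [];
  const wanted = isPublicClient ? ["none"] : ["client_secret_basic", "client_secret_post"];
  return wanted.find((m) => methods.includes(m)) ?? null;
}
```

Run the validation once on the freshly fetched document and refuse to start the client if it returns any problems, rather than discovering the mismatch at the first token request.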
Why use discovery
If you hardcode the endpoint URLs, your integration will break when Whatalo changes them. The discovery endpoint is the single source of truth and may change without a version announcement.
The recommended pattern when initializing your OAuth client:
// Fetch once at startup, cache for the session
const AS_METADATA_URL =
"https://app.whatalo.com/.well-known/oauth-authorization-server";
async function getAuthServerMetadata() {
const res = await fetch(AS_METADATA_URL);
if (!res.ok) throw new Error("Could not fetch AS metadata");
return res.json();
}
// Use resolved URLs instead of hardcoded ones
const metadata = await getAuthServerMetadata();
const tokenEndpoint = metadata.token_endpoint;
const authEndpoint = metadata.authorization_endpoint;
Next step
After discovering the server, register your client with Dynamic Client Registration.