Platform
Identity Platform
Authentication

Authentication

PIP uses ORY Kratos (opens in a new tab) for user sessions and ORY Hydra (opens in a new tab) for OAuth2/OIDC.

User authentication (browser flows)

User login/signup is handled by Kratos browser flows. You redirect users to the PIP login UI — you do not build your own login form.

GET https://pip.pcampus.co/self-service/login/browser

After a successful login, Kratos sets a session cookie and redirects back to your return_to URL.

If you only need machine-to-machine access (no end users), skip browser flows and use M2M API keys or client credentials instead.

OAuth2 / OIDC (authorization code flow)

For apps acting on behalf of a user:

Authorization endpoint: https://pip.pcampus.co/oauth2/auth
Token endpoint:         https://pip.pcampus.co/oauth2/token
JWKS endpoint:          https://pip.pcampus.co/oauth2/.well-known/jwks.json
Discovery:              https://pip.pcampus.co/oauth2/.well-known/openid-configuration

Steps

  1. Redirect the user to /oauth2/auth with client_id, response_type=code, redirect_uri, scope.
  2. User logs in and approves.
  3. Hydra redirects back with ?code=….
  4. Exchange code for tokens at /oauth2/token.

Client credentials (M2M via OAuth)

curl -X POST https://pip.pcampus.co/oauth2/token \
  -d grant_type=client_credentials \
  -d client_id=YOUR_CLIENT_ID \
  -d client_secret=YOUR_CLIENT_SECRET \
  -d scope="openid"

Returns:

{
  "access_token": "eyJ...",
  "token_type": "bearer",
  "expires_in": 3600
}

M2M API Keys (recommended for backend services)

For simple server-to-server calls, use an M2M API key instead of OAuth. No token exchange needed.

curl https://pip.pcampus.co/identity/users \
  -H "Authorization: Bearer pip_live_xxxxxxxx"

See Applications & API Keys →

Token validation

PIP access tokens are JWTs signed with RSA-256. Validate with the JWKS endpoint:

https://pip.pcampus.co/oauth2/.well-known/jwks.json

Authentication

PIP uses ORY Kratos (opens in a new tab) for user sessions and ORY Hydra (opens in a new tab) for OAuth2/OIDC.

User authentication (browser flows)

User login/signup is handled by Kratos browser flows. You redirect users to the PIP login UI — you do not build your own login form.

GET https://pip.pcampus.co/self-service/login/browser

After a successful login, Kratos sets a session cookie and redirects back to your return_to URL.

If you only need machine-to-machine access (no end users), skip browser flows and use M2M API keys or client credentials instead.

OAuth2 / OIDC (authorization code flow)

For apps acting on behalf of a user:

Authorization endpoint: https://pip.pcampus.co/oauth2/auth
Token endpoint:         https://pip.pcampus.co/oauth2/token
JWKS endpoint:          https://pip.pcampus.co/oauth2/.well-known/jwks.json
Discovery:              https://pip.pcampus.co/oauth2/.well-known/openid-configuration

Steps

  1. Redirect the user to /oauth2/auth with client_id, response_type=code, redirect_uri, scope.
  2. User logs in and approves.
  3. Hydra redirects back with ?code=….
  4. Exchange code for tokens at /oauth2/token.

Client credentials (M2M via OAuth)

curl -X POST https://pip.pcampus.co/oauth2/token \
  -d grant_type=client_credentials \
  -d client_id=YOUR_CLIENT_ID \
  -d client_secret=YOUR_CLIENT_SECRET \
  -d scope="openid"

Returns:

{
  "access_token": "eyJ...",
  "token_type": "bearer",
  "expires_in": 3600
}

M2M API Keys (recommended for backend services)

For simple server-to-server calls, use an M2M API key instead of OAuth. No token exchange needed.

curl https://pip.pcampus.co/identity/users \
  -H "Authorization: Bearer pip_live_xxxxxxxx"

See Applications & API Keys →

Token validation

PIP access tokens are JWTs signed with RSA-256. Validate with the JWKS endpoint:

https://pip.pcampus.co/oauth2/.well-known/jwks.json