Authentication
PIP uses ORY Kratos (opens in a new tab) for user sessions and ORY Hydra (opens in a new tab) for OAuth2/OIDC.
User authentication (browser flows)
User login/signup is handled by Kratos browser flows. You redirect users to the PIP login UI — you do not build your own login form.
GET https://pip.pcampus.co/self-service/login/browserAfter a successful login, Kratos sets a session cookie and redirects back to your return_to URL.
If you only need machine-to-machine access (no end users), skip browser flows and use M2M API keys or client credentials instead.
OAuth2 / OIDC (authorization code flow)
For apps acting on behalf of a user:
Authorization endpoint: https://pip.pcampus.co/oauth2/auth
Token endpoint: https://pip.pcampus.co/oauth2/token
JWKS endpoint: https://pip.pcampus.co/oauth2/.well-known/jwks.json
Discovery: https://pip.pcampus.co/oauth2/.well-known/openid-configurationSteps
- Redirect the user to
/oauth2/authwithclient_id,response_type=code,redirect_uri,scope. - User logs in and approves.
- Hydra redirects back with
?code=…. - Exchange code for tokens at
/oauth2/token.
Client credentials (M2M via OAuth)
curl -X POST https://pip.pcampus.co/oauth2/token \
-d grant_type=client_credentials \
-d client_id=YOUR_CLIENT_ID \
-d client_secret=YOUR_CLIENT_SECRET \
-d scope="openid"Returns:
{
"access_token": "eyJ...",
"token_type": "bearer",
"expires_in": 3600
}M2M API Keys (recommended for backend services)
For simple server-to-server calls, use an M2M API key instead of OAuth. No token exchange needed.
curl https://pip.pcampus.co/identity/users \
-H "Authorization: Bearer pip_live_xxxxxxxx"Token validation
PIP access tokens are JWTs signed with RSA-256. Validate with the JWKS endpoint:
https://pip.pcampus.co/oauth2/.well-known/jwks.json