Cativa SSO endpoints follow the OIDC standard and are organized by tenant slug (
{customerName}). That slug is the community’s public subdomain — confirm with the tenant admin which value to use.Create an OAuth App in the Console
Go to app.cativa.digital/admin/developers, OAuth Apps tab, click Create app.Save the returned
client_id and client_secret. The secret is shown only once — store it carefully.Configure the redirect URI
In the same modal, add your redirect URI (e.g.
https://myapp.com/callback or http://localhost:3000/callback for development).Redirect the user to /authorize
On the frontend, generate a
code_verifier and code_challenge (PKCE), then redirect to the tenant’s /authorize endpoint:Exchange the code for an access_token in the callback
After the user consents, Cativa redirects to your URL with The response follows the OIDC standard and contains
?code=...&state=.... On the backend, POST to the same tenant’s /token endpoint with the body in application/x-www-form-urlencoded:access_token, token_type, expires_in and id_token.The tenant’s OIDC discovery document lives at
https://apis.cativalab.digital/tenant/api/v2/sso/{customerName}/.well-known/openid-configuration and lists every endpoint (authorize, token, userinfo, jwks) plus the supported algorithms (S256 for PKCE, ES256 for id_token signing). The public JWKS is served at https://apis.cativalab.digital/tenant/api/v2/sso/{customerName}/jwks. Libraries like jose (Node) or PyJWT (Python) read the discovery doc and validate the id_token automatically.Next steps
Tenants and Customers
Understand the
customerName concept in the OIDC flow and when tenant matters in integrations.First API call
For server-to-server integrations, use an API Key directly instead of OAuth.
