# identity > Central OpenID Connect provider and API key issuer for the 1above platform. Apps authenticate users via OIDC and accept agent traffic via API keys that exchange for short-lived JWTs. Three auth flows are supported: OIDC authorization-code with PKCE for users, an api-key grant for non-interactive agents, and origin-gated publishable keys for browser SDKs. Each downstream app is registered as an AppClient with its own scope vocabulary; identity validates scopes at mint time and stamps them onto issued tokens. ## Docs - [Project brief for coding agents](https://identity-dev.1above.io/agents.md): stack, auth flows, key endpoints, and where to look in the source tree - [MCP agent setup tutorial](https://identity-dev.1above.io/mcp.md): copy-paste agent install config, tool sequence, JSON-RPC examples, and recovery hints - [OIDC integration manual](https://identity-dev.1above.io/oidc.md): full integration guide covering authorize, token, userinfo, JWKS, scopes, claims, error cases, the api-key grant, and publishable keys - [OIDC discovery document](https://identity-dev.1above.io/.well-known/openid-configuration) - [JWKS](https://identity-dev.1above.io/oauth/jwks.json) ## Endpoints - [Authorize](https://identity-dev.1above.io/oauth/authorize): start an authorization-code flow - [Token](https://identity-dev.1above.io/oauth/token): exchange authorization codes, refresh tokens, or api keys plus resource for access tokens - [Userinfo](https://identity-dev.1above.io/oauth/userinfo): retrieve user and org claims with a Bearer access token - [Logout](https://identity-dev.1above.io/oauth/logout): end the identity session - [Public AppClient config](https://identity-dev.1above.io/api/public/app-client): pk-authed AppClient configuration for browser SDKs - [MCP setup endpoint](https://identity-dev.1above.io/mcp): Streamable HTTP MCP tools for agent-native setup requests - [Resource-service discovery](https://identity-dev.1above.io/api/orgs/{orgId}/resource-services): org-admin discovery for agent setup - [Access requests](https://identity-dev.1above.io/api/orgs/{orgId}/access-requests): service-access and API-key setup requests ## Optional - [Device-flow client provisioning](https://identity-dev.1above.io/api/integration/device/start): admin-approved setup that delivers an OIDC client_secret once