OAuth 2.0 Authorization Code

Standard flow with PKCE-ready endpoints and refresh token rotation.

RS256 signed JWTs

Asymmetric keys — any service can verify tokens without calling this server.

OIDC Discovery

Standard /.well-known/openid-configuration and JWKS endpoint.