OAuth 2.0


https://api.wgtwo.com expects the access token as a Bearer credential in the HTTP Authorization headers:

Authorization: Bearer {access token}


Base URI:   https://id.wgtwo.com

Authorization endpointhttps://id.wgtwo.com/oauth2/authpublic
Token endpointhttps://id.wgtwo.com/oauth2/tokenbasic auth
User info endpointhttps://id.wgtwo.com/userinfotoken
Log-out endpointhttps://id.wgtwo.com/oauth2/sessions/logoutpublic
Revoke endpointhttps://id.wgtwo.com/oauth2/revokebasic auth

The token and revoke endpoints are protected using basic auth, where client ID must be provided as the username and client secret as the password.

Grant types supported

  • Authorization Code
  • Client Credentials


The required scopes for each service is described in their documentation.

In addition to those, we have some common scopes for our OAuth 2.0 flows

openidIf included, the token endpoint will include a ID token (signed JWT) in its response
offline_accessIf included, the token endpoint will will include a refresh token
phoneIf included, the ID token and the user info endpoint will include the subjects phone number

Subject identifier

We use pairwise Subject Identifiers, which will calculate unique subject values for each Sector Identifier. That is, two clients will not be able to correlate end-user activity without the consent of the user.

Note that many of our APIs does include phone numbers, which will provide an ID of the user. The phone scope will therefore be required for most services, but does require user consent.

JSON Web Key Set

JWKS endpoint:   https://id.wgtwo.com/.well-known/jwks.json

All issued JWTs are signed using the RS256 signing algorithm.

The JWT is signed using one of these keys, but the endpoint may contain multiple keys to allow key rotation.

It is recommended to use a library that fetches the keys dynamically as they may be re rotated without notice.