flows.md

Flows — pointer index

Flow-level documentation has migrated. Wire-level details (request shapes, parameters, error codes for every endpoint involved in each flow) now live in http-api.md. Architectural and topology-level walk-throughs of flows live under docs/topologies/. Conceptual explanations of delegation, agent chains, and impersonation live in docs/concepts/delegation-and-agent-chains.md. Hands-on integration guidance is grouped under docs/guides/.

This page is a thin pointer; use the index below to jump to the canonical home of each flow.

Where to find each flow

Flow	Canonical location
Authorization Code (interactive user login, PKCE S256)	http-api.md → GET /oauth/authorize + POST /oauth/token · guides/integrate
Refresh-token rotation (sender-constrained, reuse detection)	http-api.md → POST /oauth/token · concepts/
Client Credentials (machine-to-machine)	guides/integrate/client-credentials-grant.md · http-api.md → POST /oauth/token
Token Exchange (RFC 8693, delegation, fronting, agent chains)	concepts/delegation-and-agent-chains.md · http-api.md → POST /oauth/token
Broker / upstream OAuth (vending upstream-format tokens)	guides/upstream-providers/ · topologies/
Dynamic Client Registration (DCR) and CIMD auto-registration	http-api.md → POST /oauth/register · concepts/architecture.md
JWT Bearer / Cross-AS Assertion (XAA)	guides/federation/jwt-bearer-grant.md · http-api.md → POST /oauth/token
OIDC federation (upstream IdP login)	guides/federation/oidc.md · http-api.md → GET /oidc/start, GET /oidc/callback
DPoP (RFC 9449) sender-constrained tokens	http-api.md → POST /oauth/token · reference/compliance.md
Token introspection (RFC 7662)	http-api.md → POST /oauth/introspect
Token revocation (RFC 7009)	http-api.md → POST /oauth/revoke