Quick start

Prerequisites

  • Auth Platform running (http://localhost:4000)
  • Admin Console running (http://localhost:4001)
  • Admin token (log in to the Admin Console and copy the Bearer token from DevTools)

1. Register your system

Go to the Admin Console → Systems → New system and fill in:

Field                      Value for dev
Name                       Meu App
Redirect URIs              http://localhost:3000/callback
Allow Self Register        true (the user signs up on their own)
Require Admin Activation   false (immediate access)
Require MFA                false

Or via the API:

curl -X POST http://localhost:4000/admin/systems \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Meu App",
    "redirectUris": ["http://localhost:3000/callback"],
    "allowedScopes": ["openid","email","profile","offline_access"],
    "allowSelfRegister": true,
    "requireAdminActivation": false,
    "requireEmailOtp": false,
    "requireMfa": false
  }'

Save the returned clientId.

2. Configure the OIDC client

import { UserManager, WebStorageStateStore } from 'oidc-client-ts';

const userManager = new UserManager({
  authority:                `http://localhost:4000`,
  client_id:                'SEU_CLIENT_ID',
  redirect_uri:             `${window.location.origin}/callback`,
  post_logout_redirect_uri: `${window.location.origin}/`,
  scope:                    'openid email profile offline_access',
  response_type:            'code',
  automaticSilentRenew:     true,
  userStore: new WebStorageStateStore({ store: window.sessionStorage }),
});

// Login: redirects the browser to the Auth Platform authorization endpoint
await userManager.signinRedirect();

// Callback: run this on the /callback route to exchange the code for tokens
await userManager.signinRedirectCallback();

// Get the token from the session store to call your API
const user = await userManager.getUser();
const accessToken = user?.access_token;

3. Test the login

Open http://localhost:4000/auth?client_id=SEU_CLIENT_ID&response_type=code&redirect_uri=http://localhost:3000/callback&scope=openid+email+profile&code_challenge=...&code_challenge_method=S256

or use the complete example in examples/01-nextjs-pkce.

4. Validate the token in your API

import { createRemoteJWKSet, jwtVerify } from 'jose';

const jwks = createRemoteJWKSet(new URL('http://localhost:4000/jwks'));

const { payload } = await jwtVerify(token, jwks, {
  issuer:   'http://localhost:4000',
  audience: 'http://localhost:4000',
});

console.log(payload.sub);           // userId
console.log(payload.account_id);    // active account
console.log(payload.roles);         // ['admin', 'user', ...]
console.log(payload.is_admin);      // true | false
console.log(payload.resource_scopes); // ['carteira:read', ...]

Done. See the token claims to understand all the available fields.