Developer-friendly & type-safe Ruby SDK specifically catered to leverage Authlete API v3.0 and forward.
Important
This is a beta SDK.
If you're new to Authlete or want to see sample implementations, these resources will help you get started:
If you have any questions or need assistance, our team is here to help:
Authlete API: Welcome to the Authlete API documentation. Authlete is an API-first service where every aspect of the platform is configurable via API. This documentation will help you authenticate and integrate with Authlete to build powerful OAuth 2.0 and OpenID Connect servers.
At a high level, the Authlete API is grouped into two categories:
- Management APIs: Enable you to manage services and clients.
- Runtime APIs: Allow you to build your own Authorization Servers or Verifiable Credential (VC) issuers.
Authlete is a global service with clusters available in multiple regions across the world:
- πΊπΈ US:
https://us.authlete.com - π―π΅ Japan:
https://jp.authlete.com - πͺπΊ Europe:
https://eu.authlete.com - π§π· Brazil:
https://br.authlete.com
Our customers can host their data in the region that best meets their requirements.
All API endpoints are secured using Bearer token authentication. You must include an access token in every request:
Authorization: Bearer YOUR_ACCESS_TOKEN
Authlete supports two types of access tokens:
Service Access Token - Scoped to a single service (authorization server instance)
- Log in to Authlete Console
- Navigate to your service β Settings β Access Tokens
- Click Create Token and select permissions (e.g.,
service.read,client.write) - Copy the generated token
Organization Token - Scoped to your entire organization
- Log in to Authlete Console
- Navigate to Organization Settings β Access Tokens
- Click Create Token and select org-level permissions
- Copy the generated token
β οΈ Important Note: Tokens inherit the permissions of the account that creates them. Service tokens can only access their specific service, while organization tokens can access all services within your org.
- Never commit tokens to version control - Store in environment variables or secure secret managers
- Rotate regularly - Generate new tokens periodically and revoke old ones
- Scope appropriately - Request only the permissions your application needs
- Revoke unused tokens - Delete tokens you're no longer using from the console
Verify your token works with a simple API call:
curl -X GET https://us.authlete.com/api/service/get/list \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"If you're new to Authlete or want to see sample implementations, these resources will help you get started:
If you have any questions or need assistance, our team is here to help:
The SDK can be installed using RubyGems:
gem install authlete_ruby_sdkYou need to pass a valid access token to be able to use any resource or operation. The bearer parameter required when initializing the SDK client must be one of the following two token types:
- Service Access Token - Scoped to a single service (authorization server instance). Use when you need to access a specific service only. Create from Service Settings β Access Tokens in the Authlete Console.
- Organization Token - Scoped to your entire organization, allowing access to all services. Use when you need to access multiple services or perform organization-level operations. Create from Organization Settings β Access Tokens.
Refer to Creating an Access Token to learn how to create one.
If you face permission (403) errors when already sending a token, it can be one of the following problems:
- The token you are using has expired. Check the expiry date in the Authlete Console.
- You're using the wrong token type (e.g., using a Service Token to access a different service, or using a Service Token when you need organization-level access).
- The resource or operation you are trying to use is not available for that service tier. For example, some features are Enterprise-only and you may be using a token for a service on a different plan.
Important: You must specify which Authlete server to use when initializing the client. If omitted, it defaults to the US server (server_idx: 0).
require "authlete_ruby_sdk"
# Create an alias for cleaner code (optional but recommended)
Models = ::Authlete::Models
# Initialize the Authlete client
# Available servers: https://us.authlete.com, https://jp.authlete.com,
# https://eu.authlete.com, https://br.authlete.com
authlete_client = ::Authlete::Client.new(
bearer: "<YOUR_BEARER_TOKEN>", # Service Access Token or Organization Token (see Access Tokens section)
server_url: "https://us.authlete.com" # Required: Specify your server
)
# Example 1: Retrieve a service
begin
response = authlete_client.services.retrieve(service_id: "<service_id>")
unless response.service.nil?
service = response.service
puts "Service Name: #{service.service_name}"
puts "Service ID (api_key): #{service.api_key}"
puts "Issuer: #{service.issuer}"
end
rescue Models::Errors::ResultError => e
# Handle Authlete-specific errors
puts "Authlete error: #{e.result_code} - #{e.result_message}"
rescue Models::Errors::APIError => e
# Handle HTTP errors
puts "API error: HTTP #{e.status_code} - #{e.message}"
end
# Example 2: List OAuth clients
begin
response = authlete_client.clients.list(service_id: "<service_id>")
if response.client_get_list_response && response.client_get_list_response.clients
response.client_get_list_response.clients.each do |oauth_client|
puts "Client: #{oauth_client.client_name} (ID: #{oauth_client.client_id})"
end
end
rescue Models::Errors::ResultError => e
puts "Error: #{e.result_message}"
end
# Example 3: Process an authorization request
begin
response = authlete_client.authorization.process_request(
service_id: "<service_id>",
authorization_request: Models::Components::AuthorizationRequest.new(
parameters: "response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>"
)
)
if response.authorization_response
puts "Action: #{response.authorization_response.action}"
puts "Ticket: #{response.authorization_response.ticket}" if response.authorization_response.ticket
end
rescue Models::Errors::ResultError => e
puts "Error: #{e.result_message}"
endNote: Do not include
/apiin theserver_url- the SDK appends it automatically. Theservice_idparameter uses the service'sapi_keyvalue.
require 'authlete_ruby_sdk'
Models = ::Authlete::Models
s = ::Authlete::Client.new(
bearer: '<YOUR_BEARER_TOKEN_HERE>',
)
res = s.services.retrieve(service_id: '<id>')
unless res.service.nil?
# handle response
endThis SDK supports the following security scheme globally:
| Name | Type | Scheme |
|---|---|---|
bearer |
http | HTTP Bearer |
To authenticate with the API the bearer parameter must be set when initializing the SDK client instance. For example:
require 'authlete_ruby_sdk'
Models = ::Authlete::Models
s = ::Authlete::Client.new(
bearer: '<YOUR_BEARER_TOKEN_HERE>',
)
res = s.services.retrieve(service_id: '<id>')
unless res.service.nil?
# handle response
endAvailable methods
- process_request - Process Authorization Request
- fail_request - Fail Authorization Request
- issue_response - Issue Authorization Response
- ticket_info - Get Ticket Information
- update_ticket - Update Ticket Information
- process_authentication - Process Backchannel Authentication Request
- issue_response - Issue Backchannel Authentication Response
- fail_request - Fail Backchannel Authentication Request
- complete_request - Complete Backchannel Authentication
- update_lock_flag - Update Client Lock
- refresh_secret - Rotate Client Secret
- update_secret - Update Client Secret
- authorizations - Get Authorized Applications (by Subject)
- update_authorizations - Update Client Tokens
- destroy_authorizations - Delete Client Tokens (by Subject)
- granted_scopes - Get Granted Scopes (by Subject)
- destroy_granted_scopes - Delete Granted Scopes (by Subject)
- requestable_scopes - Get Requestable Scopes
- update_requestable_scopes - Update Requestable Scopes
- destroy_requestable_scopes - Delete Requestable Scopes
- client_authorization_get_list_api - Get Authorized Applications
- client_authorization_get_list_api_post - Get Authorized Applications
- client_authorization_delete_api - Delete Client Tokens
- client_authorization_delete_api_post - Delete Client Tokens
- client_granted_scopes_get_api - Get Granted Scopes
- client_granted_scopes_get_api_post - Get Granted Scopes
- client_granted_scopes_delete_api - Delete Granted Scopes
- client_extension_requestables_scopes_update_api_post - Update Requestable Scopes
- retrieve - Get Client
- list - List Clients
- create - Create Client
- update - Update Client
- update_form - Update Client
- destroy - Delete Client β‘
- authorization - Process Device Authorization Request
- verification - Process Device Verification Request
- complete_request - Complete Device Authorization
- configuration - Process Entity Configuration Request
- registration - Process Federation Registration Request
- process_request - Process Grant Management Request
- create - Create Security Key
- destroy - Delete Security Key
- retrieve - Get Security Key
- list - List Security Keys
- process_request - Process Introspection Request
- standard_process - Process OAuth 2.0 Introspection Request
- jose_verify_api - Verify JOSE
- service_jwks_get_api - Get JWK Set
- get_api_lifecycle_healthcheck - Health Check
- process_request - Native SSO Processing
- logout - Native SSO Logout Processing
- create - Process Pushed Authorization Request
- process_request - Process Revocation Request
- retrieve - Get Service
- list - List Services
- create - Create Service
- update - Update Service
- destroy - Delete Service β‘
- configuration - Get Service Configuration
- auth_token_create_batch_api - Create Access Tokens in Batch
- auth_token_create_batch_status_api - Get Batch Token Creation Status
- reissue_id_token - Reissue ID Token
- list - List Issued Tokens
- create - Create Access Token
- update - Update Access Token
- destroy - Delete Access Token
- revoke - Revoke Access Token
- process_request - Process Token Request
- fail_request - Fail Token Request
- issue_response - Issue Token Response
- process_request - Process UserInfo Request
- issue_response - Issue UserInfo Response
- metadata - Get Verifiable Credential Issuer Metadata
- jwt_issuer - Get JWT Issuer Information
- jwks - Get JSON Web Key Set
- create_offer - Create Credential Offer
- offer_info - Get Credential Offer Information
- parse - Parse Single Credential
- issue_response - Issue Single Credential
- batch_parse - Parse Batch Credentials
- batch_issue - Issue Batch Credentials
- deferred_parse - Parse Deferred Credential
- deferred_issue - Issue Deferred Credential
Handling errors in this SDK should largely match your expectations. All operations return a response object or raise an error.
By default an API error will raise a Errors::APIError, which has the following properties:
| Property | Type | Description |
|---|---|---|
message |
string | The error message |
status_code |
int | The HTTP status code |
raw_response |
Faraday::Response | The raw HTTP response |
body |
string | The response content |
When custom error responses are specified for an operation, the SDK may also throw their associated exception. You can refer to respective Errors tables in SDK docs for more details on possible exception types for each operation. For example, the retrieve method throws the following exceptions:
| Error Type | Status Code | Content Type |
|---|---|---|
| Models::Errors::ResultError | 400, 401, 403 | application/json |
| Models::Errors::ResultError | 500 | application/json |
| Errors::APIError | 4XX, 5XX | */* |
require 'authlete_ruby_sdk'
Models = ::Authlete::Models
s = ::Authlete::Client.new(
bearer: '<YOUR_BEARER_TOKEN_HERE>',
)
begin
res = s.services.retrieve(service_id: '<id>')
unless res.service.nil?
# handle response
end
rescue Models::Errors::ResultError => e
# handle e.container data
raise e
rescue Models::Errors::ResultError => e
# handle e.container data
raise e
rescue Errors::APIError => e
# handle default exception
raise e
endProblem: Ruby version is too old or dependencies not installed.
Solution:
- Ensure Ruby >= 3.2.0 is installed:
ruby --version - Install dependencies:
gem install sorbet-runtime faraday faraday-multipart faraday-retry base64
Problem: Bearer token is invalid, expired, or lacks permissions.
Solution:
- Verify your bearer token is correct and matches the token type you need (see Access Tokens section)
- Check if token has expired in the Authlete Console
- Ensure you're using the correct token type (Service Token vs Organization Token)
- Verify you're using the correct server (token may be valid for a different region)
Problem: Service ID doesn't exist on the specified server.
Solution:
- Verify the service ID (
api_key) is correct - Check if you're using the correct server (service may be on a different region)
- List services to find available service IDs:
response = client.services.list() response.service_get_list_response.services.each do |s| puts "Service ID: #{s.api_key}, Name: #{s.service_name}" end
Problem: Base URL includes /api suffix or incorrect endpoint.
Solution:
- Remove
/apifromserver_url- usehttps://us.authlete.comnothttps://us.authlete.com/api - Verify the endpoint path is correct
Problem: SDK is being loaded multiple times.
Solution: This is just a warning and can be ignored. It doesn't affect functionality.
When calling services.retrieve(service_id: ...), use the service's api_key value as the service_id parameter:
# The service_id parameter uses the api_key value
response = client.services.retrieve(service_id: '715948317') # api_key value
service = response.service
puts service.api_key # Returns: 715948317You can override the default server globally by passing a server index to the server_idx (Integer) optional parameter when initializing the SDK client instance. The selected server will then be used as the default on the operations that use it. This table lists the indexes associated with the available servers:
| # | Server | Description |
|---|---|---|
| 0 | https://us.authlete.com |
πΊπΈ US Cluster |
| 1 | https://jp.authlete.com |
π―π΅ Japan Cluster |
| 2 | https://eu.authlete.com |
πͺπΊ Europe Cluster |
| 3 | https://br.authlete.com |
π§π· Brazil Cluster |
require 'authlete_ruby_sdk'
Models = ::Authlete::Models
s = ::Authlete::Client.new(
server_idx: 0,
bearer: '<YOUR_BEARER_TOKEN_HERE>',
)
res = s.services.retrieve(service_id: '<id>')
unless res.service.nil?
# handle response
endThe default server can also be overridden globally by passing a URL to the server_url (String) optional parameter when initializing the SDK client instance. For example:
require 'authlete_ruby_sdk'
Models = ::Authlete::Models
s = ::Authlete::Client.new(
server_url: 'https://br.authlete.com',
bearer: '<YOUR_BEARER_TOKEN_HERE>',
)
res = s.services.retrieve(service_id: '<id>')
unless res.service.nil?
# handle response
endThis SDK is in beta, and there may be breaking changes between versions without a major version update. Therefore, we recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes unless you are intentionally looking for the latest version.
While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.