Runnable, copy-pasteable integrations for NamoID — an OAuth 2.1 + OpenID Connect identity provider. Every example does the same thing in a different stack: sign a user in with NamoID, read their profile, sign them out — using the standard Authorization Code flow with PKCE.
No example hardcodes endpoint URLs. They all start from your project's issuer
URL and use OIDC discovery (/.well-known/openid-configuration) to find the
authorize / token / userinfo / jwks endpoints. Point an example at a different
NamoID project by changing one env var.
| Example | Language | Framework | OIDC library |
|---|---|---|---|
nextjs-quickstart |
TypeScript | Next.js (App Router) | Auth.js v5 |
node-express |
JavaScript | Express | openid-client |
python-flask |
Python | Flask | Authlib |
python-fastapi |
Python | FastAPI | Authlib |
go-oidc |
Go | net/http | coreos/go-oidc + x/oauth2 |
ruby-sinatra |
Ruby | Sinatra | openid_connect |
php |
PHP | vanilla | jumbojett/openid-connect-php |
java-spring-boot |
Java | Spring Boot | Spring Security OAuth2 Client |
dotnet-aspnet |
C# | ASP.NET Core | built-in OpenID Connect |
rust-axum |
Rust | axum | openidconnect |
bash-curl |
Shell | — | hand-rolled (learn the raw flow) |
If you just want to understand the protocol with zero framework magic, read
bash-curl — it runs the whole Authorization Code + PKCE flow
with curl, openssl, and jq.
Every example needs an OAuth client. Create one once and reuse the credentials:
-
Go to namoid.in → Projects → your project → Applications → New application.
-
Set:
Field Value Display name Local quickstartRedirect URI the example's NAMOID_REDIRECT_URI(see its README)Scopes openid,profile,email -
Save. You'll see the
client_id(idpc_test_…) and a one-timeclient_secret(idps_test_…) — copy both now; the secret is shown once. -
On the project page, copy your issuer URL — your project's hosted discovery host,
https://<your-project-slug>.id.namoid.in.
Every example reads the same four NamoID variables (plus a framework session
secret and a port). Copy each example's .env.example and fill these in:
NAMOID_ISSUER=https://<your-project-slug>.id.namoid.in
NAMOID_CLIENT_ID=idpc_test_xxxxxxxx
NAMOID_CLIENT_SECRET=idps_test_xxxxxxxx
NAMOID_REDIRECT_URI=http://localhost:<port>/callbackUse the test credentials (
idpc_test_…/idps_test_…) for local dev and the live ones (idpc_live_…/idps_live_…) in production. The prefix tells the two environments apart so you can't accidentally cross them.
/login— generate a PKCEcode_verifier+ S256code_challenge, a randomstateandnonce, then redirect to theauthorization_endpointwithresponse_type=codeandscope=openid profile email./callback— verifystate, POST thecode+code_verifierto thetoken_endpoint(authenticating withclient_secret_basic). You get back anaccess_token, anid_token, and a rotatingrefresh_token.- Validate the
id_token(RS256, againstjwks_uri; checkiss,aud,exp,nonce) and optionally call theuserinfo_endpointwith theaccess_tokenforsub/email/name. /logout— clear the local session (and optionally redirect to the provider'send_session_endpointwithid_token_hint).
PKCE is required — every flow must send a code_challenge (S256). There is
no implicit flow.
| Thing | Value |
|---|---|
| Discovery | <NAMOID_ISSUER>/.well-known/openid-configuration |
| Grant | authorization_code (+ refresh_token for rotation) |
| PKCE | required, S256 only |
| Scopes | openid, profile, email, phone, offline_access |
| Token auth | client_secret_basic or client_secret_post |
| ID token alg | RS256 (verify via jwks_uri) |
| Refresh tokens | rotate on every use; reuse of an old one revokes the chain |
Full API docs: docs.namoid.in.
- Website — namoid.in
- Docs — docs.namoid.in
- Contact — hello@namoid.in
- Issues — github.com/namoidhq/namoid-examples/issues
MIT © PolyMindsLabs Pvt. Ltd.