Getting Started with Curupira
Curupira is an OAuth2 / OpenID Connect (OIDC) authentication-as-a-service platform. It lets your application delegate login, sign-up, token issuance, and role-based access control to a hosted, standards-compliant identity provider — so you never store passwords, mint JWTs, or hand-roll an OAuth flow yourself.
If you have integrated with Auth0, Okta, or "Sign in with Google" before, Curupira will feel familiar: your app redirects users to Curupira to log in, and Curupira redirects them back with a signed token that proves who they are and what they are allowed to do.
What Curupira gives you
- Standard OAuth2 Authorization Code flow with PKCE — the modern, secure flow for web, mobile, and single-page apps.
- OpenID Connect — a signed
id_token(RS256 JWT) plus a/userinfoendpoint and a discovery document, so any OIDC-compatible client library works out of the box. - Multi-tenant RBAC — model your customers as tenants, their apps as applications, and their permissions as roles and role groups (see Product Concepts).
- A hosted login & sign-up UI — Curupira serves the login and registration pages; you do not build them.
- Optional social / enterprise SSO — Google, Microsoft (Entra ID), and GitHub can be enabled per tenant.
- An admin dashboard — manage tenants, applications, users, roles, and view audit/event
logs at
admin.curupira.api.br.
The public endpoints
Everything protocol-related lives under the auth host. These are the URLs your integration will use:
| Purpose | URL |
|---|---|
| OIDC discovery document | https://auth.curupira.api.br/.well-known/openid-configuration |
| JSON Web Key Set (JWKS) | https://auth.curupira.api.br/.well-known/jwks.json |
| Authorization endpoint | https://auth.curupira.api.br/oauth2/authorize |
| Token endpoint | https://auth.curupira.api.br/oauth2/token |
| UserInfo endpoint | https://auth.curupira.api.br/oauth2/userinfo |
| Admin dashboard | https://admin.curupira.api.br |
:::tip Start from discovery Any conformant OIDC client can bootstrap itself from a single URL — the discovery document. It advertises every other endpoint, the supported scopes, and the signing algorithm. :::
How to sign up / get access
Curupira is operated by DW-Corp. Onboarding is currently admin-provisioned (self-service tenant registration is on the roadmap — see the note below):
- Request a tenant. Contact the Curupira operators to have a tenant created for your organization. A tenant is your isolated space — your users, applications, and roles live inside it and are never visible to other tenants.
- Get your first application. Every tenant is created with at least one application.
The application is the OAuth client your software authenticates as. You will receive:
- a
client_id(a UUID, safe to embed in your app), and - an API key (secret — used by confidential clients on the token endpoint).
- a
- Register your redirect URI(s). Curupira will only send users back to redirect URIs that are registered on your application (exact match). Provide the callback URL(s) your app listens on.
- Integrate login. Follow the Integration Guide to wire the Authorization Code + PKCE flow into your app.
- Model your permissions. Create the roles and role groups your app needs, then assign them to users from the dashboard.
:::note Self-service sign-up Public / self-service tenant registration is being built (epic tracking multi-tenant self-service). Until it ships, tenants are provisioned by the Curupira operators. This page will be updated when self-service onboarding is live. :::
Where to go next
- Product Concepts — understand tenants → applications → roles → role-groups → users before you build.
- Authentication — the full OAuth2 + PKCE + OIDC flow with concrete request/response examples.
- Integration Guides — step-by-step wiring for a subscriber's app, plus how to get and use an API token.
- API Reference — the machine-readable OpenAPI surfaces (in progress).