Skip to main content

Getting Started with Curupira

Curupira is an OAuth2 / OpenID Connect (OIDC) authentication-as-a-service platform. It lets your application delegate login, sign-up, token issuance, and role-based access control to a hosted, standards-compliant identity provider — so you never store passwords, mint JWTs, or hand-roll an OAuth flow yourself.

If you have integrated with Auth0, Okta, or "Sign in with Google" before, Curupira will feel familiar: your app redirects users to Curupira to log in, and Curupira redirects them back with a signed token that proves who they are and what they are allowed to do.

What Curupira gives you

  • Standard OAuth2 Authorization Code flow with PKCE — the modern, secure flow for web, mobile, and single-page apps.
  • OpenID Connect — a signed id_token (RS256 JWT) plus a /userinfo endpoint and a discovery document, so any OIDC-compatible client library works out of the box.
  • Multi-tenant RBAC — model your customers as tenants, their apps as applications, and their permissions as roles and role groups (see Product Concepts).
  • A hosted login & sign-up UI — Curupira serves the login and registration pages; you do not build them.
  • Optional social / enterprise SSO — Google, Microsoft (Entra ID), and GitHub can be enabled per tenant.
  • An admin dashboard — manage tenants, applications, users, roles, and view audit/event logs at admin.curupira.api.br.

The public endpoints

Everything protocol-related lives under the auth host. These are the URLs your integration will use:

PurposeURL
OIDC discovery documenthttps://auth.curupira.api.br/.well-known/openid-configuration
JSON Web Key Set (JWKS)https://auth.curupira.api.br/.well-known/jwks.json
Authorization endpointhttps://auth.curupira.api.br/oauth2/authorize
Token endpointhttps://auth.curupira.api.br/oauth2/token
UserInfo endpointhttps://auth.curupira.api.br/oauth2/userinfo
Admin dashboardhttps://admin.curupira.api.br

:::tip Start from discovery Any conformant OIDC client can bootstrap itself from a single URL — the discovery document. It advertises every other endpoint, the supported scopes, and the signing algorithm. :::

How to sign up / get access

Curupira is operated by DW-Corp. Onboarding is currently admin-provisioned (self-service tenant registration is on the roadmap — see the note below):

  1. Request a tenant. Contact the Curupira operators to have a tenant created for your organization. A tenant is your isolated space — your users, applications, and roles live inside it and are never visible to other tenants.
  2. Get your first application. Every tenant is created with at least one application. The application is the OAuth client your software authenticates as. You will receive:
    • a client_id (a UUID, safe to embed in your app), and
    • an API key (secret — used by confidential clients on the token endpoint).
  3. Register your redirect URI(s). Curupira will only send users back to redirect URIs that are registered on your application (exact match). Provide the callback URL(s) your app listens on.
  4. Integrate login. Follow the Integration Guide to wire the Authorization Code + PKCE flow into your app.
  5. Model your permissions. Create the roles and role groups your app needs, then assign them to users from the dashboard.

:::note Self-service sign-up Public / self-service tenant registration is being built (epic tracking multi-tenant self-service). Until it ships, tenants are provisioned by the Curupira operators. This page will be updated when self-service onboarding is live. :::

Where to go next

  • Product Concepts — understand tenants → applications → roles → role-groups → users before you build.
  • Authentication — the full OAuth2 + PKCE + OIDC flow with concrete request/response examples.
  • Integration Guides — step-by-step wiring for a subscriber's app, plus how to get and use an API token.
  • API Reference — the machine-readable OpenAPI surfaces (in progress).