app_…) for device and browser flows and a confidential M2M client (m2m_…) for server-to-server calls. Read Client model first if this is new to you.
Start here
Quickstart
Provision a user and mint a scoped JWT in under ten minutes.
Client model
Understand public vs M2M clients, scopes, and the billing pattern before writing any code.
Authentication
Choose the authentication pattern that matches your integration:
Machine access
Client credentials grant and HTTP Basic auth for server-to-server calls.
Interactive login
Authorization code flow with PKCE for browser and server-side web apps.
Device flow
RFC 8628 device authorization for CLI tools, set-top boxes, and limited-input devices.
Token exchange
RFC 8693 token exchange for device completion and remote signer session issuance.
Builder API
User management
Create, upsert, update, and deactivate users in your app’s tenant.
User-scoped JWTs
Mint short-lived access tokens scoped to a specific end-user and capability.
Usage and billing
Usage API
Aggregate request counts and fee totals at the app level or broken down per user.
Discovery
All endpoint paths are published via OIDC discovery. Always read endpoints from the discovery document at runtime so your integration tracks rotations automatically:
http://localhost:3001/api/v1/oidc