How OAuth2 SSO Works with Opsalis
OAuth2 / OIDC flow: corporate identity provider authenticates the user, Opsalis validates the token and auto-provisions API subscriptions.
Why Corporate SSO for APIs?
Enterprise API consumers don't want to create individual accounts on every marketplace. They already have an identity provider — Okta, Azure Active Directory, Keycloak, or Auth0. Opsalis integrates with any OAuth2 / OIDC provider so employees authenticate with the credentials they already use every day.
When an employee signs in through their corporate SSO, Opsalis validates the token, checks their group memberships, and automatically provisions the correct subscription tier. A "Data Engineering" group might get access to streaming APIs, while "Finance" gets access to payment and settlement endpoints. No manual onboarding, no support tickets, no waiting.
For API owners, this means enterprise customers adopt faster and churn less. The IT department approves once, and hundreds of employees get instant access. Billing rolls up to the corporate account, and usage reports integrate with existing dashboards.
Live Demo: OAuth2 SSO Flow
Simulated OAuth2 Flow
This demo simulates the full OAuth2 authorization code flow. In production, the user would be redirected to their corporate IdP.
Code Samples
# Step 1: Exchange authorization code for token (done by IdP redirect)
# Step 2: Call Opsalis API with the OAuth2 bearer token
curl -X POST https://opsalis.com/api/demo/api/bb-sse-ticker \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6Ik..." \
  -H "X-Consumer-Key: demo-public-key-2026" \
  -d '{
    "action": "getQuote",
    "symbol": "AAPL"
  }'
# The bearer token is validated against the corporate IdP.
# Opsalis checks group membership and subscription tier automatically.

// OAuth2 flow: redirect user to corporate IdP, receive callback with code
// Exchange code for token, then call Opsalis APIs
async function callWithSSO(apiEndpoint, params) {
  // Token obtained from OAuth2 callback
  const token = sessionStorage.getItem('opsalis_oauth_token');
  const response = await fetch(`/api/demo/${apiEndpoint}`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${token}`,
      'X-Consumer-Key': 'demo-public-key-2026'
    },
    body: JSON.stringify(params)
  });
  // Surface rejected or expired tokens instead of parsing an error body as data
  if (!response.ok) {
    throw new Error(`Request failed with status ${response.status}`);
  }
  return response.json();
}
// Usage
const quote = await callWithSSO('api/bb-sse-ticker', {
  action: 'getQuote',
  symbol: 'AAPL'
});

import requests

# Token obtained from OAuth2 authorization code exchange
oauth_token = "eyJhbGciOiJSUzI1NiIsInR5cCI6Ik..."
response = requests.post(
    "https://opsalis.com/api/demo/api/bb-sse-ticker",
    headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {oauth_token}",
        "X-Consumer-Key": "demo-public-key-2026",
    },
    json={
        "action": "getQuote",
        "symbol": "AAPL",
    },
    timeout=10,  # do not hang indefinitely if the endpoint is unreachable
)
data = response.json()
print(f"Status: {response.status_code}")
print(f"Response: {data}")
Self-Host with Corporate SSO
Install Opsalis
Pull and run the free Docker container on your own infrastructure.
docker pull opsalis/control-center:latest
docker run -d --name opsalis -p 8080:8080 opsalis/control-center:latest
Configure Your OAuth2 Provider
In the Opsalis control center, navigate to Settings → Authentication and add your identity provider details.
# Example: Keycloak configuration
{
  "provider": "oidc",
  "issuer": "https://keycloak.yourcompany.com/realms/main",
  "client_id": "opsalis-api-access",
  "client_secret": "your-client-secret",
  "scopes": ["openid", "profile", "groups"]
}
Map Groups to Subscription Tiers
Define which IdP groups or roles map to which API subscription levels. Employees get auto-provisioned on first login.
# Group-to-subscription mapping
{
  "mappings": [
    { "group": "engineering", "tier": "full-access" },
    { "group": "data-science", "tier": "streaming-only" },
    { "group": "finance", "tier": "payment-apis" }
  ]
}
Employees Start Calling APIs
No manual onboarding. Employees sign in with their corporate credentials, receive an OAuth2 token, and make API calls immediately.
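The following is an added example, not Opsalis's own code, of the checks a service has to make before mapping IdP groups to a tier: issuer, audience and expiry against the provider settings above, then a deny-by-default group lookup. It assumes the token signature was already verified with a JWT library; the function name `resolve_tier`, the `groups` claim name, the leading-slash handling and first-match priority are assumptions.

```python
import time

# Values copied from the page's example provider config and group mapping.
CONFIG = {
    "issuer": "https://keycloak.yourcompany.com/realms/main",
    "client_id": "opsalis-api-access",
}
MAPPINGS = [
    {"group": "engineering", "tier": "full-access"},
    {"group": "data-science", "tier": "streaming-only"},
    {"group": "finance", "tier": "payment-apis"},
]


class TokenRejected(Exception):
    """Raised when verified claims fail a policy check."""


def resolve_tier(claims, now=None, leeway=30):
    """Return the subscription tier for signature-verified token claims.

    Assumption: the caller has already verified the JWT signature against
    the IdP's published keys with a maintained JWT library.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != CONFIG["issuer"]:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CONFIG["client_id"] not in audiences:
        raise TokenRejected("token not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("token expired or exp missing")
    groups = claims.get("groups")
    if not isinstance(groups, list):
        # A bare string would invite substring matching; reject it outright.
        raise TokenRejected("groups claim missing or malformed")
    # Assumption: group names may arrive as paths ("/finance"); strip the slash.
    member_of = {g.lstrip("/") for g in groups if isinstance(g, str)}
    # Assumption: mapping order is priority order; first match wins.
    for rule in MAPPINGS:
        if rule["group"] in member_of:
            return rule["tier"]
    raise TokenRejected("no mapped group: deny by default")
```

A token issued by the right IdP for a different client, or one carrying only unmapped groups, is rejected rather than given a fallback tier.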