Appearance
OAuth 2.0 / OpenID Connect
e-Próspera provides an OAuth 2.0 and OpenID Connect authorization server so third-party applications can authenticate users and access their data with consent.
Capabilities
- Authenticate users with their e-Próspera account
- Receive standard OIDC claims (
sub,name,email,picture) - Obtain refresh tokens for long-lived server access via
offline_access - Fetch user-authorized personal and legal-entity data through the
/api/v1/me/*endpoints
Getting credentials
OAuth clients are provisioned per account. If you already have one, you can view the client ID, allowed scopes, and redirect URIs in Settings > Developer.
To request a new client or have your secret re-issued, contact gmembreno@prospera.hn.
Standard endpoints
| Endpoint | URL |
|---|---|
| OpenID configuration | https://portal.eprospera.com/.well-known/openid-configuration |
| JWKS | https://portal.eprospera.com/api/oauth/.well-known/jwks.json |
| Authorization endpoint | https://portal.eprospera.com/api/oauth/authorize |
| Token endpoint | https://portal.eprospera.com/api/oauth/token |
| Userinfo endpoint | https://portal.eprospera.com/api/oauth/userinfo |
Reference pages:
Recommended initial scopes
Start with:
text
openid profile emailAdd offline_access if your backend needs refresh tokens.
Supported scopes
| Scope | Description |
|---|---|
openid | Authenticate the user with e-Próspera. |
profile | Read the user's name and profile picture. |
email | Read the user's email address. |
offline_access | Receive a refresh token for background access-token renewal. |
eprospera:person.details.read | Read detailed natural-person profile data. |
eprospera:person.residency.read | Read the user's current residency status. |
eprospera:person.id_verification.read | Read the latest approved identity-verification images. |
eprospera:entity.read | Read legal-entity data for entities the user consents to share. |
eprospera:entity.documents.read | Read legal-entity documents for consented entities. |
Consent behavior
When you request entity scopes (eprospera:entity.read, eprospera:entity.documents.read), the consent screen lets the user choose which legal entities to share. The access token is limited to that selection.
This means:
GET /api/v1/me/legal-entitiescan return an empty array even with a valid token.GET /api/v1/me/legal-entities/{id}and/documentsonly work for consented entity IDs.- If the user is no longer a representative of an entity, it stops appearing in responses.
Resource endpoints
The scopes above unlock these endpoints:
| Endpoint | Required scope |
|---|---|
GET /api/v1/me/natural-person | eprospera:person.details.read |
GET /api/v1/me/natural-person/residency | eprospera:person.residency.read |
GET /api/v1/me/natural-person/id-verification | eprospera:person.id_verification.read |
GET /api/v1/me/legal-entities | eprospera:entity.read |
GET /api/v1/me/legal-entities/[id] | eprospera:entity.read |
GET /api/v1/me/legal-entities/[id]/documents | eprospera:entity.documents.read |
INFO
/api/v1/me/natural-person/id_verification (underscore) exists as a compatibility alias. Use /id-verification (hyphen) for new integrations.
Authorization flow
response_type=codeis required.stateis required.nonceis required whenopenidis in scope.response_modeis optional (query,fragment, orform_post; defaultquery).- Unauthenticated users are redirected to the portal login before returning to the authorization request.
Refresh tokens
Access tokens expire after 1 hour.
If the granted scope set includes offline_access, the token response also includes a refresh_token valid for up to 180 days.
Example refresh request:
bash
curl -X POST https://portal.eprospera.com/api/oauth/token \
-u "$CLIENT_ID:$CLIENT_SECRET" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token" \
-d "refresh_token=$REFRESH_TOKEN"WARNING
Refresh tokens rotate on every successful refresh. Always persist the newest refresh_token from the response. You may request a reduced scope set on refresh, provided it is a subset of the originally granted scopes.