Skip to content

oxd 3.1.2 Documentation#


oxd exposes simple, static APIs web application developers can use to securely implement user authentication and authorization against an OAuth 2.0 authorization server like the Gluu Server.

The oxd software package includes the oxd-server and the oxd-https-extension.


oxd-server is designed to work as a standalone service daemon via sockets. By defafult, oxd must be installed on the same host as the web application it is securing.



oxd-https-extension is an optional component that, when enabled, allows apps to call oxd APIs over the web. The https extension makes it possible for many apps across many servers to leverage one central oxd service for OAuth 2.0 security.



oxd offers operational and security benefits for developers and organizations:

  • oxd centralizes and standardizes OAuth 2.0 implementations across web applications.
  • When new OAuth 2.0 vulnerabilities are discovered, simply update the oxd package--applications never have to be changed or regression tested.
  • oxd is written, maintained and supported by OAuth 2.0 security experts.

Get Started#

Follow these steps to get started:

  1. Sign up to obtain your oxd license and $50 credit.

  2. Install oxd on the same host as your application (or any host if enabling the https extension)

  3. Configure the oxd-server and add your license keys.

  4. Start the oxd-server, as described in the installation docs.

  5. Start and configure oxd-https-extension to support RESTful calls (Optional).

  6. In your app(s), call the oxd API using one of the native libraries or oxd plugins to securely send users to the central authentication server for sign in.


oxd 3.1.2 has been tested against the following OAuth 2.0 servers:

OpenID Providers (OP)#

UMA Authorization Servers (AS)#


If you have tested oxd against another OP or AS, please email details to


oxd implements the OpenID Connect and UMA 2.0 profiles of OAuth 2.0.

  • The oxd OpenID Connect APIs can be used to send a user to an OpenID Connect Provider (OP) for authentication and to gather identity information ("claims") about the user.

  • The oxd UMA APIs can be used to send a user to an UMA Authorization Server (AS) for access management policy enforcement, for example to centrally manage which people (or software clients) can access which web pages and APIs.

Learn more in the oxd API section of the documentation.

Native Libraries#

oxd native client libraries provide simple and flexible access to the oxd APIs.




Gluu publishes oxd plugins, modules, and extensions for the following open source applications:

Specific functionality is not guaranteed. If you spot a bug or need feature enhancements, open a ticket on Gluu support.

Source code#

The oxd source code is available on GitHub.

Pricing & Billing#

oxd costs USD $0.33 per OAuth2 client per day. New accounts include a $50 credit that is automatically applied to usage fees incurred during the first 60 days after account creation.

Get your oxd license.

Additional notes about pricing and billing:

  • Each time an OAuth2 client connects to oxd, a client record is created and billed USD $0.33 per day. To stop billing for a client, simply delete it from the oxd db.

  • At the end of each month usage fees are compiled and a billing summary is sent to the billing contacts associated with your account.

  • On the 7th day of each month we will attempt to bill your credit card for usage fees incurred during the previous month. If it is unsuccessful, we will try again on the 14th.

  • To discuss annual billing and bulk discounts, schedule a call.


Have questions or run into issues? Just open a public issue on the Gluu support portal. If your organization needs guaranteed response times, private support, and priority access to our team, Gluu offers a range of VIP support plans.


Visit our FAQ page to review frequently asked questions.