Discovery Endpoint

The discovery endpoint can be used to retrieve metadata about your IdentityServer - it returns information like the issuer name, key material, supported scopes etc.

The discovery endpoint is available via /.well-known/openid-configuration relative to the base address, e.g.:


You can programmatically access the discovery endpoint using the IdentityModel library:

var discoveryClient = new DiscoveryClient("");
var doc = await discoveryClient.GetAsync();

var tokenEndpoint = doc.TokenEndpoint;
var keys = doc.KeySet.Keys;

For security reasons DiscoveryClient has a configurable validation policy that checks the following rules by default:

  • HTTPS must be used for the discovery endpoint and all protocol endpoints
  • The issuer name should match the authority specified when downloading the document (that’s actually a MUST in the discovery spec)
  • The protocol endpoints should be “beneath” the authority – and not on a different server or URL (this could be especially interesting for multi-tenant OPs)
  • A key set must be specified

If for whatever reason (e.g. dev environments) you need to relax a setting, you can use the following code:

var client = new DiscoveryClient("http://dev.identityserver.internal");
client.Policy.RequireHttps = false;

var disco = await client.GetAsync();

Btw – you can always connect over HTTP to localhost and (but this is also configurable).