This is the bare-metal walkthrough — no SDK, just HTTP. If your stack isn't covered by an SDK quickstart, or if you just want to see how Authaz works before reaching for one, start here.
You'll authenticate a real user against Universal Login, exchange the resulting code for tokens, and call a protected endpoint. About 5 minutes.
An Authaz organization. Sign up at dashboard.authaz.io if you don't have one yet.
An application created in the dashboard. Note its Application ID (app_01h...) and Domain (your-app.authaz.io). The Password provider is enabled by default, which is enough for this walkthrough.
The redirect URI doesn't have to actually serve anything. The browser only needs to land on it so you can grab the code from the URL bar. For production, register a real callback URL in your application's settings.
Verify tokens server-side. Don't trust an access token's claims without checking the signature. Authaz publishes its keys at https://your-app.authaz.io/.well-known/jwks.json (a JWKS, or JSON Web Key Set: the standard format for publishing the public keys used to verify RSA-signed JWTs).
Add roles and permissions. Use the dashboard or POST /api/v1/roles to define them, then POST /api/v1/role-assignments to assign. Check at runtime via POST /api/v1/authorization/check.