{"files":{"SKILL.md":"---\nname: aws-sso-oidc\ndescription: \"AWS SSO OIDC API skill. Use when working with AWS SSO OIDC for token, token?aws_iam=t, client. Covers 4 endpoints.\"\nversion: 1.0.0\ngenerator: lapsh\n---\n\n# AWS SSO OIDC\nAPI version: 2019-06-10\n\n## Auth\nAWS SigV4\n\n## Base URL\nNot specified.\n\n## Setup\n1. Configure auth: AWS SigV4\n2. Verify API access with a test request\n3. POST /token -- create first token\n\n## Endpoints\n4 endpoints across 4 groups. See references/api-spec.lap for full details.\n\n### Token\n| Method | Path | Description |\n|--------|------|-------------|\n| POST | /token | Creates and returns access and refresh tokens for clients that are authenticated using client secrets. The access token can be used to fetch short-term credentials for the assigned AWS accounts or to access application APIs using bearer authentication. |\n\n### Token?aws_iam=t\n| Method | Path | Description |\n|--------|------|-------------|\n| POST | /token?aws_iam=t | Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities. The access token can be used to fetch short-term credentials for the assigned Amazon Web Services accounts or to access application APIs using bearer authentication. |\n\n### Client\n| Method | Path | Description |\n|--------|------|-------------|\n| POST | /client/register | Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output should be persisted for reuse through many authentication requests. |\n\n### Device_authorization\n| Method | Path | Description |\n|--------|------|-------------|\n| POST | /device_authorization | Initiates device authorization by requesting a pair of verification codes from the authorization service. |\n\n## Common Questions\nMatch user requests to endpoints in references/api-spec.lap. 
Key patterns:\n- \"Create a token?\" -> POST /token\n- \"Create a token for a client authenticated with IAM?\" -> POST /token?aws_iam=t\n- \"Register a client?\" -> POST /client/register\n- \"Start device authorization?\" -> POST /device_authorization\n- \"How to authenticate?\" -> See Auth section above\n\n## Response Tips\n- Check response schemas in references/api-spec.lap for field details\n- Create/update endpoints return the modified resource on success\n\n## References\n- Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas\n\n> Generated from the official API spec by [LAP](https://lap.sh)\n","references/api-spec.lap":"@lap v0.3\n# Machine-readable API spec. Each @endpoint block is one API call.\n@api AWS SSO OIDC\n@version 2019-06-10\n@auth AWS SigV4\n@endpoints 4\n@toc token(1), token?aws_iam=t(1), client(1), device_authorization(1)\n\n@group token\n@endpoint POST /token\n@desc Creates and returns access and refresh tokens for clients that are authenticated using client secrets. The access token can be used to fetch short-term credentials for the assigned AWS accounts or to access application APIs using bearer authentication.\n@required {clientId: str, clientSecret: str, grantType: str}\n@optional {deviceCode: str, code: str, refreshToken: str, scope: [str], redirectUri: str, codeVerifier: str}\n@returns(200) {accessToken: str?, tokenType: str?, expiresIn: int?, refreshToken: str?, idToken: str?}\n\n@endgroup\n\n@group token?aws_iam=t\n@endpoint POST /token?aws_iam=t\n@desc Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities. 
The access token can be used to fetch short-term credentials for the assigned Amazon Web Services accounts or to access application APIs using bearer authentication.\n@required {clientId: str, grantType: str}\n@optional {code: str, refreshToken: str, assertion: str, scope: [str], redirectUri: str, subjectToken: str, subjectTokenType: str, requestedTokenType: str, codeVerifier: str}\n@returns(200) {accessToken: str?, tokenType: str?, expiresIn: int?, refreshToken: str?, idToken: str?, issuedTokenType: str?, scope: [str]?}\n\n@endgroup\n\n@group client\n@endpoint POST /client/register\n@desc Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output should be persisted for reuse through many authentication requests.\n@required {clientName: str, clientType: str}\n@optional {scopes: [str], redirectUris: [str], grantTypes: [str], issuerUrl: str, entitledApplicationArn: str}\n@returns(200) {clientId: str?, clientSecret: str?, clientIdIssuedAt: int(i64)?, clientSecretExpiresAt: int(i64)?, authorizationEndpoint: str?, tokenEndpoint: str?}\n\n@endgroup\n\n@group device_authorization\n@endpoint POST /device_authorization\n@desc Initiates device authorization by requesting a pair of verification codes from the authorization service.\n@required {clientId: str, clientSecret: str, startUrl: str}\n@returns(200) {deviceCode: str?, userCode: str?, verificationUri: str?, verificationUriComplete: str?, expiresIn: int?, interval: int?}\n\n@endgroup\n\n@end\n"}}