Start OAuth Authorization

// POST /v1/b2b/idp/oauth/authorize/start
const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  client_id: "${exampleConnectedAppClientID}",
  redirect_uri: "https://app.example/oauth/callback",
  response_type: "code",
  scopes: ["openid"],
};

client.IDP.OAuth.AuthorizeStart(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "member_id": "<string>",
  "member": {
    "organization_id": "<string>",
    "member_id": "<string>",
    "email_address": "<string>",
    "status": "<string>",
    "name": "<string>",
    "sso_registrations": [
      {
        "connection_id": "<string>",
        "external_id": "<string>",
        "registration_id": "<string>",
        "sso_attributes": {}
      }
    ],
    "is_breakglass": true,
    "member_password_id": "<string>",
    "oauth_registrations": [
      {
        "provider_type": "<string>",
        "provider_subject": "<string>",
        "member_oauth_registration_id": "<string>",
        "profile_picture_url": "<string>",
        "locale": "<string>"
      }
    ],
    "email_address_verified": true,
    "mfa_phone_number_verified": true,
    "is_admin": true,
    "totp_registration_id": "<string>",
    "retired_email_addresses": [
      {
        "email_id": "<string>",
        "email_address": "<string>"
      }
    ],
    "is_locked": true,
    "mfa_enrolled": true,
    "mfa_phone_number": "<string>",
    "default_mfa_method": "<string>",
    "roles": [
      {
        "role_id": "<string>",
        "sources": [
          {
            "type": "<string>",
            "details": {}
          }
        ]
      }
    ],
    "trusted_metadata": {},
    "untrusted_metadata": {},
    "created_at": "<string>",
    "updated_at": "<string>",
    "scim_registration": {
      "connection_id": "<string>",
      "registration_id": "<string>",
      "external_id": "<string>",
      "scim_attributes": {
        "user_name": "<string>",
        "id": "<string>",
        "external_id": "<string>",
        "active": true,
        "groups": [
          {
            "value": "<string>",
            "display": "<string>"
          }
        ],
        "display_name": "<string>",
        "nick_name": "<string>",
        "profile_url": "<string>",
        "user_type": "<string>",
        "title": "<string>",
        "preferred_language": "<string>",
        "locale": "<string>",
        "timezone": "<string>",
        "emails": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "phone_numbers": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "addresses": [
          {
            "formatted": "<string>",
            "street_address": "<string>",
            "locality": "<string>",
            "region": "<string>",
            "postal_code": "<string>",
            "country": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "ims": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "photos": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "entitlements": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "roles": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "x509certificates": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "name": {
          "formatted": "<string>",
          "family_name": "<string>",
          "given_name": "<string>",
          "middle_name": "<string>",
          "honorific_prefix": "<string>",
          "honorific_suffix": "<string>"
        },
        "enterprise_extension": {
          "employee_number": "<string>",
          "cost_center": "<string>",
          "division": "<string>",
          "department": "<string>",
          "organization": "<string>",
          "manager": {
            "value": "<string>",
            "ref": "<string>",
            "display_name": "<string>"
          }
        }
      }
    },
    "external_id": "<string>",
    "lock_created_at": "<string>",
    "lock_expires_at": "<string>"
  },
  "organization": {
    "organization_id": "<string>",
    "organization_name": "<string>",
    "organization_logo_url": "<string>",
    "organization_slug": "<string>",
    "sso_jit_provisioning": "<string>",
    "sso_jit_provisioning_allowed_connections": [
      "<string>"
    ],
    "sso_active_connections": [
      {
        "connection_id": "<string>",
        "display_name": "<string>",
        "identity_provider": "<string>"
      }
    ],
    "email_allowed_domains": [
      "<string>"
    ],
    "email_jit_provisioning": "<string>",
    "email_invites": "<string>",
    "auth_methods": "<string>",
    "allowed_auth_methods": [
      "<string>"
    ],
    "mfa_policy": "<string>",
    "rbac_email_implicit_role_assignments": [
      {
        "domain": "<string>",
        "role_id": "<string>"
      }
    ],
    "mfa_methods": "<string>",
    "allowed_mfa_methods": [
      "<string>"
    ],
    "oauth_tenant_jit_provisioning": "<string>",
    "claimed_email_domains": [
      "<string>"
    ],
    "first_party_connected_apps_allowed_type": "<string>",
    "allowed_first_party_connected_apps": [
      "<string>"
    ],
    "third_party_connected_apps_allowed_type": "<string>",
    "allowed_third_party_connected_apps": [
      "<string>"
    ],
    "custom_roles": [
      {
        "role_id": "<string>",
        "description": "<string>",
        "permissions": [
          {
            "resource_id": "<string>",
            "actions": [
              "<string>"
            ]
          }
        ]
      }
    ],
    "trusted_metadata": {},
    "created_at": "<string>",
    "updated_at": "<string>",
    "organization_external_id": "<string>",
    "sso_default_connection_id": "<string>",
    "scim_active_connection": {
      "connection_id": "<string>",
      "display_name": "<string>",
      "bearer_token_last_four": "<string>",
      "bearer_token_expires_at": "<string>"
    },
    "allowed_oauth_tenants": {}
  },
  "client": {
    "client_id": "<string>",
    "client_name": "<string>",
    "client_description": "<string>",
    "client_type": "<string>",
    "logo_url": "<string>"
  },
  "consent_required": true,
  "scope_results": [
    {
      "scope": "<string>",
      "description": "<string>",
      "is_grantable": true
    }
  ],
  "status_code": 123
}

POST

b2b

idp

oauth

authorize

start

// POST /v1/b2b/idp/oauth/authorize/start
const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  client_id: "${exampleConnectedAppClientID}",
  redirect_uri: "https://app.example/oauth/callback",
  response_type: "code",
  scopes: ["openid"],
};

client.IDP.OAuth.AuthorizeStart(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "member_id": "<string>",
  "member": {
    "organization_id": "<string>",
    "member_id": "<string>",
    "email_address": "<string>",
    "status": "<string>",
    "name": "<string>",
    "sso_registrations": [
      {
        "connection_id": "<string>",
        "external_id": "<string>",
        "registration_id": "<string>",
        "sso_attributes": {}
      }
    ],
    "is_breakglass": true,
    "member_password_id": "<string>",
    "oauth_registrations": [
      {
        "provider_type": "<string>",
        "provider_subject": "<string>",
        "member_oauth_registration_id": "<string>",
        "profile_picture_url": "<string>",
        "locale": "<string>"
      }
    ],
    "email_address_verified": true,
    "mfa_phone_number_verified": true,
    "is_admin": true,
    "totp_registration_id": "<string>",
    "retired_email_addresses": [
      {
        "email_id": "<string>",
        "email_address": "<string>"
      }
    ],
    "is_locked": true,
    "mfa_enrolled": true,
    "mfa_phone_number": "<string>",
    "default_mfa_method": "<string>",
    "roles": [
      {
        "role_id": "<string>",
        "sources": [
          {
            "type": "<string>",
            "details": {}
          }
        ]
      }
    ],
    "trusted_metadata": {},
    "untrusted_metadata": {},
    "created_at": "<string>",
    "updated_at": "<string>",
    "scim_registration": {
      "connection_id": "<string>",
      "registration_id": "<string>",
      "external_id": "<string>",
      "scim_attributes": {
        "user_name": "<string>",
        "id": "<string>",
        "external_id": "<string>",
        "active": true,
        "groups": [
          {
            "value": "<string>",
            "display": "<string>"
          }
        ],
        "display_name": "<string>",
        "nick_name": "<string>",
        "profile_url": "<string>",
        "user_type": "<string>",
        "title": "<string>",
        "preferred_language": "<string>",
        "locale": "<string>",
        "timezone": "<string>",
        "emails": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "phone_numbers": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "addresses": [
          {
            "formatted": "<string>",
            "street_address": "<string>",
            "locality": "<string>",
            "region": "<string>",
            "postal_code": "<string>",
            "country": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "ims": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "photos": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "entitlements": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "roles": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "x509certificates": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "name": {
          "formatted": "<string>",
          "family_name": "<string>",
          "given_name": "<string>",
          "middle_name": "<string>",
          "honorific_prefix": "<string>",
          "honorific_suffix": "<string>"
        },
        "enterprise_extension": {
          "employee_number": "<string>",
          "cost_center": "<string>",
          "division": "<string>",
          "department": "<string>",
          "organization": "<string>",
          "manager": {
            "value": "<string>",
            "ref": "<string>",
            "display_name": "<string>"
          }
        }
      }
    },
    "external_id": "<string>",
    "lock_created_at": "<string>",
    "lock_expires_at": "<string>"
  },
  "organization": {
    "organization_id": "<string>",
    "organization_name": "<string>",
    "organization_logo_url": "<string>",
    "organization_slug": "<string>",
    "sso_jit_provisioning": "<string>",
    "sso_jit_provisioning_allowed_connections": [
      "<string>"
    ],
    "sso_active_connections": [
      {
        "connection_id": "<string>",
        "display_name": "<string>",
        "identity_provider": "<string>"
      }
    ],
    "email_allowed_domains": [
      "<string>"
    ],
    "email_jit_provisioning": "<string>",
    "email_invites": "<string>",
    "auth_methods": "<string>",
    "allowed_auth_methods": [
      "<string>"
    ],
    "mfa_policy": "<string>",
    "rbac_email_implicit_role_assignments": [
      {
        "domain": "<string>",
        "role_id": "<string>"
      }
    ],
    "mfa_methods": "<string>",
    "allowed_mfa_methods": [
      "<string>"
    ],
    "oauth_tenant_jit_provisioning": "<string>",
    "claimed_email_domains": [
      "<string>"
    ],
    "first_party_connected_apps_allowed_type": "<string>",
    "allowed_first_party_connected_apps": [
      "<string>"
    ],
    "third_party_connected_apps_allowed_type": "<string>",
    "allowed_third_party_connected_apps": [
      "<string>"
    ],
    "custom_roles": [
      {
        "role_id": "<string>",
        "description": "<string>",
        "permissions": [
          {
            "resource_id": "<string>",
            "actions": [
              "<string>"
            ]
          }
        ]
      }
    ],
    "trusted_metadata": {},
    "created_at": "<string>",
    "updated_at": "<string>",
    "organization_external_id": "<string>",
    "sso_default_connection_id": "<string>",
    "scim_active_connection": {
      "connection_id": "<string>",
      "display_name": "<string>",
      "bearer_token_last_four": "<string>",
      "bearer_token_expires_at": "<string>"
    },
    "allowed_oauth_tenants": {}
  },
  "client": {
    "client_id": "<string>",
    "client_name": "<string>",
    "client_description": "<string>",
    "client_type": "<string>",
    "logo_url": "<string>"
  },
  "consent_required": true,
  "scope_results": [
    {
      "scope": "<string>",
      "description": "<string>",
      "is_grantable": true
    }
  ],
  "status_code": 123
}

Initiates a request for authorization of a Connected App to access a Members’s account. Call this endpoint using the query parameters from an OAuth Authorization request. This endpoint validates various fields (scope, client_id, redirect_uri, prompt, etc…) are correct and returns relevant information for rendering an OAuth Consent Screen. This endpoint returns:

A public representation of the Connected App requesting authorization
Whether explicit user consent must be granted before proceeding with the authorization
A list of scopes the user has the ability to grant the Connected App

Use this response to prompt the user for consent (if necessary) before calling the Submit OAuth Authorization endpoint. Exactly one of the following must be provided to identify the user granting authorization:

user_id
session_token
session_jwt

If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the user’s session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.

Authorizations

Authorization

string

header

required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

client_id

string

required

The ID of the Connected App client.

redirect_uri

string

required

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

response_type

string

required

The OAuth 2.0 response type. For authorization code flows this value is code.

scopes

string[]

required

An array of scopes requested by the client.

organization_id

string

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

member_id

string

Globally unique UUID that identifies a specific Member. The member_id is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.

session_token

string

A secret token for a given Stytch Session.

session_jwt

string

The JSON Web Token (JWT) for a given Stytch Session.

prompt

string

Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only consent is supported today.

Response

Successful response

request_id

string

required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

member_id

string

required

Globally unique UUID that identifies a specific Member.

member

object

required

The Member object

Show child attributes

organization

object

required

The Organization object.

Show child attributes

client

object

required

Show child attributes

Whether the user must provide explicit consent for the authorization request.

scope_results

object[]

required

Details about each requested scope.

Show child attributes

status_code

integer<int32>

required

⌘I