Skip to main content
POST
/
v1
/
b2b
/
oauth
/
discovery
/
authenticate
C#
// POST /v1/b2b/oauth/discovery/authenticate
const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  discovery_oauth_token: "${exampleOAuthAuthenticateToken}",
};

client.OAuth.Discovery.Authenticate(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
{
  "request_id": "<string>",
  "intermediate_session_token": "<string>",
  "email_address": "<string>",
  "discovered_organizations": [
    {
      "member_authenticated": true,
      "organization": {
        "organization_id": "<string>",
        "organization_name": "<string>",
        "organization_logo_url": "<string>",
        "organization_slug": "<string>",
        "sso_jit_provisioning": "<string>",
        "sso_jit_provisioning_allowed_connections": [
          "<string>"
        ],
        "sso_active_connections": [
          {
            "connection_id": "<string>",
            "display_name": "<string>",
            "identity_provider": "<string>"
          }
        ],
        "email_allowed_domains": [
          "<string>"
        ],
        "email_jit_provisioning": "<string>",
        "email_invites": "<string>",
        "auth_methods": "<string>",
        "allowed_auth_methods": [
          "<string>"
        ],
        "mfa_policy": "<string>",
        "rbac_email_implicit_role_assignments": [
          {
            "domain": "<string>",
            "role_id": "<string>"
          }
        ],
        "mfa_methods": "<string>",
        "allowed_mfa_methods": [
          "<string>"
        ],
        "oauth_tenant_jit_provisioning": "<string>",
        "claimed_email_domains": [
          "<string>"
        ],
        "first_party_connected_apps_allowed_type": "<string>",
        "allowed_first_party_connected_apps": [
          "<string>"
        ],
        "third_party_connected_apps_allowed_type": "<string>",
        "allowed_third_party_connected_apps": [
          "<string>"
        ],
        "custom_roles": [
          {
            "role_id": "<string>",
            "description": "<string>",
            "permissions": [
              {
                "resource_id": "<string>",
                "actions": [
                  "<string>"
                ]
              }
            ]
          }
        ],
        "trusted_metadata": {},
        "created_at": "<string>",
        "updated_at": "<string>",
        "organization_external_id": "<string>",
        "sso_default_connection_id": "<string>",
        "scim_active_connection": {
          "connection_id": "<string>",
          "display_name": "<string>",
          "bearer_token_last_four": "<string>",
          "bearer_token_expires_at": "<string>"
        },
        "allowed_oauth_tenants": {}
      },
      "membership": {
        "type": "<string>",
        "details": {},
        "member": {
          "organization_id": "<string>",
          "member_id": "<string>",
          "email_address": "<string>",
          "status": "<string>",
          "name": "<string>",
          "sso_registrations": [
            {
              "connection_id": "<string>",
              "external_id": "<string>",
              "registration_id": "<string>",
              "sso_attributes": {}
            }
          ],
          "is_breakglass": true,
          "member_password_id": "<string>",
          "oauth_registrations": [
            {
              "provider_type": "<string>",
              "provider_subject": "<string>",
              "member_oauth_registration_id": "<string>",
              "profile_picture_url": "<string>",
              "locale": "<string>"
            }
          ],
          "email_address_verified": true,
          "mfa_phone_number_verified": true,
          "is_admin": true,
          "totp_registration_id": "<string>",
          "retired_email_addresses": [
            {
              "email_id": "<string>",
              "email_address": "<string>"
            }
          ],
          "is_locked": true,
          "mfa_enrolled": true,
          "mfa_phone_number": "<string>",
          "default_mfa_method": "<string>",
          "roles": [
            {
              "role_id": "<string>",
              "sources": [
                {
                  "type": "<string>",
                  "details": {}
                }
              ]
            }
          ],
          "trusted_metadata": {},
          "untrusted_metadata": {},
          "created_at": "<string>",
          "updated_at": "<string>",
          "scim_registration": {
            "connection_id": "<string>",
            "registration_id": "<string>",
            "external_id": "<string>",
            "scim_attributes": {
              "user_name": "<string>",
              "id": "<string>",
              "external_id": "<string>",
              "active": true,
              "groups": [
                {
                  "value": "<string>",
                  "display": "<string>"
                }
              ],
              "display_name": "<string>",
              "nick_name": "<string>",
              "profile_url": "<string>",
              "user_type": "<string>",
              "title": "<string>",
              "preferred_language": "<string>",
              "locale": "<string>",
              "timezone": "<string>",
              "emails": [
                {
                  "value": "<string>",
                  "type": "<string>",
                  "primary": true
                }
              ],
              "phone_numbers": [
                {
                  "value": "<string>",
                  "type": "<string>",
                  "primary": true
                }
              ],
              "addresses": [
                {
                  "formatted": "<string>",
                  "street_address": "<string>",
                  "locality": "<string>",
                  "region": "<string>",
                  "postal_code": "<string>",
                  "country": "<string>",
                  "type": "<string>",
                  "primary": true
                }
              ],
              "ims": [
                {
                  "value": "<string>",
                  "type": "<string>",
                  "primary": true
                }
              ],
              "photos": [
                {
                  "value": "<string>",
                  "type": "<string>",
                  "primary": true
                }
              ],
              "entitlements": [
                {
                  "value": "<string>",
                  "type": "<string>",
                  "primary": true
                }
              ],
              "roles": [
                {
                  "value": "<string>",
                  "type": "<string>",
                  "primary": true
                }
              ],
              "x509certificates": [
                {
                  "value": "<string>",
                  "type": "<string>",
                  "primary": true
                }
              ],
              "name": {
                "formatted": "<string>",
                "family_name": "<string>",
                "given_name": "<string>",
                "middle_name": "<string>",
                "honorific_prefix": "<string>",
                "honorific_suffix": "<string>"
              },
              "enterprise_extension": {
                "employee_number": "<string>",
                "cost_center": "<string>",
                "division": "<string>",
                "department": "<string>",
                "organization": "<string>",
                "manager": {
                  "value": "<string>",
                  "ref": "<string>",
                  "display_name": "<string>"
                }
              }
            }
          },
          "external_id": "<string>",
          "lock_created_at": "<string>",
          "lock_expires_at": "<string>"
        }
      },
      "primary_required": {
        "allowed_auth_methods": [
          "<string>"
        ]
      },
      "mfa_required": {
        "member_options": {
          "mfa_phone_number": "<string>",
          "totp_registration_id": "<string>"
        },
        "secondary_auth_initiated": "<string>"
      }
    }
  ],
  "provider_type": "<string>",
  "provider_tenant_id": "<string>",
  "provider_tenant_ids": [
    "<string>"
  ],
  "full_name": "<string>",
  "status_code": 123
}
Authenticates the Discovery token and exchanges it for an . Intermediate Session Tokens can be used for various Discovery login flows and are valid for 10 minutes.

Authorizations

Authorization
string
header
required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

discovery_oauth_token
string
required

The Discovery OAuth token to authenticate.

session_token
string
session_duration_minutes
integer<int32>
session_jwt
string
session_custom_claims
object
pkce_code_verifier
string

A base64url encoded one time secret used to validate that the request starts and ends on the same device.

Response

Successful response

request_id
string
required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

intermediate_session_token
string
required

The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the OTP SMS Authenticate endpoint, TOTP Authenticate endpoint, or Recovery Codes Recover endpoint to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the Exchange Intermediate Session endpoint to join a specific Organization that allows the factors represented by the intermediate session token; or the Create Organization via Discovery endpoint to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.

email_address
string
required

The email address.

discovered_organizations
object[]
required

An array of discovered_organization objects tied to the intermediate_session_token, session_token, or session_jwt. See the Discovered Organization Object for complete details.

Note that Organizations will only appear here under any of the following conditions:

  1. The end user is already a Member of the Organization.

  2. The end user is invited to the Organization.

  3. The end user can join the Organization because:

    a) The Organization allows JIT provisioning.

    b) The Organizations' allowed domains list contains the Member's email domain.

    c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks).

provider_type
string
required

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.

provider_tenant_id
string
required

The tenant ID returned by the OAuth provider. This is typically used to identify an organization or group within the provider's domain. For example, in HubSpot this is a Hub ID, in Slack this is the Workspace ID, and in GitHub this is an organization ID. This field will only be populated if exactly one tenant ID is returned from a successful OAuth authentication and developers should prefer provider_tenant_ids over this since it accounts for the possibility of an OAuth provider yielding multiple tenant IDs.

provider_tenant_ids
string[]
required

All tenant IDs returned by the OAuth provider. These is typically used to identify organizations or groups within the provider's domain. For example, in HubSpot this is a Hub ID, in Slack this is the Workspace ID, and in GitHub this is an organization ID. Some OAuth providers do not return tenant IDs, some providers are guaranteed to return one, and some may return multiple. This field will always be populated if at least one tenant ID was returned from the OAuth provider and developers should prefer this field over provider_tenant_id.

full_name
string
required

The full name of the authenticated end user, if available.

status_code
integer<int32>
required

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.