Authenticate OAuth Organization Token
Authenticate a Member using an OAuth token for a specific Organization
session_duration_minutes parameter to set the lifetime of the session. If the session_duration_minutes parameter is not specified, a session will be created with a default 60 minute duration.
Multi-factor authentication (MFA)
If the Member is required to complete MFA to log in to the Organization, the returned value ofmember_authenticated will be false and an intermediate_session_token will be returned. The intermediate_session_token can be passed into the following endpoints to complete the MFA step and acquire a full member session (the session_duration_minutes and session_custom_claims parameters will be ignored):
The intermediate_session_token can also be used with the Exchange Intermediate Session endpoint or the Create Organization via Discovery endpoint to join a different Organization or create a new one. The session_duration_minutes and session_custom_claims parameters will be ignored.
If a valid session_token or session_jwt is passed in, the Member will not be required to complete an MFA step.
Step-up authentication
If the Member is logging in via an OAuth provider that does not fully verify the email, the returned value ofmember_authenticated will be false, and an intermediate_session_token will be returned. The primary_required field details the authentication flow the Member must perform in order to complete a step-up authentication into the organization. The intermediate_session_token must be passed into that authentication flow.Authorizations
Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.
Body
Request type
The token to authenticate.
A secret token for a given Stytch Session.
Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of
five minutes regardless of the underlying session duration, and will need to be refreshed over time.
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.
If the session_duration_minutes parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want
to use the Stytch session product, you can ignore the session fields in the response.
The JSON Web Token (JWT) for a given Stytch Session.
Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in
session_duration_minutes. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To
delete a key, supply a null value. Custom claims made with reserved claims (iss, sub, aud, exp, nbf, iat, jti) will be ignored.
Total custom claims size cannot exceed four kilobytes.
A base64url encoded one time secret used to validate that the request starts and ends on the same device.
If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
Parameter is an IETF BCP 47 language tag, e.g. "en".
Currently supported languages are English ("en"), Spanish ("es"), and Brazilian Portuguese ("pt-br"); if no value is provided, the copy defaults to English.
Request support for additional languages here!
en, es, pt-br, fr, it, de-DE, zh-Hans, ca-ES Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned.
If the telemetry_id is passed, as part of this request, Stytch will call the Fingerprint Lookup API and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.
Response
Successful response
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
Globally unique UUID that identifies a specific Member.
The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.
A secret token for a given Stytch Session.
The JSON Web Token (JWT) for a given Stytch Session.
The Member object
Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value.
The Organization object.
This field is deprecated.
Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization.
The returned Intermediate Session Token contains an OAuth factor associated with the Member's email address. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the OTP SMS Authenticate endpoint, TOTP Authenticate endpoint, or Recovery Codes Recover endpoint to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the Exchange Intermediate Session endpoint to join a specific Organization that allows the factors represented by the intermediate session token; or the Create Organization via Discovery endpoint to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
The Session object.
The provider_values object lists relevant identifiers, values, and scopes for a given OAuth provider. For example this object will include a provider's access_token that you can use to access the provider's API for a given user.
Note that these values will vary based on the OAuth provider in question, e.g. id_token is only returned by Microsoft. Google One Tap does not return access tokens or refresh tokens.
Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
Information about the primary authentication requirements of the Organization.
If a valid telemetry_id was passed in the request and the Fingerprint Lookup API returned results, the member_device response field will contain information about the member's device attributes.