Skip to main content
// Client-side in the user's browser
const response = await fetch('https://test.stytch.com/v1/public/sso/start?connection_id=saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9&public_token=PUBLIC_TOKEN', {
  method: 'GET',
});

{
  "status_code": 302,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "redirect_url": "https://idp.example.com/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml"
}
Any SSO Connections created after registering a Custom Domain will be configured to use that domain. After registering your domain, you should replace Stytch’s API domain in requests with your custom domain.
A client-side endpoint (can only be queried from the user’s browser) that starts the SSO Authentication flow. This endpoint redirects the User to the IdP with all of the information required to complete the SSO Authentication flow. From there, the user signs into their IdP before getting redirected back to Stytch. After verifying the request, Stytch immediately redirects the user back to the redirect_url configured in the Stytch Dashboard. When making a request to this endpoint, you must include one of connection_id or organization_id. If you use organization_id, that organization’s default SSO connection will be used for the login flow.

Query parameters

connection_id
string
The ID of the SSO connection to use for the login flow.
organization_id
string
The organization_id or external_id of the organization whose default SSO connection should be used for the login flow.
public_token
string
required
The public token found in your Stytch Dashboard. Since this endpoint must be called client-side, the public token authenticates the request instead of the project ID and secret.
pkce_code_challenge
string
A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device.
login_redirect_url
string
The URL Stytch redirects to after the SSO flow is completed for a Member that already exists. This URL should be a route in your application which will run sso.authenticate and finish the login.The URL must be configured as a Login URL in the Stytch Dashboard. If the field is not specified, the default Login URL will be used.
signup_redirect_url
string
The URL Stytch redirects to after the SSO flow is completed for a Member that does not yet exist. This URL should be a route in your application which will run sso.authenticate (see below) and finish the login. The URL must be configured as a Sign Up URL in the Redirect URL page. If the field is not specified, the default Sign Up URL will be used.
custom_scopes
string
A list of custom scopes that will be requested on this specific SSOStart call, separated by the plus sign (+). These scopes will be requested in addition to any custom scopes defined on the SSO Connection object.

Response

redirect_url
string
The url to redirect to. This should be handled automatically by the browser.
status_code
number
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
request_id
string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.