> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Start SSO Authenticate

> Start the SSO Authentication flow

<Note>
  Any SSO Connections created after registering a [Custom Domain](/resources/branding/custom-domains) will be configured to use that domain. After registering your domain, you should replace Stytch's API domain in requests with your custom domain.
</Note>

A client-side endpoint (can only be queried from the user's browser) that starts the SSO Authentication flow. This endpoint redirects the User to the IdP with all of the information required to complete the SSO Authentication flow. From there, the user signs into their IdP before getting redirected back to Stytch. After verifying the request, Stytch immediately redirects the user back to the `redirect_url` configured in the [Stytch Dashboard](https://stytch.com/dashboard/redirect-urls).

When making a request to this endpoint, you must include one of `connection_id` or `organization_id`. If you use `organization_id`, that organization's default SSO connection will be used for the login flow.

### Query parameters

<ParamField query="connection_id" type="string">
  The ID of the SSO connection to use for the login flow.
</ParamField>

<ParamField query="organization_id" type="string">
  The `organization_id` or `external_id` of the organization whose default SSO connection should be used for the login flow.
</ParamField>

<ParamField query="public_token" type="string" required>
  The public token found in your [Stytch Dashboard](https://stytch.com/dashboard). Since this endpoint must be called client-side, the public token authenticates the request instead of the project ID and secret.
</ParamField>

<ParamField query="pkce_code_challenge" type="string">
  A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device.
</ParamField>

<ParamField query="login_redirect_url" type="string">
  The URL Stytch redirects to after the SSO flow is completed for a Member that already exists. This URL should be a route in your application which will run `sso.authenticate` and finish the login.

  The URL must be configured as a Login URL in the [Stytch Dashboard](https://stytch.com/dashboard/redirect-urls). If the field is not specified, the default Login URL will be used.
</ParamField>

<ParamField query="signup_redirect_url" type="string">
  The URL Stytch redirects to after the SSO flow is completed for a Member that does not yet exist. This URL should be a route in your application which will run `sso.authenticate` (see below) and finish the login.
  The URL must be configured as a Sign Up URL in the [Redirect URL page](https://stytch.com/dashboard/redirect-urls). If the field is not specified, the default Sign Up URL will be used.
</ParamField>

<ParamField query="custom_scopes" type="string">
  A list of custom scopes that will be requested on this specific SSOStart call, separated by the plus sign (+). These scopes will be requested in addition to any custom scopes defined on the SSO Connection object.
</ParamField>

### Response

<ResponseField name="redirect_url" type="string">
  The url to redirect to. This should be handled automatically by the browser.
</ResponseField>

<ResponseField name="status_code" type="number">
  The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
  equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
</ResponseField>

<ResponseField name="request_id" type="string">
  Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
  may ask for this value to help identify a specific API call when helping you debug an issue.
</ResponseField>

<Panel>
  <RequestExample>
    ```js theme={null}
    // Client-side in the user's browser
    const response = await fetch('https://test.stytch.com/v1/public/sso/start?connection_id=saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9&public_token=PUBLIC_TOKEN', {
      method: 'GET',
    });
    ```
  </RequestExample>

  <ResponseExample>
    ```json 302 theme={null}
    {
      "status_code": 302,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "redirect_url": "https://idp.example.com/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml"
    }
    ```

    ```json 400 theme={null}
    {
      "status_code": 400,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "duplicate_email",
      "error_message": "A user with the specified email already exists for this project.",
      "error_url": "https://stytch.com/docs/api/errors/400"
    }
    ```

    ```json 401 theme={null}
    {
      "status_code": 401,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "unauthorized_credentials",
      "error_message": "Unauthorized credentials.",
      "error_url": "https://stytch.com/docs/api/errors/401"
    }
    ```

    ```json 429 theme={null}
    {
      "status_code": 429,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "too_many_requests",
      "error_message": "Too many requests have been made.",
      "error_url": "https://stytch.com/docs/api/errors/429"
    }
    ```

    ```json 500 theme={null}
    {
      "status_code": 500,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "internal_server_error",
      "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
      "error_url": "https://stytch.com/docs/api/errors/500"
    }
    ```
  </ResponseExample>
</Panel>
