> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Submit OAuth Authorization

> Submit OAuth authorization for Connected Apps using the Stytch Vanilla JS SDK

export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";

export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";

`idp.oauthAuthorizeSubmit` wraps the [Submit OAuth Authorization](/api-reference/b2b/api/connected-apps/consent-management/submit-oauth-authorization) API endpoint. It completes a request for authorization of a Connected App to access a <Tooltip tip={member}>Member's</Tooltip> account.

Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the [`idp.oauthAuthorizeStart`](./oauth-authorize-start) method. Note that this endpoint takes in a few additional parameters the `start` method does not- `state`, `nonce`, and `code_challenge`.

If the authorization was successful, the `redirect_uri` will contain a valid `authorization_code` embedded as a query parameter. If the authorization was unsuccessful, the `redirect_uri` will contain an OAuth2.1 `error_code`. In both cases, redirect the Member to the location for the response to be consumed by the Connected App.

Exactly one of the following must be provided to identify the Member granting authorization: `organization_id` + `member_id`, `session_token`, or `session_jwt`.

If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.

## Parameters

<ParamField path="client_id" type="string" required>
  The ID of the Connected App client.
</ParamField>

<ParamField path="redirect_uri" type="string" required>
  The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant.
</ParamField>

<ParamField path="response_type" type="string" required>
  The OAuth 2.0 response type. For authorization code flows this value is `code`.
</ParamField>

<ParamField path="scopes" type="string[]" required>
  An array of scopes requested by the client.
</ParamField>

<ParamField path="consent_granted" type="boolean" required>
  Indicates whether the user granted the requested scopes.
</ParamField>

<ParamField path="state" type="string">
  An opaque value used to maintain state between the request and callback.
</ParamField>

<ParamField path="nonce" type="string">
  A string used to associate a client session with an ID token to mitigate replay attacks.
</ParamField>

<ParamField path="code_challenge" type="string">
  A base64url encoded challenge derived from the code verifier for PKCE flows.
</ParamField>

<ParamField path="prompt" type="string">
  Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only consent is supported today.
</ParamField>

## Response

<ResponseField name="redirect_uri" type="string">
  The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.
</ResponseField>

<ResponseField name="authorization_code" type="string">
  A one-time use code that can be exchanged for tokens.
</ResponseField>

<ResponseField name="request_id" type="string">
  Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
  may ask for this value to help identify a specific API call when helping you debug an issue.
</ResponseField>

<ResponseField name="status_code" type="number">
  The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
  equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
</ResponseField>

<Panel>
  <RequestExample>
    ```javascript theme={null}
    import { StytchB2BClient } from '@stytch/vanilla-js/b2b';

    const stytch = new StytchB2BClient('public-token-test-b8c84de4-7d58-4ffc-9341-432b56596862');

    // Get OAuth parameters from URL
    const urlParams = new URLSearchParams(window.location.search);

    const submitAuthorization = async (consentGranted) => {
      const response = await stytch.idp.oauthAuthorizeSubmit({
        client_id: urlParams.get('client_id'),
        redirect_uri: urlParams.get('redirect_uri'),
        response_type: urlParams.get('response_type'),
        scopes: urlParams.get('scope')?.split(' ') || [],
        consent_granted: consentGranted,
        state: urlParams.get('state'),
        nonce: urlParams.get('nonce'),
        code_challenge: urlParams.get('code_challenge'),
      });

      window.location.href = response.redirect_uri;
    };

    document.getElementById('allow-btn').addEventListener('click', () => submitAuthorization(true));
    document.getElementById('deny-btn').addEventListener('click', () => submitAuthorization(false));
    ```
  </RequestExample>
</Panel>