Start OAuth Authorization

// POST /v1/idp/oauth/authorize/start
const stytch = require('stytch');

const client = new stytch.Client({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  client_id: "${exampleConnectedAppClientID}",
  redirect_uri: "https://app.example/oauth/callback",
  response_type: "code",
  scopes: ["openid"],
};

client.IDP.OAuth.AuthorizeStart(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "user_id": "<string>",
  "user": {
    "user_id": "<string>",
    "emails": [
      {
        "email_id": "<string>",
        "email": "<string>",
        "verified": true
      }
    ],
    "status": "<string>",
    "phone_numbers": [
      {
        "phone_id": "<string>",
        "phone_number": "<string>",
        "verified": true
      }
    ],
    "webauthn_registrations": [
      {
        "webauthn_registration_id": "<string>",
        "domain": "<string>",
        "user_agent": "<string>",
        "verified": true,
        "authenticator_type": "<string>",
        "name": "<string>"
      }
    ],
    "providers": [
      {
        "provider_type": "<string>",
        "provider_subject": "<string>",
        "profile_picture_url": "<string>",
        "locale": "<string>",
        "oauth_user_registration_id": "<string>"
      }
    ],
    "totps": [
      {
        "totp_id": "<string>",
        "verified": true
      }
    ],
    "crypto_wallets": [
      {
        "crypto_wallet_id": "<string>",
        "crypto_wallet_address": "<string>",
        "crypto_wallet_type": "<string>",
        "verified": true
      }
    ],
    "biometric_registrations": [
      {
        "biometric_registration_id": "<string>",
        "verified": true
      }
    ],
    "is_locked": true,
    "roles": [
      "<string>"
    ],
    "name": {
      "first_name": "<string>",
      "middle_name": "<string>",
      "last_name": "<string>"
    },
    "created_at": "<string>",
    "password": {
      "password_id": "<string>",
      "requires_reset": true
    },
    "trusted_metadata": {},
    "untrusted_metadata": {},
    "external_id": "<string>",
    "lock_created_at": "<string>",
    "lock_expires_at": "<string>"
  },
  "client": {
    "client_id": "<string>",
    "client_name": "<string>",
    "client_description": "<string>",
    "client_type": "<string>",
    "logo_url": "<string>"
  },
  "consent_required": true,
  "scope_results": [
    {
      "scope": "<string>",
      "description": "<string>",
      "is_grantable": true
    }
  ],
  "status_code": 123
}

POST

idp

oauth

authorize

start

// POST /v1/idp/oauth/authorize/start
const stytch = require('stytch');

const client = new stytch.Client({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  client_id: "${exampleConnectedAppClientID}",
  redirect_uri: "https://app.example/oauth/callback",
  response_type: "code",
  scopes: ["openid"],
};

client.IDP.OAuth.AuthorizeStart(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "user_id": "<string>",
  "user": {
    "user_id": "<string>",
    "emails": [
      {
        "email_id": "<string>",
        "email": "<string>",
        "verified": true
      }
    ],
    "status": "<string>",
    "phone_numbers": [
      {
        "phone_id": "<string>",
        "phone_number": "<string>",
        "verified": true
      }
    ],
    "webauthn_registrations": [
      {
        "webauthn_registration_id": "<string>",
        "domain": "<string>",
        "user_agent": "<string>",
        "verified": true,
        "authenticator_type": "<string>",
        "name": "<string>"
      }
    ],
    "providers": [
      {
        "provider_type": "<string>",
        "provider_subject": "<string>",
        "profile_picture_url": "<string>",
        "locale": "<string>",
        "oauth_user_registration_id": "<string>"
      }
    ],
    "totps": [
      {
        "totp_id": "<string>",
        "verified": true
      }
    ],
    "crypto_wallets": [
      {
        "crypto_wallet_id": "<string>",
        "crypto_wallet_address": "<string>",
        "crypto_wallet_type": "<string>",
        "verified": true
      }
    ],
    "biometric_registrations": [
      {
        "biometric_registration_id": "<string>",
        "verified": true
      }
    ],
    "is_locked": true,
    "roles": [
      "<string>"
    ],
    "name": {
      "first_name": "<string>",
      "middle_name": "<string>",
      "last_name": "<string>"
    },
    "created_at": "<string>",
    "password": {
      "password_id": "<string>",
      "requires_reset": true
    },
    "trusted_metadata": {},
    "untrusted_metadata": {},
    "external_id": "<string>",
    "lock_created_at": "<string>",
    "lock_expires_at": "<string>"
  },
  "client": {
    "client_id": "<string>",
    "client_name": "<string>",
    "client_description": "<string>",
    "client_type": "<string>",
    "logo_url": "<string>"
  },
  "consent_required": true,
  "scope_results": [
    {
      "scope": "<string>",
      "description": "<string>",
      "is_grantable": true
    }
  ],
  "status_code": 123
}

Initiates a request for authorization of a Connected App to access a User’s account. Call this endpoint using the query parameters from an OAuth Authorization request. This endpoint validates various fields (scope, client_id, redirect_uri, prompt, etc…) are correct and returns relevant information for rendering an OAuth Consent Screen. This endpoint returns:

A public representation of the Connected App requesting authorization
Whether explicit user consent must be granted before proceeding with the authorization
A list of scopes the user has the ability to grant the Connected App

Use this response to prompt the user for consent (if necessary) before calling the Submit OAuth Authorization endpoint. Exactly one of the following must be provided to identify the user granting authorization:

user_id
session_token
session_jwt

If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the user’s session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.

Authorizations

Authorization

string

header

required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

client_id

string

required

The ID of the Connected App client.

redirect_uri

string

required

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

response_type

string

required

The OAuth 2.0 response type. For authorization code flows this value is code.

scopes

string[]

required

An array of scopes requested by the client.

user_id

string

The unique ID of a specific User. You may use an external_id here if one is set for the user.

session_token

string

The session_token associated with a User's existing Session.

session_jwt

string

The session_jwt associated with a User's existing Session.

prompt

string

Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only consent is supported today.

Response

Successful response

request_id

string

required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

user_id

string

required

The unique ID of the affected User.

user

object

required

The user object affected by this API call. See the Get user endpoint for complete response field details.

Show child attributes

client

object

required

Show child attributes

Whether the user must provide explicit consent for the authorization request.

scope_results

object[]

required

Details about each requested scope.

Show child attributes

status_code

integer<int32>

required

⌘I