Skip to main content
POST
/
v1
/
idp
/
oauth
/
authorize
C#
// POST /v1/idp/oauth/authorize
const stytch = require('stytch');

const client = new stytch.Client({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  consent_granted: true,
  scopes: ["openid"],
  client_id: "${exampleConnectedAppClientID}",
  redirect_uri: "https://app.example/oauth/callback",
  response_type: "code",
};

client.IDP.OAuth.Authorize(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
{
  "request_id": "<string>",
  "redirect_uri": "<string>",
  "status_code": 123,
  "authorization_code": "<string>"
}
Completes a request for authorization of a Connected App to access a User’s account. Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the Preflight Check API. Note that this endpoint takes in a few additional parameters the preflight check does not- state, nonce, and code_challenge. If the authorization was successful, the redirect_uri will contain a valid authorization_code embedded as a query parameter. If the authorization was unsuccessful, the redirect_uri will contain an OAuth2.1 error_code. In both cases, redirect the user to the location for the response to be consumed by the Connected App. Exactly one of the following must be provided to identify the user granting authorization:
  • user_id
  • session_token
  • session_jwt
If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the user’s session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.

Authorizations

Authorization
string
header
required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

consent_granted
boolean
required

Indicates whether the user granted the requested scopes.

scopes
string[]
required

An array of scopes requested by the client.

client_id
string
required

The ID of the Connected App client.

redirect_uri
string
required

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

response_type
string
required

The OAuth 2.0 response type. For authorization code flows this value is code.

user_id
string

The unique ID of a specific User. You may use an external_id here if one is set for the user.

session_token
string

The session_token associated with a User's existing Session.

session_jwt
string

The session_jwt associated with a User's existing Session.

prompt
string

Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only consent is supported today.

state
string

An opaque value used to maintain state between the request and callback.

nonce
string

A string used to associate a client session with an ID token to mitigate replay attacks.

code_challenge
string

A base64url encoded challenge derived from the code verifier for PKCE flows.

resources
string[]

Response

Successful response

request_id
string
required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

redirect_uri
string
required

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

status_code
integer<int32>
required
authorization_code
string

A one-time use code that can be exchanged for tokens.