Authenticate
Authenticate an OAuth token.
session_duration_minutes; a session with the identity provider, e.g. Google or Facebook, will always be initiated upon successful authentication.Authorizations
Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.
Body
Request type
The OAuth token from the ?token= query parameter in the URL.
The redirect URL will look like `https://example.com/authenticate?stytch_token_type=oauth&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7`
In the redirect URL, the `stytch_token_type` will be `oauth`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail.Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this OAuth factor. If this session_token belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.
Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of
five minutes regardless of the underlying session duration, and will need to be refreshed over time.
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.
If the session_duration_minutes parameter is not specified, a Stytch session will not be created.
Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this OAuth factor. If this session_jwt belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.
Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in session_duration_minutes. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.
Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.
A base64url encoded one time secret used to validate that the request starts and ends on the same device.
If the telemetry_id is passed, as part of this request, Stytch will call the Fingerprint Lookup API and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.
Response
Successful response
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
The unique ID of the affected User.
The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols.
Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.
A secret token for a given Stytch Session.
The JSON Web Token (JWT) for a given Stytch Session.
The provider_values object lists relevant identifiers, values, and scopes for a given OAuth provider. For example this object will include a provider's access_token that you can use to access the provider's API for a given user.
Note that these values will vary based on the OAuth provider in question, e.g. id_token is only returned by OIDC compliant identity providers.
The user object affected by this API call. See the Get user endpoint for complete response field details.
Indicates if all other of the User's Sessions need to be reset. You should check this field if you aren't using Stytch's Session product. If you are using Stytch's Session product, we revoke the User's other sessions for you.
The unique ID for an OAuth registration.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
A Session object. For backwards compatibility reasons, the session from an OAuth authenticate call is labeled as user_session, but is otherwise just a standard stytch Session object.
See Session object for complete response fields.
If a valid telemetry_id was passed in the request and the Fingerprint Lookup API returned results, the user_device response field will contain information about the user's device attributes.