Stytch – The most powerful identity platform built for developers

POST

https://test.stytch.com/v1/idp/oauth/authorize/start

Initiates a request for authorization of a Connected App to access a User's account.

Call this endpoint using the query parameters from an OAuth Authorization request. This endpoint validates various fields (scope, client_id, redirect_uri, prompt, etc...) are correct and returns relevant information for rendering an OAuth Consent Screen.

This endpoint returns:

A public representation of the Connected App requesting authorization
Whether explicit user consent must be granted before proceeding with the authorization
A list of scopes the user has the ability to grant the Connected App

Use this response to prompt the user for consent (if necessary) before calling the Submit OAuth Authorization endpoint.

Exactly one of the following must be provided to identify the user granting authorization:

user_id
session_token
session_jwt

If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the user's session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.

Body parameters

user_id string

The unique ID of a specific User. You may use an external_id here if one is set for the user.

session_token string

The session_token associated with a User's existing Session.

session_jwt string

The session_jwt associated with a User's existing Session.

client_id* string

The ID of the Connected App client.

redirect_uri* string

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

response_type* string

The OAuth 2.0 response type. For authorization code flows this value is code.

scopes array[strings]

An array of scopes requested by the client.

prompt string

Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only consent is supported today.

Response fields

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

user_id string

The unique ID of the affected User.

user object

The user object affected by this API call. See the Get user endpoint for complete response field details.

user_id string

The unique ID of the affected User.

status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

request_id string

name object

The name of the User. Each field in the name object is optional.

first_name string

The first name of the user.

middle_name string

The middle name(s) of the user.

last_name string

The last name of the user.

trusted_metadata object

The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.

untrusted_metadata object

The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.

emails array[objects]

An array of email objects for the User.

email_id string

The unique ID of a specific email address.

email string

The email address.

verified boolean

The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.

phone_numbers array[objects]

An array of phone number objects linked to the User.

phone_id string

The unique ID for the phone number.

phone_number string

The phone number.

verified boolean

The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.

providers array[objects]

An array of OAuth provider objects linked to the User.

oauth_user_registration_id string

The unique ID for an OAuth registration.

provider_subject string

The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols.

provider_type string

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.

profile_picture_url string

If available, the profile_picture_url is a url of the User's profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Facebook profile picture.

locale string

If available, the locale is the User's locale set in the OAuth identity provider that the user has authenticated with.

webauthn_registrations array[objects]

An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API.

webauthn_registration_id string

The unique ID for the Passkey or WebAuthn registration.

domain string

The domain on which Passkey or WebAuthn registration was started. This will be the domain of your app.

user_agent string

The user agent of the User.

authenticator_type string

The authenticator_type string displays the requested authenticator type of the Passkey or WebAuthn device. The two valid types are "platform" and "cross-platform". If no value is present, the Passkey or WebAuthn device was created without an authenticator type preference.

verified boolean

The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.

name string

The name of the Passkey or WebAuthn registration.

biometric_registrations array[objects]

An array that contains a list of all biometric registrations for a given User in the Stytch API.

biometric_registration_id string

The unique ID for a biometric registration.

verified boolean

The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.

totps array[objects]

An array containing a list of all TOTP instances for a given User in the Stytch API.

totp_id string

The unique ID for a TOTP instance.

verified boolean

The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.

crypto_wallets array[objects]

An array contains a list of all crypto wallets for a given User in the Stytch API.

crypto_wallet_id string

The unique ID for a crypto wallet

crypto_wallet_address string

The actual blockchain address of the User's crypto wallet.

crypto_wallet_type string

The blockchain that the User's crypto wallet operates on, e.g. Ethereum, Solana, etc.

verified boolean

The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.

password object

The password object is returned for users with a password.

password_id string

The unique ID of a specific password

requires_reset boolean

Indicates whether this password requires a password reset

roles array[strings]

Roles assigned to this User. See the RBAC guide for more information about role assignment.

created_at string

The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

status string

The status of the User. The possible values are pending and active.

connected_app object

The Connected App affected by this operation. Only a subset of fields safe for public viewing are returned.

client_id string

The ID of the Connected App client.

client_name string

A human-readable name for the client.

client_description string

A human-readable description for the client.

client_type string

The type of Connected App. Supported values are first_party, first_party_public, third_party, and third_party_public.

logo_url string

The logo URL of the Connected App, if any.

consent_required boolean

Whether the user must provide explicit consent for the authorization request.

scope_results array[object]

Details about each requested scope.

scope string

The name of the scope.

description string

A human-readable description of the scope, taken from the RBAC Policy.

is_grantable boolean

Indicates whether the scope can be granted. Users can only grant scopes if they have the required permissions.

Delete

Via email

Embeddable

Start

Reset options

Via SMS

Via Whatsapp

Via email

Register

Authenticate

Token

M2M Client

Rotate secret

Tokens

Configuration

Methods

Consent Management

Application Management

Rotate secret

Start OAuth Authorization

Body parameters

Response fields