Stytch – The most powerful identity platform built for developers

Submit OAuth Authorization

POST

https://test.stytch.com/v1/b2b/idp/oauth/authorize

Completes a request for authorization of a Connected App to access a Member's account.

Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the Preflight Check API. Note that this endpoint takes in a few additional parameters the preflight check does not- state, nonce, and code_challenge.

If the authorization was successful, the redirect_uri will contain a valid authorization_code embedded as a query parameter. If the authorization was unsuccessful, the redirect_uri will contain an OAuth2.1 error_code. In both cases, redirect the Member to the location for the response to be consumed by the Connected App.

Exactly one of the following must be provided to identify the Member granting authorization:

organization_id + member_id
session_token
session_jwt

If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.

Body parameters

organization_id string

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

member_id string

Globally unique UUID that identifies a specific Member. The member_id is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.

session_token string

A secret token for a given Stytch Session.

session_jwt string

The JSON Web Token (JWT) for a given Stytch Session.

consent_granted boolean

Indicates whether the user granted the requested scopes.

scopes array[strings]

An array of scopes requested by the client.

client_id* string

The ID of the Connected App client.

redirect_uri* string

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

response_type* string

The OAuth 2.0 response type. For authorization code flows this value is code.

prompt string

Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only consent is supported today.

state string

An opaque value used to maintain state between the request and callback.

nonce string

A string used to associate a client session with an ID token to mitigate replay attacks.

code_challenge string

A base64url encoded challenge derived from the code verifier for PKCE flows.

Response fields

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

redirect_uri string

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

authorization_code string

A one-time use code that can be exchanged for tokens.

const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  consent_granted: true,
  scopes: ["openid"],
  client_id: "connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888",
  redirect_uri: "https://app.example/oauth/callback",
  response_type: "code",
};

client.idp.oauth.authorize(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

RESPONSE 200

{
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "redirect_uri": "https://example.com/callback",
  "authorization_code": "example-authorization-code"
}

RESPONSE 401

{
  "status_code": 401,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "unauthorized_credentials",
  "error_message": "Unauthorized credentials.",
  "error_url": "https://stytch.com/docs/api/errors/401"
}

RESPONSE 429

{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}

RESPONSE 500

{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}

Delete

Organization

Discovery

Organization

Discovery

Discovery

Organization

Token

SAML

OIDC

External

Shared

Connection management

Token management

SCIM groups

Create or Reset Options

One-time passcodes

Time-based one-time passcodes

Recovery codes

TOKEN

M2M Client

Rotate secret

Tokens

Configuration

Methods

Consent Management

Application Management

Rotate secret

Submit OAuth Authorization

Body parameters

Response fields