Stytch – The most powerful identity platform built for developers

Start SSO Login Flow

GET

https://test.stytch.com/v1/public/sso/start?connection_id={connection_id}&public_token={public_token}

A client-side endpoint (can only be queried from the user's browser) that starts the SSO Authentication flow. This endpoint redirects the User to the IdP with all of the information required to complete the SSO Authentication flow. From there, the user signs into their IdP before getting redirected back to Stytch. After verifying the request, Stytch immediately redirects the user back to the redirect_url configured in the Redirect URLs page of the Stytch Dashboard.

When making a request to this endpoint, you must include one of connection_id or organization_id. If you use organization_id, that organization's default SSO connection will be used for the login flow.

Query parameters

connection_id string

The ID of the SSO connection to use for the login flow.

organization_id string

If an organization ID (or external ID) is specified, the organization's default SSO connection will be used.

public_token* string

The public token from the Stytch Dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

pkce_code_challenge string

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device.

login_redirect_url string

The URL Stytch redirects to after the SSO flow is completed for a Member that already exists. This URL should be a route in your application which will run sso.authenticate (see below) and finish the login.

The URL must be configured as a Login URL in the Redirect URL page. If the field is not specified, the default Login URL will be used.

signup_redirect_url string

The URL Stytch redirects to after the SSO flow is completed for a Member that does not yet exist. This URL should be a route in your application which will run sso.authenticate (see below) and finish the login.

The URL must be configured as a Sign Up URL in the Redirect URL page. If the field is not specified, the default Sign Up URL will be used.

custom_scopes string

A list of custom scopes that will be requested on each SSOStart call, separated by the plus sign (+). The total set of scopes will be the union of: the OIDC scopes openid email profile, the scopes requested in the custom_scopes query parameter on each SSOStart call, and the scopes listed in the OIDC Connection object.

Response fields

status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

redirect_url string

The url to redirect to. This should be done automatically by the browser.

// Not applicable since this endpoint is only meant to be queried on the client's browser

RESPONSE 302

{
  "status_code": 302,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "redirect_url": "https://idp.example.com/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml"
}

RESPONSE 400

{
    "status_code": 400,
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "error_type": "duplicate_email",
    "error_message": "A user with the specified email already exists for this project.",
    "error_url": "https://stytch.com/docs/api/errors/400"
}

RESPONSE 401

{
  "status_code": 401,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "unauthorized_credentials",
  "error_message": "Unauthorized credentials.",
  "error_url": "https://stytch.com/docs/api/errors/401"
}

RESPONSE 429

{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}

RESPONSE 500

{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}

Delete

Organization

Discovery

Organization

Discovery

Discovery

Organization

Token

SAML

OIDC

External

Shared

Connection management

Token management

SCIM groups

Create or Reset Options

One-time passcodes

Time-based one-time passcodes

Recovery codes

TOKEN

M2M Client

Rotate secret

Tokens

Configuration

Methods

Consent Management

Application Management

Rotate secret

Start SSO Login Flow

Query parameters

Response fields