OAuth Overview

OAuth, also known as Social Login or Social SSO, lets end users sign up and log in to your application through their authenticated identity at common OAuth providers such as Google or Microsoft.

API Objects & Endpoints

API Resources

Organization

A top-level tenant that groups members, auth settings, roles, and other identity configurations.

Member

Represents an authenticated user who is a member of a specific Organization.

OAuth

A collection of OAuth endpoints for login and signup via social identity providers.

Member Session

A managed session that tracks a Member's logged-in state using JWTs or session tokens.

How It Works

In Stytch’s B2B product there are two different versions of the OAuth authentication flow:

  1. Discovery Authentication: used for self-serve Organization creation or login prior to knowing the Organization context
  2. Organization-specific Authentication: used when you already know the Organization that the end user is trying to log into

Both flows support OAuth, allow end users to accept pending invites or be Just-in-Time (JIT) provisioned by email domain, and finish with the end user authenticated in a specific Organization. However, Discovery involves one additional step to surface the end user's "discovered organizations" (the Organizations they are eligible to log in to), and it also allows self-serve Organization creation.
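The Discovery flow's extra organization-selection step is the point where the application's own logic must decide which of the discovered organizations the end user may actually enter. The Python below is an added example written for this page, not Stytch's SDK or sample code. It routes a redirect callback by the stytch_token_type query parameter (that parameter name and the values oauth and discovery_oauth come from Stytch's callback format, not from this page), and then applies the three ways the page says a user ends up in an Organization (existing membership, a pending invite, JIT provisioning by email domain) before accepting an organization selection. The DiscoveredOrg fields, the SAMPLE_ORGS data and the PUBLIC_MAIL_DOMAINS list are constructed for the example and are assumptions, not Stytch's schema.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


# Constructed model of one entry in a Discovery flow's "discovered organizations"
# list. Field names are assumptions for this example, not the Stytch schema.
@dataclass(frozen=True)
class DiscoveredOrg:
    organization_id: str
    slug: str
    jit_email_domains: frozenset = frozenset()  # domains allowed to JIT-provision
    invited_emails: frozenset = frozenset()     # addresses with a pending invite
    member_emails: frozenset = frozenset()      # existing members


# JIT provisioning by a shared public mail domain would let anyone with a free
# mailbox join, so such domains never count as a JIT match. Constructed list.
PUBLIC_MAIL_DOMAINS = frozenset({"gmail.com", "outlook.com", "yahoo.com"})


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def classify_callback(url: str) -> tuple[str, str]:
    """Split a Stytch redirect callback URL into (flow, token).

    Stytch appends `token` and `stytch_token_type` to the redirect URL:
    `oauth` is the Organization-specific flow, `discovery_oauth` is Discovery.
    Any other type is rejected so a token is never passed to the wrong
    authenticate method.
    """
    query = parse_qs(urlparse(url).query)
    token = query.get("token", [""])[0]
    token_type = query.get("stytch_token_type", [""])[0]
    if not token:
        raise ValueError("callback carries no token")
    if token_type == "oauth":
        return "organization", token
    if token_type == "discovery_oauth":
        return "discovery", token
    raise ValueError(f"unexpected stytch_token_type {token_type!r}")


def eligible_organizations(email: str, discovered: list[DiscoveredOrg]) -> dict[str, str]:
    """Map organization_id -> reason the end user may log in to it.

    Reasons mirror the page: existing member, pending invite, or JIT
    provisioning by email domain. Organizations with no match are omitted.
    """
    email = email.lower()
    domain = email_domain(email)
    eligible: dict[str, str] = {}
    for org in discovered:
        if email in org.member_emails:
            eligible[org.organization_id] = "member"
        elif email in org.invited_emails:
            eligible[org.organization_id] = "pending_invite"
        elif domain in org.jit_email_domains and domain not in PUBLIC_MAIL_DOMAINS:
            eligible[org.organization_id] = "jit_domain"
    return eligible


def select_organization(email: str, discovered: list[DiscoveredOrg], chosen_id: str) -> str:
    """Server-side check for the Discovery flow's organization-selection step.

    The organization_id the browser posts back must be validated against the
    discovered list before any access token is requested for it; otherwise a
    user could name an Organization they were never shown.
    """
    reason = eligible_organizations(email, discovered).get(chosen_id)
    if reason is None:
        raise PermissionError(f"{email} is not eligible for organization {chosen_id}")
    return reason


# Constructed sample data: four organizations discovered for dana@acme.example.
SAMPLE_ORGS = [
    DiscoveredOrg("org-acme", "acme", jit_email_domains=frozenset({"acme.example"})),
    DiscoveredOrg("org-globex", "globex", invited_emails=frozenset({"dana@acme.example"})),
    DiscoveredOrg("org-initech", "initech", member_emails=frozenset({"dana@acme.example"})),
    DiscoveredOrg("org-hooli", "hooli"),
]

if __name__ == "__main__":
    flow, _ = classify_callback(
        "https://app.example/auth/callback?token=tok-d1&stytch_token_type=discovery_oauth"
    )
    print(flow, eligible_organizations("dana@acme.example", SAMPLE_ORGS))
```

In a real integration the discovered list comes from the Discovery authenticate response and the chosen organization is then exchanged for a Member Session via the Get Access Token APIs; the point of the example is that the eligibility check runs on the server against that response, never on the client's say-so.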

Summary of Key Differences

Each guide walks through both OAuth flows in detail for the integration method chosen. For a quick overview of the differences, see the table below:

| | Discovery Authentication | Organization-specific Authentication |
|---|---|---|
| OAuth Start Initiated With | | public_token and organization_id OR slug |
| Redirect URL Used for Callback | | Login or Sign-up |
| Stytch Token Type | | |
| Authenticate Method | | |
| Access and Refresh Token | Retrieve via Get Access Token APIs after organization selection | Returned in oauth.authenticate() response, or can retrieve via Get Access Token APIs |