Stytch - Auth platform for developers

Completes a request for authorization of a Connected App to access a Member's account.

Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the Preflight Check API. Note that this endpoint takes in a few additional parameters the preflight check does not- state, nonce, and code_challenge.

If the authorization was successful, the redirect_uri will contain a valid authorization_code embedded as a query parameter. If the authorization was unsuccessful, the redirect_uri will contain an OAuth2.1 error_code. In both cases, redirect the Member to the location for the response to be consumed by the Connected App.

Exactly one of the following must be provided to identify the Member granting authorization: organization_id + member_id session_token session_jwt

If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.

Method parameters

client_id* string

The ID of the Connected App client.

redirect_uri* string

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

response_type* string

The OAuth 2.0 response type. For authorization code flows this value is code.

consent_granted boolean

Indicates whether the user granted the requested scopes.

code_challenge string

A base64url encoded challenge derived from the code verifier for PKCE flows.

nonce string

A string used to associate a client session with an ID token to mitigate replay attacks.

prompt string

Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only consent is supported today.

scopes array[strings]

An array of scopes requested by the client.

state string

An opaque value used to maintain state between the request and callback.

Response fields

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

redirect_uri string

The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

authorization_code string

A one-time use code that can be exchanged for tokens.

import React, { useState } from 'react'; import { useStytch } from '@stytch/react'; export const OAuthAuthorizeSubmit = () => { const stytch = useStytch(); const [loading, setLoading] = useState(false); const [result] = useState(null); const submitOAuthAuthorization = async () => { setLoading(true); try { const response = await stytch.idp.oauthAuthorizeSubmit({ client_id: 'connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888', redirect_uri: 'https://example.com/callback', response_type: 'code', scopes: ['openid', 'profile', 'email'], prompt: 'consent', state: 'example-state', nonce: 'example-nonce', code_challenge: 'example-code-challenge', consent_granted: true, }); // Redirect to the returned redirect URI if (response.redirect_uri) { window.location.href = response.redirect_uri; } } catch (error) { console.error('Error submitting OAuth authorization:', error); } finally { setLoading(false); } }; return ( <div> <button onClick={submitOAuthAuthorization} disabled={loading}> {loading ? 'Submitting Authorization...' : 'Submit OAuth Authorization'} </button> {result && ( <div> <h3>Authorization Result:</h3> <pre>{JSON.stringify(result, null, 2)}</pre> </div> )} </div> ); };

{ "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141", "connected_app_redirect_uri": "https://example.com/callback?authorization_code=example-authorization-code&state=example-state", "authorization_code": "example-authorization-code" }