Authorization endpoint
Initiates the OAuth 2.0 authorization code flow. Direct users to this endpoint to request authorization.
Authorization Code Flow Steps
- Direct the user's browser to this endpoint with required parameters
- User logs in (if not already authenticated) and authorizes your application
- User is redirected to your redirect_uri with an authorization code parameter (and the state you sent)
- Exchange the code for an access token at /oauth/token
PKCE (Proof Key for Code Exchange)
For public clients (mobile/SPA applications), which cannot keep a client secret, PKCE is recommended so that an intercepted authorization code cannot be redeemed by anyone but the client that started the flow:
1. Generate a random code_verifier (43-128 characters drawn from the unreserved set A-Z, a-z, 0-9, "-", ".", "_", "~")
2. Create code_challenge = BASE64URL(SHA256(code_verifier)) (base64url encoding without padding)
3. Include code_challenge and code_challenge_method=S256 in this request
4. Include code_verifier when exchanging the code at /oauth/token
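The four PKCE steps above, together with the authorization code flow steps and the state check from the callback, as an added example in Python. This is illustrative code, not the service's own client library: the issuer host auth.example.com, the client ID and redirect URI are placeholders, and the second half of the block shows the recomputation that a token endpoint performs when it receives code_verifier, so you can see why a stolen code is useless without the verifier.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder host: substitute the real issuer. Paths are the ones this page documents.
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"
TOKEN_URL = "https://auth.example.com/oauth/token"

# RFC 7636 unreserved characters permitted in a code_verifier.
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Step 1: a CSPRNG-generated verifier of 43-128 allowed characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """Step 2: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, code_challenge: str) -> str:
    """Step 3: the URL the user's browser is sent to, with S256 challenge attached."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side of the redirect: refuse the code unless state matches what we sent."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a callback for another session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


def token_request_body(code: str, redirect_uri: str, client_id: str,
                       code_verifier: str) -> dict:
    """Step 4: form fields to POST to /oauth/token (send with any HTTP client)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does: recompute the S256 challenge from the presented
    verifier and compare it in constant time with the one stored alongside the code."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed walk-through of one flow; no network calls are made.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("client_abc", "https://app.example/cb", "read write", state, challenge))
    # Pretend the browser came back with a code and the same state:
    code = parse_callback(f"https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print(token_request_body(code, "https://app.example/cb", "client_abc", verifier))
    print("server accepts verifier:", server_verifies_pkce(challenge, verifier))
```

Store code_verifier and state in the session that initiated the request, never in the URL or a cookie readable by other origins; a callback carrying a foreign state is the signal that someone is trying to bind their authorization code to your user's session.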
Important Notes
- This is a browser-based flow - users will see a login/authorization screen
- The redirect_uri must be pre-registered with your OAuth application
- The authorization code expires after 10 minutes
- Some applications may be configured to skip the authorization screen (auto-approve)
/oauth/authorize
Parameters
Query Parameters
response_type
string
OAuth response type (must be "code" for authorization code flow)
client_id
string
Your OAuth application's client ID
redirect_uri
string
URI to redirect to after authorization (must match registered redirect URI)
scope
string
Space-separated list of requested scopes (see available scopes in security schemes section)
state
string
Opaque value to maintain state between request and callback; generate it per request with a CSPRNG, store it in the user's session, and reject the callback if the returned value does not match (recommended for CSRF protection)
code_challenge
string
PKCE code challenge (BASE64URL(SHA256(code_verifier)))
code_challenge_method
string
PKCE code challenge method (must be S256)