GET /authorize

To begin an OAuth 2.0 Authorization flow, your application should first send the user to the authorization URL.

Authorize endpoint

The purpose of this call is to obtain consent from the user to invoke the API (specified in audience) and do certain things (specified in scope) on behalf of the user. Auth0 will authenticate the user and obtain consent, unless consent has been previously given. If you alter the value in scope, Auth0 will require consent to be given again.

The OAuth 2.0 flows that require user authorization are:

The Resource Owner Password Grant and Client Credentials Flow do not use this endpoint since there is no user authorization involved. Instead, they directly invoke the POST /oauth/token endpoint to retrieve an Access Token.

Based on the OAuth 2.0 flow you are implementing, the parameters change slightly. To determine which flow is best suited for your case, refer to: Which OAuth 2.0 flow should I use?

Parameters

audience (string, required)
    The unique identifier of the target API you want to access.

resource (string)
    The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to audience when the tenant's Resource Parameter Compatibility Profile is set to compatibility.

scope (string)
    The scopes for which you want to request authorization, separated by spaces. You can request standard OpenID Connect (OIDC) scopes, custom claims, or any scopes supported by the target API. Include offline_access to get a Refresh Token.

response_type (string, required)
    Indicates to Auth0 which OAuth 2.0 Flow you want to perform. Use 'code' for the Authorization Code Grant Flow.

client_id (string, required)
    Your application's ID.

redirect_uri (string)
    The URL to which Auth0 will redirect the browser after authorization has been granted by the user.

state (string)
    An opaque value the application adds to the initial request that Auth0 includes when redirecting the user back to the application. The application must use this value to prevent CSRF attacks.

connection (string)
    The name of the connection configured for your application.

prompt (string)
    To initiate a silent authentication request, use 'prompt=none'.

organization (string)
    ID of the organization to use when authenticating a user. When not provided, if your application is configured to Display Organization Prompt, the user will be able to enter the organization name when authenticating.

invitation (string)
    Ticket ID of the organization invitation. When inviting a member to an Organization, your application should handle invitation acceptance by forwarding the invitation and organization key-value pairs when the user accepts the invitation.

dpop_jkt (string)
    The JWK Thumbprint [RFC7638] of the proof-of-possession public key, computed with the SHA-256 hash function. Used only with Demonstrating Proof-of-Possession (DPoP).

Response

Status  Description
302     Redirect with authorization code
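A worked example, added here and not part of the Auth0 documentation, of how a web application assembles this request and checks the 302 callback: it issues a fresh per-session state for the CSRF check the state parameter describes, computes dpop_jkt as the RFC 7638 thumbprint of the application's DPoP public key, and refuses a callback whose state does not match. The tenant domain, client ID, redirect URI, audience and the JWK used in the test are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values; replace with your tenant's own.
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"
AUDIENCE = "https://api.example.com"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    serialised as compact JSON with keys in lexicographic order, then
    base64url-encoded without padding. This is the dpop_jkt value."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(session: dict, scope: str, dpop_jwk=None) -> str:
    """Build the GET /authorize URL. A new unguessable state is generated for
    every request and kept in the caller's session for the callback check."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "audience": AUDIENCE,
              "scope": scope, "state": state}
    if dpop_jwk is not None:
        params["dpop_jkt"] = jwk_thumbprint(dpop_jwk)
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back to redirect_uri. The stored state is consumed
    (pop) so one login attempt cannot be replayed; comparison is constant-time."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if not expected or not received or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]
```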