GET /oauth/authorize
OAuth2 Authorization Endpoint (redirects to consent screen)
curl --request GET \
  --url http://sandbox.mintlify.com/oauth/authorize
Entry point for the Authorization Code Flow. Validates the request and redirects the user’s browser to the Timbrix consent screen.
This is a browser redirect, not a direct API call. Construct the URL with the parameters below and redirect your user to it.
Rate-limited to 30 requests per minute.

Query Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | Yes | Your OAuth application client ID |
| redirect_uri | string | Yes | Redirect URI registered with your application |
| scope | string | Yes | Comma-separated list of requested scopes (e.g. read:user,read:organization) |
| state | string | Yes | Random value for CSRF protection — verify it matches on callback |
| response_type | string | Yes | Must be code |
| code_challenge | string | No | PKCE code challenge — Base64-URL encoded SHA-256 hash of your code_verifier |
| code_challenge_method | string | No | S256 (recommended) or plain |

Example

Construct the URL and redirect your user:
const params = new URLSearchParams({
  client_id: "app_1234567890abcdef",
  redirect_uri: "https://example.com/oauth/callback",
  scope: "read:user,read:organization",
  state: crypto.randomUUID(), // store this to verify on callback
  response_type: "code",
  // PKCE (recommended)
  code_challenge: "<base64url(sha256(code_verifier))>",
  code_challenge_method: "S256",
})

window.location.href = `https://api.timbrix.com/api/oauth/authorize?${params}`

What happens next

  1. The user is shown the Timbrix consent screen with the requested scopes
  2. If the user approves, they are redirected to your redirect_uri with a code and state parameter
  3. If the user denies, they are redirected with error=access_denied
  4. Exchange the code for tokens using POST /oauth/token/exchange

Callback example

https://example.com/oauth/callback?code=code_abc123xyz&state=<your_state>
Always verify the state parameter matches the value you generated before proceeding.
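
The callback handling described in steps 2 and 3 and the state check above, as an added example that is not Timbrix's own code. The function name parseCallback, its parameters and the reason strings are assumptions of this example, and it assumes the denial redirect also carries state.

```javascript
// Added example, not Timbrix code. parseCallback, its parameters and the
// reason strings are hypothetical names chosen for this illustration.

// Compare two strings without stopping at the first differing character.
function sameString(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// callbackUrl: full URL the browser landed on.
// expectedState: the state value stored before redirecting to /oauth/authorize.
// registeredRedirectUri: the redirect_uri that was sent in that request.
function parseCallback(callbackUrl, expectedState, registeredRedirectUri) {
  const url = new URL(callbackUrl);
  const registered = new URL(registeredRedirectUri);
  // The callback must arrive on the registered origin and path.
  if (url.origin !== registered.origin || url.pathname !== registered.pathname) {
    return { ok: false, reason: "unexpected_redirect_target" };
  }
  const q = url.searchParams;
  // Reject repeated parameters: parsers disagree on which copy wins.
  for (const name of ["code", "state", "error"]) {
    if (q.getAll(name).length > 1) return { ok: false, reason: `duplicate_${name}` };
  }
  // Verify state before anything else, so an unsolicited callback is dropped.
  // Assumption: the denial redirect also carries state; if it does not, the
  // result is state_mismatch, which is still a rejection.
  const state = q.get("state");
  if (!expectedState || !state || !sameString(state, expectedState)) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (q.has("error")) {
    return { ok: false, reason: "authorization_error", error: q.get("error") };
  }
  const code = q.get("code");
  if (!code) return { ok: false, reason: "missing_code" };
  return { ok: true, code }; // next step: POST /oauth/token/exchange
}

// Constructed sample callbacks (values are illustrative only).
const REDIRECT = "https://example.com/oauth/callback";
console.log(parseCallback(`${REDIRECT}?code=code_abc123xyz&state=s-1`, "s-1", REDIRECT));
console.log(parseCallback(`${REDIRECT}?code=code_abc123xyz&state=forged`, "s-1", REDIRECT));
console.log(parseCallback(`${REDIRECT}?error=access_denied&state=s-1`, "s-1", REDIRECT));
```

In a browser, expectedState would be read from wherever it was stored before the redirect (for instance sessionStorage) and cleared after one use.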

Common Errors

400 Bad Request

Invalid client_id, redirect_uri mismatch, or unsupported response_type. On success, the user is redirected to the Timbrix consent screen — no JSON response is returned.

Query Parameters

client_id (string, required)

OAuth application client ID

Example: "app_abc123..."

redirect_uri (string, required)

Redirect URI registered with the application

Example: "https://example.com/oauth/callback"

scope (string, required)

Comma-separated list of requested scopes

Example: "read:user,read:organization"

state (string, required)

CSRF protection state parameter. Client should generate a random value and verify it on callback.

Example: "random_state_abc123"

response_type (string, required, default: code)

Response type (must be 'code' for Authorization Code Flow)

Example: "code"

code_challenge (string)

PKCE code challenge (optional, for enhanced security). Base64-URL encoded SHA256 hash of code_verifier.

Example: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

code_challenge_method (enum<string>)

PKCE code challenge method. Use 'S256' for SHA256 hashing (recommended) or 'plain' for no hashing.

Available options: S256, plain

Example: "S256"

Response

Redirects to consent screen with validated parameters. User will be prompted to authorize or deny the application.