Authorization Endpoint
PUBLIC ENDPOINT: Standard OAuth2 authorization endpoint. Validates request parameters and redirects to the consent screen. Supports PKCE for enhanced security. This is the entry point for Authorization Code Flow - compatible with standard OAuth2 clients.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| client_id | string | Yes | Your OAuth application client ID |
| redirect_uri | string | Yes | Redirect URI registered with your application |
| scope | string | Yes | Comma-separated list of requested scopes (e.g. `read:user,read:organization`) |
| state | string | Yes | Random value for CSRF protection; verify it matches on callback |
| response_type | string | Yes | Must be `code` |
| code_challenge | string | No | PKCE code challenge: Base64-URL encoded SHA-256 hash of your `code_verifier` |
| code_challenge_method | string | No | `S256` (recommended) or `plain` |
Example
Construct the URL and redirect your user:
What happens next
- The user is shown the Timbrix consent screen with the requested scopes
- If the user approves, they are redirected to your `redirect_uri` with a `code` and `state` parameter
- If the user denies, they are redirected with `error=access_denied`
- Exchange the `code` for tokens using `POST /oauth/token/exchange`
Callback example
state parameter matches the value you generated before proceeding.
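An added example (not Timbrix's own code) of the client side of this flow: build the authorization URL with a random `state` and an S256 PKCE challenge, then validate the callback before using the `code`. The URL in `AUTHORIZE_URL` is a placeholder because the page does not give the endpoint's host or path, and `begin_authorization`, `handle_callback` and `CallbackError` are hypothetical names.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: placeholder URL; the page does not give the endpoint's host or path.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"

class CallbackError(Exception):
    """Raised when the callback must not be trusted."""

def pkce_challenge(code_verifier):
    """S256 challenge: unpadded Base64-URL of SHA-256(code_verifier)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def begin_authorization(client_id, redirect_uri, scopes):
    """Return (url, session); keep session server-side, tied to this user."""
    session = {"state": secrets.token_urlsafe(32),
               "code_verifier": secrets.token_urlsafe(64)}  # 86 characters
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),
        "state": session["state"],
        "response_type": "code",
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), session

def handle_callback(callback_url, session):
    """Return the authorization code only if the callback passes every check."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    # Assumption: state is echoed on error redirects too, as RFC 6749 requires.
    if not hmac.compare_digest(returned.encode(), session["state"].encode()):
        raise CallbackError("state mismatch")
    if "error" in query:  # e.g. error=access_denied when the user denies
        raise CallbackError(query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise CallbackError("missing or repeated code")
    return codes[0]  # exchange it via POST /oauth/token/exchange
```

The stored `code_verifier` never appears in the authorization URL; only its hash does, so it stays in the server-side session until the token exchange.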
Common Errors
400 Bad Request
Invalid `client_id`, `redirect_uri` mismatch, or unsupported `response_type`.
302 - consent screen
On success, the user is redirected to the Timbrix consent screen; no JSON response is returned.
Query Parameters
OAuth application client ID
"app_abc123..."
Redirect URI registered with the application
"https://example.com/oauth/callback"
Comma-separated list of requested scopes
"read:user,read:organization"
CSRF protection state parameter. Client should generate a random value and verify it on callback.
"random_state_abc123"
Response type (must be 'code' for Authorization Code Flow)
"code"
PKCE code challenge (optional, for enhanced security). Base64-URL encoded SHA256 hash of code_verifier.
"E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
PKCE code challenge method. Use 'S256' for SHA256 hashing (recommended) or 'plain' for no hashing.
S256, plain "S256"
Response
Redirects to consent screen with validated parameters. User will be prompted to authorize or deny the application.