POST /v1/auth/oauth/authorize
{
  "url": "<string>",
  "code": "<string>",
  "state": "<string>"
}

Overview

Called after user authentication to generate an authorization code. This endpoint requires two different tokens:
  1. JWT Token (in request body): Session token from Step 1
  2. Access Token (in Authorization header): User access token from Step 2
In hosted UI mode, this endpoint is called automatically. In API-mode, your application calls this directly.

Request

Headers

x-client-key (string, required)
Your public API client key

Authorization (string, required)
Bearer token from POST /v1/auth/login
Format: Bearer ACCESS_TOKEN

Body

token (string, required)
JWT session token from Step 1
Format: JWT
Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Response

url (string)
Complete redirect URL with authorization code
Example: https://yourapp.com/callback?state=random_csrf&code=auth_code_xyz

code (string)
Authorization code (single-use, exchange in Step 4)
Example: auth_code_xyz123

state (string)
CSRF protection token from Step 1 (verify this matches)
Example: random_csrf_protection_string_12345

Code Examples

curl -X POST "https://dev.api.baanx.com/v1/auth/oauth/authorize" \
  -H "x-client-key: your-client-key" \
  -H "Authorization: Bearer ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"token": "JWT_FROM_STEP_1"}'
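
The response's state must be verified before the code is exchanged. The following is an added example, not part of the original documentation: a client-side check of the url, code and state fields. It assumes the application stored the state it generated in Step 1 and knows its registered callback URL; the function, exception and parameter names are hypothetical.

```python
import hmac
from urllib.parse import urlsplit, parse_qs


class AuthorizeResponseError(ValueError):
    """Raised when the authorize response fails a consistency check."""


def verify_authorize_response(resp, expected_state, redirect_uri):
    """Return the authorization code only if every check passes.

    expected_state and redirect_uri are assumed to be values the application
    stored server-side in Step 1 (hypothetical parameter names).
    """
    code, state, url = resp.get("code"), resp.get("state"), resp.get("url")
    if not all(isinstance(v, str) and v for v in (code, state, url)):
        raise AuthorizeResponseError("missing url, code or state")

    # Constant-time comparison of the CSRF state against the stored value.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise AuthorizeResponseError("state mismatch")

    # The redirect target must be the callback the application registered.
    got, want = urlsplit(url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise AuthorizeResponseError("unexpected redirect target")

    # The query string must carry exactly one code and one state, and both
    # must agree with the JSON fields of the same response.
    query = parse_qs(got.query, keep_blank_values=True)
    if query.get("code") != [code] or query.get("state") != [state]:
        raise AuthorizeResponseError("url does not match code/state fields")
    return code


# Constructed sample response, modelled on the example values on this page.
SAMPLE = {
    "url": "https://yourapp.com/callback?state=random_csrf&code=auth_code_xyz",
    "code": "auth_code_xyz",
    "state": "random_csrf",
}

if __name__ == "__main__":
    print(verify_authorize_response(SAMPLE, "random_csrf",
                                    "https://yourapp.com/callback"))
```
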

Next Steps

Step 4: Token Exchange

Exchange authorization code for access and refresh tokens