# Generate Authorization Code

> Third step of OAuth 2.0 flow - generate authorization code from JWT and access tokens

## Overview

Called after user authentication to generate an authorization code. This endpoint requires **two different tokens**:

1. **JWT Token** (in request body): Session token from Step 1
2. **Access Token** (in Authorization header): User access token from Step 2

<Note>
  In hosted UI mode, this endpoint is called automatically. In API-mode, your application calls this directly.
</Note>

## Request

### Headers

<ParamField header="x-client-key" type="string" required>
  Your public API client key
</ParamField>

<ParamField header="Authorization" type="string" required>
  Bearer token from `POST /v1/auth/login`

  **Format**: `Bearer ACCESS_TOKEN`
</ParamField>

### Body

<ParamField body="token" type="string" required>
  JWT session token from Step 1

  **Format**: JWT

  **Example**: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...`
</ParamField>

## Response

<ResponseField name="url" type="string">
  Complete redirect URL with authorization code

  **Example**: `https://yourapp.com/callback?state=random_csrf&code=auth_code_xyz`
</ResponseField>

<ResponseField name="code" type="string">
  Authorization code (single-use, exchange in Step 4)

  **Example**: `auth_code_xyz123`
</ResponseField>

<ResponseField name="state" type="string">
  CSRF protection token from Step 1 (verify that it matches the Step 1 value before using `code`)

  **Example**: `random_csrf_protection_string_12345`
</ResponseField>

## Code Examples

<CodeGroup>
  ```bash cURL theme={null}
  curl -X POST "https://dev.api.baanx.com/v1/auth/oauth/authorize" \
    -H "x-client-key: your-client-key" \
    -H "Authorization: Bearer ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"token": "JWT_FROM_STEP_1"}'
  ```

  ```javascript JavaScript theme={null}
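  // accessToken comes from POST /v1/auth/login (Step 2);
  // jwtToken and originalState come from Step 1.
  const response = await fetch('https://dev.api.baanx.com/v1/auth/oauth/authorize', {
    method: 'POST',
    headers: {
      'x-client-key': 'your-client-key',
      'Authorization': `Bearer ${accessToken}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ token: jwtToken })
  });

  // Stop on HTTP errors instead of parsing an error body as a success response
  if (!response.ok) {
    throw new Error(`Authorize request failed: HTTP ${response.status}`);
  }

  const { code, state, url } = await response.json();

  // CSRF check: reject the response if state differs from the Step 1 value
  if (state !== originalState) {
    throw new Error('State mismatch: discard this authorization code');
  }
  // `code` is single-use; pass it to Step 4 and keep it out of logs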
  ```
</CodeGroup>
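
The response fields above can be checked together before the code is exchanged in Step 4. The following is an added example, not code from the Baanx documentation: `validateAuthorizeResponse`, `expected.state` and `expected.redirectUri` are hypothetical names, and it assumes the `code` and `state` query parameters inside `url` repeat the values of the body fields.

```javascript
// Added example, not Baanx code. `expected.state` and `expected.redirectUri`
// are hypothetical names for values your app stored when it started Step 1.

// Compare two strings without returning early at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function validateAuthorizeResponse(body, expected) {
  const { url, code, state } = body ?? {};
  const present = [url, code, state].every((v) => typeof v === 'string' && v !== '');
  if (!present) return { ok: false, reason: 'missing_field' };

  // CSRF check: the state must be the one this session issued in Step 1.
  if (!constantTimeEqual(state, expected.state)) {
    return { ok: false, reason: 'state_mismatch' };
  }

  // The redirect must point at the callback your application expects.
  let redirect, wanted;
  try {
    redirect = new URL(url);
    wanted = new URL(expected.redirectUri);
  } catch {
    return { ok: false, reason: 'invalid_url' };
  }
  if (redirect.origin !== wanted.origin || redirect.pathname !== wanted.pathname) {
    return { ok: false, reason: 'unexpected_redirect_target' };
  }

  // Assumption: the query parameters in `url` repeat the body's code and state.
  const q = redirect.searchParams;
  if (q.get('code') !== code || q.get('state') !== state) {
    return { ok: false, reason: 'url_body_disagree' };
  }
  return { ok: true, code };
}

// Constructed sample response, not real API output.
const sampleResponse = {
  url: 'https://yourapp.com/callback?state=st_8f2c1e&code=auth_code_xyz',
  code: 'auth_code_xyz',
  state: 'st_8f2c1e',
};
const sampleExpected = { state: 'st_8f2c1e', redirectUri: 'https://yourapp.com/callback' };
```

Only pass `code` to the Step 4 exchange when the result is `{ ok: true }`; any other `reason` means the response should be discarded and the flow restarted.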

## Next Steps

<Card title="Step 4: Token Exchange" href="/api-reference/auth/oauth-token">
  Exchange authorization code for access and refresh tokens
</Card>
