OAuth Authorise
Start the browser-based OAuth 2.0 Authorization Code flow with PKCE.
This endpoint requires a browser session. If the account is not signed in, Storyden redirects to the frontend login route instead of returning a protocol redirect to the client application.
Unlike many OAuth servers, Storyden does not render a consent page from
this API endpoint. A valid request creates a short-lived pending
authorisation request and redirects the browser to the configured
frontend authorisation-code consent URL. Custom frontends can change
this URL with `OAUTH_AUTHORISATION_CODE_CONSENT_URL`.
The `scope` parameter follows OAuth 2.0 and is optional. Empty or
omitted scope means no requested scopes. Storyden permission scopes are
granted only when allowed by the client and by the signed-in account's
current permissions.
GET /oauth/authorize

Authorization
browser In: cookie

Query Parameters
`response_type`: OAuth response type. Storyden currently supports authorisation code. Value: "code"
`client_id`: OAuth client identifier.
`redirect_uri`: Registered redirect URI for the OAuth client. Format: uri
`scope`: Space-separated OAuth scopes requested by the client.
`state`: Client-provided opaque state returned to the redirect URI.
`code_challenge`: PKCE code challenge.
`code_challenge_method`: PKCE code challenge method. Value: "S256"

Response Body
text/html
application/json
application/json
```bash
curl -X GET "https://loading/api/oauth/authorize?response_type=code&client_id=string&redirect_uri=http%3A%2F%2Fexample.com&code_challenge=string&code_challenge_method=S256"
```

```json
"string"
```

```json
{
  "error": "string",
  "error_description": "string"
}
```

```json
{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}
```

Auth Provider Logout POST
Performs an HTTP logout by clearing the session cookie and redirecting to the requested path at the frontend's `WEB_ADDRESS`. Typically this may be a secondary logout route on the frontend implementation that can handle any frontend-specific logout tasks. This is necessary in cases where the frontend is running on a different origin to the API service, such as api.site.com vs site.com, because Clear-Site-Data and other headers are same-origin compliant and won't work cross-origin.
OAuth Authorise Consent GET
Read a pending OAuth authorisation code request for a signed-in user before they approve or deny consent in the frontend. This is a Storyden frontend/API integration endpoint, not an OAuth protocol endpoint. It returns the client, redirect URI, requested scopes, and currently grantable scopes so the frontend can render a consent screen.