OAuth Remote Callback
Complete a remote OAuth authorization code callback. This validates the saved state, exchanges the code with PKCE, and stores returned tokens on the remote connection.
GET /oauth/remote/callback
Authorization
browser In: cookie
Query Parameters
Client-provided opaque state returned to the redirect URI.
OAuth authorization code returned to the redirect URI.
Response Body
application/json
application/json
```bash
curl -X GET "https://example.com/oauth/remote/callback?code=string"
```

```json
{
  "connection": {
    "id": "cc5lnd2s1s4652adtu50",
    "createdAt": "2019-08-24T14:15:22Z",
    "updatedAt": "2019-08-24T14:15:22Z",
    "resource_url": "http://example.com",
    "resource": "string",
    "resource_name": "string",
    "authorization_server": "http://example.com",
    "mode": "cimd",
    "status": "pending",
    "client_id": "string",
    "has_client_secret": true,
    "authorization_endpoint": "http://example.com",
    "token_endpoint": "http://example.com",
    "registration_endpoint": "http://example.com",
    "token_endpoint_auth_method": "string",
    "redirect_uri": "http://example.com",
    "redirect_uris": [
      "http://example.com"
    ],
    "scope": "string",
    "has_access_token": true,
    "has_refresh_token": true,
    "token_type": "string",
    "token_expiry": "2019-08-24T14:15:22Z",
    "last_error": "string"
  }
}
```

```json
{
  "type": "string",
  "title": "string",
  "detail": "string",
  "trace_id": "string",
  "metadata": {}
}
```

OAuth Refresh Token List GET
List OAuth refresh tokens issued to the authenticated account. This is the member-facing "authorised applications" view: it lists apps the signed-in account has authorised and can revoke. In OAuth terms, these rows are grants/tokens, not application definitions. This may include grants for built-in first-party clients such as the default Storyden CLI. Those clients are not created by the member and therefore do not appear in the member OAuth client list.
OAuth Token POST
Exchange an OAuth authorisation code, device code, refresh token, or client credentials grant for tokens. Supported grants are advertised by `/.well-known/openid-configuration`. Public clients authenticate with `client_id` only and must use grants suitable for public clients, such as device code or authorisation code with PKCE. Confidential clients must provide `client_secret` for authorisation-code, refresh-token, and client-credentials exchanges. Storyden access tokens are short-lived JWTs containing the issued `scope`. Revoking a refresh token or changing account permissions does not revoke an already-issued access token; permission changes are applied on the next token issuance or refresh. Device-code polling returns OAuth-compatible errors such as `authorization_pending`, `slow_down`, `expired_token`, `access_denied`, and `invalid_grant`.
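The callback description at the top of this page (validate the saved state, then exchange the code with PKCE) and the authorisation-code-with-PKCE grant mentioned for the token endpoint can be illustrated together. The following is an added example, not Storyden's code: the in-memory `store`, the session-keyed lookup, `STATE_TTL`, and all function names are assumptions made for the sketch; the form field names are the standard ones from RFC 6749 and RFC 7636.

```python
import base64, hashlib, hmac, secrets, time

STATE_TTL = 600  # assumed lifetime, in seconds, of a pending authorization

def s256_challenge(verifier):
    """PKCE S256: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def begin_authorization(store, session_id, now=None):
    """Save state and verifier server-side, keyed by the browser session."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    store[session_id] = {"state": state, "verifier": verifier,
                         "expires": now + STATE_TTL}
    return state, s256_challenge(verifier)  # both go in the authorization URL

def complete_callback(store, session_id, state, code, client_id,
                      redirect_uri, now=None):
    """Validate the callback; return the token-request form or raise ValueError."""
    now = time.time() if now is None else now
    # pop() makes the saved state single use: a replayed or failed callback
    # leaves nothing behind to try again with.
    pending = store.pop(session_id, None)
    if pending is None:
        raise ValueError("no pending authorization for this session")
    if now > pending["expires"]:
        raise ValueError("state expired")
    if not state or not hmac.compare_digest(state.encode(),
                                            pending["state"].encode()):
        raise ValueError("state mismatch")
    if not code:
        raise ValueError("missing code")
    # The verifier never left the server; the token endpoint checks it against
    # the challenge sent earlier, so a stolen code alone cannot be redeemed.
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "redirect_uri": redirect_uri,
            "code_verifier": pending["verifier"]}
```

Binding the pending entry to the cookie-authenticated session means a callback URL delivered to a different browser fails the lookup before the state is even compared.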