Authorize

NOTE: Your application will need to redirect to this endpoint instead of making a direct API call. The redirect should use the vanity domain of the tenant that the user is logging in to.

The OAuth 2 authorization endpoint that is called as part of an authorization code grant type flow.

This endpoint will return one of the following responses:

  • If the given request fails and the client redirect URI can't be determined or the client ID is invalid, then this API returns a redirect to either the default Wristband error page or a custom error page, if one is configured.
  • If the given request fails and the client redirect URI can be determined, then this API returns a 302 redirect to the client's redirect URI with the appropriate error code. See Error Responses.
  • If the request is valid but the user is not authenticated (a valid auth session cookie is not present), then the user will be redirected to either the Wristband onboard login page or a custom login page, if one is configured. The prompt param must also either be set to login or not be set at all. If the prompt param is set to none then an error redirect response will be returned.
  • If the request is valid and the user is authenticated (a valid auth session cookie is present) but the prompt param is set to login, then the user will be redirected to either the Wristband onboard login page or a custom login page, if one is configured.
  • If the request is valid and the user is authenticated (a valid auth session cookie is present) and the prompt query param is set to none, or is not set at all, then this API will return a redirect to the client's redirect URI with an authorization code.

NOTE: If a response is returned that redirects to a login page, then an authorization request JWT will be created (composed of the original authorization request parameters) and appended to the URL using the req query parameter. The authorization request JWT can then be used by the login page to infer the original authorization request parameters by introspecting the JWT.

Supported Error Codes on Redirect:

  • invalid_request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
  • unauthorized_client: The client is not authorized to request an authorization code, usually because the client doesn't support the authorization_code grant type flow.
  • access_denied: The resource owner or authorization server denied the request.
  • unsupported_response_type: The authorization server does not support obtaining an authorization code using this method.
  • invalid_scope: The requested scope is invalid, unknown, or malformed.
  • server_error: The authorization server encountered an unexpected condition that prevented it from fulfilling the request.
  • temporarily_unavailable: The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
  • login_required: The requested authorization does not have an existing active session and requires the client to prompt the end user to authenticate before proceeding.
  • request_not_supported: Returned if the OIDC request parameter is specified in the request.
  • request_uri_not_supported: Returned if the OIDC request_uri parameter is specified in the request.
  • registration_not_supported: Returned if the OIDC registration parameter is specified in the request.
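The client side of the flow described above, as an added example that is not part of this page or of Wristband's own SDKs: it builds the redirect to the authorize endpoint on the tenant's vanity domain (with state and a PKCE pair; PKCE support and the path `/api/v1/oauth2/authorize` are assumptions, not stated on this page), and it parses the redirect back to the client, checking the redirect URI and state before accepting either an authorization code or one of the error codes listed above. The tenant domain, client ID and callback URLs used in the block are constructed sample values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Error codes this page documents for the error redirect back to the client.
AUTHORIZE_ERROR_CODES = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable", "login_required", "request_not_supported",
    "request_uri_not_supported", "registration_not_supported",
}
# login_required means: no active session and prompt was "none"; rerun with prompt=login.
RETRY_WITH_LOGIN = {"login_required"}
# Server-side conditions; retry later with the same request.
TRANSIENT = {"server_error", "temporarily_unavailable"}

# Assumed endpoint path; the page only requires that the host be the tenant's vanity domain.
AUTHORIZE_PATH = "/api/v1/oauth2/authorize"


def new_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE S256 (assumed supported)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(tenant_vanity_domain, client_id, redirect_uri, scopes,
                        state, code_challenge=None, prompt=None):
    """Build the URL the browser is redirected to (never called directly by the app)."""
    if prompt not in (None, "login", "none"):
        raise ValueError("prompt must be 'login', 'none', or omitted")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # bound to the user's session; checked on the way back
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    if prompt is not None:
        params["prompt"] = prompt
    return f"https://{tenant_vanity_domain}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(callback_url, expected_state, expected_redirect_uri):
    """Classify the redirect that arrived at the client's redirect URI."""
    got, want = urlsplit(callback_url), urlsplit(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return {"outcome": "rejected", "reason": "unexpected_redirect_uri"}
    q = parse_qs(got.query)
    # A repeated parameter is itself malformed; refuse to pick one of the copies.
    if any(len(v) != 1 for v in q.values()):
        return {"outcome": "rejected", "reason": "duplicate_parameter"}
    if q.get("state") != [expected_state]:
        return {"outcome": "rejected", "reason": "state_mismatch"}
    if "error" in q:
        err = q["error"][0]
        if err not in AUTHORIZE_ERROR_CODES:
            category = "unknown"
        elif err in RETRY_WITH_LOGIN:
            category = "reauthenticate"
        elif err in TRANSIENT:
            category = "transient"
        else:
            category = "fatal"
        return {"outcome": "error", "error": err, "category": category}
    if "code" in q:
        # The code is single-use and short-lived: exchange it at the token endpoint right away.
        return {"outcome": "code", "code": q["code"][0]}
    return {"outcome": "rejected", "reason": "no_code_or_error"}


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url("acme.example-auth.com", "client_abc123",
                              "https://app.example.com/callback", ["openid", "email"],
                              state, challenge, prompt="none")
    print(url)
    print(parse_callback(f"https://app.example.com/callback?error=login_required&state={state}",
                         state, "https://app.example.com/callback"))
```

A `login_required` result is the expected outcome of a silent (`prompt=none`) check against a user with no session, so the client should rerun the flow with `prompt=login` rather than treat it as a failure; a state mismatch or an unexpected redirect host is dropped before the code is ever looked at.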