Authorize

↪️

Redirect Required

Your application will need to redirect to this endpoint instead of making a direct API call.

🏢

Tenant Vanity Domain Required

When calling this API you need to use the vanity domain of the tenant that the user is logging in to.

🛡️

OIDC Compliant

This endpoint is compliant with the OIDC Authorization Endpoint (Authorization Code Flow) specification.

Initiates a user login request for a specific tenant. The tenant vanity domain in the request identifies the tenant the user is logging into. When this endpoint is redirected to, one of the following responses will be returned:

• If the request fails and the client's redirect URI can't be determined or the client ID is invalid, this API returns a redirect to either the default Wristband error page or a custom error page, if one is configured.
• If the given request fails and the client's redirect URI is valid, then this API returns a 302 redirect to the client's redirect URI with the appropriate error code.
• If the request is valid but the user is not authenticated (i.e., a valid auth session cookie is not present), the user will be redirected to either the Wristband-hosted login page or a custom login page, if configured. The prompt param must also either be set to login or not be set at all. If the prompt param is set to none then a 302 redirect to the client's redirect URI will be returned with a login_required error code.
• If the request is valid and the user is authenticated (i.e., a valid auth session cookie is present), but the prompt param is set to login, then the user will be redirected to either the Wristband-hosted login page or a custom login page, if one is configured.
• If the request is valid and the user is authenticated (i.e., a valid auth session cookie is present) and the prompt query param is set to none, or is not set at all, then this API will return a redirect to the client's redirect URI with an authorization code.

ℹ️

Note

If a response is returned that redirects to a login page, then an authorization request JWT will be created (composed of the original authorization request parameters) and appended to the URL using the req query parameter. The authorization request JWT can then be used by the login page to infer the original authorization request parameters by introspecting the JWT using the Introspect Authorization Request Token API.

Error Codes:

Below is a list of error codes that can be returned on redirects to the client's callback URI.

• invalid_request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
• unauthorized_client: The client is not authorized to request an authorization code, usually because the client doesn't support the authorization_code grant type.
• access_denied: The resource owner or authorization server denied the request.
• unsupported_response_type: The response type specified in the request is not supported.
• invalid_scope: The requested scope is invalid, unknown, or malformed.
• server_error: The authorization server encountered an unexpected condition that prevented it from fulfilling the request.
• temporarily_unavailable: The authorization server is currently unable to handle the request due to a temporary overload or maintenance of the server.
• login_required: The authorization request does not have a valid auth session associated with it and requires the user to authenticate.
• request_not_supported: Returned if the OIDC request parameter is specified in the request.
• request_uri_not_supported: Returned if the OIDC request_uri parameter is specified in the request.
• registration_not_supported: Returned if the OIDC registration parameter is specified in the request.