POST /oauth/authorize-cross-domain
curl https://api.thanxsandbox.com/oauth/authorize-cross-domain \
  -X POST \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "f4bf04a6fc27b5fa926a7318933b76440642c25cde037d8e867b3d18d771ad86",
    "redirect_uri": "https://order.example.com/merchant-handle/passwordless-login",
    "response_type": "code",
    "scope": "passwordless"
  }'
{
  "code": "def50200a8d9c3f2e1b4a7c6d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0",
  "expires_in": 600,
  "redirect_uri": "https://order.example.com/merchant-handle/passwordless-login"
}
This endpoint allows applications to generate OAuth authorization codes for users who are already authenticated, enabling seamless cross-domain authentication flows. Unlike the standard /oauth/authorize endpoint, this endpoint:
  • Requires an existing access token (Bearer authentication)
  • Does NOT send a passwordless email
  • Immediately returns an authorization code
  • Is designed for cross-domain authentication transfers

Use Cases

This endpoint is primarily designed for:
  • Cross-domain authentication (e.g., rewards.thanx.com → order.thanx.com)
  • Single sign-on flows where the user is already authenticated
  • Mobile app to web transitions

Security Considerations

  • Codes expire in 10 minutes
  • Codes are single-use only
  • Requires valid access token for the target user
  • redirect_uri must be whitelisted for your integration

Request

  • client_id (string, required): OAuth Client ID (same as your application’s OAuth credentials)
  • redirect_uri (string, required): Where the authorization code should be valid for redemption. Must be whitelisted.
  • response_type (string, required): Must be code
  • scope (string, required): Must be passwordless

Response

  • code (string): The authorization code that can be exchanged for an access token
  • expires_in (number): Code expiration time in seconds (typically 600 = 10 minutes)
  • redirect_uri (string): Echo of the redirect URI for validation
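
The checks a caller can apply to this response before handing the code to the target domain, as an added example (not Thanx code). ALLOWED_REDIRECT_URIS, validate_response and CrossDomainCode are hypothetical names, and the local allowlist is assumed to mirror the redirect URIs whitelisted for your integration.

```python
import time

# Assumption: local copy of the redirect URIs whitelisted for this integration.
ALLOWED_REDIRECT_URIS = {
    "https://order.example.com/merchant-handle/passwordless-login",
}
MAX_TTL_SECONDS = 600  # the page states that codes expire in 10 minutes

# Sample response body copied from the page's example.
SAMPLE_RESPONSE = {
    "code": "def50200a8d9c3f2e1b4a7c6d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0",
    "expires_in": 600,
    "redirect_uri": "https://order.example.com/merchant-handle/passwordless-login",
}


class CrossDomainCode:
    """Holds one authorization code; releases it at most once, before expiry."""

    def __init__(self, code, ttl, redirect_uri, issued_at):
        self._code, self.redirect_uri = code, redirect_uri
        self.deadline = issued_at + ttl
        self._used = False

    def take(self, now=None):
        now = time.monotonic() if now is None else now
        if self._used:
            raise ValueError("code already handed off (single-use)")
        if now >= self.deadline:
            raise ValueError("code expired before handoff")
        self._used = True
        return self._code


def validate_response(body, requested_redirect_uri, issued_at=None):
    """Check a parsed JSON response before the code leaves this service."""
    issued_at = time.monotonic() if issued_at is None else issued_at
    if requested_redirect_uri not in ALLOWED_REDIRECT_URIS:
        raise ValueError("requested redirect_uri is not on the local allowlist")
    echoed = body.get("redirect_uri")
    if echoed != requested_redirect_uri:  # exact string match, no normalization
        raise ValueError("echoed redirect_uri does not match the request")
    code, ttl = body.get("code"), body.get("expires_in")
    if not isinstance(code, str) or not code:
        raise ValueError("missing authorization code")
    if type(ttl) is not int or not 0 < ttl <= MAX_TTL_SECONDS:
        raise ValueError("unexpected expires_in")
    return CrossDomainCode(code, ttl, echoed, issued_at)
```

Record issued_at when the response arrives, so the local deadline is never later than the server's.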