Skip to main content
POST
This endpoint allows applications to generate OAuth authorization codes for users who are already authenticated, enabling seamless cross-domain authentication flows. Unlike the standard /oauth/authorize endpoint, this endpoint:
  • Requires an existing access token (Bearer authentication)
  • Does NOT send a passwordless email
  • Immediately returns an authorization code
  • Is designed for cross-domain authentication transfers

Use Cases

This endpoint is primarily designed for:
  • Cross-domain authentication (e.g., rewards.thanx.com → order.thanx.com)
  • Single sign-on flows where the user is already authenticated
  • Mobile app to web transitions

Security Considerations

  • Codes expire in 10 minutes
  • Codes are single-use only
  • Requires valid access token for the target user
  • redirect_uri must be whitelisted for your integration

Request

client_id
string
required
OAuth Client ID (same as your application’s OAuth credentials)
redirect_uri
string
required
Where the authorization code should be valid for redemption. Must be whitelisted.
response_type
string
required
Must be code
scope
string
required
Must be passwordless

Response

code
string
The authorization code that can be exchanged for an access token
expires_in
number
Code expiration time in seconds (typically 600 = 10 minutes)
redirect_uri
string
Echo of the redirect URI for validation