# Acquire Authorization Code (Cross-Domain)

> Generate an OAuth authorization code for an authenticated user without sending email.

This endpoint allows applications to generate OAuth authorization codes for users who are already authenticated, enabling seamless cross-domain authentication flows.

Unlike the standard `/oauth/authorize` endpoint, this endpoint:

* Requires an existing access token (Bearer authentication)
* Does NOT send a passwordless email
* Immediately returns an authorization code
* Is designed for cross-domain authentication transfers

## Use Cases

This endpoint is primarily designed for:

* Cross-domain authentication (e.g., rewards.thanx.com → order.thanx.com)
* Single sign-on flows where the user is already authenticated
* Mobile app to web transitions

## Security Considerations

* Codes expire in 10 minutes
* Codes are single-use only
* Requires a valid access token for the target user
* `redirect_uri` must be whitelisted for your integration

<RequestExample>
  ```bash theme={null}
  curl https://api.thanxsandbox.com/oauth/authorize-cross-domain \
    -X POST \
    -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "client_id": "f4bf04a6fc27b5fa926a7318933b76440642c25cde037d8e867b3d18d771ad86",
      "redirect_uri": "https://order.example.com/merchant-handle/passwordless-login",
      "response_type": "code",
      "scope": "passwordless"
    }'
  ```
</RequestExample>

<ResponseExample>
  ```json 200 theme={null}
  {
    "code": "def50200a8d9c3f2e1b4a7c6d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0",
    "expires_in": 600,
    "redirect_uri": "https://order.example.com/merchant-handle/passwordless-login"
  }
  ```

  ```json 401 (Access Denied) theme={null}
  {
    "error": "access_denied",
    "error_description": "The access token is invalid or has expired."
  }
  ```

  ```json 401 (Invalid Redirect URI) theme={null}
  {
    "error": "invalid_redirect_uri",
    "error_description": "The redirect uri included is not valid."
  }
  ```
</ResponseExample>

### Request

<ResponseField name="client_id" type="string" required>
  OAuth Client ID (same as your application's OAuth credentials)
</ResponseField>

<ResponseField name="redirect_uri" type="string" required>
  The URI at which the authorization code is valid for redemption. Must be whitelisted.
</ResponseField>

<ResponseField name="response_type" type="string" required>
  Must be `code`
</ResponseField>

<ResponseField name="scope" type="string" required>
  Must be `passwordless`
</ResponseField>

### Response

<ResponseField name="code" type="string">
  The authorization code that can be exchanged for an access token
</ResponseField>

<ResponseField name="expires_in" type="number">
  Code expiration time in seconds (typically 600 = 10 minutes)
</ResponseField>

<ResponseField name="redirect_uri" type="string">
  Echo of the redirect URI for validation
</ResponseField>
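
The checks a caller can apply to this response before redirecting the user to the other domain, as an added example that is not part of the Thanx documentation. `buildHandoffUrl`, `ALLOWED_REDIRECTS`, the 30-second margin and passing the code as a `code` query parameter are assumptions, and the sample response is constructed.

```javascript
// Added example, not Thanx code. ALLOWED_REDIRECTS, SAFETY_MARGIN_MS, buildHandoffUrl
// and the `code` query parameter name are assumptions made for illustration.
const ALLOWED_REDIRECTS = new Set([
  "https://order.example.com/merchant-handle/passwordless-login",
]);
const SAFETY_MARGIN_MS = 30000; // refuse codes that are about to expire

function buildHandoffUrl(requestedRedirectUri, body, issuedAtMs, nowMs) {
  // Error bodies on this page carry `error` and `error_description`.
  if (body.error) {
    throw new Error("authorize-cross-domain failed: " + body.error);
  }
  if (typeof body.code !== "string" || body.code.length === 0) {
    throw new Error("response carries no authorization code");
  }
  // The echoed redirect_uri must be byte-for-byte the one that was requested.
  if (body.redirect_uri !== requestedRedirectUri) {
    throw new Error("echoed redirect_uri does not match the request");
  }
  // Local mirror of the whitelist: never redirect to a URI this app did not configure.
  if (!ALLOWED_REDIRECTS.has(requestedRedirectUri)) {
    throw new Error("redirect_uri is not in the local allow-list");
  }
  const target = new URL(requestedRedirectUri);
  if (target.protocol !== "https:") {
    throw new Error("redirect_uri must use https");
  }
  // expires_in is in seconds; compute an absolute deadline from the issue time.
  if (!Number.isFinite(body.expires_in) || body.expires_in <= 0) {
    throw new Error("invalid expires_in");
  }
  const expiresAtMs = issuedAtMs + body.expires_in * 1000;
  if (nowMs + SAFETY_MARGIN_MS >= expiresAtMs) {
    throw new Error("authorization code expired or too close to expiry");
  }
  target.searchParams.set("code", body.code);
  return { url: target.toString(), expiresAtMs };
}

// Constructed sample response (the code value is a placeholder, not a real code).
const SAMPLE_RESPONSE = {
  code: "EXAMPLE_CODE",
  expires_in: 600,
  redirect_uri: "https://order.example.com/merchant-handle/passwordless-login",
};
const issuedAt = Date.now();
const handoff = buildHandoffUrl(SAMPLE_RESPONSE.redirect_uri, SAMPLE_RESPONSE, issuedAt, issuedAt);
console.log("redirect the user before", new Date(handoff.expiresAtMs).toISOString());
```

Because the code is single-use and travels in the URL, keep the returned URL out of logs and analytics.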
