# Acquire Authorization Code

> This endpoint triggers the passwordless login flow.

Calling this endpoint sends a passwordless email to the email address
specified as the `username`. The response to this request is a `200`
with an empty response body. The passwordless email contains a login link
that redirects the user to the specified `redirect_uri`, with the
authorization code included in the query params (`?code=...`).

The `redirect_uri` must be whitelisted for your integration by our developer
support team. If you need a URL added or changed, feel free to write to
[developer.support@thanx.com](mailto:developer.support@thanx.com).

<Warning>
  `redirect_uri` is validated by **exact string match**. Register every URI you
  use — including native custom-scheme deeplinks (`yourscheme://magic`,
  `yourscheme://open`) **verbatim and separately** from your HTTPS web callbacks.
  Registering only HTTPS callbacks makes native sign-in fail with
  `invalid_redirect_uri`. Custom schemes are kept as-is — do not convert them to
  `https`.
</Warning>

Note that arbitrary data can be passed through this authentication process by
using custom query parameters. For example, for the whitelisted `redirect_uri`
of `https://www.example.com/oauth/callback`, query parameters can be appended
to the URL and will be passed through the entire auth process. As an example,
`https://www.example.com/oauth/callback?table=1` as the input `redirect_uri` to
the API request would preserve `table=1`. Note that `code` is a reserved
parameter name that should not be used, as it will conflict with the
authorization code that will be appended to the `redirect_uri`.
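
As an added example (not Thanx's own code; the helper names `buildRedirectUri` and `parseCallback` and the sample code value are hypothetical), the JavaScript below appends pass-through parameters to a registered `redirect_uri` without re-serializing it and rejects the reserved `code` key. On the callback it accepts exactly one `code` and reads only the pass-through parameters the caller expects, since the link travels through email and the user's browser.

```javascript
// Added example: helper names and sample values are hypothetical, not part of the Thanx API.
const RESERVED = "code"; // reserved by the page for the authorization code

// Build the redirect_uri for POST /oauth/authorize. The registered string is kept
// verbatim (no URL re-serialization) and only a query string is appended to it.
function buildRedirectUri(registeredUri, passthrough = {}) {
  const extra = new URLSearchParams();
  for (const [key, value] of Object.entries(passthrough)) {
    if (key === RESERVED) {
      throw new Error("`code` is reserved for the authorization code");
    }
    extra.append(key, String(value));
  }
  const qs = extra.toString();
  if (qs === "") return registeredUri;
  return registeredUri + (registeredUri.includes("?") ? "&" : "?") + qs;
}

// Parse the URL the user lands on after following the emailed link.
// Exactly one non-empty `code` is required; pass-through values are untrusted
// input, so only names listed in `expected` are returned and duplicates are rejected.
function parseCallback(callbackUrl, expected = []) {
  const params = new URL(callbackUrl).searchParams;
  const codes = params.getAll(RESERVED);
  if (codes.length !== 1 || codes[0] === "") {
    throw new Error("expected exactly one non-empty code parameter");
  }
  const passthrough = {};
  for (const name of expected) {
    const values = params.getAll(name);
    if (values.length > 1) throw new Error(`duplicate parameter: ${name}`);
    if (values.length === 1) passthrough[name] = values[0];
  }
  return { code: codes[0], passthrough };
}

// Constructed sample: the page's example callback with `table=1` preserved.
const sent = buildRedirectUri("https://www.example.com/oauth/callback", { table: 1 });
const landed = parseCallback(sent + "&code=CONSTRUCTED_SAMPLE_CODE", ["table"]);
console.log(sent, landed);
```

Pass-through values such as `table` still need application-level validation before use; the parser only guarantees that each is present at most once.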

If an account does not exist for the specified email, a 401 error will be
returned. To create an account, the [POST /users](/consumer/users/create-user)
endpoint should be used.

<RequestExample>
  ```bash theme={null}
  curl https://api.thanxsandbox.com/oauth/authorize \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{
      "client_id": "${client_id}",
      "redirect_uri": "https://www.example.com/oauth/callback",
      "response_type": "code",
      "scope": "passwordless",
      "username": "john.smith@example.com"
    }'
  ```
</RequestExample>

<ResponseExample>
  ```json 200 theme={null}
  ""
  ```

  ```json 401 (Access Denied) theme={null}
  {
    "error": "access_denied",
    "error_description": "The resource owner or authorization server denied the request."
  }
  ```

  ```json 401 (Invalid Redirect URI) theme={null}
  {
    "error": "invalid_redirect_uri",
    "error_description": "The redirect uri included is not valid."
  }
  ```
</ResponseExample>

### Request

<ResponseField name="client_id" type="string" required>
  OAuth Client ID
</ResponseField>

<ResponseField name="redirect_uri" type="string" required>
  Where you want the user to be redirected
</ResponseField>

<ResponseField name="response_type" type="string" required>
  `code` is the required value
</ResponseField>

<ResponseField name="scope" type="string" required>
  `passwordless` is the required value
</ResponseField>

<ResponseField name="username" type="string" required>
  The user's email
</ResponseField>
