Authentication Flows

Thanx supports two OAuth authentication flows:

Standard Passwordless Flow

Here is what the standard flow would look like:

1. User navigates to the partner website and clicks an authentication button.
2. The partner website prompts the user to input an email address.
3. The partner website makes a request to the `POST /oauth/authorize` endpoint described below. (Continue to #4 or #5.)
4. If no account exists for the specified email address, a 401 error is thrown. A user can be created via the `POST /users` endpoint.
5. If an account exists for the specified email address, an auth email is sent to the specified email. The user clicks the auth email link, which redirects to the partner website at the specified `redirect_uri` with an authorization code in the params.
6. The partner website exchanges the authorization code for an access token via the `POST /oauth/token` endpoint described below. The user is now authenticated with the Thanx system through the returned access token.
Cross-Domain Flow

For users who are already authenticated on one domain and need to be transferred to another domain (e.g., rewards.thanx.com → order.thanx.com), Thanx provides a seamless cross-domain authentication flow:

1. User is already authenticated on the source domain with a valid access token.
2. Source application makes a request to the `POST /oauth/authorize-cross-domain` endpoint with the user's access token.
3. The endpoint immediately returns an authorization code (no email is sent).
4. Source application redirects the user to the target domain with the authorization code: `target-domain.com/path?code=...`
5. Target domain exchanges the authorization code for an access token via the `POST /oauth/token` endpoint. User is now authenticated on the target domain.
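Both flows above end in the same code-for-token exchange, so the following added example (not Thanx's code or SDK) walks through each of them against a small in-memory stand-in for the three endpoints. The endpoint paths and the 401 / no-email behaviours come from the text; the request field names (`email`, `redirect_uri`, `access_token`, `code`), the example hostnames, the single-use code store and the registered-redirect allowlist are assumptions made so the example runs offline and shows the checks a partner integration and an authorization server would want around the redirect hop.

```python
"""Simulation of the two Thanx OAuth flows: standard passwordless and cross-domain.

Added example, not Thanx's own code. Endpoint paths match the docs; the field
names (email, redirect_uri, access_token, code), the redirect allowlist and the
in-memory server are assumptions so the example runs offline.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed sample data: one existing account, one token already issued on the
# source (rewards) domain, and the redirect URIs the partner registered.
KNOWN_ACCOUNTS = {"alice@example.com"}
REGISTERED_REDIRECTS = {"https://partner.example/callback", "https://order.example/auth"}


@dataclass
class MockThanxServer:
    """In-memory stand-in for the three Thanx endpoints (assumed behaviour)."""
    accounts: set = field(default_factory=lambda: set(KNOWN_ACCOUNTS))
    allowed_redirects: set = field(default_factory=lambda: set(REGISTERED_REDIRECTS))
    access_tokens: dict = field(default_factory=lambda: {"tok-alice-rewards": "alice@example.com"})
    codes: dict = field(default_factory=dict)        # code -> email; popped on first use
    sent_emails: list = field(default_factory=list)  # (email, link) pairs that were "sent"

    def _issue_code(self, email, redirect_uri):
        # Assumption: only pre-registered redirect URIs may receive a code, so a
        # tampered redirect_uri cannot steer the code to an unregistered host.
        if redirect_uri not in self.allowed_redirects:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = email
        return code

    def oauth_authorize(self, email, redirect_uri):
        """POST /oauth/authorize: 401 if no account, otherwise email an auth link."""
        if email not in self.accounts:
            return 401, {"error": "no account for this email"}
        code = self._issue_code(email, redirect_uri)
        if code is None:
            return 400, {"error": "redirect_uri not registered"}
        self.sent_emails.append((email, f"{redirect_uri}?code={code}"))
        return 200, {"status": "auth email sent"}

    def oauth_authorize_cross_domain(self, access_token, redirect_uri):
        """POST /oauth/authorize-cross-domain: code returned at once, no email."""
        email = self.access_tokens.get(access_token)
        if email is None:
            return 401, {"error": "invalid access token"}
        code = self._issue_code(email, redirect_uri)
        if code is None:
            return 400, {"error": "redirect_uri not registered"}
        return 200, {"code": code}

    def oauth_token(self, code):
        """POST /oauth/token: exchange a single-use code for an access token."""
        email = self.codes.pop(code, None)
        if email is None:
            return 400, {"error": "invalid or already used code"}
        token = "tok-" + secrets.token_urlsafe(8)
        self.access_tokens[token] = email
        return 200, {"access_token": token}


def code_from_redirect(url):
    """Pull the `code` query param out of the auth-email link or cross-domain redirect."""
    codes = parse_qs(urlparse(url).query).get("code")
    if not codes:
        raise ValueError("redirect carries no authorization code")
    return codes[0]


def standard_passwordless_login(server, email, redirect_uri):
    """Steps 3-6 of the standard flow; returns None on the 401 'no account' case."""
    status, body = server.oauth_authorize(email, redirect_uri)
    if status == 401:
        return None  # the partner would create the account via POST /users
    if status != 200:
        raise RuntimeError(body["error"])
    _, link = server.sent_emails[-1]  # the user clicks the emailed link
    status, body = server.oauth_token(code_from_redirect(link))
    if status != 200:
        raise RuntimeError(body["error"])
    return body["access_token"]


def cross_domain_transfer(server, source_token, target_redirect):
    """Steps 2-5 of the cross-domain flow; raises PermissionError on a bad token."""
    status, body = server.oauth_authorize_cross_domain(source_token, target_redirect)
    if status == 401:
        raise PermissionError(body["error"])
    if status != 200:
        raise RuntimeError(body["error"])
    redirect = f"{target_redirect}?code={body['code']}"  # source -> target hop
    status, body = server.oauth_token(code_from_redirect(redirect))
    if status != 200:
        raise RuntimeError(body["error"])
    return body["access_token"]


if __name__ == "__main__":
    srv = MockThanxServer()
    print(standard_passwordless_login(srv, "nobody@example.com", "https://partner.example/callback"))
    print(standard_passwordless_login(srv, "alice@example.com", "https://partner.example/callback"))
    print(cross_domain_transfer(srv, "tok-alice-rewards", "https://order.example/auth"))
```

Two points the simulation makes explicit: the authorization code is consumed on its first `POST /oauth/token` call, so a code replayed from a leaked email link or redirect URL is rejected, and the cross-domain endpoint only mints a code for a currently valid access token, which is what makes the second domain's session inherit the first domain's authentication rather than bypass it.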