# Authorize

> Initiate the Authorization Code Flow with PKCE, the recommended OAuth 2.0 grant for mobile and single-page applications.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`GET /authorize`

This is the OAuth 2.0 grant that mobile apps use to access an API. Before starting this flow, generate and store a `code_verifier`, then derive from it the `code_challenge` that is sent in the authorization request.

## Query Parameters

<ParamField query="audience" type="string" required>
  The unique identifier of the target API you want to access.
</ParamField>

<ParamField query="resource" type="string">
  The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to `audience` when the tenant's [Resource Parameter Compatibility Profile](https://auth0.com/docs/get-started/tenant-settings#settings-advanced) is set to `compatibility`.
</ParamField>

<ParamField query="scope" type="string">
  The scopes you want to request authorization for, separated by spaces. You can request standard OpenID Connect (OIDC) scopes, custom claims, or any scopes supported by the target API. Include `offline_access` to get a Refresh Token.
</ParamField>

<ParamField query="response_type" type="string" required>
  Indicates to Auth0 which OAuth 2.0 Flow you want to perform. Use `code` for Authorization Code Grant (PKCE) Flow.

  Allowed values: `code`
</ParamField>

<ParamField query="client_id" type="string" required>
  Your application's Client ID.
</ParamField>

<ParamField query="state" type="string">
  An opaque value the client adds to the initial request that Auth0 includes when redirecting back to the client. This value must be used by the client to prevent CSRF attacks.
</ParamField>

<ParamField query="redirect_uri" type="string">
  The URL to which Auth0 will redirect the browser after authorization has been granted by the user.
</ParamField>

<ParamField query="code_challenge_method" type="string" required>
  Method used to generate the challenge. Use `S256` as Auth0 only supports this method.

  Allowed values: `S256`
</ParamField>

<ParamField query="code_challenge" type="string" required>
  Generated challenge from the `code_verifier`.
</ParamField>

<ParamField query="connection" type="string">
  The name of the connection configured for your application.
</ParamField>

<ParamField query="prompt" type="string">
  To initiate a silent authentication request, use `prompt=none`.
</ParamField>

<ParamField query="organization" type="string">
  ID of the organization to use when authenticating a user.
</ParamField>

<ParamField query="invitation" type="string">
  Ticket ID of the organization invitation.
</ParamField>

<ParamField query="dpop_jkt" type="string">
  The JWK Thumbprint [RFC7638](https://www.rfc-editor.org/rfc/rfc7638.html) of the proof-of-possession public key using the SHA-256 hash function.
</ParamField>

## Response Schema

<ResponseSchema statusCode="default error">
  <ResponseField name="error" type="string">
    Error code.
  </ResponseField>

  <ResponseField name="error_description" type="string">
    Error description.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status  | Description                                                  |
| ------- | ------------------------------------------------------------ |
| 302     | Redirect to the specified `redirect_uri` after authorization. |
| default | Unexpected error                                             |
