/authorize

Start the browser-based OAuth or OpenID Connect sign-in flow.

Endpoint

  • Method: GET
  • URL: https://sso.user.m7.org/authorize
  • Response: hosted HTML page

When to use it

Use this as the main browser entrypoint when you want M7 to authenticate the user and return an authorization code to your application.

Current server support:

  • response_type=code
  • query response mode
  • PKCE-friendly authorization code flow
  • optional PAR handoff through request_uri

Query parameters

  • client_id required
  • redirect_uri required
  • response_type required. Current supported value: code
  • scope recommended
  • state expected by the current hosted flow
  • code_challenge recommended for PKCE clients
  • code_challenge_method recommended when using PKCE. Current discovery advertises S256 and plain
  • nonce recommended when requesting openid
  • login_hint optional
  • prompt optional
  • max_age optional
  • request_uri optional. Use this when you first sent the request through /par

Example

https://sso.user.m7.org/authorize?client_id=CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&response_type=code&scope=openid%20profile%20offline_access&state=STATE123&code_challenge=PKCE_CHALLENGE&code_challenge_method=S256&nonce=NONCE123

PAR example:

https://sso.user.m7.org/authorize?client_id=CLIENT_ID&request_uri=REQUEST_URI

Success behavior

After the user completes the hosted flow, M7 returns the browser to your redirect_uri with:

  • code
  • state if you supplied one

Example:

https://app.example.com/callback?code=AUTHORIZATION_CODE&state=STATE123
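
An added example (not M7's own code) of a client building the /authorize request shown above with a fresh state, nonce and S256 code_challenge, then checking state on the callback before accepting the code. The function names and the pending dictionary are assumptions of this example; only the endpoint URL and parameter names come from this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://sso.user.m7.org/authorize"  # endpoint from this page


def b64url(data: bytes) -> str:
    # base64url without padding, the encoding PKCE (RFC 7636) uses
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def begin_authorization(client_id, redirect_uri, scope="openid profile"):
    # Hypothetical helper: returns the browser URL plus the per-login values
    # the app must keep server-side, bound to this browser session.
    pending = {
        "state": b64url(secrets.token_bytes(32)),
        "nonce": b64url(secrets.token_bytes(32)),
        "code_verifier": b64url(secrets.token_bytes(32)),  # 43 characters
    }
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": pending["state"],
        "code_challenge": s256_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
        "nonce": pending["nonce"],
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote), pending


def handle_callback(callback_url, pending):
    # Accept the code only if exactly one code and one state arrived and the
    # state equals the value issued for this session (constant-time compare).
    query = parse_qs(urlsplit(callback_url).query)
    code, state = query.get("code", []), query.get("state", [])
    if len(code) != 1 or len(state) != 1:
        raise ValueError("callback must carry exactly one code and one state")
    if not hmac.compare_digest(state[0].encode(), pending["state"].encode()):
        raise ValueError("state mismatch")
    return code[0]
```

The stored code_verifier is presented later when the code is redeemed, and the stored nonce is compared with the nonce claim of the ID token when openid was requested.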

Notes

  • Most client applications should start at /authorize, not at /login or /signup.
  • client_id and redirect_uri are validated before the hosted flow proceeds.
  • If you are using PAR, send the full authorization request to /par first, then send the browser here with request_uri.