Start OAuth authorization
Starts the OAuth 2.0 Authorization Code + PKCE login flow by redirecting the user to Endaoment’s sign-in page.
This endpoint lives on the Endaoment auth server ({AUTH_URL}/auth). Redirect the user’s browser here from your backend after generating PKCE values and state. After login, Endaoment redirects back to your registered redirect_uri with code and state query parameters.
Exchange the returned code at POST /token.
Query Parameters

response_type: Must be code for the Authorization Code flow. Example: code
client_id: OAuth client ID issued by Endaoment.
redirect_uri: Registered callback URL. Must match exactly in the later token exchange.
scope: Space-delimited OAuth scopes. Common value: openid accounts transactions profile email address. Add offline_access for refresh tokens; include prompt=consent on this request as well, or refresh tokens are silently omitted.
code_challenge: PKCE code challenge (S256 hash of the stored code_verifier).
code_challenge_method: PKCE challenge method. Endaoment supports S256 only. Example: S256
state: Random value your backend can verify on callback to prevent CSRF.
prompt: Use consent when requesting offline_access to ensure a refresh token can be issued. Example: consent

Response

Redirect to Endaoment login, or back to redirect_uri with code and state after successful authentication.
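The backend side of the flow described above, as an added example that is not Endaoment's own code: it generates the PKCE code_verifier and S256 code_challenge, a random state, builds the redirect to {AUTH_URL}/auth with the parameters listed here, and on callback checks state in constant time before assembling the body for the later POST /token exchange. AUTH_URL, CLIENT_ID and REDIRECT_URI are placeholders you must replace, and the token-request field names are the standard authorization_code grant fields, assumed here rather than taken from this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumed, not real Endaoment values): replace with your own.
AUTH_URL = "https://AUTH_URL_PLACEHOLDER"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://example.com/oauth/callback"
SCOPES = "openid accounts transactions profile email address offline_access"


def make_code_verifier() -> str:
    # RFC 7636 allows 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes
    # base64url-encoded without padding gives exactly 43 such characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    # S256 method: BASE64URL(SHA-256(code_verifier)) with the '=' padding removed.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(code_challenge: str, state: str, scopes: str = SCOPES) -> str:
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scopes,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    # offline_access only yields a refresh token when prompt=consent is also sent.
    if "offline_access" in scopes.split():
        params["prompt"] = "consent"
    return f"{AUTH_URL}/auth?{urlencode(params)}"


def start_login():
    """Return (redirect_url, session_data). Store session_data server-side,
    keyed to the user's session; the verifier must never reach the browser."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(32)
    url = build_authorize_url(pkce_challenge(verifier), state)
    return url, {"code_verifier": verifier, "state": state}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the redirect back to redirect_uri and build the POST /token body
    (standard authorization_code grant fields, assumed here)."""
    qs = parse_qs(urlparse(callback_url).query)
    returned_state = qs.get("state", [""])[0]
    # Constant-time comparison so a mismatch does not leak timing information.
    if not hmac.compare_digest(returned_state, session["state"]):
        raise ValueError("state mismatch: possible CSRF or stale session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent to /auth exactly
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }


if __name__ == "__main__":
    redirect_to, session = start_login()
    print("302 ->", redirect_to)
    # Constructed sample callback, as the browser would return it after login.
    sample_callback = f"{REDIRECT_URI}?code=SAMPLE_CODE&state={session['state']}"
    print(handle_callback(sample_callback, session))
```

The session dictionary is the only place the code_verifier and state live between the two requests; treat it as server-side state tied to the user's login session, not as a cookie the browser can read, and discard it once the token exchange completes.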