> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endaoment.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Start OAuth authorization

> Starts the OAuth 2.0 Authorization Code + PKCE login flow by redirecting the user to Endaoment's sign-in page.

This endpoint lives on the Endaoment **auth server** (`{AUTH_URL}/auth`). Redirect the user's browser here from your backend after generating PKCE values and `state`. After login, Endaoment redirects back to your registered `redirect_uri` with `code` and `state` query parameters.

Exchange the returned `code` at [`POST /token`](/developers/api/authentication/get-access-token).



## OpenAPI

````yaml https://api.endaoment.org/oas-json get /auth
openapi: 3.0.0
info:
  title: Endaoment API
  description: >-
    The official Endaoment API endpoints. Dev (canary) = newest features;
    Staging (stable) = pre-production.
  version: 0.0.0-dev
  contact: {}
servers:
  - url: https://api.endaoment.org
    description: Production
security: []
tags:
  - name: Partner Endpoints
    description: Tech-platform partner server-to-server APIs
  - name: Authentication
    description: OAuth callers, API keys, and session verification
  - name: Funds
    description: Donor-advised fund lifecycle
  - name: Donations
    description: Donation pledges, supported assets, and impact totals
  - name: Portfolios
    description: Investment portfolio catalog
  - name: Nonprofit Organizations
    description: Nonprofit lookup, subprojects, and missing-org intake
  - name: Grant Transfers
    description: Grant and entity transfers
  - name: Collaboration
    description: Collaborator recommendations and fund collaboration
  - name: Activity
    description: Public and scoped activity feeds
paths:
  /auth:
    servers:
      - url: https://auth.endaoment.org
        description: Production
      - url: https://auth.dev.endaoment.org
        description: Development
      - url: https://auth.staging.endaoment.org
        description: Staging
    get:
      tags:
        - Authentication
      summary: Start OAuth authorization
      description: >-
        Starts the OAuth 2.0 Authorization Code + PKCE login flow by redirecting
        the user to Endaoment's sign-in page.


        This endpoint lives on the Endaoment **auth server**
        (`{AUTH_URL}/auth`). Redirect the user's browser here from your backend
        after generating PKCE values and `state`. After login, Endaoment
        redirects back to your registered `redirect_uri` with `code` and `state`
        query parameters.


        Exchange the returned `code` at [`POST
        /token`](/developers/api/authentication/get-access-token).
      operationId: OAuthController_authorize
      parameters:
        - name: response_type
          in: query
          required: true
          schema:
            type: string
            enum:
              - code
          description: Must be `code` for the Authorization Code flow.
          example: code
        - name: client_id
          in: query
          required: true
          schema:
            type: string
          description: OAuth client ID issued by Endaoment.
          example: your-client-id
        - name: redirect_uri
          in: query
          required: true
          schema:
            type: string
            format: uri
          description: >-
            Registered callback URL. Must match exactly in the later token
            exchange.
          example: http://localhost:5454/callback
        - name: scope
          in: query
          required: true
          schema:
            type: string
          description: >-
            Space-delimited OAuth scopes. Common value: `openid accounts
            transactions profile email address`. Add `offline_access` for
            refresh tokens — include `prompt=consent` on this request or refresh
            tokens are silently omitted.
          example: openid accounts transactions profile email address offline_access
        - name: code_challenge
          in: query
          required: true
          schema:
            type: string
          description: PKCE code challenge (S256 hash of the stored `code_verifier`).
          example: E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
        - name: code_challenge_method
          in: query
          required: true
          schema:
            type: string
            enum:
              - S256
          description: PKCE challenge method. Endaoment supports `S256` only.
          example: S256
        - name: state
          in: query
          required: true
          schema:
            type: string
          description: Random value your backend can verify on callback to prevent CSRF.
          example: random-state-value
        - name: prompt
          in: query
          required: false
          schema:
            type: string
            enum:
              - consent
          description: >-
            Use `consent` when requesting `offline_access` to ensure a refresh
            token can be issued.
          example: consent
      responses:
        '302':
          description: >-
            Redirect to Endaoment login, or back to `redirect_uri` with `code`
            and `state` after successful authentication
        '400':
          description: Missing or invalid OAuth parameters

````