
Get Authorization Code

GET /auth/brands/:brandIdentity/authorize

Overview

This is the Authorization Endpoint, used as part of the Authorization Code Grant with the PKCE extension. It allows clients to authenticate securely against the Paysafe infrastructure by obtaining an authorization code, which is then exchanged for an access token. For enhanced security, all clients must use the PKCE extension with the SHA-256 (S256) code challenge method.

How Authorization Code Flow works

  1. User initiates a Login process through the Paysafe Embedded Wallet SDK.

  2. The Paysafe Embedded Wallet SDK redirects the user to the login page (the /authorize endpoint).

  3. User authenticates using one of the configured login options.

  4. Upon successful authentication, the authorization endpoint redirects the user back to the application with a single-use authorization code.

  5. The application exchanges the authorization code with the Paysafe Embedded Wallet’s Token endpoint, sending along the client credentials and PKCE verifier.

  6. The token endpoint verifies the authorization code, client credentials, and PKCE verifier.

  7. The token endpoint responds with an access token (optionally refresh token and ID token).

  8. The application uses the access token to call the wallet’s APIs to access user information or perform actions.

  9. The wallet API responds with the requested data or performs the requested operation.
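The client side of steps 1 to 5, as an added example that is not part of this page and not Paysafe SDK code: generating the PKCE verifier and S256 challenge, composing the /authorize request, and interpreting the redirect back to the application. The host name, brand identity and client identifiers are placeholders, and the request parameter names (response_type, client_id, redirect_uri, state, code_challenge, code_challenge_method) are the standard RFC 6749 / RFC 7636 names, since the page does not list the endpoint's request parameters.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration only: the real authorization-server host and
# brand identity come from your Paysafe integration configuration.
AUTH_BASE = "https://auth.example.test"
BRAND_IDENTITY = "example-brand"


def code_challenge_for(code_verifier: str) -> str:
    """S256 code challenge (RFC 7636 section 4.2): base64url(SHA-256(verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Generate a fresh (code_verifier, code_challenge) pair for one login attempt."""
    # 32 random bytes -> 43 base64url characters, inside the 43..128 range RFC 7636 allows.
    code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return code_verifier, code_challenge_for(code_verifier)


def build_authorize_url(client_id: str, redirect_uri: str, state: str, code_challenge: str) -> str:
    """Compose the /authorize request URL (assumed parameter names, see lead-in)."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # the only method the page allows
    }
    return f"{AUTH_BASE}/auth/brands/{BRAND_IDENTITY}/authorize?{urlencode(query)}"


def handle_callback(callback_url: str, expected_state: str) -> dict:
    """Interpret the redirect back to the application (step 4 of the flow).

    The state check comes first: a response whose state does not match the one
    stored for this login attempt is discarded, whether it carries a code or an error.
    """
    query = parse_qs(urlparse(callback_url).query)

    def first(key):
        return query.get(key, [None])[0]

    if first("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if first("error") is not None:
        # Error redirect per RFC 6749 section 4.1.2.1: report it, do not retry blindly.
        return {"ok": False, "error": first("error"),
                "error_description": first("error_description") or ""}
    code = first("code")
    if code is None:
        raise ValueError("callback carries neither code nor error")
    return {"ok": True, "code": code}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("example-client", "https://app.example.test/callback", state, challenge))
    # The application keeps `verifier` and `state` in its session until the callback arrives,
    # then sends `verifier` together with the code to the token endpoint (step 5).
    print(handle_callback(f"https://app.example.test/callback?code=abc123&state={state}", state))
```

The verifier and the state are generated per login attempt and must never leave the application until the token exchange; the authorization server only ever sees the SHA-256 challenge, which is what makes an intercepted code useless on its own.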

Security Considerations

  • Strict Redirect URI Validation: Only valid redirect_uri values are used for redirections to prevent open redirect vulnerabilities.
  • OAuth 2.0 Compliance: The Login API strictly adheres to the OAuth 2.0 specification for error reporting and redirection behavior.

Intended Audience

This endpoint is designed for partner applications to facilitate secure authentication for their end-users and to enable access to protected resources.

Request

Responses

This endpoint initiates the OAuth 2.0 authorization process by displaying an authentication page in the end-user’s browser. Once the user completes the authentication and authorization steps, the endpoint redirects to the client’s specified redirection endpoint with the appropriate parameters.

Success Behavior

The endpoint first serves the HTML login page to the user agent to begin the OAuth 2 authorization process. If the client_id and redirect_uri match the client configuration on the authorization server, and the user has entered valid credentials, the user is redirected to the specified redirection endpoint as defined by RFC 6749 §4.1.2 (https://tools.ietf.org/html/rfc6749#section-4.1.2) with the following query parameters:

  • code: The authorization code, to be exchanged for an access token.
  • state: The value originally sent by the client, returned to maintain request integrity and prevent CSRF attacks.

Error Handling

If any required parameters are missing or invalid, or if there is a mismatch in the client_id or redirect_uri, the authorization server will:

  1. Display an error page to the user.
  2. Redirect to the client’s redirection endpoint (only if it is valid) with the following query parameters, as specified by RFC 6749 §4.1.2.1 (https://tools.ietf.org/html/rfc6749#section-4.1.2.1):

  • error: An error code indicating the reason for the failure.
  • error_description: A description of the error to aid troubleshooting.
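The server-side decisions described under Security Considerations (strict redirect_uri validation) and under Responses (success redirect with code and state, error page versus error redirect), as an added example that is not part of this page and not Paysafe's implementation. The client registry and all identifiers are constructed placeholders; the rule it encodes is the one from RFC 6749 §4.1.2.1, that an error may only be redirected to a redirect_uri that matched the client's registration.

```python
from urllib.parse import urlencode

# Constructed client registry standing in for the authorization server's real
# client configuration. Exact redirect URIs are registered, not patterns.
REGISTERED_CLIENTS = {
    "example-client": {"redirect_uris": {"https://app.example.test/callback"}},
}


def redirect_uri_is_registered(client_id, redirect_uri) -> bool:
    """Strict match: the URI must equal a registered one character for character.

    No prefix or wildcard matching, so an extra path segment, a different query
    string or a different scheme/host is rejected rather than silently accepted.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def _redirect(redirect_uri: str, query: dict) -> dict:
    separator = "&" if "?" in redirect_uri else "?"
    return {"action": "redirect", "location": redirect_uri + separator + urlencode(query)}


def success_redirect(redirect_uri: str, code: str, state) -> dict:
    """Success response (RFC 6749 section 4.1.2): the code plus the client's state."""
    query = {"code": code}
    if state is not None:
        query["state"] = state
    return _redirect(redirect_uri, query)


def error_redirect(redirect_uri: str, error: str, description: str, state) -> dict:
    """Error response (RFC 6749 section 4.1.2.1): error and error_description, echoing state."""
    query = {"error": error, "error_description": description}
    if state is not None:
        query["state"] = state
    return _redirect(redirect_uri, query)


def check_authorize_request(params: dict):
    """Validate an /authorize request before any login page is shown.

    Returns None when the request may proceed to authentication, otherwise the
    response the server sends instead. The client_id/redirect_uri check runs
    first because an error can only be redirected to a URI we already trust.
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    state = params.get("state")
    if not redirect_uri_is_registered(client_id, redirect_uri):
        # Unknown client or unregistered URI: show an error page, never redirect.
        return {"action": "error_page", "reason": "client_id/redirect_uri mismatch"}
    if params.get("response_type") != "code":
        return error_redirect(redirect_uri, "unsupported_response_type",
                              "response_type must be code", state)
    if not params.get("code_challenge") or params.get("code_challenge_method") != "S256":
        return error_redirect(redirect_uri, "invalid_request",
                              "PKCE code_challenge with method S256 is required", state)
    return None


if __name__ == "__main__":
    request = {"client_id": "example-client", "redirect_uri": "https://app.example.test/callback",
               "response_type": "code", "code_challenge": "E" * 43,
               "code_challenge_method": "S256", "state": "xyz"}
    print(check_authorize_request(request))                      # None: proceed to login page
    print(check_authorize_request(dict(request, redirect_uri="https://evil.example/cb")))
    print(success_redirect(request["redirect_uri"], "abc123", request["state"]))
```

The order of checks is the security-relevant part: once the redirect_uri has failed the exact match, nothing about the request is trusted enough to send the browser anywhere, so the only safe output is an error page rendered by the authorization server itself.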