Authorization endpoint (OAuth 2.1)
OAuth 2.1 authorization endpoint. Validates the request parameters, creates a
browser-bound PendingFlow record (15-minute TTL), and redirects the user to
the Bifrost consent screen at /oauth/consent?flow_id=xxx.
PKCE is required - code_challenge and code_challenge_method=S256 must
be provided. Plain code challenges are not supported.
A __bifrost_flow_secret HttpOnly SameSite=Lax cookie is set on redirect to
bind the consent flow to the initiating browser session (CSRF protection).
Authentication is not required - this is part of the unauthenticated OAuth bootstrap flow.
Bearer token authentication. Use your MPilot virtual-key JWT or admin JWT.
Virtual keys (prefixed with sk-bf-) can also be passed here.
In: header
Query Parameters
response_type: Must be code ("code")
client_id: Client ID obtained from the registration endpoint
redirect_uri: Must match a URI registered for this client
code_challenge: PKCE code challenge (Base64URL-encoded SHA-256 of the code verifier)
code_challenge_method: Must be S256 ("S256")
state: Opaque value to maintain state between request and callback (CSRF protection)
Response Body
curl -X GET "https://loading/{AI_GATEWAY_URL}/api/oauth/per-user/authorize?response_type=code&client_id=string&redirect_uri=string&code_challenge=string&code_challenge_method=S256&state=string"
{
  "event_id": "string",
  "type": "string",
  "is_bifrost_error": true,
  "status_code": 0,
  "error": {
    "type": "string",
    "code": "string",
    "message": "string",
    "param": "string",
    "event_id": "string"
  },
  "extra_fields": {
    "provider": "openai",
    "model_requested": "string",
    "request_type": "string"
  }
}
"string"
{
  "event_id": "string",
  "type": "string",
  "is_bifrost_error": true,
  "status_code": 0,
  "error": {
    "type": "string",
    "code": "string",
    "message": "string",
    "param": "string",
    "event_id": "string"
  },
  "extra_fields": {
    "provider": "openai",
    "model_requested": "string",
    "request_type": "string"
  }
}