Authorization endpoint (OAuth 2.1)

OAuth 2.1 authorization endpoint. Validates the request parameters, creates a browser-bound PendingFlow record (15-minute TTL), and redirects the user to the Bifrost consent screen at /oauth/consent?flow_id=xxx.

PKCE is required - code_challenge and code_challenge_method=S256 must be provided. Plain code challenges are not supported.

A __bifrost_flow_secret HttpOnly SameSite=Lax cookie is set on redirect to bind the consent flow to the initiating browser session (CSRF protection).

Authentication is not required - this is part of the unauthenticated OAuth bootstrap flow.

GET
/api/oauth/per-user/authorize
AuthorizationBearer <token>

Bearer token authentication. Use your MPilot virtual-key JWT or admin JWT. Virtual keys (prefixed with sk-bf-) can also be passed here.

In: header

Query Parameters

response_typestring

Must be code

Value in"code"
client_idstring

Client ID obtained from the registration endpoint

redirect_uristring

Must match a URI registered for this client

code_challengestring

PKCE code challenge (Base64URL-encoded SHA-256 of the code verifier)

code_challenge_methodstring

Must be S256

Value in"S256"
state?string

Opaque value to maintain state between request and callback (CSRF protection)

Response Body

curl -X GET "https://loading/{AI_GATEWAY_URL}/api/oauth/per-user/authorize?response_type=code&client_id=string&redirect_uri=string&code_challenge=string&code_challenge_method=S256&state=string"
Empty
{
  "event_id": "string",
  "type": "string",
  "is_bifrost_error": true,
  "status_code": 0,
  "error": {
    "type": "string",
    "code": "string",
    "message": "string",
    "param": "string",
    "event_id": "string"
  },
  "extra_fields": {
    "provider": "openai",
    "model_requested": "string",
    "request_type": "string"
  }
}
"string"
{
  "event_id": "string",
  "type": "string",
  "is_bifrost_error": true,
  "status_code": 0,
  "error": {
    "type": "string",
    "code": "string",
    "message": "string",
    "param": "string",
    "event_id": "string"
  },
  "extra_fields": {
    "provider": "openai",
    "model_requested": "string",
    "request_type": "string"
  }
}
On this page

On this page

No Headings