OAuth authorization code
Authorize, callback, and token exchange.
SohojX Auth implements OAuth 2.0 authorization code flow with optional OpenID Connect scopes. PKCE is optional per application (disabled by default for simpler server-side apps).
1. Authorization request
Redirect the user's browser to:
Authorize URL

```text
GET https://platform.sohojx.com/oauth/authorize
?client_id={api_key}
&redirect_uri={url_encoded_callback}
&response_type=code
&scope=openid%20profile%20email
&state={random_csrf_token}
```

If the user is not signed in, they are sent to the hosted login page for your app slug, then returned to complete authorization.
2. Callback
On success, the user lands on your redirect_uri with:
```text
?code={authorization_code}&state={your_state}
```

3. Token exchange (server-side)

Token request

```bash
curl -X POST https://platform.sohojx.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "client_id=YOUR_API_KEY" \
  -d "client_secret=YOUR_API_SECRET" \
  -d "code=AUTHORIZATION_CODE" \
  -d "redirect_uri=YOUR_CALLBACK_URL"
```

The response includes access_token, refresh_token (when applicable), id_token, and expires_in.
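A minimal server-side implementation of steps 1 to 3, added here as an example and not SohojX's own SDK: it issues the state value, optionally derives a PKCE challenge (standard RFC 7636 parameter names code_challenge, code_challenge_method and code_verifier are assumed; use this only if PKCE is enabled for your app), checks the callback's state before accepting the code, and assembles the token request body. The client id, redirect URI and secret values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORIZE_URL = "https://platform.sohojx.com/oauth/authorize"


def new_state():
    # Unguessable per-login value; keep it in the server session and compare it on callback.
    return secrets.token_urlsafe(32)


def pkce_challenge(code_verifier):
    # RFC 7636 S256 transform: base64url(sha256(verifier)) without padding.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id, redirect_uri, state, code_verifier=None):
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile email",
        "state": state,
    }
    if code_verifier:  # only when PKCE is enabled for the application (assumed parameter names)
        params["code_challenge"] = pkce_challenge(code_verifier)
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def code_from_callback(callback_url, expected_state):
    # Refuse the code unless state matches what this session issued (the CSRF check).
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [""])[0]
    if not secrets.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale login")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def token_request_form(client_id, client_secret, code, redirect_uri, code_verifier=None):
    # Form body for POST https://platform.sohojx.com/oauth/token; send it from the server only.
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri}
    if code_verifier:
        form["code_verifier"] = code_verifier
    return form
```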
Refresh token
```bash
curl -X POST https://platform.sohojx.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "client_id=YOUR_API_KEY" \
  -d "client_secret=YOUR_API_SECRET" \
  -d "refresh_token=REFRESH_TOKEN"
```