Get an authorization URL

Generates an OAuth 2.0 authorization URL to authenticate a user with AuthKit or SSO.

JavaScript

 import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

const authorizationUrl = workos.userManagement.getAuthorizationUrl({
  connectionId: 'conn_01E4ZCR3C56J083X43JQXF3JK5',
  clientId: 'client_123456789',
  redirectUri: 'https://your-app.com/callback',
  state: 'dj1kUXc0dzlXZ1hjUQ==',
});

 https://api.workos.com/user_management/authorize?
response_type=code&
client_id=client_123456789&
redirect_uri=https://your-app.com/callback&
state=dj1kUXc0dzlXZ1hjUQ==&
connection_id=conn_01E4ZCR3C56J083X43JQXF3JK5

GET

`/user_management/authorize`

`Parameters`

`Returns`

If you are using AuthKit, set the provider parameter to "authkit", which will generate an authorization URL for your AuthKit domain. AuthKit will take care of detecting the user’s authentication method, such as identifying whether they use Email + Password or Single Sign-On,and direct them to the corresponding login flow.

Otherwise, to generate an authorization URL for a WorkOS SSO connection, you’ll have to specify the user’s connection, organization, or OAuth provider as a parameter. These connection selectors are mutually exclusive, and exactly one must be provided. The generated URL automatically directs the user to their identity provider. Once the user authenticates with their identity provider, WorkOS then issues a redirect to your redirect URI to complete the sign-in flow.

Redirect URI

In the OAuth 2.0 protocol, a redirect URI is the location that the user is redirected to once they have successfully authenticated with their identity provider.

When redirecting the user, WorkOS will generate an authorization code and pass it to your redirect URI as a code query parameter, your app will use this code to authenticate the user. Additionally, WorkOS can pass a state parameter back to your application that you may use to encode arbitrary information to restore your application state between the redirects.

Redirect URI with query parameters

 https://your-app.com/callback?code=01E2RJ4C05B52KKZ8FSRDAP23J&state=dj1kUXc0dzlXZ1hjUQ==

You can use state to encode parameters like originating URL and query parameters. This is useful in a flow where unauthenticated users are automatically redirected to a login page. After successful sign in, users will be routed to your redirect URI callback route. From there you can extract the originating URL from state and redirect the user to their intended destination.

You’ll need to configure the allowed redirect URIs for your application in the Applications section of the WorkOS Dashboard. Open your application and go to the Redirects tab. Without a valid redirect URI, your users will be unable to sign in. Make sure that the redirect URI you use as a parameter to get the authorization URL matches one of the redirect URIs configured for the application.

Redirect URIs follow stricter requirements in production environments:

HTTPS protocol is required in production environments
HTTP and localhost are allowed in staging environments
The sole exception is the use of http://127.0.0.1 in production environments to support native clients.

Wildcards

WorkOS supports using wildcard characters (*) in Redirect URIs to handle dynamic subdomains or variable ports during development.

Subdomains

The * symbol can be used as a wildcard for subdomains; however, it must be used in accordance with the following rules:

The protocol of the URL must not be http: in production environments.
The wildcard must be located in the subdomain furthest from the root domain (e.g., https://*.sub.example.com will work, but https://sub.*.example.com will not).
The URL must not contain more than one wildcard.
A wildcard character may be prefixed and/or suffixed (e.g., https://prefix-*-suffix.example.com).
A wildcard will not match across multiple subdomain levels (e.g., https://*.example.com will not match https://sub1.sub2.example.com).
Wildcards cannot be used with public suffix domains (e.g., https://*.ngrok-free.app will not work).
The wildcard will match letters, digits, hyphens, and underscores.
A URL with a wildcard cannot be set as the default redirect URI.

Ports

To support RFC 8252 (“OAuth 2.0 for Native Apps”) and local development, a wildcard may be used in place of the port number.

This is strictly limited to localhost and loopback IP addresses (e.g., 127.0.0.1).
Example: http://localhost:*/auth/callback is valid.

PKCE

The Proof Key for Code Exchange (PKCE) flow is an extension to the OAuth 2.0 Authorization Code flow. It enables public clients, like native apps or single-page apps, to perform the authorization code flow securely. If you are developing a client that makes API calls in public, you’ll need to use this flow.

In this flow, your client generates a code verifier which is a high-entropy cryptographic random string. A code challenge is derived by hashing the code verifier. Instead of using a client secret, provide the code challenge when getting the authorization URL and the code verifier when authenticating a User.

Error codes

If there is an issue generating an authorization URL, the API will return the original redirect URI with error and error_description query parameters. If provided, the state value will also be included.

Redirect URI with an error code

 https://your-app.com/callback?error=organization_invalid&error_description=No%20connection%20associated%20with%20organization&state=123456789

Possible error codes and the corresponding descriptions are listed below.

Error code	Description
`access_denied`	The identity provider denied user access to the client application or the user denied an OAuth authorization request at the identity provider.
`ambiguous_connection_selector`	A connection could not be uniquely identified using the provided connection selector (e.g., organization). This can occur when there are multiple SSO connections under the same organization. If you need multiple SSO connections for an organization, use the connection parameter to identify which connection to use for SSO.
`connection_invalid`	There is no connection for the provided ID.
`connection_strategy_invalid`	The provider has multiple strategies associated per environment.
`connection_unlinked`	The connection associated with the request is unlinked.
`invalid_connection_selector`	A valid connection selector query parameter must be provided in order to correctly determine the proper connection to return an authorization URL for. Valid connection selectors are either `connection`, `organization`, or `provider`.
`organization_invalid`	There is no organization matching the provided ID.
`oauth_failed`	An OAuth authorization request failed for a user.
`server_error`	The SSO authentication failed for the user. More detailed errors and steps to resolve are available in the Sessions tab on the connection page in the WorkOS Dashboard.

Session tokens Continue to the next section

Up next

Get an authorization URL

/user_management/authorize

Parameters

code_challenge_method?: "S256"

code_challenge?: string

domain_hint?: string

connection_id?: string

provider_query_params?: object

provider_scopes?: string[]

invitation_token?: string

screen_hint?: "sign-up" | "sign-in"

login_hint?: string

provider?: "authkit" | "AppleOAuth" | "BitbucketOAuth" | ..."authkit" | "AppleOAuth" | "BitbucketOAuth" | "GitHubOAuth" | "GitLabOAuth" | "GoogleOAuth" | "IntuitOAuth" | "LinkedInOAuth" | "MicrosoftOAuth" | "SalesforceOAuth" | "SlackOAuth" | "VercelMarketplaceOAuth" | "VercelOAuth" | "XeroOAuth"

prompt?: string

state?: string

organization_id?: string

response_type: "code"

redirect_uri: string

client_id: string

Returns

url: string