Request authentication credentials for a web application user.

This operation is the first step in server-side web application authentication.

This operation takes the user through a web authentication journey resulting in an authorisation code being returned to the server-side web application. The web application then performs a second step of exchanging this authorisation code for an access token.



Query parameters

Parameter name Value Description Additional
response_type string

Requests the type of response the authorisation API should return. For server-side web applications, this would be code, for JavaScript applications this would be token.

Possible values are:

  • code
  • token
client_id string

Identifies the client that is making the request. This is the requestors client ID.

redirect_uri string

One of the redirect URIs registered at the time of obtaining a client_id and client_secret. Must be the same as sent during the authorisation request that returned the code.

scope string

Indicates the service access your application is requesting, the user will be asked to give their consent of these permissions to be given to your application. Scope is given as a space delimited set of permissions requested by the application.

state string

This parameter contains any state which your application may want returned in the response roundtrip. The value should contain a nonce that your application can check to prevent cross-site-request-forgery attempts.

reauthenticate boolean

This parameter is used to force the user to reauthenticate for the application. This may be required to protect some user resources owned by the application.

hint string

This parameter is used to supply an email address to the authentication service. The value is used to pre-populate the email address web-screen field.


This request requires the use of one of following authorisation methods: OAuth2.

For OAuth 2 authorisation, the following scopes are required:

Scope Description User profile read permission


The following HTTP status codes may be returned, optionally with a response resource.

Status code Description Resource
302 Found

The users browser may be redirected to an appropriate authorisation web-screen, but will always result in a redirection to the supplied redirect_uri with a code= query parameter containing the authorization_code or an error= parameter otherwise.

Headers returned

Name Type Description
Location string

The URL to which the user must be directed.


GET /oauth2/authorisation?scope= HTTP/1.1

Handling the response

The response is sent to the redirect_uri passed in the authorisation request.

The redirect_uri will be of a server page that will decode the response and issue an access token exchange on the authorisation code.

The size of the code values may vary in size and be increased in the future.