### Authorization

- `Authorization` (required, in: header): `Bearer <token>`

### Request Body

`application/json` (required)

- `stepup`: boolean, default `false`
- `customClaims`: object
- `mfa`: boolean, default `false`
- `ssoAppId`: string
- `templateOptions`: object
- `locale`: string
- `pkceChallenge`: string, format `"bytes"`. Relevant only for enchanted links at this point in time; other methods will ignore this field.
- `revokeOtherSessions`: boolean

### Query Parameters

- `tenant`: string
- `redirectUrl`: string
- `prompt`: array<string>
- `test`: boolean
- `forceAuthn`: boolean

OK
SAML SSO API Overview
Use the Descope REST API to add SAML single sign-on (SSO) for your application.
Exchange Code POST
### Exchange OAuth code for Descope user session

This endpoint will exchange the OAuth code for the Descope session information needed for managing the end user session. Call this endpoint from your code flow that responds to the `url` that was returned by the [Sign-In](/api/oauth/sign-up-sign-in) endpoint. The unique code `<unique-code>` is appended as a URL parameter: `code=<unique-code>`, for example, `url = https://oauth.mycompany.com/shopping.htm?code=<unique-code>`.

### Next Steps

1. Extract the unique code `<unique-code>` from the URL parameter.
2. Call this endpoint, passing the `<unique-code>` as the request parameter.

The response object includes the session JWT (sessionJwt) and refresh JWT (refreshJwt) when this endpoint completes successfully.

### See Also

- See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone numbers.

### Endpoint Authentication

Use the authorization bearer header with the following format: `Authorization: Bearer <Project ID>`
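The two steps above, sketched as an added example that is not part of the Descope documentation or SDK: the callback handler accepts only one unambiguous `code` on the registered redirect URL before building the exchange request. The endpoint URL is a placeholder, and the `code` JSON field name and the top-level position of `sessionJwt`/`refreshJwt` are assumptions.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Assumptions, not from the page: the endpoint URL is a placeholder, the JSON
# field is named "code", and both JWTs sit at the top level of the response.
EXCHANGE_URL = "https://api.example.invalid/exchange"

class CallbackError(ValueError):
    """The redirect or the exchange response is not what the flow expects."""

def extract_code(callback_url, registered_redirect):
    """Step 1: return the single `code` parameter of the redirect URL."""
    parts = urlsplit(callback_url)
    # Compare scheme, host and path exactly; userinfo or a port in the
    # authority makes the comparison fail instead of being ignored.
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != registered_redirect:
        raise CallbackError("callback does not match the registered redirect")
    codes = parse_qs(parts.query, keep_blank_values=True).get("code", [])
    # A repeated or empty parameter is ambiguous, so refuse it outright.
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("expected exactly one non-empty code parameter")
    return codes[0]

def build_exchange_request(code, project_id, exchange_url=EXCHANGE_URL):
    """Step 2: POST the code with `Authorization: Bearer <Project ID>`."""
    return urllib.request.Request(
        exchange_url,
        data=json.dumps({"code": code}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {project_id}",
                 "Content-Type": "application/json"},
    )

def read_session(response_body):
    """Return (sessionJwt, refreshJwt); fail closed if either is absent."""
    data = json.loads(response_body)
    try:
        return data["sessionJwt"], data["refreshJwt"]
    except KeyError as missing:
        raise CallbackError(f"response lacks {missing}") from None

if __name__ == "__main__":
    # Constructed callback, shaped like the URL example in the text.
    url = "https://oauth.mycompany.com/shopping.htm?code=constructed-code"
    code = extract_code(url, "https://oauth.mycompany.com/shopping.htm")
    print(build_exchange_request(code, "P-constructed").get_method())
```

The request object is only built here, not sent; pass it to `urllib.request.urlopen` once `exchange_url` points at the real exchange endpoint, and keep the code and both JWTs out of application logs.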