API ReferenceInbound Apps (OAuth)
GET
/oauth2/v1/apps/authorize

Query Parameters

response_type?string

RFC 9101 §6.3: when a JAR request parameter is present, response_type and redirect_uri may be omitted from the outer query and carried inside the JWT. The controller validates the resolved values after JAR processing.

scope?string
client_id?string
state?string
redirect_uri?string
code_challenge_method?string

PKCE

code_challenge?string
nonce?string
loginHint?string
prompt?string
flow?string
flow_token?string
resource?array<string>
string

RFC 8707 - OAuth 2.0 Resource Indicators

project_id?string
tenant?string
mcp_server_id?string
style?string
dpop_jkt?string
request?string
request_uri?string

Start the authorization code flow for an Inbound App. Redirect the user-agent to this endpoint with client_id, redirect_uri, response_type=code, scope, state, and PKCE parameters.

See Authorization server endpoints for the full flow.

curl -X GET "https://api.descope.com/oauth2/v1/apps/authorize"
{}
export interface Response {}
Was this helpful?

Inbound Apps (OAuth) API Overview

REST API reference for Descope's OAuth 2.0 authorization server used by Inbound Apps — authorize, token, revoke, and userinfo endpoints.

OAuth 2.0 authorize endpoint (POST) POST

Start authorization with a JSON request body (non-browser clients). Same semantics as the GET endpoint. See [Authorization server endpoints](/identity-federation/inbound-apps/authorization-server).