API ReferenceInbound Apps (OAuth)
POST
/oauth2/v1/apps/authorize

Request Body

application/json

response_type?string

RFC 9101 §6.3: when a JAR request parameter is present, response_type and redirect_uri may be omitted from the outer query and carried inside the JWT. The controller validates the resolved values after JAR processing.

scope?string
client_id?string
state?string
redirect_uri?string
code_challenge_method?string

PKCE

code_challenge?string
nonce?string
loginHint?string
prompt?string
flow?string
flow_token?string
resource?array<string>
string

RFC 8707 - OAuth 2.0 Resource Indicators

project_id?string
tenant?string
mcp_server_id?string
style?string
dpop_jkt?string
request?string
request_uri?string

Start authorization with a JSON request body (non-browser clients). Same semantics as the GET endpoint.

See Authorization server endpoints.

curl -X POST "https://api.descope.com/oauth2/v1/apps/authorize" \  -H "Content-Type: application/json" \  -d '{}'
{}
export interface Response {}
Was this helpful?

OAuth 2.0 authorize endpoint (GET) GET

Start the authorization code flow for an [Inbound App](/identity-federation/inbound-apps). Redirect the user-agent to this endpoint with `client_id`, `redirect_uri`, `response_type=code`, `scope`, `state`, and PKCE parameters. See [Authorization server endpoints](/identity-federation/inbound-apps/authorization-server) for the full flow.

OAuth 2.0 token endpoint (Inbound Apps) POST

Exchange authorization codes, refresh tokens, client credentials, JWT bearer assertions, and RFC 8693 token-exchange requests for [Inbound App](/identity-federation/inbound-apps) access tokens. Supported `grant_type` values and examples are documented in [Authorization server endpoints](/identity-federation/inbound-apps/authorization-server) and [Using Inbound Apps](/identity-federation/inbound-apps/using-inbound-apps).