OAuth 2.0 authentication

curl --request POST \
  --url https://api.turnkey.com/public/v1/submit/oauth2_authenticate \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "X-Stamp: <string> (see Authorizations)" \
  --data '{
    "type": "ACTIVITY_TYPE_OAUTH2_AUTHENTICATE",
    "timestampMs": "<string> (e.g. 1746736509954)",
    "organizationId": "<string> (Your Organization ID)",
    "parameters": {
        "oauth2CredentialId": "<string>",
        "authCode": "<string>",
        "redirectUri": "<string>",
        "codeVerifier": "<string>",
        "nonce": "<string>",
        "bearerTokenTargetPublicKey": "<string>"
    }
}'

{
  "activity": {
    "id": "<activity-id>",
    "status": "ACTIVITY_STATUS_COMPLETED",
    "type": "ACTIVITY_TYPE_OAUTH2_AUTHENTICATE",
    "organizationId": "<organization-id>",
    "timestampMs": "<timestamp> (e.g. 1746736509954)",
    "result": {
      "activity": {
        "id": "<string>",
        "organizationId": "<string>",
        "status": "<string>",
        "type": "<string>",
        "intent": {
          "oauth2AuthenticateIntent": {
            "oauth2CredentialId": "<string>",
            "authCode": "<string>",
            "redirectUri": "<string>",
            "codeVerifier": "<string>",
            "nonce": "<string>",
            "bearerTokenTargetPublicKey": "<string>"
          }
        },
        "result": {
          "oauth2AuthenticateResult": {
            "oidcToken": "<string>"
          }
        },
        "votes": "<array>",
        "fingerprint": "<string>",
        "canApprove": "<boolean>",
        "canReject": "<boolean>",
        "createdAt": "<string>",
        "updatedAt": "<string>"
      }
    }
  }
}

POST

public

submit

oauth2_authenticate

Authorizations

API Key
WebAuthn (Passkey)

X-Stamp

string

required

Cryptographically signed (stamped) request to be passed in as a header. For more info, see here.

Body

type

enum<string>

required

Enum options: ACTIVITY_TYPE_OAUTH2_AUTHENTICATE

timestampMs

string

required

Timestamp (in milliseconds) of the request, used to verify liveness of user requests.

organizationId

string

required

Unique identifier for a given Organization.

parameters

object

required

The parameters object containing the specific intent data for this activity.

Show details

parameters.oauth2CredentialId

string

required

The OAuth 2.0 credential id whose client_id and client_secret will be used in the OAuth 2.0 flow

parameters.authCode

string

required

The auth_code provided by the OAuth 2.0 provider to the end user to be exchanged for a Bearer token in the OAuth 2.0 flow

parameters.redirectUri

string

required

The URI the user is redirected to after they have authenticated with the OAuth 2.0 provider

parameters.codeVerifier

string

required

The code verifier used by OAuth 2.0 PKCE providers

parameters.nonce

string

An optional nonce used by the client to prevent replay/substitution of an ID token

parameters.bearerTokenTargetPublicKey

string

An optional P256 public key to which, if provided, the bearer token will be encrypted and returned via the encrypted_bearer_token claim of the OIDC Token

Response

A successful response returns the following fields:

activity

object

required

The activity object containing type, intent, and result

Show activity details

activity.id

string

required

Unique identifier for a given Activity object.

activity.organizationId

string

required

Unique identifier for a given Organization.

activity.status

string

required

The activity status

activity.type

string

required

The activity type

activity.intent

object

required

The intent of the activity

Show intent details

activity.intent.oauth2AuthenticateIntent

object

required

The oauth2AuthenticateIntent object

Show oauth2AuthenticateIntent details

activity.intent.oauth2AuthenticateIntent.oauth2CredentialId

string

required

The OAuth 2.0 credential id whose client_id and client_secret will be used in the OAuth 2.0 flow

activity.intent.oauth2AuthenticateIntent.authCode

string

required

The auth_code provided by the OAuth 2.0 provider to the end user to be exchanged for a Bearer token in the OAuth 2.0 flow

activity.intent.oauth2AuthenticateIntent.redirectUri

string

required

The URI the user is redirected to after they have authenticated with the OAuth 2.0 provider

activity.intent.oauth2AuthenticateIntent.codeVerifier

string

required

The code verifier used by OAuth 2.0 PKCE providers

activity.intent.oauth2AuthenticateIntent.nonce

string

An optional nonce used by the client to prevent replay/substitution of an ID token

activity.intent.oauth2AuthenticateIntent.bearerTokenTargetPublicKey

string

An optional P256 public key to which, if provided, the bearer token will be encrypted and returned via the encrypted_bearer_token claim of the OIDC Token

activity.result

object

required

The result of the activity

Show result details

activity.result.oauth2AuthenticateResult

object

required

The oauth2AuthenticateResult object

Show oauth2AuthenticateResult details

activity.result.oauth2AuthenticateResult.oidcToken

string

required

Base64 encoded OIDC token issued by Turnkey to be used with the LoginWithOAuth activity

activity.votes

array

required

A list of objects representing a particular User’s approval or rejection of a Consensus request, including all relevant metadata.

activity.fingerprint

string

required

An artifact verifying a User’s action.

activity.canApprove

boolean

required

Whether the activity can be approved.

activity.canReject

boolean

required

Whether the activity can be rejected.

activity.createdAt

string

required

The creation timestamp.

activity.updatedAt

string

required

The last update timestamp.

curl --request POST \
  --url https://api.turnkey.com/public/v1/submit/oauth2_authenticate \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "X-Stamp: <string> (see Authorizations)" \
  --data '{
    "type": "ACTIVITY_TYPE_OAUTH2_AUTHENTICATE",
    "timestampMs": "<string> (e.g. 1746736509954)",
    "organizationId": "<string> (Your Organization ID)",
    "parameters": {
        "oauth2CredentialId": "<string>",
        "authCode": "<string>",
        "redirectUri": "<string>",
        "codeVerifier": "<string>",
        "nonce": "<string>",
        "bearerTokenTargetPublicKey": "<string>"
    }
}'

{
  "activity": {
    "id": "<activity-id>",
    "status": "ACTIVITY_STATUS_COMPLETED",
    "type": "ACTIVITY_TYPE_OAUTH2_AUTHENTICATE",
    "organizationId": "<organization-id>",
    "timestampMs": "<timestamp> (e.g. 1746736509954)",
    "result": {
      "activity": {
        "id": "<string>",
        "organizationId": "<string>",
        "status": "<string>",
        "type": "<string>",
        "intent": {
          "oauth2AuthenticateIntent": {
            "oauth2CredentialId": "<string>",
            "authCode": "<string>",
            "redirectUri": "<string>",
            "codeVerifier": "<string>",
            "nonce": "<string>",
            "bearerTokenTargetPublicKey": "<string>"
          }
        },
        "result": {
          "oauth2AuthenticateResult": {
            "oidcToken": "<string>"
          }
        },
        "votes": "<array>",
        "fingerprint": "<string>",
        "canApprove": "<boolean>",
        "canReject": "<boolean>",
        "createdAt": "<string>",
        "updatedAt": "<string>"
      }
    }
  }
}

⌘I

Activities

Queries

OAuth 2.0 authentication

Authorizations

Body

Response