/authorize

To begin an authentication and authorization flow, the client should direct the user's browser to the /authorize endpoint:

GET https://oauth.iracing.com/oauth2/authorize?client_id=as_issued&redirect_uri=https%3A%2F%2Fregistered-app.com%2Fcallback&response_type=code&code_challenge=...elided...&code_challenge_method=S256&state=...client_state_data...&scope=iracing.auth HTTP/1.1

Parameters

  • client_id (required)

    The client identifier issued during client registration.

  • redirect_uri (required)

    A redirect URI registered to the client, which must match exactly.

  • response_type (required)

    The only valid value for this is code.

  • code_challenge (usually required, always recommended)

    A PKCE code challenge. We require this of any client which cannot reasonably keep a secret, and encourage server-side applications to implement it regardless.

  • code_challenge_method (optional, defaults to plain)

    The PKCE code challenge method. Either S256 (recommended) or plain.

  • state (optional, recommended)

    This state value will be returned unmodified at the end of the authentication and authorization flow. It may be used to store request-specific data and in the prevention of CSRF attacks.

  • scope (optional)

    One or more scopes to request, if any, separated by white space.

    Tip

    The server may add or remove scopes at its discretion or at the request of the user. Be sure to check the scope in the token response.

  • prompt (optional)

    Space-delimited, case-sensitive list of ASCII string values which influence how the authorization server interacts with the user. Values not in the following list are ignored:

    • "verify"

      The authorization server should not honor any stored verifications; remembered devices should be forgotten.

Response

If authentication and authorization succeed, the browser will be redirected to the given redirect_uri:

HTTP/1.1 302 Found
Location: https://registered-app.com/callback?code=3122eb8a-7a91-4dae-b174-07df2b083913&state=...client_state_data...

The following parameters are added to the query string of the redirect_uri:

  • code

    The authorization code which may be used with the /token endpoint. The value is considered opaque and its format may change without warning at our discretion.

  • state

    If a state value was provided in the initial request, it will be returned unmodified for use by the client.
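The request and redirect described above, from the client's side, as an added example (not iRacing's code): it builds the /authorize URL with an S256 PKCE challenge and a random state, then checks the state on the callback before the code is used. The function names and the `pending` dict (a stand-in for server-side session storage) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://oauth.iracing.com/oauth2/authorize"  # from the page


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_request(client_id, redirect_uri, scope="iracing.auth"):
    """Return (url, pending); store `pending` server-side, keyed to the user's session."""
    code_verifier = secrets.token_urlsafe(64)  # 86 chars; RFC 7636 allows 43-128
    state = secrets.token_urlsafe(32)          # unguessable, one per request
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # must match the registered URI exactly
        "response_type": "code",
        "code_challenge": s256_challenge(code_verifier),
        # Send the method explicitly: the endpoint defaults to "plain" if omitted.
        "code_challenge_method": "S256",
        "state": state,
        "scope": scope,
    }
    pending = {"state": state, "code_verifier": code_verifier}
    return AUTHORIZE_URL + "?" + urlencode(params), pending


def handle_callback(callback_url, pending):
    """Check the returned state, then return (code, code_verifier) for /token."""
    query = parse_qs(urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the redirect did not
    # originate from the request this session started (CSRF).
    if not hmac.compare_digest(returned_state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: discard the authorization code")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code, pending["code_verifier"]  # treat the code as opaque
```

The `code_verifier` never appears in the /authorize URL; only its hash does, so it stays with the client until the code is exchanged.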