Oauth Callback

GET /api/v1/auth/oauth/:provider/callback

Handles the OAuth callback from the provider. Exchanges the authorization code for tokens and creates or links the user account.

The OAuth state is always invalidated on callback, whether the callback ends in success, a provider error, or an exception, so that a captured callback URL cannot be replayed. State tokens are one-time use and serve as the CSRF protection for the flow.

Phase 74: When the OAuth state has a bound Invitation (invite-driven SSO flow), the callback recovers the invitation FK and routes through invite_sso_service.resolve_for_callback. On email match: creates a WorkspaceMembership, marks the invite used, and delivers the JWT. On mismatch: redirects to the accept-invite page with an error_code (D-12).
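The state handling described above, as an added example that is not the project's own code: the store, the callback handler and the token-exchange callable are hypothetical assumptions, and the point shown is that the state is consumed destructively before anything else, so it is gone on success, provider error and exception alike.

```python
# Added example (not the project's own code): one-time OAuth state that is
# invalidated on every callback outcome. Store, handler and exchange
# function are hypothetical assumptions.
import secrets
import time


class InvalidState(Exception):
    """Unknown, already used, expired, or bound to another provider."""


class OAuthStateStore:
    """In-memory store; a deployment would use a shared store such as Redis."""

    def __init__(self, ttl_seconds=600):
        self._states = {}  # state -> (provider, expires_at)
        self._ttl = ttl_seconds

    def issue(self, provider):
        state = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._states[state] = (provider, time.time() + self._ttl)
        return state

    def consume(self, state, provider):
        # pop() removes the entry before any check runs, so a replayed
        # callback with the same state fails no matter how this call ends.
        entry = self._states.pop(state, None)
        if entry is None:
            raise InvalidState("unknown or already used state")
        bound_provider, expires_at = entry
        if bound_provider != provider:
            raise InvalidState("state was issued for a different provider")
        if time.time() > expires_at:
            raise InvalidState("state expired")


def handle_callback(store, provider, params, exchange_code):
    """Simulates the callback route, covering only the state handling."""
    store.consume(params.get("state", ""), provider)  # first, and destructive
    if "error" in params:  # provider-side error, e.g. user denied consent
        return {"status": "error", "error_code": params["error"]}
    try:
        tokens = exchange_code(params.get("code", ""))
    except Exception:
        # exchange failed; the state is already gone, nothing to clean up
        return {"status": "error", "error_code": "token_exchange_failed"}
    return {"status": "ok", "tokens": tokens}
```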

Request

Responses

OK