OAuth Callback
GET /api/v1/auth/oauth/:provider/callback
Handle OAuth callback from provider. Exchanges code for tokens and creates/links user account.
OAuth state is always invalidated on callback (success, error, or exception) to prevent replay attacks. State tokens are one-time use for CSRF protection.
Phase 74: When the OAuth state has a bound Invitation (invite-driven SSO flow), recovers the FK and routes through invite_sso_service.resolve_for_callback. On email match: creates WorkspaceMembership, marks invite used, delivers JWT. On mismatch: redirects to accept-invite page with error_code (D-12).
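The two guarantees above (state is invalidated on every callback outcome, and an invite-bound state either creates the membership or bounces to the accept-invite page) are easy to get subtly wrong, so here is an added, self-contained sketch of that logic. This is example code, not the project's handler: the in-memory store, the `exchange_code` / `resolve_user` callables, the `invitations` dict and the `email_mismatch` error code are all constructed for illustration, and the real `invite_sso_service.resolve_for_callback` is not modelled.

```python
"""One-time OAuth state handling for a callback endpoint (added example)."""
import secrets
import time


class OAuthStateStore:
    """In-memory one-time-use state store. Constructed for this example; a real
    deployment keeps these entries in Redis or a database so that every
    application instance sees the same consume."""

    def __init__(self, ttl_seconds=600):
        self._entries = {}
        self._ttl = ttl_seconds

    def issue(self, provider, invitation_id=None, now=None):
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        self._entries[state] = {
            "provider": provider,
            "invitation_id": invitation_id,   # bound invite FK, if any
            "expires_at": now + self._ttl,
        }
        return state

    def consume(self, state, provider, now=None):
        """Remove the state and return its payload, or None if it was unknown,
        already used, expired, or issued for a different provider. Popping
        before any other work is what makes the token one-time use: a replayed
        callback finds nothing, whatever happened on the first one."""
        now = time.time() if now is None else now
        entry = self._entries.pop(state, None)
        if entry is None or entry["expires_at"] < now or entry["provider"] != provider:
            return None
        return entry


def issue_jwt(user_id):
    # placeholder for real JWT issuance; returns an opaque constructed token
    return f"jwt-for-{user_id}"


def handle_callback(store, provider, code, state, exchange_code, resolve_user,
                    invitations, now=None):
    """Hypothetical callback handler. exchange_code(provider, code) returns a
    token dict carrying the provider-verified email; resolve_user(provider,
    tokens) creates or links the account and returns a user id; invitations is
    a constructed dict id -> {"email", "workspace_id", "used"}. The return value
    is a plain dict standing in for the HTTP response."""
    entry = store.consume(state, provider, now)   # invalidated first, on every path
    if entry is None:
        return {"status": 401, "error_code": "invalid_state"}
    try:
        tokens = exchange_code(provider, code)
        user_id = resolve_user(provider, tokens)
    except Exception:
        # the state is already gone, so a failure here leaves nothing to replay
        return {"status": 401, "error_code": "token_exchange_failed"}

    invite_id = entry["invitation_id"]
    if invite_id is None:
        return {"status": 200, "user_id": user_id, "jwt": issue_jwt(user_id)}

    invite = invitations.get(invite_id)
    if invite is None or invite["used"]:      # assumption: a used invite is treated as gone
        return {"status": 404, "error_code": "invite_not_found"}
    if invite["email"].lower() != tokens["email"].lower():
        # mismatch: leave the invite unused and send the user back to accept-invite
        # ("email_mismatch" is an assumed error code, not one from the page)
        return {"status": 302,
                "location": f"/accept-invite/{invite_id}?error_code=email_mismatch"}
    invite["used"] = True
    membership = {"workspace_id": invite["workspace_id"], "user_id": user_id}
    return {"status": 200, "user_id": user_id, "membership": membership,
            "jwt": issue_jwt(user_id)}


if __name__ == "__main__":
    store = OAuthStateStore()
    s = store.issue("github")
    ok = lambda p, c: {"access_token": "t", "email": "alice@example.com"}
    print(handle_callback(store, "github", "code", s, ok, lambda p, t: "user-1", {}))
    print(handle_callback(store, "github", "code", s, ok, lambda p, t: "user-1", {}))  # replay -> 401
```

The design choice worth noting is that `consume` pops the entry before the token exchange rather than relying on a `finally` after it: with a shared store that pop is the single atomic step, so two concurrent callbacks carrying the same `state` cannot both pass, and an exception in any later step cannot leave a live token behind.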
Request
Responses
- 200 OK
- 401 Unauthorized
- 403 Forbidden
- 404 Not Found
- 422 Validation Error