Hosted Auth Context

Public hosted-auth metadata for login UIs.

Updated May 29, 2026

/authorize is the hosted AuthOS login entrypoint for end-user applications. Applications should redirect users there and let AuthOS handle provider selection, HRD, password, magic link, passkeys, MFA, recovery, and final token return.

GET /api/auth/context returns public organization and service metadata for hosted login surfaces before a user authenticates. It is mainly used by the hosted UI and by custom login UIs that intentionally opt out of the default /authorize page.

/app/account-security is the hosted account-security portal. Send authenticated users there to manage user-level factors such as authenticator MFA, backup codes, passkeys, and trusted devices on the AuthOS origin.

Hosted URLs

GET /authorize?org=acme-corp&service=main-app&redirect_uri=https%3A%2F%2Fapp.acme.com%2Fcallback
GET /app/account-security?org=acme-corp&service=main-app&return_to=https%3A%2F%2Fapp.acme.com%2Fsettings

Query parameters

Parameter     Type    Description
org           string  Optional organization slug
service       string  Optional service slug
redirect_uri  string  Optional candidate callback URI to validate
return_to     string  Optional account-security return URL; used by /app/account-security

Example

curl "https://sso.example.com/api/auth/context?org=acme-corp&service=main-app&redirect_uri=https://app.acme.com/callback"

Response

{
  "organization": {
    "slug": "acme-corp",
    "name": "Acme Corp",
    "logo_url": "https://cdn.example.com/logo.svg",
    "primary_color": "#0f766e",
    "status": "active"
  },
  "service": {
    "slug": "main-app",
    "name": "Main App",
    "service_type": "web",
    "redirect_uri_valid": true
  },
  "available_providers": ["github", "google"],
  "auth_methods": ["password", "magic_link", "passkey"],
  "support_available": true
}

Notes

  • If org is omitted, the endpoint returns platform-level defaults.
  • If the organization is not active, available_providers and auth_methods are emptied.
  • redirect_uri_valid is only returned when both service and redirect_uri are provided.
  • Passkey registration and authentication are WebAuthn RP/origin-bound. Prefer the hosted AuthOS surfaces unless you have explicitly designed and configured a custom WebAuthn origin.
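
The checks a custom login UI would apply to this response before rendering, as an added example (not AuthOS code). buildContextUrl and planLoginUi are hypothetical helper names, the host comes from the curl example above, and the sample object is constructed from the response shown on this page.

```javascript
// Added example; buildContextUrl and planLoginUi are hypothetical helper names.
const AUTHOS_ORIGIN = "https://sso.example.com"; // host taken from the curl example

// Build the context request. URLSearchParams percent-encodes redirect_uri.
function buildContextUrl({ org, service, redirectUri } = {}) {
  const url = new URL("/api/auth/context", AUTHOS_ORIGIN);
  if (org) url.searchParams.set("org", org);
  if (service) url.searchParams.set("service", service);
  if (redirectUri) url.searchParams.set("redirect_uri", redirectUri);
  return url.toString();
}

// Decide what a custom login UI may render from a context response, failing closed.
function planLoginUi(ctx, { sentRedirectUri = false, customWebAuthnOrigin = false } = {}) {
  const deny = (reason) => ({ ok: false, reason, providers: [], methods: [] });
  if (ctx.organization && ctx.organization.status !== "active") {
    return deny("organization_inactive");
  }
  // redirect_uri_valid is only present when service and redirect_uri were both
  // sent, so anything other than a literal true is treated as not validated.
  if (sentRedirectUri && (!ctx.service || ctx.service.redirect_uri_valid !== true)) {
    return deny("redirect_uri_not_validated");
  }
  const providers = Array.isArray(ctx.available_providers) ? ctx.available_providers : [];
  let methods = Array.isArray(ctx.auth_methods) ? ctx.auth_methods : [];
  // Passkeys are RP/origin-bound: hide them unless a custom WebAuthn origin is configured.
  if (!customWebAuthnOrigin) methods = methods.filter((m) => m !== "passkey");
  if (providers.length === 0 && methods.length === 0) return deny("no_login_methods");
  return { ok: true, reason: null, providers, methods };
}

// Constructed sample, trimmed from the response shown above.
const SAMPLE_CONTEXT = {
  organization: { slug: "acme-corp", status: "active" },
  service: { slug: "main-app", redirect_uri_valid: true },
  available_providers: ["github", "google"],
  auth_methods: ["password", "magic_link", "passkey"],
};

console.log(buildContextUrl({ org: "acme-corp", service: "main-app",
  redirectUri: "https://app.acme.com/callback" }));
console.log(planLoginUi(SAMPLE_CONTEXT, { sentRedirectUri: true }));
```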