Hosted Auth Context
/authorize is the hosted AuthOS login entrypoint for end-user applications. Applications should redirect users there and let AuthOS handle provider selection, HRD, password, magic link, passkeys, MFA, recovery, and final token return.
GET /api/auth/context returns public organization and service metadata for hosted login surfaces before a user authenticates. It is mainly used by the hosted UI and by custom login UIs that intentionally opt out of the default /authorize page.
/app/account-security is the hosted account-security portal. Send authenticated users there to manage user-level factors such as authenticator MFA, backup codes, passkeys, and trusted devices on the AuthOS origin.
Hosted URLs
GET /authorize?org=acme-corp&service=main-app&redirect_uri=https%3A%2F%2Fapp.acme.com%2Fcallback
GET /app/account-security?org=acme-corp&service=main-app&return_to=https%3A%2F%2Fapp.acme.com%2Fsettings
Query parameters
| Parameter | Type | Description |
|---|---|---|
| `org` | string | Optional organization slug |
| `service` | string | Optional service slug |
| `redirect_uri` | string | Optional candidate callback URI to validate |
| `return_to` | string | Optional account-security return URL; used by `/app/account-security` |
Example
```bash
curl "https://sso.example.com/api/auth/context?org=acme-corp&service=main-app&redirect_uri=https://app.acme.com/callback"
```
Response
```json
{
  "organization": {
    "slug": "acme-corp",
    "name": "Acme Corp",
    "logo_url": "https://cdn.example.com/logo.svg",
    "primary_color": "#0f766e",
    "status": "active"
  },
  "service": {
    "slug": "main-app",
    "name": "Main App",
    "service_type": "web",
    "redirect_uri_valid": true
  },
  "available_providers": ["github", "google"],
  "auth_methods": ["password", "magic_link", "passkey"],
  "support_available": true
}
```
Notes
- If `org` is omitted, the endpoint returns platform-level defaults.
- If the organization is not active, `available_providers` and `auth_methods` are emptied.
- `redirect_uri_valid` is only returned when both `service` and `redirect_uri` are provided.
- Passkey registration and authentication are WebAuthn RP/origin-bound. Prefer the hosted AuthOS surfaces unless you have explicitly designed and configured a custom WebAuthn origin.
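The following is an added example of how a custom login UI might consume the context response and build the hosted `/authorize` redirect; it is not AuthOS code, the sample response is constructed from the shape above, and the https-only callback rule is an assumed local policy rather than an AuthOS requirement. The key defensive point is the note above: a missing `redirect_uri_valid` means the callback was never checked, so it is treated the same as an invalid one.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample of a GET /api/auth/context response, in the shape shown on this page.
SAMPLE_CONTEXT = json.loads("""{
  "organization": {"slug": "acme-corp", "name": "Acme Corp", "status": "active"},
  "service": {"slug": "main-app", "name": "Main App", "service_type": "web",
              "redirect_uri_valid": true},
  "available_providers": ["github", "google"],
  "auth_methods": ["password", "magic_link", "passkey"],
  "support_available": true
}""")


def build_authorize_url(base_url, org, service, redirect_uri):
    """Build the hosted /authorize URL. urlencode percent-encodes redirect_uri
    (':' and '/' included), producing the form shown under Hosted URLs."""
    # Assumed local policy (not an AuthOS rule): callbacks must be absolute https URLs.
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redirect_uri must be an absolute https URL")
    query = urlencode({"org": org, "service": service, "redirect_uri": redirect_uri})
    return f"{base_url.rstrip('/')}/authorize?{query}"


def evaluate_context(ctx, sent_service, sent_redirect_uri):
    """Decide whether a custom login UI may proceed with the returned context.
    Returns {"ok", "reason", "providers", "methods"}."""
    org = ctx.get("organization") or {}   # absent when org was omitted (platform defaults)
    svc = ctx.get("service") or {}
    blocked = {"ok": False, "providers": [], "methods": []}
    if org and org.get("status") != "active":
        return dict(blocked, reason="organization_inactive")
    # redirect_uri_valid is present only when both service and redirect_uri were sent.
    # A missing key means "not checked"; treat it like "not valid" and never build an
    # /authorize redirect around a callback the server did not accept.
    if sent_service and sent_redirect_uri and svc.get("redirect_uri_valid") is not True:
        return dict(blocked, reason="redirect_uri_rejected")
    providers = list(ctx.get("available_providers") or [])
    methods = list(ctx.get("auth_methods") or [])
    # An inactive org comes back with both lists emptied; nothing can be rendered.
    if not providers and not methods:
        return dict(blocked, reason="no_login_methods")
    return {"ok": True, "reason": None, "providers": providers, "methods": methods}
```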