Authorize
Start the OAuth 2.0 authorization code flow.
GET /oauth-authorize
These endpoints are used by third-party OAuth integrations (such as Zapier). If you are building a direct server integration, use an API key instead.
Redirect the user's browser to this endpoint to begin the OAuth flow. WundertreOS validates the request, then renders an in‑app consent screen where the user picks an organization and approves your requested scopes. On approval, the user is redirected back to your redirect_uri with an authorization code.
Query parameters
| Name | Type | Description |
|---|---|---|
| client_id (required) | string | Your OAuth client ID (from the WundertreOS developer dashboard). |
| redirect_uri (required) | string | Must exactly match a redirect URI registered with your client. |
| response_type (required) | string | Must be `code`. Any other value returns `unsupported_response_type`. |
| scope | string | Space‑separated list of scopes (e.g. `contacts:read contacts:write`). Optional; defaults to `contacts:read` if omitted. Every requested scope must be in your client's `allowed_scopes`. |
| state | string | Opaque value echoed back to your redirect URI. Use it to prevent CSRF (strongly recommended). |
| code_challenge | string | PKCE challenge (recommended for public clients). |
| code_challenge_method | string | If using PKCE, must be `S256`. `plain` is not supported. |
Example
```text
https://api.wundertreos.com/functions/v1/oauth-authorize
?client_id=zapier
&redirect_uri=https%3A%2F%2Fzapier.com%2Fdashboard%2Fauth%2Foauth%2Freturn
&response_type=code
&scope=contacts:read%20contacts:write%20webhooks:write
&state=abc123
```
Successful redirect
```text
https://your-app.com/callback?code=8f3c2a1d9e7b4f6a5c2d1e0f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b&state=abc123
```
Authorization codes are single‑use and short‑lived. Exchange them immediately at POST /oauth-token.
Errors
If the user clicks Deny, or your request is malformed, WundertreOS redirects to your redirect_uri with an error query parameter:
```text
https://your-app.com/callback?error=access_denied&state=abc123
```
| error | When |
|---|---|
| invalid_request | Missing `client_id` / `redirect_uri`. |
| invalid_client | Unknown or inactive client. |
| invalid_scope | One or more requested scopes are not allowed for this client. |
| unsupported_response_type | `response_type` was not `code`. |
| access_denied | The user clicked Deny on the consent screen. |
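The request and callback described above, as an added client-side example (not WundertreOS code): it builds the authorize URL with a random `state` and a PKCE `S256` challenge, then validates the redirect before accepting the code. The function names, the `session` dict standing in for server-side session storage, and the client ID used when calling it are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://api.wundertreos.com/functions/v1/oauth-authorize"


def begin_authorization(client_id, redirect_uri, scopes):
    """Return (url, session); keep `session` server-side, tied to the user's browser."""
    state = secrets.token_urlsafe(32)      # unguessable CSRF token
    verifier = secrets.token_urlsafe(64)   # PKCE code_verifier, 86 chars (RFC 7636: 43-128)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    # S256 challenge: base64url(SHA-256(verifier)) with padding stripped
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }, quote_via=quote)                    # spaces become %20, as in the page's example
    # The verifier never goes in the URL; it is held back for the later code exchange.
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url, session):
    """Validate the redirect and return the authorization code, or raise."""
    params = parse_qs(urlsplit(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # Check state before anything else: a mismatch means this browser session
    # did not start the flow, so neither `code` nor `error` can be trusted.
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise PermissionError("state mismatch")
    if "error" in params:
        raise RuntimeError(params["error"][0])   # e.g. access_denied, invalid_scope
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]
```

Discard the stored `state` once a callback has been processed so a replayed redirect fails the comparison.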
