Skip to main content
GET
/
v1
/
session
/
login
/
oauth
/
{provider}
/
callback
OAuth callback (GET)
curl --request GET \
  --url https://{appId}.session.prelude.dev/v1/session/login/oauth/{provider}/callback

Path Parameters

provider
string
required

The OAuth provider identifier

Example:

"google"

Query Parameters

code
string

The authorization code from the OAuth provider

Example:

"4/0AX4XfWh..."

state
string
required

The state parameter for CSRF protection

Example:

"st_01jqebhswje1ka1z7ahr9rfsgt"

error
string

Error code from the OAuth provider

Example:

"access_denied"

error_description
string

Error description from the OAuth provider

Example:

"The user denied access"

Response

Redirect to the client application's redirect_uri with one of:

  • challenge_token=<jwt> — login may be finalized via the Finalize login endpoint.
  • challenge_token=<jwt>&status=otp_required — the OAuth provider has verify_email=true and the IdP returned an unverified email. The SDK sends an email OTP and the host app must collect the code via the OTP screen; the SDK finalizes the login automatically once the OTP is verified.
  • error=<code>&error_description=<message> — provider error or Session-level rejection (e.g. email_already_in_use).