> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prelude.so/llms.txt
> Use this file to discover all available pages before exploring further.

# OAuth callback (POST)

> Handle the OAuth provider callback via POST (form data). Used by providers like Apple that use form_post response_mode. Redirects to the client application with a challenge token or error.

## OpenAPI

````yaml post /v1/session/login/oauth/{provider}/callback
openapi: 3.1.1
info:
  title: Prelude Session Frontend API
  version: 0.0.1
  description: The Prelude Frontend API for Session Management
  contact:
    email: support@prelude.so
servers:
  - url: https://{appId}.session.prelude.dev
    description: Production server
    variables:
      appId:
        default: changeme
        description: The appID
security: []
tags:
  - name: Login OTP
    description: Login and step-up via OTP (phone or email)
  - name: Login Email Password
    description: Login via email and password
  - name: Login OAuth
    description: Login via OAuth providers
  - name: Login Finalize
    description: Finalize a login flow and create a session
  - name: Login Migration
    description: Migrate sessions from a legacy authentication system
  - name: Session
    description: Session refresh and revocation
  - name: Session Management
    description: Authenticated session and identifier management
  - name: Step-Up
    description: Step-up authentication flow
  - name: Well-Known
    description: Public key discovery endpoints
  - name: Password
    description: Password compliance and change password
paths:
  /v1/session/login/oauth/{provider}/callback:
    post:
      tags:
        - Login OAuth
      summary: OAuth callback (POST)
      description: >-
        Handle the OAuth provider callback via POST (form data). Used by
        providers like Apple that use form_post response_mode. Redirects to the
        client application with a challenge token or error.
      operationId: oauthCallbackPost
      parameters:
        - name: provider
          in: path
          required: true
          schema:
            type: string
            examples:
              - apple
          description: The OAuth provider identifier
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                code:
                  type: string
                  description: The authorization code from the OAuth provider
                state:
                  type: string
                  description: The state parameter for CSRF protection
                error:
                  type: string
                  description: Error code from the OAuth provider
                error_description:
                  type: string
                  description: Error description from the OAuth provider
              required:
                - state
      responses:
        '302':
          description: |
            Redirect to the client application's `redirect_uri` with one of:
              * `challenge_token=<jwt>` — login may be finalized via the [Finalize login](/session/api-reference/frontend/finalize-login) endpoint.
              * `challenge_token=<jwt>&status=otp_required` — the OAuth provider has `verify_email=true` and the IdP returned an unverified email. The SDK sends an email OTP and the host app must collect the code via the OTP screen; the SDK finalizes the login automatically once the OTP is verified.
              * `error=<code>&error_description=<message>` — provider error or Session-level rejection (e.g. `email_in_use`).
        '400':
          description: Bad Request (invalid provider or missing state)
        '500':
          description: Internal Server Error

````
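The following worked example is added to this page and is not Prelude's code or SDK. It models both sides of the contract documented above: the server side receives a form_post body, requires a single-use `state`, and answers with a 302 to the client application's `redirect_uri` carrying one of the three documented query outcomes; the client side parses that redirect and dispatches on it. The in-memory `PENDING_LOGINS` store, the `ALLOWED_REDIRECT_URIS` allowlist, the `SessionRejected` exception and the caller-supplied `exchange_code` callable (a stand-in for the code-for-token exchange at the IdP) are assumptions for illustration, not Prelude internals.

```python
"""Added example, not Prelude's code: the documented POST callback contract.

Assumed (not from the page): PENDING_LOGINS keyed by `state`, an allowlist of
registered redirect URIs, and `exchange_code(provider, code)` returning
(challenge_token_jwt, email_verified) or raising SessionRejected.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

ALLOWED_PROVIDERS = {"apple"}                                      # constructed
ALLOWED_REDIRECT_URIS = {"https://app.example.com/auth/callback"}  # constructed allowlist


@dataclass(frozen=True)
class PendingLogin:
    redirect_uri: str    # captured when the flow started, never read from the callback
    verify_email: bool   # the provider's `verify_email` setting named in the 302 docs


PENDING_LOGINS: dict[str, PendingLogin] = {}  # state -> pending login (assumed short-lived)


class SessionRejected(Exception):
    """Session-level rejection after a successful IdP exchange, e.g. `email_in_use`."""
    def __init__(self, code, message):
        super().__init__(code)
        self.code, self.message = code, message


def start_login(provider, redirect_uri, verify_email=False):
    """Begin a flow: mint an unguessable, single-use `state` bound to redirect_uri."""
    if provider not in ALLOWED_PROVIDERS:
        raise ValueError("unknown provider")
    if redirect_uri not in ALLOWED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered")
    state = secrets.token_urlsafe(32)
    PENDING_LOGINS[state] = PendingLogin(redirect_uri, verify_email)
    return state


def _redirect(redirect_uri, params):
    """302 whose query is built with urlencode(), so provider-supplied text
    (error_description) cannot smuggle extra parameters into the redirect."""
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return 302, redirect_uri + sep + urlencode(params)


def handle_callback_post(provider, form, exchange_code):
    """Server side. `form` is the parsed application/x-www-form-urlencoded body.
    Returns (http_status, Location-or-None), mirroring the documented responses."""
    if provider not in ALLOWED_PROVIDERS:
        return 400, None                      # invalid provider
    state = form.get("state")
    if not state:
        return 400, None                      # missing state
    # pop(): the state is single-use, so a replayed or forged callback gets 400.
    pending = PENDING_LOGINS.pop(state, None)
    if pending is None:
        return 400, None
    if form.get("error"):
        # Provider error: relay code and description to the client, URL-encoded.
        return _redirect(pending.redirect_uri, {
            "error": form["error"],
            "error_description": form.get("error_description", ""),
        })
    try:
        challenge_token, email_verified = exchange_code(provider, form.get("code", ""))
    except SessionRejected as rej:
        return _redirect(pending.redirect_uri,
                         {"error": rej.code, "error_description": rej.message})
    params = {"challenge_token": challenge_token}
    if pending.verify_email and not email_verified:
        params["status"] = "otp_required"     # SDK sends an email OTP before finalizing
    return _redirect(pending.redirect_uri, params)


def parse_client_redirect(location):
    """Client side: classify the redirect the host app / SDK receives."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
    if "error" in q:
        return {"outcome": "error", "code": q["error"],
                "message": q.get("error_description", "")}
    if "challenge_token" not in q:
        raise ValueError("redirect carries neither challenge_token nor error")
    if q.get("status") == "otp_required":
        return {"outcome": "otp_required", "challenge_token": q["challenge_token"]}
    return {"outcome": "finalize", "challenge_token": q["challenge_token"]}


if __name__ == "__main__":
    s = start_login("apple", "https://app.example.com/auth/callback")
    status, loc = handle_callback_post("apple", {"code": "c1", "state": s},
                                       lambda p, c: ("jwt.constructed", True))
    print(status, loc, parse_client_redirect(loc))
```

Two design points carry the security weight here. The redirect target comes from the pending login recorded when the flow started, never from the callback body, because the form_post body is sent by the provider and must not be able to steer the redirect; and `state` is consumed on first use, so a replayed or guessed callback lands on the documented 400 rather than on a redirect. On the client side, treat `error_description` as untrusted text from the IdP: it is safe to display, but not to place into HTML or a URL without encoding.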