Initiates the mobile OAuth authentication flow by redirecting to StackAuth.
**Security Requirements:**
- Requires valid mobile API key in X-API-Key header
- Rate limited to prevent abuse
**Flow:**
1. Validates API key and parameters
2. Generates secure state parameter with CSRF protection
3. Constructs StackAuth OAuth URL
4. Redirects user to StackAuth for authentication
**After OAuth:**
The user will be redirected to `/auth/mobile/callback`, which handles the token exchange and redirects back to the mobile app with an exchange code.
**Authorizations**

| Header | Type | Required |
| --- | --- | --- |
| `X-Tenant-ID` | string | Required |

**Query parameters**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `provider` | string | Required | OAuth provider (google, apple, discord, etc.). Example: `google` |
| `redirect_uri` | string | Required | Mobile app deep link URI for the final redirect. Example: `myapp://auth-callback` |

**Responses**

| Status | Content type | Description |
| --- | --- | --- |
| 200 | application/json | Successful Response |
| 400 | | Invalid provider or redirect URI |
| 401 | | Missing or invalid mobile API key |
| 422 | application/json | Validation Error |
| 429 | | Rate limit exceeded |

`GET /auth/mobile/login`
**Handle OAuth Callback** (`GET`)

Handles the OAuth callback from StackAuth and redirects to the mobile app.
**Flow:**
1. Receives authorization code and state from StackAuth
2. Validates state parameter for CSRF protection
3. Exchanges authorization code for access token
4. Stores tokens temporarily in Redis with exchange code
5. Returns HTML page that redirects to mobile app with exchange code
**Security:**
- State parameter validation prevents CSRF attacks
- Exchange codes expire in 60 seconds
- One-time use codes prevent replay attacks
**Note:** This endpoint does not require an API key, because it is called by StackAuth.
**Query parameters**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `code` | string or null | Optional | OAuth authorization code from StackAuth |
| `state` | string or null | Optional | CSRF state parameter |
| `error` | string or null | Optional | OAuth error if authentication failed |

**Responses**

| Status | Content type | Description |
| --- | --- | --- |
| 200 | text/html (response: string) | HTML page with mobile app redirect |
| 400 | | Invalid or expired state parameter |
| 422 | application/json | Validation Error |
| 500 | | OAuth processing failed |

`GET /auth/mobile/callback`
**Exchange Code for Tokens** (`POST`)
Exchanges the exchange code for final authentication tokens and user data.
**Security Requirements:**
- Requires valid mobile API key in X-API-Key header
- Rate limited to prevent abuse
- Exchange codes are one-time use and expire in 60 seconds
**Flow:**
1. Validates API key and exchange code
2. Retrieves stored authentication data from Redis
3. Processes post-login flow (user creation, role assignment)
4. Returns complete authentication response
**Response includes:**
- StackAuth access and refresh tokens
- Complete user profile with roles and permissions
- Tenant information
**Authorizations**

| Header | Type | Required |
| --- | --- | --- |
| `X-Tenant-ID` | string | Required |

**Body**

Mobile token exchange request model.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `exchange_code` | string (min: 1, max: 64) | Required | Exchange code received from the OAuth callback |

**Responses**

| Status | Content type | Description |
| --- | --- | --- |
| 200 | application/json | Complete authentication response |
| 400 | | Invalid or expired exchange code |
| 401 | | Missing or invalid mobile API key |
| 422 | application/json | Validation Error |
| 429 | | Rate limit exceeded |
| 500 | | Token exchange failed |

`POST /auth/mobile/exchange`
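The three mobile endpoints above form one hand-off: a CSRF state minted at login, tokens parked in Redis under an exchange code at the callback, and a single redemption within 60 seconds at exchange. The following is an added example of that hand-off, not code from this API: `TtlStore` is an in-memory stand-in for Redis, the `tokens` argument stands in for the code-for-token exchange with StackAuth, and the 600-second state lifetime is an assumption the page does not state.

```python
"""Mobile OAuth hand-off: CSRF state, then a 60-second one-time exchange code."""
import secrets

EXCHANGE_TTL = 60   # seconds; the documented lifetime of an exchange code
STATE_TTL = 600     # seconds; assumption, the page gives no state lifetime


class TtlStore:
    """In-memory stand-in for Redis. `getdel` deletes on read, so every key can be
    redeemed at most once (Redis GETDEL, or a MULTI/GET/DEL, gives the same effect)."""

    def __init__(self):
        self._items = {}

    def setex(self, key, value, ttl, now):
        self._items[key] = (value, now + ttl)

    def getdel(self, key, now):
        value, expires_at = self._items.pop(key, (None, 0))
        return value if value is not None and now < expires_at else None


def start_login(store, provider, redirect_uri, now):
    """GET /auth/mobile/login: mint an unguessable state and bind it to the
    provider and redirect_uri of this request so the callback can check both."""
    state = secrets.token_urlsafe(32)
    store.setex(f"state:{state}", {"provider": provider,
                                   "redirect_uri": redirect_uri}, STATE_TTL, now)
    return state


def handle_callback(store, state, tokens, now):
    """GET /auth/mobile/callback: reject unknown, expired or reused state (400),
    then park the StackAuth tokens under a fresh exchange code for 60 seconds.
    `tokens` stands for the result of the code-for-token exchange with StackAuth."""
    bound = store.getdel(f"state:{state}", now)
    if bound is None:
        return None
    code = secrets.token_urlsafe(32)
    store.setex(f"exchange:{code}", {"tokens": tokens, **bound}, EXCHANGE_TTL, now)
    return code, bound["redirect_uri"]   # the HTML page redirects to this deep link


def exchange_code(store, code, now):
    """POST /auth/mobile/exchange: redeem the code exactly once within 60 seconds.
    Returns the stored tokens and binding, or None for an invalid/expired code (400)."""
    return store.getdel(f"exchange:{code}", now)
```

Because the store deletes on read, a replayed state or exchange code and a code presented at or after the 60-second mark both map to the documented 400 responses.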
**Get Me** (`GET`)

Get the current authenticated user.

**Authorizations**

| Scheme | Flow | Required |
| --- | --- | --- |
| OAuth2 | password | Required |

Token URL:

**Cookie**

| Name | Type | Required |
| --- | --- | --- |
| `__Secure-next-auth.session-token` | string or null | Optional |

**Responses**

| Status | Content type | Description |
| --- | --- | --- |
| 200 | application/json | Successful Response |
| 422 | application/json | Validation Error |

`GET /auth/me`
**Direct API login** (`POST`)

Direct API login.

**Body**

Direct API authentication request.

| Field | Type | Required |
| --- | --- | --- |
| `username` | string | Required |
| `password` | string | Required |

**Responses**

| Status | Content type | Description |
| --- | --- | --- |
| 200 | application/json | Successful Response |
| 422 | application/json | Validation Error |

`POST /auth/direct-api-login`
**Post auth login** (`POST`)
Mandatory post-auth login endpoint to complete user registration in backend database.
This endpoint MUST be called after completing the OAuth/credential login flow with StackAuth to properly
store basic user data in the backend database and establish the link between StackAuth and
the backend user systems. This creates the necessary mapping for the application to function.
**OAuth Flow Sequence:**
1. Frontend initiates the OAuth flow: `{stackauth_url}/api/v1/auth/oauth/authorize/{provider}`
2. User completes OAuth authentication with the provider (Google, GitHub, etc.)
3. StackAuth processes the OAuth callback and creates/updates the user in the StackAuth DB
4. **THIS ENDPOINT** must be called to:
   - Store basic user data in the backend database
   - Create the mapping between the StackAuth user ID and the backend user ID
   - Return the user profile for the frontend session
**Credential Flow Sequence:**
1. Frontend initiates the credential login flow: `{stackauth_url}/api/v1/auth/password/sign-in`
2. StackAuth processes the credential login
3. **THIS ENDPOINT** must be called to:
   - Fetch the user data from the database based on the StackAuth user ID
   - Return the user profile for the frontend session
**Why This Is Mandatory:**
- StackAuth DB and Backend DB are separate systems
- Backend needs to store the StackAuth ID link for user identification
- RBAC (roles/permissions) remains in StackAuth and is checked there
- Required for proper user session management in the application