Auth API

OAuth 2.0 authentication endpoints. Use these to authorize client applications, obtain consent, and exchange authorization codes for access tokens using the authorization code flow with PKCE.

GET https://api.qonic.com/v1/auth/scopes

List available scopes

Returns all OAuth 2.0 scopes that can be requested during authorization. Each scope grants access to a specific set of API operations. This endpoint is public and does not require authentication.

Response fields

  • scopes (array<object>, optional): The list of available OAuth scopes.

GET https://api.qonic.com/v1/auth/authorize

Authorize a client application

Initiates the OAuth 2.0 authorization code flow with PKCE support. Redirects the user to a consent screen if they haven't previously approved the requested scopes. If consent was already granted, immediately issues an authorization code and redirects back to the client.

Query parameters

  • client_id (string, optional)
  • redirect_uri (string, optional)
  • scope (string, optional)
  • state (string, optional)
  • code_challenge (string, optional)
  • code_challenge_method (string, optional)

POST https://api.qonic.com/v1/auth/consent

Submits the user's consent decision for the requested scopes. If approved, redirects to the client's redirect_uri with an authorization code. If denied, redirects with an error parameter.

Request body

  • client_id (string, optional)
  • redirect_uri (string, optional)
  • scope (string, optional)
  • state (string, optional)
  • code_challenge (string, optional)
  • code_challenge_method (string, optional)
  • decision (string, optional)

Error responses

  • 400 (error): Invalid request parameters or body

POST https://api.qonic.com/v1/auth/token

Exchange authorization code for access token

Exchanges an authorization code for an access token using the OAuth 2.0 token endpoint. Requires client_id, client_secret, the authorization code, and the redirect_uri used during authorization. If PKCE was used during authorization, the code_verifier must also be provided.

Request body

  • client_id (string, optional)
  • client_secret (string, optional)
  • redirect_uri (string, optional)
  • code (string, optional)
  • code_verifier (string, optional)
  • grant_type (string, optional)

Response fields

  • access_token (string, optional): The access token string used to authenticate API requests.
  • token_type (string, optional): The type of token issued (e.g. "Bearer").
  • scope (string, optional): The scope of access granted by the token.

Error responses

  • 400 (error): Invalid request parameters or body
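
The client side of the authorize and token steps above, as an added example that is not part of the Qonic documentation: it derives the PKCE code_challenge from a fresh code_verifier, binds the callback to the session through state, and assembles the token request body. Assumptions: the "S256" method and "authorization_code" grant type are the RFC 7636 / RFC 6749 values, the callback carries code, state and error under those names, and all client values are supplied by the caller.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.qonic.com/v1/auth/authorize"
TOKEN_URL = "https://api.qonic.com/v1/auth/token"

def b64url(data):
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def challenge_for(verifier):
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair():
    # 32 random bytes give a 43-character verifier, the RFC 7636 minimum.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)

def build_authorize_url(client_id, redirect_uri, scope, state, challenge):
    # Only the query parameters listed for GET /v1/auth/authorize are sent.
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256",  # assumed value (RFC 7636)
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def code_from_callback(callback_url, expected_state):
    # Check state first so a forged callback is rejected before anything else.
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query or "code" not in query:
        raise PermissionError(query.get("error", ["missing code"])[0])
    return query["code"][0]

def token_request_body(client_id, client_secret, redirect_uri, code, verifier):
    # Body for POST TOKEN_URL; the verifier proves this client began the flow.
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri,
            "code": code, "code_verifier": verifier}
```

Keep the code_verifier and state in server-side session storage between the two steps; neither belongs in the redirect URL or in logs.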