Handle WorkOS callback (API response mode)
Called by the SPA after the browser redirect to finalize the WorkOS session. Exchanges the authorization code, upserts the user, and returns access/refresh tokens plus the resolved session config — the JSON equivalent of the GET callback redirect.
Body
OAuth authorization code returned by WorkOS/Okta; exchanged server-side (SSO first, AuthKit fallback). Required unless error is set.
Opaque CSRF state token round-tripped from the original /authorize call.
Provider-reported error code; when present the request short-circuits with a 400 instead of attempting code exchange.
Redirect URI used in the original /authorize call; must match for the code exchange to succeed. Falls back to ${CLIENT_URL}/signin.
Mongo _id used to assign the org when provisioning a brand-new WorkOS user; falls back to DEFAULT_ORGANIZATION_ID then the oldest org.
Response
Auth session created
Returned by /api/auth/login and POST /api/auth/workos/callback on success. Contains access + refresh tokens, session config, and the resolved user.
JWT access token.
Resolved session configuration returned alongside tokens. Mirrors the org-level idle-timeout / SSO renewal policy so the client can enforce it.
Compact User payload returned with auth tokens.