Skip to main content
POST
Handle WorkOS callback (API response mode)

Body

application/json
code
string

OAuth authorization code returned by WorkOS/Okta; exchanged server-side (SSO first, AuthKit fallback). Required unless error is set.

state
string

Opaque CSRF state token round-tripped from the original /authorize call.

error
string

Provider-reported error code; when present the request short-circuits with a 400 instead of attempting code exchange.

redirect_uri
string

Redirect URI used in the original /authorize call; must match for the code exchange to succeed. Falls back to ${CLIENT_URL}/signin.

organizationId
string

Mongo _id used to assign the org when provisioning a brand-new WorkOS user; falls back to DEFAULT_ORGANIZATION_ID then the oldest org.

Response

Auth session created

Returned by /api/auth/login and POST /api/auth/workos/callback on success. Contains access + refresh tokens, session config, and the resolved user.

token
string
required

JWT access token.

refreshToken
string
required
sessionConfig
object
required

Resolved session configuration returned alongside tokens. Mirrors the org-level idle-timeout / SSO renewal policy so the client can enforce it.

Example:
user
object
required

Compact User payload returned with auth tokens.

Example: