Handle WorkOS callback (API response mode)
Called by the SPA after the browser redirect to finalize the WorkOS session. Exchanges the authorization code, upserts the user, and returns access/refresh tokens plus the resolved session config — the JSON equivalent of the GET callback redirect.
Body
OAuth authorization code returned by WorkOS/Okta; exchanged server-side (SSO first, AuthKit fallback). Required unless error is set.
Opaque CSRF state token round-tripped from the original /authorize call.
Provider-reported error code; when present the request short-circuits with a 400 instead of attempting code exchange.
Redirect URI used in the original /authorize call; must match for the code exchange to succeed. Falls back to ${CLIENT_URL}/signin.
Mongo _id used to assign the org when provisioning a brand-new WorkOS user; falls back to DEFAULT_ORGANIZATION_ID then the oldest org.
Response
Auth session created
Returned by /api/auth/login and POST /api/auth/workos/callback on success. Contains access + refresh tokens, session config, and the resolved user.
JWT access token.
Resolved session configuration returned alongside tokens. Mirrors the org-level idle-timeout / SSO renewal policy so the client can enforce it.
{
"enabled": true,
"idleTimeoutMinutes": 30,
"tokenExpiryHours": 8,
"warningTimeMinutes": 2,
"idleTrackingEnabled": true,
"ssoSilentRenewalEnabled": true,
"ssoFallbackBehavior": "redirect",
"passwordSilentRenewalEnabled": false,
"passwordFallbackBehavior": "logout"
}
Compact User payload returned with auth tokens.
{
"id": "5f7b1c2e8a1d4e0012c3b4a5",
"email": "admin@acme.example",
"fullName": "Acme Admin",
"organizationId": "64a1b2c3d4e5f60012345678",
"accessRole": "ADMIN",
"conversationOpenPreference": "split"
}
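The SPA side of the flow above, as an added example that is not the project's own code: it checks the round-tripped state before any network call, short-circuits on a provider error exactly as the endpoint does, POSTs the code to the API-mode callback, and turns the returned session config into an idle-timeout schedule. The body field names (`code`, `state`, `redirectUri`) and the response key `sessionConfig` are assumptions; the page does not name them.

```javascript
// Added example, not the project's own code: the SPA side of the API-mode callback above.
// Assumed names: body fields `code`/`state`/`redirectUri`, response key `sessionConfig`.
const CALLBACK_PATH = "/api/auth/workos/callback";

// Read the provider's query parameters off the redirect URL the browser landed on.
function parseCallbackUrl(url) {
  const p = new URL(url).searchParams;
  return { code: p.get("code"), state: p.get("state"), error: p.get("error") };
}

// Decide, before any network call, whether the callback may be finalized:
// the state must equal the value saved when /authorize was built (CSRF check),
// a provider error short-circuits without an exchange, and a code is required.
function validateCallback(callbackUrl, expectedState, redirectUri) {
  const { code, state, error } = parseCallbackUrl(callbackUrl);
  if (!state || !expectedState || state !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (error) return { ok: false, reason: `provider_error:${error}` };
  if (!code) return { ok: false, reason: "missing_code" };
  // redirectUri must be the one used in /authorize, or the server-side exchange fails.
  return { ok: true, body: { code, state, redirectUri } };
}

// Turn the returned session config into the client's idle-timeout schedule.
// The SSO fields apply because this session was established through WorkOS.
function idlePolicy(cfg) {
  if (!cfg || !cfg.enabled || !cfg.idleTrackingEnabled) return null;
  const minute = 60_000;
  return {
    warnAfterMs: (cfg.idleTimeoutMinutes - cfg.warningTimeMinutes) * minute,
    logoutAfterMs: cfg.idleTimeoutMinutes * minute,
    onExpiry: cfg.ssoSilentRenewalEnabled ? "silent_renew" : cfg.ssoFallbackBehavior,
  };
}

// POST the validated body to the API-mode callback; fetchImpl is injectable
// so the flow can be exercised without a running server.
async function finalizeWorkosSession(callbackUrl, expectedState, redirectUri, fetchImpl = globalThis.fetch) {
  const check = validateCallback(callbackUrl, expectedState, redirectUri);
  if (!check.ok) return check;
  const res = await fetchImpl(CALLBACK_PATH, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(check.body),
  });
  if (!res.ok) return { ok: false, reason: `http_${res.status}` };
  const session = await res.json();
  return { ok: true, session, policy: idlePolicy(session.sessionConfig) };
}
```

Discard the stored state as soon as `validateCallback` has consumed it, so a replayed redirect to the same URL cannot pass the check a second time.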