---
title: /oauth2/authorize
description: The /oauth2/authorize endpoint is the OAuth 2.0 authorization endpoint defined in RFC 6749.
component: pingoneaic-api
page_id: pingoneaic-api:am-oauth2:oauth2-authorize-endpoint
canonical_url: https://developer.pingidentity.com/pingoneaic-api/am-oauth2/oauth2-authorize-endpoint.html
keywords: ["OAuth 2.0", "Endpoints", "Authorization", "REST API"]
---

# /oauth2/authorize

The `/oauth2/authorize` endpoint is the OAuth 2.0 authorization endpoint defined in [RFC 6749](https://www.rfc-editor.org/info/rfc6749).

Use this endpoint to gather consent and authorization from the resource owner for the following flows:

* Authorization code grant ([OAuth 2.0 and OIDC](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant.html))

* Authorization code grant with PKCE ([OAuth 2.0 and OIDC](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant-pkce.html))

* Authorization code grant with PAR ([OAuth 2.0](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant-par.html))

* Implicit grant ([OAuth 2.0 and OIDC](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-implicit-grant.html))

Specify the realm in the request URL; for example:

```none
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/authorize
```

The authorization endpoint supports the following parameters:

| Parameter               | Description                                                                                                         | Required                                                                                                                                          |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `acr_values`            | The OpenID Connect authentication context class reference values.                                                   | Yes, if [required by the OpenID Connect provider](https://docs.pingidentity.com/pingoneaic/latest/am-oidc1/oidc-authentication-requirements.html) |
| `claims`                | The user attributes to be returned in the ID token.                                                                 | No                                                                                                                                                |
| `client_id`             | Uniquely identifies the application making the request.                                                             | Yes                                                                                                                                               |
| `code_challenge`        | The code verifier generated for the PKCE flow.                                                                      | Yes, for the [Authorization code grant with PKCE](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant-pkce.html) flow    |
| `code_challenge_method` | The method to derive the code challenge.                                                                            | Yes, when the `code_challenge` is hashed (recommended)                                                                                            |
| `csrf`                  | The SSO token string linking the request to the user session to protect against Cross-Site Request Forgery attacks. | Yes, when gathering consent without a remote consent service                                                                                      |
| `decision`              | Specifies whether the resource owner consents to the requested access.                                              | Yes, when gathering consent unless consent is already saved for the scope                                                                         |
| `id_token_hint`         | Previously issued ID token passed as a hint about the end user's session with the client.                           | No                                                                                                                                                |
| `login_hint`            | String value that can be set to the ID the user uses to log in.                                                     | No                                                                                                                                                |
| `nonce`                 | String value that associates the client session with the ID token.                                                  | Yes, for the [Implicit Grant](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-implicit-grant.html) flow for OIDC                 |
| `prompt`                | Specifies whether to prompt the end user for authentication and consent.                                            | No                                                                                                                                                |
| `redirect_uri`          | The URI to return the resource owner to after authorization is complete.                                            | No                                                                                                                                                |
| `response_mode`         | Specifies the mechanism for returning response parameters.                                                          | No                                                                                                                                                |
| `response_type`         | The type of response expected from the authorization server.                                                        | Yes                                                                                                                                               |
| `request`               | The JWT request object.                                                                                             | Yes, for JAR request and OIDC flows requiring a request object and providing no `request_uri`                                                     |
| `request_uri`           | For PAR or OIDC flows, a reference to JWT request object(s).                                                        | Yes, for JAR request and OIDC flows requiring a request object and providing no `request`                                                         |
| `save_consent`          | Specifies whether to store a resource owner's consented scopes.                                                     | No                                                                                                                                                |
| `scope`                 | The scopes linked to the permissions requested by the client from the resource owner.                               | No                                                                                                                                                |
| `service`               | The authentication journey to use when authenticating the resource owner.                                           | No                                                                                                                                                |
| `state`                 | The value to maintain state between the request and the callback.                                                   | No, but strongly recommended                                                                                                                      |
| `ui_locales`            | The end user's preferred languages for the user interface.                                                          | No                                                                                                                                                |

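The following added example (not part of the Ping Identity documentation) builds an authorization code grant with PKCE request from the parameters in the table above and verifies `state` when the resource owner returns to the `redirect_uri`. The tenant host, `client_id`, redirect URI and scope are placeholder assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder assumptions (not from the page): tenant host, client and redirect URI.
AUTHORIZE_URL = "https://tenant.example.com/am/oauth2/realms/root/realms/alpha/authorize"
CLIENT_ID = "myClient"
REDIRECT_URI = "https://app.example.com/callback"

def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_request(scope: str = "openid profile"):
    """Return (url, session); session holds values the client keeps server-side."""
    session = {
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, within the 43-128 limit
        "state": secrets.token_urlsafe(32),          # binds the callback to this request
        "nonce": secrets.token_urlsafe(32),          # later compared with the ID token
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", session

def handle_callback(callback_url: str, session: dict) -> str:
    """Return the authorization code only if state matches the stored value."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback is not bound to this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```

The `code_verifier` never appears in the authorization request; the client sends it only when exchanging the code at the token endpoint.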