
Authorization Endpoint

Initiates the Authorization Code + PKCE flow. Redirect the end user's browser to this endpoint. Whatalo displays the consent screen where the user signs in, selects a store, and approves or declines the requested scopes.

On approval, Whatalo redirects to redirect_uri with code and state. On denial, it redirects with error=access_denied.

PKCE is mandatory. Only code_challenge_method=S256 is accepted.

GET /oauth/authorize

Query Parameters

response_type (string, required)

Must be code.

Allowed value: "code"

client_id (string, required)

The client_id obtained during Dynamic Client Registration.

redirect_uri (string, required)

Must match exactly one of the URIs registered for this client.

scope (string, required)

Space-separated list of requested scopes.

state (string, required)

Random opaque value. Validate on callback to prevent CSRF attacks.

code_challenge (string, required)

SHA-256 of the code_verifier, encoded in base64url (RFC 7636).

code_challenge_method (string, required)

Must be S256. The plain method is explicitly rejected.

Allowed value: "S256"

resource (string, optional)

RFC 8707 resource indicator. Single-value policy: only one resource per request.

Response Body

curl -X GET "https://api.whatalo.com/oauth/authorize?response_type=code&client_id=abc123def456ghi789jkl012&redirect_uri=https%3A%2F%2Fmy-app.com%2Foauth%2Fcallback&scope=read%3Aproducts+read%3Aorders&state=xK9mP2qR7vL&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256"
Empty
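
The client side of this request and its callback, as an added example that is not Whatalo's own code: it derives the S256 code_challenge, builds the /oauth/authorize URL from the parameters above, and validates state when the user returns. The function names and the session dictionary are hypothetical, and the callback check assumes state is echoed on error redirects as well, as RFC 6749 requires.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.whatalo.com/oauth/authorize"  # endpoint from this page


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_authorization(client_id, redirect_uri, scopes):
    """Return (url, session); keep `session` server-side, tied to the user's browser session."""
    session = {
        "state": secrets.token_urlsafe(32),          # unguessable CSRF token
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, inside RFC 7636's 43-128
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": session["state"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), session


def handle_callback(callback_url, session):
    """Validate the redirect to redirect_uri; return the authorization code or raise."""
    query = parse_qs(urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Compare state first and in constant time, so a forged callback is
    # rejected before any other parameter is trusted (assumption: see lead-in).
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: possible CSRF, discard this callback")
    if "error" in query:  # e.g. error=access_denied when the user declines
        raise PermissionError(query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]
```

The code_verifier never appears in the authorization URL; it stays in the server-side session until the code is exchanged.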