Generate an URL for this endpoint in your app and show the page to your user in a web environment. If needed he will be asked to sign in and give your app permission to use his account for the api. When the user gave his permission we redirect back to your app (in redirect_uri) and you receive a code in the redirect URI which you can use to request an access token.
Append the querystring with following properties to the URL.
A dictionary with fields
|response_type||String||String. Should be equal to 'code'|
|client_id||ApiClient||String value. The client_id of the application that is making the request. Each application has it's own unique client_id that can be obtained on request.|
|redirect_uri||URL||When the user allows or denies access to give your app access, we'll redirect the browser back to this URL and add the code and state query parameters. Please note that you need to register your redirect_uri's in our system in order for them to be used, or they will get rejected. So your redirect_uri should not change on each request.|
|scope||ScopeList||The scope parameter is a space-separated list of OAuth scopes, indicating which parts of the user's account you'd like your app to be able to access. The complete list of scopes can be found by clicking on the ScopeList type.|
|code_challenge||String||PKCE extension. BASE64-encoded string of the SHA256 hash of the code verifier (if possible, but strongly recommended). The code verifier is a cryptographically random string, generated by the client for each new authentication request, using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.|
|state||String||Optional. Recommended. To prevent CSRF attacks. Send a unique state on the client that is only known by the client and compare this state with the state returned in the redirect. If it is not the same, it should get rejected.|
|code_challenge_method||String||Optional. PKCE extension. Either plain or S256, depending on whether the challenge is the plain verifier string or the SHA256 hash of the string. If this parameter is omitted, the server will assume plain.|
GET /oauth/authorize?response_type=code&client_id=264ade60a4ca76716a53056cecb171c027586dc722d6cf5ba40b1519de78170910d9ce0602c776f9&redirect_uri=https%3A%2F%2Fexample.com&scope=company%3Aread+company%3Awrite&code_challenge=...&state=...&code_challenge_method=S256 HTTP/1.1 Host: accounts.bakeronline.be X-VERSION: 1.8.0 Accept-Language: en-US,en;q=0.5
HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 5