> ## Documentation Index
> Fetch the complete documentation index at: https://www.ravion.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# OAuth 2.1 PKCE authorize

> Mints a one-shot authorization code bound to the current session. Called by the approval page after the user approves.



## OpenAPI

````yaml https://api.ravion.com/openapi.yaml post /oauth/authorize
openapi: 3.0.0
info:
  title: Ravion
  version: 0.0.0
servers:
  - url: https://api.ravion.com
security:
  - BearerAuth: []
tags:
  - name: Projects
  - name: Environments
  - name: Pipelines
  - name: PipelineRuns
  - name: TerraformResources
  - name: TerraformExecutionSummaries
  - name: PipelineStepExecutions
  - name: AwsCloudWatch
  - name: PipelineVersions
  - name: Organizations
  - name: Stacks
  - name: StackWorkspaces
  - name: Auth
  - name: OAuth
  - name: User
  - name: Health
  - name: Memberships
  - name: ServiceAccounts
  - name: AwsDefaultNetworks
  - name: AwsAccounts
  - name: ApiKeys
  - name: ExecutionEnvironments
  - name: ModuleDefinitions
  - name: ModuleVersions
  - name: ModuleInstances
  - name: DefaultValueDefinitions
  - name: DefaultValues
  - name: CodeSources
  - name: Github
  - name: Gitlab
  - name: Git
  - name: Values
  - name: Deployments
  - name: DeploymentResources
  - name: InfrastructureEvents
  - name: WebSocket
  - name: Describe
paths:
  /oauth/authorize:
    post:
      tags:
        - OAuth
      summary: OAuth 2.1 PKCE authorize
      description: >-
        Mints a one-shot authorization code bound to the current session. Called
        by the approval page after the user approves.
      operationId: OAuthAuthorize
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              properties:
                data:
                  $ref: '#/components/schemas/OAuth.AuthorizeRequest'
              required:
                - data
              type: object
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                additionalProperties: false
                properties:
                  data:
                    $ref: '#/components/schemas/OAuth.AuthorizeResponse'
                required:
                  - data
                type: object
          description: The request has succeeded.
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: The request is invalid or malformed.
        '401':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: You are not authenticated
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: You do not have permission to access this resource.
        '422':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: Client error
        '500':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: Server error
components:
  schemas:
    OAuth.AuthorizeRequest:
      additionalProperties: false
      description: >-
        Authorization request body. The approval page posts this on the user's
        behalf after they sign in and approve. The server validates the loopback
        redirect URI and PKCE code challenge, then mints a one-shot
        authorization code bound to the active session.
      properties:
        code_challenge:
          description: >-
            PKCE code challenge: base64url(SHA-256(code_verifier)). Must be 43
            characters.
          type: string
        code_challenge_method:
          description: PKCE method. Only S256 is accepted; the server rejects plain.
          enum:
            - S256
          type: string
        redirect_uri:
          description: >-
            Loopback redirect URI the client is listening on. Must be
            http://127.0.0.1:<port>/callback or
            http://localhost:<port>/callback.
          type: string
        state:
          description: >-
            Opaque client-generated state string echoed back on the loopback
            redirect for the client's own state-binding check.
          type: string
      required:
        - redirect_uri
        - state
        - code_challenge
        - code_challenge_method
      type: object
    OAuth.AuthorizeResponse:
      additionalProperties: false
      description: >-
        Authorization response. The browser is redirected to redirect_url to
        hand the code back to the client's loopback listener.
      properties:
        code:
          description: >-
            The one-shot authorization code. Valid for 60 seconds, consumed on
            first /oauth/token exchange.
          type: string
        redirect_url:
          description: >-
            Pre-baked redirect URL to send the browser to. Equivalent to
            redirect_uri + ?code=<code>&state=<state>.
          type: string
      required:
        - code
        - redirect_url
      type: object
    Errors.UserFacingErrorData:
      additionalProperties: false
      description: |-
        User-facing error presentation data.
        This is what the API returns to the frontend after formatting ErrorData
        using CEL templates from the error registry.

        Used for both:
        - Error fields on domain models (e.g., PipelineRun.error)
        - API error response bodies (HTTP 4xx/5xx responses)
      properties:
        action:
          allOf:
            - $ref: '#/components/schemas/Errors.Action'
          description: Optional action to help resolve the error
        code:
          description: Full error code, e.g., "Ravion:Pipeline:NOT_FOUND"
          type: string
        description:
          description: Additional description with more details
          type: string
        details:
          description: Structured details rendered as user-facing sections.
          items:
            $ref: '#/components/schemas/Errors.UserFacingErrorDetailSection'
          type: array
        isInternal:
          description: >-
            Indicates whether this error is internal (only set when
            ShowInternal=true).

            This allows SUPERADMINs to identify internal errors while viewing
            full details.
          type: boolean
        message:
          description: Main error message (required)
          type: string
        metadata:
          additionalProperties: {}
          description: >-
            Error params/metadata. Stripped for internal errors unless
            superadmin.
          type: object
        requestId:
          description: Request ID for correlating errors with server logs.
          type: string
      required:
        - code
        - message
      type: object
    Errors.Action:
      additionalProperties: false
      description: Action to help user resolve the error
      properties:
        label:
          description: Button/link label text
          type: string
        url:
          description: URL to navigate to for resolution
          type: string
      required:
        - label
        - url
      type: object
    Errors.UserFacingErrorDetailSection:
      additionalProperties: false
      description: Structured user-facing error detail section.
      properties:
        items:
          description: List of detail values for this section.
          items:
            type: string
          type: array
        object:
          additionalProperties: {}
          description: Structured detail payload for object rendering.
          type: object
        render:
          description: Rendering hint for clients. Valid values are list or object.
          type: string
        title:
          description: Detail section title shown in the UI.
          type: string
      required:
        - title
        - render
      type: object
  securitySchemes:
    BearerAuth:
      scheme: Bearer
      type: http

````