The authorization endpoint can be used to initiate a hybrid flow authorization request, in which an authorization code is returned from the authorization endpoint, some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. In a hybrid flow, the authorization endpoint’s response_type property specifies the code type and it also specifies id_token, or token, or both. An authorization code (specified by the code response type) is always returned in a hybrid flow. An ID token is returned when the response_type property is code id_token or code id_token token. An access token is returned when the response_type property is code token or code id_token token.

Note that for the POST request, parameters and their values are Form Serialized by adding the parameter names and values to the entity body of the HTTP request and specifying the Content-Type: application/x-www-form-urlencoded request header.

For a Proof Key for Code Exchange (PKCE) authorization request, the /{{envID}}/as/authorize request must include the code_challenge parameter. The code_challenge_method parameter is required if the application’s pkceEnforcement property is set to S256_REQUIRED. Otherwise, it is optional.

The request parameter can be optionally signed with the application secret. The JWT should be constructed according to the following example:

JWT: "header" :
  "alg": "HS256",
  "typ": "JWT"
"body" : 
  "aud": "{{envID}}/as",
  "iss": "{{appID}}",
  "pi.template": {
    "name": "{{templateName}}",
    "variant": "{{variantName}}",
    "variables": {
      "key1": "value1"
  "pi.clientContext": {
    "key2": "value2"

The sample shows the POST /{{envID}}/as/authorize operation for a hybrid flow. For more information about hybrid flows, see Authentication using the Hybrid Flow.

Property Type Required?
acr_values String Optional
client_id String Required
login_hint String Optional
mobilePayload String Optional
max_age String Optional
nonce String Optional
prompt String Optional
redirect_uri String Required
request String Optional
response_mode String Optional
response_type String Required
scope String Optional
state String Optional

See the OpenID Connect/OAuth2 data model for full property descriptions.

Parameter Description
client_id The application’s UUID.
nonce A string that is used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code.
redirect_uri A string that specifies the URL that specifies the return entry point of the application. This is a required property.
response_type The code or token type returned by an authorization request. Options are token, id_token, and code.
scope Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources.