The authorization endpoint is used to interact with the end user and obtain an authorization grant. The sample shows the GET /{{envID}}/as/authorize operation. The request URL includes the response_type parameter with a value of code id_token token, which designates that this authorization request is a hybrid flow.

In a hybrid flow, an authorization code is returned from the authorization endpoint, some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. The authorization endpoint’s response_type property specifies the code type and it also specifies id_token, or token, or both. An authorization code (specified by the code response type) is always returned in a hybrid flow. An ID token is returned when the response_type property is code id_token or code id_token token. An access token is returned when the response_type property is code token or code id_token token.

Note that for the POST request, parameters and their values are Form Serialized by adding the parameter names and values to the entity body of the HTTP request and specifying the Content-Type: application/x-www-form-urlencoded request header.

For a Proof Key for Code Exchange (PKCE) authorization request, the /{{envID}}/as/authorize request must include the code_challenge parameter. The code_challenge_method parameter is required if the application’s pkceEnforcement property is set to S256_REQUIRED. Otherwise, it is optional.

The request parameter can be optionally signed with the application secret. The JWT should be constructed according to the following example:

JWT: "header" :
  "alg": "HS256",
  "typ": "JWT"
"body" : 
  "aud": "{{envID}}/as",
  "iss": "{{appID}}",
  "pi.template": {
    "name": "{{templateName}}",
    "variant": "{{variantName}}",
    "variables": {
      "key1": "value1"
  "pi.clientContext": {
    "key2": "value2"

The sample shows the POST /{{envID}}/as/authorize operation for a hybrid flow. For more information about hybrid flows, see Authentication using the Hybrid Flow.

Parameter Description
client_id The application’s UUID.
nonce A string that is used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code.
redirect_uri A string that specifies the URL that specifies the return entry point of the application. This is a required property.
response_type The code or token type returned by an authorization request. Options are token, id_token, and code.
scope Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources.