Initialize a Flow Engine session.
curl --request POST \ --url https://auth.example.com/api/flow/init \ --header 'Content-Type: application/json' \ --data '{ "flowType": "authorization", "clientId": "client_123", "oauthParams": { "responseType": "code", "redirectUri": "https://app.example.com/callback", "scope": "openid profile", "codeChallenge": "rfc7636-code-challenge", "codeChallengeMethod": "S256" } }'Creates a Flow Engine runtime session for login, authorization, consent, or logout and returns the initial UI contract.
Request Body required
Section titled “Request Body required ”object
object
Example
{ "flowType": "authorization", "clientId": "client_123", "oauthParams": { "responseType": "code", "redirectUri": "https://app.example.com/callback", "scope": "openid profile", "codeChallenge": "rfc7636-code-challenge", "codeChallengeMethod": "S256" }}Responses
Section titled “ Responses ”Successful JSON response.
object
Server-driven Flow Engine UI contract for the current node.
object
object
Example
{ "sessionId": "flow_sess_123", "uiContractVersion": "0.1", "uiContract": { "version": "0.1", "sessionId": "flow_sess_123", "nodeId": "start", "capabilities": [] }}Error response.
object
Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.
object
Example generated
{ "error": "example", "error_description": "example", "message": "example", "webauthn_signal": { "unknown_credential": true }}Error response.
object
Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.
object
Example generated
{ "error": "example", "error_description": "example", "message": "example", "webauthn_signal": { "unknown_credential": true }}Error response.
object
Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.
object
Example generated
{ "error": "example", "error_description": "example", "message": "example", "webauthn_signal": { "unknown_credential": true }}