Skip to content

Redeem a Direct Auth artifact into a managed browser session.

POST
/api/v1/auth/direct/session
Code sample: Shell / cURL
curl --request POST \
--url https://auth.example.com/api/v1/auth/direct/session \
--header 'Content-Type: application/json' \
--data '{ "direct_auth_artifact": "direct_auth_code_123", "client_id": "client_123", "code_verifier": "rfc7636-code-verifier", "channel": "browser" }'

Consumes a short-lived Direct Auth artifact, verifies its client/channel/provider/PKCE bindings, creates an HttpOnly managed browser session, and returns session and user metadata.

Media type application/json
object
direct_auth_artifact
required
string
client_id
required
string
code_verifier
required
string
channel
required
string
Allowed values: browser
provider_id
string
authorization_challenge_id
string
defer_authorization_continuation

Creates the managed browser session without consuming an authorization challenge so a runtime Flow can complete its remaining steps first.

boolean
Example
{
"direct_auth_artifact": "direct_auth_code_123",
"client_id": "client_123",
"code_verifier": "rfc7636-code-verifier",
"channel": "browser"
}

Successful JSON response.

Media type application/json
object
ok
required
boolean
expires_in
required
integer
session
required
object
userId
string
createdAt
integer
expiresAt
integer
authTime
integer
acr
string
amr
Array<string>
key
additional properties
user
required
object
id
string
email
string format: email
name
Any of:
string
authorization
object
key
additional properties
redirect_url
string format: uri
Example
{
"ok": true,
"expires_in": 86400,
"session": {
"userId": "user_123",
"createdAt": 1770000000000,
"expiresAt": 1770086400000,
"authTime": 1770000000,
"acr": "urn:mace:incommon:iap:bronze",
"amr": [
"pwd",
"directory"
]
},
"user": {
"id": "user_123",
"email": "[email protected]",
"name": "Example User"
}
}

Error response.

Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal

Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.

object
unknown_credential
boolean
key
additional properties
Example generated
{
"error": "example",
"error_description": "example",
"message": "example",
"webauthn_signal": {
"unknown_credential": true
}
}

Error response.

Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal

Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.

object
unknown_credential
boolean
key
additional properties
Example generated
{
"error": "example",
"error_description": "example",
"message": "example",
"webauthn_signal": {
"unknown_credential": true
}
}

Error response.

Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal

Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.

object
unknown_credential
boolean
key
additional properties
Example generated
{
"error": "example",
"error_description": "example",
"message": "example",
"webauthn_signal": {
"unknown_credential": true
}
}