Redeem a Direct Auth artifact into a managed browser session.
curl --request POST \ --url https://auth.example.com/api/v1/auth/direct/session \ --header 'Content-Type: application/json' \ --data '{ "direct_auth_artifact": "direct_auth_code_123", "client_id": "client_123", "code_verifier": "rfc7636-code-verifier", "channel": "browser" }'Consumes a short-lived Direct Auth artifact, verifies its client/channel/provider/PKCE bindings, creates an HttpOnly managed browser session, and returns session and user metadata.
Request Body required
Section titled “Request Body required ”object
Creates the managed browser session without consuming an authorization challenge so a runtime Flow can complete its remaining steps first.
Example
{ "direct_auth_artifact": "direct_auth_code_123", "client_id": "client_123", "code_verifier": "rfc7636-code-verifier", "channel": "browser"}Responses
Section titled “ Responses ”Successful JSON response.
object
object
object
Example
{ "ok": true, "expires_in": 86400, "session": { "userId": "user_123", "createdAt": 1770000000000, "expiresAt": 1770086400000, "authTime": 1770000000, "acr": "urn:mace:incommon:iap:bronze", "amr": [ "pwd", "directory" ] }, "user": { "id": "user_123", "name": "Example User" }}Error response.
object
Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.
object
Example generated
{ "error": "example", "error_description": "example", "message": "example", "webauthn_signal": { "unknown_credential": true }}Error response.
object
Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.
object
Example generated
{ "error": "example", "error_description": "example", "message": "example", "webauthn_signal": { "unknown_credential": true }}Error response.
object
Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.
object
Example generated
{ "error": "example", "error_description": "example", "message": "example", "webauthn_signal": { "unknown_credential": true }}