--- descriptions: authentication: code: >- The authorization value which was passed back as a query parameter in the callback to the [redirect URI](/reference/authkit/authentication/get-authorization-url/redirect-uri). impersonator: email: > The email address of the WorkOS Dashboard user who is impersonating the user. Read more about how impersonation works [here](/authkit/impersonation). reason: The justification the impersonator gave for impersonating the user. code_verifier: > The randomly generated string used to derive the code challenge that was passed to the [authorization url](/reference/authkit/authentication/get-authorization-url) as part of the PKCE flow. This parameter is **required** when the client secret is not present. oauth_tokens: access_token: The access token from the OAuth provider. refresh_token: The refresh token from the OAuth provider. expires_at: The timestamp at which the access token expires. scopes: A list of OAuth scopes for which the access token is authorized. reference: curl: - key: oauth-sso id: authenticate_with_code url: /reference/authkit/authentication/code title: /user_management/authenticate type: POST parameters: - key: client_id type: string description: (client_id) - key: client_secret optional: true type: string description: (client_secret) - key: code_verifier optional: true type: string description: (authentication.code_verifier) - key: grant_type type: '"authorization_code"' description: (authentication.grant_type) - key: code type: string description: (authentication.code) - key: invitation_token type: string optional: true description: (authentication.invitation_token) - key: ip_address type: string optional: true description: (authentication.ip_address) - key: user_agent type: string optional: true description: (authentication.user_agent) returns: - key: anonymous type: object unwrap: true properties: - key: user type: user description: (user.self) - key: organization_id type: string optional: true description: (authentication.organization_id) - key: access_token type: String optional: false description: | A JWT containing information about the session. - key: refresh_token type: String optional: false description: > [Exchange this token](/reference/authkit/authentication/refresh-token) for a new access token. - key: authentication_method type: >- "SSO" | "Password" | "AppleOAuth" | "GitHubOAuth" | "GoogleOAuth" | "MicrosoftOAuth" | "MagicAuth" | "Impersonation" optional: false description: (authentication.authentication_method) - key: impersonator type: object optional: true properties: - key: email type: string description: (authentication.impersonator.email) - key: reason type: string optional: true description: (authentication.impersonator.reason) - key: oauth_tokens type: object optional: true properties: - key: access_token type: string description: (authentication.oauth_tokens.access_token) - key: refresh_token type: string description: (authentication.oauth_tokens.refresh_token) - key: expires_at type: int description: (authentication.oauth_tokens.expires_at) - key: scopes type: array description: (authentication.oauth_tokens.scopes) js: - key: authenticateWithCode id: authenticate_with_code url: /reference/authkit/authentication/code title: userManagement.authenticateWithCode() parameters: - key: options type: object unwrap: true properties: - key: clientId type: string description: (client_id) - key: code type: string description: (authentication.code) - key: codeVerifier optional: true type: string description: (authentication.code_verifier) - key: invitationToken type: string optional: true description: (authentication.invitation_token) - key: ipAddress type: string optional: true description: (authentication.ip_address) - key: userAgent type: string optional: true description: (authentication.user_agent) - key: session type: object optional: true unwrap: true properties: - key: sealSession type: boolean description: (authentication.seal_session) - key: cookiePassword type: string optional: true description: (authentication.cookie_password_seal) returns: - key: anonymous type: object unwrap: true properties: - key: user type: User description: (user.self) - key: organizationId type: string optional: true description: (authentication.organization_id) - key: accessToken type: string optional: false description: | A JWT containing information about the session. - key: refreshToken type: string optional: false description: > [Exchange this token](/reference/authkit/authentication/refresh-token) for new access tokens. - key: authenticationMethod type: >- "SSO" | "Password" | "AppleOAuth" | "GitHubOAuth" | "GoogleOAuth" | "MicrosoftOAuth" | "MagicAuth" | "Impersonation" optional: false description: (authentication.authentication_method) - key: impersonator type: object optional: true properties: - key: email type: string description: (authentication.impersonator.email) - key: reason type: string optional: true description: (authentication.impersonator.reason) - key: sealedSession type: string optional: true description: (authentication.sealed_session) - key: oauthTokens type: object optional: true properties: - key: accessToken type: string description: (authentication.oauth_tokens.access_token) - key: refreshToken type: string description: (authentication.oauth_tokens.refresh_token) - key: expiresAt type: number description: (authentication.oauth_tokens.expires_at) - key: scopes type: array description: (authentication.oauth_tokens.scopes) python: - key: authenticate_with_code id: authenticate_with_code url: /reference/authkit/authentication/code title: user_management.authenticate_with_code() parameters: - key: code type: str description: (authentication.code) - key: invitation_token type: str optional: true description: (authentication.invitation_token) - key: ip_address type: str optional: true description: (authentication.ip_address) - key: user_agent type: str optional: true description: (authentication.user_agent) returns: - key: anonymous type: AuthKitAuthenticationResponse unwrap: true properties: - key: user type: User description: (user.self) - key: organization_id type: str optional: true description: (authentication.organization_id) - key: access_token type: str optional: false description: (authentication.access_token) - key: refresh_token type: str optional: false description: (authentication.refresh_token) - key: impersonator type: Impersonator optional: true properties: - key: email type: str description: (authentication.impersonator.email) - key: reason type: str optional: true description: (authentication.impersonator.reason) - key: oauth_tokens type: OAuthTokens optional: true properties: - key: access_token type: str description: (authentication.oauth_tokens.access_token) - key: refresh_token type: str description: (authentication.oauth_tokens.refresh_token) - key: expires_at type: int description: (authentication.oauth_tokens.expires_at) - key: scopes type: 'Sequence[str]' description: (authentication.oauth_tokens.scopes) go: - key: AuthenticateWithCode id: authenticate_with_code url: /reference/authkit/authentication/code title: usermanagement.AuthenticateWithCode() parameters: - (ctx) - key: opts type: usermanagement.AuthenticateWithCodeOpts unwrap: true properties: - key: ClientID type: string description: (client_id) - key: Code type: string description: (authentication.code) - key: IPAddress type: string optional: true description: (authentication.ip_address) - key: UserAgent type: string optional: true description: (authentication.user_agent) returns: - key: response type: object unwrap: true properties: - key: User type: User description: (user.self) - key: OrganizationID type: string optional: true description: (authentication.organization_id) - key: Impersonator type: Impersonator optional: true properties: - key: Email type: string description: (authentication.impersonator.email) - key: Reason type: string optional: true description: (authentication.impersonator.reason) - key: OAuthTokens type: OAuthTokens optional: true properties: - key: AccessToken type: string description: (authentication.oauth_tokens.access_token) - key: RefreshToken type: string description: (authentication.oauth_tokens.refresh_token) - key: ExpiresAt type: int description: (authentication.oauth_tokens.expires_at) - key: Scopes type: '[]string' description: (authentication.oauth_tokens.scopes) - (err) php: - key: authenticateWithCode id: authenticate_with_code url: /reference/authkit/authentication/code title: $userManagement->authenticateWithCode() parameters: - key: clientID type: string description: (client_id) - key: code type: string description: (authentication.code) - key: ipAddress type: string optional: true description: (authentication.ip_address) - key: userAgent type: string optional: true description: (authentication.user_agent) returns: - key: response type: object unwrap: true properties: - key: User type: User description: (user.self) - key: organizationID type: string optional: true description: (authentication.organization_id) - key: impersonator type: Impersonator optional: true properties: - key: email type: string description: (authentication.impersonator.email) - key: reason type: string optional: true description: (authentication.impersonator.reason) - key: oauthTokens type: OAuthTokens optional: true properties: - key: accessToken type: string description: (authentication.oauth_tokens.access_token) - key: refreshToken type: string description: (authentication.oauth_tokens.refresh_token) - key: expiresAt type: int description: (authentication.oauth_tokens.expires_at) - key: scopes type: array description: (authentication.oauth_tokens.scopes) ruby: - key: authenticate_with_code id: authenticate_with_code url: /reference/authkit/authentication/code title: UserManagement.authenticate_with_code() parameters: - key: client_id type: String description: (client_id) - key: code type: String description: (authentication.code) - key: ip_address type: String optional: true description: (authentication.ip_address) - key: user_agent type: String optional: true description: (authentication.user_agent) returns: - key: response type: object unwrap: true properties: - key: user type: User description: (user.self) - key: organization_id type: String optional: true description: (authentication.organization_id) - key: impersonator type: Struct optional: true properties: - key: email type: String description: (authentication.impersonator.email) - key: reason type: String optional: true description: (authentication.impersonator.reason) - key: oauth_tokens type: OAuthTokens optional: true properties: - key: access_token type: String description: (authentication.oauth_tokens.access_token) - key: refresh_token type: String description: (authentication.oauth_tokens.refresh_token) - key: expires_at type: Integer description: (authentication.oauth_tokens.expires_at) - key: scopes type: 'Array[String]' description: (authentication.oauth_tokens.scopes) java: - key: authenticateWithCode id: authenticate_with_code url: /reference/authkit/authentication/code title: userManagement.authenticateWithCode() parameters: - key: clientId type: String description: (client_id) - key: code type: String description: (authentication.code) - key: options type: AuthenticationAdditionalOptionsBuilder optional: true unwrap: true properties: - key: invitationToken type: String optional: true description: (authentication.invitation_token) - key: ipAddress type: String optional: true description: (authentication.ip_address) - key: userAgent type: String optional: true description: (authentication.user_agent) returns: - key: response type: Authentication unwrap: true properties: - key: user type: User optional: true description: (user.self) - key: organizationId type: String optional: true description: (authentication.organization_id) - key: accessToken type: string optional: true description: (authentication.access_token) - key: refreshToken type: string optional: true description: (authentication.refresh_token) - key: impersonator type: AuthenticationImpersonator optional: true properties: - key: email type: String description: (authentication.impersonator.email) - key: reason type: String optional: true description: (authentication.impersonator.reason) - key: oauthTokens type: OAuthTokens optional: true properties: - key: accessToken type: String description: (authentication.oauth_tokens.access_token) - key: refreshToken type: String description: (authentication.oauth_tokens.refresh_token) - key: expiresAt type: Long description: (authentication.oauth_tokens.expires_at) - key: scopes type: List description: (authentication.oauth_tokens.scopes) originalPath: >- .tmp-workos-clone/packages/docs/content/reference/authkit/authentication/code.mdx --- ## Authenticate with code Authenticates a user using AuthKit, OAuth or an organization’s SSO connection. AuthKit handles all authentication methods, however it is conceptually similar to a social login experience. Like OAuth and SSO, AuthKit returns you a code that you can exchange for an authenticated user. See [Integrating with AuthKit](/authkit).