--- descriptions: user_management_get_authorization_url: response_type: > The only valid option for the response type parameter is `"code"`. The `"code"` parameter value initiates an [authorization code grant type](https://tools.ietf.org/html/rfc6749#section-4.1). This grant type allows you to exchange an authorization code for an access token during the redirect that takes place after a user has authenticated with an identity provider. redirect_uri: >- Where to redirect the user after they complete the authentication process. You must use one of the redirect URIs configured via the [Redirects](https://dashboard.workos.com/redirects) page on the dashboard. connection_id: > Used to initiate SSO for a connection. The value should be a WorkOS connection ID. You can persist the WorkOS connection ID with application user or team identifiers. WorkOS will use the connection indicated by the connection parameter to direct the user to the corresponding IdP for authentication. organization_id: > Used to initiate SSO for an organization. The value should be a WorkOS organization ID. You can persist the WorkOS organization ID with application user or team identifiers. WorkOS will use the organization ID to determine the appropriate connection and the IdP to direct the user to for authentication. If this parameter is passed when `provider` is also set to `authkit`, then the organization will be automatically selected during the authentication flow. provider: > Used to initiate authentication with AuthKit, Google OAuth, Microsoft OAuth, GitHub OAuth, or Sign in with Apple. state: > An optional parameter that can be used to encode arbitrary information to help restore application state between redirects. If included, the redirect URI received from WorkOS will contain the exact state value that was passed. login_hint: > Can be used to pre-fill the username/email address field of the IdP sign-in page for the user, if you know their username ahead of time. Currently, this parameter is supported for OAuth, AuthKit, OpenID Connect, Okta, and Entra ID connections. domain_hint: > Can be used to pre-fill the domain field when initiating authentication with Microsoft OAuth or with a Google SAML connection type. url: An OAuth 2.0 authorization URL. screen_hint: > Specify which AuthKit screen users should land on upon redirection (Only applicable when provider is 'authkit'). code_challenge: Code challenge is derived from the code verifier used for the PKCE flow. code_challenge_method: > The only valid PKCE code challenge method is `"S256"`. This parameter is required when specifying a `code_challenge` for the PKCE flow. provider_scopes: > A list of additional OAuth scopes to request from the OAuth provider. This parameter can be used with Google OAuth, Microsoft OAuth, GitHub OAuth, GitLab OAuth, and Xero OAuth. Tokens from the OAuth provider will be included in the authentication response if your OAuth connection for the provider is configured in the WorkOS Dashboard to return OAuth tokens. reference: curl: - url: /reference/authkit/authentication/get-authorization-url key: user_management_get_authorization_url id: user_management_get_authorization_url title: /user_management/authorize type: GET properties: - key: response_type type: '"code"' description: (user_management_get_authorization_url.response_type) - key: client_id type: string description: (client_id) - key: code_challenge optional: true type: string description: (user_management_get_authorization_url.code_challenge) - key: code_challenge_method optional: true type: '"S256"' description: (user_management_get_authorization_url.code_challenge_method) - key: redirect_uri type: string description: (user_management_get_authorization_url.redirect_uri) - key: connection_id optional: true type: string description: (user_management_get_authorization_url.connection_id) - key: organization_id optional: true type: string description: (user_management_get_authorization_url.organization_id) - key: provider optional: true type: >- "authkit" | "AppleOAuth" | "GitHubOAuth" | "GoogleOAuth" | "MicrosoftOAuth" description: (user_management_get_authorization_url.provider) - key: state optional: true type: string description: (user_management_get_authorization_url.state) - key: login_hint optional: true type: string description: (user_management_get_authorization_url.login_hint) - key: domain_hint optional: true type: string description: (user_management_get_authorization_url.domain_hint) - key: screen_hint optional: true type: '"sign-up" | "sign-in"' description: (user_management_get_authorization_url.screen_hint) - key: provider_scopes optional: true type: array description: (user_management_get_authorization_url.provider_scopes) returns: - key: url type: string description: (user_management_get_authorization_url.url) js: - url: /reference/authkit/authentication/get-authorization-url key: getAuthorizationUrl patternBefore: userManagement. id: user_management_get_authorization_url title: userManagement.getAuthorizationUrl() parameters: - key: options type: object unwrap: true properties: - key: redirectUri type: string description: (user_management_get_authorization_url.redirect_uri) - key: clientId type: string description: (client_id) - key: codeChallenge optional: true type: string description: (user_management_get_authorization_url.code_challenge) - key: codeChallengeMethod optional: true type: '"S256"' description: (user_management_get_authorization_url.code_challenge_method) - key: connectionId optional: true type: string description: (user_management_get_authorization_url.connection_id) - key: organizationId optional: true type: string description: (user_management_get_authorization_url.organization_id) - key: provider optional: true type: >- "authkit" | "AppleOAuth" | "GitHubOAuth" | "GoogleOAuth" | "MicrosoftOAuth" description: (user_management_get_authorization_url.provider) - key: state optional: true type: string description: (user_management_get_authorization_url.state) - key: loginHint optional: true type: string description: (user_management_get_authorization_url.login_hint) - key: domainHint optional: true type: string description: (user_management_get_authorization_url.domain_hint) - key: screenHint optional: true type: '"sign-up" | "sign-in"' description: (user_management_get_authorization_url.screen_hint) - key: providerScopes optional: true type: array description: (user_management_get_authorization_url.provider_scopes) returns: - key: url type: string description: (user_management_get_authorization_url.url) python: - url: /reference/authkit/authentication/get-authorization-url key: get_authorization_url patternBefore: user_management. id: user_management_get_authorization_url title: user_management.get_authorization_url() parameters: - key: redirect_uri type: str description: (user_management_get_authorization_url.redirect_uri) - key: connection_id optional: true type: str description: (user_management_get_authorization_url.connection_id) - key: organization_id optional: true type: str description: (user_management_get_authorization_url.organization_id) - key: provider optional: true type: UserManagementProviderType description: (user_management_get_authorization_url.provider) - key: state optional: true type: str description: (user_management_get_authorization_url.state) - key: login_hint optional: true type: str description: (user_management_get_authorization_url.login_hint) - key: domain_hint optional: true type: str description: (user_management_get_authorization_url.domain_hint) - key: screen_hint optional: true type: '"sign-up" | "sign-in"' description: (user_management_get_authorization_url.screen_hint) - key: provider_scopes optional: true type: 'Sequence[str]' description: (user_management_get_authorization_url.provider_scopes) returns: - key: url type: str description: (user_management_get_authorization_url.url) go: - url: /reference/authkit/authentication/get-authorization-url key: GetAuthorizationURL patternBefore: usermanagement. id: user_management_get_authorization_url title: usermanagement.GetAuthorizationURL() parameters: - (ctx) - key: opts type: usermanagement.GetAuthorizationURLOpts unwrap: true properties: - key: RedirectURI type: string description: (user_management_get_authorization_url.redirect_uri) - key: ClientID type: string description: (client_id) - key: CodeChallenge optional: true type: string description: (user_management_get_authorization_url.code_challenge) - key: CodeChallengeMethod optional: true type: '"S256"' description: (user_management_get_authorization_url.code_challenge_method) - key: ConnectionID optional: true type: string description: (user_management_get_authorization_url.connection_id) - key: OrganizationID optional: true type: string description: (user_management_get_authorization_url.organization_id) - key: Provider optional: true type: string description: (user_management_get_authorization_url.provider) - key: State optional: true type: string description: (user_management_get_authorization_url.state) - key: LoginHint optional: true type: string description: (user_management_get_authorization_url.login_hint) - key: DomainHint optional: true type: string description: (user_management_get_authorization_url.domain_hint) - key: ScreenHint optional: true type: ScreenHint description: (user_management_get_authorization_url.screen_hint) - key: ProviderScopes optional: true type: '[]string' description: (user_management_get_authorization_url.provider_scopes) returns: - key: url type: string description: (user_management_get_authorization_url.url) - (err) php: - url: /reference/authkit/authentication/get-authorization-url key: getAuthorizationUrl id: user_management_get_authorization_url patternBefore: userManagement-> title: $userManagement->getAuthorizationUrl() parameters: - key: redirectUri type: string description: (user_management_get_authorization_url.redirect_uri) - key: connectionId optional: true type: string description: (user_management_get_authorization_url.connection_id) - key: organizationId optional: true type: string description: (user_management_get_authorization_url.organization_id) - key: provider optional: true type: >- "authkit" | "AppleOAuth" | "GitHubOAuth" | "GoogleOAuth" | "MicrosoftOAuth" description: (user_management_get_authorization_url.provider) - key: state optional: true type: string description: (user_management_get_authorization_url.state) - key: loginHint optional: true type: string description: (user_management_get_authorization_url.login_hint) - key: domainHint optional: true type: string description: (user_management_get_authorization_url.domain_hint) - key: providerScopes optional: true type: 'string[]' description: (user_management_get_authorization_url.provider_scopes) returns: - key: url type: string description: (user_management_get_authorization_url.url) ruby: - url: /reference/authkit/authentication/get-authorization-url key: authorization_url id: user_management_get_authorization_url title: UserManagement.authorization_url() parameters: - key: redirect_uri type: String description: (user_management_get_authorization_url.redirect_uri) - key: client_id type: String description: (client_id) - key: screen_hint optional: true type: '"sign-up" | "sign-in"' description: (user_management_get_authorization_url.screen_hint) - key: domain_hint optional: true type: String description: (user_management_get_authorization_url.domain_hint) - key: login_hint optional: true type: String description: (user_management_get_authorization_url.login_hint) - key: provider optional: true type: >- "authkit" | "AppleOAuth" | "GitHubOAuth" | "GoogleOAuth" | "MicrosoftOAuth" description: (user_management_get_authorization_url.provider) - key: connection_id optional: true type: String description: (user_management_get_authorization_url.connection_id) - key: organization_id optional: true type: String description: (user_management_get_authorization_url.organization_id) - key: state optional: true type: String description: (user_management_get_authorization_url.state) - key: provider_scopes optional: true type: 'Array[String]' description: (user_management_get_authorization_url.provider_scopes) returns: - key: url type: String description: (user_management_get_authorization_url.url) java: - url: /reference/authkit/authentication/get-authorization-url key: authorization_url id: user_management_get_authorization_url title: userManagement.getAuthorizationUrl() parameters: - key: clientId type: String description: (client_id) - key: redirectUri type: String description: (user_management_get_authorization_url.redirect_uri) returns: - key: response type: AuthorizationUrlOptionsBuilder unwrap: true properties: - key: connectionId optional: true type: String description: (user_management_get_authorization_url.connection_id) - key: domainHint optional: true type: String description: (user_management_get_authorization_url.domain_hint) - key: loginHint optional: true type: String description: (user_management_get_authorization_url.login_hint) - key: screenHint optional: true type: String description: (user_management_get_authorization_url.login_hint) - key: organizationId optional: true type: String description: (user_management_get_authorization_url.organization_id) - key: provider optional: true type: UserManagementProviderEnumType description: (user_management_get_authorization_url.provider) - key: state optional: true type: String description: (user_management_get_authorization_url.state) - key: providerScopes optional: true type: List description: (user_management_get_authorization_url.provider_scopes) originalPath: >- .tmp-workos-clone/packages/docs/content/reference/authkit/authentication/get-authorization-url/index.mdx --- # Get an authorization URL Generates an OAuth 2.0 authorization URL to authenticate a user with AuthKit or SSO. If you are using AuthKit, set the provider parameter to `"authkit"`, which will generate an authorization URL for your AuthKit domain. AuthKit will take care of detecting the user’s authentication method, such as identifying whether they use Email + Password or Single Sign-On,and direct them to the corresponding login flow. Otherwise, to generate an authorization URL for a WorkOS SSO connection, you’ll have to specify the user’s connection, organization, or OAuth provider as a parameter. These connection selectors are mutually exclusive, and exactly one must be provided. The generated URL automatically directs the user to their identity provider. Once the user authenticates with their identity provider, WorkOS then issues a redirect to your redirect URI to complete the sign-in flow.