---
descriptions:
  workos_connect_authorize:
    client_id: |
      The client ID of the WorkOS Connect Application.
    nonce: >
      A random string generated by the client that is used to mitigate replay
      attacks.
    redirect_uri: |
      The URL to redirect the user to after they have logged in.
    response_type: >
      The type of authentication flow. Currently, the only supported value is
      `"code"`.
    scope: |
      A space-separated list of scopes being requested.

      Acceptable values:
      - `openid`: Required to enable other scopes like `profile` and `email`.
      - `profile`: Adds profile information (name fields) to the ID token.
        - `name`
        - `given_name`
        - `family_name`
      - `email`: Adds email information to the ID token.
        - `email`
        - `email_verified`
      - `offline_access`: Adds a refresh token to the response.
    state: >
      An opaque string used by the client to maintain state between the request
      and callback.
    code_challenge: >
      A code challenge used for PKCE (Proof Key for Code Exchange). This should
      be a cryptographically

      random string, encoded using the given `code_challenge_method`.


      **Note:** PKCE is only supported by applications created through Dynamic
      Client Registration,

      which is required to use MCP (Model Context Protocol) authorization. For
      setup instructions,

      see our [MCP guide](/authkit/mcp).
    code_challenge_method: >
      The method used to encode the `code_challenge`. Currently, only `S256` is
      supported, which means

      the `code_challenge` is a Base64url-encoded SHA256 hash of the
      `code_verifier`.
  workos_connect_authorize_response:
    url: |
      The OAuth 2.0 authorization URL to redirect the user to.
reference:
  curl:
    - url: /reference/workos-connect/authorize
      key: workos_connect_authorize
      id: workos_connect_authorize
      title: /oauth2/authorize
      type: GET
      parameters:
        - key: client_id
          type: string
          description: (workos_connect_authorize.client_id)
        - key: nonce
          type: string
          description: (workos_connect_authorize.nonce)
        - key: redirect_uri
          type: string
          description: (workos_connect_authorize.redirect_uri)
        - key: response_type
          type: '"code"'
          description: (workos_connect_authorize.response_type)
        - key: scope
          type: string
          description: (workos_connect_authorize.scope)
        - key: state
          type: string
          description: (workos_connect_authorize.state)
          optional: true
        - key: code_challenge
          type: string
          description: (workos_connect_authorize.code_challenge)
          optional: true
        - key: code_challenge_method
          type: '"S256"'
          description: (workos_connect_authorize.code_challenge_method)
          optional: true
      returns:
        - key: url
          type: string
          description: (workos_connect_authorize_response.url)
originalPath: >-
  .tmp-workos-clone/packages/docs/content/reference/workos-connect/authorize/index.mdx
---

# Authorize

When authenticating a user for a WorkOS Connect application, this is the endpoint they should be redirected to. If they’re not already logged in, the user will be redirected to the AuthKit login page. For a third-party application, the user will have to authorize the application’s access on their first access.

<CodeBlock referenceId="workos_connect_authorize">
  <CodeBlockTab title="Request" file="authorize-request" />
  <CodeBlockTab title="Response" file="authorize-response" />
</CodeBlock>