
Overview

The authorization flow starts when your agent needs permissions from a user (principal). You create an authorization request, redirect the user to the consent URL, and receive a callback with an authorization code.
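```go
authReq, err := client.Authorize(ctx, grantex.AuthorizeParams{
    AgentID:     "agent-id",
    PrincipalID: "user-123",
    Scopes:      []string{"read:email", "send:email"},
})
if err != nil {
    log.Fatal(err)
}
// Redirect the user to authReq.ConsentURL to collect consent.
```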

Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| AgentID | string | Yes | The agent requesting authorization |
| PrincipalID | string | Yes | The user granting authorization |
| Scopes | []string | Yes | Permissions being requested |
| ExpiresIn | string | No | Grant duration (e.g. "24h", "7d") |
| RedirectURI | string | No | Where to redirect after consent |
| CodeChallenge | string | No | PKCE S256 code challenge |
| CodeChallengeMethod | string | No | Must be "S256" when using PKCE |

Response

| Field | Type | Description |
| --- | --- | --- |
| AuthRequestID | string | Unique request identifier |
| ConsentURL | string | URL to redirect user for consent |
| AgentID | string | Agent ID |
| PrincipalID | string | Principal (user) ID |
| Scopes | []string | Requested scopes |
| ExpiresIn | string | Requested duration |
| ExpiresAt | string | ISO 8601 expiry timestamp |
| Status | string | "pending", "approved", "denied", "expired" |
| CreatedAt | string | ISO 8601 creation timestamp |

With PKCE

```go
// Generate PKCE challenge
pkce, err := grantex.GeneratePKCE()
if err != nil {
    log.Fatal(err)
}

// Include challenge in authorization request
authReq, err := client.Authorize(ctx, grantex.AuthorizeParams{
    AgentID:             "agent-id",
    PrincipalID:         "user-123",
    Scopes:              []string{"read:email"},
    CodeChallenge:       pkce.CodeChallenge,
    CodeChallengeMethod: pkce.CodeChallengeMethod,
})
if err != nil {
    log.Fatal(err)
}
// Redirect the user to authReq.ConsentURL and keep pkce.CodeVerifier for the exchange.

// Later, include verifier when exchanging code
tokenResp, err := client.Tokens.Exchange(ctx, grantex.ExchangeTokenParams{
    Code:         "auth-code", // authorization code received in the callback
    AgentID:      "agent-id",
    CodeVerifier: pkce.CodeVerifier,
})
if err != nil {
    log.Fatal(err)
}
```

Next Steps

After the user approves the consent request, exchange the authorization code for a grant token using client.Tokens.Exchange().