This page describes the full request flow behind the hosted journey for custom integrations that do not use an SDK.
For SDK-based integrations, the SDK handles all of the steps below automatically; you do not need to implement any of this yourself. See the Hosted journey overview page for the recommended approach.
Prerequisites
Before starting, your Strivacity application must have a client of the OIDC (using no-code components) type. See the Application clients documentation for setup instructions.
Flow overview
| Method | Endpoint | Description |
|---|---|---|
| GET | /oauth2/auth | Initiate the OIDC authorization flow. |
| GET | <redirect_uri> | Strivacity redirects back with the authorization code. |
| POST | /oauth2/token | Exchange the auth code for tokens. |
Step 1: Initiate OIDC authorization
```text
GET https://<tenant>/oauth2/auth
    ?client_id=<clientId>
    &redirect_uri=<redirectUrl>
    &scope=openid
    &response_type=code
    &response_mode=query
    &code_challenge_method=S256
    &code_challenge=<code_challenge>
    &state=<state>
    &nonce=<nonce>
```
This starts the OAuth 2.0 authorization code flow with PKCE. Required parameters:
| Parameter | Description |
|---|---|
| client_id | Your OIDC client ID (no-code components type) |
| redirect_uri | Must match the callback URL registered on the client |
| scope | At minimum openid |
| response_type | Must be code |
| response_mode | Typically query |
| code_challenge | PKCE code challenge: base64url(SHA-256(code_verifier)), no padding |
| code_challenge_method | Must be S256 |
| state | Unguessable random value, stored in the user's session, used to reject forged callbacks (CSRF) |
| nonce | Unguessable random value, stored in the session, echoed back in the ID token so the token can be bound to this login attempt |
Response: HTTP 302 redirect to the Strivacity-hosted login page. Navigate to this URL. The entire authentication flow runs there; no further API interaction is required until the user completes or cancels login.
Step 2: Receive the authorization code
When the user completes authentication on the hosted page, Strivacity redirects back to your redirect_uri with an authorization code:
```text
https://<your-redirect-uri>?code=<authCode>&state=<state>
```
Verify that state matches the value you generated and stored in step 1 before doing anything else; a mismatch means the callback was not started by this session and must be discarded. Then capture the code value. If the user cancels or authentication fails, the standard OAuth 2.0 error response applies: the redirect carries error (and usually error_description) instead of code, so check for error before reading code.
Step 3: Exchange code for tokens
```http
POST /oauth2/token HTTP/1.1
Host: <tenant>
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=<clientId>
&code_verifier=<codeVerifier>
&code=<authCode>
&redirect_uri=<redirectUrl>
```
| Parameter | Description |
|---|---|
| grant_type | Must be authorization_code. |
| client_id | Same client ID used in step 1. |
| code_verifier | The plain PKCE verifier string whose S256 hash was sent as code_challenge in step 1. |
| code | The authorization code from step 2. |
| redirect_uri | Must exactly match the value used in step 1. |
Response: JSON with access_token, id_token, and optionally refresh_token. Before trusting the id_token, validate it as an OIDC ID token: check its signature against the tenant's published signing keys, that iss is your tenant, that aud contains your client_id, that exp has not passed, and that the nonce claim equals the nonce you sent in step 1. Authorization codes are single-use and short-lived, so do the exchange promptly and do not retry with the same code.
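The three steps above as one runnable client-side module. This is an added example, not Strivacity's own code or SDK: the tenant host, client ID and redirect URI are placeholder values, the HTTP calls themselves are left to the caller so the module runs offline, and the ID-token helper checks only the nonce binding (signature, iss, aud and exp validation need a JWT library and the tenant's keys and are not shown).

```python
"""Hosted-journey OIDC flow without an SDK: PKCE, state/nonce, code exchange.

Added example, not Strivacity code. Tenant, client ID and redirect URI are
assumed placeholders; only request construction and response checks are shown.
"""
import base64
import hashlib
import json
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "tenant.example.com"                      # assumed tenant host
CLIENT_ID = "my-no-code-client"                     # assumed OIDC client ID
REDIRECT_URI = "https://app.example.com/callback"   # assumed registered callback


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE and JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, 256 bits of entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_auth_url(state: str, nonce: str, code_challenge: str) -> str:
    """Step 1: the GET /oauth2/auth URL the browser is sent to."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "response_type": "code",
        "response_mode": "query",
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
        "state": state,
        "nonce": nonce,
    }
    return f"https://{TENANT}/oauth2/auth?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back to redirect_uri and return the code.

    Rejects OAuth 2.0 error responses and any state that does not match the
    value stored for this login attempt (CSRF defence), in that order.
    """
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error'][0]} "
                           f"{q.get('error_description', [''])[0]}")
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


def build_token_request(code: str, code_verifier: str) -> Tuple[str, Dict[str, str], str]:
    """Step 3: (url, headers, form body) for POST /oauth2/token."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the step-1 value exactly
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{TENANT}/oauth2/token", headers, urlencode(body)


def id_token_claims_with_nonce(id_token: str, expected_nonce: str) -> dict:
    """Decode the ID token payload and check its nonce against step 1.

    This binds the token to this login attempt only. Real code must also verify
    the JWS signature against the tenant's keys plus iss, aud and exp.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("ID token nonce does not match this login attempt")
    return claims


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    print("Step 1:", build_auth_url(state, nonce, challenge))
    # Constructed callback standing in for the Strivacity redirect.
    code = parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state)
    url, headers, body = build_token_request(code, verifier)
    print("Step 3:", url, headers, body)
    token = make_unsigned_test_token({"sub": "user-1", "nonce": nonce})
    print("ID token claims:", id_token_claims_with_nonce(token, nonce))
```

Keep verifier, state and nonce server-side (session storage keyed to the user agent) between step 1 and step 3; the callback handler must never accept a state or nonce supplied by the incoming request as the expected value.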
