Reference parent-consent authorize leg (sandbox)
SANDBOX-ONLY reference OAuth provider hosted on the census host root (NOT /api/v1). With no decision, renders an HTML consent page seeded with the sandbox test family (Mia/Leo/Ava). MACHINE-USABLE CONTRACT: re-request with decision=approve and the census issues an authorization code and 302-redirects to redirect_uri?code=…&state=… — so CI can automate the approval with no HTML scraping. decision=deny 302s with error=access_denied&state=…. Custom mobile schemes (e.g. propagate://) are allowed as redirect_uri. Stateless (opaque sbxauth_ code). Gated on the Restricted band — 404 on dev/staging/production. Source: internal/ocsshttp/handler_sandbox_oauth.go Authorize().
/api/v1) and gated on PHOSRA_ENV==sandbox — 404 on dev, staging, and production.decision it renders an HTML consent page. Its machine-usable contract: add
decision=approve and the census issues an authorization code and 302-redirects to
redirect_uri?code=…&state=… — so CI can automate approval with no HTML scraping.
decision=deny redirects with error=access_denied&state=…. Custom mobile schemes (e.g.
propagate://) are allowed as redirect_uri.

Worked example
Fully runnable — this leg is unsigned:302 on approve (captured from the hosted sandbox):
sbxauth_… code at POST /oauth/token.Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Query Parameters
Where the 302 sends the code (https, http, or a custom mobile scheme).
Opaque value echoed back verbatim in the redirect (CSRF binding).
Omit to render the consent page. approve → 302 with ?code=&state=. deny → 302 with ?error=access_denied&state=.
approve, deny Response
Consent page (text/html) — shown when decision is omitted.
The response is of type string.