Skip to main content
GET
/
oauth
/
authorize
curl (runnable — unsigned leg)
# Render the consent page (200, text/html):
curl "https://phosra-api-sandbox-production.up.railway.app/oauth/authorize?redirect_uri=https://example.com/cb&state=xyz123"
# Machine path — approve and capture the 302 Location:
curl -sD - -o /dev/null "https://phosra-api-sandbox-production.up.railway.app/oauth/authorize?redirect_uri=https://example.com/cb&state=xyz123&decision=approve" | grep -i '^location:'
"<!doctype html><meta charset=\"utf-8\"><meta name=\"viewport\" content=\"width=device-width,initial-scale=1\">\n<title>Phosra Sandbox — Connect</title>\n<style>body{font:16px/1.5 system-ui,sans-serif;max-width:30rem;margin:3rem auto;padding:0 1.25rem;color:#0f172a}\nh1{font-size:1.25rem}.card{border:1px solid #e2e8f0;border-radius:12px;padding:1.25rem}\nul{padding-left:1.1rem}.act{display:flex;gap:.75rem;margin-top:1.25rem}\na.btn{flex:1;text-align:center;text-decoration:none;padding:.7rem 1rem;border-radius:10px;font-weight:600}\n.ap{background:#4f46e5;color:#fff}.dn{background:#f1f5f9;color:#334155}\n.tag{display:inline-block;background:#eef2ff;color:#4338ca;border-radius:999px;padding:.1rem .6rem;font-size:.75rem}</style>\n<div class=\"card\"><span class=\"tag\">Sandbox reference provider</span>\n<h1>Connect your family to this app?</h1>\n<p>Approving shares these sandbox child profiles so the app can receive their safety policy:</p>\n<ul><li>Mia <small>(child)</small></li><li>Leo <small>(child)</small></li><li>Ava <small>(child)</small></li></ul>\n<div class=\"act\"><a class=\"btn ap\" href=\"/oauth/authorize?decision=approve&amp;redirect_uri=https%3A%2F%2Fexample.com%2Fcb&amp;state=xyz123\">Approve</a>\n<a class=\"btn dn\" href=\"/oauth/authorize?decision=deny&amp;redirect_uri=https%3A%2F%2Fexample.com%2Fcb&amp;state=xyz123\">Deny</a></div></div>\n"
Sandbox only. The reference OAuth provider is hosted on the census host root (not /api/v1) and gated on PHOSRA_ENV==sandbox404 on dev, staging, and production.
The first leg of the sandbox reference OAuth flow, seeded with the test family (Mia / Leo / Ava). With no decision it renders an HTML consent page. Its machine-usable contract: add decision=approve and the census issues an authorization code and 302-redirects to redirect_uri?code=…&state=… — so CI can automate approval with no HTML scraping. decision=deny redirects with error=access_denied&state=…. Custom mobile schemes (e.g. propagate://) are allowed as redirect_uri.
Phosra sandbox reference-provider consent page: a card titled 'Connect your family to this app?' with a 'Sandbox reference provider' pill and Approve / Deny buttons.

Worked example

Fully runnable — this leg is unsigned:
# Render the consent page (200, text/html):
curl "https://phosra-api-sandbox-production.up.railway.app/oauth/authorize?redirect_uri=https://example.com/cb&state=xyz123"

# Machine path — approve and capture the 302 Location header:
curl -sD - -o /dev/null \
  "https://phosra-api-sandbox-production.up.railway.app/oauth/authorize?redirect_uri=https://example.com/cb&state=xyz123&decision=approve" \
  | grep -i '^location:'
Real 302 on approve (captured from the hosted sandbox):
HTTP/2 302
location: https://example.com/cb?code=sbxauth_QBmKueI14KzQj9PM-2M9naWGkh2OU6WL&state=xyz123
Exchange the sbxauth_… code at POST /oauth/token.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Query Parameters

redirect_uri
string
required

Where the 302 sends the code (https, http, or a custom mobile scheme).

state
string

Opaque value echoed back verbatim in the redirect (CSRF binding).

decision
enum<string>

Omit to render the consent page. approve → 302 with ?code=&state=. deny → 302 with ?error=access_denied&state=.

Available options:
approve,
deny

Response

Consent page (text/html) — shown when decision is omitted.

The response is of type string.