> ## Documentation Index
> Fetch the complete documentation index at: https://devs.izap.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authorize a client (OAuth 2.1 + PKCE)

> Authorization endpoint for third-party and MCP clients. Presents/consumes the resource-owner authorization decision for the requesting `client_id`, validates the PKCE `code_challenge` (S256), and redirects back to the client's `redirect_uri` with a single-use authorization `code`. High-level only — the underlying implementation also serves an interactive HTML consent flow for embedded WhatsApp signup and is not a general-purpose developer surface.



## OpenAPI

````yaml /api-reference/openapi.json post /oauth/authorize
openapi: 3.1.0
info:
  title: iZap API
  version: v1
  description: Public REST API for the iZap WhatsApp business messaging platform.
  contact:
    name: iZap API Support
    email: suporte@izap.ai
  license:
    name: MIT
    url: https://opensource.org/licenses/MIT
servers:
  - url: https://api.izap.ai
    description: Production
  - url: https://api-staging.izap.ai
    description: Staging
security:
  - bearerAuth: []
tags:
  - name: Auth
    description: Login and token refresh.
  - name: OAuth
    description: OAuth 2.1 / PKCE authorization for third-party and MCP clients.
  - name: Businesses
    description: Business profile, hours, menus, and chatbot configuration.
  - name: Chats
    description: Conversations, messages, and template sends.
  - name: Scheduling
    description: Customers, services, providers, and bookings (Trinks-backed).
  - name: WhatsApp Templates
    description: Manage and sync WhatsApp message templates.
  - name: Transmissions
    description: Bulk WhatsApp template broadcasts.
  - name: Me
    description: The authenticated user's own profile and active business.
paths:
  /oauth/authorize:
    post:
      tags:
        - OAuth
      summary: Authorize a client (OAuth 2.1 + PKCE)
      description: >-
        Authorization endpoint for third-party and MCP clients.
        Presents/consumes the resource-owner authorization decision for the
        requesting `client_id`, validates the PKCE `code_challenge` (S256), and
        redirects back to the client's `redirect_uri` with a single-use
        authorization `code`. High-level only — the underlying implementation
        also serves an interactive HTML consent flow for embedded WhatsApp
        signup and is not a general-purpose developer surface.
      operationId: oauthAuthorize
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - response_type
                - client_id
                - redirect_uri
                - code_challenge
                - code_challenge_method
              properties:
                response_type:
                  type: string
                  enum:
                    - code
                client_id:
                  type: string
                redirect_uri:
                  type: string
                  format: uri
                state:
                  type: string
                code_challenge:
                  type: string
                code_challenge_method:
                  type: string
                  enum:
                    - S256
                scope:
                  type: string
      responses:
        '200':
          description: Redirect (or consent page) issued.
          content:
            application/json:
              schema:
                type: object
                additionalProperties: true
              example:
                redirect_uri: https://client.example.com/callback?code=abc123&state=xyz
        '401':
          description: Not authenticated as the resource owner.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                detail: Not authenticated
      security: []
components:
  schemas:
    Error:
      type: object
      properties:
        detail:
          type: string
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        JWT access token obtained from POST /api/v1/auth/jwt/login, the OAuth
        token endpoint, or a business-scoped API token. Some
        Business/Chat/Template/Scheduling endpoints alternatively accept HTTP
        Basic credentials scoped to the business slug.

````