/api/oauth2

The OAuth2 client identifier.

The OAuth2/OIDC response type. Combined types such as code id_token are also supported.

Where to redirect with the result. Must match the client registration.

Space-separated scopes, within the client's allowed set (a client that configures none may use all of read, write, openid, offline). Their effect in fylr:

• openid — also issue an OpenID Connect id_token (an RS256 JWT) alongside the access token. (The /api/oauth2/userinfo endpoint itself accepts any valid access token and is not gated on this scope.)
• offline — request a refresh token. A refresh token is issued (for the authorization-code and password grants) only when this scope is granted, and granting it also applies the configured refresh-token expiration override. fylr accepts both offline and the OIDC-standard offline_access for this.
• read, write — capability labels only; they are not consulted to authorize API calls. Actual API authorization uses fylr's per-user/per-pool ACL rights, which are independent of these OAuth2 scopes despite the matching names.

Opaque value echoed back to the client.

PKCE code challenge.

fylr login method (default easydb). The endpoint accepts a comma-separated list and tries the methods in order; the web-app sends a single value. Each method authenticates a specific user type:

• easydb — login + password against the fylr user database (user types easydb, system, easydb_self_register). Also the fallback when auth_method is set to an unrecognised value. (An empty auth_method parses to auto, not easydb.)
• ldap — login + password bound against a configured LDAP directory; provisions/updates an ldap user. Only available when an LDAP connection is configured and the license permits external auth.
• email — passwordless login for invited email users: login plus the account UUID (sent in the password field) — the UUID is the secret.
• collection — login + password for collection user accounts.
• saml — SAML 2.0 SSO; no credentials in the form. The first call redirects to the IdP, then the returned assertion provisions/updates an sso user. Only available when SAML is configured and the license permits external auth.
• action_code — a one-time secret + action_code pair used by internal redirect flows (forced password change, system messages); logs in whichever user the code was issued for. Single-use.
• anonymous — guest login, no credentials; binds to a per-browser anonymous user. Only when guest login is enabled (base config guest).
• auto — server-side selector (the web-app default): resolves to anonymous when guests are allowed and no login is supplied, otherwise to password login (easydb, then ldap when configured).

User login (for password methods).

User password (for password methods).