Starts an OAuth 2.0 Authorization Code flow (with PKCE) by issuing a short-lived authorization code.
POST/authcode
Validates the client by checking the supplied ClientId against payment keys, confirms the user is logged in,
and generates a 5-minute authorization code bound to the provided PKCE code_challenge.
The code and the original state are returned to the caller; the code is cached server-side until it expires or is redeemed.
Errors:
400 Bad Request for invalid model, invalid client key, or when the user is not logged in.
Request
Responses
- 200
OK