Authorization Code Flow

The Authorization Code flow with PKCE is the only supported OAuth flow in Loopwise. This page explains each step in detail.

Flow diagram

Step-by-step

1. Generate PKCE values

Before starting the flow, generate a random code_verifier (43-128 characters, URL-safe) and compute its SHA-256 hash as the code_challenge:

const codeVerifier = generateRandomString(64);
const codeChallenge = base64url(sha256(codeVerifier));

2. Authorization request

Redirect the user to the authorization endpoint:

GET /oauth/authorize

3-6. User authentication and consent

Loopwise handles user authentication. If the user is not logged in, they are shown a login page. After authentication:

• If the client is a trusted first-party app, authorization is granted automatically (no consent screen)
• Otherwise, the user sees a consent screen showing the requested scopes
• The token is automatically scoped to the school where the OAuth application was registered

7. Authorization response

After the user grants consent, Loopwise redirects to your redirect_uri:

https://myapp.com/callback?code=AUTH_CODE&state=YOUR_STATE

Verify that state matches what you sent in step 2.

8-9. Token exchange

Exchange the authorization code for tokens. See Token Endpoints for the full specification.

POST /api/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTH_CODE
&redirect_uri=https://myapp.com/callback
&client_id=YOUR_CLIENT_ID
&code_verifier=YOUR_CODE_VERIFIER

10. Use the access token

Include the token in the Authorization header for all API requests:

GET /api/v1/courses
Authorization: Bearer ACCESS_TOKEN

Error responses

If the authorization request fails, Loopwise redirects to your redirect_uri with error parameters:

https://myapp.com/callback?error=access_denied&error_description=The+user+denied+the+request

Common error codes: