Reference
Authorization Endpoints
Technical reference for the OAuth 2.0 authorization and discovery endpoints.
Authorization endpoint
GET /oauth/authorizeInitiates the OAuth 2.0 Authorization Code flow. Redirects the user to the Loopwise login and consent screen.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
response_type | string | Yes | Must be code |
client_id | string | Yes | The application's client ID |
redirect_uri | string | Yes | Must exactly match a registered redirect URI |
scope | string | Yes | Space-separated list of requested scopes |
state | string | Recommended | Opaque value to prevent CSRF. Returned unchanged in the callback |
code_challenge | string | Yes | Base64url-encoded SHA-256 hash of the code_verifier |
code_challenge_method | string | Yes | Must be S256 |
school_id | integer | No | Pre-select a school (skips the school picker if valid) |
Success response
Redirects to redirect_uri with:
| Parameter | Description |
|---|---|
code | The authorization code (single-use, short-lived) |
state | The state value from the request |
Error response
Redirects to redirect_uri with:
| Parameter | Description |
|---|---|
error | Error code (e.g., access_denied, invalid_request) |
error_description | Human-readable error description |
state | The state value from the request |
Discovery endpoint
GET /.well-known/oauth-authorization-serverReturns OAuth 2.0 Authorization Server Metadata per RFC 8414.
Response
{
"issuer": "https://your-school.loopwise.com",
"authorization_endpoint": "https://your-school.loopwise.com/oauth/authorize",
"token_endpoint": "https://your-school.loopwise.com/api/oauth/token",
"token_endpoint_auth_methods_supported": ["none", "client_secret_post"],
"revocation_endpoint": "https://your-school.loopwise.com/api/oauth/revoke",
"registration_endpoint": "https://your-school.loopwise.com/api/oauth/register",
"response_types_supported": ["code"],
"grant_types_supported": ["authorization_code", "refresh_token"],
"code_challenge_methods_supported": ["S256"],
"scopes_supported": ["read", "write", "courses:read", "..."],
"service_documentation": "https://docs.loopwise.com",
"mcp_client_id": "..."
}Dynamic Client Registration endpoint
POST /api/oauth/registerRegisters a new OAuth client per RFC 7591. Known platforms (Claude Code, Cursor, etc.) receive pre-registered credentials.
Request body
| Field | Type | Required | Description |
|---|---|---|---|
client_name | string | Yes | Human-readable name for the client |
redirect_uris | string[] | No | List of allowed redirect URIs |
grant_types | string[] | No | Defaults to ["authorization_code", "refresh_token"] |
response_types | string[] | No | Defaults to ["code"] |
token_endpoint_auth_method | string | No | Defaults to "none" (public client) |
Response
{
"client_id": "abc123...",
"client_name": "My Integration",
"redirect_uris": ["https://myapp.com/callback"],
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"],
"token_endpoint_auth_method": "none",
"scope": "read write courses:read ..."
}If the application is confidential, the response also includes client_secret.