> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fluz.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication reference

> OAuth endpoints, grant types, and the exact request/response shapes for minting tokens.

For the conceptual overview, see [Authentication](/concepts/authentication). This page documents the exact GraphQL contracts on the OAuth service at `https://oauth-service.fluzapp.com`.

## `generateUserAccessToken`

Mint an access token from an application's `clientId` / `clientSecret` (own account) or from an OAuth authorization code (customer account).

### Own-account request

```http theme={null}
POST /graphql HTTP/1.1
Host: oauth-service.fluzapp.com
Content-Type: application/json

{
  "query": "mutation ($clientId: String!, $clientSecret: String!, $scopes: [Scope!]!) { generateUserAccessToken(clientId: $clientId, clientSecret: $clientSecret, scopes: $scopes) { accessToken expiresIn scopes } }",
  "variables": {
    "clientId": "app_01H...",
    "clientSecret": "sk_...",
    "scopes": ["LIST_OFFERS", "PURCHASE_GIFTCARD"]
  }
}
```

### Customer-account request (OAuth code exchange)

Pass the `code` returned from the authorize redirect along with the same client credentials. Fluz returns a customer-scoped `accessToken` for that user.

### Response

```json theme={null}
{
  "data": {
    "generateUserAccessToken": {
      "accessToken": "eyJhbGciOi...",
      "expiresIn": 3600,
      "scopes": ["LIST_OFFERS", "PURCHASE_GIFTCARD"]
    }
  }
}
```

## OAuth authorize redirect

Redirect customers to Fluz's OAuth authorize URL to start a platform flow.

| Query parameter | Required    | Notes                                              |
| --------------- | ----------- | -------------------------------------------------- |
| `client_id`     | Yes         | Your application's `clientId`                      |
| `redirect_uri`  | Yes         | Must exactly match one registered in the dashboard |
| `scope`         | Yes         | Space-separated Fluz scopes                        |
| `state`         | Recommended | Opaque value echoed back for CSRF protection       |
| `response_type` | Yes         | Always `code`                                      |

On success, Fluz redirects to `redirect_uri?code=...&state=...`. On denial, `redirect_uri?error=access_denied&state=...`. Exchange the `code` via `generateUserAccessToken`.

## Scopes

See the scope table in [Authentication](/concepts/authentication#scopes). Unknown scopes cause the mutation to fail.
