> ## Documentation Index
> Fetch the complete documentation index at: https://formhug.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Start an OAuth authorization request (PKCE)

> Start an OAuth 2.0 authorization request with PKCE (S256). The browser is redirected to the login page and ultimately back to the client `redirect_uri` with a `code` query parameter.



## OpenAPI

````yaml GET /api/v1/oauth/authorize
openapi: 3.0.1
info:
  title: FormHug API V1
  version: v1
  description: |
    FormHug public REST API. All request/response keys are snake_case.

    Successful response:

    ```json
    {
      "data": { ... }
    }
    ```

    Paginated response:

    ```json
    {
      "data": [ ... ],
      "pagination": {
        "total": 123,
        "next_cursor": "NQ=="
      }
    }
    ```

    Error response:

    ```json
    {
      "error": "Human-readable message",
      "error_details": [
        { "attribute": "field_name", "message": "specific error" }
      ]
    }
    ```

    `error_details` only appears for model validation failures.
servers:
  - url: https://formhug.ai
security: []
tags:
  - name: Forms
    description: Form CRUD
  - name: Attachments
    description: >-
      2-step upload for form-element images (theme, rich-text, or field-element
      images). Prepare returns an `upload_id`; consume it in a theme update,
      attachment_commitments, or the form `fields` payload depending on purpose.
  - name: Entries
    description: Entries collected by a form owned by the current user
  - name: Folders
    description: Folder CRUD
  - name: Participated Forms
    description: Forms the current user has submitted to (does not own)
  - name: Published Form Entries
    description: Submit entries to a published form
  - name: Published Forms
    description: Read a published form's public structure for filling
  - name: Entry Attachments
    description: >-
      2-step upload for `attachment` field submissions. Prepare returns an
      `upload_id`; submit it under the attachment field in `field_values` when
      creating the entry.
  - name: Me
    description: Current authenticated user
  - name: Webhooks
    description: Webhook integrations attached to a form
  - name: Form Themes
    description: Read and update a form's visual theme
  - name: Form Settings
    description: >-
      Per-form settings — submission flow, availability, access control,
      presentation
  - name: Field Rules
    description: >-
      Read and replace a form's conditional field-display and post-submission
      redirect rules.
  - name: OAuth
    description: OAuth 2.0 PKCE token issuance and revocation
paths:
  /api/v1/oauth/authorize:
    get:
      tags:
        - OAuth
      summary: Start an OAuth authorization request (PKCE)
      description: >-
        Start an OAuth 2.0 authorization request with PKCE (S256). The browser
        is redirected to the login page and ultimately back to the client
        `redirect_uri` with a `code` query parameter.
      parameters:
        - name: client_id
          in: query
          required: true
          schema:
            type: string
        - name: redirect_uri
          in: query
          required: true
          schema:
            type: string
          description: Must be on the client whitelist
        - name: code_challenge
          in: query
          required: true
          schema:
            type: string
          description: PKCE code_challenge (S256)
        - name: code_challenge_method
          in: query
          required: true
          schema:
            type: string
            enum:
              - S256
        - name: scope
          in: query
          required: false
          schema:
            type: string
          description: Space-separated; defaults to the client default scope
        - name: state
          in: query
          required: false
          schema:
            type: string
      responses:
        '302':
          description: >-
            Redirect to the login page or to the client redirect_uri (with
            error)
        '400':
          description: >-
            Missing required params, unknown client_id, or redirect_uri not on
            the whitelist
          content:
            application/json:
              examples:
                invalid_request:
                  value:
                    error: invalid_request
                    error_description: Unknown client_id
              schema:
                $ref: '#/components/schemas/OAuthError'
components:
  schemas:
    OAuthError:
      type: object
      description: RFC 6749 OAuth error response
      required:
        - error
      properties:
        error:
          type: string
          description: Error code per RFC 6749
        error_description:
          type: string
          description: Human-readable error description

````