# Grant the access request

The resource owner will consent or deny the third party application access request, and Zephr will return an authorization code upon user's consent.

Endpoint: POST /zephr/oauth2/grant
Version: 2025-07-30
Security: CookieBlaizeSession, JwtQuery, JwtHeaderXBlaizeJwt, JwtHeaderXZephrJwt, JwtBearer, JwtCookie

## Request fields (application/json):

  - `client_id` (string, required)
    Zephr Site Oauth2 Client ID
    Example: "1234567890"

  - `response_type` (string, required)
    Must be set to code
    Example: "code"

  - `redirect_uri` (string, required)
    Client's redirection endpoint. Must be an absolute URI
    Example: "https://someUrl.com/callback"

  - `scope` (string, required)
    The scope of the access request. Supported scopes: user.account:read, user.profile:read and user.profile:update
    Example: "user.account:read user.profile:read"

  - `state` (string, required)
    An opaque value used by the client to maintain state between the request and callback
    Example: "abcdefghijklmnopqrstuvwsyz"

  - `allow` (boolean, required)
    Resource owner consent
    Example: true

## Response 200 fields (*/*):

  - `state` (string)
    State (string)

  - `code` (string)
    Authorization code (string)

## Response 401 fields (*/*):

  - `state` (string)
    State (string)

  - `error` (string)
    Error type (string)