Web App Integration

OpenASA browser sign-in should be integrated through standard top-level redirects, client-side state validation, and backend token exchange.

1. Build authorize URL from your client metadata

Your frontend should assemble the OpenASA authorize request from:

  • client_id
  • redirect_uri
  • scope
  • state
  • optional PKCE fields when enabled

2. Use top-level browser redirect

When the user clicks sign-in:

const base = "https://api.openasa.com";
// Assemble the authorize request from your client metadata (client_id, redirect_uri, scope, state, optional PKCE fields).
const authorizeUrl = `${base}/<authorize-endpoint>?response_type=code&client_id=...`;
// Top-level navigation: the whole tab moves to OpenASA, which later redirects back to your redirect_uri.
window.location.href = authorizeUrl;

Do not start the authorize request from XHR/fetch; it must be a top-level browser navigation.

3. Handle callback on your own app URL

After OpenASA redirects back to your app:

  1. Read the code and state query parameters from the callback URL
  2. Validate state against the value saved before the redirect
  3. Hand the code to your backend for token exchange
  4. Refresh your app session and user state
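The three steps above (build the authorize URL with a fresh state, redirect at top level, then validate state on the callback before handing the code to the backend) as one added example. This is not OpenASA's own code: the authorize path "/oauth/authorize" and the backend route POST /api/auth/callback are assumptions, since the page only shows "<authorize-endpoint>".

```javascript
// Added example, not OpenASA's code. Assumed: authorize path "/oauth/authorize"
// (page shows only "<authorize-endpoint>") and a backend route POST /api/auth/callback.
const BASE = "https://api.openasa.com";
const AUTHORIZE_PATH = "/oauth/authorize";

function base64url(bytes) {
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
// One fresh, unguessable state per sign-in attempt; it binds the callback to this browser.
function newState() {
  return base64url(globalThis.crypto.getRandomValues(new Uint8Array(32)));
}

function buildAuthorizeUrl({ clientId, redirectUri, scope, state, codeChallenge }) {
  const url = new URL(AUTHORIZE_PATH, BASE);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri); // must equal the registered value exactly
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  if (codeChallenge) { // optional PKCE fields
    url.searchParams.set("code_challenge", codeChallenge);
    url.searchParams.set("code_challenge_method", "S256");
  }
  return url.toString();
}

// Read code/state from the callback URL and check state against the saved value.
// Throws on error, missing fields or mismatch so a bad callback never reaches the backend.
function parseCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.has("error")) throw new Error(`authorize failed: ${p.get("error")}`);
  const code = p.get("code"), state = p.get("state");
  if (!code || !state || !expectedState || state !== expectedState) throw new Error("state mismatch or missing code; discard this callback");
  return code;
}

// Browser wiring (skipped under Node): top-level navigation out, backend exchange back.
if (typeof window !== "undefined") {
  window.startSignIn = (cfg) => {
    const state = newState();
    sessionStorage.setItem("openasa_state", state);
    window.location.href = buildAuthorizeUrl({ ...cfg, state }); // never via XHR/fetch
  };
  window.finishSignIn = async () => {
    const expected = sessionStorage.getItem("openasa_state");
    sessionStorage.removeItem("openasa_state"); // state is single use
    const code = parseCallback(window.location.href, expected);
    await fetch("/api/auth/callback", { method: "POST", body: JSON.stringify({ code }) });
  };
}
```

The backend route receiving the code performs the token exchange with the client secret; the browser never sees tokens from the exchange.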

4. Production recommendations

  • Keep OpenASA authorize on top-level browser navigation.
  • Keep code exchange on a trusted backend, not in browser JavaScript.
  • Match registered redirect_uri exactly.
  • Add retry and clear error UX for an expired code or a callback mismatch.