Ticket Parameter in Authorization Endpoint

Authlete's Authorization Endpoint APIs are backend APIs to implement an authorization endpoint. The APIs are comprised of two types of APIs:

  1. API that understands authorization requests and provides information that will be required in the next step, such as end-user authentication, and
  2. API that issues tokens or codes, or returns errors

These two APIs are linked using "ticket." 

First, Authlete /auth/authorization API returns ticket in its response to authorization requests. Then, auth/authorization/issue or auth/authorization/fail API receives the ticket and process the authorization requests to issue tokens or codes or return errors.

authorization-endpoint.png 178.54 KB


Here is a couple of nature of the ticket.
  • A ticket will be expired in 24 hours. Expired tickets will be deleted from Authlete's database.
  • A ticket can only be used once. When auth/authorization/issue or auth/authorization/fail API receives and process a ticket, it will be removed from the database.
When you use a ticket that has already been used or expired, you will get an error code like below:

[A041202] There is no entity having the ticket specified in the /api/auth/authorization/issue request (ticket = {Ticket}).


Please note that tickets are designed to be used only between an authorization server and Authlete server; It must thus not be used between an authorization server and user agent, such as web browser, to manage sessions, for example.

How did we do with this article?