Endpoints

All endpoints are served under https://api.app.vacationtracker.io/oauth.

GET /oauth/authorize

Initiates the authorization code flow. Redirect the user's browser to this endpoint.

Parameter	Required	Description
`client_id`	Yes	Your registered OAuth client ID
`redirect_uri`	Yes	Must exactly match a registered redirect URI
`state`	Yes	Opaque value for CSRF protection, returned unchanged in the callback
`scope`	No	Space-separated scopes. Defaults to `openid`
`response_type`	No	Must be `code`. Defaults to `code`

HTTP/1.1 302 Found
Location: https://app.vacationtracker.io/oauth/authorize?session={sessionId}
Cache-Control: no-store

The user is redirected to the Vacation Tracker login and consent page.

{
  "error": "invalid_client | invalid_request | invalid_scope | unsupported_response_type",
  "error_description": "Human-readable description"
}

Error code	Cause
`invalid_client`	Unknown `client_id`
`invalid_request`	Missing required parameter or `redirect_uri` not registered for this client
`invalid_scope`	Requested scope not allowed for this client
`unsupported_response_type`	`response_type` is not `code`

Exchanges an authorization code for tokens, or refreshes an existing token.

Two methods are supported:

Request body: Include client_id and client_secret as form fields
HTTP Basic: Send Authorization: Basic base64(client_id:client_secret) header

Parameter	Required	Description
`grant_type`	Yes	`authorization_code`
`code`	Yes	The authorization code from the callback redirect
`redirect_uri`	Yes	Must match the URI used in the authorization request
`client_id`	Yes	Via body or Basic auth
`client_secret`	Yes	Via body or Basic auth

{
  "access_token": "eyJ...",
  "id_token": "eyJ...",
  "refresh_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Parameter	Required	Description
`grant_type`	Yes	`refresh_token`
`refresh_token`	Yes	The refresh token from a previous token response
`client_id`	Yes	Via body or Basic auth
`client_secret`	Yes	Via body or Basic auth

{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Note: The same refresh token is echoed back. No id_token is included in refresh responses.

{
  "error": "invalid_client | invalid_grant | unsupported_grant_type | server_error",
  "error_description": "Human-readable description"
}

Error code	Cause
`invalid_client`	Unknown `client_id` or incorrect `client_secret`
`invalid_grant`	Authorization code is invalid, expired, or already used. Or `redirect_uri` / `client_id` does not match. Or refresh token is invalid/expired.
`unsupported_grant_type`	Only `authorization_code` and `refresh_token` are supported
`server_error`	Unexpected server-side error

All token responses include:

Cache-Control: no-store
Pragma: no-cache

Returns basic profile information for the authenticated user.

Requires a valid access token in the Authorization header:

Authorization: Bearer {access_token}

The access token must be one obtained via the /oauth/token endpoint (from the Shadow User Pool).

{
  "id": "vt-user-123",
  "name": "Jane Doe",
  "email": "jane.doe@example.com"
}

Status	Error code	Cause
401	`unauthorized`	Missing or invalid `Authorization` header
401	`invalid_token`	Token is missing required claims