GET /api/oauth/:provider/callback — provider redirects here after user authorizes
const url = 'https://example.com/api/oauth/example/callback?state=example';const options = {method: 'GET'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url 'https://example.com/api/oauth/example/callback?state=example'Parameters
Section titled “Parameters”Path Parameters
Section titled “Path Parameters”OAuth provider name (e.g. anthropic, openai, google, copilot, openrouter)
Query Parameters
Section titled “Query Parameters”Optional so a provider denial / stale-reload (which reaches the server-hosted
callback without a code) yields the friendly ?oauth_error= page instead of a
raw 400 from the extractor. The handler rejects an absent/blank code before use.
(OpenRouter is the first provider to actually exercise this callback in prod.)
Responses
Section titled “Responses”Redirect to settings page on success or with error query parameter
Structured client error
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Structured server error
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}