Initiate OAuth login

GET /api/auth/:provider/login?userId=<userId>
Redirects the user’s browser to the OAuth provider’s authorization page with the appropriate scopes.
| Parameter | In | Required | Description |
| --- | --- | --- | --- |
| provider | path | Yes | OAuth provider: github, google, slack, or linear |
| userId | query | Yes | The user ID to associate with the connection |
Response: HTTP 302 redirect to the provider’s authorization URL. The server generates a random state parameter (10-minute TTL) and stores a pending OAuth entry with the user’s ID, provider, PKCE verifier (if applicable), and requested scopes.

OAuth callback

GET /api/auth/:provider/callback
Handles the OAuth redirect after the user authorizes. Exchanges the authorization code for tokens, encrypts them, and stores them.
| Parameter | In | Required | Description |
| --- | --- | --- | --- |
| provider | path | Yes | OAuth provider |
| code | query | Yes | Authorization code from the provider |
| state | query | Yes | State parameter for CSRF protection |
Success response (200):
{
  "success": true,
  "provider": "github",
  "userId": "user-123",
  "scopes": ["repo", "read:user"]
}
Error response (400):
{
  "error": "access_denied",
  "error_description": "The user denied the request"
}
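
One way to write the pending-entry handling described for the login and callback endpoints, as an added example in Python rather than the service's own code. The class name, the in-memory dict, single-use state and the S256 challenge method are assumptions; the page states only the random state, its 10-minute TTL and the stored fields.

```python
import base64
import hashlib
import secrets
import time

STATE_TTL_SECONDS = 600  # the 10-minute TTL stated above
PROVIDERS = {"github", "google", "slack", "linear"}


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): base64url(SHA-256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class PendingOAuthStore:
    """Hypothetical in-memory stand-in for the server's pending-entry storage."""

    def __init__(self, clock=time.monotonic):
        self._entries = {}
        self._clock = clock

    def begin(self, provider, user_id, scopes, use_pkce=True):
        """Login step: returns (state, code_challenge) for the authorization URL."""
        if provider not in PROVIDERS:
            raise ValueError("unsupported provider")
        state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        verifier = secrets.token_urlsafe(64) if use_pkce else None
        self._entries[state] = {
            "user_id": user_id,
            "provider": provider,
            "pkce_verifier": verifier,
            "scopes": list(scopes),
            "expires_at": self._clock() + STATE_TTL_SECONDS,
        }
        return state, pkce_challenge(verifier) if verifier else None

    def consume(self, provider, state):
        """Callback step: returns the pending entry, or None if state is invalid."""
        entry = self._entries.pop(state, None)  # pop: a state is usable once
        if entry is None or self._clock() > entry["expires_at"]:
            return None  # unknown, replayed, or older than the TTL
        if entry["provider"] != provider:
            return None  # state was issued for a different provider's flow
        return entry  # user_id comes from here, never from the callback query
```

The callback should only exchange the authorization code when `consume` returns an entry, and should send that entry's `pkce_verifier` with the token request.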

Disconnect provider

DELETE /api/auth/:provider?userId=<userId>
Revokes tokens (best-effort) and deletes stored credentials for the provider.
| Parameter | In | Required | Description |
| --- | --- | --- | --- |
| provider | path | Yes | OAuth provider |
| userId | query | Yes | User ID |
Response (200):
{
  "disconnected": true,
  "provider": "github",
  "userId": "user-123"
}

List connections

GET /api/auth/connections?userId=<userId>
Lists which OAuth providers a user has connected.
| Parameter | In | Required | Description |
| --- | --- | --- | --- |
| userId | query | Yes | User ID |
Response (200):
{
  "userId": "user-123",
  "providers": ["github", "google"]
}