Authorization Endpoint

Starting point for the OAuth2 flow. The client requests an authorization code by redirecting the user to this endpoint.


Code snippet: URL

GET https://.../oauth/authorize?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=...&scope=...&state=...


  • Base Address: the base address of the OAuth2 server - see Crew OAuth2 Server Overview
  • response_type: requested grant type. Only "code" is supported for this API
  • client_id: A unique identification of the client application (package key), which is assigned during application registration
  • code_challenge: PKCE code challenge according to RFC7636
  • code_challenge_method: PKCE code challenge method according to RFC7636
  • redirect_uri: A URI that will be called after the authentication and the authorization steps are done. The client application has to listen to this address, as it will be given the authorization code via this URI.
    Important Note: According to the OAuth2 specification, public clients have to register their redirect URI. Therefore you MUST register a Callback URL for your app on the developer portal. If you are using custom URI schemes for your native app then consider our URI rewrite guidelines documented here: Registration of redirect_uri
  • scope: A scope or scopes requested by the client - typically something like https://cms.fra.dlh.de/publicCrewApi
  • state: The state parameter is used by the application to store request-specific data and/or prevent CSRF attacks. The authorization server must return the unmodified state value back to the application.

Note: The "userLang" used to call the backend systems is taken from the client's "Accept-Language" header.


Code snippet: HTTP Header

HTTP/1.1 302 Found
Location: <redirection_uri>?code=...
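Added example (not part of the original API documentation): a client-side sketch in Python that builds the authorization request with a PKCE S256 challenge and a random state, then checks the redirect before accepting the code. The base address, the function names and the expectation that state comes back as a query parameter next to code are assumptions of this example.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder base address (assumption); use the one from the server overview.
AUTHORIZE_URL = "https://oauth.example.invalid/oauth/authorize"

def s256_challenge(verifier):
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scope):
    """Return (url, code_verifier, state); keep verifier and state client-side."""
    verifier = secrets.token_urlsafe(64)   # 86 chars, inside the 43..128 limit
    state = secrets.token_urlsafe(32)      # unguessable, bound to this request
    query = urlencode({
        "response_type": "code",           # the only value this API supports
        "client_id": client_id,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "redirect_uri": redirect_uri,      # must match the registered Callback URL
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", verifier, state

def handle_callback(callback_url, expected_state):
    """Return the authorization code only if state matches what was sent."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not ours.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

if __name__ == "__main__":
    # Constructed sample values, not real registrations.
    url, verifier, state = build_authorize_url(
        "CLIENT_ID_PLACEHOLDER",
        "https://app.example.invalid/callback",
        "https://cms.fra.dlh.de/publicCrewApi",
    )
    print(url)
```

The code_verifier returned by build_authorize_url is never sent to this endpoint; only its challenge is.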


Code snippet: Get request

GET https://oauth-test.lufthansa.com/lhcrew/oauth/authorize?response_type=code
