Ticket Parameter in Authorization Endpoint

Authlete’s Authorization Endpoint APIs are backend APIs for implementing an authorization endpoint. They consist of two types of API:

  1. An API that interprets authorization requests and provides the information required in the next step, such as end-user authentication, and

  2. An API that issues tokens or codes, or returns errors

These two APIs are linked by a “ticket.”

First, Authlete’s /auth/authorization API returns a ticket in its response to an authorization request. Then, the /auth/authorization/issue or /auth/authorization/fail API receives the ticket and processes the authorization request to issue tokens or codes, or to return errors.

Tickets have the following characteristics.

  • A ticket expires in 24 hours. Expired tickets are deleted from Authlete’s database.
  • A ticket can only be used once. It is removed from the database right after the /auth/authorization/issue or /auth/authorization/fail API has successfully processed a request that includes the ticket.
  • When you use a ticket that has already been used or has expired, you will get an error like the one below:

    [A041202] There is no entity having the ticket specified
    in the /api/auth/authorization/issue request (ticket = {Ticket}).

  • Please note that tickets are designed to be used only between an authorization server and the Authlete server. They must therefore not be used between an authorization server and a user agent, such as a web browser, for example to manage sessions.
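
One way to keep the ticket off the user agent, as an added example that is not Authlete's own code: the authorization server stores the ticket server-side under a random session ID and sends only that ID to the browser. `PendingTicketStore`, its method names and the in-memory dict are assumptions for illustration; a real deployment would use its existing server-side session store.

```python
import secrets
import time

# Mirrors the 24-hour ticket lifetime stated above.
TICKET_TTL_SECONDS = 24 * 60 * 60


class PendingTicketStore:
    """Server-side map from an opaque session ID to an Authlete ticket.

    Hypothetical helper: only the session ID goes to the browser (for
    example in a cookie); the ticket never leaves the authorization server.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # session_id -> (ticket, stored_at)

    def put(self, ticket):
        """Store a ticket from /auth/authorization; return a session ID."""
        session_id = secrets.token_urlsafe(32)  # random, not derived from the ticket
        self._pending[session_id] = (ticket, self._clock())
        return session_id

    def take(self, session_id):
        """Return the ticket once, or None if unknown, used or expired.

        The entry is removed before returning, so a replayed session ID
        cannot trigger a second issue/fail call with the same ticket.
        """
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return None
        ticket, stored_at = entry
        if self._clock() - stored_at >= TICKET_TTL_SECONDS:
            return None              # past the ticket's 24-hour lifetime
        return ticket
```

When `take()` returns `None`, the authorization server should restart the authorization request rather than call /auth/authorization/issue, which would fail with the A041202 error shown above.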