AgeOnce Docs
API Reference

OAuth Flow

OAuth 2.0 Authorization Code Flow for age verification

OAuth 2.0 Flow

AgeOnce uses the standard OAuth 2.0 Authorization Code Flow for age verification.

Step 1: Redirect to verification

Endpoint

GET https://app.ageonce.com/verify

Parameters

Parameter      Type     Required      Description
client_id      string   Yes           Your Client ID
redirect_uri   string   Yes           URL the user is sent back to after verification (see Important below)
state          string   Recommended   Random, unguessable value bound to the user's session, used for CSRF protection (see State parameter below)

Example URL (the redirect_uri value is percent-encoded, as any query-string value must be)

https://app.ageonce.com/verify?client_id=cl_abc123&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&state=xyz789

Important

redirect_uri must be pre-registered in your AgeOnce Dashboard. This is what prevents an attacker from having the authorization code delivered to a URL they control.

Step 2: User completes verification

On the AgeOnce page:

  1. User grants camera permission
  2. Completes biometric verification
  3. System determines age compliance

Step 3: Redirect back with code

After successful verification, the user is redirected to your redirect_uri:

https://example.com/callback?code=auth_code_123&state=xyz789

Callback parameters

Parameter   Description
code        Authorization code to exchange for a token
state       The same state value you sent in Step 1

Errors

On error, the redirect to your redirect_uri carries error and error_description instead of code:

https://example.com/callback?error=access_denied&error_description=User%20cancelled

Error                 Description
access_denied         User declined verification
verification_failed   Verification failed
invalid_request       Invalid request parameters

Step 4: Exchange code for token

Your backend exchanges the code for an age_token. This call is server-to-server; the code should never be exchanged from the browser:

POST /api/oauth/token

Learn more about Token Exchange →

State parameter

The state parameter protects against CSRF: it binds the callback to the session that started the flow, so an attacker cannot trick a signed-in user into completing a verification the attacker initiated.

const crypto = require('crypto');

// Generate state: 16 random bytes, hex-encoded, fresh for every authorization request
const state = crypto.randomBytes(16).toString('hex');

// Store in the server-side session before redirecting the user
session.oauthState = state;

// On callback - verify that the state came back unchanged, then consume it
// so the same callback cannot be replayed
const expected = session.oauthState;
delete session.oauthState;
if (!expected || req.query.state !== expected) {
  throw new Error('Invalid state');
}

Always verify state! Without this, your app is vulnerable to CSRF attacks.

Flow diagram

┌──────────┐                              ┌──────────┐
│  Client  │                              │ AgeOnce  │
└────┬─────┘                              └────┬─────┘
     │                                         │
     │  1. GET /verify?client_id=...           │
     │────────────────────────────────────────►│
     │                                         │
     │         2. User verifies age            │
     │                                         │
     │  3. Redirect: callback?code=...         │
     │◄────────────────────────────────────────│
     │                                         │
     │  4. POST /api/oauth/token               │
     │────────────────────────────────────────►│
     │                                         │
     │  5. { age_token: "..." }                │
     │◄────────────────────────────────────────│
     │                                         │

Lifetime

Element              Lifetime
Authorization code   1 minute
Age token            10 minutes

Exchange the authorization code as soon as your callback handler receives it; it is only valid for 1 minute.
