> ## Documentation Index
> Fetch the complete documentation index at: https://docs.praxis-ai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO callback

> Handles the callback from OAuth 2.0 SSO authentication



## OpenAPI

````yaml /mdx/api-reference/admin/admin-api.json post /api/auth/sso_callback
openapi: 3.0.0
info:
  title: Pria Admin API
  version: 2.0.1
  description: >-
    Pria API Documentation Praxis's developer platform is a core part of our
    mission to empower organizations to grow better. Our APIs are designed to
    enable teams of any shape or size to build robust integrations that help
    them customize and get the most value out of Pria. All Pria APIs are built
    using REST conventions and designed to have a predictable URL structure.
    <br/>  <br/>They use many standard HTTP features, including methods (POST,
    GET, PUT, DELETE) and error response codes.  <br/> <br/>All API calls are
    made under https://hiimpria.ai/api and all responses return standard JSON.
    In these docs, you'll find lists of all available endpoints for a given API,
    along with interactive code blocks for building requests. For walkthroughs
    of basic usage for these APIs, check out the API guides.
servers:
  - url: https://pria.praxislxp.com
    description: Pria API Server
security: []
tags:
  - name: Authentication
    description: User authentication, registration, and password management (/api/auth)
  - name: OAuth
    description: OAuth authentication providers - Google, GitHub, SSO (/api/auth/oauth)
  - name: User
    description: User profile management and account operations (/api/user)
  - name: User Institutions
    description: User institution memberships and switching (/api/user/institution)
  - name: User Tools
    description: Available tools for authenticated users (/api/user/tools)
  - name: Institutions
    description: Institution settings and configuration (/api/user/institution)
  - name: Conversation
    description: AI conversation and Q&A endpoints (/api/ai)
  - name: Realtime
    description: Real-time voice AI and WebRTC sessions (/api/ai/rt)
  - name: Assistant
    description: AI assistant configuration and management (/api/user/assistant)
  - name: History
    description: Conversation history and favorites (/api/user/history)
  - name: RAG
    description: >-
      Document upload, embedding, and retrieval-augmented generation
      (/api/user/files, /api/user/rag)
  - name: Setting
    description: Instance variables and settings management (/api/user/setting)
  - name: Branding
    description: Digital twin branding and customization (/api/agent/branding)
  - name: Agent
    description: Agent engagement and session management (/api/agent)
  - name: SDK Launch
    description: >-
      SDK launch token signing and verification for secure iframe embedding
      (/api/auth/sdk-sign, /api/auth/sdk-verify)
  - name: Testing
    description: Health checks, diagnostics, and test endpoints (/api/test)
  - name: Admin Accounts
    description: Account management for super admins (/api/admin/account)
  - name: Admin Institutions
    description: Institution management for admins (/api/admin/institution)
  - name: Admin Users
    description: User management for admins (/api/admin/user)
  - name: Admin Entitlements
    description: >-
      User-institution relationships and permissions
      (/api/admin/userInstitution)
  - name: Admin Sessions
    description: Session management for admins (/api/admin/session)
  - name: Admin Histories
    description: Conversation history management and analytics (/api/admin/history)
  - name: Admin Assistants
    description: AI assistant management for admins (/api/admin/assistant)
  - name: Admin Questions
    description: Institution question and prompt management (/api/admin/question)
  - name: Admin Tools
    description: Tool configuration management (/api/admin/tool)
  - name: Admin AI Models
    description: AI model configuration (/api/admin/aimodel)
  - name: Admin MCP Servers
    description: Model Context Protocol server management (/api/admin/mcpserver)
  - name: Admin Feedbacks
    description: User feedback management (/api/admin/feedback)
  - name: Admin Uploads
    description: Upload management (/api/admin/upload)
  - name: Admin Charts
    description: Analytics and visualization chart management (/api/admin/chart)
  - name: Admin Memory
    description: Admin inspection and editing of user/instance memory parameters.
  - name: Admin Usage Limits
    description: Per-user usage-vs-cap reporting and account-wide at-limit counts.
paths:
  /api/auth/sso_callback:
    post:
      tags:
        - OAuth
      summary: SSO callback
      description: Handles the callback from OAuth 2.0 SSO authentication
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                code:
                  type: string
                  description: Authorization code
                state:
                  type: string
                  description: State parameter
      responses:
        '200':
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SignInResponse'
components:
  schemas:
    SignInResponse:
      type: object
      description: |
        Successful signin response shape. Two variants are returned by the
        same endpoint depending on whether email MFA is required:
          • **JWT issued** — `{ token, profile }`. The user is signed in.
          • **MFA challenge** — `{ mfaRequired: true, challengeId, maskedEmail, mandatorySuper? }`.
            The client must POST the 6-digit code to `/api/auth/mfa/verify`
            with the challengeId; the verify endpoint then issues the JWT.
          Discriminate via `mfaRequired === true` (per Phase 1 design §6.1).
      properties:
        token:
          type: string
          description: >-
            Signed JWT token. Present when MFA is not required or has just been
            verified. Include this in subsequent API requests via the
            x-access-token header or Authorization Bearer header. Expires after
            6 hours (configurable via JWT_VALIDITY_SEC). Automatically refreshed
            on profile load (sliding session).
          example: >-
            eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2NDMwNzM2ZmQ2MmQ2NTAwNDA0MjA2NzQiLCJlbWFpbCI6ImpvaG4uZG9lQG15ZG9tYWluLmNvbSIsImN1c3RvbWVySWQiOiJjdXNfTnh4eHh4eCIsImFjY291bnRUeXBlIjoidXNlciIsInNlc3Npb25JZCI6InMlM0FhYmMxMjMiLCJpYXQiOjE3MDAwMDAwMDAsImV4cCI6MTcwMDA4NjQwMH0.signature
        profile:
          $ref: '#/components/schemas/UserProfile'
        mfaRequired:
          type: boolean
          description: >-
            When true, the response is an MFA challenge — no JWT issued. Client
            should redirect to the MFA verify screen with the challengeId.
          example: true
        challengeId:
          type: string
          description: >
            MongoDB ObjectId of the issued mfaChallenge. Only present when
            `mfaRequired: true`. POST this to `/api/auth/mfa/verify` alongside
            the 6-digit code.
          example: 6856fa89cbafcff8d98680f5
        maskedEmail:
          type: string
          description: >
            Partially-masked email address the verification code was sent to
            (for the verify-screen "code sent to …" prompt). Only present when
            `mfaRequired: true`.
          example: j*****e@example.com
        mandatorySuper:
          type: boolean
          description: |
            Phase 2 — when `true`, this MFA challenge was issued under
            super-mandatory enforcement (MFA_SUPER_MANDATORY=true and the
            user is past the rollout date). The verify screen should
            render an explanatory banner and suppress the Cancel
            affordance, since the user can't dismiss the flow without
            enrolling. On successful verify, the server persists
            `user.mfaEnabled = true` so the next signin follows the
            normal phase-1 trusted-device path.

            Only present when `mfaRequired: true` AND the gate fired.
            Omitted (not `false`) otherwise — clients should default to
            `false` when absent.
          example: true
    UserProfile:
      type: object
      properties:
        _id:
          type: string
        email:
          type: string
          format: email
        fname:
          type: string
        lname:
          type: string
        picture:
          type: string
        accountType:
          type: string
        permissions:
          type: array
          items:
            type: string
        customerId:
          type: string
        lxp_user_id:
          type: string
        lxp_user_type:
          type: integer
        lxp_partner_id:
          type: string
        lxp_partner_name:
          type: string
        lxp_role_id:
          type: integer
        lxp_role_name:
          type: string
        credits:
          type: integer
        creditsUsed:
          type: integer
        plan:
          type: string
        status:
          type: string
        trial_end:
          type: string
          format: date-time
        trial_used:
          type: boolean
        current_period_end:
          type: string
          format: date-time
        cancel_at_period_end:
          type: boolean
        referralId:
          type: string
          format: uuid
        referrerPaid:
          type: boolean
        resetCodeId:
          type: string
          format: uuid
        invoices_urls:
          type: array
          items:
            type: string
        remember_history_count:
          type: integer
        browser_voice:
          type: string
        rt_voice:
          type: string
        use_location:
          type: boolean
        showSideBar:
          type: boolean
        dark_mode:
          type: boolean
        created:
          type: string
          format: date-time
        __v:
          type: integer
        institution:
          $ref: '#/components/schemas/InstitutionProfile'
    InstitutionProfile:
      type: object
      properties:
        _id:
          type: string
        name:
          type: string
        picture:
          type: string
        picture_bg:
          type: string
        picture_dark_bg:
          type: string
        picture_animated:
          type: string
        elevenlabs_agent_id:
          type: string
        credits:
          type: integer
        status:
          type: string
        allowJoining:
          type: string
        joiningAdminOnly:
          type: boolean
        publicId:
          type: string
          format: uuid
        publicAuthorizedUrls:
          type: array
          items:
            type: string
        ainame:
          type: string
        contactEmail:
          type: string
          format: email
        creditAward:
          type: integer
        poolCredits:
          type: boolean
        invoices_urls:
          type: array
          items:
            type: string
        maxCompletionTokens:
          type: integer
        disableFileUploadForUser:
          type: boolean
        disableAudioNotesForUser:
          type: boolean
        toolsDisabled:
          type: array
          items:
            type: string
        ltiContextIds:
          type: array
          items:
            type: string
        personalisationAsked:
          type: boolean
        locationEnabled:
          type: boolean
        rtEnabled:
          type: boolean
        rtAdminOnly:
          type: boolean
        displayAgentDetails:
          type: boolean
        displayThinkingDetails:
          type: boolean
        displayRagSearchDetails:
          type: boolean
        displayThinkingExecution:
          type: boolean
        displayToolExecution:
          type: boolean
        assistantsDisabled:
          type: array
          items:
            type: string
        disableAssistantsForUser:
          type: boolean
        rtVoice:
          type: string
        maxFiles:
          type: integer
        questionType:
          type: string
        creditsTotal:
          type: integer
          nullable: true
        creditsUsagePct:
          type: number
        id:
          type: string

````