Social login
Token mode — org-native — POST /api/auth/login/social
Section titled “Token mode — org-native — POST /api/auth/login/social”The frontend obtains a provider token (e.g. Google idToken) and posts it; Axowl verifies it and issues the session (AuthEndpoints.cs:106, LoginWithSocialCommand).
Server-mediated — end-user (hosted portal)
Section titled “Server-mediated — end-user (hosted portal)”For end users, Axowl mediates the OAuth round-trip so provider tokens never touch the browser as final credentials:
| Method · Route | Source |
|---|---|
POST /api/public/apps/{applicationKey}/auth/social | PublicEndpoints.cs:156 |
POST /api/public/apps/{applicationKey}/auth/social/exchange | :384 |
The flow exchanges a provider authorization for a one-time code, then exchanges that code for the end-user JWT (token delivered via the code, not the URL fragment). Provider notes (e.g. Naver service-URL constraints) apply per provider console config.