redirect_uri with an authorization code.
Query Parameters
Your OAuth client ID (from the Developer Dashboard)
Must exactly match one of your registered redirect URIs. Must include a path (e.g.,
https://example.com/callback).Must be
code (only authorization code flow is supported)A unique, random value generated per request. DHMAD returns this value unchanged in the callback so you can validate it to prevent CSRF attacks. Requests without
state are rejected.Space-separated list of scopes. Available:
openid, profile, email. Defaults to openid profile email.PKCE code challenge (base64url-encoded SHA-256 hash of your code verifier). Recommended for all clients.
Must be
S256. The plain method is not accepted.Example Request
Success Response
The user is redirected to yourredirect_uri with:
Authorization code to exchange for tokens (expires in 10 minutes, single-use)
The same state value you provided — validate it matches your stored value
Error Response
If the user denies access:Direct Error Responses (before redirect)
Missing required parameters:If the user is not logged in, they are redirected to the DHMAD login page first, then returned to the consent screen. After granting access, they are redirected to your
redirect_uri.