# Backchannel authentication

Start a backchannel authentication process (see the CIBA specification). The request can either be used to obtain a direct link (for example, to embed in a QR code) or to send the user a link by SMS or email. When opened, this link initiates an authentication process. The request returns the authentication request ID that is later used to complete the process on the authenticating device (by calling /auth/backchannel/complete) and obtain the token. If the link channel was specified, the response also includes the link.

Endpoint: POST /oidc/backchannel

## Request fields (application/x-www-form-urlencoded):

  - `client_id` (string, required)
    Client ID for which authentication is requested.

  - `client_secret` (string, required)
    Client secret.

  - `scope` (string, required)
    Scope of the requested access. Used to request specific user details like email. Must include openid and can include additional values (space delimited). offline_access scope allows refreshing access tokens.
    Enum: "openid", "email", "phone", "offline_access"

  - `login_hint` (string, required)
    Identifier of a user for whom authentication is requested (email, phone or user_id)

  - `binding_message` (string)
    A message intended to be displayed on both the consumption and the authentication device so the end-user can see how they are interconnected for the transaction.
    The message needs to be 1 - 20 characters in length and should contain only digits, letters and the characters: -._+/!?#

  - `requested_expiry` (integer)
    Requested expiration of the authentication request in seconds.

  - `request_context` (string)
    A stringified JSON object that contains more data about the request. Example object:

    ```json
    {
      "channel": "email",
      "login_hint_type": "email",
      "custom_message": "click on the following link to approve the access: "
    }
    ```

    Note: the object must be sent as a string (stringify the value).

    | property | description |
    |----------|-------------|
    | channel | The channel to use for triggering the authentication device, one of: sms (default), email, link |
    | login_hint_type | The login_hint identifier type, one of: phone (default), email, user_id |
    | custom_message | Custom message to be sent when triggering the authentication device (default: "To verify it's you, click this link:") |

    Example: "{\"channel\": \"email\", \"login_hint_type\": \"email\", \"custom_message\": \"click on the following link to approve the access: \"}"

## Response 200 fields (application/json):

  - `auth_req_id` (string, required)
    A unique identifier of the authentication request.

  - `expires_in` (integer, required)
    A positive integer value indicating the expiration time of the auth_req_id in seconds since the authentication request was received.

## Response 400 fields (application/json):

  - `message` (array, required)
    Example: "Bad request"

  - `error_code` (number, required)
    Example: 400

## Response 500 fields (application/json):

  - `message` (string, required)
    Example: "Something went wrong - Internal server error"

  - `error_code` (number, required)
    Example: 500
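As an added example (not code from the API provider), a small Python client helper that builds the form body under the constraints documented above (openid in scope, the binding_message character rule, request_context sent as a stringified object) and normalizes the 200/400/500 responses, where a 400 carries `message` as an array and a 500 as a string. Transport and hostname are left to the caller.

```python
import json
import re
from urllib.parse import urlencode

ALLOWED_SCOPES = {"openid", "email", "phone", "offline_access"}
CHANNELS = {"sms", "email", "link"}         # request_context.channel values from the page
HINT_TYPES = {"phone", "email", "user_id"}  # request_context.login_hint_type values

def valid_binding_message(msg):
    # Rule from the page: 1-20 characters, digits, letters and the set -._+/!?#
    return re.fullmatch(r"[A-Za-z0-9\-._+/!?#]{1,20}", msg) is not None

def build_backchannel_form(client_id, client_secret, scope, login_hint,
                           binding_message=None, requested_expiry=None,
                           request_context=None):
    """Validate the inputs and return the urlencoded body for POST /oidc/backchannel."""
    scopes = scope.split()
    if "openid" not in scopes or not set(scopes) <= ALLOWED_SCOPES:
        raise ValueError("scope must include openid and use only documented values")
    form = {"client_id": client_id, "client_secret": client_secret,
            "scope": " ".join(scopes), "login_hint": login_hint}
    if binding_message is not None:
        if not valid_binding_message(binding_message):
            raise ValueError("binding_message: 1-20 chars of digits, letters or -._+/!?#")
        form["binding_message"] = binding_message
    if requested_expiry is not None:
        if not isinstance(requested_expiry, int) or requested_expiry <= 0:
            raise ValueError("requested_expiry must be a positive number of seconds")
        form["requested_expiry"] = str(requested_expiry)
    if request_context is not None:
        if request_context.get("channel", "sms") not in CHANNELS:
            raise ValueError("request_context.channel must be sms, email or link")
        if request_context.get("login_hint_type", "phone") not in HINT_TYPES:
            raise ValueError("login_hint_type must be phone, email or user_id")
        # The endpoint takes the object as one stringified value, not nested form fields.
        form["request_context"] = json.dumps(request_context)
    return urlencode(form)

def parse_backchannel_response(status, body):
    """Normalize a JSON reply: 400 carries `message` as an array, 500 as a string."""
    data = json.loads(body)
    if status == 200:
        return {"ok": True, "auth_req_id": data["auth_req_id"],
                "expires_in": int(data["expires_in"])}
    msg = data.get("message", "")
    if isinstance(msg, list):
        msg = "; ".join(msg)
    return {"ok": False, "error_code": data.get("error_code", status), "message": msg}
```

Send the returned string as the body of the POST with Content-Type application/x-www-form-urlencoded, and keep the auth_req_id until the completion call.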


