Supported IdPs
The SupportedIdP enum lists the IdPs you can configure at the tenant level:

| Value | Description |
|---|---|
| OAUTH2 | Standard OAuth2 / OpenID Connect provider (e.g. Google) |
| FANWEI_E9 | FanWei E9 enterprise IdP with directory sync |

IdpType used in query parameters covers the full set of provider identifiers: PASSWORD, GOOGLE, TENANT.
SSO configuration is managed at the tenant level by tenant owners or admins. These endpoints handle the runtime authentication flow, not IdP configuration.
Initiate SSO
POST https://api-staging.knowledgestack.ai/v1/auth/sso/initiate
Start an SSO flow for a given provider and optional tenant. Returns a redirect_url that you should direct the user to in order to complete authentication with the IdP.
Query parameters
The IdP to initiate SSO with. One of the IdpType values (e.g. GOOGLE).
The tenant to authenticate against. Required for tenant-specific IdPs.
Response 200
The URL to redirect the user to in order to complete the SSO flow with the IdP.
Example
SSO login redirect handler
GET https://api-staging.knowledgestack.ai/v1/auth/sso/{tenant_id}/signin
Entry-point redirect handler for tenant-specific SSO login. Resolves the tenant’s configured IdP and dispatches the browser to the appropriate provider. Sets the ks_uat cookie and redirects to the frontend on completion.
This endpoint is typically called by the frontend — it is not a JSON API endpoint. The browser follows the redirect chain through the IdP and back.
Path parameters
The tenant whose IdP configuration to use.
Query parameters
Post-login redirect path within the application. Defaults to "" (root).
Response 307
Temporary redirect to the IdP’s authorization endpoint.
Example
OAuth2 callback
GET https://api-staging.knowledgestack.ai/v1/auth/sso/oauth2/callback
OAuth2 callback handler. The IdP redirects the user here after authorization. This endpoint exchanges the authorization code for user details, sets the ks_uat cookie, and returns the authenticated user.
You do not call this endpoint directly — the IdP calls it as part of the OAuth2 authorization code flow.
Query parameters
The IdP that issued the callback. Must match the IdpType used to initiate the flow.
Authorization code returned by the IdP.
State parameter for CSRF protection, returned by the IdP.
Error code if the IdP denied authorization.
Human-readable error description from the IdP.
Tenant ID to scope the session to.
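How a callback handler can enforce the state and IdP-match checks listed above, as an added sketch that is not Knowledge Stack's own implementation. The function names, the HMAC-signed state format and the 10-minute lifetime are assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; a real service would load this from a secret store.
STATE_KEY = secrets.token_bytes(32)
STATE_TTL_SECONDS = 600  # assumption: flows older than 10 minutes are rejected

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def issue_state(idp, tenant_id, session_id, now=None):
    """Build the state value sent to the IdP when the flow is initiated."""
    payload = json.dumps({
        "idp": idp, "tenant": tenant_id,
        # Bind to the browser session without exposing the session id itself.
        "sid": hashlib.sha256(session_id.encode()).hexdigest(),
        "exp": int(now if now is not None else time.time()) + STATE_TTL_SECONDS,
        "nonce": secrets.token_hex(8),
    }, sort_keys=True).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def check_callback(state, idp, tenant_id, session_id, now=None):
    """Return (ok, reason) for a callback that carries `state`."""
    try:
        p64, t64 = state.split(".")
        payload = base64.urlsafe_b64decode(p64 + "=" * (-len(p64) % 4))
        tag = base64.urlsafe_b64decode(t64 + "=" * (-len(t64) % 4))
    except (ValueError, AttributeError):
        return False, "malformed state"
    # Verify integrity before parsing anything out of the payload.
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(payload)
    if claims["exp"] < int(now if now is not None else time.time()):
        return False, "state expired"
    if claims["idp"] != idp:  # callback IdP must match the initiating IdP
        return False, "idp mismatch"
    if claims["tenant"] != tenant_id:
        return False, "tenant mismatch"
    sid = hashlib.sha256(session_id.encode()).hexdigest()
    if not hmac.compare_digest(claims["sid"], sid):
        return False, "session mismatch"
    return True, "ok"
```

This sketch does not record which state values have already been used; making a state single-use would need server-side storage.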
Response 200
Returns a UserResponse on successful authentication.
User ID.
User’s email address.
First name.
Last name.
Identity provider type. One of PASSWORD, GOOGLE, TENANT.
The tenant the user is currently scoped to.
The user’s role in the current tenant.
The user’s default tenant.
Directory sync
POST https://api-staging.knowledgestack.ai/v1/auth/sso/{tenant_id}/directory_sync
Trigger a directory synchronization for a FanWei E9 tenant. Syncs users from the enterprise IdP into Knowledge Stack — creating, updating, activating, or deactivating accounts to match the IdP’s directory.
This endpoint requires either a tenant OWNER/ADMIN UAT or an admin API key. It is specific to tenants configured with the FANWEI_E9 IdP.
Path parameters
The tenant to synchronize.
Response 200
Returns a DirectorySyncResponse summarizing the sync operation.
Number of new user accounts created.
Number of existing accounts updated.
Number of previously deactivated accounts reactivated.
Number of accounts deactivated because they were removed from the IdP.
Number of directory entries skipped (e.g. already up to date).
Non-fatal warnings encountered during sync.
Errors encountered during sync (entries that failed to process).