# Authorization

1. **Authorization Request**: Your application directs the user’s browser to AIRisk’s Authorization Endpoint with your `client_id`, a `redirect_uri`, optionally a `state` string, and optionally a `userid` if you are requesting a user-specific token. If requesting a user-specific token, the `userid` must be an existing `id` on some `ApplicationUser` in the AIRisk deployment. In addition:
   * `client_id` and `client_secret` must be valid for some `APIUser` in the instance's database.
   * `redirect_uri` must match at least one of the comma-separated values in the `redirect_uri` column of that same `APIUser` (the one the `client_id` and `client_secret` belong to).
2. **Authorization Code Redirect**: If AIRisk’s authorization server authorizes the request, then it redirects the client back to the specified `redirect_uri` with an authorization code in the URL (e.g. `https://localhost/callback?code=REMOTELY_GENERATED_AUTH_CODE_HERE`). This code is short-lived and cannot be used by itself except to request a token. If `state` was provided in the initial request, then there should be a matching `state` parameter and value in the URL coming from the redirect (e.g. `https://localhost/callback?state=MATCHING_STATE_VALUE&code=REMOTELY_GENERATED_AUTH_CODE_HERE`).
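
The client side of the two steps above, as an added example that is not part of AIRisk's own code or documentation: it builds the authorization request with a fresh random `state`, checks the redirect for a matching `state` before trusting the `code`, and shows the exact-match check against the comma-separated `redirect_uri` column. The authorization endpoint URL is a placeholder, since the page names the endpoint but not its address.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder: the page names AIRisk's "Authorization Endpoint" but gives no URL.
AUTHORIZE_URL = "https://airisk.example/oauth/authorize"


def build_authorization_url(client_id, redirect_uri, userid=None, state=None):
    """Return (url, state). A random state is generated when none is supplied,
    so the caller can later tie the redirect back to this browser session."""
    state = state or secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if userid is not None:          # only for user-specific tokens
        params["userid"] = userid
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Validate the redirect: the state must equal the one we sent, and exactly
    one code must be present. Returns the short-lived authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [None])[0]
    if received_state is None or not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: redirect does not belong to this session")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    return codes[0]


def redirect_uri_is_registered(redirect_uri, registered_column):
    """Exact match against the APIUser's comma-separated redirect_uri column;
    prefix or substring matches are deliberately not accepted."""
    allowed = {u.strip() for u in registered_column.split(",") if u.strip()}
    return redirect_uri in allowed
```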
