# Example Authorization URL

To start the flow, redirect the user’s browser to the authorization endpoint. For example, if your client ID is abc123 and your redirect URI is <https://localhost/callback>, you would use:

`https://api.AIRisk.example.com/api/oauth2?client_id=abc123&redirect_uri=https%3A%2F%2Flocalhost%2Fcallback`

If you want a token on behalf of a user (e.g., user ID `user_42`), include the `userid` parameter:

`https://api.AIRisk.example.com/api/oauth2?client_id=abc123&redirect_uri=https%3A%2F%2Flocalhost%2Fcallback&userid=user_42`

When the user visits this URL, if the client ID and user ID are valid, the user’s browser will be redirected to:

`https://localhost/callback?code=SplxlOBeZQQYbYS6WxSbIA`

The query parameter `code=SplxlOBeZQQYbYS6WxSbIA` (a sample value) is the authorization code that your application will exchange for an access token in the next step. The code is typically a short-lived, single-use string. (If the server denied the request or an error occurred, you might instead receive error parameters in this redirect, or be redirected to a JSON response with error parameters.)

To prevent CSRF attacks, pass the `state` parameter in the authorization request, for example: `https://api.AIRisk.example.com/api/oauth2?client_id=abc123&state=a&redirect_uri=https%3A%2F%2Flocalhost%2Fcallback`. The server's redirect to your `redirect_uri` will then carry not just `code` but also `state`, and this `state` value must match the value passed in the initial request.
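The following Python example is added here for illustration and is not part of this API's own code. It builds the authorization URL with a random `state` and validates the callback before the code is exchanged. The function names, keeping `state` in the user's session, and the `error` parameter name (taken from RFC 6749) are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://api.AIRisk.example.com/api/oauth2"  # endpoint from this page


def build_authorization_url(client_id, redirect_uri, userid=None):
    """Return (url, state). Store state in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)  # unguessable, one value per login attempt
    params = {"client_id": client_id, "state": state, "redirect_uri": redirect_uri}
    if userid is not None:
        params["userid"] = userid
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def extract_code(callback_url, expected_state):
    """Validate the redirect back to redirect_uri and return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    # Assumption: the error parameter is named "error" as in RFC 6749.
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    states = query.get("state", [])
    codes = query.get("code", [])
    # Reject duplicated parameters rather than guessing which copy is genuine.
    if len(states) != 1 or len(codes) != 1 or not codes[0]:
        raise ValueError("callback must carry exactly one code and one state")
    # Constant-time comparison against the value stored for this session.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF, discard the code")
    return codes[0]


if __name__ == "__main__":
    url, state = build_authorization_url("abc123", "https://localhost/callback", "user_42")
    print(url)
    # Constructed callback, using the sample code from this page.
    callback = f"https://localhost/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print(extract_code(callback, state))
```

A fixed value such as `state=a` shows where the parameter goes in the URL, but only a per-request random value tied to the user's session lets the comparison detect a forged callback.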
