# Request Service Account Authorization

#### Description
To gain access to the calendars of a domain, an Enterprise Connect account must be authorized by an administrator of that domain.

#### Example Request
```
https://app.cronofy.com/enterprise_connect/oauth/authorize
    ?response_type=code
    &client_id={CLIENT_ID}
    &redirect_uri={REDIRECT_URI}
    &scope={SCOPE}
    &delegated_scope={DELEGATED_SCOPE}
    &state={STATE}
```

*Note that the URL for this method differs from that used when authorizing an individual calendar account.*

##### `data_center_app_url` *(required)*

The URL for the data center you want to communicate with. Possible choices are:

- `app-au.cronofy.com` - Australia
- `app-ca.cronofy.com` - Canada
- `app-de.cronofy.com` - Germany
- `app-sg.cronofy.com` - Singapore
- `app-uk.cronofy.com` - United Kingdom
- `app.cronofy.com` - United States

Find out more about [Cronofy's data centers](/developers/data-centers/index.md).

##### `response_type` *(required)*

Must always be `code` as that is the only grant type supported by Cronofy.

##### `client_id` *(required)*

The `client_id` issued to you by Cronofy to authenticate your OAuth client as a trusted client.

##### `redirect_uri` *(required)*

The HTTP or HTTPS URI you wish the user's authorization request decision to be redirected to.

> **WARNING:** In development this can be any value, but in production this has to be a **pre-registered** value. This helps us guard against phishing attacks by controlling where we return authorization codes to for your application. We can only support wildcards in the host name for subdomains of domains under your control, e.g. `https://*.example.com/auth/cronofy/callback`. Otherwise, the URL must be static and we can support multiple values. If your URL is dynamic, you should utilize the `state` parameter to pass variables. See [our FAQ on using this to support dynamic values in your OAuth flow](/developers/faqs/state-param/index.md).

##### `scope` *(required)*

The scope of the privileges you want the Enterprise Connect account to be granted. At least one of the following scopes must be requested:

- `service_account/accounts/manage` to allow authorization of accounts

- `service_account/accounts/unrestricted_access` to allow elevation of access for accounts

- `service_account/resources/manage` to allow authorization of resources

- `service_account/resources/unrestricted_access` to allow elevation of access for resources

Multiple scopes can be granted if separated with a space:
```plain
&scope=service_account/accounts/unrestricted_access service_account/resources/manage
```


##### `delegated_scope` *(required)*

The scope of the privileges that can be granted when requesting access to users and resources. Examples include:

- `read_only`

- `write_only`

- `read_write`

- `free_busy`

- `free_busy_write`

See the [full scope list and documentation](/developers/api/authorization/request-authorization/index.md) for more information.

##### `state` *(optional)*

A value that will be returned to you unaltered along with the user's authorization request decision.

The OAuth 2.0 RFC recommends [using this to prevent cross-site request forgery](https://www.rfc-editor.org/rfc/rfc6749#section-10.12).

##### `code_challenge` *(optional)*

A parameter used to protect against an authorization code intercept attack defined in [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/rfc/rfc7636).

Providing this value will mean that a corresponding `code_verifier` parameter must be provided when redeeming an authorization `code` for an `access_token`.

##### `code_challenge_method` *(optional)*

Describes the method used to verify the `code_verifier` parameter that will be sent when the `access_token` is requested. Two values are supported:

- `S256`

- `plain`

If not passed, `plain` is used by default when a `code_challenge` parameter is provided.
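The following Python sketch assembles the authorization request with a random `state` and an explicit `S256` PKCE challenge. It is an added example, not Cronofy's own code; the function names are hypothetical, and the caller is assumed to store the returned `state` and `code_verifier` in the administrator's server-side session.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Data center hosts and service account scopes as listed on this page.
DATA_CENTER_HOSTS = {
    "app-au.cronofy.com", "app-ca.cronofy.com", "app-de.cronofy.com",
    "app-sg.cronofy.com", "app-uk.cronofy.com", "app.cronofy.com",
}
SERVICE_ACCOUNT_SCOPES = {
    "service_account/accounts/manage",
    "service_account/accounts/unrestricted_access",
    "service_account/resources/manage",
    "service_account/resources/unrestricted_access",
}


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: base64url(SHA-256(verifier)) with padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(host, client_id, redirect_uri, scopes, delegated_scope):
    """Return (url, state, code_verifier); keep state and verifier server-side."""
    if host not in DATA_CENTER_HOSTS:
        raise ValueError(f"unknown data center host: {host}")
    unknown = set(scopes) - SERVICE_ACCOUNT_SCOPES
    if not scopes or unknown:
        raise ValueError(f"invalid service account scopes: {sorted(unknown)}")
    state = secrets.token_urlsafe(32)          # unguessable CSRF token
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43-128
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),             # space-separated, as described above
        "delegated_scope": delegated_scope,
        "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",       # explicit: omitting it selects plain
    })
    url = f"https://{host}/enterprise_connect/oauth/authorize?{query}"
    return url, state, code_verifier
```

The `code_verifier` is sent only later, when the `code` is redeemed for an `access_token`; it never appears in the authorization URL.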

#### Response URL parameters
You will not receive a direct response to your authorization request; instead, the administrator will be redirected to the `redirect_uri` with additional querystring parameters specified.

The responses are fully specified in [section 4.1.2 of RFC 6749](https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2).

#### Successful response
##### `code`

A short-lived, single-use `code` to be used to make an [Access Token Request](/developers/api/authorization/request-token/index.md).

Will always be a 32-character [`String`](/developers/api/data-types/index.md) of ASCII characters.

##### `state`

The value you passed for the `state` within the authorization request.

#### Error response
##### `error`

A single ASCII error code. The complete list is within [section 4.1.2.1 of RFC 6749](https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2.1); these are the most commonly encountered:

- **access_denied** the administrator declined your request

- **unsupported_response_type** your request's `response_type` was not `code`

- **invalid_scope** no valid scopes were specified in your request's `scope`
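A callback handler for the redirect described above might validate the response as follows. This is an added Python example, not Cronofy's own code; `extract_authorization_code` and `AuthorizationError` are hypothetical names, and `expected_state` is assumed to be the value stored server-side when the request was made.

```python
import hmac
from urllib.parse import urlsplit, parse_qs


class AuthorizationError(Exception):
    """Raised when the callback must not be exchanged for a token."""


def extract_authorization_code(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from Cronofy and return the code to redeem."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def single(name):
        values = params.get(name, [])
        if len(values) > 1:  # duplicated parameters are ambiguous; reject
            raise AuthorizationError(f"duplicate parameter: {name}")
        return values[0] if values else None

    # Check state first, in constant time, before trusting anything else.
    state = single("state")
    if state is None or not hmac.compare_digest(
        state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise AuthorizationError("state mismatch")

    # An error response carries `error` instead of `code`.
    error = single("error")
    if error is not None:
        raise AuthorizationError(f"authorization failed: {error}")

    # The page documents `code` as a 32 character ASCII string.
    code = single("code")
    if code is None or len(code) != 32 or not code.isascii():
        raise AuthorizationError("malformed or missing code")
    return code
```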


