Launch a user into the app

<form id="launch" method="POST" action="https://sandbox.etherfuse.com/auth/launch"> <input type="hidden" name="grant_type" value="urn:ietf:params:oauth:grant-type:jwt-bearer" /> <input type="hidden" name="assertion" value="<your_signed_jwt>" /> <input type="hidden" name="target" value="/kyb" /> </form> <script>document.getElementById("launch").submit()</script>

Targets

target must be one of Etherfuse’s allowed app paths (optionally with a query string such as ?org=<org_id>); any other path is rejected with invalid_target.

Target	Lands the user in
`/kyb`	Business Onboarding (KYB). Append `?org=<org_id>` to pick which organization to verify; without it, the app uses their current org or prompts them to create a business.

Target

Lands the user in

/kyb

Business Onboarding (KYB). Append ?org=<org_id> to pick which organization to verify; without it, the app uses their current org or prompts them to create a business.

The JWT’s sub is strongly recommended to be a UUID identifying the person signing in (see Sign a user JWT for how sub relates to the Ramp API customerId for individuals vs businesses), and its scope follows the same rules as /auth/token. The endpoint is unauthenticated: the JWT or refresh token is the credential.

Body

grant_type

enum<string>

required

Available options:

urn:ietf:params:oauth:grant-type:jwt-bearer,

refresh_token

target

string

required

App path to land the user on after sign-in. Must be an allowed target (see the endpoint description); today /kyb, optionally with ?org=<org_id>. Any other path is rejected.

Example:

"/kyb"

assertion

string

The partner-signed JWT. Required when grant_type is urn:ietf:params:oauth:grant-type:jwt-bearer.

refresh_token

string

A refresh_token from a prior POST /auth/token exchange. Required when grant_type is refresh_token.

return_url

string

Optional URL to return the user to when they leave the app.

Response

200

An HTML page that establishes the session and redirects the browser to target.