?code=...&state=....
This is an interactive browser redirect, not a JSON endpoint. Verify the state value does not change, and
exchange the returned code at Get or refresh a token.
Pick your environment, paste your client_id and code_challenge, then copy the URL:
Query parameters
Must be
code.Your client ID for the environment.
Your callback URL, registered with TaxRock.
Space-delimited. Use
offline_access read:client-accounts. The offline_access scope is
what yields a refresh token.https://delegate.api.taxrock.com (the same in both environments).The PKCE S256 challenge derived from your
code_verifier.Must be
S256.An opaque value echoed back to your callback. Verify it matches what you sent.

