# Creating redirect

The first step of OAuth is to add a button to your app that redirects the user to EdgeTag. Once the user clicks on the button, you should have a URL that looks like the one below.

For `edgeTagUrl` you should use the UI URL (see [Implementation page](https://docs.edgetag.io/api/getting-started/oauth-2.0/implementation) for URLs).

{% code title="Example of how to redirect to our sandbox" %}

```javascript
const edgeTagUrl = 'https://app-sandbox.edgetag.io/oauth/app/login'
const verifier = 'my secret text'

const url = new URL(edgeTagUrl)
url.searchParams.append('client_id', 'd0272c42-7ecc-4899-a1a7-0801a8a9da2f')
url.searchParams.append('redirect_uri', 'https://yourwebsite.com/login/check')
url.searchParams.append('scope', 'full')
url.searchParams.append('response_type', 'code')
url.searchParams.append('code_challenge', sha256Base64(verifier))
url.searchParams.append('code_challenge_method', 'S256')

window.location.href = url.toString()
```

{% endcode %}

Let's look at each search parameter that you can set.

### client\_id

This is the ID that you got when you created the OAuth app inside EdgeTag UI.

### redirect\_uri

URI where you would like to redirect after the user completes OAuth inside EdgeTag. If you want to pass some additional property, you can use `state` param and store it in there as a base64 encoded string

### scope

Right now, we only support `full` , but will be adding more scopes later on.

### response\_type

This tells you what the exchange mechanism will be when we redirect back to your app. Right now, we support only `code`.

### code\_challenge

To enhance security, we added a code challenge option, which we then double-check when exchanging the code for the token. The code challenge should be `SHA-256` hashed and encoded with base64. Make sure that you store `verifier` as you will need to pass it when you exchange code for the token.

```javascript
const crypto = require('crypto')
const codeChallenge = crypto.createHash('sha256').update(verifier).digest().toString('base64url')
```

### code\_challenge\_method

At this point, we only support `S256` which is SHA-256 with base64 encoding.

### state

The "state" parameter is optional and can be included if you want to send any data from the starting point of the OAuth process back to your application. For instance, if you need to remember the user's selection before they were redirected to OAuth, you can use this parameter for that purpose. It's important to note that the value of "state" should be base64 encoded.